VAPT Report - Project

The Vulnerability Assessment and Penetration Testing Report for Shirtable identifies critical vulnerabilities in their web application, including a SQL injection risk, an account verification link that does not expire, and a reflected XSS vulnerability. The report outlines significant business risks such as potential data breaches and service disruptions, along with high-level recommendations for remediation. Immediate action is advised to address these vulnerabilities to enhance the security posture of the application and protect sensitive user data.


Vulnerability Assessment and Penetration Testing Report

Client: Shirtable (https://www.shirtable-theshirtmaker.com/)

Date: May 9, 2024

Author: Josekutty Kunnelthazhe Binu


Table of Contents:

1. Project Objective
2. Scope & Timeframe
3. In-Scope Target
4. User Accounts provided by Shirtable - the Shirt Maker
5. Summary of Findings
6. Summary of Business Risks for Shirtable - the Shirt Maker
7. High-Level Recommendations
8. Methodology
9. Testing Phases
10. Project Limitations
11. Web Application Findings Details


1. Project Objective
This web application penetration test aims to assess the security of
https://shirtable-theshirtmaker.com/ by identifying vulnerabilities that could be exploited by
attackers. This will involve discovering weaknesses, evaluating current security measures
against industry standards, and providing actionable recommendations to address the risks and
improve the overall security posture of the application and its infrastructure. The Common
Vulnerability Scoring System (CVSS) v3.0 will be used to prioritize vulnerabilities based on their
severity.

2. Scope & Timeframe

Testing and verification were performed between May 5th, 2024 and May 7th, 2024. The scope
of this project was limited to the web application and any related network infrastructure of
Shirtable - the Shirt Maker (https://www.shirtable-theshirtmaker.com/).

3. In-Scope Target

shirtable-theshirtmaker.com | In Scope | Shirtable - the Shirt Maker is a web application offering custom-tailored shirt services.

Description: Shirtable - the Shirt Maker (https://www.shirtable-theshirtmaker.com/) is a Hong Kong-based company specializing in custom-made dress shirts. They offer a variety of fabrics, patterns, and styles to choose from, along with tailoring services to ensure a perfect fit. Their website allows customers to browse their selection, configure their desired shirt, and place an order.

4. User Accounts provided by Shirtable - the Shirt Maker (https://www.shirtable-theshirtmaker.com/)

No specific accounts were provided by the company, so the account used for testing was self-registered in the same way a normal user would register. The following username and email were used during the testing:

Username: Test Account

Email: [email protected]

5. Summary of Findings

The assessment of the Shirtable - the Shirt Maker web application revealed several vulnerabilities. Security experts performed manual security testing according to the OWASP Web Application Testing Methodology, identifying the following issues:

Critical (1):

● SQL Injection Vulnerability: This is a critical vulnerability because it allows attackers to inject malicious SQL code into database queries. This could potentially lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database.

High (1):

● Account Verification Link Not Expiring: This vulnerability allows attackers to potentially reuse an account verification link, leading to account takeover. While not as severe as an immediate data breach, it can have significant consequences for user accounts and overall system trust.

Medium (1):

● Reflected XSS Vulnerability: This vulnerability allows attackers to inject malicious scripts into web pages that are reflected back to the user's browser. These scripts can then be used to steal session cookies, hijack accounts, or launch further attacks. The severity depends on the specific impact the reflected script can have.

Informational (1):

● Web.config File Misconfiguration: While not directly exploitable, exposing the web.config file can reveal sensitive information such as connection strings or configuration settings. This information could be used by attackers to gain insights into the website's operation and potentially aid further attacks.

6. Summary of Business Risks for Shirtable - the Shirt Maker

CRITICAL
Disruption and Unavailability: A successful SQL injection attack could disrupt or completely
disable Shirtable's core services. This could prevent users from placing orders, accessing
account information, or interacting with the website at all.
Data Breach: Attackers could steal sensitive customer information, including names,
addresses, credit card details, and order history. This could lead to financial losses for Shirtable
and severe reputational damage.
Ransomware Attack: In a worst-case scenario, attackers could exploit the SQL injection
vulnerability to launch a ransomware attack, encrypting Shirtable's data and demanding a
ransom payment for decryption.

HIGH
Account Takeover: Attackers could potentially reuse an account verification link to gain
unauthorized access to newly created customer accounts. This could allow them to steal user
information, place fraudulent orders, or damage Shirtable's reputation.
Increased Attack Surface: Exposing the web.config file could provide attackers with valuable
insights into Shirtable's website configuration. This information could be used to launch further
attacks, such as targeted phishing campaigns against Shirtable employees.

MEDIUM
Limited Account Takeover: Attackers could potentially use the reflected XSS vulnerability to
steal session cookies or launch phishing attacks within the website. While the impact might be
limited to a single user account, it could still damage Shirtable's trust and reputation.
Degraded User Experience: XSS attacks can inject malicious scripts that disrupt the website's
functionality or display misleading information to users. This can significantly degrade the user
experience and discourage customers from using Shirtable's services.

INFORMATIONAL
The web.config file was found during an FFUF scan. Exposure of this file could allow attackers to steal sensitive data such as customer information, intellectual property, or financial records (Data Breach). Furthermore, attackers might exploit this issue to disrupt Shirtable's operations and prevent them from fulfilling orders (System Disruption). These incidents could severely damage Shirtable's reputation and erode customer trust (Reputational Damage).

7. High-Level Recommendations

Due to the critical and high-severity vulnerabilities discovered during the penetration testing,
immediate action is necessary to address these issues and significantly improve Shirtable - the
Shirt Maker's security posture.

● Prioritize Critical Vulnerabilities: The SQL injection vulnerability poses the most
significant threat, potentially leading to data breaches, service disruption, and even
ransomware attacks. Patching the application to address this vulnerability should be the
top priority.
● Remediate High-Severity Issues: Promptly address the account verification link
expiration issue to prevent potential account takeover scenarios. Additionally, secure the
web.config file by restricting access and implementing proper permission controls to
prevent unauthorized exposure of sensitive information.
● Mitigate Medium-Severity Risks: Remediate the reflected XSS vulnerability by
implementing proper input validation and sanitization techniques to prevent malicious
script injection. This will protect users from potential phishing attacks and ensure a
secure user experience.
● Continuous Security Measures: Implement a vulnerability management program to
regularly assess the web application for new vulnerabilities. Additionally, consider
security awareness training for employees to improve overall security posture and
prevent social engineering attacks.

By implementing these high-level recommendations, Shirtable - the Shirt Maker can significantly
reduce the risks associated with the identified vulnerabilities and enhance the overall security of
their web application. This will safeguard sensitive user data, prevent service disruptions, and
maintain user trust in their platform.

8. Methodology
This section details the methodology employed during the penetration testing of the Shirtable -
the Shirt Maker web application.

Testing Approach:

A manual penetration testing approach was adopted, adhering to the OWASP Testing Guide
(OWASP Top 10). This methodology emphasizes a structured, phased approach to identify and
exploit vulnerabilities in web applications.

Tools and Techniques:

The following open-source security tools were used throughout the testing process:

Burp Suite Community Edition: A comprehensive web application security testing platform
used for:
● Proxy interception to analyze and modify web traffic.
● Manual testing of functionalities and potential injection points.
● Automated scanning for common vulnerabilities.

FFUF (Fuzz Faster U Finer): A directory enumeration tool used to discover hidden directories
and files on the web server.

Nmap: A network scanner used to identify active hosts, ports, and services running on the
target web server. This information helped map the attack surface and understand the overall
network infrastructure.

SQLmap: An automated SQL injection exploitation tool.

9. Testing Phases

The testing process can be broken down into the following phases:

1. Reconnaissance: Gathering information about the target application, including technologies used, domain names, and IP addresses. Tools like Nmap and FFUF were potentially used in this phase.
2. Enumeration: Identifying functionalities, forms, and potential entry points for exploitation using Burp Suite and manual testing techniques.
3. Vulnerability Scanning: Utilizing Burp Suite's scanner to identify common web application vulnerabilities.
4. Exploitation: Manually exploiting identified vulnerabilities using tools like SQLmap and Burp Suite to confirm their existence and assess their impact.
5. Post-Exploitation: Evaluating the potential consequences of exploiting vulnerabilities and attempting to gain further access to the system.
6. Reporting: Documenting the findings, including details about identified vulnerabilities, proof-of-concept exploits, and recommendations for remediation.

10. Project Limitations
Testing Scope: The penetration testing was limited to the publicly accessible web application of
Shirtable - the Shirt Maker and the. Internal systems and infrastructure were excluded from the
scope.

Tool Limitations: Open-source tools have limitations in vulnerability detection compared to commercial solutions.

Time Constraints: The penetration testing was conducted within a predefined timeframe. A
more comprehensive assessment could potentially benefit from additional time allocation. This
would allow for a deeper exploration of identified vulnerabilities, further manual testing, and a
more exhaustive analysis of the target application.

11. Web Application Findings Details

SQL Injection Vulnerability (Critical)

Location: https://www.shirtable-theshirtmaker.com/product.php?id=casual

Severity: Critical

Impact: An attacker could exploit this vulnerability to inject malicious SQL code into the web
application's database queries. This could potentially lead to:

● Data Breach: Sensitive information stored in the database, such as customer names,
addresses, credit card details, and order history, could be accessed and stolen by
attackers.
● Data Manipulation: Attackers could modify or delete data within the database,
potentially disrupting Shirtable's operations and causing financial losses.
● Website Compromise: In a worst-case scenario, attackers could gain complete control
of the database server, leading to website downtime and a complete breakdown of
Shirtable's services.

Vulnerability Details: SQL injection vulnerabilities occur when user-supplied input is not
properly sanitized before being used in database queries. In this case, the id parameter in the
product.php script appears to be vulnerable. By injecting malicious SQL code into this
parameter, an attacker could potentially bypass security measures and manipulate database
queries.

Steps to Reproduce:

> Go to this URL: https://www.shirtable-theshirtmaker.com/product.php?id=casual

> Add the payload (' or 1=1;--) to the id parameter and search.

> You will see "You have an error in your SQL syntax" as the output.
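The pattern behind the product.php finding and its fix, as an added PHP example (not Shirtable's code; the products table, the category column, the id format and the connection details are assumptions):

```php
<?php
// Added example, not the site's code. Shows why concatenating the id
// parameter into SQL fails and how a parameterized query closes the issue.

// Never send database error text to the client: the report found the flaw
// because "You have an error in your SQL syntax" was reflected in the page.
ini_set('display_errors', '0');

// BEFORE: the raw id value becomes part of the SQL text. A value such as
// ' or 1=1;-- changes the query structure instead of being treated as data.
function productQueryVulnerable(mysqli $db, string $id)
{
    $sql = "SELECT name, price FROM products WHERE category = '" . $id . "'";
    return $db->query($sql);
}

// AFTER: reject anything that does not look like a category id, then bind
// the value so the database engine never parses it as SQL.
function productQuerySafe(PDO $db, string $id): array
{
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $id)) {   // assumed id format
        http_response_code(404);                       // fail closed
        return [];
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE category = :cat');
    $stmt->execute([':cat' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]);
    $rows = productQuerySafe($pdo, $_GET['id'] ?? '');
} catch (PDOException $e) {
    error_log($e->getMessage());   // log server-side, show a generic page
    http_response_code(500);
    $rows = [];
}
```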

Account Verification Link Not Expiring (High)

Location:
https://www.shirtable-theshirtmaker.com/confirm-email.php?id=ZjRkZDdiYThkZTk4ZjA5NzAzZDQ1MzIyM2NkMTMyNmVhNmUzZWNlZg==

Severity: High

Impact: An attacker could exploit this vulnerability to reuse a verification link intended for a
legitimate user. This could allow unauthorized account takeover and compromise the security of
user accounts.

Vulnerability Details: This vulnerability exists because the account verification link sent to
users does not expire after a certain time frame. An attacker who intercepts a verification link
could potentially use it later to gain access to the victim's account. This could allow them to steal
personal information, change account details, or perform other malicious actions.

Steps to Reproduce:

> Create an account; the website will send a verification link to the registered email address.
> Use the link to log in and verify the account.
> The verification link does not expire: it can be used again and again, and even after several days it still works.
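How a confirm-email.php link can be made to expire and to work only once, as an added PHP example (not the site's code; the email_verifications table, its columns and the 24-hour lifetime are assumptions):

```php
<?php
// Added example, not the site's code. Tokens are random, stored only as a
// hash, expire after 24 hours (assumed), and are consumed on first use.

// Called when the account is created; the returned token goes into the link.
function issueVerificationToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits, unguessable
    $stmt = $db->prepare(
        'INSERT INTO email_verifications (user_id, token_hash, expires_at, used_at)
         VALUES (:uid, :hash, DATE_ADD(NOW(), INTERVAL 24 HOUR), NULL)'
    );
    $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', $token)]);
    return $token;   // only the hash is in the DB, so a DB read alone is not a link
}

// Called by confirm-email.php?id=<token>. Returns the user id, or null when
// the token is unknown, expired, or already used.
function consumeVerificationToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                  // wrong shape, skip the DB
    }
    $db->beginTransaction();
    // FOR UPDATE (InnoDB assumed) stops two replays of the same link racing.
    $stmt = $db->prepare(
        'SELECT id, user_id FROM email_verifications
          WHERE token_hash = :hash AND used_at IS NULL AND expires_at > NOW()
          FOR UPDATE'
    );
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $db->rollBack();
        return null;
    }
    // Mark the token used and the account verified in the same transaction.
    $db->prepare('UPDATE email_verifications SET used_at = NOW() WHERE id = :id')
       ->execute([':id' => $row['id']]);
    $db->prepare('UPDATE users SET email_verified = 1 WHERE id = :uid')
       ->execute([':uid' => $row['user_id']]);
    $db->commit();
    return (int) $row['user_id'];
}
```

Verifying the email should not also log the user in; require the normal login afterwards so a replayed or leaked link never grants a session.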

Reflected XSS Vulnerability (Medium)

Location: https://www.shirtable-theshirtmaker.com/product.php?id=casual

Severity: Medium

Impact: A reflected XSS vulnerability allows attackers to inject malicious scripts into web pages
that are reflected back to the user's browser. These scripts can then be used to perform various
attacks, with the severity depending on the specific script and the context of the application.
Here are some potential impacts:

● Session Hijacking: An attacker can steal the user's session cookie and impersonate
them on the website. This could allow them to access the user's account information,
perform unauthorized actions, or even make fraudulent purchases.
● Data Theft: Malicious scripts can be used to steal sensitive data entered by users on the
website, such as login credentials, credit card information, or personally identifiable
information (PII).
● Account Takeover: Attackers might use stolen session cookies or other information
gleaned through XSS to gain complete control of a user's account.
● Malvertising: Attackers can inject scripts that redirect users to malicious websites or
display unwanted advertisements.
● Phishing Attacks: XSS can be used to create phishing attacks that appear to be
legitimate. These attacks can trick users into revealing sensitive information or clicking
on malicious links.
● Defacement: In some cases, attackers can use XSS to deface the website, displaying a
message or image of their choosing.

Vulnerability Details:

Reflected XSS vulnerabilities occur when user-supplied input is not properly sanitized before
being reflected back to the user's browser. This allows attackers to inject malicious scripts into
various parts of a web application, such as:

● Search queries
● Form fields
● URLs
● Comments

Steps to Reproduce:

> Go to the URL: https://www.shirtable-theshirtmaker.com/product.php?id=casual/

> Change the id parameter by injecting the XSS payload <a href="javas\x0Bcript:javascript:alert(1)" id="fuzzelement1">test</a>

> The reflected fragment test"> will be found in the output.
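The reflection behind this finding and the output-encoding fix, as an added PHP example (not the site's code; that product.php echoes the requested category into a heading, and the id format, are assumptions):

```php
<?php
// Added example, not the site's code. Shows the unencoded reflection and the
// context-aware encoding that stops injected markup from being rendered.

// BEFORE: the parameter is written into the page verbatim, so a value carrying
// markup (such as the <a href="..."> payload in the report) is parsed as HTML.
function renderHeadingVulnerable(string $id): string
{
    return '<h1>Products: ' . $id . '</h1>';
}

// AFTER: encode for the HTML context at the point of output. ENT_QUOTES also
// covers attribute values; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHeadingSafe(string $id): string
{
    return '<h1>Products: ' . e($id) . '</h1>';
}

// Defence in depth: a category id has a known shape, so anything else is
// rejected before it reaches the query or the page. This is the same
// allowlist check that also closes the SQL injection on this parameter.
function categoryOrNull(string $id): ?string
{
    return preg_match('/^[a-z0-9-]{1,32}$/', $id) ? $id : null;   // assumed format
}

// User input must never land in an href/src attribute without a scheme
// allowlist: encoding does not neutralise a javascript: URL, and the report's
// payload shows the scheme can be obfuscated with a control character.

// A Content-Security-Policy limits what an injected script could do should a
// reflection slip through elsewhere on the site.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$id = categoryOrNull($_GET['id'] ?? '') ?? 'casual';
echo renderHeadingSafe($id);
```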

Web.config File Misconfiguration (Informational)

Location: https://shirtable-theshirtmaker.com/web.config/

Impact:

● Information Disclosure: Sensitive data stored in the web.config file, such as connection
strings, database credentials, encryption keys, or API keys, can be accessed by
attackers. This information can be used to steal data, impersonate legitimate users, or
gain unauthorized access to systems.
● Functionality Exposure: The web.config file might contain configurations related to
application functionalities, security settings, or hidden features. Attackers can exploit
these configurations to bypass security measures, disrupt functionalities, or gain
unauthorized access.
● Denial-of-Service (DoS): In some cases, misconfiguration can lead to denial-of-service
attacks. For instance, if the web.config file exposes information on critical application
resources, attackers could target those resources to overload the system and cause
outages.

Vulnerability Details:

Web.config files are commonly used in ASP.NET applications to store configuration settings.
These files are often intended to be hidden from public access. However, due to
misconfiguration, they might be accessible through a web browser. Here are common causes of
web.config misconfiguration:

● Default Web.config File: By default, ASP.NET might create a sample web.config file in
the web application's root directory. This file contains examples of sensitive
configurations and should be removed from a production environment.
● Incorrect Access Control: The web server might be misconfigured to allow access to
the web.config file. Ideally, the server should be configured to restrict access to this file.
● Version Control Exposure: If the web.config file is accidentally added to a version
control system (like Git), its content might be publicly accessible through the version
control platform's repository.

Steps To Reproduce:

> We used the ffuf tool to find the web.config file. The command is:
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://shirtable-theshirtmaker.com/FUZZ --mc 200-299 -v

`-w /usr/share/wordlists/dirb/common.txt`: This specifies the wordlist to use for fuzzing.

`-u https://shirtable-theshirtmaker.com/FUZZ`: This is the URL to fuzz. The `FUZZ` keyword is replaced by each entry from the wordlist.

`--mc 200-299`: This tells FFUF to only show responses with HTTP status codes between 200 and 299.

`-v`: This enables verbose mode, which prints additional details about what the command is doing while it runs.

> You will see web.config in the output.
> Open the web.config file on https://shirtable-theshirtmaker.com/ (the location listed above) to view its contents.
