Pentest Report
Report detailing the findings, vulnerabilities, potential risks and impact on the system, along with recommendations for enhancing security policies, procedures and awareness programs for ongoing improvement.
Task
I will be testing the website https://pentest-ground.com:81, its ports and its network using https://app.pentest-tools.com to conduct the scans. I will then write a report listing the vulnerabilities identified, the risks they pose and recommendations on how to harden the system.
Website scanner findings
The vulnerability is the insecure cookie setting: missing Secure flag. The risk is that without this flag the browser will also send the session cookie over unencrypted, clear-text HTTP, so a hacker who can observe the communication between the client and the server can capture the session token and gain unauthorised access to the target's web session. It is advisable to set the Secure flag on session cookies so that the browser only ever sends the session token over an encrypted HTTPS connection.
The vulnerability is the insecure cookie setting: missing HttpOnly flag. The risk is that a hacker who can inject malicious JavaScript into the page through an XSS attack can read the session cookie from that script and use it to gain unauthorised access to the target's web session. It is advisable to set the HttpOnly flag on session cookies so that the session token cannot be read by client-side scripts and is only ever sent by the browser with its HTTP requests.
The vulnerability is the outdated jQuery version 3.4.1. The risk is that this version of jQuery allows hackers to execute untrusted code, even after the input value has been sanitised. It is advisable to upgrade to jQuery 3.5.0, which contains the patch for this vulnerability.
The vulnerability is the missing security header: Referrer-Policy. The risk is that when a user clicks a link and is taken to a different site, the browser sends the full originating URL in the Referer header to the site being visited, e.g. a third party such as Google. This allows that third party to track the user's movement from one website to another, and such browsing history is sensitive information if it ends up in the hands of a hacker who wants to understand the user's online habits. It is advisable to configure the Referrer-Policy header on the server side to no-referrer, which omits the Referer header completely.
The vulnerability is the missing security header: Strict-Transport-Security. The risk is that without this header the connection to the server may fall back to clear-text HTTP, and a hacker can extract information such as the session cookie to hijack a session, bypassing authentication. The header informs the browser that it should never load the site over unencrypted HTTP and should automatically convert every attempt to access the site over HTTP into an HTTPS request, which prevents man-in-the-middle attacks. It is advisable to include the Strict-Transport-Security header in each HTTPS response with a max-age of over 7,776,000 seconds (several months). The recommended syntax is
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
where includeSubDomains extends the policy to all sub-domains.
The vulnerability is the missing security header: Content-Security-Policy. The risk is that the application is open to cross-site scripting (XSS). An example is a user entering text that contains a malicious script which influences what the webpage loads, e.g. malicious content on a trusted website such as a fake login form that redirects the victim to a malicious website or collects sensitive details. It is advisable to set the Content-Security-Policy header in the server's responses or in an HTML meta tag. This allows the website administrator to control which resources the user agent is allowed to load on a page: if the page loads a resource from one of the specified image, font, media, etc. sources it is permitted, otherwise it is blocked and not loaded.
The vulnerability is the missing security header: X-Content-Type-Options. The risk is that the application is open to cross-site scripting (XSS) or phishing attacks. When the website administrator has not set the content type of a response, the browser performs media type (multipurpose Internet mail extensions, MIME) sniffing on the content to guess its type before loading or executing it; without this sniffing, content served without a type would not load at all. The downside of this automatic sniffing is that the browser may decide that a file served as a JPEG is actually HTML and execute it. This can happen when malicious script is hidden in a file that is not served with the proper JPEG content type, so the browser sniffs the file content, finds HTML and runs it. In this case it is better not to load the malicious content than to keep the site working. It is advisable to include the header X-Content-Type-Options: nosniff, which tells the browser to honour the declared content type and never sniff.
The vulnerability is that the server software and technology are disclosed. The risk is that a hacker may be able to make use of this information: if the software is outdated and not patched, the hacker can look up and exploit its known vulnerabilities. It is advisable to conceal or remove as much identifiable information as possible about the software in use from the HTTP server headers and HTML meta information, so that the hacker does not learn the weaknesses of the software.
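As an added example, not part of the original report and not code from the pentest-tools.com scanner, the following Python script checks a raw HTTP response for the cookie flags and security headers discussed in the findings above (Secure and HttpOnly, Strict-Transport-Security with the recommended max-age and includeSubDomains, Content-Security-Policy, X-Content-Type-Options: nosniff, Referrer-Policy) and for Server/X-Powered-By disclosure. The two sample responses are constructed for illustration, not captured from the target, and the 7,776,000-second max-age floor is the figure the report recommends.

```python
import re

# Constructed sample responses (not captured from the target): one with the weak
# settings the scanner findings describe, one with the recommended hardening applied.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleHTTPd/1.2.3
X-Powered-By: ExampleLang/4.5
Content-Type: text/html; charset=UTF-8
Set-Cookie: SESSIONID=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""

# 7,776,000 seconds (90 days) is the floor the report recommends exceeding.
MIN_HSTS_MAX_AGE = 7_776_000


def parse_headers(raw):
    """Return (status_line, headers); headers maps lowercase name -> list of values."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cookie_findings(headers):
    """Flag every Set-Cookie that lacks the Secure or HttpOnly attribute."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly flag")
    return findings


def hsts_findings(headers):
    """Check presence, max-age floor and includeSubDomains on the HSTS header."""
    values = headers.get("strict-transport-security")
    if not values:
        return ["missing Strict-Transport-Security header"]
    value = values[0]
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


def audit_response(raw):
    """Return the list of findings for one raw HTTP response; empty means clean."""
    _, headers = parse_headers(raw)
    findings = cookie_findings(headers) + hsts_findings(headers)
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy header")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy header")
    for disclosing in ("server", "x-powered-by"):
        if disclosing in headers:
            findings.append(f"{disclosing} header discloses {headers[disclosing][0]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(raw) or 'no findings'}")
```

Running the script against a real site would mean feeding it the raw response from a tool such as curl -i; the check only inspects headers, so it says nothing about the rest of the page.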
The vulnerability is the missing security.txt file at https://pentest-ground.com:81/.well-known/. This file is the standard location for publishing how vulnerabilities and security issues should be reported so that they can be triaged and patched. Without this process in place, one can argue that the security process is weak and that there is no coordinated effort in defending the server. It is advisable to create a security.txt file with the contact details for reporting vulnerabilities, and to document any vulnerabilities reported through it and log their remediation.
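As an added example, not part of the original report, the following Python code builds a minimal security.txt in the RFC 9116 format and validates one: Contact and Expires are the two mandatory fields, Contact values must be URIs (mailto:, https:// or tel:), Expires must appear exactly once, must not be in the past and should be less than a year away. The contact address, policy URL and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Field names from RFC 9116; Contact and Expires are the two mandatory ones.
REQUIRED_FIELDS = ("Contact", "Expires")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 9116 timestamps are ISO 8601; this is the UTC form


def build_security_txt(contact, expires, policy=None, canonical=None):
    """Render a minimal security.txt with a UTC Expires timestamp."""
    lines = [f"Contact: {contact}", f"Expires: {expires.strftime(TIMESTAMP_FORMAT)}"]
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    return "\n".join(lines) + "\n"


def validate_security_txt(text, now):
    """Return a list of problems with the file; an empty list means it is acceptable."""
    problems = []
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"malformed line: {line!r}")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    for field in REQUIRED_FIELDS:
        if field not in fields:
            problems.append(f"missing required field: {field}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.strptime(expires[0], TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not a UTC timestamp of the form {TIMESTAMP_FORMAT}")
        else:
            if when <= now:
                problems.append("Expires is in the past: the file is stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


# Constructed reference time and files for demonstration (placeholder domain).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD_FILE = build_security_txt(
    "mailto:security@example.com",
    NOW + timedelta(days=180),
    policy="https://example.com/security-policy",
    canonical="https://example.com/.well-known/security.txt",
)
STALE_FILE = build_security_txt("mailto:security@example.com", NOW - timedelta(days=1))

if __name__ == "__main__":
    print(GOOD_FILE)
    print("good file problems:", validate_security_txt(GOOD_FILE, NOW))
    print("stale file problems:", validate_security_txt(STALE_FILE, NOW))
```

The file belongs at /.well-known/security.txt and must be served over HTTPS; the validator deliberately treats an expired file as a finding, because a stale contact is little better than no file at all.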
The vulnerability is that the HTTP OPTIONS method is enabled. The risk is that clear-text communication is prone to eavesdropping attacks, resulting in credentials and session tokens being revealed. It is advisable to disable the HTTP OPTIONS method in the web server configuration.
Port scanner findings
Ports 80, 81 and 443, and the HTTP or HTTPS services on them, are exposed and can be exploited. A hacker can use network scanners such as nmap and Metasploit to scan the specified ports and retrieve information and files about the system. It is advisable to protect the network through network segmentation or a demilitarised zone for external-facing services, so that even if a hacker gets in through a port, the intrusion is contained within the isolated network. These ports are well-known ones in regular use, but as a general rule, close any unused ports. A firewall can be configured to block unauthorised IP addresses from accessing the ports. Moving services from their standard port numbers to random ones obfuscates them, so hackers need to spend more time working out which port accepts which type of data, which frustrates their reconnaissance.
Network scanner findings
The vulnerability is that the SSH service is exposed to the Internet. The risk is that the login portal is open to attacks such as password guessing. It is advisable to use multi-factor authentication. Allowing network administrators to log in only from approved geolocations and IP addresses makes it harder for hackers in a suspicious location to log in. Using a virtual private network instead of directly exposed SSH keeps the authentication private.
The vulnerability is the outdated jQuery version 3.4.1, as described previously.
The vulnerability is that the IP address information, location and autonomous system number are in the public domain. The risk is that hackers can research the region to better plan physical or cyber disruption in that area, such as bringing down power and critical infrastructure to cause an outage, leading to downtime of the website. It is advisable to keep abreast of regional security news, monitor network traffic and encrypt data.
The vulnerability is that the DNS records are public information. The risk is that hackers can use the information to identify domains. Usually, live domains are monitored diligently by the company, but old and unused domains are neglected and forgotten. If a hacker finds a DNS record containing old information, it might lead them to a legacy domain that is not protected and may be an entry point into the network. It is advisable to keep the DNS records clean and up to date and to remove obsolete records.
The vulnerability is the web redirection from port 80 to port 443. The risk is that scanning is not in place on port 443. It is advisable to scan all open ports and incoming data, and to scan again if the data is redirected.
The vulnerability is that there are six open ports. The risk is that the number of open ports determines the size of the attack surface. To reduce the attack surface, it is advisable to close disused ports.
The vulnerability is the exposure of information about the server software and technologies. The risk is that hackers can write malicious code targeted at those technologies. It is advisable to conceal the information in the HTTP server headers, HTML meta information, etc., as discussed previously.