
Data with Beau

Pentest Report

Report detailing the findings, vulnerabilities, potential risks and impact on the system, along with recommendations for enhancing security policies, procedures and awareness programmes for ongoing improvement.


Task

I will be testing the website https://pentest-ground.com:81, its ports and its network, using https://app.pentest-tools.com to conduct the scans. I will then write a report of the vulnerabilities identified, the risks, and recommendations on how to harden the system.

Website scanner findings

The vulnerability is the insecure cookie setting: missing Secure flag. The risk is that if the session cookie is sent over a clear-text connection between the client and server, a hacker can capture the session token and gain unauthorised access to the target's web session. It is advisable to set the Secure flag on cookies so that the browser only sends the session token over an encrypted HTTPS connection.

The vulnerability is the insecure cookie setting: missing HttpOnly flag. The risk is that a hacker can inject malicious JavaScript into the page using an XSS attack, read the session cookie and gain unauthorised access to the target's web session. It is advisable to set the HttpOnly flag on cookies so that the session token is not exposed to JavaScript running in the page.

The vulnerability is the outdated jQuery 3.4.1 version. The risk is that this version of jQuery allows hackers to execute untrusted code even after the input value has been sanitised. It is advisable to upgrade to jQuery 3.5.0, which contains the patch for this vulnerability.

The vulnerability is the missing security header: Referrer-Policy. The risk is that when a web link is clicked and the user is taken to a different page, the browser sends the full originating URL in the Referer header to the browser company, e.g. Google. This allows the company to track the user's online movement from one website to another, and it is considered sensitive information if left in the hands of a hacker who wants to understand the user's online habits. It is advisable to configure the Referrer-Policy header on the server side as no-referrer, which omits the Referer header completely.

The vulnerability is the missing security header: Strict-Transport-Security. The risk is that without this header the connection to the server may fall back to clear-text HTTP, and a hacker can extract information such as a session cookie to hijack a session, bypassing authentication. The header informs the browser that it should never load the site over unencrypted HTTP and should automatically convert every attempt to access the site over HTTP into an HTTPS request, which prevents man-in-the-middle attacks. It is advisable to include the Strict-Transport-Security header in every HTTPS response with a max-age of over 7,776,000 seconds, i.e. several months. The recommended syntax is Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload, where includeSubDomains applies Strict-Transport-Security to the sub-domains as well.

The vulnerability is the missing security header: Content-Security-Policy. The risk is that the application is open to cross-site scripting (XSS). An example is a user entering text that contains a malicious script which influences what the webpage loads, e.g. malicious content on a trusted website such as a fake login form that redirects the victim to a malicious website or collects sensitive details. It is advisable to send the Content-Security-Policy header in the server's responses or to set it in an HTML meta tag. This lets the website administrator control which resources the user agent is allowed to load on a page: if the dynamic webpage loads from the specified image source, font source, media source, etc., the load is permitted; otherwise it is blocked and not loaded.

The vulnerability is the missing security header: X-Content-Type-Options. The risk is that the application is open to cross-site scripting (XSS) or phishing attacks. When the website administrator has not set the content type and the response is fed to the browser, the browser performs media type (MIME, multipurpose Internet mail extensions) sniffing to determine the content type before executing or loading the content. Without this sniffing, a response whose type the administrator has not set would not load. The downside of automated sniffing is that the browser may decide a JPEG file is HTML and execute it. This can happen when a malicious script is hidden in a JPEG file that does not have the proper JPEG content type configured: the browser sniffs the file content and treats it as HTML. In this case it is better not to load the malicious content than to crash the site. It is advisable to include X-Content-Type-Options: nosniff.

The vulnerability is that the server software and technology are disclosed. The risk is that a hacker may be able to make use of this information. It is advisable to conceal or remove as much identifiable information as possible about the software in use from the HTTP server headers and HTML meta information, so the hacker does not learn the weaknesses of the software. For example, if the software is outdated and not patched, the hacker will exploit the known vulnerability.
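The cookie and header findings above all come down to a handful of checks on a single HTTP response. The following audit script is an added example written for this report; it is not code from the author or from pentest-tools.com. It parses a raw response, flags cookies without Secure or HttpOnly, checks for the Referrer-Policy, Strict-Transport-Security (with the 7,776,000-second max-age threshold recommended above), Content-Security-Policy and X-Content-Type-Options headers, and reports software disclosure in Server or X-Powered-By. The two responses are constructed samples, not captures from pentest-ground.com.

```python
"""Audit an HTTP response's cookie flags and security headers.

Added example for this report. The checks mirror the findings above; the
sample responses are constructed, not captured from the target.
"""
import re
from typing import List, Tuple

HSTS_MIN_AGE = 7_776_000  # seconds; the threshold recommended in the report

# Constructed sample of the kind of response the scanner flagged.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

# Constructed sample of the same response after applying the recommendations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)


def parse_raw_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and lower-cased (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag every Set-Cookie that lacks the Secure or HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly flag")
    return findings


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Check for the security headers the report recommends and for software disclosure."""
    present = {}
    for name, value in headers:
        present.setdefault(name, value)  # first occurrence wins
    findings = []
    if "referrer-policy" not in present:
        findings.append("missing Referrer-Policy (recommend no-referrer)")
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age below {HSTS_MIN_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    if "content-security-policy" not in present:
        findings.append("missing Content-Security-Policy")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for h in ("server", "x-powered-by"):
        if present.get(h):
            findings.append(f"{h} header discloses software: {present[h]}")
    return findings


def audit_response(raw: str) -> List[str]:
    """Run both audits over a raw response and return the combined findings."""
    _, headers = parse_raw_response(raw)
    return audit_cookies(headers) + audit_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

Pointing the script at a real response means capturing the raw headers (for example with a browser's developer tools or curl -i) and passing the text to audit_response; the hardened sample shows the full set of headers a clean run expects.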

The vulnerability is the missing security.txt file at https://pentest-ground.com:81/.well-known/. This file is a central location for reporting vulnerabilities and security issues so that they can be triaged and patched. Without this process in place, one can argue that the security process is weak and there is no coordinated effort to defend the server. It is advisable to create a security.txt file to document any vulnerabilities identified and log any remediation.

The vulnerability is that the HTTP OPTIONS method is enabled. The risk is that clear-text communication is prone to eavesdropping attacks, resulting in credentials and session tokens being revealed. It is advisable to disable the HTTP OPTIONS method in the web server configuration.

Port scanner findings

Ports 80, 81 and 443 and their HTTP or HTTPS services are exposed and can be exploited. A hacker can use network scanners such as nmap and Metasploit to scan the specified ports and retrieve information and files about the system. It is advisable to protect the network through network segmentation or a demilitarised zone that faces the outside, so that even if a hacker reaches a port, the intrusion is contained within the isolated network. These ports are well-known ones in regular use, but as a general rule, close any unused ports. A firewall can be configured to block unauthorised IP addresses from accessing the ports. Changing a service from its standard port to a random one obfuscates the ports: hackers then need to spend more time working out which port accepts which type of data, which frustrates their reconnaissance.

Network scanner findings

The vulnerability is that the SSH service is exposed to the Internet. The risk is that the login portal is open to attacks such as password guessing. It is advisable to use multi-factor authentication. Allowing network administrators to log in only from approved geolocations and IP addresses makes it harder for hackers in a suspicious location to log in. Using a virtual private network rather than exposing SSH directly keeps the authentication private.

The vulnerability is the outdated jQuery 3.4.1 version as described previously.

The vulnerability is that the IP information, location and autonomous system number are in the public domain. The risk is that hackers can research the region in order to cause physical or cyber disruption in that area, such as bringing down power and critical infrastructure to cause an outage, leading to downtime of the website. It is advisable to keep abreast of regional security news, monitor network traffic and encrypt data.

The vulnerability is that the DNS records are public information. The risk is that hackers can use them to identify domains. Live domains are usually monitored diligently by the company, but old and unused domains are neglected and forgotten. If a hacker finds a DNS record that contains old information, it may lead them to an unprotected legacy domain that serves as an entry point into the network. It is advisable to keep the DNS records clean and up to date and to remove obsolete records.

The vulnerability is the web redirection from port 80 to port 443. The risk is that scanning is not in place on port 443. It is advisable to scan all open ports and incoming data, and to scan again if the data is redirected.

The vulnerability is that there are six open ports. The risk is that the number of open ports determines the size of the attack surface. To reduce the attack surface, it is advisable to close disused ports.
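A practical way to act on the port findings above is to keep an approved baseline of ports per host and diff each new scan against it, so that a port that appears without a change request becomes a finding rather than noise. The script below is an added example written for this report, not code from the author or from nmap. It parses nmap's grepable (-oG) output format; the scan line is a constructed sample in which ports 80, 81 and 443 are the ones named in the report, while 22, 8080 and 8443 and the host address 203.0.113.10 are assumed for illustration.

```python
"""Count open ports per host from nmap -oG output and diff them against a baseline.

Added example for this report. SAMPLE_GNMAP is a constructed scan line: ports
80, 81 and 443 come from the report; the host and the other ports are assumed.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "81/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, "
    "8443/open/tcp//https-alt///, 25/filtered/tcp//smtp///\n"
    "# Nmap done (constructed sample)\n"
)

# One -oG port entry is port/state/protocol/owner/service/rpc-info/version/ ;
# this pattern captures the first five fields.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, protocol, service), ...]} for ports in the open state."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = [
            (int(port), proto, service)
            for port, state, proto, _owner, service in PORT_RE.findall(ports_field)
            if state == "open"
        ]
        hosts.setdefault(host, []).extend(open_ports)
    return hosts


def attack_surface(text: str) -> Dict[str, int]:
    """Number of open ports per host, the figure the report uses as its measure of exposure."""
    return {host: len(ports) for host, ports in parse_gnmap(text).items()}


def unexpected_ports(text: str, baseline: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Open ports that are not in the approved baseline for their host."""
    result: Dict[str, Set[int]] = {}
    for host, ports in parse_gnmap(text).items():
        extra = {port for port, _, _ in ports} - baseline.get(host, set())
        if extra:
            result[host] = extra
    return result


if __name__ == "__main__":
    # Baseline: only the web ports the report discusses are approved (constructed policy).
    approved = {"203.0.113.10": {80, 81, 443}}
    print("open ports per host:", attack_surface(SAMPLE_GNMAP))
    print("not in baseline:", unexpected_ports(SAMPLE_GNMAP, approved))
```

Filtered and closed ports are deliberately left out of the count, since only listening services add to the attack surface; the baseline dictionary is the place to record which of the remaining ports have a business justification.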

The vulnerability is the exposed information about the server software and technologies. The risk is that hackers can write malicious code that targets those technologies. It is advisable to conceal the information in the HTTP server headers, HTML meta information, etc., as discussed previously.