SECURITY ASSESSMENT REPORT
By Ayon Debnath
Certified Ethical Hacker || Penetration Tester
CONTENT PAGE
1. Executive Summary 2
2. Sub-domain list 3
3. Nmap Scan on main domain 4
4. Nikto Scan on main domain 5
5. SkipFish Scan on main domain 6
6. Security Header Scan 7-9
7. Burpsuite Scan 10-12
8. High Risk Vulnerabilities 13-15
9. Medium Risk Vulnerabilities 16-17
10. Conclusion 18
Executive Summary

This report summarizes the findings of vulnerability testing and bug hunting conducted against https://www.securitas.com and 10 of its sub-domains. The testing combined several methods: automated vulnerability scanning, manual penetration testing and a number of online tools.

The testing identified several classes of vulnerability across different sub-domains and directories: 2 high-risk findings and 2 medium-risk findings, plus many low-risk ones. The high-risk vulnerabilities represent the most serious threats to the organization's security and should be addressed as soon as possible. The report includes a description of each vulnerability.

Findings by severity:
High    2
Medium  2
Low     many
Main domain: www.securitas.com

Sub-domains (10):
1. intelligence.securitas.com
2. brand.securitas.com
3. mylearning.securitas.com
4. flow.securitas.com
5. solutionsportal.securitas.com
6. ssmd-dc.securitas.com
7. toolbox.securitas.com
8. support.solutions.securitas.com
9. projects.europe.securitas.com
10. airflow-ds.sis.securitas.com
Nmap Scan on main domain

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Cloudflare http proxy
|_http-server-header: cloudflare
|_http-title: Did not follow redirect to https://www.securitas.com/
443/tcp  open  ssl/http Cloudflare http proxy
|_http-title: securitas.com
| http-robots.txt: 3 disallowed entries
|_/Static/ /controllers/ /helpers/
|_http-server-header: cloudflare
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.securitas.com, DNS:sni.cloudflaressl.com
| Not valid before: 2022-10-14T00:00:00
|_Not valid after: 2023-10-14T23:59:59
8080/tcp open  http     Cloudflare http proxy
|_http-server-header: cloudflare
|_http-title: Attention Required! | Cloudflare
8443/tcp open  ssl/http Cloudflare http proxy
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.securitas.com, DNS:sni.cloudflaressl.com
| Not valid before: 2022-10-14T00:00:00
|_Not valid after: 2023-10-14T23:59:59
|_http-server-header: cloudflare
|_http-title: Attention Required! | Cloudflare

All four open ports are answered by Cloudflare's reverse proxy: the service banner and the Server header both read cloudflare, and the certificate is Cloudflare's shared sni.cloudflaressl.com certificate with www.securitas.com in its SAN list. This scan therefore fingerprints the CDN edge, not the origin server behind it. Ports 8080 and 8443 return Cloudflare's "Attention Required!" challenge page rather than site content, so they expose nothing beyond the edge itself.
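As an added example (not part of the original report), the following Python script parses the Nmap output above, embedded as a string so it runs offline, and applies the checks a reviewer would run on it: which ports are answered by Cloudflare's edge rather than the origin, whether the certificate covers the assessed hostname, and whether it was valid on the scan date. The scan date is taken from the Nikto timestamp later in the report; the parser is a simplified model of Nmap's normal-output format, not Nmap's own XML parser.

```python
"""Parse Nmap -sV/NSE normal output and run reviewer sanity checks on it.
Added example; NMAP_OUTPUT is the report's own scan text, embedded as a constant."""
import re
from datetime import datetime

NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Cloudflare http proxy
|_http-server-header: cloudflare
|_http-title: Did not follow redirect to https://www.securitas.com/
443/tcp open ssl/http Cloudflare http proxy
|_http-title: securitas.com
| http-robots.txt: 3 disallowed entries
|_/Static/ /controllers/ /helpers/
|_http-server-header: cloudflare
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.securitas.com, DNS:sni.cloudflaressl.com
| Not valid before: 2022-10-14T00:00:00
|_Not valid after: 2023-10-14T23:59:59
8080/tcp open http Cloudflare http proxy
|_http-server-header: cloudflare
|_http-title: Attention Required! | Cloudflare
8443/tcp open ssl/http Cloudflare http proxy
| ssl-cert: Subject: commonName=sni.cloudflaressl.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:www.securitas.com, DNS:sni.cloudflaressl.com
| Not valid before: 2022-10-14T00:00:00
|_Not valid after: 2023-10-14T23:59:59
|_http-server-header: cloudflare
|_http-title: Attention Required! | Cloudflare
"""
SCAN_DATE = datetime(2023, 7, 2)   # assessment date, from the Nikto timestamp in the report
TARGET_HOST = "www.securitas.com"

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return {port: {proto, state, service, version, scripts}} where scripts maps an
    NSE script/field name to the list of its output lines (continuations included)."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3), "service": m.group(4),
                              "version": m.group(5).strip(), "scripts": {}}
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()          # drop the "| " / "|_" tree prefix
        key, sep, value = body.partition(": ")     # "name: value" lines start a new field
        scripts = ports[current]["scripts"]
        if sep:
            scripts.setdefault(key, []).append(value)
        elif scripts:                               # continuation line of the previous field
            scripts[list(scripts)[-1]].append(body)
    return ports

def is_cdn_fronted(info):
    """True when banner or Server header show Cloudflare answering instead of the origin."""
    server = " ".join(info["scripts"].get("http-server-header", [])).lower()
    return "cloudflare" in info["version"].lower() or server == "cloudflare"

def cert_window(info):
    """(not_before, not_after) from the ssl-cert script, or None if no certificate was seen."""
    before = info["scripts"].get("Not valid before", [None])[0]
    after = info["scripts"].get("Not valid after", [None])[0]
    return (datetime.fromisoformat(before), datetime.fromisoformat(after)) if before and after else None

def cert_covers(info, hostname):
    """True if hostname appears as a DNS entry in the certificate's SAN list."""
    sans = " ".join(info["scripts"].get("Subject Alternative Name", []))
    return hostname in [n.strip().removeprefix("DNS:") for n in sans.split(",") if n.strip()]

def review(text, hostname, today):
    ports, notes = parse_nmap(text), []
    for port, info in sorted(ports.items()):
        if is_cdn_fronted(info):
            notes.append(f"{port}: answered by the Cloudflare edge, not the origin")
        window = cert_window(info)
        if window and not cert_covers(info, hostname):
            notes.append(f"{port}: certificate does not cover {hostname}")
        if window and not (window[0] <= today <= window[1]):
            notes.append(f"{port}: certificate outside its validity window")
    return ports, notes

def review_report():
    """Run the checks against the embedded report output."""
    return review(NMAP_OUTPUT, TARGET_HOST, SCAN_DATE)

if __name__ == "__main__":
    for note in review_report()[1]:
        print(note)
```

Running it prints one "answered by the Cloudflare edge" note per port and no certificate notes, which is the reviewer's conclusion: nothing in this scan describes the origin host, and the certificate is Cloudflare's shared one, valid and covering www.securitas.com on the scan date.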
Nikto Scan on main domain

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 104.18.24.154
+ Target Hostname: 104.18.24.154
+ Target Port: 80
+ Start Time: 2023-07-02 12:02:03 (GMT6)
---------------------------------------------------------------------------
+ Server: cloudflare
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ All CGI directories 'found', use '-C none' to test none
+ /cdn-cgi/trace: Retrieved access-control-allow-origin header: *.
+ /cdn-cgi/trace: Cloudflare trace CGI found, which may leak some system information.
+ 26662 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2023-07-02 12:18:25 (GMT6) (982 seconds)
---------------------------------------------------------------------------

Note that the scan was pointed at the Cloudflare IP on port 80 rather than at the www.securitas.com hostname, so the responses (Server: cloudflare, the /cdn-cgi/trace endpoint) describe Cloudflare's edge rather than the origin application; /cdn-cgi/trace is Cloudflare's standard diagnostic endpoint and is present on every Cloudflare-proxied site. The one finding that concerns the application's own response headers is the missing X-Content-Type-Options header.
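The Nikto findings above are response-header checks, so here is an added example (not part of the original report) that performs the same checks offline: it parses a raw HTTP/1.1 response, reports the hardening headers that are missing or weakly set, and flags a wildcard Access-Control-Allow-Origin like the one seen on /cdn-cgi/trace. Both responses are constructed samples; the first mirrors what Nikto observed, the second shows the same response with the headers set.

```python
"""Audit an HTTP response for missing hardening headers and over-permissive CORS.
Added example, not part of the original report; both responses are constructed."""

# Constructed sample: mirrors the Nikto observations (Server: cloudflare,
# no X-Content-Type-Options, Access-Control-Allow-Origin: *).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: cloudflare\r\n"
    b"Content-Type: text/plain\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"\r\n"
    b"fl=123\nh=example.test\nip=203.0.113.5\n"
)

# Constructed sample: the same response with the usual hardening headers set.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: cloudflare\r\n"
    b"Content-Type: text/plain\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'none'\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"\r\n"
    b"ok\n"
)

# Header -> predicate its value must satisfy to count as properly set.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "content-security-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: bool(v.strip()),
}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers are kept as a list of values."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def audit_headers(raw: bytes):
    """Return a list of findings; an empty list means every check passed."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, ok in REQUIRED.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif not all(ok(v) for v in values):
            findings.append(f"weak {name}: {values}")
    if "*" in headers.get("access-control-allow-origin", []):
        # A wildcard origin is acceptable only for public, non-sensitive data; on an
        # endpoint that reflects request-specific details it lets any site read them.
        findings.append("cors: access-control-allow-origin is *")
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "no findings")
```

The predicates deliberately check values, not just presence: a Strict-Transport-Security header without max-age, or X-Content-Type-Options set to anything but nosniff, is reported as weak rather than passed.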
SkipFish Scan on main domain

(scan output shown as an image in the slides; not reproduced in text)

Security Header Scan on main domain and subdomain

(scan output shown as images in the slides; not reproduced in text)
Burpsuite Scan on main domain and subdomain

Using Burp Suite I found a few vulnerabilities. Here we found two high-risk vulnerabilities, SQL injection and client-side desync, on different sub-domains. I also found two medium-risk vulnerabilities in different directories on 3/4 sub-domains: HTTP request smuggling and a TLS certificate problem.

The table below shows the issues identified in each category. Issues are classified according to severity as High, Medium, Low or Information; this reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative; this reflects the inherent reliability of the technique that was used to identify the issue.

Severity  Issue
High      SQL injection
High      Client-side desync
Medium    HTTP request smuggling
Medium    TLS certificate problem
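Two of the four Burp findings, HTTP request smuggling and client-side desync, share one root cause: two components disagree about where a request's body ends. As an added illustration of that mechanism (not taken from the report and not an exploit of the assessed systems), the script below models a front-end that honours Content-Length and a back-end that honours Transfer-Encoding: chunked, feeds both the same constructed CL.TE request against a hypothetical host example.test, and shows that the back-end sees a second request the front-end never saw. Client-side desync is the same disagreement with the victim's browser in the front-end role. The final function is the fix a server should apply: refuse the ambiguous request instead of guessing.

```python
"""Model of the parsing disagreement behind HTTP request smuggling / client-side desync.
Added example, not from the report; the request is constructed and both parsers
are deliberately simplified models, not real server code."""

# Constructed CL.TE request. By Content-Length the body is 13 bytes ("0\r\n\r\nSMUGGLED");
# by chunked encoding the body ends at the zero-size chunk and "SMUGGLED" is left
# over as the start of a second request.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

def parse_headers(head: bytes):
    """Return {lower-cased name: value} for a header block (request line excluded)."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers

def split_by_content_length(stream: bytes):
    """Model of a front-end that honours Content-Length and ignores Transfer-Encoding."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:                      # trailing bytes with no complete header block
            requests.append(head)
            break
        n = int(parse_headers(head).get("content-length", "0"))
        requests.append(head + sep + rest[:n])
        stream = rest[n:]
    return requests

def split_by_chunked(stream: bytes):
    """Model of a back-end that honours Transfer-Encoding: chunked when present."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            requests.append(head)
            break
        headers = parse_headers(head)
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body = b""
            while True:                  # consume chunks up to and including the zero chunk
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)
                body += size_line + b"\r\n" + rest[:size + 2]
                rest = rest[size + 2:]
                if size == 0:
                    break
        else:
            n = int(headers.get("content-length", "0"))
            body, rest = rest[:n], rest[n:]
        requests.append(head + sep + body)
        stream = rest
    return requests

def is_ambiguous(request: bytes) -> bool:
    """Hardened front-end check: a request carrying both Content-Length and
    Transfer-Encoding is ambiguous by construction. RFC 7230 section 3.3.3 says such
    a message ought to be handled as an error, so reject it (400) rather than guess."""
    headers = parse_headers(request.partition(b"\r\n\r\n")[0])
    return "content-length" in headers and "transfer-encoding" in headers

if __name__ == "__main__":
    print("front-end sees", len(split_by_content_length(CL_TE_REQUEST)), "request(s)")
    print("back-end sees", len(split_by_chunked(CL_TE_REQUEST)), "request(s)")
    print("reject as ambiguous:", is_ambiguous(CL_TE_REQUEST))
```

The same disagreement with the roles reversed (front-end honours Transfer-Encoding, back-end honours Content-Length) is the TE.CL variant; the is_ambiguous check catches both, because it rejects on the presence of both headers rather than on which one wins.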
High Risk Vulnerabilities

- https://projects.europe.securitas.com/vpn/js/rdx.js (High Risk)
- https://mylearning.securitas.com (High Risk)

Medium Risk Vulnerabilities

- https://solutionsportal.securitas.com/ (Medium Risk)
- https://airflow-ds.sis.securitas.com/ (Medium Risk)

(finding details shown as Burp Suite screenshots in the slides; not reproduced in text)
Conclusion

In conclusion, the vulnerability testing conducted on the https://www.securitas.com/ systems, applications and networks has identified significant security weaknesses. These vulnerabilities could potentially lead to unauthorized access, data breaches and service disruptions. It is crucial that https://www.securitas.com take immediate action to address the high-severity vulnerabilities, as they pose the greatest risk.

Additionally, educating employees on secure practices, establishing an incident response plan, and regularly updating security controls are vital steps to ensure ongoing protection against emerging threats.

By following these recommendations and maintaining a proactive approach to security, https://www.securitas.com/ can significantly improve its security posture and maintain the trust of its stakeholders.

Remember, vulnerability management is an ongoing process, and it is important to regularly reassess and update security measures to stay ahead of potential threats.
