Continuous Vulnerability Assessment Platform
Web Application Penetration Test Report
Whistleblow
22 Oct 2022
Confidential Copyright © 2022 Beagle Security I
Copyright
The copyright in this work is vested to Beagle Security and the document
is issued in confidence for the purpose to which it is supplied. If you are
not the intended recipient, be aware. Any disclosure, copying or
distribution of this document without the prior consent of Beagle Security
is prohibited. If found so, you will be open to legal actions.
© Beagle Security
Email : info@beaglesecurity.com
PH : +91 807 800 9000
Document Details
Completed On : 22 Oct 2022
Approved By : Rejah, CISO
Approved On : 22 Oct 2022
* This report was generated on 22 Oct 2022
Table of Contents
1 Introduction 1
2 Executive Summary 2
2.1 Catalog 2
2.2 Graphical Summary 2
2.3 Tabular Summary 2
2.4 OWASP Top 10 Summary 3
3 Application Info 4
3.1 Domain Details 4
3.2 SSL Details 4
4 Technical Summary 5
4.1 Detailed Technical Report 5
4.1.1 X-XSS-Protection header not implemented 5
4.1.2 Google API Key found 5
4.1.3 BREACH Attack 6
4.1.4 Email Address Disclosure 7
5 Conclusion 9
1. Introduction
This report documents the results of penetration testing performed on https://app.whistleblow.ro using Beagle Security. The purpose of this penetration test is to find all the open vulnerabilities present in the application and to identify how deeply it can be penetrated by an attacker.
Beagle Security automates the penetration testing process under human supervision. It uses a meticulously planned and phased approach to find all the open vulnerabilities in the application under test. The platform splits the whole penetration testing process into four phases: vulnerability scanning, vulnerability exploitation & penetration, report preparation, and manual verification & sign-off.
Beagle Security maintains an up-to-date repository of the latest vulnerabilities and their test cases. It ensures that the application under test doesn't leave any unidentified loopholes or exploits through which the security of the application could be compromised.
Using Beagle Security, your organization can adopt a DevSecOps approach to keep track of application security continuously across its different release cycles. This report plays an important role in improving knowledge of your application's security posture (both for executive management and for the development team).
The next section provides the managerial team with a summary of all the key findings and the impact they will have on your business. Section three provides the technical team with a detailed report of individual vulnerabilities along with the mitigation procedures. The detailed report generated by Beagle Security will help your development team to improve the overall security of the application.
2. Executive Summary
The executive summary section provides you with charts, tables and graphs to give you a better understanding of all the vulnerabilities present in the application, based on their status and severity. The severity of each vulnerability is calculated from its occurrence, frequency and impact on the application. By examining the graphs generated by Beagle Security, you can see the current level of the application's security and the areas for improvement.
2.1 Catalog
Status : Count
New : 0
Not Fixed : 1
Reopened : 0
Fixed : 3
2.2 Graphical Summary
Vulnerability Distribution : Critical (0.0%), High (0.0%), Medium (0.0%), Low (100.0%), Very Low (0.0%)
Overall Risk Score : 8 (Good)
2.3 Tabular Summary
Category : Count
Critical : 0
High : 0
Medium : 0
Low : 1
Very Low : 0
2.4 OWASP Top 10 Summary
Sl No | ID | Test | Risk
1 | A1 | Broken Access Control | Very Low
2 | A2 | Cryptographic Failures | Very Low
3 | A3 | Injection | Very Low
4 | A4 | Insecure Design | Very Low
5 | A5 | Security Misconfiguration | Low
6 | A6 | Vulnerable and Outdated Components | Very Low
7 | A7 | Identification and Authentication Failures | Very Low
8 | A8 | Software and Data Integrity Failures | Very Low
9 | A9 | Security Logging and Monitoring Failures | Very Low
10 | A10 | Server-Side Request Forgery (SSRF) | Very Low
3. Application Info
The details of the application are as listed below:
Application name : Whistleblow
Project name : Own
URL : https://app.whistleblow.ro
Test completed on : 22 Oct 2022
3.1 Domain Details
Domain name : whistleblow.ro
Domain status : Valid
Created on : 04 Aug 2022
Updated on :
Expires on : 04 Aug 2023
Days to expire : 286
3.2 SSL Details
Resolves to : app.whistleblow.ro
Status : Host not match
Vendor signed : Yes
Host matches : Doesn't Match
Expires on : 12 Nov 2022
4. Technical Summary
4.1 Detailed Technical Report

4.1.1. X-XSS-Protection header not implemented
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 CWE-16 Subpart C, HIPAA-164.308(a)(1)(i) ISO27001-A.14.2.5 WASC-15 A.12.1.1 PCI v4.0-6.2.4
• Likelihood: Medium
• Impact: Low
• Severity: Low
Issue Description:
The X-XSS-Protection header was not found in this web page's response. The X-XSS-Protection header is designed to enable the browser's cross-site scripting filter.
Recommendations:
The only mitigation is to add the X-XSS-Protection header and set its value to 1.
Occurrence:
Occurrences 001 Status: Not fixed
URL : https://app.whistleblow.ro

4.1.2. Google API Key found
OWASP 2013-A6 OWASP 2017-A3 OWASP 2021-A2 CAPEC-37 CWE-798
• Likelihood: High
• Impact: High
• Severity: Critical
Issue Description:
One or more pages with Google API key(s) hard-coded in the code were discovered. Because the API key serves as a means of identifying the program or the user, it must be unique, random, and unguessable. The API key is a one-of-a-kind identifier that authenticates requests for usage and billing purposes linked with your project.
Recommendations:
• Do not store or hard-code sensitive keys in the code.
• If you need to communicate with a sensitive or external API, create an endpoint to do that. This endpoint must be authenticated with a user token and enforce the right protection requirements.
Occurrence:
Occurrences 002 Status: Fixed
Found : AIzaSyBoPX3J0F_VGyr4SgTx-RKBMY6lOXvF37M"
URL : https://app.whistleblow.ro/lib/js/main.js

4.1.3. BREACH Attack
OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 OWASP PC-C1 CWE-310 Subpart C, HIPAA-164.312(e)(1) WASC-04 WSTG-CLNT-10 A.12.3.1 PCI v4.0-6.2.4
• Likelihood: Medium
• Impact: Medium
• Severity: Medium
Issue Description:
BREACH is a compression side-channel attack that targets information compressed in HTTP responses through HTTP compression. The BREACH attack captures information in compressed and encrypted responses by performing an oracle attack. Another speciality is that the attack is agnostic to the version of TLS/SSL and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.
Recommendations:
We suggest you disable HTTP compression and separate the secrets from the user input.
• Add a CSRF token to vulnerable pages.
• Mask secrets in each client request by XORing them with a random secret per request.
• Disable HTTP compression.
Occurrence:
Occurrences 003 Status: Fixed
URL : https://app.whistleblow.ro

4.1.4. Email Address Disclosure
OWASP 2017-A3 OWASP 2021-A2 OWASP PC-C7 CAPEC-118 CWE-200 ISO27001-A.9.4.1 WASC-13 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N WSTG-IDNT-04 A.11.6.1 PCI v4.0-3.2.1
• Likelihood: Low
• Impact: Low
• Severity: Info
Issue Description:
The inclusion of email addresses in source code or application responses does not always indicate a security flaw. However, spam email engines and brute-force programs can both use email addresses found within the application. Valid email addresses can also be used in social engineering attacks, or they can represent usernames that can be used to log in to an application.
Recommendations:
• Remove unnecessary email addresses.
• Use generic or anonymous mailbox addresses like info@example.com instead of user- or person-specific email addresses.
• To reduce incoming spam, consider providing a submission form that generates the email on the server side.
Occurrence:
Occurrences 004 Status: Fixed
Found : ariel@mashraki.co.il
URL : https://app.whistleblow.ro/js/scripts.min.js
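Three of the findings above (the missing X-XSS-Protection header in 4.1.1, the hard-coded Google API key in a served script in 4.1.2, and the e-mail address in a served script in 4.1.4) can all be checked from one captured HTTP response. The following is an added example and is not code from the report or from Beagle Security's platform: it parses a constructed response, reports the header the report asks for when it is absent, and searches the body with the patterns a Google API key (39 characters beginning with AIza) and an e-mail address follow. The response, key and addresses in the sample are constructed. One caveat: current browsers no longer implement the XSS filter that X-XSS-Protection controlled, so a Content-Security-Policy header is the control to rely on; the check still reports the header exactly as the report recommends.

```python
"""Checks for three findings in the report: missing X-XSS-Protection header,
a hard-coded Google API key, and an e-mail address in a served script.

Added example, not the report's or Beagle Security's code. The response
below is constructed; the key and addresses in it are fake.
"""
import re
from typing import Dict, List, Tuple

# Header the report asks for, with the value it recommends (header names
# are compared case-insensitively, as HTTP requires).
REQUIRED_HEADERS = {"x-xss-protection": "1"}

# Google API keys are 39 characters: the prefix "AIza" followed by 35
# characters from [A-Za-z0-9_-]. The lookarounds stop a longer token from
# matching in the middle.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: a JavaScript asset served without the header.
FAKE_KEY = "AIzaSyEXAMPLE_KEY-" + "0" * 21          # 39 chars, not a real key
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/javascript\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    f'var mapsKey = "{FAKE_KEY}";\n'
    'var support = "helpdesk@example.com";\n'
    'var author  = "dev.one@example.org";\n'
).encode("utf-8")


def parse_response(raw: bytes) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into lower-cased headers and a text body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:                 # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", errors="replace")


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Required headers that are absent, rendered as the line to add."""
    return [f"{name}: {value}" for name, value in REQUIRED_HEADERS.items()
            if name not in headers]


def find_google_api_keys(text: str) -> List[str]:
    """Distinct strings in the body shaped like a Google API key."""
    return sorted(set(GOOGLE_API_KEY_RE.findall(text)))


def find_email_addresses(text: str) -> List[str]:
    """Distinct e-mail addresses in the body."""
    return sorted(set(EMAIL_RE.findall(text)))


def scan_response(raw: bytes) -> Dict[str, List[str]]:
    """Run all three checks over one captured response."""
    headers, body = parse_response(raw)
    return {
        "missing_headers": missing_headers(headers),
        "google_api_keys": find_google_api_keys(body),
        "email_addresses": find_email_addresses(body),
    }


if __name__ == "__main__":
    for check, hits in scan_response(SAMPLE_RESPONSE).items():
        print(f"{check}: {hits or 'none'}")
```

Feed `scan_response` the raw bytes of any response saved from a proxy or from `curl -i`; a hit in `google_api_keys` is a candidate to confirm manually and then rotate, since the key pattern alone does not prove the key is live.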
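The masking step in the BREACH recommendations in 4.1.3 (XOR the secret with a random value on every request) can be written in a few lines. The following is an added example and is not code from the report: it assumes the secret is a 32-byte per-session CSRF token, emits mask || (mask XOR secret) under a fresh mask for each response so that the token bytes embedded in a compressed page never repeat, and recovers and compares the secret in constant time when the form comes back. The function names and the token length are this example's own choices.

```python
"""Per-request masking of a secret: the BREACH mitigation the report recommends.

Added example, not code from the report. Scheme: each response carries
mask || (mask XOR secret) under a fresh random mask, so the token bytes
embedded in a compressed page differ on every request, while the server
can still recover the underlying secret and compare it to the session's.
"""
import base64
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # assumed length in bytes of the per-session secret


def new_session_secret() -> bytes:
    """Generate the secret stored server-side in the session."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(secret: bytes) -> str:
    """Return a URL-safe string that differs on every call but encodes `secret`."""
    if len(secret) != TOKEN_LEN:
        raise ValueError("secret must be %d bytes" % TOKEN_LEN)
    mask = secrets.token_bytes(TOKEN_LEN)            # fresh per request
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(token: str) -> Optional[bytes]:
    """Recover the secret from a masked token; None if the token is malformed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:        # non-ASCII input or bad base64 (binascii.Error)
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def verify_token(submitted: str, session_secret: bytes) -> bool:
    """Constant-time check that a submitted token encodes the session secret."""
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_secret)


if __name__ == "__main__":
    s = new_session_secret()
    a, b = mask_token(s), mask_token(s)
    print("two renderings differ:", a != b)
    print("both verify:", verify_token(a, s) and verify_token(b, s))
```

Masking removes the repeated byte string that a compression oracle depends on; the report's other recommendations (disabling HTTP compression on pages that carry secrets and keeping user input away from them) are server configuration and are not shown here.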
5. Conclusion
The tested web application has very low vulnerabilities, and they are not a major concern.
Your development team can fix the vulnerabilities found by Beagle Security. All you have to do is follow the mitigation techniques provided.
Thank you for using Beagle Security. We hope to be of service to you soon!