Penetration Test Report
DOTCOMIT PRO SRL
Vulnerability report, penetration test of whistleblow.ro
Continuous Vulnerability Assessment Platform
Web Application Penetration Test Report
Whistleblow
22 Oct 2022
Confidential Copyright © 2022 Beagle Security
Copyright

The copyright in this work is vested in Beagle Security and the document is issued in confidence for the purpose for which it is supplied. If you are not the intended recipient, be aware that any disclosure, copying or distribution of this document without the prior consent of Beagle Security is prohibited and may expose you to legal action.

© Beagle Security
Email: info@beaglesecurity.com
PH: +91 807 800 9000
Document Details

Completed On: 22 Oct 2022
Approved By: Rejah, CISO
Approved On: 22 Oct 2022
* This report was generated on 22 Oct 2022
Table of Contents

1 Introduction ... 1
2 Executive Summary ... 2
  2.1 Catalog ... 2
  2.2 Graphical Summary ... 2
  2.3 Tabular Summary ... 2
  2.4 OWASP Top 10 Summary ... 3
3 Application Info ... 4
  3.1 Domain Details ... 4
  3.2 SSL Details ... 4
4 Technical Summary ... 5
  4.1 Detailed Technical Report ... 5
    4.1.1 X-XSS-Protection header not implemented ... 5
    4.1.2 Google API Key found ... 5
    4.1.3 BREACH Attack ... 6
    4.1.4 Email Address Disclosure ... 7
5 Conclusion ... 9
1. Introduction

This report documents the results of penetration testing performed on https://app.whistleblow.ro using Beagle Security. The purpose of this penetration test is to find all the open vulnerabilities present in the application and identify how deeply it could be penetrated by an attacker.

Beagle Security automates the penetration testing process under human supervision. It uses a meticulously planned and phased approach to find all the open vulnerabilities in the application under test. The platform splits the whole penetration testing process into four phases: vulnerability scanning, vulnerability exploitation and penetration, report preparation, and manual verification and sign-off. Beagle Security maintains an up-to-date repository of the latest vulnerabilities and their test cases. It ensures that the application under test does not leave any unidentified loopholes or exploits through which the security of the application could be compromised. Using Beagle Security, your organization can adopt a DevSecOps approach to keep track of application security continuously across its different release cycles.

This report plays an important role in improving the knowledge about your application's security posture (both for the executive management and the development team). The next section provides the managerial team with a summary of all the key findings and the impact they will have on your business. Section three provides the technical team with a detailed report of individual vulnerabilities along with the mitigation procedures. The detailed report generated by Beagle Security will help your development team to improve the overall security of the application.
2. Executive Summary

The executive summary section provides you with charts, tables and graphs to give you a better understanding of all the vulnerabilities present in the application, based on their status and severity. The severity of each vulnerability is calculated based on its occurrence, frequency and impact on the application. By examining the graphs generated by Beagle Security, you can see the current level of the application's security and the areas for improvement.

2.1 Catalog

Status: Count
New: 0
Not Fixed: 1
Reopened: 0
Fixed: 3

2.2 Graphical Summary

Vulnerability Distribution: Critical 0.0%, High 0.0%, Medium 0.0%, Low 100.0%, Very Low 0.0%
Overall Risk score: 8 (Good)
2.3 Tabular Summary

Category: Count
Critical: 0
High: 0
Medium: 0
Low: 1
Very Low: 0

2.4 OWASP Top 10 Summary

Sl No / ID / Test / Risk
1. A1 Broken Access Control: Very Low
2. A2 Cryptographic Failures: Very Low
3. A3 Injection: Very Low
4. A4 Insecure Design: Very Low
5. A5 Security Misconfiguration: Low
6. A6 Vulnerable and Outdated Components: Very Low
7. A7 Identification and Authentication Failures: Very Low
8. A8 Software and Data Integrity Failures: Very Low
9. A9 Security Logging and Monitoring Failures: Very Low
10. A10 Server-Side Request Forgery (SSRF): Very Low
3. Application Info

The details of the application are as listed below:
Application name: Whistleblow
Project name: Own
URL: https://app.whistleblow.ro
Test completed on: 22 Oct 2022

3.1 Domain Details

Domain name: whistleblow.ro
Domain status: Valid
Created on: 04 Aug 2022
Updated on:
Expires on: 04 Aug 2023
Days to expire: 286

3.2 SSL Details

Resolves to: app.whistleblow.ro
Status: Host not match
Vendor signed: Yes
Host matches: Doesn't Match
Expires on: 12 Nov 2022
4. Technical Summary

4.1 Detailed Technical Report

4.1.1 X-XSS-Protection header not implemented

References: OWASP 2013-A5, OWASP 2017-A6, OWASP 2021-A5, CWE-16, Subpart C, HIPAA-164.308(a)(1)(i), ISO27001-A.14.2.5, WASC-15, A.12.1.1, PCI v4.0-6.2.4
• Likelihood: Medium
• Impact: Low
• Severity: Low

Issue Description: The X-XSS-Protection header was not found on this web page. The X-XSS-Protection header is designed to enable the browser's cross-site scripting filter.

Recommendations: The only mitigation is to add the X-XSS-Protection header and set its value to 1.

Occurrence:
Occurrences 001
Status: Not fixed
URL: https://app.whistleblow.ro

4.1.2 Google API Key found

References: OWASP 2013-A6, OWASP 2017-A3, OWASP 2021-A2, CAPEC-37, CWE-798
• Likelihood: High
• Impact: High
• Severity: Critical

Issue Description: One or more pages with Google API key(s) hard-coded in the code were discovered. Because the API key serves as a means of identifying the program or the user, it must be unique, random, and unguessable. The API key is a one-of-a-kind identifier that authenticates requests for usage and billing purposes linked with your project.

Recommendations: Do not store or hard-code sensitive keys in the code. If you need to communicate with a sensitive or external API, create an endpoint to do that. This endpoint must be authenticated with a user token and enforce the right protection requirements.

Occurrence:
Occurrences 002
Status: Fixed
Found: AIzaSyBoPX3J0F_VGyr4SgTx-RKBMY6lOXvF37M
URL: https://app.whistleblow.ro/lib/js/main.js

4.1.3 BREACH Attack

References: OWASP 2013-A9, OWASP 2017-A9, OWASP 2021-A6, OWASP PC-C1, CWE-310, Subpart C, HIPAA-164.312(e)(1), WASC-04, WSTG-CLNT-10, A.12.3.1, PCI v4.0-6.2.4
• Likelihood: Medium
• Impact: Medium
• Severity: Medium

Issue Description: BREACH is a compression side-channel attack that targets information compressed in HTTP responses through HTTP compression. The BREACH attack recovers information from compressed and encrypted responses by performing an oracle attack. Another speciality is that the attack is agnostic to the version of TLS/SSL and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.

Recommendations: We suggest you disable HTTP compression and separate the secrets from the user input. Add a CSRF token to vulnerable pages. Mask secrets in each client request by XORing them with a random secret per request.

Occurrence:
Occurrences 003
Status: Fixed
URL: https://app.whistleblow.ro

4.1.4 Email Address Disclosure

References: OWASP 2017-A3, OWASP 2021-A2, OWASP PC-C7, CAPEC-118, CWE-200, ISO27001-A.9.4.1, WASC-13, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, WSTG-IDNT-04, A.11.6.1, PCI v4.0-3.2.1
• Likelihood: Low
• Impact: Low
• Severity: Info

Issue Description: The inclusion of email addresses in source code or application responses does not always indicate a security flaw. However, spam email engines and brute-force programs can both use email addresses found within the application. Valid email addresses can also be used in social engineering attacks, or they can represent usernames that can be used to log in to an application.

Recommendations:
• Remove unnecessary email addresses.
• Use generic or anonymous mailbox addresses like info@example.com instead of user- or person-specific email addresses.
• To reduce incoming spam, consider providing a submission form that generates the email on the server side.

Occurrence:
Occurrences 004
Status: Fixed
Found: ariel@mashraki.co.il
URL: https://app.whistleblow.ro/js/scripts.min.js
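A defender's check for three of the findings in section 4 (4.1.1, 4.1.2 and 4.1.4), written here as an added example and not as Beagle Security's own scanner logic: it audits one HTTP response for a missing X-XSS-Protection header, Google API keys of the documented 39-character "AIza..." shape, and person-specific e-mail addresses, while letting generic mailboxes through as the report's recommendation allows. The headers, body and key value are constructed sample input, not taken from the tested application.

```python
import re

# Google API keys are 39 characters and start with "AIza"; the lookarounds stop
# a longer identifier from being cut into a false match.
GOOGLE_API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Generic mailboxes of the info@example.com kind that the report accepts.
GENERIC_MAILBOXES = {"info", "contact", "support", "noreply", "no-reply", "admin"}


def header_value(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def audit_response(headers, body):
    """Return the findings for one response, titled as in the report."""
    findings = []
    # 4.1.1: the header is absent (the report's recommended value is "1").
    if header_value(headers, "X-XSS-Protection") is None:
        findings.append({"title": "X-XSS-Protection header not implemented", "found": None})
    # 4.1.2: hard-coded Google API keys in served JavaScript or HTML.
    for key in sorted(set(GOOGLE_API_KEY_RE.findall(body))):
        findings.append({"title": "Google API Key found", "found": key})
    # 4.1.4: person-specific addresses only; generic mailboxes are not reported.
    for addr in sorted(set(EMAIL_RE.findall(body))):
        local_part = addr.split("@", 1)[0].lower()
        if local_part not in GENERIC_MAILBOXES:
            findings.append({"title": "Email Address Disclosure", "found": addr})
    return findings


# Constructed sample response (not from the tested application): no XSS header,
# a placeholder key of the right length, one personal and one generic mailbox.
SAMPLE_HEADERS = {"Content-Type": "application/javascript",
                  "content-security-policy": "default-src 'self'"}
SAMPLE_KEY = "AIzaSyEXAMPLE_" + "0" * 25   # 39 characters, placeholder value
SAMPLE_BODY = (
    "var maps = new Loader({apiKey: '" + SAMPLE_KEY + "'});\n"
    "// maintainer: jane.doe@example.org, support: info@example.org\n"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding["title"], "->", finding["found"])
```

Current browsers have removed the filter that X-XSS-Protection controlled, so a Content-Security-Policy is the effective cross-site scripting defence and the header check above only covers the report's compatibility recommendation.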
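The per-request masking that the BREACH recommendation (4.1.3) describes, as an added example that is not part of the report or of Beagle Security's tooling: each response carries the CSRF token XORed with a fresh random mask together with the mask itself, so the secret's bytes never repeat across responses, and the server unmasks before comparing. The 32-byte token length and the base64 transport encoding are assumptions of this example.

```python
import base64
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # assumed length in bytes of the underlying CSRF secret


def mask_token(token: bytes) -> str:
    """Return base64(mask || token XOR mask) with a fresh mask for this response."""
    if len(token) != TOKEN_LEN:
        raise ValueError("unexpected token length")
    mask = secrets.token_bytes(TOKEN_LEN)
    masked = bytes(t ^ m for t, m in zip(token, mask))
    # Both halves travel together; neither half alone reveals the token, and
    # the pair differs on every response, which removes the fixed secret a
    # compression-length oracle would need to match against.
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the token from a masked value; None if the value is malformed."""
    try:
        raw = base64.urlsafe_b64decode(encoded.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(c ^ m for c, m in zip(masked, mask))


def csrf_token_valid(session_token: bytes, submitted: str) -> bool:
    """Server-side check: unmask the submitted value, then compare in constant time."""
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_token)


if __name__ == "__main__":
    session_secret = secrets.token_bytes(TOKEN_LEN)  # held in the server-side session
    first, second = mask_token(session_secret), mask_token(session_secret)
    print("wire form differs per response:", first != second)
    print("both verify:", csrf_token_valid(session_secret, first)
          and csrf_token_valid(session_secret, second))
```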
5. Conclusion

The vulnerabilities found in the tested web application are of very low severity and are not a major concern. Your development team can fix the vulnerabilities found by Beagle Security; all you have to do is follow the mitigation techniques provided. Thank you for using Beagle Security. We hope to be of service to you soon!