Date: 9/2/2025
Prepared by: Ragab Mohamed Ragab
PENETRATION TESTING
REPORT
Target: http://altoro.testfire.net
1 | P a g e
Table of Contents
1. Executive Summary .............................................................................................................2
1.1 Purpose of Assessment....................................................................................................2
1.2 Overall Summary...........................................................................................................2
1.3 Summary of Findings .....................................................................................................3
2 Scope of Work......................................................................................................................4
3 Limitations and Assumptions................................................................................................4
4 Findings & Vulnerabilities....................................................................................................5
4.1 SQL Injection ................................................................................................................5
4.2 Authentication Bypass....................................................................................................7
4.3 HTTP Request Smuggling...............................................................................................9
4.4 No Login Rate Limit ....................................................................................................10
4.5 Static Session ID..........................................................................................................12
4.6 Reflected Cross-Site Scripting (XSS) .............................................................................14
4.7 Clickjacking................................................................................................................19
4.8 Cleartext Submission of Password..................................................................................21
4.9 Password Field with Autocomplete Enabled ....................................................................22
4.10 Cookie Without HttpOnly Flag Set.................................................................................23
4.11 Base64-Encoded Data in Parameter................................................................................24
4.12 Default Credentials (admin/admin) ...............................................................25
4.13 API Credentials (jsmith/ demo1234)..................................................................26
1. Executive Summary
1.1 Purpose of Assessment
The penetration test was conducted on http://altoro.testfire.net to identify and
assess security vulnerabilities that could potentially be exploited by attackers. The
objective was to evaluate the overall security posture of the web application and
provide remediation strategies based on OWASP web application penetration
testing guidelines.
1.2 Overall Summary
The following graph represents the overall discovered vulnerabilities with respect
to their risk severity:
[Chart: OVERALL SUMMARY of discovered vulnerabilities by severity: Critical, High, Medium, Low, Info]
1.3 Summary of Findings
Number  Vulnerability                               Severity
1       SQL Injection                               Critical
2       Authentication Bypass                       Critical
3       HTTP Request Smuggling                      High
4       Static Session ID                           High
5       No Login Rate Limit                         High
6       Reflected Cross-Site Scripting              Medium
7       Clickjacking                                Medium
8       Cleartext Submission of Password            Medium
9       Password Field with Autocomplete Enabled    Low
10      Cookie Without HttpOnly Flag Set            Low
11      Base64-Encoded Data in Parameter            Low
12      Default Credentials (admin/admin)           Info
13      API Credentials (user/user)                 Info
2 Scope of Work
• Target URL: http://altoro.testfire.net
• Testing Type: Black Box Testing
• Testing Methodology: OWASP Web Application Penetration Testing Guidelines
• Testing Environment: Production Environment
• Tools Used:
o Burp Suite
o SQLmap
o Nmap
3 Limitations and Assumptions
• The Tester did not engage in any testing outside the agreed-upon scope.
• Testing was conducted over 7 days to minimize disruption to the production
environment.
• Testing activities included controlled exploitation of vulnerabilities that did
not harm the production environment.
• Every payload used to exploit a vulnerability was documented in detail.
• Denial-of-Service (DoS) attacks were strictly prohibited during this
engagement.
4 Findings & Vulnerabilities
4.1 SQL Injection
ID 1
Severity Critical
Affected URL http://altoro.testfire.net/login.jsp
Vuln-parameter uid & passw
Description:
The login form is vulnerable to SQL Injection, allowing an attacker to bypass
authentication, log in as the admin user “admin”, and access sensitive data.
Proof-of-Concept (PoC):
Username: ' OR '1'='1' --
Password: [Anything]
Impact:
• Full database access
• Unauthorized user authentication bypass
• Data exfiltration
Recommendation:
• Use prepared statements and parameterized queries.
• Implement input validation and sanitization.
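To make the recommendation concrete, the following added example (not code from the report or from the target application) shows the concatenated query that makes the PoC above work next to the parameterized form that defeats it, plus an allow-list check on the username applied on arrival. The user table, its rows and the plaintext password column are constructed for the demonstration; `make_db`, `login_vulnerable`, `login_parameterized` and `valid_uid` are hypothetical names.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user table. Column
# names follow the report's vulnerable parameters (uid, passw); the rows and
# the plaintext storage are for demonstration only (real systems store hashes).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, passw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "admin", "admin"), ("jsmith", "demo1234", "user")])
    return conn

def login_vulnerable(conn, uid, passw):
    """The 'before' pattern: user input is concatenated into the statement,
    so a quote in uid or passw changes the structure of the query."""
    sql = ("SELECT uid FROM users WHERE uid = '" + uid
           + "' AND passw = '" + passw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, uid, passw):
    """The fix: a prepared statement with bound parameters. The driver passes
    the values separately from the SQL text, so they are never parsed as SQL."""
    row = conn.execute(
        "SELECT uid FROM users WHERE uid = ? AND passw = ?", (uid, passw)
    ).fetchone()
    return row[0] if row else None

_UID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def valid_uid(uid):
    """Allow-list validation on arrival (the report's second recommendation).
    Defence in depth only; parameterization is what actually closes the hole."""
    return bool(_UID_RE.match(uid))

POC_UID = "' OR '1'='1' --"   # the PoC username from section 4.1

if __name__ == "__main__":
    db = make_db()
    print("concatenated query :", login_vulnerable(db, POC_UID, "anything"))    # admin
    print("parameterized query:", login_parameterized(db, POC_UID, "anything"))  # None
    print("allow-list accepts PoC uid?", valid_uid(POC_UID))                     # False
```

With the concatenated query the PoC username turns the WHERE clause into `uid = '' OR '1'='1'` followed by a comment, so the first row (admin) is returned; with bound parameters the same string is simply compared as a literal and no row matches.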
4.2 Authentication Bypass
ID 2
Severity Critical
Affected URL http://altoro.testfire.net/login.jsp
Description:
The login mechanism lacks proper authentication controls, allowing an attacker to
log in using known default credentials.
Proof-of-Concept (PoC):
Username: admin
Password: admin
Impact:
• Full admin account takeover
• Unauthorized access to sensitive data
Recommendation:
• Implement strong password policies.
• Disable default credentials and enforce multi-factor authentication (MFA).
4.3 HTTP Request Smuggling
ID 3
Severity High
Affected URL http://altoro.testfire.net/login.jsp
Description:
The server misinterprets HTTP request headers, enabling an attacker to poison
caches or bypass security controls.
Proof-of-Concept (PoC):
Impact:
• Cache poisoning
• Session hijacking
Recommendation:
• Implement strict HTTP request parsing rules.
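As an added illustration of what "strict HTTP request parsing rules" means in practice (example code, not part of the report or of the target's server), the following validator accepts a request only when its body framing is unambiguous: never both Content-Length and Transfer-Encoding, no duplicate or non-numeric Content-Length, no Transfer-Encoding other than exactly `chunked`, and no whitespace tricks in the field name. The two sample requests are constructed, not captured from the target; `parse_request_head`, `check_framing` and `classify_request` are hypothetical names.

```python
import re

# Constructed sample requests (not captures from the target).
UNAMBIGUOUS = (b"POST /login.jsp HTTP/1.1\r\n"
               b"Host: app.example.test\r\n"
               b"Content-Length: 5\r\n"
               b"\r\n"
               b"hello")

AMBIGUOUS = (b"POST /login.jsp HTTP/1.1\r\n"
             b"Host: app.example.test\r\n"
             b"Content-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n"
             b"\r\n"
             b"0\r\n\r\n")

def parse_request_head(raw: bytes):
    """Split the request head into the request line and a list of
    (name, value) pairs, keeping duplicates so they can be checked.
    Raises ValueError on syntax the strict rules reject outright."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not name:
            raise ValueError("malformed header line")
        if name != name.rstrip():
            raise ValueError("whitespace between field name and colon")
        headers.append((name.lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return lines[0].decode("ascii", "replace"), headers

def check_framing(headers):
    """Allow exactly one unambiguous body-framing mechanism."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        raise ValueError("multiple Content-Length headers")
    if cl and not re.fullmatch(r"[0-9]+", cl[0]):
        raise ValueError("Content-Length is not a plain integer")
    if len(te) > 1:
        raise ValueError("multiple Transfer-Encoding headers")
    if te and te[0].lower() != "chunked":
        raise ValueError("Transfer-Encoding other than exactly 'chunked'")

def classify_request(raw: bytes) -> str:
    """'accept' or 'reject: <reason>'; a rejected request should be answered
    with 400 and the connection closed rather than forwarded upstream."""
    try:
        _, headers = parse_request_head(raw)
        check_framing(headers)
    except ValueError as exc:
        return f"reject: {exc}"
    return "accept"

if __name__ == "__main__":
    print(classify_request(UNAMBIGUOUS))   # accept
    print(classify_request(AMBIGUOUS))     # reject: both Content-Length and Transfer-Encoding present
```

The same rules should hold on every hop (edge proxy, cache, application server), because smuggling arises when two hops disagree on where one request ends and the next begins; rejecting ambiguity at the first hop removes that disagreement.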
4.4 No Login Rate Limit
ID 4
Severity High
Affected URL http://altoro.testfire.net/login.jsp
Description:
The login page allows unlimited login attempts, making it vulnerable to brute-force
attacks.
Proof-of-Concept (PoC):
Once I had intercepted the HTTP login request, I sent it to Intruder to start the
dictionary brute-force attack.
Impact:
• Account compromise via credential stuffing
Recommendation:
• Implement account lockout mechanisms and CAPTCHA.
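The following added example (not code from the report or the target application) shows one way to implement the lockout recommendation: a sliding-window failure counter keyed both by account and by source address, with a temporary lockout once the limit is reached. The class and function names are hypothetical, the clock is injectable so the behaviour can be checked without waiting, and `password_ok` stands in for the real credential check.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout.

    Keys are opaque strings; the caller throttles per account *and* per
    source address so that a dictionary attack on one account and a spray
    across many accounts from one host are both slowed down.
    """

    def __init__(self, max_attempts=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts     # failures tolerated inside the window
        self.window = window                 # seconds
        self.lockout = lockout               # seconds of lockout once the limit is hit
        self.clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, key):
        """False while the key is inside a lockout period."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[key]
        self._failures[key].clear()
        return True

    def record_failure(self, key):
        """Count a failed attempt; returns True if this one triggered a lockout."""
        now = self.clock()
        q = self._recent(key, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok):
    """Hypothetical login handler wrapper. `password_ok` stands in for the
    real credential check, which must still run even for unknown accounts
    so that timing does not reveal which usernames exist."""
    keys = (f"user:{username.lower()}", f"ip:{source_ip}")
    if not all(throttle.allowed(k) for k in keys):
        return "locked"
    if password_ok:
        throttle.record_success(keys[0])   # clear only the account counter
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"


def simulate_dictionary_attack(throttle, username, source_ip, wordlist):
    """Replay a list of wrong guesses; returns how many were actually
    evaluated before the throttle started refusing them."""
    evaluated = 0
    for _ in wordlist:
        if attempt_login(throttle, username, source_ip, False) == "locked":
            break
        evaluated += 1
    return evaluated
```

A successful login clears only the account's counter, not the source address's, so a host that keeps guessing other accounts stays throttled. The CAPTCHA half of the recommendation slots in at the point where `allowed` returns False: instead of refusing outright, require a challenge before the attempt is evaluated.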
4.5 Static Session ID
ID 5
Severity High
Affected URL http://altoro.testfire.net/login.jsp
Description:
Session IDs do not change upon login, making session fixation attacks possible.
Proof-of-Concept (PoC):
While I was browsing the application, I logged in and out several times and noticed
that the user “admin” had the same session ID value every time, without any change.
Impact:
• Session hijacking
Recommendation:
• Implement dynamic session ID generation upon login.
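The following added example (not the report's or the application's code) is a minimal server-side session store that does what the recommendation asks: the ID is a random token, authentication discards the ID presented before login and issues a new one, and idle sessions expire. `SessionStore` and `session_rotates_on_login` are hypothetical names; the latter mirrors the PoC above as an automated check.

```python
import secrets
import time

class SessionStore:
    """Server-side session table. The session ID is a random, unguessable
    token and authentication always issues a fresh one."""

    def __init__(self, idle_timeout=1800, clock=time.time):
        self._sessions = {}     # sid -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable for testing

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def start_anonymous(self):
        """Pre-login session (e.g. carrying a CSRF token)."""
        return self._issue()

    def lookup(self, sid):
        """Return the session record, or None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def login(self, presented_sid, user):
        """Called only after the credentials have been verified. The ID the
        client presented is invalidated and a new one issued, so an ID that
        was handed to the victim (fixation) or observed before login never
        carries authenticated state."""
        self._sessions.pop(presented_sid, None)
        return self._issue(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_rotates_on_login(store):
    """Check mirroring the report's PoC: log in twice and confirm the
    authenticated ID differs each time and never equals the pre-login one."""
    pre = store.start_anonymous()
    first = store.login(pre, "admin")
    store.logout(first)
    pre2 = store.start_anonymous()
    second = store.login(pre2, "admin")
    return (pre != first and pre2 != second and first != second
            and store.lookup(pre) is None and store.lookup(first) is None)
```

The same rotation should happen on any privilege change (password change, role elevation), and `logout` must remove the record on the server rather than only clearing the cookie in the browser.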
4.6 Reflected Cross-Site Scripting (XSS)
ID 6
Severity Medium
Affected URL
• http://altoro.testfire.net/search.jsp?query=%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E
• http://altoro.testfire.net/feedback.jsp
• http://altoro.testfire.net/bank/queryxpath.jsp?content=queryxpath.jsp&query=+%22XSS%3D%3Cscript%3Ealert%28%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E
Vuln-parameter query & name & query
Description:
The application does not properly sanitize user input, allowing JavaScript
injection.
Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject a
malicious executable payload or script through a trusted application, targeting
the end users of that web application.
Proof-of-Concept (PoC):
While I was browsing “altoro.testfire.net” I found a search field, so I tried to
search for “anything”. It returned me to the same page, “search.jsp”, which has the
parameter “query”; this parameter takes the value “anything”.
I injected the JS payload below; if it succeeds, it will pop up a message box:
“<script>alert("XSS1")</script>”
Continuing to browse “altoro.testfire.net”, I found a feedback form, so I tried to
submit feedback with Your Name set to “anything”. I then intercepted the HTTP
request to get the parameters that would be sent, and found many parameters,
including the parameter “query”; this parameter takes the value “anything”.
I injected the JS payload below; if it succeeds, it will pop up a message box:
“<script>alert("XSS2")</script>”
Continuing to browse “altoro.testfire.net”, I found another search field, so I tried
to search for “anything”. It returned me to the same page, “queryxpath.jsp”, which
has the parameter “query”; this parameter takes the value “anything”.
I injected the JS payload below; if it succeeds, it will pop up a message box:
“ "XSS=<script>alert(<script>alert("XSS3")</script> ”
Impact:
• Session hijacking
Recommendation:
• Since XSS is a user-input vulnerability, filter user input on arrival. At the
point where user input is received, filter as strictly as possible based on what
is expected or valid input.
• In addition, encode data on output. At the point where user-controllable data
is written into HTTP responses, encode it for the output context so that it
cannot be interpreted as active content.
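The following added example (not code from the report or from the target) applies both recommendations to the search page described in the PoC: a hypothetical `render_search_page` template that writes the query into four different contexts (HTML text, attribute, JavaScript string, URL), an encoder for each context, and an allow-list check for the feedback form's name field. The three reported payloads are reused as the test input; all function names are hypothetical.

```python
import html
import json
import re
from urllib.parse import quote

# The three payloads reported in section 4.6, used here only as test input.
REPORTED_PAYLOADS = [
    '<script>alert("XSS1")</script>',
    '<script>alert("XSS2")</script>',
    '"XSS=<script>alert(<script>alert("XSS3")</script>',
]

def encode_for_html_text(value):
    """HTML element-content context."""
    return html.escape(value, quote=True)

def encode_for_html_attribute(value):
    """Quoted attribute-value context (the template must quote the attribute)."""
    return html.escape(value, quote=True)

def encode_for_js_string(value):
    """JavaScript string-literal context: JSON-encode, then escape <, > and &
    so that a value containing </script> cannot close the script element."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def encode_for_url_parameter(value):
    """Query-string value context."""
    return quote(value, safe="")

def render_search_page(query, encode=True):
    """Hypothetical template for the search results page. With encode=False it
    behaves like the vulnerable page; with encode=True every interpolation is
    encoded for its own context."""
    if encode:
        t, a, j, u = (encode_for_html_text, encode_for_html_attribute,
                      encode_for_js_string, encode_for_url_parameter)
    else:
        t, a, j, u = str, str, (lambda v: '"' + v + '"'), str
    return (
        "<h2>Search results for: " + t(query) + "</h2>\n"
        '<input name="query" value="' + a(query) + '">\n'
        "<script>var lastQuery = " + j(query) + ";</script>\n"
        '<a href="/search.jsp?query=' + u(query) + '">search again</a>\n'
    )

def injected_script_tags(page):
    """Number of '<script' openings beyond the single one the template emits."""
    return page.lower().count("<script") - 1

_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")

def valid_feedback_name(name):
    """Filter on arrival for the feedback form's name field: an allow-list of
    what a name is expected to contain, so markup is rejected outright."""
    return bool(_NAME_RE.match(name))

if __name__ == "__main__":
    for p in REPORTED_PAYLOADS:
        print(injected_script_tags(render_search_page(p, encode=False)),
              injected_script_tags(render_search_page(p, encode=True)))   # n 0
```

Note that `encode_for_url_parameter` applied to the first payload yields exactly the `%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E` seen in the affected URL: percent-encoding is correct for the URL context, but the server decodes it before reflecting it into HTML, so the HTML-context encoding on output is what prevents execution.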
4.7 Clickjacking
ID 7
Severity Medium
Affected URL altoro.testfire.net
Description:
The application can be embedded in an iframe, making it susceptible to
clickjacking attacks.
Proof-of-Concept (PoC):
I noticed that the “X-Frame-Options” header is not present in the HTTP response,
which indicated to me that I should check whether the web application is vulnerable
to clickjacking. Thus, I wrote the following simple HTML script to bring
“altoro.testfire.net” into an external website.
Impact:
• An attacker can trick the user into clicking a link or button that performs
another, hidden action the user is not aware of.
Recommendation:
• Implement X-Frame-Options header.
4.8 Cleartext Submission of Password
ID 8
Severity Medium
Affected URL http://altoro.testfire.net/login.jsp
Description:
Passwords are transmitted over HTTP instead of HTTPS.
Proof-of-Concept (PoC):
I tried to intercept the HTTP request when I logged in with
Username: admin
Password: admin
Impact:
• Man-in-the-Middle (MitM) attacks can intercept user credentials.
• Unauthorized access risk due to exposed passwords in transit.
Recommendation:
• Enforce HTTPS with TLS 1.2+.
4.9 Password Field with Autocomplete Enabled
ID 9
Severity Low
Affected URL http://altoro.testfire.net/login.jsp
Proof-of-Concept (PoC):
Impact:
• Stored credentials could be auto-filled by browsers.
Recommendation:
• Set autocomplete="off" for password fields.
4.10 Cookie Without HttpOnly Flag Set
ID 10
Severity Low
Affected URL http://altoro.testfire.net/login.jsp
Impact:
• Increased risk of XSS stealing session cookies.
Recommendation:
• Set HttpOnly and Secure flags for cookies.
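Findings 4.7, 4.8 and 4.10 are all visible in the response headers, so the following added example (not the report's or the target's code) is a single audit routine that a defender can run over a captured response to confirm the three recommendations: an anti-framing header (X-Frame-Options or the equivalent CSP frame-ancestors directive), HTTPS with Strict-Transport-Security, and HttpOnly / Secure / SameSite on every Set-Cookie. The two responses are constructed to represent the weak and hardened states; the function names and the `sessionid` cookie name are hypothetical.

```python
# Constructed responses standing in for what the report describes: a cleartext
# response with a bare session cookie and no anti-framing header, and the same
# response after hardening. Neither is a capture from the target.
WEAK_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html;charset=UTF-8\r\n"
                 b"Set-Cookie: sessionid=c0n5tructed; Path=/\r\n"
                 b"\r\n"
                 b"<html>...</html>")

HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: text/html;charset=UTF-8\r\n"
                     b"X-Frame-Options: DENY\r\n"
                     b"Content-Security-Policy: frame-ancestors 'none'\r\n"
                     b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                     b"Set-Cookie: sessionid=c0n5tructed; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
                     b"\r\n"
                     b"<html>...</html>")

def parse_response_head(raw: bytes):
    """Status line plus a list of (lower-cased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def cookie_findings(set_cookie):
    """Report the attributes missing from one Set-Cookie header value."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [f"cookie {name}: missing {flag}"
            for flag in ("HttpOnly", "Secure", "SameSite")
            if flag.lower() not in attrs]

def audit_response(raw: bytes, over_tls: bool):
    """Return a list of hardening gaps; an empty list means every check passed.
    `over_tls` is supplied by the caller because the raw bytes do not say
    which scheme they travelled over."""
    _, headers = parse_response_head(raw)
    values = lambda n: [v for h, v in headers if h == n]
    findings = []
    if not over_tls:
        findings.append("served over cleartext HTTP: credentials and cookies exposed in transit")
    elif not values("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")
    csp = " ".join(values("content-security-policy")).lower()
    if not values("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("missing X-Frame-Options / CSP frame-ancestors: page can be framed")
    for sc in values("set-cookie"):
        findings.extend(cookie_findings(sc))
    return findings

if __name__ == "__main__":
    for f in audit_response(WEAK_RESPONSE, over_tls=False):
        print("-", f)
    print("hardened:", audit_response(HARDENED_RESPONSE, over_tls=True))   # []
```

The check accepts CSP `frame-ancestors` as an alternative to X-Frame-Options because modern browsers honour it in preference to the older header; setting both covers older clients. The Secure attribute only has effect once the site is served over HTTPS, which is why the cleartext finding is listed first.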
4.11 Base64-Encoded Data in Parameter
ID 11
Severity Low
Affected URL http://altoro.testfire.net/login.jsp
Impact:
• Security-relevant data is only Base64-encoded, which merely obfuscates it and offers no real protection.
Recommendation:
• Avoid using Base64 encoding for security-related data.
4.12 Default Credentials (admin/admin)
ID 12
Severity Info
Affected URL http://altoro.testfire.net/login.jsp
Description:
The application allows authentication using weak default credentials.
Proof-of-Concept (PoC):
Username: admin
Password: admin
Impact:
• Unauthorized access to admin panel and user data.
Recommendation:
• Enforce strong password policies.
• Disable default accounts upon deployment.
4.13 API Credentials (jsmith/ demo1234)
ID 13
Severity Info
Affected URL http://altoro.testfire.net/login.jsp
Description:
The application allows authentication using weak default credentials.
Proof-of-Concept (PoC):
Username: jsmith
Password: demo1234
Impact:
• Unauthorized access to admin panel and user data.
Recommendation:
• Enforce strong password policies.
• Disable default accounts upon deployment.
