/Vulnerability_PoC

Challenge: Find out about the website's security vulnerabilities and send their 3 high-risk vulnerabilities along with PoC (Proof of Concept).

Josh Black

Cyber Security Engineer

October 11, 2022

Target URL

1. http://rest.vulnweb.com/
2. http://testphp.vulnweb.com/
3. http://testhtml5.vulnweb.com/
4. http://testaspnet.vulnweb.com/

Penetration Testing Tool
ZOFixer
Summary

Fields per finding: Title, Target, Technical Severity, Vulnerability Details, Description & Solution.
Title: External Redirect
Target: http://rest.vulnweb.com/
Technical Severity: High
Vulnerability Details: A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks.
Description & Solution: An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Solution: Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems when generating the disclaimer page.
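The solution above has two parts: decide whether a redirect target actually leaves the site, and, if it does, show a disclaimer page without creating a new XSS sink. The following Python is an added example written for this page, not code from the report or from ZOFixer. The `ALLOWED_HOSTS` set is a constructed assumption standing in for whatever hosts the application legitimately redirects to; the function classifies a target as internal, external (show the disclaimer) or rejected outright, covering the scheme-relative, backslash and userinfo forms that naive prefix checks miss.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: hosts the application may redirect to directly.
ALLOWED_HOSTS = {"rest.vulnweb.com"}


def classify_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Classify a user-supplied redirect target.

    Returns ("internal", url) when the target stays on an allowed host,
    ("external", url) when it leaves the site and should go through the
    disclaimer page, or ("reject", None) when it should not be followed.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return ("reject", None)

    # Browsers treat backslashes as forward slashes, so "/\evil.example"
    # is really "//evil.example"; normalise before parsing.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)

    # Only web schemes are acceptable; javascript:, data: and friends are not.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return ("reject", None)

    if not parts.netloc:
        # No authority: accept only a site-relative path. Anything that
        # starts with "//" (or "///") would be resolved as a new host.
        if not normalized.startswith("/") or normalized.startswith("//"):
            return ("reject", None)
        return ("internal", normalized)

    # "https://rest.vulnweb.com@evil.example/" puts the trusted name in the
    # userinfo part; the real host is after the "@". Refuse such targets.
    if parts.username or parts.password:
        return ("reject", None)

    host = (parts.hostname or "").lower()
    if not host:
        return ("reject", None)
    if host in allowed_hosts:
        return ("internal", normalized)
    return ("external", normalized)


def disclaimer_page(url):
    """Render the intermediate warning page for an external target.

    The URL is HTML-escaped before being embedded so the disclaimer page
    cannot itself become a reflected-XSS sink, as the solution warns.
    """
    safe = html.escape(url, quote=True)
    return (
        "<p>You are leaving this site. Continue to "
        f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>?</p>'
    )


def handle_redirect(target):
    """Decide what the redirect endpoint should respond with."""
    kind, url = classify_redirect(target)
    if kind == "internal":
        return ("302", url)                  # follow directly
    if kind == "external":
        return ("200", disclaimer_page(url))  # user must click through
    return ("400", "invalid redirect target")
```

Keying the decision on the parsed host rather than on a string prefix is the point: `"http://rest.vulnweb.com.evil.example/"` and `"https://rest.vulnweb.com@evil.example/"` both start with the trusted name and both end up off-site.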
Title: Cross Site Scripting (Reflected)
Target: http://testphp.vulnweb.com/
Technical Severity: High
Vulnerability Details: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Cross-site scripting attacks essentially compromise the trust relationship between a user and the web site.
Description & Solution: Cross-site scripting (XSS) vulnerabilities occur when:
1) Untrusted data enters a web application, typically from a web request.
2) The web application dynamically generates a web page that contains this untrusted data.
3) During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
4) A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data.
5) Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
6) This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.
Solution: Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
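Step 3 of the sequence above is where the fix lives: output must be encoded for the exact context it lands in (HTML text, an attribute value, a JavaScript string), because one encoding does not cover all three. The code below is an added Python example, not part of the report or of the testphp.vulnweb.com application; the search-page markup it renders is constructed for illustration. It puts the unsafe reflection beside a hardened renderer that escapes per context.

```python
import html
import json


def render_results_vulnerable(term):
    """Reflects the search term into the page unchanged: the flaw the report flags."""
    return f"<h2>Results for {term}</h2>"


def escape_html_text(value):
    """For text between tags: neutralise < > & so no new tags can open."""
    return html.escape(value, quote=False)


def escape_html_attr(value):
    """For a quoted attribute value: additionally neutralise quotes so the
    value cannot terminate the attribute and add an onmouseover= of its own."""
    return html.escape(value, quote=True)


def escape_js_string(value):
    """For a value embedded in an inline <script> block.

    json.dumps yields a quoted JS string literal; < and > are escaped as
    well so a payload containing "</script>" cannot close the block early,
    which the HTML parser would otherwise do before JavaScript ever runs.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_results_hardened(term):
    """Same page, with the term encoded once per context it appears in."""
    return (
        f"<h2>Results for {escape_html_text(term)}</h2>\n"
        f'<input name="searchFor" value="{escape_html_attr(term)}">\n'
        f"<script>var lastSearch = {escape_js_string(term)};</script>"
    )
```

Template engines with auto-escaping do the text and attribute cases for you, but inline script data is the usual gap; passing it through a JSON encoder with `<` and `>` escaped, or moving it into a `data-` attribute read at runtime, closes it.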
Title: SQL Injection
Target: http://testphp.vulnweb.com/
Technical Severity: High
Vulnerability Details: The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Description & Solution: Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.
Solution: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
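The "no distinction between control and data planes" remark is the whole mechanism: once a value is spliced into the statement text, the database parser cannot tell which characters were meant as data. Bound parameters restore that distinction, which is the construct the solution's "vetted library" wording refers to. The following is an added Python example using the standard `sqlite3` module, not code from the report or from the testphp.vulnweb.com site; the `products` table and its rows are constructed sample data. It shows the string-built query beside the parameterised one, with a row cap as the earlier LIMIT advice suggests.

```python
import sqlite3

# Constructed sample catalogue for this example (not real site data).
ROWS = [
    (1, "posters", "Film poster"),
    (2, "posters", "Concert poster"),
    (3, "pictures", "Landscape print"),
]


def make_db():
    """Create an in-memory database with the sample products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, cat TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def list_products_vulnerable(conn, cat):
    """String-built query: `cat` becomes part of the SQL text, so a quote
    character in it ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE cat = '%s'" % cat
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat, limit=50):
    """Parameterised query: the statement is compiled with placeholders and
    `cat` is bound afterwards as a value, never re-parsed as SQL. The bound
    LIMIT caps how many rows any single request can pull."""
    sql = "SELECT id, name FROM products WHERE cat = ? LIMIT ?"
    return conn.execute(sql, (cat, limit)).fetchall()


def compare(cat):
    """Run the same input through both versions; returns (vulnerable, safe) row counts."""
    conn = make_db()
    try:
        vulnerable = list_products_vulnerable(conn, cat)
    except sqlite3.OperationalError:
        # A lone quote or unbalanced input breaks the statement outright;
        # such errors surfacing to the client are a common way the flaw is detected.
        vulnerable = None
    safe = list_products_safe(conn, cat)
    return (None if vulnerable is None else len(vulnerable), len(safe))
```

For the legitimate input `posters` both versions return the same two rows. For the classic tautology input the string-built version returns every row in the table, while the parameterised version returns nothing, because no category is literally named that; the application logic never changed, only whether the input could reach the parser.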

Vulnerability details and the corresponding technical severity can be found on zofixer.com (reference)