This report holds the results of the web penetration test performed on the uKnowva web application by the SecIQ security team. The details of each task and our findings have been consolidated into this Executive Summary.
Executive Summary:

Business-Critical Risks:
The uKnowva web application was identified to have Critical and High risks, which are listed below:
- A vulnerable plugin was observed that led to a critical SQL injection vulnerability.
- Insecure direct object references were observed that allow broken access control across many endpoints.
- The application was observed to redirect users to any attacker-controlled domain (open redirection), which makes attacks such as phishing easier to launch.
Findings Summary:

| Category Name | Vulnerability Name | Instances | Status | Severity |
|---|---|---|---|---|
| Injection / Vulnerable Outdated Components | SQL Injection via Vulnerable Plugin | Nil | Closed | Critical |
| Broken Access Control | Insecure Direct Object Reference | 9 | Closed | High |
| Lack of Resources and Rate Limiting | Login Brute Force | 1 | Closed | High |
| Injection | Open Redirection | 1 | Closed | High |
| Broken Access Control / Injection | Parameter Pollution | 2 | Closed | High |
| Injection | Stored Cross-Site Scripting | 10 | Closed | High |
| Identification and Authentication Failures | Cookie Reusability | 1 | Closed | Medium |
| Injection | Cross-Site Scripting via File Upload | 9 | Closed | Medium |
| Lack of Resources and Rate Limiting | Email Flooding | 1 | Closed | Medium |
| Security Misconfiguration | .git Folder Exposure | 1 | Closed | Medium |