Web App Penetration Test Summary Report

This report presents the results of the web penetration test performed on the uKnowva web application by the SecIQ security team. The details of each task and our findings have been consolidated into this executive summary.

Objective

The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the uKnowva web application – with the intent to

  1. Uncover any security issues in the given application.
  2. Explain the impact and risks associated with the found issues.
  3. Provide guidance to the team in the prioritization and remediation steps.

Executive Summary:

Business-Critical Risks:

The uKnowva web application was found to have critical and high risks, which are listed below:

  • It was observed that a vulnerable plugin led to a critical SQL injection vulnerability.

  • It was observed that an insecure direct object reference allows broken access control across many endpoints.

  • It was observed that the application redirects users to arbitrary attacker-controlled domains (open redirection), which makes attacks such as phishing easier to launch.
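As an added illustration of the open redirection risk listed above (example code written for this summary, not part of SecIQ's report or of the uKnowva code base), the following Python shows the anti-pattern behind such a finding next to the validation a login or logout handler should apply to a user-supplied redirect target before emitting a Location header. The allowed host list, the handler names and the sample inputs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to. Constructed for this example; a real
# deployment would load its own list from configuration.
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
FALLBACK = "/"


def unsafe_redirect(next_param):
    """Anti-pattern behind an open redirection finding (hypothetical handler):
    the `next` parameter is copied straight into the Location header, so any
    attacker-chosen domain becomes the destination."""
    return ("302 Found", {"Location": next_param})


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `target` if it points to an approved destination, else `fallback`.

    Accepts site-root-relative paths and absolute http(s) URLs whose host is
    in `allowed_hosts`. Rejects anything a browser could reinterpret as a
    different origin: other schemes, protocol-relative URLs, backslash
    variants, userinfo tricks and header-injection characters.
    """
    if not isinstance(target, str) or not target:
        return fallback
    # CR/LF or NUL would corrupt the response header; reject outright.
    if any(ch in target for ch in "\r\n\x00"):
        return fallback
    # Browsers treat '\' like '/', so normalise before parsing.
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        hostname = parts.hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: require http(s) to an approved
        # host. The port is deliberately not checked here; add that check if
        # the deployment serves on non-default ports.
        if parts.scheme not in ("http", "https"):
            return fallback
        if hostname not in allowed_hosts:
            return fallback
        return candidate

    # Relative reference: only paths anchored at the site root, and never a
    # leading '//' (protocol-relative), which urlsplit can leave in the path
    # when the authority component is empty.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


def hardened_redirect(next_param):
    """Hardened counterpart of unsafe_redirect: validates before redirecting."""
    return ("302 Found", {"Location": safe_redirect_target(next_param)})


if __name__ == "__main__":
    # Constructed sample inputs, including the variants the validator rejects.
    samples = [
        "/dashboard?tab=1",
        "https://app.example.com/home",
        "https://evil.example.net/login",
        "//evil.example.net/",
        "/\\evil.example.net",
        "https:evil.example.net",
        "javascript:alert(1)",
        "https://app.example.com@evil.example.net/",
        "/ok\r\nSet-Cookie: x=1",
    ]
    for s in samples:
        print(f"{s!r:45} -> {hardened_redirect(s)[1]['Location']!r}")
```

The validator is stricter than a naive "starts with /" or "contains our domain" check: it normalises backslashes, treats a missing scheme with a present authority as protocol-relative, and compares the parsed hostname (so a `user@host` trick cannot smuggle in another domain). Run the module to see each sample input next to the Location value the hardened handler would actually emit.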

Findings Summary:

Category Name | Vulnerability Name | Instances | Status | Severity
--- | --- | --- | --- | ---
Injection / Vulnerable and Outdated Components | SQL Injection via Vulnerable Plugin | Nil | Closed | Critical
Broken Access Control | Insecure Direct Object Reference | 9 | Closed | High
Lack of Resources and Rate Limiting | Login Brute Force | 1 | Closed | High
Injection | Open Redirection | 1 | Closed | High
Broken Access Control / Injection | Parameter Pollution | 2 | Closed | High
Injection | Stored Cross-Site Scripting | 10 | Closed | High
Identification and Authentication Failures | Cookie Reusability | 1 | Closed | Medium
Injection | Cross-Site Scripting via File Upload | 9 | Closed | Medium
Lack of Resources and Rate Limiting | Email Flooding | 1 | Closed | Medium
Security Misconfiguration | .git Folder Exposure | 1 | Closed | Medium
