Web App Penetration Test Summary Report - January 2023

This report holds the results of the Web Penetration Testing performed on Uknowva web application by the SecIQ security team. The details about each task and our findings have been consolidated for this Executive Summary and additional information is contained within the Detailed Vulnerability Information section of this report.

Objective

The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the uKnowva web application – with the intent to

  1. Uncover any security issues in the given application.
  2. Explain the impact and risks associated with the found issues.
  3. Provide guidance to the team in the prioritization and remediation steps.

2.Executive Summary :

 
Business-Critical Risks:

The Uknowva web application was identified to have Critical, high risks, which are listed below:

  • It was observed that access control check is missing, allowing to access functions that a low-level user should not have access to.

  • It was observed that Cross Site Request Forgery token was not implemented.

3.Findings Summary:

 

Sr. No

Category Name

Vulnerability Name

Instances

Status

Severity

1

Injection/Vulnerable Outdated Components

SQL Injection Via Vulnerable Plugin

Nil

Closed

Critical

2

Broken Access Control

Insecure Direct Object Reference

9

Closed

High

3

Lack of Resources and Rate Limiting

Login Brute force

1

Closed

High

4

Injection

Open Redirection

1

Closed

High

5

Broken Access Control/ Injection

Parameter Pollution

2

Closed

High

6

Injection

Stored Cross Site Scripting

10

Closed

High

7

Identification and Authentication Failures

Cookie Reusability

1

Closed

Medium

8

Cross Site Request Forgery

Cross Site Request Forgery

1

Closed

Medium

9

Injection

Cross site Scripting via File Upload

9

Closed

Medium

10

Lack of Resources and Rate Limiting

Email Flooding

1

Closed

Medium

11

Forced Browsing

Broken Access Control

3

Open

Medium

12

Security Misconfiguration

.Git Folder Exposure

1

Closed

Medium

13

Security Misconfiguration/ Broken Access Control

Information Exposure Via Log file

3

Closed

Medium

14

Injection

Reflected Cross Site Scripting 

2

Closed

Medium

15

Security Misconfiguration

Cacheable HTTPS response

2

Closed

Low

16

Security Misconfiguration

Clickjacking



1

Closed

Low

17

Security Misconfiguration

Cookie Set without HTTPOnly Flag

1

Closed

Low

18

Security Misconfiguration

HTTP Trace Method is Enabled

1

Closed

Low

19

Security Misconfiguration

Session Token in URL

3

Risk Accepted

Low

20

Security Misconfiguration


Vulnerable JavaScript Dependency

1

Closed

Low

21

Weak Password Policy

Weak Password Policy

1

Closed

Low

 

In case you face any problems, then please write to This email address is being protected from spambots. You need JavaScript enabled to view it., our awesome support team will surely help you!

Was this Article helpful?