Cloud Server Penetration Test Summary Report - Jan 2025

  • Print
21 Mar 2025
33
0

This is to certify that SecIQ Technologies has performed Vulnerability Assessment and Penetration Testing (VAPT) from 27-Jan-2025 to 31-Jan-2025 for the uKnowva Cloud & Network application.

Executive Summary

Scope of Testing:

The assessment was conducted to identify security vulnerabilities in the uKnowva Cloud & Network application and evaluate its compliance with OWASP security guidelines. The primary focus was on security misconfigurations and potential exposure risks within the cloud infrastructure.

Findings & Summary:

The penetration testing revealed several vulnerabilities categorized as Critical, High, Medium, and Low. These issues were identified, remediated, and validated during the retesting process. The details are provided in the table below.

Business-Critical Risks

The assessment identified multiple security misconfigurations, which were remediated as part of the testing process. The key vulnerabilities included:

Use of Unsupported PHP Version: A critical risk that could lead to security exploits due to lack of vendor support and security patches.

Outdated Apache Tomcat & Apache Server Versions: Multiple vulnerabilities were found in older versions, posing a risk of remote code execution and unauthorized access.

Weak SSL Cipher Suites (SWEET32 Attack): The presence of medium-strength ciphers could allow attackers to exploit outdated cryptographic protocols.

CloudTrail Logs Not Encrypted with KMS CMKs: Unencrypted logs posed a risk of exposure in case of unauthorized access.

Exposed Admin Login Pages & Unsecured S3 Buckets: Several storage misconfigurations were identified that could lead to unauthorized data access.

All identified vulnerabilities were closed after remediation efforts.

Assessment Approach

The Cloud Server Penetration Testing was conducted using an OSINT (Open Source Intelligence) approach, evaluating security risks from both unauthenticated and authenticated user perspectives. The following steps were performed:

Network Scans and OSINT:

  • Identification of publicly exposed services and security misconfigurations.
  • Scanning cloud infrastructure for weak security controls.

Triage and Exploitation:

  • Assessing the exploitability of identified vulnerabilities.
  • Simulating attack scenarios to evaluate security weaknesses.

Report Generation and Review:

  • Documenting findings with risk categorization.
  • Validating fixes and retesting vulnerabilities.

Tools Used:

  • Nessus (for vulnerability scanning and compliance checks)
  • Nmap (for network scanning and reconnaissance)



 

If you encounter any issues, please write to This email address is being protected from spambots. You need JavaScript enabled to view it.. Our support team will be happy to assist you!

Was this Article helpful?