This is to certify that SecIQ Technologies has performed Vulnerability Assessment and Penetration Testing (VAPT) for the uKnowva Web Application.
Executive Summary
Scope of Testing
The scope of this penetration testing was limited to the uKnowva Web Application with a focus on identifying security vulnerabilities that could be exploited by malicious users. The testing was conducted in alignment with OWASP security guidelines and included a review of injection flaws, cross-site scripting issues, and misconfigurations.
Findings & Summary
The application was tested against the OWASP Top 10 categories and for business logic vulnerabilities. The following key points summarize the results:
- Critical Issues Identified: A SQL Injection vulnerability was found that allowed database contents to be extracted through the application. It was rated critical; it has since been fixed and the fix verified on retest.
- Medium/Low Issues Identified: Reflected Cross-Site Scripting (XSS) vulnerabilities were discovered, which allowed attacker-supplied script to be reflected in application responses and executed in a user's browser via a crafted request. These issues have been remediated and marked closed, with some residual risks formally accepted.
- Informational Issues Identified: A Cacheable HTTPS Response misconfiguration (responses served over HTTPS without cache directives that prevent storage, so a browser or intermediate cache may retain them) remains open but has been categorized as informational with minimal impact.
Overall, the major vulnerabilities were fixed and confirmed closed on retest. The application's exposure has been reduced accordingly, with only the informational finding above remaining open.
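To make the informational finding concrete, here is an added Python illustration (not part of the SecIQ assessment and not uKnowva code) that parses Cache-Control and flags responses a browser or shared cache is allowed to store, then shows the headers that close the finding. The sample header sets are constructed, since the report does not say which endpoints were affected.

```python
"""Added illustration: which HTTPS responses may be stored by a cache.

Not part of the assessment or of uKnowva; the header sets below are
constructed for the example.
"""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}.

    Directive names are case-insensitive; arguments such as max-age=600
    are kept as strings.
    """
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, argument = token.partition("=")
        directives[name.strip().lower()] = argument.strip().strip('"') or None
    return directives


def is_cacheable(headers):
    """True when nothing in the headers forbids storing the response.

    Only 'no-store' forbids storage outright. 'no-cache' still lets a cache
    keep a copy (it only forces revalidation before reuse) and 'private'
    still lets the user's own browser keep it, so neither closes the finding
    for a response that carries personal data.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def harden(headers):
    """Return a copy of the headers with storage-preventing directives set."""
    fixed = dict(headers)
    fixed["Cache-Control"] = "no-store, max-age=0"
    fixed["Pragma"] = "no-cache"  # honoured by HTTP/1.0 intermediaries
    fixed["Expires"] = "0"
    return fixed


def cacheable_paths(responses):
    """Given [(path, headers), ...], return the paths a scanner would flag."""
    return [path for path, headers in responses if is_cacheable(headers)]


# Constructed sample responses (not captured from any real application).
SAMPLE_RESPONSES = [
    ("/profile", {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}),
    ("/payslip.pdf", {"Content-Type": "application/pdf"}),  # no caching headers at all
    ("/login", {"Content-Type": "text/html", "Cache-Control": "no-cache"}),
    ("/logo.png", {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}),
    ("/api/me", {"Content-Type": "application/json", "Cache-Control": "no-store"}),
]

if __name__ == "__main__":
    for path in cacheable_paths(SAMPLE_RESPONSES):
        print("cacheable:", path)
    hardened = [(p, harden(h)) for p, h in SAMPLE_RESPONSES]
    print("after harden:", cacheable_paths(hardened))
```

The check is deliberately blunt: it also flags /logo.png, which should stay cacheable. That is why this class of finding is triaged by what the response contains (personal data, session-bound pages) rather than fixed globally, and why a scanner reports it as informational until a sensitive endpoint is confirmed.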
Business-Critical Risks
The assessment identified business-critical risks in the uKnowva Web Application. All of them have been closed through remediation and confirmed on retest.
- SQL Injection:
It was observed that SQL Injection vulnerabilities allowed database contents to be extracted through the application. This posed a critical business risk but has since been remediated and closed.
- Reflected Cross-Site Scripting (XSS):
It was observed that Reflected XSS vulnerabilities allowed attacker-supplied script to be reflected in application responses and executed in a user's browser. This issue was also remediated and closed.
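The two closed finding classes above, as an added Python illustration that is not uKnowva code and not taken from the assessment: a name look-up built by string concatenation beside its parameterised form, and a response that reflects the search term raw beside its escaped form. The in-memory SQLite table, the `employees` rows, the handler names and the payloads are all constructed for the example; the payloads are generic textbook strings, not steps taken against the application.

```python
"""Added illustration (not uKnowva code): SQL Injection and Reflected XSS.

A look-up built by string concatenation beside its parameterised form, and a
response that reflects the search term raw beside its escaped form. The
table, rows and payloads are constructed for the example.
"""
import html
import sqlite3


def build_db():
    """In-memory table standing in for an HR record store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO employees (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("Bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """Concatenates the user's input into the SQL text.

    A quote in `name` ends the string literal, so the rest of the input is
    executed as SQL: a tautology returns every row, and a UNION against the
    schema catalogue (sqlite_master here) dumps table definitions.
    """
    query = f"SELECT name, email FROM employees WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_fixed(conn, name):
    """Binds the input as a parameter; it can only ever match a name."""
    return conn.execute(
        "SELECT name, email FROM employees WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name, rows):
    """Reflects the raw search term, so <script> in it runs in the browser."""
    return f"<p>{len(rows)} result(s) for {name}</p>"


def render_fixed(name, rows):
    """Escapes the term (quote=True also covers attribute contexts)."""
    return f"<p>{len(rows)} result(s) for {html.escape(name, quote=True)}</p>"


# Generic textbook payloads, not steps taken against uKnowva.
TAUTOLOGY = "' OR 1=1 --"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"
XSS_PROBE = "<script>alert(document.cookie)</script>"


def demo():
    """Run both handlers against each payload; returns results for inspection."""
    conn = build_db()
    return {
        "tautology_vulnerable": search_vulnerable(conn, TAUTOLOGY),
        "tautology_fixed": search_fixed(conn, TAUTOLOGY),
        "dump_vulnerable": search_vulnerable(conn, SCHEMA_DUMP),
        "dump_fixed": search_fixed(conn, SCHEMA_DUMP),
        "xss_vulnerable": render_vulnerable(XSS_PROBE, []),
        "xss_fixed": render_fixed(XSS_PROBE, []),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Retesting a fix of this kind means re-sending the same payloads: the parameterised query returns no rows for either injection string, and the escaped response contains `&lt;script&gt;` rather than a tag. Output encoding is the fix for the HTML body context shown here; a Content-Security-Policy is a separate, defence-in-depth control and does not replace it.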
Approach
This assessment was conducted through a grey-box approach from the perspective of an authenticated end user.
The tests were carried out simulating the identity of an attacker or a malicious user, while ensuring that the server was not harmed.
The assessment involved the use of open-source automated tools for Dynamic Application Security Testing (DAST).
The following phases were covered during this assessment:
1. Vulnerability Assessment (DAST Scan):
Identifying security vulnerabilities by simulating real-world attack scenarios using automated scanners and manual verification.
2. Report Generation & Review:
Documenting findings, categorizing them based on OWASP Top 10, and reviewing remediation efforts to confirm closure.