Scribd
Upload
35 views

Task 2

The document summarizes 5 vulnerabilities found in an insecure web application: 1) SQL injection vulnerability allows unauthorized access to the database due to broken authentication. 2) Clickjacking vulnerability tricks users into performing unintended actions by disguising the true content behind a hidden interface. 3) XSS vulnerability allows injection of malicious scripts by inserting them into dynamic web pages. 4) HTML injection, also known as XSS, allows injection of HTML code into web pages seen by other users. 5) File upload vulnerability permits uploading malicious files that can then be executed, potentially allowing remote code execution if validation is insufficient.

Uploaded by

Shiva Shiva
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
35 views

Task 2

The document summarizes 5 vulnerabilities found in an insecure web application: 1) SQL injection vulnerability allows unauthorized access to the database due to broken authentication. 2) Clickjacking vulnerability tricks users into performing unintended actions by disguising the true content behind a hidden interface. 3) XSS vulnerability allows injection of malicious scripts by inserting them into dynamic web pages. 4) HTML injection, also known as XSS, allows injection of HTML code into web pages seen by other users. 5) File upload vulnerability permits uploading malicious files that can then be executed, potentially allowing remote code execution if validation is insufficient.

Uploaded by

Shiva Shiva
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 10

ASSESSMENT

TEST 1 - Insecure Web Application:


http://15.207.221.18:1002/dow88u170t/app

1. BROKEN AUTHENTICATION VULNERABLE DUE TO SQL INJECTION

Summary

:
SQL INJECTION SQL injection is a code injection technique that might destroy your database, common
web hacking technique and placement of malicious code in SQL statements, via web page input.

LOGIN URL:http://15.207.221.18:1002/dow88u170t/app/index.php

PAYLOAD: “admin” and “password”

STEPS:

1. Open login url :http://15.207.221.18:1002/dow88u170t/app/index.php you get below


website like shown image.
2. Give the payload: “admin and password” in the login field that will shown below

3. Click on sign in and default user get logged shown below


2. CLICKJACKING
Summary:
Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are
actually clicking on another. Its other name, user interface (UI) redressing, better describes what is
going on. Users think they are using a web page’s normal UI, but in fact there is a hidden UI in control;
in other words, the UI has been redressed. When users click something they think is safe, the hidden UI
performs a different action.

.
1.URL http://15.207.221.18:1002/dow88u170t/app/index.php
2.PAYLOAD : html code
<html>
<head>
<title></title>
</head>
<body>
<center> <h1>hide</h1>
<h2>the</h2>
<h3>clickjaking</h3>
<iframe src="http://15.207.221.18:1002/dow88u170t/app/index.php" width="500"
height="700" style=" opacity: 1;">
</iframe>
</center>
</body>
</html>

3.STEPS TO REPRODUCE:
(I) . Open the above HTML file with target url in browser.

(I) .Then see the above screen shot the target website embeded into the above html
page .So,this leads to clickjacking vulnerability.

IMPACT:Modify account details by exploiting click jacking vulnerability.

3. XSS VULNERABILITY:
Summary: Cross-site Scripting (XSS) is a security vulnerability usually found in websites
and/or web applications that accept user input.

Steps to reproduce :

1. Open default account in the above url . That will shoe below.
2. Enter the <script>alert(123)</script> this payload in the Add document field that will shown
below.

3. Now click on “Add Account”. now see the reflected xss


IMPACT:User accounts can be hijacked, credentials could be stolen, sensitive
data could be exfiltrated, and lastly, access to your client computers can be
obtained.

4. HTML INJECTION.

Summary:
HTML Injection also known as Cross Site Scripting. It is a security vulnerability that allows an
attacker to inject HTML code into web pages that are viewed by other users.

Attackers often inject malicious JavaScript, VBScript, ActiveX, and/or HTML into vulnerable
applications to deceive the user in order to gather data from them. Cross-site scripting (XSS)
vulnerabilities can be used by attackers to bypass authentication controls there by gaining
access to sensitive data on your system. Well crafted malicious code can even help the
attacker gain access to the entire system.HTML Injection also known as Cross Site Scripting. It
is a security vulnerability that allows an attacker to inject HTML code into web pages that are
viewed by other users.

Steps to reproduce :

1. First Login to your account then go to the add account field that will shown below
2. Now enter the <h1>hello</h1> this payload in the add account field

That will shown below.

3. Now click on add account and successfully inject the html code .that
will shown below
IMPACT:It can allow an attacker to modify the page. To steal another person's
identity.

5.FILE UPLOAD VULNERABILITY

Summary:
A local file upload vulnerability is a vulnerability where an application allows a user to upload a
malicious file directly which is then executed.

Steps to reproduce :”

1. Go to your account then click on the “upload checks” then you see the below image .
2. Actually in the field we upload only images but here it takes any type file here I am upload .php
file that will sucessfully uploaded that will shown below

3. Then you see that you didn’t get any error related file upload .

IMPACT:This is very dangerous and this leads to Remote Code Execution.


Thanks & Regards,

Siva Gandeti

[email protected]

+917729023860

You might also like