Demo - testfireVAPT Report

The document is a security and penetration testing report for Altoro Mutual, detailing vulnerabilities found in their web application. It outlines various types of attacks performed, including SQL injection and cross-site scripting, along with their severity and remediation steps. The report emphasizes the importance of continuous testing and proper data management to mitigate risks associated with identified vulnerabilities.

Uploaded by

pivode6961

Security And Penetration Testing

Vulnerabilities Report
Project URL: https://demo.testfire.net/index.jsp

Client: Altoro Mutual
Date of Completion: 29th March 2025

To Be Viewed By Authorized Personnel Only
Confidentiality and liability
This document is the property of Demo.testfire Senior IT management only, and contains matter which is strictly
confidential and must not be given to any third party, or be printed, reprinted, photocopied or shared in
electronic form such as email, in whole or in part, without the prior consent of Budget Bet Senior IT
management. If you received this document in error, please notify the owner immediately. Consistent
System will not be liable for any misuse of information in this document in any form, situation or event.
Management personnel who are responsible for receiving this document own and control the document.
Disclaimer
Since the success of the testing is a joint venture between the customer and Consistent Systems, we seek
complete support from the customer's IT management and a helpful technical contact person. Consistent Systems will
not be responsible for any data loss, business functionality loss, reputational and/or revenue loss etc. caused
during the testing or thereafter. To that end, Consistent System mandates and urges the customer to be very
diligent in backing up all the systems, configurations, folders, files and settings which come within the scope of
the proposed testing.
By its nature, a pen-test scans only for the vulnerabilities that could potentially lead to an intrusion. It does not mean that
intrusions which happened in the past will be detected, nor does it mean that it will detect and
prevent intrusions which might happen in the future.
Penetration tests are meant to find possible vulnerabilities based on the data provided by the customer. If
inadequate or incorrect data is provided, it can limit the scope of testing, which can further result
in unidentified loopholes in the networks. Consistent System will not be liable for such situations.
Disclaimer
With time, hacking methodologies, technologies and tools change; as a result, a vulnerability fixed today
does not mean it is fixed forever. It is very likely that a vulnerability fixed today with a patch or
reconfiguration can still be exploited in future, which makes penetration testing a periodically conducted,
continuous improvement process.
It is often misconstrued that a penetration test is really an actual hacking attack; however, in reality the
penetration test is a network scan as well as an attempt to penetrate through the possible vulnerabilities
that can potentially lead to an intrusion. An actual penetration may not happen, because most real-life
hacking scenarios are rather time-consuming processes which can only be simulated to some extent in a
penetration test.
VAPT tests are not capable of, and are not intended for, detecting any inherent hardware, software, firmware or
application-based problems. The same applies to IT performance and functionality problems.
As a policy to protect the customer's data privacy, Consistent System does not provide logs to the customer. The
logs are treated as internal working data for the Consistent System tech team, hence are the intellectual property
of Consistent System, and the report generated from them is the only output or outcome meant for the customer
to see. Consistent System deletes or destroys all the logs and findings of the performance test three
days after the submission of the final report, as a matter of security practice, to protect the client's confidentiality.
Any disputes or concerns raised after three days will call for a retest, which counts as a repetition of the
testing and reporting and will be charged extra.
Disclaimer
If the penetration test is being carried out for product security endorsement, it is important to understand
that the test certifies the software build version and that of the applications running on the product.
This also means that if any major or minor change, update or configuration change is made to the software,
operating systems or application stacks which form the product, the certificate provided
becomes null and void, and in such a case the product would need to be recertified for the new software build.
The certificate we provide for a product clearly mentions the software and application build and the
related technical details, making and tying it to the specific product; it is not a generic one.
Vulnerability Finding And Attack Performed

OWASP Standard | Attack Type                                          | Approx. No. of Attacks Performed
A1             | Injection                                            | 1000+
A2             | Broken Authentication and Session Management         | 800+
A3             | A3:2017-Sensitive Data Exposure                      | 700+
A4             | A4:2017-XML External Entities (XXE)                  | 120+
A5             | A5:2017-Broken Access Control                        | 2000+
A6             | A6:2017-Security Misconfiguration                    | 50+
A7             | A7:2017-Cross-Site Scripting (XSS)                   | 75+
A8             | A8:2017-Insecure Deserialization                     | 75+
A9             | A9:2017-Using Components with Known Vulnerabilities  | 45+
A10            | A10:2017-Insufficient Logging & Monitoring           | 40+
Vulnerability List

SR. No. | Vulnerability Title                                                                                          | Severity
1       | OWASP 1: SQL Injection: Authentication Bypass                                                                | Critical
2       | OWASP 7: Cross-Site Scripting: Reflected XSS                                                                 | Critical
3       | OWASP 5: Broken Access Control: Privilege Escalation                                                         | Critical
4       | OWASP 2: Session Management: Back Refresh Attack                                                             | Critical
5       | OWASP 6: Security Misconfiguration: Invalid Certificate/Connection is not Secure                             | Critical
6       | OWASP 2: Broken Authentication: Application is Vulnerable to Brute Force Attack                              | Critical
7       | OWASP 7: Cross-Site Scripting: Application is Vulnerable to Clickjacking Attack                              | High
8       | OWASP 3: Sensitive Data Exposure: Missing Strict-Transport-Security Policy in Response Header                | High
9       | OWASP 2: Broken Authentication: Application is Accepting Weak Password without any Special Character or Numerical Value | Medium
10      | OWASP 2: Broken Authentication: Autocomplete is not set off                                                  | Medium
11      | OWASP 2: Broken Authentication: Idle Session is not getting Expired within Stipulated Time                   | Medium
12      | OWASP 5: Broken Access Control: Unidentical Ports are Open on Application Server                             | Medium
13      | OWASP 2: Session Management: Same session id before and after login                                          | Medium
14      | OWASP 6: Security Misconfiguration: Host Header Attack                                                       | Medium
15      | OWASP 7: Cross-Site Scripting: Missing X-XSS-Protection in Response Header                                   | Low
16      | OWASP 7: Cross-Site Scripting (XSS): Missing Content Security Policy in Response Header                      | Low
17      | OWASP 7: Broken Authentication: Weak Password Policy                                                         | Low
18      | OWASP 6: Injection: Application is vulnerable to HTML Injection                                              | High

Vulnerability 1: OWASP 1: SQL Injection – Authentication Bypass

Prerequisites:
User on the login page

Steps to reproduce:
1. Navigate to https://demo.testfire.net/index.jsp
2. Log in using an SQL injection payload in the login form
3. Observe the result.
Expected Result:
One should not be able to inject an SQL payload and bypass authentication.

Actual Result:
An attacker is able to inject SQL and successfully bypass authentication.

Impact:
The user account gets compromised; hence the adversary can take control of the complete account and perform
malicious operations.

Remediation:
Proper input validation and sanitization

Reference:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
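The remediation above is the core of the OWASP cheat sheet referenced: the login query must be parameterized so that user input is always treated as data. The following is an added example, not code from the report or from the Altoro Mutual application; the in-memory `users` table, its columns and the sample row are assumptions. It places a concatenated (injectable) query beside the parameterized form and adds a regression check a development team can keep in its test suite: a username containing a single quote must neither match nor break the query.

```python
import sqlite3


def make_db():
    """Constructed in-memory login store standing in for the application's user table.
    Plaintext passwords are used only to keep this SQL example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith', 'demo1234')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: characters in the input become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL text,
    so quotes and keywords in the input can never change the query structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def quote_is_data(login, conn):
    """Regression check for the test suite: a username containing a single quote must
    be handled as data (no match, no error). Returns True if the login routine passes,
    False if the quote altered the SQL, i.e. the routine is injectable."""
    try:
        return login(conn, "o'hara", "anything") is None
    except sqlite3.OperationalError:
        # A syntax/unterminated-string error means the quote was parsed as SQL.
        return False


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query treats quote as data:", quote_is_data(login_vulnerable, conn))
    print("parameterized query treats quote as data:", quote_is_data(login_safe, conn))
    print("valid credentials still work:", login_safe(conn, "jsmith", "demo1234"))
```

The check deliberately does not use a bypass payload: any quote that reaches the SQL parser is already proof that the query is built unsafely, which is the condition the fix has to remove.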
Vulnerability 2: OWASP 7: Cross-Site Scripting – Reflected XSS

Prerequisites:
User with valid credentials.

Steps to reproduce:
1. Navigate to https://demo.testfire.net/index.jsp in any browser
2. Enter a valid username and password.
3. Go to the search field
4. Insert an XSS alert script
5. Observe the result in the browser.
Expected Result:
The application should successfully create a tag, and a script provided as input in any input field should not be
executed.

Actual Result:
The script provided as input is executed; the application shows a cross-site scripting alert.

Impact:
The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS, with remote code execution
in the victim's browser, such as stealing credentials or sessions, or delivering malware to the victim.

Remediation:
Input validation/sanitization
Enable a Content Security Policy

Reference:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Vulnerability 3: OWASP 5: Broken Access Control – Privilege Escalation

Prerequisites:
Burp Suite

Steps to reproduce:
1. Open the link https://demo.testfire.net/bank/main.jsp in any browser.
2. Click the fund transfer tab
3. Select an account and transfer funds
4. Intercept the request in Burp
5. The application allows the amount to be modified.

Expected Result:
Modification of the request should not be allowed.

Actual Result:
During the fund transfer activity the amount can be modified if the request is intercepted.

Impact:
An adversary can perform any action in the application, e.g. change the account number, amount etc.

Remediation:
Proper privilege sanitization

References:
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
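The finding above is a parameter-tampering problem: the server trusts the amount and account identifiers as submitted. The defence is to re-derive every security-relevant fact on the server (who owns the source account, whether the amount is well-formed and covered) from the authenticated session and the ledger rather than from the form. The following is an added example, not code from the report or the application; the ledger dictionary, account numbers, owners, balances and the form field names (`fromAccount`, `toAccount`, `transferAmount`) are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed ledger standing in for the bank's account store (assumed data).
ACCOUNTS = {
    "800000": {"owner": "jsmith", "balance": Decimal("500.00")},
    "800001": {"owner": "jsmith", "balance": Decimal("50.00")},
    "800002": {"owner": "other",  "balance": Decimal("1000.00")},
}


class TransferRejected(Exception):
    pass


def validate_transfer(session_user, form):
    """Checks a transfer request against server-side state only.
    session_user comes from the authenticated session, never from the form.
    Returns (from_acct, to_acct, amount) if acceptable, else raises TransferRejected."""
    from_acct = str(form.get("fromAccount", ""))
    to_acct = str(form.get("toAccount", ""))
    try:
        amount = Decimal(str(form.get("transferAmount", "")))
        if not amount.is_finite():          # rejects NaN / Infinity, which would break comparisons
            raise InvalidOperation
        rounded = amount.quantize(Decimal("0.01"))
    except InvalidOperation:
        raise TransferRejected("amount is not a valid monetary value")
    if amount <= 0 or amount != rounded:
        raise TransferRejected("amount must be positive with at most two decimals")
    src = ACCOUNTS.get(from_acct)
    if src is None or src["owner"] != session_user:
        # Ownership is looked up in the ledger, so a tampered fromAccount fails here.
        raise TransferRejected("source account is not owned by the logged-in user")
    if to_acct not in ACCOUNTS or to_acct == from_acct:
        raise TransferRejected("invalid destination account")
    if amount > src["balance"]:
        raise TransferRejected("insufficient funds")
    return from_acct, to_acct, amount


def is_rejected(session_user, form):
    """Convenience wrapper for tests and monitoring: True if the request would be refused."""
    try:
        validate_transfer(session_user, form)
        return False
    except TransferRejected:
        return True


def transfer(session_user, form):
    """Applies a validated transfer and returns the new source balance."""
    from_acct, to_acct, amount = validate_transfer(session_user, form)
    ACCOUNTS[from_acct]["balance"] -= amount
    ACCOUNTS[to_acct]["balance"] += amount
    return ACCOUNTS[from_acct]["balance"]
```

Rejections are worth logging with the session user and the submitted account: a user repeatedly submitting accounts they do not own is exactly the interception-and-edit behaviour the steps above describe.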
Vulnerability 4: OWASP 2: Session Management – Back Refresh Attack

Prerequisites:
Login with valid credentials

Steps to reproduce:
1. Open the link https://demo.testfire.net/bank/main.jsp in any browser
2. Visit some pages on the website
3. Then click Sign Off and click the browser's back button

Expected Result:
The session should expire after sign off.

Actual Result:
The session does not expire and the account is not properly logged out.

Impact:
If someone can get access to your computer, they can perform any activity on behalf of the legitimate user without
having valid credentials.

Remediation:
Session management

References:
https://www.coveros.com/understanding-session-management-one-of-owasp-top-10-part-1/
https://www.sitelock.com/blog/owasp-top-10-broken-authentication-session-management/
Vulnerability 5: OWASP 6: Security Misconfiguration – Invalid Certificate/Connection is not Secure

Prerequisites:
NA

Steps to reproduce:
1. Open the link https://demo.testfire.net/bank/main.jsp in any browser
2. Click on the certificate.

Expected Result:
The application should use a valid digital certificate.

Actual Result:
The application is not using a valid digital certificate and the connection is not secure.

Impact:
Makes the system more vulnerable to hacking.

Remediation:
The application should use a current, valid digital certificate for a secure connection.
Vulnerability 6: OWASP 2: Broken Authentication – Application is Vulnerable to Brute Force Attack

Prerequisites:
NA

Steps to reproduce:
1. Navigate to https://demo.testfire.net/bank/main.jsp
2. Enter invalid credentials multiple times.
3. Observe the result.
Expected Result:
After several wrong attempts, the system should block the user's account for a stipulated time.

Actual Result:
Since the account is not locked out, an attacker can perform a brute force attack on the login page.

Impact:
An attacker can guess valid credentials and exploit the application.

Remediation:
An adversary should not be able to perform more than 5 invalid login attempts.

Reference:
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
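The remediation states the threshold (5 invalid attempts) and the expected result states the response (block the account for a stipulated time). The following is an added example of that control, not code from the report or the application: the 15-minute lockout duration and failure window are assumptions, since the report does not state the stipulated time, and the injectable clock exists only so the behaviour can be tested without waiting.

```python
import time

MAX_FAILURES = 5            # the report's threshold
LOCKOUT_SECONDS = 15 * 60   # assumed "stipulated time"; the report does not state it
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count toward the threshold


class LoginThrottle:
    """Per-account failure counter with temporary lockout (assumed design)."""

    def __init__(self, clock=time.time):
        self._failures = {}      # username -> list of failure timestamps
        self._locked_until = {}  # username -> time at which the lock expires
        self._clock = clock

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0)

    def record_failure(self, username):
        """Returns True if this failure triggered a lockout."""
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t <= WINDOW_SECONDS]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = []
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)


def attempt_login(throttle, check_password, username, password):
    """Returns 'locked', 'ok' or 'failed'. The lock is checked before the password so a
    locked account cannot be probed at all. The HTTP layer should show the same generic
    message for 'locked' and 'failed' to avoid confirming which usernames exist."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"
```

Each lockout event should also be written to the application log with the account name and source address: a burst of lockouts across many accounts is the signal the logging and monitoring category in the table above is meant to catch.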
Vulnerability 7: OWASP 7: Cross-Site Scripting – Application is Vulnerable to Clickjacking Attack

Prerequisites:
NA

Steps to reproduce:
1. Create an HTML file with the following HTML code.
<html>
<body>
<iframe src="http://altoro.testfire.net/" width="100%" height="100%" style="position: absolute; top: 0; left: 0;"></iframe>
<button style="position: absolute; top: 20px; left: 20px; z-index: 100;" onclick="window.location='https://www.flaticon.com/free-icons/padlock';">Click Me!</button>
</body>
</html>

2. Open the newly created HTML file in any browser and observe the result.

Expected Result:
Framed content should not get loaded.
Actual Result:
The application is vulnerable to a clickjacking attack; framed content is loaded.
Impact:
Can trick users into unknowingly clicking on hidden elements, leading to unauthorized actions like account
takeover, data theft, or malware downloads.
Remediation:
Implement X-Frame-Options or Content Security Policy (CSP) headers to prevent your site from being embedded
in iframes.
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Vulnerability 8: OWASP 2: Broken Authentication – Autocomplete is not set to off for Username textbox

Prerequisites:
NA

Steps to reproduce:
1. Navigate to https://demo.testfire.net/index.jsp
2. Click on the username field

Expected Result:
Autocomplete on the field should be off.
Actual Result:
Autocomplete is on.
Impact:
An attacker can obtain the user ID.
Remediation:
Autocomplete on the field should be set to off.

References:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
Vulnerability 9: OWASP 2: Broken Authentication – Idle Session is not getting Expired within Stipulated Time

Prerequisites:
User with valid credentials

Steps to reproduce:
1. Navigate to https://demo.testfire.net/index.jsp
2. Log in with username and password
3. On the home page, keep the session idle for the next 30 min
4. Try to perform any activity after 30 minutes.

Expected Result:
The session should expire after 30 min.

Actual Result:
The session remains active after 30 min.

Impact:
An adversary can take over the active session and might get administrator access.
Insufficient session expiration could allow an attacker to use the browser's back button to access web
pages previously accessed by the victim.

Remediation:
Test for server-side session termination.
Test for session timeout; set the session timeout to the minimal value possible depending on the context
of the application, e.g. 30 min.

Reference:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
Vulnerability 10: OWASP 5: Broken Access Control – Unidentical Ports are Open on Application Server

Prerequisites:
Nmap

Steps to reproduce:
1. Open the Nmap tool.
2. Put the link https://demo.testfire.net/index.jsp in the target field of Nmap.
3. Select a profile category and click on Scan.
4. Nmap starts scanning with the respective category.
5. Unidentical open ports are discovered.

Expected Result:
Only required ports should be open. Unused ports are advised to be kept closed.

Actual Result:
Unused ports are open.

Impact:
The impact of exposed service ports is very high, as it helps cyber criminals find open ports and figure out whether they are
receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an
organization.

Remediation:
IDS and IPS.
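The expected result above ("only required ports should be open") is checkable on the defender's side by comparing a scan of the server against an explicit allowlist, which turns the finding into a repeatable control rather than a one-off observation. The following is an added example, not code from the report; the Nmap output lines are a constructed sample in Nmap's normal-output format (the report shows its scan results only as screenshots), and the approved-ports set and hostname are assumptions.

```python
import re

# Constructed sample in Nmap normal-output format; not a scan result from the report.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for app.example.internal (192.0.2.10)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp open     http-proxy
8443/tcp filtered https-alt
"""

# Ports the application server is expected to expose; an assumption for this example.
APPROVED_PORTS = {("tcp", 80), ("tcp", 443)}

# Matches the per-port lines: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(nmap_text):
    """Returns [(proto, port, service)] for lines whose state is exactly 'open';
    'filtered', 'closed' and 'open|filtered' lines are ignored."""
    found = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found.append((m.group(2), int(m.group(1)), m.group(4)))
    return found


def unexpected_ports(nmap_text, approved=APPROVED_PORTS):
    """Open ports that are not on the allowlist; a non-empty result is the finding."""
    return [(proto, port, svc) for proto, port, svc in parse_open_ports(nmap_text)
            if (proto, port) not in approved]


if __name__ == "__main__":
    for proto, port, svc in unexpected_ports(SAMPLE_NMAP_OUTPUT):
        print(f"unexpected open port {port}/{proto} ({svc})")
```

Run against real scan output, the script is a cheap drift detector: schedule the scan, diff the result against the allowlist, and alert when a new service appears. It complements, rather than replaces, the IDS/IPS the remediation calls for.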
Vulnerability 11: OWASP 2: Session Management – Same session id before and after login

Prerequisites:
Burp Suite

Steps to reproduce:
1. Open the link https://demo.testfire.net/index.jsp in any browser.
2. Intercept the request using Burp Suite Pro.
3. Log in using credentials
4. Intercept the request again after login
5. Observe both requests

Expected Result:
The application should change the session id after login.

Actual Result:
The same session id is used.

Impact:
An attacker can take over the account without valid credentials.

Remediation:
Session management

References:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
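Vulnerabilities 4, 9 and 11 are three faces of one control, which the report summarises as "session management": the server must rotate the session identifier at login (11), terminate the session on the server after the idle limit rather than only in the cookie (9), and destroy it on sign-off while telling the browser not to cache authenticated pages, so the back button re-requests them and lands on the login page (4). The following is an added example of that design, not code from the report or the application; the store layout, the 30-minute idle limit taken from the expected result of vulnerability 9, the cache headers and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; the report's stipulated idle limit

# Sent on every authenticated page so the back button cannot show a cached copy
# after sign-off; the browser must re-request and gets redirected to login.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """Minimal server-side session store (assumed design, not the application's)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock

    def create(self):
        """Anonymous pre-login session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier at the privilege change: an id observed or planted
        before login is worthless afterwards. Returns the new id."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def current_user(self, sid):
        """User for a live session, or None if the id is unknown, was signed off,
        or has been idle longer than IDLE_TIMEOUT (in which case it is destroyed)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # server-side termination, not just cookie removal
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Destroy server-side state; clearing the cookie alone leaves the id valid."""
        self._sessions.pop(sid, None)


def handle_request(store, sid, path):
    """Toy handler for an authenticated page: returns (status, headers, body)."""
    user = store.current_user(sid)
    if user is None:
        return 302, {"Location": "/login.jsp"}, ""
    return 200, dict(NO_STORE_HEADERS), f"welcome {user} at {path}"
```

The test for vulnerability 11 in the steps above (compare the cookie before and after login) maps directly onto `login()` returning a different id; the test for vulnerability 4 maps onto `logout()` followed by a request with the old id being redirected.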
Vulnerability 12: OWASP 6: Security Misconfiguration – Host Header Attack

Prerequisites:
Burp Suite

Steps to reproduce:
1. Navigate to https://demo.testfire.net/index.jsp
2. Enter the username and password and click the login button.
3. Intercept the request through Burp Suite
4. Change the host name
5. Check the response.

Expected Result:
The server should not serve the response if the host changes.

Actual Result:
The server sends the response without validating the host.

Impact:
An attacker can perform malicious tasks on behalf of a legitimate user.

Remediation:
Server-side validation against a whitelist

References:
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
Vulnerability 17: OWASP 2: Broken Authentication – Weak Password Policy

Prerequisites:
Burp Suite

Steps to reproduce:
• As per the current username and password
• Could not be performed because no change-password functionality is available in the application

Expected Result:
The application should give an error message asking the requesting user to use a combination of numbers, letters and
special characters, and the password length should be a minimum of 8 characters. A strong password policy should be
enforced.
Actual Result:
The application accepts a weak password which does not contain any special character, numerical value or capital
letter, and a password shorter than 8 characters. A strong password policy is not implemented.
Impact:
The user's account gets compromised; hence the adversary can take control of the complete site and perform
malicious operations. A password that can be guessed easily could lead to a severe data breach or security breach.
Remediation:
A strong password policy should be implemented.
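The expected result above spells out the rules the policy has to enforce: minimum length 8, a number, a capital letter and a special character. The following is an added example of a validator for exactly those rules, not code from the report or the application; the rule that the password must not contain the username is an addition beyond what the report lists, and the function names are assumptions. It returns every violated rule so the application can show the specific error message the expected result asks for.

```python
import string

MIN_LENGTH = 8  # minimum length stated in the report's expected result


def password_policy_errors(password, username=""):
    """Returns the list of rules the candidate password violates; an empty list means
    it passes. Checks are independent so the user sees every problem at once."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("must contain a number")
    if not any(c.isupper() for c in password):
        errors.append("must contain a capital letter")
    if not any(c in string.punctuation for c in password):
        errors.append("must contain a special character")
    # Addition beyond the report: a password built from the account name is trivially guessed.
    if username and username.lower() in password.lower():
        errors.append("must not contain the username")
    return errors


def is_acceptable(password, username=""):
    """Boolean form for use at the change-password and registration handlers."""
    return not password_policy_errors(password, username)
```

The validator must run on the server: client-side checks are a usability aid and, as the steps for vulnerability 3 show, anything enforced only in the browser can be edited in transit.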
Vulnerability 18: OWASP 7: Cross-Site Scripting – Application is Vulnerable to HTML Injection

Prerequisites:
• User with valid credentials.
Steps to reproduce:
• Navigate to https://demo.testfire.net/index.jsp
• Navigate to the search tab, or log in and navigate to the feedback form
• Enter the text "<h1>kirti</h1>" as the Name.
• Click the Submit button
Expected Result:
The application should not accept any HTML tags in the name or comment field text box, and the application should
successfully create the tag.
Actual Result:
The application accepts HTML tags in the name or comment field text box and displays the result in the web page.
Impact:
This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to
impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the
victims.
Remediation:
Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS,
or URL) will resolve reflected and stored XSS vulnerabilities.
Enable a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.
References:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection
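The remediation above (escape untrusted request data for the HTML context it lands in) fixes both vulnerability 2, where the search term is reflected, and vulnerability 18, where the feedback name is echoed; the same input that produced the finding, "<h1>kirti</h1>", then renders as literal text. The following is an added example, not code from the report or the application: it escapes for body, attribute and URL contexts using Python's standard library, and adds the check a test suite can run to prove the submitted markup did not survive into the output. The page layout, field names and function names are assumptions.

```python
import html
from urllib.parse import quote


def render_search_results(query):
    """Reflects the search term (vulnerability 2) into three contexts, each escaped for
    that context: text between tags, a quoted attribute value, and a URL query component."""
    safe_text = html.escape(query, quote=True)   # & < > " ' become entities
    safe_attr = html.escape(query, quote=True)   # quote=True is what makes it safe inside value="..."
    safe_url = quote(query, safe="")             # percent-encode everything but unreserved chars
    return (
        "<h2>Search results for: " + safe_text + "</h2>\n"
        '<input type="text" name="query" value="' + safe_attr + '">\n'
        '<a href="/search.jsp?query=' + safe_url + '">Search again</a>'
    )


def render_feedback(name, comment):
    """Feedback echo (vulnerability 18): tags typed into name or comment become inert text.
    The page should still create the element; only the user data is escaped."""
    return "<p><b>" + html.escape(name) + "</b>: " + html.escape(comment) + "</p>"


def contains_raw_tag(rendered, submitted):
    """Test-suite check: True if a submitted string containing '<' appears verbatim
    in the rendered output, i.e. the markup was not escaped and injection is possible."""
    return "<" in submitted and submitted in rendered
```

Escaping at output time, per context, is the durable fix; rejecting "<" at input time (the expected result's first sentence) is a reasonable extra for a name field but is not a substitute, since the same data may later be rendered somewhere the input filter never saw.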
Vulnerability 19: OWASP 7: Missing Security Headers

Prerequisites:
• User with valid credentials.
Steps to reproduce:
• Copy the target URL: https://demo.testfire.net/index.jsp
• Open a new tab and search for a security headers checker
• Paste the URL into the input field and check the missing headers on the website
Expected Result:
The application should include the necessary security headers to protect against common web vulnerabilities.
Actual Result:
The application is missing security headers such as Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-
Options, and Strict-Transport-Security (HSTS).
Impact:
This makes it vulnerable to attacks like clickjacking, MIME sniffing, and man-in-the-middle attacks.
Remediation:
Implement the necessary security headers: CSP, HSTS, etc.
References:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection
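This finding, the clickjacking finding (vulnerability 7) and the missing HSTS item in the vulnerability list are all fixed by the same response headers, and the online checker used in the steps above can be replaced by an offline audit of a captured response. The following is an added example, not code from the report or the application: a baseline header set (values are assumptions; CSP sources in particular must be tuned to the application's real origins), a function that adds it to a response, and an audit that reports what is missing. The raw HTTP response it parses is a constructed sample, not a capture from the target.

```python
import re

# Assumed baseline, not values from the report. frame-ancestors 'none' and
# X-Frame-Options DENY both stop framing (clickjacking); HSTS forces TLS;
# nosniff stops MIME sniffing.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000


def add_security_headers(response_headers):
    """Returns a copy of the headers with any missing baseline header filled in."""
    hardened = dict(response_headers)
    for name, value in RECOMMENDED_HEADERS.items():
        hardened.setdefault(name, value)
    return hardened


def audit_headers(response_headers):
    """Case-insensitive audit of a response's headers; returns a list of findings,
    empty when the baseline is met."""
    present = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    csp = present.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in present:
        findings.append("clickjacking: no frame-ancestors CSP directive and no X-Frame-Options")
    if "content-security-policy" not in present:
        findings.append("missing Content-Security-Policy")
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def parse_raw_response(raw):
    """Extracts the header block of a raw HTTP/1.1 response (status line, headers,
    blank line, body) into a dict; duplicate header names keep the last value."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed sample response with no security headers at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed-value; Path=/\r\n"
    "\r\n"
    "<html><body>Altoro Mutual</body></html>"
)

if __name__ == "__main__":
    for finding in audit_headers(parse_raw_response(SAMPLE_RESPONSE)):
        print("finding:", finding)
```

Feeding `audit_headers` with the headers of every response in a crawl (rather than one page) catches the common case where a framework adds the headers on the login page but not on error pages or static resources.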
Vulnerability 19: OWASP 7: Exposed API Documentation

Prerequisites:
Target URL
Steps to reproduce:
• Open https://demo.testfire.net/index.jsp
• Click on REST API to see the API operations
Expected Result:
API documentation should not be publicly accessible without authentication.
Actual Result:
API documentation is exposed without authentication, allowing unauthorized users to view API endpoints,
request structures, and sensitive information.
Impact:
Attackers can use the exposed API details to perform reconnaissance, exploit vulnerabilities, and launch attacks such
as API abuse, data leakage, and unauthorized access.
Remediation:
Restrict access to the API documentation using authentication and authorization controls. Implement rate limiting
and monitor API requests for suspicious activity.
References:
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection
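The remediation above names three controls for the documentation endpoint: authentication, authorization and rate limiting, with monitoring of denied requests. The following is an added example that wires them together in one handler, not code from the report or the application; the request dictionary shape, the `api-consumer` role, the fixed-window limiter and the audit sink are assumptions for the example.

```python
import time


class RateLimiter:
    """Fixed-window request counter per client (assumed design, not the application's)."""

    def __init__(self, limit, window_seconds, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self._clock = clock
        self._buckets = {}   # client id -> (window start, count)

    def allow(self, client_id):
        now = self._clock()
        start, count = self._buckets.get(client_id, (now, 0))
        if now - start >= self.window:      # window elapsed: start a fresh count
            start, count = now, 0
        count += 1
        self._buckets[client_id] = (start, count)
        return count <= self.limit


# Constructed audit sink; in production these go to the application log / SIEM.
AUDIT_LOG = []


def serve_api_docs(request, limiter):
    """Gate for the documentation route. request is a constructed dict with
    'client_ip', 'user' (None when anonymous) and 'roles'. Order: throttle first,
    because it is cheap and protects the authentication layer; then authn; then authz.
    Returns (status, body)."""
    client = request.get("client_ip", "unknown")
    if not limiter.allow(client):
        AUDIT_LOG.append(("rate_limited", client))
        return 429, "Too Many Requests"
    if request.get("user") is None:
        AUDIT_LOG.append(("unauthenticated_docs_access", client))
        return 401, "Authentication required"
    if "api-consumer" not in request.get("roles", ()):
        AUDIT_LOG.append(("forbidden_docs_access", client, request["user"]))
        return 403, "Forbidden"
    return 200, "<OpenAPI document would be served here>"
```

The audit entries are the monitoring half of the remediation: a single client accumulating `unauthenticated_docs_access` or `rate_limited` events against the documentation route is the reconnaissance pattern the impact paragraph describes, and is easy to alert on.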
Thank You!!
