
APPLICATION PENETRATION TESTING REPORT

Scope: CRM
Submitted To: Quatrro
Date: 28th December 2012

Document Details

Company: Quatrro
Document Title: Penetration Testing Report
Date: 28-03-2012
Classification: Confidential
Document Type: Report

CONFIDENTIAL DOCUMENT Not to be circulated or reproduced without appropriate authorization.

Table of Contents

Executive Summary (page 3)
Goal (page 3)
Scope (page 3)
Assessment Findings (page 4)
Details (page 12)
Conclusion (page 22)
Recommendation (page 22)

Executive Summary
We thank you for choosing Appin Software Security Pvt. Ltd. as your Information Security partner. We appreciate your business and look forward to providing you services in the near future. The following report presents the results of the application penetration test, as per your request. In case you have any questions, please contact your Appin representative or email contact@appinlabs.com.

Goal
To provide a comprehensive Penetration Testing Report of the Web Application based on the OWASP Top 10, including but not limited to SQL Injection, CRLF Injection, Directory Traversal, File Inclusion, Buffer Overflow, Cross Site Scripting (XSS), Cross Site Request Forgery etc., which will help Quatrro to improve its security level by addressing the vulnerabilities.

Scope
In-depth security assessment of the following web application:

Web Application: http://10.100.4.50/testcrm/

Audit Dates: 26th March

Assessment Findings

Ref No: 1
Vulnerability Name: SQL Injection
Risk Level: High
Vulnerable URLs:
http://10.100.4.50/testcrm/key_view.php?submit1=View&status=0
http://10.100.4.50/testcrm/orderdetail_frame.php?srno=163473
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144

Ref No: 2
Vulnerability Name: Cross Site Scripting
Risk Level: High
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1
http://10.100.4.50/testcrm/business_agent.php?id=1

Ref No: 3
Vulnerability Name: Unencrypted Login Request
Risk Level: Medium
Vulnerable URLs:
http://10.100.4.50/testcrm/login-exec.php

Ref No: 4
Vulnerability Name: Phishing Through Frames
Risk Level: Medium
Vulnerable URLs:
http://10.100.4.50/testcrm/orderinfo.php?orderno=0111111144
http://10.100.4.50/testcrm/currency_master.php?cid=15
http://10.100.4.50/testcrm/Payment_master.php?pid=11
http://10.100.4.50/testcrm/mail_template.php?mtid=16
http://10.100.4.50/testcrm/subcategory.php?action=edit&catid=1
http://10.100.4.50/testcrm/newproduct.php?srno=558
http://10.100.4.50/testcrm/system.php?action=edit&idsystem=1
http://10.100.4.50/testcrm/component.php?action=edit&idcomponent=1
http://10.100.4.50/testcrm/incident.php?action=edit&idincident=1
http://10.100.4.50/testcrm/module.php?action=edit&idmodule=1
http://10.100.4.50/testcrm/promocode.php?action=edit&id=6
http://10.100.4.50/testcrm/origin_of_cust.php?action=edit&srno=1
http://10.100.4.50/testcrm/sale_medium.php?action=edit&id=1
http://10.100.4.50/testcrm/brand_master.php?action=edit&id=1
http://10.100.4.50/testcrm/disposition_master.php?action=edit&id=1
http://10.100.4.50/testcrm/computer_type.php?action=edit&code=1
http://10.100.4.50/testcrm/operatingsys.php?action=edit&code=2
http://10.100.4.50/testcrm/computer_age.php?action=edit&code=1
http://10.100.4.50/testcrm/internet_con.php?action=edit&code=3
http://10.100.4.50/testcrm/createdfrom.php?action=edit&id=2
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832&vdn=60250
http://10.100.4.50/testcrm/subvdnmap_edit.php?account=91011832
http://10.100.4.50/testcrm/reportschdl.php?action=edit&id=1
http://10.100.4.50/testcrm/matrixmaster.php?eid=3&acc=36321671&plan=200000522&act=1
http://10.100.4.50/testcrm/partnerreportsetting.php?action=edit&id=14
http://10.100.4.50/testcrm/survey_edit.php?surveyid=69C82D9A-0E2E-E011-91D3-001E0BD9CB7C
http://10.100.4.50/testcrm/menu_header.php?action=edit&headerid=1
http://10.100.4.50/testcrm/sub_menu.php?action=edit&idsmenu=1
http://10.100.4.50/testcrm/rolemaster.php?action=edit&iduserrights=1
http://10.100.4.50/testcrm/business_agent.php?id=1
http://10.100.4.50/testcrm/accountdetails.php?account=91011832&action=1&aname=AAA
http://10.100.4.50/testcrm/ibmaster.php?ibid=206
http://10.100.4.50/testcrm/subibmaster.ph?ibid=1
http://10.100.4.50/testcrm/department.php?action=edit&depid=3
http://10.100.4.50/testcrm/employeemaster.php?eid=1
http://10.100.4.50/testcrm/business_agent.php?id=1

Ref No: 5
Vulnerability Name: Directory Listing Enabled
Risk Level: Low
Vulnerable URLs:
http://10.100.4.50/testcrm/template
http://10.100.4.50/testcrm/include
http://10.100.4.50/testcrm/images

Details

URL: http://10.100.4.50/testcrm/

Vulnerability: SQL Injection
Risk: High
Potential Security Issue: It is possible to view, modify or delete database entries and tables.
Technical Description: A common way to reduce the risk of being attacked by SQL injection is to suppress detailed SQL error messages, which are usually used by attackers to easily locate scripts that are susceptible to SQL Injection. The concept behind blind SQL injection is that it is possible, even without receiving direct data from the database (in the form of an error message, or leaked information), to extract data from the database, one bit at a time, or to modify the query in a malicious way. The idea is that the application behavior (result identical to the original result, or result different from the original result) can provide a single bit of information about the evaluated (modified) query, meaning it is possible for the attacker to formulate an SQL Boolean expression whose evaluation (a single bit) is revealed through the application behavior (identical/non-identical to the original behavior).
Fix Recommendations: There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands etc. It is advised to filter out all the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)
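The report's fix is a character filter; as an added example (not code from the report or from the CRM), the following PHP shows the pattern behind the key_view.php finding next to the parameterized form, where the query shape is fixed before the value is bound so no filter list has to be maintained. Table and column names are assumed.

```php
<?php
// Added example, not code from the report or from the CRM. Table and column
// names (keys_master, key_id, key_value, status) are assumed.

// BEFORE: the raw parameter becomes part of the SQL text. Because the value
// is compared without quotes, any input that parses as SQL rewrites the WHERE
// clause instead of being compared to a status, which is exactly the condition
// the blind (Boolean) technique in the description depends on.
function findKeysVulnerable(PDO $db, string $status): array
{
    $sql = 'SELECT key_id, key_value FROM keys_master WHERE status = ' . $status;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the statement is compiled with a placeholder before the value is
// bound, so whatever the client sends is only ever compared as an integer.
// Type validation comes first so malformed input is rejected with a clear
// error instead of being "filtered" into something that happens to parse.
function findKeysSafe(PDO $db, string $status): array
{
    if (!ctype_digit($status)) {
        throw new InvalidArgumentException('status must be a non-negative integer');
    }
    $stmt = $db->prepare(
        'SELECT key_id, key_value FROM keys_master WHERE status = :status'
    );
    $stmt->bindValue(':status', (int) $status, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection as it would be set up in key_view.php (credentials are placeholders).
// Emulated prepares are switched off so the placeholder is handled by the server.
function connect(): PDO
{
    return new PDO(
        'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
        'DB_USER',
        'DB_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// key_view.php?submit1=View&status=0 would then run:
// $keys = findKeysSafe(connect(), $_GET['status'] ?? '');
```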


URL: http://10.100.4.50/testcrm/

Vulnerability: Cross Site Scripting
Risk: High
Potential Security Issue: It is possible to steal or manipulate customer sessions and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Technical Description: The Cross-Site Scripting attack is a privacy violation that allows an attacker to acquire a legitimate user's credentials and to impersonate that user when interacting with a specific website. The attack hinges on the fact that the web site contains a script that returns a user's input (usually a parameter value) in an HTML page, without first sanitizing the input. This allows an input consisting of JavaScript code to be executed by the browser when the script returns this input in the response page. As a result, it is possible to form links to the site where one of the parameters consists of malicious JavaScript code. This code will be executed (by a user's browser) in the site context, granting it access to cookies that the user has for the site, and other windows in the site through the user's browser. Possible actions that can be performed by the script are:
[1] Send the user's cookies (for the legitimate site) to the attacker.
[2] Send information that is accessible through the DOM (URLs, form fields, etc.) to the attacker.
The result is that the security and privacy of the victim user is compromised on the vulnerable site.
Fix Recommendations: Sanitize user input and filter out JavaScript code. We suggest you filter the following characters:
[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)
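An added PHP example, not from the report or from the CRM, for the reflected orderno parameter on orderinfo.php: the raw reflection beside the output-encoded version, plus the cookie flags that limit the session-theft impact described above. The markup around the value is assumed.

```php
<?php
// Added example, not code from the report or from the CRM. The page and the
// parameter follow the finding (orderinfo.php?orderno=...); the markup
// around the value is assumed.

// BEFORE: the query parameter is written straight into the response, so any
// markup in the value becomes part of the page and runs in the site context.
function renderOrderHeaderVulnerable(string $orderno): string
{
    return '<h2>Order ' . $orderno . "</h2>\n"
         . '<input type="text" name="orderno" value="' . $orderno . '">';
}

// AFTER: every reflected value is HTML-encoded for the context it lands in.
// ENT_QUOTES also encodes single quotes (needed inside attribute values);
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into an empty
// string, which would otherwise blank the field silently.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderOrderHeaderSafe(string $orderno): string
{
    return '<h2>Order ' . h($orderno) . "</h2>\n"
         . '<input type="text" name="orderno" value="' . h($orderno) . '">';
}

// Defence in depth for the impact described above (session and cookie theft):
// with HttpOnly the session cookie is not readable from script, and SameSite
// limits its use in cross-site requests. Requires PHP 7.3 or later for the
// array form of session_set_cookie_params().
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => true,   // only sent over HTTPS; see the login finding
    ]);
    session_start();
}

// At the top of orderinfo.php:
// startHardenedSession();
// echo renderOrderHeaderSafe($_GET['orderno'] ?? '');
```

The same output encoding also closes the frame-injection finding later in this report, since an injected frame tag is reflected markup of the same kind.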


URL: http://10.100.4.50/testcrm/

Vulnerability: Unencrypted Login Request
Risk: Medium
Potential Security Issue: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted.
Technical Description: During the application test, it was detected that an unencrypted login request was sent to the server. Since some of the input fields used in a login process (for example: usernames, passwords, etc.) are personal and sensitive, it is recommended that they should be sent to the server over an encrypted connection.
Fix Recommendations: Make sure that all login requests are sent encrypted to the server (e.g. SSL).
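An added example, not code from the report or from the CRM, of enforcing this recommendation inside login-exec.php itself: a clear-text login request is refused and redirected to the HTTPS form, and HTTPS requests receive an HSTS header. APP_HOST, the login form path and the trusted-proxy list are assumptions; the web server is assumed to already serve the application over HTTPS.

```php
<?php
// Added example, not code from the report or from the CRM. APP_HOST and the
// login form path are assumed; the web server is assumed to already serve
// the application over HTTPS.
const APP_HOST  = 'crm.example.internal';   // assumed canonical host name
const LOGIN_URL = 'https://' . APP_HOST . '/testcrm/login.php';

// True when the request arrived over TLS. A TLS-terminating proxy is only
// believed about X-Forwarded-Proto when it is one of the listed addresses,
// since any client can send that header itself.
function requestIsHttps(array $server, array $trustedProxies = []): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    $proto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https'
        && in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
}

// Placed before any credential is read in login-exec.php. A clear-text POST
// is not processed and not replayed: the credentials it carried have already
// crossed the network, so the only safe action is to discard the request and
// send the browser to the HTTPS form. On HTTPS requests, HSTS tells the
// browser to use HTTPS for every later request to this host.
function enforceHttpsLogin(array $server, array $trustedProxies = []): void
{
    if (requestIsHttps($server, $trustedProxies)) {
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    header('Location: ' . LOGIN_URL, true, 303);
    exit;
}

enforceHttpsLogin($_SERVER);
```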


URL: http://10.100.4.50/testcrm/

Vulnerability: Phishing Through Frames
Risk: Medium
Potential Security Issue: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number etc.
Technical Description: It is possible for an attacker to inject a frame or an iframe tag with malicious content which resembles the attacked site. An incautious user may browse it and not realize that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to log in again, thus acquiring his login credentials. The fact that the fake site is embedded in the original site helps the attacker by giving his phishing attempts a more credible appearance.
Fix Recommendations: It is advised to filter out all the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)


URL: http://10.100.4.50/testcrm/

Vulnerability: Directory Listing Enabled
Risk: Low
Potential Security Issue: It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files.
Technical Description: If the web server was configured improperly, it is possible to retrieve a directory listing by sending a request for a specific directory, rather than for a file.
Fix Recommendations:
[1] Configure the web server to deny listing of directories.
[2] Download a specific security patch according to the issue existing on your web server or web application.


Conclusion
On the basis of the penetration testing carried out on your web application, it can be concluded that the web application does contain vulnerabilities.

Recommendation
High and Medium level vulnerabilities should be patched on priority.
