1 Web Application VAPT

1.1.1 Database Takeover due to disclosure of environment file in Multiple Web Applications
Severity: Critical (Threat: Critical, Vulnerability: Critical, Impact: Critical)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
HRMIS Web Application (Public) | https://hrmis.nia.gov.np | Unauthenticated | External | https://hrmis.nia.gov.np/.env
Vacancy Web Application (Public) | https://vacancy.nia.gov.np | Unauthenticated | External | https://vacancy.nia.gov.np/.env
Condition: It was observed that the HRMIS and Vacancy Web Applications were disclosing their “.env” file, which contains critical information such as the MySQL database name, username and plaintext password; this allowed us to take over the database.
It was also observed that the HRMIS and Vacancy web applications' database service (port 3306) was accessible from the internet.
An .env file (short for "environment") is a configuration file commonly used in web development to store sensitive information such as API keys, database credentials, and other environment-specific settings.
Proof of Concept
Figure: Environment file (.env) accessible publicly that discloses database name, username and plaintext password in HRMIS Web Application
Figure: Environment file (.env) accessible publicly that discloses database name, username and plaintext password in Vacancy Web Application
Figure: Accessing the MySQL DBMS of HRMIS Web Application using the credentials disclosed in the environment file
Figure: Existing databases in HRMIS Web Application's MySQL DBMS
Figure: Employee and vendor details and their personal information
Figure: Database usernames and their hashed credentials
Criteria: As per best practice, the “.env” file should not be disclosed and should be securely configured, as it contains sensitive data such as database credentials and secret keys.
Additionally, the database service should be accessible only to the parties concerned (such as the database administrator, the web application or the intranet).
Impact: An attacker can:
i Access the MySQL DBMS to completely take over the information within the databases.
ii Steal sensitive data such as usernames, their encrypted passwords, email addresses, phone numbers, salary details or personally identifiable information (PII) such as citizenship numbers, for identity theft or financial fraud.
iii Modify or delete data within the database, potentially causing data loss or damage to the affected organization.
iv Use the compromised database to pivot to other systems or databases on the network, potentially leading to further compromise of sensitive information.
Recommendation: It is recommended to restrict access to sensitive files by configuring the web server properly to prevent unauthorized access. In addition, access to the database service should be blocked from the internet and allowed from the concerned hosts only.
References: A05: Security Misconfiguration
Management Response:
1.1.2 Unrestricted File Upload vulnerability in HRMIS Web Application
Severity: High (Threat: High, Vulnerability: Critical, Impact: Critical)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Authenticated | Internal | http://192.168.0.65:8081/erp/news-list
Condition: We observed that the HRMIS Web Application contains a feature intended to upload image files (jpg, png, gif) as attachments on its announcements page. However, the feature allowed uploading arbitrary files without any validation, which is known as an unrestricted file upload vulnerability. We were therefore able to upload files with extensions such as .pdf, .html, .php, .svg and so on, carry out attacks such as Remote Code Execution (RCE) and Stored Cross-Site Scripting (XSS), and gain complete control over the operating system hosting the application.
Unrestricted file upload occurs when an application fails to verify the contents of an uploaded file, allowing an attacker to upload a malicious file to the web server or application.
Remote code execution refers to the ability of an attacker to execute code on a victim's system from a remote location, potentially giving the attacker complete control over the system.
Proof of Concept
Figure: Unrestricted file upload: Uploading a normal image file as an attachment for an announcement
Figure: Unrestricted file upload: Intercepting the request in Burp Suite
Figure: Unrestricted file upload: Modifying the content type and file extension and uploading a PHP reverse shell payload through Burp Suite
Figure: Unrestricted file upload: File uploaded successfully
Figure: Unrestricted file upload: Listening with netcat, executing the file in the browser and gaining remote code execution
Figure: Unrestricted file upload: Attacker logged in as administrator user on the server
Figure: Unrestricted file upload: System information of the compromised server
Figure: Unrestricted file upload: Accessing files and directories of the compromised server
Figure: Unrestricted file upload: Uploading an .html file with XSS payload as an attachment for an announcement
Figure: Unrestricted file upload: File uploaded successfully
Figure: Unrestricted file upload: XSS payload executed while viewing the file in a new tab
Criteria: Under the OWASP Security Knowledge Framework, the application should only allow (whitelist) files of definite extensions and contents.
Impact: An attacker can:
i Modify the requests to upload malicious PHP scripts and execute attacks such as remote code execution.
ii Gain complete control over the target system.
iii Use the compromised system as a foothold to spread malware or launch attacks against other systems on the network.
iv Upload .html files to execute client-side attacks such as Stored XSS (Cross-Site Scripting).
v Craft phishing pages that look like a legitimate page to steal user credentials.
Recommendation: It is recommended to:
i Validate the file extension and block those extensions that are not required by the application, i.e., whitelist the file extensions.
ii Change the storage location of uploaded files to a location that does not have any “execute” permission.
iii Validate the contents of the uploaded file to ensure that it is an image before proceeding with the upload process.
References: O: Unrestricted File Upload
Management Response:
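As an added example (not the report's or the HRMIS application's own code), the following Python validator implements the three recommendations above: an extension allowlist, a content check on the file's leading bytes that ignores the client-supplied Content-Type (which the proof of concept rewrote in Burp Suite), and a server-chosen name under a directory outside the web root. The directory path and all function names are assumptions.

```python
import os
import secrets

# Allowlist of the image types the announcements page needs (jpg, png, gif per the
# finding), each mapped to the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Assumed storage directory: outside the document root and configured without
# execute permission, so a file that slips through still cannot run as PHP.
UPLOAD_DIR = "/var/hrmis/uploads"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted extension for this upload or raise UploadRejected.

    The client-sent Content-Type header is deliberately not an input: the PoC
    shows it being rewritten in Burp Suite, so only the name and the bytes
    themselves are examined.
    """
    base = os.path.basename(filename)  # drop any directory components
    if not base or base.startswith("."):
        raise UploadRejected("missing name or dotfile")
    parts = base.lower().split(".")
    if len(parts) != 2:  # also rejects double extensions such as x.php.jpg
        raise UploadRejected("exactly one extension is required")
    ext = "." + parts[1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        raise UploadRejected("extension %s is not allowed" % ext)
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content is not a %s image" % ext)
    # Defence in depth against image/script polyglots: no server- or
    # client-side script markers anywhere in the payload.
    if b"<?php" in data or b"<script" in data.lower():
        raise UploadRejected("script marker found inside image data")
    return ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def stored_path(ext: str) -> str:
    """Server-chosen random name under UPLOAD_DIR; the original name never hits disk."""
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)
```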
4.2.7 Reflected Cross Site Scripting (XSS) vulnerability in HRMIS Web Application
Severity: Low (Threat: Medium, Vulnerability: Medium, Impact: High)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Authenticated | Internal | http://192.168.0.65:8081/erp/todo-list
Condition: It was observed that the “Todo” items section of the HRMIS Web Application feeds user input directly into the response without sanitizing it, resulting in reflected Cross-Site Scripting.
Reflected Cross-Site Scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Proof of Concept
Figure: Reflected Cross-Site Scripting: Injecting XSS payload in the Todo items section of HRMIS Web Application
Figure: Reflected Cross-Site Scripting: XSS payload successfully executed in HRMIS Web Application
Criteria: Under the OWASP Security Knowledge Framework, all input fields should be sanitized before being sent in the HTTP response.
Impact: An attacker can:
i Inject client-side script into the website's content, which could then be used to launch social engineering attacks.
ii Hijack a user session and log into the account to collect information.
Recommendation: It is recommended to:
i Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
ii Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
iii Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
iv Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
References: A03: Injection
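Recommendations ii to iv above, worked through in Python as an added example (not the report's or the HRMIS application's own code): the Todo item value is encoded differently for an HTML attribute, an element body and a JavaScript string, and the response carries the Content-Type, X-Content-Type-Options and CSP headers. The markup layout and the function names are assumptions.

```python
import html
import json

# Headers from recommendations iii and iv: a definite content type and charset,
# no MIME sniffing, and CSP as the last line of defence against inline script.
SAFE_HTML_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}


def encode_html(value: str) -> str:
    """Encode for an HTML element body or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def encode_js(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> element.

    json.dumps quotes and backslash-escapes the value; the extra replacement keeps
    a value containing '</script>' from terminating the element early, which
    plain JSON encoding alone would not prevent.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_todo_item(title: str, note: str) -> str:
    """Build the Todo item markup with each user-controlled value encoded for the
    context it lands in: attribute, element body, and JavaScript string."""
    return (
        '<li class="todo" title="%s">%s</li>\n' % (encode_html(title), encode_html(title))
        + "<script>var lastNote = %s;</script>" % encode_js(note)
    )


def html_response(body: str):
    """Pair a rendered body with the hardened headers as (status, headers, body)."""
    return 200, dict(SAFE_HTML_HEADERS), body
```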
4.2.8 Rate Limiting was not implemented in Multiple Web Applications
Severity: Low (Threat: High, Vulnerability: Medium, Impact: Medium)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
Airmark Web Application (UAT) | http://192.168.0.65:8080 | Unauthenticated | Internal | http://192.168.0.65:8080
Exam Web Application | https://exam.nia.gov.np | Unauthenticated | External | https://exam.nia.gov.np
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Unauthenticated | Internal | http://192.168.0.65:8081
IRMIS Web Application (UAT) | http://10.5.19.225:2010 | Unauthenticated | Internal | http://10.5.19.225:2010
Condition: We observed that multiple web applications (Airmark, Exam, HRMIS and IRMIS) did not limit repeated login attempts, making them prone to brute force attacks. An attacker could use this condition to execute brute force attacks and disclose user credentials.
Rate limiting is a security measure that restricts the rate at which requests can be made to a server or application. This helps to prevent attacks such as Denial-of-Service (DoS) and brute-force attacks by limiting the number of requests that can be made in a given time period.
Proof of Concept
Figure: Login Credentials can be Brute Forced in Airmark Web Application
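The finding describes rate limiting only in general terms. As an added example (not the report's or any assessed application's code), here is a Python sliding-window limiter for login failures keyed by both account and source address, with an injectable clock so the lockout can be exercised deterministically; the thresholds and the `check_password` callback are assumptions.

```python
import time
from collections import deque


class LoginRateLimiter:
    """Sliding-window limiter for login failures, tracked per account and per IP.

    The account bucket slows password spraying against one user from many
    addresses; the IP bucket slows one address guessing across many users.
    After `max_attempts` failures inside `window_seconds`, the key is locked
    for `lockout_seconds` even if a later guess would have been correct.
    """

    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock          # injectable so tests can advance time
        self.failures = {}          # key -> deque of failure timestamps
        self.locked_until = {}      # key -> time at which the lockout ends

    def _recent(self, key, now):
        """Failures for `key` still inside the window (older ones are dropped)."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, username: str, ip: str) -> bool:
        now = self.clock()
        for key in ("user:" + username.lower(), "ip:" + ip):
            if self.locked_until.get(key, 0) > now:
                return True
            if len(self._recent(key, now)) >= self.max_attempts:
                self.locked_until[key] = now + self.lockout
                return True
        return False

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        for key in ("user:" + username.lower(), "ip:" + ip):
            self._recent(key, now).append(now)

    def record_success(self, username: str, ip: str) -> None:
        # Clear only the account bucket; the IP bucket keeps counting so a source
        # that guessed its way in is still throttled against other accounts.
        self.failures.pop("user:" + username.lower(), None)
        self.locked_until.pop("user:" + username.lower(), None)


def login(limiter, check_password, username, password, ip):
    """Gate the credential check behind the limiter: 'locked', 'ok' or 'failed'.
    'locked' is returned before the password is checked and looks the same
    whether or not the account exists, so it leaks nothing about either."""
    if limiter.is_blocked(username, ip):
        return "locked"
    if check_password(username, password):
        limiter.record_success(username, ip)
        return "ok"
    limiter.record_failure(username, ip)
    return "failed"
```

In production the two dictionaries would live in a shared store so every application node sees the same counts.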
4.2.9 Session Fixation vulnerability in Multiple Web Applications
Severity: Low (Threat: Medium, Vulnerability: Medium, Impact: High)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
Airmark Web Application (UAT) | http://192.168.0.65:8080 | Authenticated | Internal | http://192.168.0.65:8080
Exam Web Application | https://exam.nia.gov.np | Authenticated | External | https://exam.nia.gov.np/master
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Authenticated | Internal | http://192.168.0.65:8081
IRMIS Web Application (UAT) | http://10.5.19.225:2010 | Authenticated | Internal | http://10.5.19.225:2010
Condition: We observed that multiple web applications did not handle sessions properly. The Airmark, Exam, HRMIS, and IRMIS web applications allowed multiple sessions to run simultaneously, such that a password change in one session did not invalidate the user's other active sessions.
Session Fixation is an attack that permits an attacker to hijack a valid user session. Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Proof of Concept
Figure: Session Fixation in Airmark Web Application: Session 1 was not logged out although the password was changed in Session 2
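As an added example (not the report's or the assessed applications' code), the Python session store below shows the two behaviours the finding calls for: a fresh session ID is issued on login so a pre-authentication ID never becomes an authenticated one, and a password change revokes every other session of the account. `USER_STORE` and `store_password_hash` are stand-ins for the real user table.

```python
import secrets

USER_STORE = {}  # constructed stand-in for the user table: user -> password hash


def store_password_hash(user: str, password_hash: str) -> None:
    """Persist the new credential; a stand-in for the real user store."""
    USER_STORE[user] = password_hash


class SessionStore:
    """In-memory session store. Each session records the credential 'generation'
    of its user at creation; a password change bumps the generation, so every
    session created before it is rejected the next time it is presented."""

    def __init__(self):
        self.sessions = {}    # session_id -> {"user": str, "gen": int}
        self.generation = {}  # user -> current credential generation

    def login(self, user: str, pre_auth_session_id=None) -> str:
        """Issue a fresh ID on authentication. Whatever ID the client carried before
        logging in is discarded, which is the standard session-fixation fix."""
        if pre_auth_session_id is not None:
            self.sessions.pop(pre_auth_session_id, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "gen": self.generation.get(user, 0)}
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is live only if it was created under the user's current generation."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if s["gen"] != self.generation.get(s["user"], 0):
            del self.sessions[sid]  # stale: created before the last password change
            return False
        return True

    def active_sessions(self, user: str) -> int:
        """Number of sessions of `user` that would still be accepted."""
        current = self.generation.get(user, 0)
        return sum(1 for s in self.sessions.values()
                   if s["user"] == user and s["gen"] == current)

    def change_password(self, sid: str, new_password_hash: str) -> str:
        """Change the password from session `sid`. Every other session of the user is
        logged out (lazily, via the generation check) and the caller receives a new
        session ID, which is returned."""
        if not self.is_valid(sid):
            raise PermissionError("not authenticated")
        user = self.sessions[sid]["user"]
        store_password_hash(user, new_password_hash)
        self.generation[user] = self.generation.get(user, 0) + 1
        return self.login(user)  # the only session at the new generation
```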
4.2.11 Improper Error Handling in Multiple Web Applications
Severity: Low (Threat: Low, Vulnerability: Low, Impact: Medium)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
Airmark Web Application (UAT) | http://192.168.0.65:8080 | Authenticated | Internal | http://192.168.0.65:8080/public/admin/insurances/38; http://192.168.0.65:8080/public/admin/insurances/38#share; http://192.168.0.65:8080/public/admin/insurances/38#context-request-body; http://192.168.0.65:8080/admin/admins/533; http://192.168.0.65:8080/public/admin/NIA-import; http://192.168.0.65:8080/public/admin/insurance-import; http://192.168.0.65:8080/admin/password/email; http://192.168.0.65:8080/admin
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Unauthenticated | Internal | http://192.168.0.65:8081/app/config/Database.php
Exam Web Application | https://exam.nia.gov.np | Unauthenticated | External | https://exam.nia.gov.np/home
Exam Web Application | https://exam.nia.gov.np | Authenticated | External | https://exam.nia.gov.np/Examiner/index
Vacancy Web Application | https://vacancy.nia.gov.np | Unauthenticated | External | https://vacancy.nia.gov.np/app/config/Database.php; https://vacancy.nia.gov.np/system/CLI/CLI.php
Condition: We observed that multiple web applications (Airmark, HRMIS, Exam, and Vacancy) did not use a proper page for displaying errors; as a result, sensitive data such as server information, cookies, database commands, stack traces, full paths, etc. were disclosed.
Airmark Web Application discloses full path, session tokens, Laravel version, PHP version, database information and stack trace.
HRMIS Web Application discloses full path information.
Exam Web Application discloses web framework (ASP.NET) information and stack trace.
Vacancy Web Application discloses full path information.
Improper Error Handling occurs when an error message displayed to the end user provides clues about how an application or website operates. It occurs mostly when debugging mode is enabled in the application.
Proof of Concept
Figure: Improper error handling: Airmark Web Application discloses full path information and stack trace
Figure: Improper error handling: Airmark Web Application discloses cookies and session token
Figure: Improper error handling: Airmark Web Application discloses Laravel and PHP version
Figure: Improper error handling: Airmark Web Application discloses database query information
Figure: Improper error handling: HRMIS Web Application discloses full path information
Figure: Improper error handling: Exam Web Application discloses web framework (ASP.NET) name
Figure: Improper error handling: Exam Web Application discloses stack trace
Figure: Improper error handling: Vacancy Web Application discloses full path information
Criteria: As per best practice, if the web application encounters any error, it should redirect to a generic error page that does not contain any sensitive information.
Impact: An attacker can:
i Gain information about the internal structure of the web server.
ii Use the information obtained from this step for post-exploitation.
Recommendation: It is recommended to:
i. Configure the web server to suppress any exceptions that may arise and return a generic error page.
ii. Disable debug mode, as this feature may disclose information when an error occurs.
References: A04: Security Misconfiguration
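The two recommendations above as an added Python example (not the report's or any assessed application's code): a boundary handler that logs the stack trace server-side under a random reference and returns a generic page, with a `debug` switch that shows the weak behaviour for contrast, plus a QA check for the kinds of detail this finding observed on error pages. Function names and the marker list are assumptions.

```python
import html
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

GENERIC_BODY = "<h1>Something went wrong</h1><p>Reference: {ref}</p>"
HEADERS = {"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"}


def handle_request(handler, debug: bool = False):
    """Run `handler()` and turn any exception into a (status, headers, body) tuple.

    The stack trace, file paths and query text reach only the server log, tagged
    with a random reference that is also shown to the user so support can
    correlate the report without the page revealing internals. `debug` mirrors a
    framework debug switch (recommendation ii): it must be False in production.
    """
    try:
        return handler()
    except Exception:  # boundary handler: anything uncaught becomes a generic 500
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        if debug:
            # Development only: the full trace in the response is exactly what
            # the finding observed on the affected applications.
            body = "<pre>%s</pre>" % html.escape(traceback.format_exc())
        else:
            body = GENERIC_BODY.format(ref=ref)
        return 500, dict(HEADERS), body


def leaks_internals(body: str) -> bool:
    """QA heuristic: does a body contain the kinds of detail found on the error pages
    in this finding (paths, stack frames, SQL, framework and PHP versions)?"""
    markers = ("Traceback", "Stack trace", "/var/www", "Laravel", "PHP Version",
               "SELECT ", "Server Error in")
    return any(m in body for m in markers)
```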
4.2.13 HTTP Strict Transport Security (HSTS) was not Implemented in Multiple Web Applications
Severity: Low (Threat: Low, Vulnerability: Low, Impact: Low)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
Airmark Web Application (Public) | http://airmark.nia.gov.np | Unauthenticated | External | http://airmark.nia.gov.np
NIA Official Website | http://nia.gov.np | Unauthenticated | External | http://nia.gov.np
Condition: We observed that the Official Website and the Airmark Web Application did not implement HTTP Strict Transport Security (HSTS). HTTP requests to the respective web applications were not redirected to secure connections over HTTPS. This allows an attacker to perform several types of attacks, such as MiTM and protocol downgrade attacks, that could be used to steal sensitive information transferred between the user's browser and the web server.
HSTS (HTTP Strict Transport Security) is a security feature that instructs web browsers to only communicate with a website over HTTPS, even if the user types in an HTTP URL or follows an HTTP link.
Proof of Concept
Figure: HSTS not implemented in Airmark Web Application
Criteria: Under the OWASP security framework, the HSTS header must be used to prevent the web application from establishing connections to the servers using unencrypted HTTP.
Impact: An attacker can:
i Downgrade the protocol and establish a connection over plain HTTP.
ii Execute SSL stripping attacks.
iii Perform sniffing attacks.
Recommendation: It is recommended to:
i Configure the web server to redirect HTTP requests to HTTPS.
ii Ensure that all requested resources use only TLS with a well-formed HSTS header.
References: A05: Security Misconfiguration
4.2.12 Clickjacking vulnerability in Multiple Web Applications
Severity: Low (Threat: Low, Vulnerability: Low, Impact: Low)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
NIA Official Website | https://nia.gov.np | Unauthenticated | External | https://nia.gov.np
Account Web Application | https://accounts.nia.gov.np | Unauthenticated | External | https://accounts.nia.gov.np
Airmark Web Application | http://192.168.0.65:8080 | Unauthenticated | Internal | http://192.168.0.65:8080
HRMIS Web Application | http://192.168.0.65:8081 | Unauthenticated | Internal | http://192.168.0.65:8081
Vacancy Web Application | https://vacancy.nia.gov.np | Unauthenticated | External | https://vacancy.nia.gov.np
Condition: We observed that multiple web applications were vulnerable to clickjacking. A malicious user or attacker can trick a user into clicking a webpage element that is invisible or disguised as another element, usually by means of an HTML ‘iframe’ tag.
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page.
Figure: Clickjacking vulnerability in Airmark Web Application
Figure: Clickjacking vulnerability in HRMIS Web Application
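One Python example, added here and not taken from the report or any assessed application, serving both finding 4.2.13 (redirect HTTP to HTTPS and send a well-formed HSTS header) and finding 4.2.12 (forbid framing): a redirect helper, the hardened header set, and an audit function that reports the weaknesses a response's headers exhibit. The one-year `max-age` threshold and the function names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # HSTS max-age in seconds; browser preload lists expect at least this


def enforce_https(method: str, url: str):
    """For a plain-HTTP request return (status, headers) redirecting to HTTPS, else None.

    301 lets browsers cache the redirect for GET/HEAD; 308 preserves the method
    and body for anything else. Only the scheme changes, so the Location can
    never point off-site.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    target = urlunsplit(("https",) + tuple(parts[1:]))
    status = 301 if method.upper() in ("GET", "HEAD") else 308
    return status, {"Location": target}


def hardening_headers(max_age: int = ONE_YEAR, include_subdomains: bool = True) -> dict:
    """Headers for every HTTPS response: HSTS (4.2.13) plus anti-framing (4.2.12)
    in both the legacy X-Frame-Options form and the CSP frame-ancestors form."""
    hsts = "max-age=%d" % max_age
    if include_subdomains:
        hsts += "; includeSubDomains"
    return {
        "Strict-Transport-Security": hsts,
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def audit_headers(headers: dict) -> list:
    """Return the weaknesses a response's headers exhibit as codes (empty list is good)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("hsts-missing")
    else:
        directives = {}
        for d in hsts.split(";"):
            name, _, value = d.strip().partition("=")
            directives[name.lower()] = value
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age makes the header ineffective
        if max_age < ONE_YEAR:
            problems.append("hsts-max-age-short")
        if "includesubdomains" not in directives:
            problems.append("hsts-no-subdomains")
    framed_by_csp = "frame-ancestors" in h.get("content-security-policy", "")
    xfo_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framed_by_csp and not xfo_ok:
        problems.append("framing-allowed")
    return problems
```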
4.2.6 Information Disclosure in Multiple Web Applications
Severity: Medium (Threat: Medium, Vulnerability: High, Impact: High)
Identification
Application Name | Application URL | Authenticated/Unauthenticated | Internal/External | Affected URL
NIA Official Website | https://nia.gov.np | Unauthenticated | External | https://nia.gov.np; https://nia.gov.np/wp-json/; https://nia.gov.np/wp-json/wp/v2/users/1; https://nia.gov.np/wp-json/wp/v2/pages/
Exam Web Application | https://exam.nia.gov.np | Unauthenticated | External | https://exam.nia.gov.np
Account Web Application | https://account.nia.gov.np | Unauthenticated | External | https://account.nia.gov.np
Vacancy Web Application | https://vacancy.nia.gov.np | Unauthenticated | External | https://vacancy.nia.gov.np; https://vacancy.nia.gov.np/public/assets/css/images/loading.html; https://vacancy.nia.gov.np/phpinfo.php; https://vacancy.nia.gov.np/spark; https://vacancy.nia.gov.np/php_errors.log; https://vacancy.nia.gov.np/composer.json; https://vacancy.nia.gov.np/.git/config; https://vacancy.nia.gov.np/.gitignore; https://vacancy.nia.gov.np/.git/logs/HEAD
IRMIS Web Application (Public) | https://irmis.nia.gov.np | Unauthenticated | External | https://irmis.nia.gov.np
IRMIS Web Application (UAT) | http://10.5.19.225:2010 | Unauthenticated | Internal | http://10.5.19.225:2010
HRMIS Web Application (Public) | https://hrmis.nia.gov.np | Unauthenticated | External | https://hrmis.nia.gov.np; https://hrmis.nia.gov.np/public/assets/css/images/loading.html; https://vacancy.nia.gov.np/phpinfo.php; https://vacancy.nia.gov.np/spark; https://vacancy.nia.gov.np/php_errors.log; https://vacancy.nia.gov.np/composer.json; https://vacancy.nia.gov.np/.git/config; https://vacancy.nia.gov.np/.gitignore; https://vacancy.nia.gov.np/.git/logs/HEAD
HRMIS Web Application (UAT) | http://192.168.0.65:8081 | Unauthenticated | Internal | http://192.168.0.65:8081; http://192.168.0.65:8081/php_errors.log; http://192.168.0.65:8081/spark
Airmark Web Application (Public) | https://airmark.nia.gov.np | Unauthenticated | External | https://airmark.nia.gov.np; https://airmark.nia.gov.np/phpinfo.php; https://airmark.nia.gov.np/php_errors.log
Airmark Web Application (UAT) | http://192.168.0.65:8080 | Unauthenticated | Internal | http://192.168.0.65:8080; http://192.168.0.65:8080/phpinfo.php; http://192.168.0.65:8080/php_errors.log
Condition: It was observed that:
NIA Official Website disclosed server information and the wp-json endpoint, along with several other API endpoints exposing sensitive information regarding users, pages and so on.
Exam Web Application disclosed server information and web development framework information in the HTTP response header.
Account Web Application disclosed server information and web development framework information in the HTTP response header.
Vacancy Web Application disclosed server information, PHP information, a spark file containing PHP source code, the PHP error log, and .git and .gitignore files.
IRMIS Web Application disclosed server information in the HTTP response header.
HRMIS Web Application disclosed server information, PHP information, a spark file containing PHP source code, the PHP error log, and .git and .gitignore files.
Airmark Web Application disclosed server information, PHP information and the PHP error log file.
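Findings 1.1.1 and 4.2.6 both come down to files that should never be reachable under a document root (.env, .git, phpinfo.php, php_errors.log, composer.json, spark, app/config/Database.php). As an added example (not the report's or any assessed application's code), the Python audit below walks a docroot and reports such files so they can be removed or denied before deployment; the path list, reasons and sample tree are constructed for this example.

```python
import os
import tempfile

# Paths the report found reachable under document roots (1.1.1 and 4.2.6), relative
# to the docroot. Each should be deleted, moved above the docroot, or denied in the
# web server configuration; the reason strings say why.
SENSITIVE_PATHS = {
    ".env": "environment file with database credentials",
    ".git": "repository metadata (.git/config, .git/logs/HEAD)",
    ".gitignore": "repository layout hints",
    "phpinfo.php": "PHP configuration and version disclosure",
    "php_errors.log": "PHP error log with full paths and queries",
    "composer.json": "dependency list with versions",
    "spark": "CodeIgniter CLI entry point exposing PHP source",
    "app/config/Database.php": "framework database configuration",
}


def audit_docroot(docroot: str) -> dict:
    """Walk a document root and return {relative_path: reason} for each hit.

    Matching is by path, not content, so it is cheap enough for a CI step or a
    deploy hook. A sensitive directory such as .git is reported once and not
    descended into; stray .log files and .env.* variants are flagged as well.
    """
    hits = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/"
        for name in list(dirnames):
            rel = rel_dir + name
            if rel in SENSITIVE_PATHS:
                hits[rel] = SENSITIVE_PATHS[rel]
                dirnames.remove(name)  # prune: one report per sensitive directory
        for name in filenames:
            rel = rel_dir + name
            if rel in SENSITIVE_PATHS:
                hits[rel] = SENSITIVE_PATHS[rel]
            elif name.endswith(".log") or name.startswith(".env"):
                hits[rel] = "log file or environment file variant"
    return hits


def build_sample_docroot() -> str:
    """Constructed sample tree (not a real deployment) shaped like the findings."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in (".env", "phpinfo.php", "php_errors.log", "index.php",
                ".git/config", ".git/logs/HEAD", "app/config/Database.php",
                "public/assets/css/style.css"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample content\n")
    return root
```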