FPT SOFTWARE
1
Public
SECURITY ASSESSMENT REPORT
Target Application: TIKTOK CLONE
Report by: Lam Dan Huy
Submitted to: Mr. Ho Duc Hanh (HanhHD4)
Date: 18/11/2024
INDEX
1. Executive Summary ... 3
1.1 Purpose of the Assessment ... 3
1.2 Key Recommendations ... 3
2. Scope and Testing Objectives ... 4
2.1 Scope ... 4
2.2 Testing Objectives ... 4
3. Detailed Results ... 5
3.1 Summary of Vulnerabilities ... 5
3.2 List of Detected Vulnerabilities ... 6
3.2.1 DOM Data Manipulation (DOM-based) ... 6
3.2.2 Lack of CAPTCHA and Login Protection Mechanisms ... 7
3.2.3 Insecure Content-Encoding Configuration ... 9
3.2.4 Missing HTTP Security Headers ... 11
3.2.5 Permissions-Policy ... 11
3.2.6 X-Content-Type-Options ... 12
4. Remediation and Recommendations ... 12
4.1 General Recommendations ... 12
4.2 Specific Mitigation Strategies ... 12
5. Conclusion ... 13
6. Appendixes ... 13
6.1 Tools Used ... 13
6.2 References ... 13
1. Executive Summary
1.1: Purpose of the Assessment:
This security assessment report documents findings, analysis, and recommendations
obtained from a detailed evaluation of the security posture of the web application
hosted at [https://top-top-rho.vercel.app].
The website is built on the Vercel platform, a dynamic environment designed for
content sharing, resembling social media applications like TikTok. Key features
include enabling users to upload and share video and image content, as well as
manage personal profiles, such as updating names, bios, and other details.
The target audience appears to include individual professionals, content creators, and
organizations seeking efficient public profile management.
The assessment evaluated the website’s primary components, including the user
interface (UI), backend (application logic and database interactions), and hosting
environment. It also considered dependencies and integrations, such as frameworks,
libraries, and external services.
1.2: Key Recommendations:
The objective of this security assessment was to evaluate the web application's
security posture. The assessment was designed to identify potential vulnerabilities,
analyze associated risks, and provide actionable recommendations
to enhance the application’s security.
Key goals of this assessment include:
• Identifying vulnerabilities that could compromise the confidentiality, integrity,
and availability of user data and the application.
• Simulating potential attack vectors.
• Providing feasible recommendations to mitigate identified risks and improve
overall security.
2. Scope and Testing Objectives:
2.1: Scope:
Website Name: TikTok Clone
URL: https://top-top-rho.vercel.app/
Description: The website is a social media platform that mimics TikTok's core
functionality, allowing users to create and share visual content such as videos and
images. It includes several features:
o Secure login and registration functionality.
o Uploading, editing, and sharing multimedia content with others.
o Personalizing user profiles by adding profile pictures, editing bios, and
managing other personal details.
o Features like liking, commenting, following, and interacting with other users’
content.
2.2: Testing Objectives:
Critical Risk (9.0–10.0):
Mitigation Plan:
o Immediately patch or fix vulnerabilities.
o Enhance monitoring and alert systems to detect active threats.
o Conduct a comprehensive code review and security testing for affected
components.
High Risk (7.0–8.9):
Mitigation Plan:
o Apply security updates and configuration changes promptly.
o Implement compensating controls, such as firewall rules or access restrictions,
to reduce exposure.
o Strengthen logging and auditing to detect potential exploitation attempts.
Medium Risk (4.0–6.9):
Mitigation Plan:
o Address vulnerabilities in the next development cycle or
during scheduled maintenance.
o Conduct further risk assessments to evaluate potential impacts in specific
scenarios.
o Educate users or administrators on safety measures to mitigate risks.
Low Risk (1.0–3.9):
Mitigation Plan:
o Monitor for changes in exploitability or risk levels.
o Address during planned updates if resources permit.
o Document as part of ongoing risk management processes.
Informational (0):
Action:
o No immediate action required but continue monitoring for potential changes.
3. Detailed Results:
3.1 Summary of Vulnerabilities
The security assessment identified vulnerabilities across three main categories:
• Medium Impact: A total of 4 vulnerabilities were found related to missing HTTP security
headers.
• High Impact: 1 vulnerability was identified related to insecure configurations.
• Critical Impact: 1 critical vulnerability was discovered.
The table below presents a comprehensive list of findings along with their corresponding
severity levels.
Impact    Finding ID  Vulnerability                                                     Identified  Status  Percent
CRITICAL  1           Critical Issues (e.g., CAPTCHA/Login Protection, SQL Injection)   1           Open    16.67%
HIGH      2           Insecure Configurations (e.g., Content-Encoding, CORS Policies)   1           Open    16.67%
MEDIUM    3           Missing HTTP Security Headers (e.g., HSTS, Permissions-Policy)    4           Open    66.66%
LOW       4           DOM Data Manipulation
3.2: List of Detected Vulnerabilities:
3.2.1: DOM Data Manipulation (DOM-based): Medium
Issue Details:
➢ The application may be vulnerable to DOM-based data manipulation. Data is read from
location.href and passed to history.replaceState.
Issue Context:
➢ DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the
DOM (e.g., URL) and processes this data in an unsafe manner.
➢ DOM data manipulation occurs when a script writes controllable data to a DOM field used in the
visible UI or client-side application logic.
➢ Attackers can exploit this vulnerability by creating a URL that, when accessed by other users,
modifies the UI's appearance or behavior on the client side. This could allow attackers to perform
virtual defacement of the application or cause users to take unintended actions.
➢ Burp Suite automatically identified this issue using dynamic and static code analysis. Static
analysis might lead to false positives that are not exploitable in practice. If Burp Scanner does not
provide evidence from dynamic analysis, you should review the relevant code and execution paths to
verify whether the vulnerability exists or whether mitigation measures have been applied to prevent
exploitation.
Issue Remediation:
➢ The most effective way to prevent DOM-based data manipulation vulnerabilities is to avoid
dynamically writing untrusted data into any DOM fields.
➢ If this behavior is unavoidable due to the application's functionality, defensive measures should be
implemented in the client-side code to prevent malicious data from being stored.
➢ The best approach is typically to use a whitelist of allowed values.
References:
➢ DOM-data manipulation | Web Security Academy
https://portswigger.net/web-security/dom-based/dom-data-manipulation
Vulnerability Classification:
➢ CWE - CWE-20: Improper Input Validation (Version 4.16)
https://cwe.mitre.org/data/definitions/20.html
➢ CAPEC - CAPEC-153: Input Data Manipulation (Version 3.9)
https://capec.mitre.org/data/definitions/153.html
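The allowlist approach recommended above, shown as an added JavaScript example that is not code from the assessed application. The query parameter name `tab`, the allowed values and the helper names are assumptions chosen for illustration; the point is that only a fixed set of strings can ever reach history.replaceState, whatever a crafted link puts in location.href.

```javascript
// Added example (not code from the assessed application). The query parameter
// "tab" and the allowlisted values are assumptions chosen for illustration.

// Only these values may ever be written back into the URL / history state.
const ALLOWED_TABS = new Set(["feed", "following", "profile", "likes"]);
const DEFAULT_TAB = "feed";

// Reads the "tab" parameter out of a full URL (what location.href holds) and
// returns it only if it is allowlisted; anything else falls back to the default.
function selectTab(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return DEFAULT_TAB; // malformed href: never propagate it
  }
  const requested = url.searchParams.get("tab");
  return ALLOWED_TABS.has(requested) ? requested : DEFAULT_TAB;
}

// Builds the value that will be handed to history.replaceState. Because the
// tab name passed through selectTab, the output can only be one of a fixed
// set of strings, so a crafted link cannot smuggle arbitrary text into the
// address bar or into any code that later reads it back from the URL.
function safeHistoryPath(href) {
  return "/?tab=" + encodeURIComponent(selectTab(href));
}

// Browser-side glue that replaces the flagged pattern
//   history.replaceState(null, "", location.href)   // raw URL written back
// with the validated path. Guarded so the file also loads outside a browser,
// in which case it returns null and touches nothing.
function syncHistoryWithLocation() {
  if (typeof history === "undefined" || typeof location === "undefined") return null;
  const path = safeHistoryPath(location.href);
  history.replaceState(null, "", path);
  return path;
}
```

The same shape applies to any other URL-derived value the client writes into the DOM: parse, compare against a closed set, and fall back to a known-good default rather than trying to sanitise free text.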
3.2.2 Lack of CAPTCHA and Login Protection Mechanisms: Critical
Issue Details:
The login system of the TikTok Clone platform lacks critical protections against brute
force attacks, such as CAPTCHA or account lockout mechanisms. This absence allows attackers
to execute unlimited login attempts using automated tools to systematically guess valid user
credentials. This vulnerability poses a significant risk to both user account security and the
overall integrity of the platform.
Impact:
Brute force attacks can lead to:
• Attackers gaining control over user accounts, including those with administrative privileges.
• Access to personal user data and system information.
• Exploitation of compromised accounts to carry out malicious actions, potentially degrading
trust in the platform.
Reproduction Steps:
• First, the attacker navigates to the login page of the application.
• Then, they use automated tools or scripts to send a large number of username-
password combinations to the login endpoint. There are no restrictions, rate
limiting, or account lockouts, enabling rapid credential guessing.
Recommendations: To mitigate this vulnerability, the following steps should be implemented:
• Add a CAPTCHA or reCAPTCHA feature to detect and block automated
login attempts.
• Restrict the number of login attempts from a single IP address within a short period.
• Temporarily lock accounts after a predefined number of failed login attempts.
• Encourage or enforce Multi-Factor Authentication (MFA) for additional security.
• Record and monitor login attempts to detect unusual patterns or brute force attempts.
By applying these measures, the application will significantly reduce its exposure to brute
force attacks and enhance user account security.
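The rate-limiting, lockout and monitoring recommendations above, combined in one added JavaScript example that is not the platform's own code. The thresholds, the constructed credential and client address, and the injected verifyPassword and clock callbacks are assumptions for the walk-through; a production deployment would keep the counters in a shared store rather than in process memory.

```javascript
// Added example (not the platform's own code). Thresholds, the sample
// credentials and the verifyPassword callback are assumptions for the demo.

const MAX_ATTEMPTS_PER_IP = 10;       // attempts allowed per IP per window
const IP_WINDOW_MS = 60 * 1000;       // sliding window: 1 minute
const MAX_FAILURES_PER_ACCOUNT = 5;   // failures before the account locks
const LOCKOUT_MS = 15 * 60 * 1000;    // lockout duration: 15 minutes

// verifyPassword(username, password) -> boolean is supplied by the caller.
// now() is injectable so the behaviour can be tested with a fake clock.
function createLoginGuard(verifyPassword, now = () => Date.now()) {
  const ipAttempts = new Map();   // ip -> [timestamps of recent attempts]
  const accounts = new Map();     // username -> { failures, lockedUntil }
  const auditLog = [];            // every attempt, for monitoring/alerting

  function record(ip, username, outcome) {
    auditLog.push({ at: now(), ip, username, outcome });
  }

  function attempt(ip, username, password) {
    const t = now();

    // 1. Per-IP rate limit over a sliding window.
    const recent = (ipAttempts.get(ip) || []).filter((ts) => t - ts < IP_WINDOW_MS);
    recent.push(t);
    ipAttempts.set(ip, recent);
    if (recent.length > MAX_ATTEMPTS_PER_IP) {
      record(ip, username, "rate_limited");
      return { ok: false, reason: "rate_limited" };
    }

    // 2. Per-account lockout after repeated failures.
    const acct = accounts.get(username) || { failures: 0, lockedUntil: 0 };
    if (acct.lockedUntil > t) {
      record(ip, username, "locked");
      return { ok: false, reason: "locked" };
    }

    // 3. Only now check the credentials.
    if (verifyPassword(username, password)) {
      accounts.set(username, { failures: 0, lockedUntil: 0 });
      record(ip, username, "success");
      return { ok: true, reason: "success" };
    }
    acct.failures += 1;
    if (acct.failures >= MAX_FAILURES_PER_ACCOUNT) {
      acct.lockedUntil = t + LOCKOUT_MS;
      acct.failures = 0;
    }
    accounts.set(username, acct);
    record(ip, username, "failed");
    return { ok: false, reason: "invalid_credentials" };
  }

  return { attempt, auditLog };
}

// Monitoring helper: IPs whose number of non-successful outcomes reaches the
// threshold, the "unusual pattern" the report asks operators to watch for.
function suspiciousIps(auditLog, threshold) {
  const counts = new Map();
  for (const e of auditLog) {
    if (e.outcome === "success") continue;
    counts.set(e.ip, (counts.get(e.ip) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip]) => ip);
}

// Walk-through with a fake clock: five wrong guesses lock "alice", the correct
// password is refused while the lock holds, and succeeds once it has expired.
function demo() {
  let clock = 0;
  const guard = createLoginGuard(
    (user, pw) => user === "alice" && pw === "correct horse", // constructed credential
    () => clock
  );
  const ip = "198.51.100.7"; // constructed client address
  const results = [];
  for (let i = 0; i < 6; i++) {
    clock += 1000;
    results.push(guard.attempt(ip, "alice", "guess" + i).reason);
  }
  clock += 1000;
  results.push(guard.attempt(ip, "alice", "correct horse").reason);
  clock += LOCKOUT_MS;
  results.push(guard.attempt(ip, "alice", "correct horse").reason);
  return { results, flagged: suspiciousIps(guard.auditLog, 5) };
}
```

The reason codes are for the audit log only; the HTTP response to the client should be the same generic failure whether the account is locked, rate-limited or simply wrong, so that the guard itself does not reveal which usernames exist.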
3.2.3 Insecure Content-Encoding Configuration: High
Issue detail:
Nikto's scan results show that the server's Content-Encoding header is configured to use
deflate compression, which may make the application vulnerable to BREACH (Browser
Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) attacks. This
vulnerability arises when attackers exploit the combination of HTTP compression and HTTPS
encryption to infer sensitive information from compressed responses.
Impact: Compression-based attacks such as BREACH can lead to:
• Attackers retrieving confidential data, such as session cookies, CSRF tokens, or user
credentials, by analyzing response sizes.
• The security guarantees of HTTPS being undermined, as encrypted data is revealed.
• Sensitive user activity or authentication details being exposed.
Reproduction Steps:
• An attacker sends repeated requests to an endpoint containing sensitive data
(e.g., CSRF tokens or session cookies) with controlled variations in input.
• By analyzing changes in the size of the compressed responses, the attacker infers the content of
sensitive data.
• The attacker continues to refine input until they exfiltrate the desired sensitive information.
Recommendations:
• Configure the server to exclude responses containing sensitive information (e.g., CSRF tokens,
authentication cookies) from being compressed.
• Introduce dynamic values or random padding in sensitive data to disrupt size-based analysis.
• Add random padding to responses to equalize their sizes and prevent compression-based
inference.
• Use TLS implementations with built-in mitigation strategies for BREACH (e.g., disabling
HTTP-level compression while retaining safe alternatives).
• Continuously monitor server configurations and test for vulnerabilities using tools such as
Nikto or Nessus.
3.2.4 Missing HTTP Security Headers: Medium
Severity is calculated individually for each missing header.
During the scan of the TikTok Clone platform using the Nuclei tool (GitHub), several critical
HTTP security headers were found to be missing. These headers are essential for enhancing
the security of a web application by mitigating various attack vectors, such as cross-site
scripting (XSS), clickjacking, and information disclosure. Their absence exposes the
application to increased risk from potential attackers.
3.2.5 Permissions-Policy: Medium
Impact: Without this header, the application cannot restrict which browser features (e.g.,
geolocation, camera) are accessible to the page, increasing the risk of unauthorized access to
sensitive functionalities.
3.2.6 X-Content-Type-Options: Medium
Impact: Missing this header allows browsers to interpret files as a different MIME type than
declared, potentially enabling script execution attacks.
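The headers discussed in 3.2.4 to 3.2.6, as an added JavaScript example that is not the platform's configuration: a recommended header set, an audit function that reports which headers a response lacks or sets weakly, and the shape the Next.js headers() hook expects. The header values are general defaults rather than values from the report, the assumption that the clone is a Next.js app is mine, and the Permissions-Policy feature list must be adjusted to what the application really uses (for instance if it records video in the browser).

```javascript
// Added example (not the platform's configuration). Header values are
// reasonable defaults, not values taken from the report; the Permissions-Policy
// feature list in particular must be adjusted to what the app really uses.

const SECURITY_HEADERS = [
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Permissions-Policy", value: "geolocation=(), camera=(), microphone=()" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Per-header value checks: a header that is present but weak is reported too.
const VALUE_CHECKS = {
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 31536000; // at least one year
  },
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.trim().toLowerCase()),
};

// Audits a response's headers (object of name -> value, any casing) and
// returns which recommended headers are missing and which are present but weak.
function auditSecurityHeaders(responseHeaders) {
  const present = {};
  for (const [k, v] of Object.entries(responseHeaders)) present[k.toLowerCase()] = String(v);
  const missing = [];
  const weak = [];
  for (const { key } of SECURITY_HEADERS) {
    const name = key.toLowerCase();
    if (!(name in present)) {
      missing.push(key);
    } else if (VALUE_CHECKS[name] && !VALUE_CHECKS[name](present[name])) {
      weak.push(key);
    }
  }
  return { missing, weak };
}

// Shape expected by the headers() hook of a Next.js config, which Vercel
// applies to every matching route (assumption: the clone is a Next.js app;
// for another framework, emit the same key/value pairs from its middleware).
function nextHeadersConfig() {
  return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
}
```

Running auditSecurityHeaders over the headers a deployed page actually returns gives the same kind of finding the Nuclei scan produced, and can be kept as a regression check in the pipeline so a header does not silently disappear after a redeploy.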
4. REMEDIATION AND RECOMMENDATIONS
4.1 General Recommendations
To strengthen the security posture of the platform and mitigate the identified risks, the
following general recommendations are proposed:
• Adopt Comprehensive Security Policies:
o Develop and enforce security guidelines aligned with OWASP and NIST standards.
o Educate the development team on secure coding practices to prevent
vulnerabilities such as SQL injection and XSS.
• Continuous Monitoring:
o Implement a robust monitoring system that detects unusual activities in real time.
o Use Security Information and Event Management (SIEM) tools to analyze potential
threats.
• Regular Updates:
o Regularly update software dependencies and frameworks to minimize exposure to
known vulnerabilities.
• Penetration Testing:
o Conduct periodic penetration tests to proactively identify and address weaknesses.
4.2 Specific Mitigation Strategies
[The specific mitigation strategies for each vulnerability are already detailed within their
respective sections under the vulnerabilities discussed.
For further details, please refer to the vulnerability-specific recommendations in the
earlier sections of this report.]
5. CONCLUSION
Summary of Results
The assessment identified several vulnerabilities categorized into three severity levels:
• Critical: Lack of CAPTCHA (1 vulnerability).
• High: Missing HTTP Security Headers and improper content encoding (1 vulnerability).
• Medium: Issues like CORS misconfigurations and insecure MIME type handling
(4 vulnerabilities).
The distribution demonstrates the need for immediate attention to critical vulnerabilities
while also addressing high and medium risks to enhance the platform's security.
6. APPENDIXES
6.1 Tools Used
The security assessment utilized the following tools to identify vulnerabilities
and assess risks:
1. Nuclei
o Purpose: Scanned for missing HTTP security headers and other misconfigurations.
o Reference: Nuclei GitHub Repository
2. SQLMap
o Purpose: Detected SQL injection vulnerabilities through automated queries and analysis.
o Reference: SQLMap Official Website
3. Burp Suite
o Purpose: Provided both manual and automated tools for security testing, including web
application scanning, interception, and analysis.
o Reference: Burp Suite Official Website
4. Dirsearch: A command-line tool for enumerating directories and identifying unprotected
assets.
5. Nikto: A vulnerability scanner that scans web servers for dangerous files or CGIs,
outdated server software and other problems.
6.2 References
OWASP Web Security Testing Guide: OWASP Guide
NIST Cybersecurity Framework: NIST CSF
SQL Injection Mitigation Techniques: Logz.io SQL Injection Prevention
XSS Protection Strategies: PortSwigger XSS Guide
Nuclei Tool Documentation: Nuclei Documentation
Dirsearch User Guide: Dirsearch Guide