ACS-Admin Penetration Testing Report Modirum Oü: Vakhtang Mosidze October 2016

The ACS-Admin penetration testing report details the use of the Arachni scanner framework to identify security vulnerabilities in the Modirum application. The report highlights various types of security issues detected, including high severity findings such as misconfigurations and the absence of the HTTP Strict Transport Security header. Overall, the scan uncovered 13 high severity, 1 medium severity, 1 low severity, and 6 informational severity issues across over 700 scanned pages.

Uploaded by

marketvillage7
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
31 views21 pages

ACS-Admin Penetration Testing Report Modirum Oü: Vakhtang Mosidze October 2016

The ACS-Admin penetration testing report details the use of the Arachni scanner framework to identify security vulnerabilities in the Modirum application. The report highlights various types of security issues detected, including high severity findings such as misconfigurations and the absence of the HTTP Strict Transport Security header. Overall, the scan uncovered 13 high severity, 1 medium severity, 1 low severity, and 6 informational severity issues across over 700 scanned pages.

Uploaded by

marketvillage7
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

ACS-Admin penetration testing report

Modirum oü
Vakhtang Mosidze

October 2016

Introduction

To maintain system stability and be confident about security, we have implemented a nightly pen-testing engine.

The Arachni scanner framework is ranked one of the best in its class; it is able to run scans over a web application and create a full report about the issues found.

Currently the scanner is able to detect and test for the following security issues:

• Code injection (code_injection)

• Code injection (timing) (code_injection_timing)

• CSRF (csrf)

• File Inclusion (file_inclusion)

• Blind NoSQL Injection (differential analysis) (no_sql_injection_differential)

• OS command injection (os_cmd_injection)

• OS command injection (timing) (os_cmd_injection_timing)

• Path Traversal (path_traversal)

• Response Splitting (response_splitting)

• Remote File Inclusion (rfi)

• Session fixation (session_fixation)

• Source code disclosure (source_code_disclosure)

• SQL Injection (sql_injection)

• Blind SQL Injection (differential analysis) (sql_injection_differential)

• Blind SQL injection (timing attack) (sql_injection_timing)

• Unvalidated redirect (unvalidated_redirect)

• Unvalidated DOM redirect (unvalidated_redirect_dom)

• XPath Injection (xpath_injection)

• XSS (xss)

• DOM XSS (xss_dom)

• DOM XSS in script context (xss_dom_script_context)

• XSS in HTML element event attribute (xss_event)

• XSS in path (xss_path)

• XSS in script context (xss_script_context)

• XSS in HTML tag (xss_tag)

• XML External Entity (xxe)

Along with highly customisable plugins, a self-learning algorithm, and the possibility to manually train it and attach attack vectors found via the proxy server, this tool gives us the ability to test our application for all known attack types.

Used Methodology
By using the built-in proxy tool and the ability to manually scan the whole web site (because the automated scan does not recognise some input forms), I created a full list of all used forms and fields, which are fed to the scan engine along with a profile (which provides information about what type of attacks need to be used and what kind of platform is used by the web application). As our system is built on Tomcat/Java, I excluded scanning for Windows/IIS/PHP/ASP.

For now the scanner is triggered to run tests on the following platforms:

• unix
• linux
• bsd
• sql
• mysql
• oracle
• apache
• nginx
• tomcat
• java
• perl
• python
• ruby

And can provide scanning for:

• code_injection
• code_injection_timing
• csrf
• file_inclusion
• no_sql_injection_differential
• os_cmd_injection
• os_cmd_injection_timing
• path_traversal
• response_splitting
• rfi
• session_fixation
• source_code_disclosure
• sql_injection
• sql_injection_differential
• sql_injection_timing
• trainer
• unvalidated_redirect
• unvalidated_redirect_dom
• xpath_injection
• xss
• xss_dom
• xss_dom_script_context
• xss_event
• xss_path
• xss_script_context
• xss_tag
• xxe
• allowed_methods
• backdoors
• backup_directories
• backup_files
• captcha
• common_admin_interfaces
• common_directories
• common_files
• cookie_set_for_parent_domain
• credit_card
• cvs_svn_users
• directory_listing
• emails
• form_upload
• hsts
• htaccess_limit
• html_objects
• http_only_cookies
• http_put
• insecure_client_access_policy
• insecure_cookies
• insecure_cors_policy
• insecure_cross_domain_policy_access
• insecure_cross_domain_policy_headers
• interesting_responses
• mixed_resource
• origin_spoof_access_restriction_bypass
• password_autocomplete
• private_ip
• ssn
• unencrypted_password_forms
• webdav
• xst

A specially designed profile provides auto-login to password-protected content and allows the scanner to run inside the application. It should also be noted that this kind of test is a totally “white hat” test, since I have administrative rights to the application and know what platform/tools were used.

The total time of each scan in “sniper” mode for 3ds-admin is around 4 hours (10 streams), and for the “Heavy” scanner (with the autotrainer feature) about 6 hours to complete.

Scan initial setup data

Target               https://3ds-admin.ci.modirum.com/mdpayacs-admin/
Total scanned pages  >700
Used profile name    3ds_hv.afp
Used vector file     3ds.yml
Username             pentest
Password

The initialising script is:

#!/bin/bash

NOW=$(date +"%m-%d-%Yxls")

./arachni --profile-load-filepath=profiles/scan.afp https://3ds-admin.ci.modirum.com/mdpayacs-admin/ \
    --plugin=vector_feed:yaml_file=vectors/3ds.yml --report-save-path=reports/3dshv.$NOW.afr \
    && ./arachni_reporter reports/3dshv.$NOW.afr --report=html:outfile=reports/3dshv.$NOW.zip

Discovered issues

Type                    #
High severity           13
Medium severity         1
Low severity            1
Informational severity  6

Detailed information

High severity

A5 - Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Missing 'Strict-Transport-Security' header
The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards is used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests an HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.

Arachni discovered that the affected application is using HTTPS; however, it does not use the HSTS header.

Vector type HTTP method Action


server GET https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/21321321321321321321321321321321321321321321321321321321321321321321321321
32132132132132132132132132132121321321321321321321321321321321321321321321321321321321
32132132132132132132132132132132132132132132132113213213213213213213132132131321321313
213213123

Cross-Site Request Forgery
In the majority of today’s web applications, clients are required to submit forms which can perform sensitive operations.

An example of such a form being used would be when an administrator wishes to create a new user for the application.

In the simplest version of the form, the administrator would fill in:

• Name
• Password
• Role (level of access)

Continuing with this example, Cross Site Request Forgery (CSRF) would occur when the administrator is tricked into clicking on a link which, if logged into the application, would automatically submit the form without any further interaction.

Cyber-criminals will look for sites where sensitive functions are performed in this manner and then craft malicious requests that will be used against clients via a social engineering attack.

There are 3 things that are required for a CSRF attack to occur:

• The form must perform some sort of sensitive action.
• The victim (the administrator in the example above) must have an active session.
• Most importantly, all parameter values must be known or guessable.
[1] In form with inputs tid xid pan bin last4 acqBin merId amount trMacro-today-button trMacro-month-
button trMacro-year-button txButton trMacro-monthly-sum-button trMacro-monthly-issuer-button
trMacro-daily-sum-button trMacro-daily-issuer-button clear trMacro-submit-button issuer.id status
toFssScore fromFssScore flow after.year after.month after.day after.hour after.minute after.second version
before.year before.month before.day before.hour before.minute before.second channel limit using GET at
https://3ds-admin.ci.modirum.com/mdpayacs-admin/transactions/transactionsList.htm pointing to
https://3ds-admin.ci.modirum.com/mdpayacs-admin/transactions/transactionsList.htm
Proof <form id="issuerUsersForm" method="post">
<input type="hidden" id="csrfToken" name="csrfToken"
value="5b1d3522fb7cade684ed3ab6cd72364958906e617c2209c0c7ce587afa2e3
cfe">
</input>
<input type="submit" value="Deactivate all users"
onclick="document.forms['issuerUsersForm'].action =
'../users/deactivateAllUsers.htm?issuer=26';\n
document.forms['issuerUsersForm'].submit();\n return
false;">
</input>
<input type="submit" value="Activate all users"
onclick="document.forms['issuerUsersForm'].action =
'../users/activateAllUsers.htm?issuer=26';\n
document.forms['issuerUsersForm'].submit();\n return
false;">
</input>

</form>

[2] In form with inputs issuer using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/issuers/issuerView.htm?id=26 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/adaptiveauths/adaptiveAuthConfigurationAdd20.htm .
Proof <form method="get"
action="../adaptiveauths/adaptiveAuthConfigurationAdd20.htm">
<input type="hidden" id="issuerId" name="issuer" value="26">
</input>
<input type="submit" value="Add New Rule Set">
</input>
</form>
[3] In form with inputs issuerId using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuerView.htm?id=26 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/cardranges/cardrangeAdd.htm .
Proof <form method="get" action="../cardranges/cardrangeAdd.htm">
<input type="hidden" id="issuerId" name="issuerId" value="26">
</input>
<input type="submit" value="Add Card Range">
</input>
</form>
[4] In form with inputs csrfToken using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuerView.htm?id=26 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuerView.htm .

Proof <form id="issuerUsersForm" action="?" method="post">
<input type="hidden" id="csrfToken" name="csrfToken"
value="5b1d3522fb7cade684ed3ab6cd72364958906e617c2209c0c7ce587afa2e3
cfe">
</input>
<input type="submit" value="Deactivate all users" onclick="\n
if(confirm('Confirm deactivation')) {\n
document.forms['issuerUsersForm'].action =
'../users/usersDeactivate.htm?id=26';\n
document.forms['issuerUsersForm'].submit();\n }\n
return false;">
</input>
<input type="submit" value="Activate all users" onclick="\n
if(confirm('Confirm activation')) {\n
document.forms['issuerUsersForm'].action =
'../users/usersActivate.htm?id=26';\n
document.forms['issuerUsersForm'].submit();\n }\n
return false;">
</input>
</form>
[5] In form with inputs using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuerView.htm?id=26 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuerView.htm .
Proof <form id="issuerForm" action="?" method="get">
<input type="submit" value="Edit" onclick="document.location.href =
'../issuers/issuerEdit.htm?id=26';return false;">
</input>
<input type="submit" value="User Management"
onclick="document.location.href =
'../users/issuerUsersList.htm?issuer=26';return false;">
</input>
<input type="submit" value="Transactions" onclick="document.location.href =
'../transactions/transactionsList.htm?issuer=26';return false;">
</input>
<input type="submit" value="Card Holders" onclick="document.location.href =
'../cards/cardsList.htm?issuer=26&reset=true';return false;">
</input>
<input type="submit" value="File Upload" onclick="document.location.href =
'../upload/importCsvView.htm?issuer=26';return false;">
</input>
</form>
[6] In form with inputs csrfToken id firstLogin login newUser fullname locale status issuerOrGroup role.id
using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/users/userEdit.htm?button=Add%20new%20user pointing to https://3ds-
admin.ci.modirum.com/mdpayacs-admin/users/userEdit.htm .

Proof <form id="uForm" action="../users/userEdit.htm" method="post" accept-
charset="UTF-8" autocomplete="off">
<input type="hidden" id="csrfToken" name="csrfToken"
value="5b1d3522fb7cade684ed3ab6cd72364958906e617c2209c0c7ce587afa2e3
cfe">
</input>
<input type="hidden" id="id" name="id" value="">
</input>
<input type="hidden" id="firstLogin" name="firstLogin" value="Y">
</input>
<input type="text" id="login" name="login" value="" size="40">
</input>
<input type="hidden" name="newUser" value="true">
</input>

<input type="text" id="fullname" name="fullname" value="" size="40">


</input>

<select id="locale" name="locale">


<option value="en_US" selected="selected">
English
</option>
<option value="es_ES">
Spanish
</option>
<option value="et_EE">
Estonian
</option>
<option value="fi_FI">
Finnish
</option>
<option value="fr_FR">
French
</option>
<option value="it_IT">
Italian
</option>
<option value="ru_RU">
Russian
</option>
<option value="sv_SE">
Swedish
</option>
</select>

<select id="status" name="status">


<option value="A">
Active
</option>
<option value="B" selected="selected">
Inactive
</option>
</select>

<select id="issuerOrGroup" name="issuerOrGroup"


onchange="getSelect(this.value);">
<option value="-1" selected="selected">
Unlimited
</option>
<option value="26">
abc
</option>
<option value="32">
Art Test
</option>
<option value="41">
Carrefour Banque France
</option>
<option value="43">
Issuer_BNM
</option>
<option value="44">
Issuer_PAL
</option>
<option value="42">
Issuer_SPEC
</option>
<option value="46">
Issuer_THG
</option>
<option value="30">
Jace Test
</option>
<option value="47">
katie01
</option>
<option value="45">
M ISSUER
</option>
<option value="27">
Oberthur
</option>
<option value="29">
Oberthur New Issuer 2 - OBERTHUR
</option>
<option value="35">
Sample Test
</option>
<option value="1">
Test issuer
</option>
<option value="7">
Test issuer 1
</option>
<option value="37">
Test issuer 2
</option>
<option value="25">
Test issuer 3
</option>
<option value="28">
TestUpload
</option>
<option value="39">
vesas issuer
</option>
<option value="GROUP-1">
Group 1 issuer (GROUP)
</option>
<option value="GROUP-8">
Jace (GROUP)
</option>
<option value="GROUP-7">
MGroup (GROUP)
</option>
<option value="GROUP-6">
Oberthur (GROUP)
</option>
<option value="GROUP-4">
Sample Gr1 (GROUP)
</option>
<option value="GROUP-5">
Test Group (GROUP)
</option>
</select>

<select id="role.id" name="role.id" onchange="onChangeRole()">


<option value="-1">
--
</option>
</select>

</form>
[7] In form with inputs csrfToken type iid after.year after.month after.day after.hour before.year
before.month before.day before.hour using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/reports/reportsEdit.htm?type=MerchantReport pointing to https://3ds-
admin.ci.modirum.com/mdpayacs-admin/reports/reportsAdd.htm .

Proof <form id="rForm" action="reportsAdd.htm" method="post" onsubmit="return
MDM.isValideDates();">
<input type="hidden" id="csrfToken" name="csrfToken"
value="5b1d3522fb7cade684ed3ab6cd72364958906e617c2209c0c7ce587afa2e3
cfe">
</input>
<input type="hidden" id="type" name="type" value="MerchantReport">
</input>
<select id="iid" name="iid">
<option value="-1">
Unlimited
</option>
<option value="26">
abc
</option>
<option value="32">
Art Test
</option>
<option value="41">
Carrefour Banque France
</option>
<option value="43">
Issuer_BNM
</option>
<option value="44">
Issuer_PAL
</option>
<option value="42">
Issuer_SPEC
</option>
<option value="46">
Issuer_THG
</option>
<option value="30">
Jace Test
</option>
<option value="47">
katie01
</option>
<option value="45">
M ISSUER
</option>
<option value="27">
Oberthur
</option>
<option value="29">
Oberthur New Issuer 2 - OBERTHUR
</option>
<option value="35">
Sample Test
</option>
<option value="1">
Test issuer
</option>
<option value="7">
Test issuer 1
</option>
<option value="37">
Test issuer 2
</option>
<option value="25">
Test issuer 3
</option>
<option value="28">
TestUpload
</option>
<option value="39">
vesas issuer
</option>
</select>

<input type="hidden" id="iid" name="iid" value="">


</input>
<select id="after.year" name="after.year">
<option value="1998" selected="selected">
[8] In form with inputs pan txButton using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/pantransactions/panTransactionsList.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/pantransactions/panTransactionsList.htm .
Proof <form id="panTrSearchForm" action="?" method="get">
<input type="text" id="pan" name="pan" value="" size="26" maxlength="19">
</input>
<input type="submit" class="blueButton" value="Cancel"
onclick="document.getElementById('pan').value='';
document.getElementById('panTrSearchForm').action =
'panTransactionsList.htm';">
</input>
<input type="submit" class="blueButton" id="txButton" value="Submit"
onclick="document.getElementById('panTrSearchForm').action =
'panTransactionsList.htm';">
</input>
</form>
[9] In form with inputs csrfToken using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuersList.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/issuersList.htm .
Proof <form id="statusChange" action="" method="post">
<input type="hidden" id="csrfToken" name="csrfToken"
value="5b1d3522fb7cade684ed3ab6cd72364958906e617c2209c0c7ce587afa2e3
cfe">
</input>
<input type="submit" value="Deactivate" onclick="\n if
(confirm('Confirm deactivation 1.0.2 \\'abc\\'?')) {\n \t\t\t\t
document.forms['statusChange'].action =
'issuerDeactivate.htm?id=26&protocol=1.0.2';\n \t\t\t\t
document.forms['statusChange'].submit();\n }\n \t\t\t\t
return false;">
</input>
</form>
[10] In form with inputs button using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/users/usersList.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/roles/roleList.htm .
Proof <form action="../roles/roleList.htm" method="get">
<input type="submit" name="button" value="User roles">
</input>
</form>
[11] In form with inputs button using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/users/usersList.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/users/userEdit.htm .
Proof <form action="userEdit.htm" method="get">
<input type="submit" name="button" value="Add new user">
</input>
</form>

[12] In form with inputs j_username j_password button2 using GET at https://3ds-
admin.ci.modirum.com/mdpayacs-admin/login/login.htm pointing to https://3ds-
admin.ci.modirum.com/mdpayacs-admin/j_spring_security_check .
Proof <form name="f" action="/mdpayacs-
admin/j_spring_security_check;jsessionid=20FA6BC35DA3055860B832407F5760
84" method="POST" autocomplete="off">
<input type="text" name="j_username" id="j_username" value=""
autocomplete="off" style="font-family: sans-serif; width: 32">
</input>
<input type="password" name="j_password" value="" id="j_password"
autocomplete="off" style="font-family: sans-serif; width: 32">
</input>
<input type="submit" name="button2" id="button" value="Login">
</input>
</form>
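As an added illustration (not part of the original report or of Arachni), the following Python triage helper parses form snippets like the proofs above and applies the rule the report uses later in “Elimination of problems”: a POST form carrying the application's csrfToken hidden field is treated as protected, a POST form without one as a gap, and a token-less GET form as something to review for state changes. It also extracts the endpoints that the onclick handlers assign to form.action, since the static action attribute ("?") does not show where the request really goes; the samples are constructed from proofs [4] and [8] with the token value replaced by a placeholder, plus one constructed token-less POST form.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Name of the anti-CSRF hidden field the application uses in the proofs above.
TOKEN_FIELD = "csrftoken"
# The proofs choose the real endpoint at click time, e.g.
#   document.forms['issuerUsersForm'].action = '../users/usersDeactivate.htm?id=26';
# so the static action attribute ("?") alone does not tell where a request goes.
ACTION_RE = re.compile(r"\.action\s*=\s*'([^']+)'")

@dataclass
class FormInfo:
    form_id: Optional[str]
    method: str
    action: str
    inputs: List[str] = field(default_factory=list)        # named fields (Arachni's "inputs")
    token_present: bool = False                             # hidden csrfToken field seen
    click_actions: List[str] = field(default_factory=list)  # endpoints set by onclick handlers

class FormCollector(HTMLParser):
    """Collects every <form>, its named fields and the endpoints its buttons target."""
    def __init__(self) -> None:
        super().__init__()
        self.forms: List[FormInfo] = []
        self._cur: Optional[FormInfo] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a: Dict[str, str] = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = FormInfo(a.get("id"), a.get("method", "get").lower(), a.get("action", ""))
            self.forms.append(self._cur)
            return
        if self._cur is None:
            return
        if tag in ("input", "select", "textarea") and a.get("name"):
            self._cur.inputs.append(a["name"])
            if a["name"].lower() == TOKEN_FIELD and a.get("type", "").lower() == "hidden":
                self._cur.token_present = True
        if "onclick" in a:
            self._cur.click_actions.extend(ACTION_RE.findall(a["onclick"]))

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._cur = None

def parse_forms(html: str) -> List[FormInfo]:
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    return collector.forms

def classify(form: FormInfo) -> str:
    """Report's triage rule: POST with token is protected, POST without token is a gap,
    and a token-less GET form only matters if its target changes state."""
    if form.method == "post":
        return "protected" if form.token_present else "csrf-gap"
    return "get-form-review"

def endpoints(form: FormInfo) -> List[str]:
    """Static action attribute plus every endpoint an onclick handler can switch to."""
    return ([form.action] if form.action else []) + form.click_actions

# Constructed samples abridged from proofs [4] and [8] above; the token value is a placeholder.
PROOF_4 = """
<form id="issuerUsersForm" action="?" method="post">
<input type="hidden" id="csrfToken" name="csrfToken" value="TOKEN-PLACEHOLDER"></input>
<input type="submit" value="Deactivate all users" onclick="if (confirm('Confirm deactivation')) {
document.forms['issuerUsersForm'].action = '../users/usersDeactivate.htm?id=26';
document.forms['issuerUsersForm'].submit(); } return false;"></input>
<input type="submit" value="Activate all users" onclick="if (confirm('Confirm activation')) {
document.forms['issuerUsersForm'].action = '../users/usersActivate.htm?id=26';
document.forms['issuerUsersForm'].submit(); } return false;"></input>
</form>
"""
PROOF_8 = """
<form id="panTrSearchForm" action="?" method="get">
<input type="text" id="pan" name="pan" value="" size="26" maxlength="19"></input>
<input type="submit" class="blueButton" id="txButton" value="Submit"
onclick="document.getElementById('panTrSearchForm').action = 'panTransactionsList.htm';"></input>
</form>
"""
# Constructed counter-example: a state-changing form with no token at all.
NO_TOKEN_POST = '<form id="weakForm" action="userEdit.htm" method="post"><input name="login"></input></form>'

if __name__ == "__main__":
    for form in parse_forms(PROOF_4 + PROOF_8 + NO_TOKEN_POST):
        print(form.form_id, form.method.upper(), classify(form), form.inputs, endpoints(form))
```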

Medium severity

Missing 'Strict-Transport-Security' header
The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards is used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests an HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.
[13] In server using GET at https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/21321321321321321321321321321321321321321321321321321321321321321321321321
32132132132132132132132132132121321321321321321321321321321321321321321321321321321321
32132132132132132132132132132132132132132132132113213213213213213213132132131321321313
213213123 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-
admin/issuers/21321321321321321321321321321321321321321321321321321321321321321321321321
32132132132132132132132132132121321321321321321321321321321321321321321321321321321321
32132132132132132132132132132132132132132132132113213213213213213213132132131321321313
213213123 .

Missing 'X-Frame-Options' header (x_frame_options), 1 instance
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn’t return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
[14] In server using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/styles/acs-style.css
pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/styles/acs-style.css .

Low severity

Missing 'X-Frame-Options' header (x_frame_options), 1 instance
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn’t return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
[15] In server using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/styles/acs-style.css
pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/styles/acs-style.css .

Informational severity

HTML object
Logs the existence of HTML object tags.

[16] In body using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/js/jquery.min.js pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/js/jquery.min.js .
Signature <object.*?>.*?</object>
Proof <object>","</object>

E-mail address disclosure
Email addresses are typically found on “Contact us” pages; however, they can also be found within scripts or code comments of the application. They are used to provide a legitimate means of contacting an organisation.

As one of the initial steps in information gathering, cyber-criminals will spider a website and, using automated methods, collect as many email addresses as possible, which they may then use in a social engineering attack.

Using the same automated methods, Arachni was able to detect one or more email addresses that were stored within the affected page.
[17] In body using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/js/jquery.ajaxq.js pointing
to https://3ds-admin.ci.modirum.com/mdpayacs-admin/js/jquery.ajaxq.js .

Signature [A-Z0-9._%+-]+(?:@|\s*\[at\]\s*)[A-Z0-9.-]+(?:\.|\s*\[dot\]\s*)[A-Z]{2,4}
Proof oleg.podolsky@gmail.com
[18] In body using GET at https://3ds-admin.ci.modirum.com/mdpayacs-admin/users/usersList.htm
pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/users/usersList.htm .

Signature [A-Z0-9._%+-]+(?:@|\s*\[at\]\s*)[A-Z0-9.-]+(?:\.|\s*\[dot\]\s*)[A-Z]{2,4}
Proof cheny.parreno@modirum.com
Interesting response
The server responded with neither a 200 (OK) nor a 404 (Not Found) status code. This is a non-issue; however, exotic HTTP response status codes can provide useful insights into the behaviour of the web application and assist with the penetration test.

[19] In server using TRACE at https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/login.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/login.htm .
Proof HTTP/1.1 405 Not Allowed

[20] In server using PUT at https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/Arachni-d6ab49f34c7f12eef02a705f64e9b025 pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/Arachni-d6ab49f34c7f12eef02a705f64e9b025 .
Proof HTTP/1.1 100 Continue
Allowed HTTP methods
There are a number of HTTP methods that can be used on a webserver (OPTIONS, HEAD, GET, POST, PUT, DELETE etc.). Each of these methods performs a different function and each has an associated level of risk when its use is permitted on the webserver.

A client can use the OPTIONS method within a request to query a server to determine which methods are allowed.

Cyber-criminals will almost always perform this simple test as it will give a very quick indication of any high-risk methods being permitted by the server.

[21] In server using OPTIONS at https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/login.htm pointing to https://3ds-admin.ci.modirum.com/mdpayacs-admin/login/login.htm .
Proof GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
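The header findings above ([13] HSTS, [14]/[15] X-Frame-Options, [19] to [21] HTTP methods) can be re-checked from captured responses without re-running the scanner. The following Python audit is an added example, not part of the report or of Arachni: it flags a missing Strict-Transport-Security header on an HTTPS response, rates a missing X-Frame-Options header as informational on non-HTML resources (as the report does for acs-style.css), and reconciles the methods advertised in the OPTIONS Allow header with the status each method actually returned. The response heads are constructed, and the HSTS max-age value is an assumed baseline rather than a value from the report.

```python
from typing import Dict, List, NamedTuple, Tuple

# Methods the "Allowed HTTP methods" finding treats as high-risk when a server advertises them.
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}
SAFE_XFO_VALUES = {"DENY", "SAMEORIGIN"}
# Remediation headers (assumption: a one-year HSTS max-age is the usual baseline, not a report value).
HSTS_FIX = "Strict-Transport-Security: max-age=31536000; includeSubDomains"
XFO_FIX = "X-Frame-Options: DENY"

class Finding(NamedTuple):
    severity: str
    name: str
    fix: str

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw response head into its status code and a lower-cased header map."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_headers(headers: Dict[str, str], is_https: bool) -> List[Finding]:
    """Missing HSTS on an HTTPS response (finding [13]) and missing X-Frame-Options ([14]/[15])."""
    findings: List[Finding] = []
    if is_https and "strict-transport-security" not in headers:
        findings.append(Finding("high", "Missing 'Strict-Transport-Security' header", HSTS_FIX))
    if headers.get("x-frame-options", "").strip().upper() not in SAFE_XFO_VALUES:
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        # A stylesheet or script has no UI to clickjack; the report itself rates the missing
        # header on acs-style.css as not affecting the application, so rank it informational.
        framable = ctype in ("", "text/html", "application/xhtml+xml")
        findings.append(Finding("medium" if framable else "info", "Missing 'X-Frame-Options' header", XFO_FIX))
    return findings

def risky_methods(allow_header: str) -> List[str]:
    """Methods in an OPTIONS Allow header that the report flags as high-risk."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)

def reconcile(allow_header: str, observed: Dict[str, int]) -> Dict[str, str]:
    """Compare advertised risky methods with the status each one actually returned.

    A 405 (NGINX's answer to TRACE in [19]) means the method is blocked in front of the
    application even though Allow lists it; a non-error status (the 100 Continue seen for
    PUT in [20]) means the request was not rejected and deserves a closer look."""
    verdicts: Dict[str, str] = {}
    for method in risky_methods(allow_header):
        status = observed.get(method)
        if status is None:
            verdicts[method] = "advertised-untested"
        elif status >= 400:
            verdicts[method] = "advertised-but-blocked"
        else:
            verdicts[method] = "advertised-and-accepted"
    return verdicts

# Constructed sample heads modelled on login.htm and acs-style.css; neither sends the two headers.
LOGIN_HEAD = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/mdpayacs-admin; Secure; HttpOnly
"""
CSS_HEAD = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
"""
ALLOW_PROOF = "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS"  # proof of finding [21]
OBSERVED = {"TRACE": 405, "PUT": 100}                         # proofs of [19] and [20]

if __name__ == "__main__":
    for label, head in (("login.htm", LOGIN_HEAD), ("acs-style.css", CSS_HEAD)):
        _, hdrs = parse_head(head)
        for f in audit_headers(hdrs, is_https=True):
            print(f"{label}: [{f.severity}] {f.name} -> {f.fix}")
    print(reconcile(ALLOW_PROOF, OBSERVED))
```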
Conclusion

From a security point of view, most of these mistakes are not critical, and they at least require access to the above URLs. Also, even if a user has some rights, it does not mean that he/she is allowed to run such a transaction. The overall score of possible injection is:

#    Description                                    Found
A1   Injection                                      X
A2   Broken Authentication and Session Management   X
A3   Cross Site Scripting (XSS)                     X
A4   Insecure Direct Object References              X
A5   Security Misconfiguration                      0,1%
A6   Sensitive Data Exposure                        X
A7   Missing Function Level Access Control          X
A8   Cross Site Request Forgery (CSRF)              1%
A9   Using Components with Known Vulnerabilities    X
A10  Unvalidated Redirects and Forwards             X

Elimination of problems

[1] Can be marked as a false positive; a unique CSRF token exists.

[2] The form method GET contains a relative path; according to OWASP, the “HTTP Referer” and the full path must be used, and a hidden form field marked as the CSRF token must also be applied.

[3] Same as [2]

[4] False positive; a CSRF token exists and the form uses POST

[5] Same as [2]

[6] False positive

[7] False positive

[8] No CSRF token defined

[9] False positive

[10] Same as [2]

[11] Form action without any path, no CSRF token, no Referer

[12] False positive

[13] The answer from the server wasn’t clearly understood by the scanner; false positive result

[14] Missing X-header on CSS; does not affect the application

[15] Same as [14]

[16] jQuery, normal

[17] jQuery developer signature; needs to be removed

[18] Our QA signature; also needs to be removed

[19] NGINX blocks the attack with error 405. No issues

[20] Same as [19]

[21]
