TestSparker
TechDefence Labs
Jemin Khunt
26th March 2025
Executive Summary:
This report presents the findings of a penetration testing assessment conducted on the
web application http://aspnet.testsparker.com as requested by TechDefence Labs for a
practical task evaluation. The assessment, performed on 25th March, aimed to identify
security vulnerabilities through a combination of manual and automated testing
methodologies.
During the assessment, several vulnerabilities were discovered. These vulnerabilities
present a [High/Medium/Low] risk to the application's integrity and could lead to
unauthorized data access, session hijacking, application manipulation and similar impacts.
This report provides detailed descriptions of the identified vulnerabilities, their potential
impact, and prioritized recommendations for remediation. Immediate attention is
recommended to address the critical vulnerabilities and enhance the overall security
posture of the application.
Approach:
The vulnerability assessment was divided into three phases:
● Network Discovery – Identifying active systems, open ports, and network configurations.
● Automated Assessment – Utilizing scanning tools to detect potential security weaknesses.
● Manual Testing & Validation – Conducting targeted security tests and verifying
vulnerabilities to reduce false positives.
Tools:
Nmap: Network and port scanning
Burp Suite: Web application vulnerability testing
SQLmap: SQL injection testing
Key Findings:
No. Name Severity
1 SQL Injection on Product ID Critical
2 SQL Injection on Blog Page Critical
3 SQL Injection on Bitcoin Calculator Critical
4 Local File Inclusion (LFI) on Help Page High
5 FTP Logs Disclosure via WS_FTP.log High
6 Publicly Accessible Database File High
7 Stored Cross Site Scripting on Guestbook High
8 Reflected Cross Site Scripting on About Page Medium
9 EXIF Metadata Leak Medium
10 Directory Listing Medium
11 Unauthorized Product Listing Medium
12 Open Redirect on redirect.aspx Medium
13 Session Fixation Medium
14 Possible Broken Link Hijacking Low
15 MITM on Clear Text Password Submission Low
16 Server Path Disclosure Low
17 IIS Tilde Enumeration Low
18 Click-Jacking Low
19 Access Policy Misconfiguration Low
#1 Vulnerability: SQL Injection on Product ID
Vulnerable URL: http://aspnet.testsparker.com/Products.aspx?pId=1
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: Critical
Summary:
The pId parameter in the provided URL is vulnerable to SQL injection, allowing attackers
to manipulate database queries. This vulnerability can be exploited using tools like
SQLmap to extract sensitive data or gain control of the database server.
Steps to Reproduce:
1. Trigger SQL injection by injecting a payload into the pId parameter of the following URL:
http://aspnet.testsparker.com/Products.aspx?pId=1
2. The following SQLmap command was used to confirm the vulnerability:
sqlmap -u http://aspnet.testsparker.com/Products.aspx?pId=1 --flush-session --dbms=MsSQL --random-agent --proxy=http://127.0.0.1:8080 --dbs
3. Full exploit URL: http://aspnet.testsparker.com/Products.aspx?pId=(SELECT CONCAT(CONCAT(CHAR(113)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(113),(CASE WHEN (8075=8075) THEN CHAR(49) ELSE CHAR(48) END)),CHAR(113)+CHAR(122)+CHAR(112)+CHAR(98)+CHAR(113)))
4. This confirms that SQL queries can be manipulated, posing a significant security risk to the application.
Proof of Concept:
Remediation:
Use parameterized queries or prepared statements to separate SQL code from user
input. This prevents user input from being interpreted as SQL code.
#2 Vulnerability: SQL Injection on Blog Page
Vulnerable URL: http://aspnet.testsparker.com/blog/is-bitcoin-anonymous-95
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: Critical
Summary:
The given URL is vulnerable to SQL injection, allowing arbitrary SQL query manipulation
as demonstrated by successful exploitation with SQLmap and a crafted injection
payload. This vulnerability poses a significant risk of unauthorized database access and
data compromise.
Steps to Reproduce:
1. Trigger SQL injection by injecting a payload into the numeric suffix of the following URL:
http://aspnet.testsparker.com/blog/is-bitcoin-anonymous-95
2. The following SQLmap command was used to confirm the vulnerability:
sqlmap -u http://aspnet.testsparker.com/blog/is-bitcoin-anonymous-95 --flush-session --dbms=MsSQL --random-agent --dbs --level 1 --risk 3
3. Final exploitation URL: http://aspnet.testsparker.com/blog/-7992') OR 4631=4631 AND ('XiPE'='XiPE
4. This confirms that SQL queries can be manipulated, posing a significant security risk to the application.
Proof of Concept:
Remediation:
Use parameterized queries or prepared statements to separate SQL code from user
input. This prevents user input from being interpreted as SQL code.
#3 Vulnerability: SQL Injection on Bitcoin Calculator
Vulnerable URL: http://aspnet.testsparker.com/Converter.aspx
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: Critical
Summary:
The Converter.aspx page on aspnet.testsparker.com is vulnerable to SQL injection via
the btcAmount parameter in its JSON request body. Injecting a crafted SQL payload
successfully executes database commands, confirming the vulnerability.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/Converter.aspx
2. Enter a random value in the BTC field, click Calculate, and capture the request in Burp Suite.
3. The btcAmount parameter is visible in the JSON body; add the following payload:
(select convert(int,cast(0521403264696c656d6d61 as varchar (8000))) from syscolumns)
4. The response confirms the SQL injection vulnerability.
Proof of Concept:
Remediation:
Use parameterized queries or prepared statements to separate SQL code from user
input. This prevents user input from being interpreted as SQL code.
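The remediation for findings #1, #2 and #3 is the same: bind user input as a parameter instead of splicing it into SQL text. The script below is an added example and is not part of this report or of the tested application; it reproduces the mechanism with an in-memory SQLite table because the application's MsSQL schema is not known here, so the posts table, its rows and the parse_pid helper are constructed. find_post_unsafe builds the query by string formatting, which is what lets the payload quoted in finding #2 return every row; find_post_safe uses a placeholder, so the same string is compared as a literal value and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for the blog/product tables behind the
# tested pages; the real schema of aspnet.testsparker.com is not known here.
POSTS = [(93, "First post"), (94, "Second post"), (95, "Is Bitcoin anonymous?")]

# Boolean-based payload quoted in finding #2, with straight quotes restored.
PAYLOAD = "-7992') OR 4631=4631 AND ('XiPE'='XiPE"


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", POSTS)
    conn.commit()
    return conn


def find_post_unsafe(conn, post_id):
    """Vulnerable pattern: the URL value is pasted into the SQL text, so quotes
    and operators inside it become part of the query the database parses."""
    sql = "SELECT id, title FROM posts WHERE (id = '%s')" % post_id
    return conn.execute(sql).fetchall()


def find_post_safe(conn, post_id):
    """Hardened pattern: a placeholder plus a bound parameter. The driver hands
    the value to the engine separately, so it is only ever compared, never parsed."""
    sql = "SELECT id, title FROM posts WHERE (id = ?)"
    return conn.execute(sql, (post_id,)).fetchall()


def parse_pid(raw):
    """Allow-list layer for numeric ids such as pId: anything that is not a
    plain decimal integer is rejected before it reaches the database."""
    if not raw.isdigit():
        return None
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    print("unsafe query, payload :", len(find_post_unsafe(db, PAYLOAD)), "rows")
    print("safe query,   payload :", len(find_post_safe(db, PAYLOAD)), "rows")
    print("safe query,   id=95   :", find_post_safe(db, "95"))
    print("parse_pid('1 OR 1=1') :", parse_pid("1 OR 1=1"))
```

The unsafe query returns all three constructed rows for the payload because the injected OR clause is true for every row; the parameterised query returns none, and a legitimate id still returns its single row. The same pattern applies to SqlCommand parameters in an ASP.NET code base.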
#4 Vulnerability: Local File Inclusion on Help Page
Vulnerable URL: http://aspnet.testsparker.com/Help.aspx?item=1
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: High
Summary:
The item parameter of Help.aspx is vulnerable to Local File Inclusion (LFI), allowing
retrieval of arbitrary server files, as demonstrated by successfully reading the
win.ini file.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/Help.aspx?item=1
2. Replace the item value with the following payload:
../../../../../../../../../../windows/win.ini
Full URL with payload:
https://aspnet.testsparker.com/Help.aspx?item=../../../../../../../../../../windows/win.ini
3. The response in the web page confirms the LFI vulnerability.
Proof of Concept:
Remediation:
Sanitize user input to remove or escape directory traversal sequences. Restrict direct
access to sensitive files and directories from the web application.
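The following Python function is an added example of the two-layer control the remediation describes; it is not code from the report or from the tested application. The help directory location (HELP_DIR) and the ".html" naming of help items are assumptions. The first layer is an allow-list on the item identifier, so traversal sequences never reach a path join at all; the second canonicalises the joined path and checks it is still under the help directory, which is what rejects the win.ini payload from the finding even on its own.

```python
import os
import re

# Assumed location of the help articles on disk (not taken from the report).
HELP_DIR = os.path.join(os.sep, "srv", "app", "help")

# Help items are identified by short tokens such as "1"; nothing else is accepted.
ITEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_help_item(item, base_dir=HELP_DIR):
    """Map the item parameter to a file under base_dir, or return None.

    Layer 1 is an allow-list on the identifier, so "../", "/", backslashes and
    NUL bytes are refused before any path is built.  Layer 2 canonicalises the
    joined path and checks that it is still inside base_dir; it is a safety
    net in case the allow-list is loosened later.
    """
    if not ITEM_RE.fullmatch(item):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, item + ".html"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def inside_base(item, base_dir=HELP_DIR):
    """The containment check on its own: canonicalise base_dir/item and report
    whether the result is still under base_dir (False for the traversal payload)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, item))
    return os.path.commonpath([base, candidate]) == base


if __name__ == "__main__":
    payload = "../../../../../../../../../../windows/win.ini"
    print("item=1       ->", resolve_help_item("1"))
    print("item=payload ->", resolve_help_item(payload))
    print("containment check alone, payload:", inside_base(payload))
```

Decode URL encoding before calling the function (the web framework normally does this), and keep the allow-list as the primary control: the containment check protects against escaping the directory, but it still lets a caller read any file inside it.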
#5 Vulnerability: FTP Logs Disclosure via WS_FTP.log
Vulnerable URL: http://aspnet.testsparker.com/WS_FTP.log
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: High
Summary:
The WS_FTP.log file on the server is publicly accessible, directly exposing potentially
sensitive FTP server logs. This constitutes a significant security vulnerability, as it allows
unauthorized access to server activity details.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/WS_FTP.log
2. The response in the web page confirms the vulnerability.
Proof of Concept:
Remediation:
Configure the web server to deny direct access to the WS_FTP.log file.
#6 Vulnerability: Publicly Accessible Database File
Vulnerable URL: http://aspnet.testsparker.com/statics/data.mdb
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: High
Summary:
The data.mdb is directly accessible and downloadable, exposing a Microsoft Access
database file. This constitutes a significant information disclosure vulnerability as it
contains potentially sensitive application data.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/statics/data.mdb
2. The response in Burp Suite confirms the vulnerability.
Proof of Concept:
Remediation:
Immediately move the data.mdb file outside the web root directory, or restrict access to
it using the web server configuration.
#7 Vulnerability: Stored Cross Site Scripting on Guestbook
Vulnerable URL: http://aspnet.testsparker.com/Guestbook.aspx
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: High
Summary:
The Guestbook feature on aspnet.testsparker.com is vulnerable to stored Cross-Site
Scripting (XSS). User-supplied input containing <img src=x onerror=alert(1)> is not
properly sanitized, allowing malicious JavaScript to execute when the guestbook list is
viewed, potentially compromising user sessions and data.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/Guestbook.aspx
2. Enter the following payload in both input fields:
<img src=x onerror=alert(1)>
3. Submit the form and check the guestbook list.
4. The payload executes on the following page:
http://aspnet.testsparker.com/GuestbookList.aspx
Proof of Concept:
Remediation:
Implement a strong Content Security Policy to restrict the execution of inline JavaScript
and other potentially malicious content.
#8 Vulnerability: Reflected Cross Site Scripting on About Page
Vulnerable URL: http://aspnet.testsparker.com/About.aspx?hello=1
Vulnerability Class [OWASP]: A03: 2021 Injection
Severity: Medium
Summary:
The hello parameter is vulnerable to reflected Cross-Site Scripting (XSS). Inputting <img
src=x onerror=alert(document.domain)> into the parameter results in the JavaScript
payload executing within the user's browser, displaying an alert box with the
document's domain, demonstrating the ability to inject arbitrary script into the page.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/About.aspx?hello=1
2. Replace the value of the hello parameter with the following payload:
<img src=x onerror=alert(document.domain)>
3. Submit the URL and inspect the response.
4. The payload executes and shows an alert box containing the domain name.
Proof of Concept:
Remediation:
Implement a strong Content Security Policy to restrict the execution of inline JavaScript
and other potentially malicious content.
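Findings #7 and #8 share one root cause: user-controlled text reaches the HTML response without output encoding. The Python below is an added example and is not code from the report or the tested application; the guestbook row and greeting templates are assumed shapes of the two pages. It shows the encoding step that fixes both findings and the Content Security Policy the remediation recommends as a second layer, which blocks inline event handlers such as onerror= even if an encoding bug slips through.

```python
import html

# Payloads quoted in findings #7 and #8.
STORED_PAYLOAD = "<img src=x onerror=alert(1)>"
REFLECTED_PAYLOAD = "<img src=x onerror=alert(document.domain)>"


def encode_text(value):
    """Encode a string for an HTML text node or a quoted attribute value.
    html.escape rewrites < > & " and ' so any markup in the input stays inert."""
    return html.escape(value, quote=True)


def render_guestbook_entry(name, message):
    """Template for one guestbook row (assumed shape): every user-controlled
    value passes through encode_text at output time, whatever was stored."""
    return "<li><strong>%s</strong>: %s</li>" % (encode_text(name), encode_text(message))


def render_greeting(hello):
    """The About page greeting (assumed shape), with the reflected parameter encoded."""
    return "<p>Hello, %s!</p>" % encode_text(hello)


def security_headers():
    """Defence-in-depth headers to send with the encoded page.  The policy
    refuses inline scripts and event handlers; it complements output
    encoding rather than replacing it."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_guestbook_entry(STORED_PAYLOAD, STORED_PAYLOAD))
    print(render_greeting(REFLECTED_PAYLOAD))
    print(security_headers())
```

Encoding is context-specific: html.escape is correct for text nodes and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context.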
#9 Vulnerability: EXIF Metadata Leak
Vulnerable URL: http://aspnet.testsparker.com/statics/write-us.jpg
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Medium
Summary:
Accessing write-us.jpg and analyzing its metadata via jimpl.com reveals the image's
ProfileDateTime. This exposes the exact date and time the image was created or
modified, potentially disclosing sensitive information about the application's internal
processes or content management.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/statics/write-us.jpg
2. Visit https://jimpl.com and check the metadata of the image.
3. The ProfileDateTime of the image is displayed there.
Proof of Concept:
Remediation:
Implement server-side image processing to strip EXIF metadata from uploaded images
before serving them to users. Libraries like ImageMagick or Pillow (PIL) in Python can be
used for this purpose.
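As an added example (not the report's or the application's code), the stand-alone Python below strips metadata from a JPEG without any third-party library by walking the marker segments and dropping the application segments that carry it. ProfileDateTime, the field the finding cites, is a header field of an embedded ICC colour profile (an APP2 segment), not of EXIF proper, so the stripper removes ICC, XMP and Photoshop/IPTC segments as well as APP1 Exif. The sample JPEG is constructed and is not a decodable picture; it only exercises the marker walk.

```python
import struct

# JPEG marker codes (the byte that follows 0xFF).
APP0, APP1, APP2, APP13, SOS, EOI = 0xE0, 0xE1, 0xE2, 0xED, 0xDA, 0xD9

# Application segments that carry metadata, identified by the signature at the
# start of their payload.
METADATA_SIGNATURES = {
    APP1: (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00"),  # EXIF, XMP
    APP2: (b"ICC_PROFILE\x00",),                                    # ICC profile
    APP13: (b"Photoshop 3.0\x00",),                                 # IPTC / Photoshop
}


def _segments(data):
    """Yield (marker, start, end) for each marker segment after SOI.  SOS and
    EOI are yielded with end=len(data): entropy-coded data follows SOS and is
    copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected 0xFF at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("segment at offset %d runs past end of file" % pos)
        yield marker, pos, end
        pos = end


def _is_metadata(data, marker, start):
    payload = start + 4  # skip marker (2 bytes) and length (2 bytes)
    return any(data[payload:payload + len(sig)] == sig
               for sig in METADATA_SIGNATURES.get(marker, ()))


def metadata_segments(data):
    """List (marker, start, end) for every metadata segment in the file."""
    return [(m, s, e) for m, s, e in _segments(data) if _is_metadata(data, m, s)]


def strip_metadata(data):
    """Return a copy of the JPEG with EXIF, XMP, ICC and IPTC segments removed."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if not _is_metadata(data, marker, start):
            out += data[start:end]
    return bytes(out)


def _segment(marker, payload):
    """Build one marker segment for the constructed sample."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: JFIF header, an Exif block, an ICC profile block,
# a stand-in SOS header, two bytes of fake scan data and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00" + b"MM\x00*\x00\x00\x00\x08\x00\x00")
    + _segment(APP2, b"ICC_PROFILE\x00\x01\x01" + b"\x00" * 16)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m, _, _ in metadata_segments(SAMPLE_JPEG)])
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after :", metadata_segments(cleaned), "| bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Run strip_metadata over files at upload time or in the publishing pipeline and serve only the cleaned copy; removing the ICC profile can shift colours slightly, so convert to sRGB first if colour fidelity matters.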
#10 Vulnerability: Directory Listing
Vulnerable URL: http://aspnet.testsparker.com/statics/
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Medium
Summary:
Direct access to http://aspnet.testsparker.com/statics/ reveals a directory listing,
exposing the internal file structure of the web application's static resources. This allows
unauthorized users to enumerate files and potentially access sensitive data within the
statics directory.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/statics/
2. The directory listing is displayed.
Proof of Concept:
Remediation:
Configure the web server (e.g., IIS, Apache) to disable directory listing for the statics
directory and all other relevant directories.
#11 Vulnerability: Unauthorized Product Listing
Vulnerable URL: http://aspnet.testsparker.com/Shop.aspx
Vulnerability Class [OWASP]: A01: 2021 Broken Access Control
Severity: Medium
Summary:
The Shop.aspx page on aspnet.testsparker.com displays a product list, and the
underlying Products.aspx endpoint exposes product details via the pId parameter. By
sequentially incrementing the pId value in the URL, an attacker can enumerate and
access all product information.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/Shop.aspx
2. The product list is displayed (2 products).
3. Capture the request made when opening a product in Burp Suite.
4. The following URL is visible in Burp Suite:
/Products.aspx?pId=1
5. Change the id sequentially to access the other products.
Proof of Concept:
Remediation:
Use session-based or role-based access controls to verify that the user is authorized to
view the requested product.
#12 Vulnerability: Open Redirect on redirect.aspx
Vulnerable URL: http://aspnet.testsparker.com/redirect.aspx?site=bitcoin.com
Vulnerability Class [OWASP]: A03: 2021 Injection/A10: 2021 SSRF
Severity: Medium
Summary:
The ?site= parameter allows arbitrary URL redirection. This constitutes an open
redirect vulnerability, potentially enabling phishing attacks.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/redirect.aspx?site=
2. Add any URL after the ?site= parameter.
3. You are redirected to the supplied URL.
Proof of Concept:
Remediation:
If redirection is necessary, use relative paths instead of absolute URLs. If possible, avoid
user-controlled redirects altogether.
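Where the redirect cannot be removed, the value of site must be validated before it is used. The function below is an added example, not code from the report or the application; the allow-list of hosts (only the report's own host) is an assumption. It accepts a local path or an http(s) URL to an allow-listed host and refuses everything else, including the bare hostname form the finding uses, scheme-relative "//host" values, non-http schemes and userinfo tricks such as "trusted@evil".

```python
from urllib.parse import urlsplit

# Hosts the application may redirect to; the report names only its own host.
ALLOWED_HOSTS = {"aspnet.testsparker.com"}


def safe_redirect_target(site, allowed_hosts=ALLOWED_HOSTS):
    """Validate the site parameter and return the target to redirect to, or
    None when the value must be refused (respond with 400 or the home page).

    Accepted: a local absolute path such as "/Shop.aspx", or an http(s) URL
    whose host is allow-listed.  Refused: bare hostnames (which the vulnerable
    page turns into an external redirect), "//host" scheme-relative forms,
    javascript:/data: schemes, backslashes, control characters, and URLs whose
    real host hides behind a user-info part.
    """
    if not site or any(c in site for c in "\\\r\n\x00"):
        return None
    try:
        parts = urlsplit(site)
    except ValueError:           # malformed IPv6 brackets and similar
        return None
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return None
        if parts.hostname not in allowed_hosts:   # hostname is lower-cased, userinfo stripped
            return None
        return site
    if site.startswith("/") and not site.startswith("//"):
        return site
    return None


if __name__ == "__main__":
    for value in ("/Shop.aspx", "bitcoin.com", "https://bitcoin.com", "//bitcoin.com/",
                  "javascript:alert(1)", "http://aspnet.testsparker.com@bitcoin.com/"):
        print("%-45s -> %s" % (value, safe_redirect_target(value)))
```

A cleaner design, where the set of destinations is known, is to pass an opaque key and look the URL up server-side so no URL is accepted from the client at all.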
#13 Vulnerability: Session Fixation
Vulnerable URL:
http://aspnet.testsparker.com/administrator/Login.aspx?r=/Dashboard
Vulnerability Class [OWASP]: A02: 2021 Cryptographic Failures
Severity: Medium
Summary:
The application is vulnerable to session fixation. By manipulating the
ASP.NET_SessionId cookie before login, an attacker can force a user to authenticate
with a pre-determined session ID, potentially gaining unauthorized access to the
/Dashboard/ area after the legitimate login.
Steps to Reproduce:
1. Visit the following URL:
http://aspnet.testsparker.com/administrator/Login.aspx?r=/Dashboard/
2. Check the stored cookie ASP.NET_SessionId in the network tab.
3. Assign a random value of the same length to the session ID.
4. Log in with valid credentials and check the session ID after login.
5. The session ID is the same value that was set earlier.
Proof of Concept:
Remediation:
Implement proper session ID regeneration upon successful user login. This should
involve generating a new, unpredictable session ID and invalidating the old one. Validate
session IDs on the server-side to prevent the use of predictable or manipulated session
IDs.
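The regeneration rule in the remediation is easier to verify in code than in prose. The session store below is an added example, not code from the report or the application: the credential check is a constructed stand-in, and the store is an in-memory dictionary rather than ASP.NET's session provider. It refuses to adopt an unknown client-supplied id before login (step 3 of the finding) and, on successful login, discards the pre-authentication id and issues a new one, so the planted value never becomes an authenticated session.

```python
import secrets

# Constructed credential table; a real application verifies a password hash.
_USERS = {"admin": "correct-horse-battery"}


def check_credentials(username, password):
    expected = _USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


class SessionStore:
    """Server-side session table keyed by session id (the value that would be
    carried in a cookie such as ASP.NET_SessionId)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Mint an unpredictable id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        """Pre-login: honour a presented id only if the server issued it; an
        unknown value (e.g. one planted by an attacker) is replaced, not adopted."""
        if presented_sid in self._sessions:
            return presented_sid
        return self.new_session()

    def login(self, sid, username, password):
        """On success, drop the pre-authentication id and issue a fresh one, so an
        id fixed before login never identifies the authenticated session.
        Returns the new id, or None when login fails."""
        if sid not in self._sessions or not check_credentials(username, password):
            return None
        data = self._sessions.pop(sid)        # invalidate the old id
        new_sid = self.new_session()
        self._sessions[new_sid] = {**data, "user": username}
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    store = SessionStore()
    planted = "A" * 24                        # value an attacker fixed in the cookie
    sid = store.resolve(planted)
    new_sid = store.login(sid, "admin", "correct-horse-battery")
    print("planted id adopted?      ", sid == planted)
    print("id changed at login?     ", new_sid != sid)
    print("old id still logged in?  ", store.user_for(sid) is not None)
```

In the new id, the Set-Cookie for the session must also be re-sent after login; an application that keeps the cookie value and only marks the server-side record as authenticated reproduces the finding exactly.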
#14 Vulnerability: Possible Broken Link Hijacking
Vulnerable URL: http://aspnet.testsparker.com/About.aspx?hello=visitor
Vulnerability Class [OWASP]: A08: 2021 Software and Data Integrity Failures
Severity: Low
Summary:
The application contains a broken Facebook link. Clicking the Facebook social media
button redirects to a non-existent profile, indicating a potential Broken Link Hijacking
vulnerability.
Steps to Reproduce:
1. Visit the following URL:
http://aspnet.testsparker.com/About.aspx?hello=visitor
2. Look for the social media button (Facebook).
3. Click the button; you are redirected to the Facebook profile.
4. The profile does not exist on Facebook.
Proof of Concept:
Remediation:
Immediately correct the broken Facebook link to point to the correct, existing profile.
#15 Vulnerability: MITM on Clear Text Password Submission
Vulnerable URL:
http://aspnet.testsparker.com/administrator/Login.aspx?r=/Dashboard
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Low
Summary:
The application transmits login credentials in plain text over HTTP. By capturing network
traffic with Wireshark, the POST request reveals the username and password, exposing
a critical security vulnerability due to the lack of encryption.
Steps to Reproduce:
1. Visit the following URL:
http://aspnet.testsparker.com/administrator/Login.aspx?r=/Dashboard
2. Note that the application communicates over plain HTTP.
3. Open Wireshark and start capturing network traffic.
4. Log in with valid credentials.
5. Find the request in Wireshark using the filter below:
ip.addr=={applicationIP}
6. Locate the POST request to the server; the credentials are visible in plain text.
Proof of Concept:
Remediation:
Migrate the entire application, including the login form and all subsequent pages, to
HTTPS. This ensures all communication is encrypted using TLS/SSL.
#16 Vulnerability: Server Path Disclosure
Vulnerable URL: http://aspnet.testsparker.com/images/2.jpg
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Low
Summary:
Visiting the URL results in an error response that reveals the server's internal directory
path. This information disclosure could aid attackers in understanding the server's file
structure and potentially exploiting other vulnerabilities.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com/images/.jpg
2. The application responds with an error that discloses the server's internal
directory path.
Proof of Concept:
Remediation:
Implement custom error pages that do not reveal sensitive information.
#17 Vulnerability: IIS Tilde Enumeration
Vulnerable URL: http://aspnet.testsparker.com/
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Low
Summary:
Visiting the URL and then using Burp Suite's IIS Tilde Enumeration extension revealed
that the web server is vulnerable to directory and file enumeration via the IIS short
filename vulnerability.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com
2. Capture the request in Burp Suite and run the IIS Tilde Enumeration extension.
3. Review the results for the vulnerability.
Proof of Concept:
Remediation:
Disable the creation of 8.3 short filenames on the IIS server. This can be done by
modifying the NtfsDisable8dot3NameCreation registry key. Specifically, set it to 2 to
disable it on all NTFS volumes.
#18 Vulnerability: Click-Jacking
Vulnerable URL: http://aspnet.testsparker.com/
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Low
Summary:
The application is vulnerable to clickjacking. By embedding the target site in a
transparent iframe and overlaying a deceptive button, an attacker can trick users into
performing unintended actions on the framed website.
Steps to Reproduce:
1. Visit the following URL: http://aspnet.testsparker.com
2. Save the code below as Test.html.
3. Open the file: the website is loaded within an iframe, and the "Click here to Win
Prize" button is positioned to overlap interactive elements of the framed website.
Proof of Concept:
Remediation:
Implement the X-Frame-Options header: the most effective defense is to set the
X-Frame-Options HTTP response header.
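A check that classifies a response's anti-framing posture is useful both for confirming the finding and for verifying the fix after deployment. The Python below is an added example (not code from the report or the application); the unprotected response headers are constructed, and the Server value is a placeholder rather than anything observed on the target. It treats the CSP frame-ancestors directive as the primary control and X-Frame-Options DENY/SAMEORIGIN as the fallback, and reports the obsolete ALLOW-FROM form as no protection, since current browsers ignore it.

```python
def frame_protection(headers):
    """Classify anti-framing protection from a response's headers.

    Returns "csp" when Content-Security-Policy carries a frame-ancestors
    directive that is not a bare wildcard, "xfo" when X-Frame-Options is
    DENY or SAMEORIGIN, and "none" otherwise (including ALLOW-FROM, which
    current browsers ignore).  Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources and "*" not in sources:
                return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


def hardened_headers():
    """Headers to add to every response: CSP frame-ancestors is the current
    control, X-Frame-Options covers older browsers that predate it."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed headers standing in for the finding: no framing control at all.
UNPROTECTED_RESPONSE = {
    "Server": "IIS (placeholder, not observed)",
    "Content-Type": "text/html; charset=utf-8",
}


if __name__ == "__main__":
    print("unprotected :", frame_protection(UNPROTECTED_RESPONSE))
    print("hardened    :", frame_protection(hardened_headers()))
    print("xfo only    :", frame_protection({"x-frame-options": "sameorigin"}))
```

Use 'self' instead of 'none' in frame-ancestors if the application legitimately frames its own pages, and add the headers at the web server level so every response, including error pages, carries them.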
#19 Vulnerability: Access Policy
Vulnerable URL: http://aspnet.testsparker.com/
Vulnerability Class [OWASP]: A05: 2021 Security Misconfiguration
Severity: Low
Summary:
The clientaccesspolicy.xml and crossdomain.xml files, located at the specified URLs,
contain wildcard (*) entries within their policy definitions. These files control cross-
domain access permissions for Adobe Flash Player and Silverlight applications,
respectively. The presence of the wildcard (*) allows any domain to access resources on
aspnet.testsparker.com.
Steps to Reproduce:
1. Visit the following URLs: http://aspnet.testsparker.com/clientaccesspolicy.xml
http://aspnet.testsparker.com/crossdomain.xml
2. Observe the presence of <allow-access-from domain="*" /> or similar entries.
Proof of Concept:
Remediation:
Replace the wildcard (*) in the domain attribute with specific, trusted domain names.
This limits cross-domain access to only authorized origins.
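The wildcard check in step 2 can be automated and re-run after the fix. The Python below is an added example and is not code from the report or the application: the four policy documents are constructed, and "trusted-partner.example" is a placeholder host. It parses both file formats with the standard library and lists every entry that grants access to any origin; subdomain patterns such as "*.example.com" are deliberately not flagged, as they are a narrower grant that needs a separate judgement.

```python
import xml.etree.ElementTree as ET

# Attribute values that open the resource to every origin.
OPEN_VALUES = {"*", "http://*", "https://*"}


def wildcard_grants(xml_text):
    """Return (element, attribute, value) for each entry in a crossdomain.xml
    (Flash) or clientaccesspolicy.xml (Silverlight) document that grants
    access to any origin.  An empty list means no wildcard grant was found."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter("allow-access-from"):                # crossdomain.xml
        v = el.get("domain", "").strip()
        if v in OPEN_VALUES:
            hits.append(("allow-access-from", "domain", v))
    for el in root.iter("allow-http-request-headers-from"):  # crossdomain.xml
        v = el.get("domain", "").strip()
        if v in OPEN_VALUES:
            hits.append(("allow-http-request-headers-from", "domain", v))
    for el in root.iter("domain"):                           # clientaccesspolicy.xml
        v = el.get("uri", "").strip()
        if v in OPEN_VALUES:
            hits.append(("domain", "uri", v))
    return hits


# Constructed policy files: the first two mirror the wildcard entries the
# finding describes, the last two show the remediated form.
CROSSDOMAIN_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

CLIENTACCESS_OPEN = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

CROSSDOMAIN_FIXED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="trusted-partner.example" secure="true" />
</cross-domain-policy>"""

CLIENTACCESS_FIXED = CLIENTACCESS_OPEN.replace('uri="*"', 'uri="https://trusted-partner.example"')


if __name__ == "__main__":
    for name, doc in (("crossdomain.xml (open)", CROSSDOMAIN_OPEN),
                      ("clientaccesspolicy.xml (open)", CLIENTACCESS_OPEN),
                      ("crossdomain.xml (fixed)", CROSSDOMAIN_FIXED),
                      ("clientaccesspolicy.xml (fixed)", CLIENTACCESS_FIXED)):
        print("%-32s %s" % (name, wildcard_grants(doc)))
```

If the application no longer serves Flash or Silverlight clients, removing both files altogether is simpler than maintaining an allow-list in them.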