Client Confidential

Web Application VAPT


BY

CyberSapiens United LLP

Report on
poshsecure.com

WEB APPLICATION VAPT CYBERSAPIENS UNITED LLP

Table of Contents
1. Document Attributes
2. Executive Summary
3. VAPT Test Graph
4. Auditing Scope
5. Methodologies and Standards
6. VAPT Project Timeframe
7. Risk Ratings and Threat Level
8. Vulnerability Summary
9. Observations
10. Tools used for Assessment
11. Conclusion

1. Document Attributes

Date: 30-01-2022
Version: 1.0
Prepared by: Pavan Kumar Chinta (mr-white-hat)
Reviewed by:

2. Executive Summary

CyberSapiens United LLP was contracted by Posh Secure to conduct a web application vulnerability assessment and penetration testing activity to determine its exposure to targeted attacks and to ensure that the Posh Secure web application is secure from advanced attack techniques.
This activity was conducted in the manner of a malicious attacker engaged to assess the provided scope of Posh Secure. The goals of the vulnerability assessment and penetration testing were:
• Identifying the threats or vulnerabilities that might be present on the web application
• Confidentiality of the Posh Secure data that are stored on the company storage/servers

3. VAPT Test Graph

Type                    Count
Non-Vulnerable domains  3
Vulnerable domains      5

Risk Distribution (chart): Non-Vulnerable Assets vs. Vulnerable Assets

4. Auditing Scope
A detailed list of assets is given in the table below.

SL NO  URL                        Type of Asset
1      www.poshsecure.com         Web Application
2      blog.poshsecure.com        Web Application
3      medibuddy.poshsecure.com   Web Application
4      prysm.poshsecure.com       Web Application
5      portal.poshsecure.com      Web Application
6      stage.poshsecure.com       Web Application
7      tcp.poshsecure.com         Web Application
8      poshsecure.com             Web Application

5. Methodologies and Standards

The following methodologies and standards were used during the project.
- OWASP Testing Guide

6. VAPT Project Timeframe

The VAPT activity was conducted between 24-01-2022 and 30-01-2022.

7. Risk Ratings and Threat Level

Severity  Description
Critical  Loss of business / Breach of internal data / Non-bearable financial and reputational loss / Breakdown of assets / Access and modification of critical data
High      Loss of customer / Exposure of internal data / Noncompliance to regulations / Unavailability of the services / Access to configurational changes / High financial and reputational loss / Access and modification of internal data
Medium    Customer service affected for one day / Noncompliance with internal requirements / Bearable financial and reputational loss / Disclosure of non-public data
Low       Internal services affected / Minor inconvenience to customers / Very minimal financial and reputational loss

8. Vulnerability Summary

A summary of the vulnerabilities discovered while performing the web application security assessment is given below:

Severity  Count
Critical  3
High      1
Medium    3
Low       10
Info      0
Total     17

9. Observations

Vulnerability: No SPF & DMARC Policies
IP Address: 35.190.26.15
Risk: Low
Description: There are no SPF & DMARC policies set.
Impact: Anyone can send emails appearing to come from the domain using this vulnerability.
Proof of Concept (POC): MXtool Box – NO DMARC (screenshot); Kitterman – NO SPF (screenshot)
Remediation: Set both the SPF and DMARC policies.
Video POC: https://drive.google.com/file/d/1vkMCz7XwIkf-TU1WOnjertJ4mm21MGwK/view?usp=sharing
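The remediation says to set both records. As an added check, not from the report, the following evaluates an SPF and a DMARC TXT record for the weaknesses a receiving mail server would act on; the hardened records are constructed examples, and a deployment would fetch the real ones with a resolver.

```python
import re

# Constructed sample records (not real DNS answers) showing what "set both" looks like.
HARDENED_SPF = "v=spf1 include:_spf.mailprovider.example -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _mechanism(term):
    """SPF mechanism name without its qualifier, argument or CIDR suffix."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def check_spf(record):
    """Return the list of weaknesses in an SPF TXT record (empty = acceptable)."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_terms[-1] in ("all", "+all"):
        issues.append("'+all' authorises every sender")
    elif all_terms[-1].startswith("?"):
        issues.append("'?all' is neutral and gives no protection")
    if sum(_mechanism(t) in LOOKUP_MECHS for t in terms[1:]) > 10:
        issues.append("more than 10 DNS-lookup terms: receivers return permerror")
    return issues

def check_dmarc(record):
    """Return the list of weaknesses in a DMARC TXT record (empty = acceptable)."""
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no 'rua' address: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        issues.append("pct below 100: policy applied to only part of the mail flow")
    return issues
```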

Vulnerability: HTML Injection on Forgot Password
IP Address: 35.190.26.15
Risk: Low
Description: The First name and Last name fields do not sanitize HTML tags, so the tags are reflected in the reset-password link mail.
Impact: This allows reformatting/editing of emails sent from an official email address, which can be used in targeted phishing attacks. This could lead to users being tricked into giving their logins away to malicious attackers.
Proof of Concept (POC): (screenshot)
Remediation: Sanitize all input from the user and store it in the same way.
Video POC: https://drive.google.com/file/d/1f9jz4KqA80F8nGnjipXyuoNLnOJ37j2r/view?usp=sharing
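As an added illustration, not code from the report or from the application under test, this shows the reported behaviour (names interpolated into the reset mail unescaped) beside the hardened rendering, plus an allowlist check at registration so markup is never stored; the template, names and link are constructed.

```python
import html

# Constructed template for the reset mail; the real mail body is not in the report.
RESET_TEMPLATE = (
    "<p>Hello {first} {last},</p>"
    '<p>Click <a href="{link}">here</a> to reset your password.</p>'
)

def render_reset_email_vulnerable(first, last, link):
    """The reported behaviour: names are interpolated into the HTML unescaped."""
    return RESET_TEMPLATE.format(first=first, last=last, link=link)

def render_reset_email(first, last, link):
    """Hardened: every user-controlled value is escaped for the HTML context."""
    return RESET_TEMPLATE.format(
        first=html.escape(first, quote=True),
        last=html.escape(last, quote=True),
        link=html.escape(link, quote=True),
    )

def validate_name(value, max_len=64):
    """Allowlist check at registration time ("store it in the same way").

    Returns the stripped name, or None if it is rejected. The allowed set
    (letters, space, dot, apostrophe, hyphen) is an assumption; widen per locale.
    """
    value = value.strip()
    if not value or len(value) > max_len or not value[0].isalpha():
        return None
    if all(ch.isalpha() or ch in " .'-" for ch in value):
        return value
    return None
```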

Vulnerability: No Rate limit on Password Reset link
IP Address: 35.190.26.15
Risk: Low
Description: The attacker can send unlimited reset links to the victim.
Impact: The victim's inbox will get spammed with these mails, which may degrade the company's reputation.
Proof of Concept (POC): (screenshot)
Remediation: Allow only a limited number of requests. Also, implement brute-force detection algorithms and then block further requests.
Video POC: https://drive.google.com/file/d/1QugyH6nIigqFVpSvPyQcySiVPpjFAGf1/view?usp=sharing

Vulnerability: Clickjacking
IP Address: 35.190.26.15
Risk: Low
Description: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Impact: Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
Proof of Concept (POC): (screenshot)
Remediation: There are two general ways to defend against clickjacking:
• Client-side methods – the most common is called Frame Busting. Client-side methods can be effective in some cases, but are not considered best practice, because they can be easily bypassed.
• Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
Video POC: https://drive.google.com/file/d/1zzRschn_TCe1kcyM5SL5Rjt6g34GdbhE/view?usp=sharing

Vulnerability: Exif Meta Data on Company Logo/Profile Picture
IP Address: 35.190.26.15
Risk: Low
Description: When a user uploads an image to poshsecure.com, the uploaded image's EXIF geolocation data does not get stripped. As a result, anyone can obtain sensitive information about poshsecure.com users, such as their geolocation and their device information (device name, version, software and software version used, etc.).
Impact: This vulnerability is CRITICAL and impacts the entire poshsecure.com customer base. It violates the privacy of a user and shares sensitive information about any user who uploads an image on poshsecure.com or any of the poshsecure.com instances.
Proof of Concept (POC): (screenshot)
Remediation: Remove all sensitive and unnecessary metadata from the image before it is published publicly.
Video POC: https://drive.google.com/file/d/1l16pdkezZfFDvZQkzMnV1artIWS3Sg22/view?usp=sharing

Vulnerability: Directory Listing of Apache default
IP Address: 35.190.26.15
Risk: Low
Description: I found a directory listing of Apache default services.
Impact: In the Cookies servlet, the main domain's cookies are reflected, and the attacker can also manipulate his session for privileged access using the Session servlet.
Proof of Concept (POC): Apache Directory: (screenshot); Cookies Example: (screenshot)
Remediation: Access to every directory should be restricted.
Video POC: https://drive.google.com/file/d/1PinyjNznuvuzSmepz0B_UeKTRqWCmYUm/view?usp=sharing

Vulnerability: Rate Limit on Login field (Password)
IP Address: 35.190.26.15
Risk: Low
Description: The attacker can brute-force the victim's password without any restriction.
Impact: No rate limit is set on the login field, which can lead to an account takeover.
Proof of Concept (POC): (screenshot)
Remediation: Allow only a limited number of requests. Also, implement brute-force detection algorithms and then block further requests. As this is a password brute-force attack, the account should mandatorily require 2FA to login.
Video POC: https://drive.google.com/file/d/11G0-mOUTsyVXaZnUiAuS_zsVepaFtwR-/view?usp=sharing

Vulnerability: Rate limit Server Side (Help & Support)
IP Address: 35.190.26.15
Risk: Low
Description: The attacker can send an infinite number of query/complaint requests to the company.
Impact: This leads to spamming of their inbox, and some important queries may be missed; it also leads to memory corruption.
Proof of Concept (POC): (screenshot)
Remediation: You should limit the rate of the contact form to avoid such issues.
Video POC: https://drive.google.com/file/d/1CONTI_1yeN082tSZdq4V9OQy3W6RSTRa/view?usp=sharing

Vulnerability: Missing Secure Flag from the Session Cookie
IP Address: 35.190.26.15
Risk: Low
Description: This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies.
Impact: If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
Proof of Concept (POC): (screenshot)
Remediation: The Secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS.
Video POC: https://drive.google.com/file/d/1UcF3TB3JA-fcEcoFeBWb-bBgFOV-vCUT/view?usp=sharing

Vulnerability: The pre-login & post-login cookies are same
IP Address: 35.190.26.15
Risk: Low
Description: The pre-login and post-login session cookies are the same.
Impact: If the attacker gets access to the victim's cookie once, he can log into the victim's account until the cookie is invalidated.
Proof of Concept (POC): (screenshot)
Remediation: The generated session cookie should be unique every time.
Video POC: https://drive.google.com/file/d/1dbgHBvS2xtC4bRtU9wSKAgRyS3ILKQZH/view?usp=sharing
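The Secure-flag finding and this one both concern the session cookie. As an added example, not the report's or the application's code, this session store rotates the identifier on login so the pre-login cookie stops working, and emits the cookie with the Secure, HttpOnly and SameSite attributes; the cookie name and lifetime are assumptions.

```python
import secrets

class SessionStore:
    """Server-side sessions keyed by a random identifier carried in the cookie."""
    def __init__(self):
        self._sessions = {}                     # sid -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier on login: the pre-login sid stops working."""
        data = self._sessions.pop(old_sid, None) or {"user": None}
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)           # server-side invalidation

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

def session_cookie_header(sid, max_age=3600):
    """Set-Cookie value; the __Host- prefix makes browsers require Secure,
    Path=/ and no Domain attribute, so the cookie cannot be set over HTTP."""
    return (f"__Host-session={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")

def cookie_attributes_ok(set_cookie):
    """Check that a Set-Cookie value carries Secure, HttpOnly and SameSite."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs
```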

Vulnerability: HTTP by Default – Cleartext transmission of Credentials
IP Address: 35.190.26.15
Risk: Medium
Description: The website is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site.
Impact: If a user were to visit this page from a public or shared network (e.g., office, airport, library, etc.) and log into an account, a malicious user on the same network would be able to obtain that user's username and password by conducting a Man-in-the-Middle attack using Wireshark. This would give the malicious user complete access to the user's account.
Proof of Concept (POC): (screenshot)
Remediation: The website should be fully protected with an SSL certificate.
Video POC: https://drive.google.com/file/d/1r7Ckc0UOyVFEHQdNoG5MaHY89rMPR9LF/view?usp=sharing

Vulnerability: Rate limit on OTP request & login
IP Address: 35.190.26.15
Risk: Medium
Description: No rate limit on the OTP field leads to OTP bypass.
Impact: The attacker will be able to bypass the OTP, which can lead to an account takeover.
Proof of Concept (POC): (screenshot)
Remediation: Allow only a limited number of requests. Also, implement brute-force detection algorithms and then block further requests. As this is an OTP brute-force attack, the account should mandatorily require 2FA to login.
Video POC: https://drive.google.com/file/d/13lfwsSvt_CesApJUYnkQ6Be7mo5vqH-K/view?usp=sharing
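The password reset link, login password, Help & Support form and OTP findings above share one remediation. As an added example, not the report's or the application's code, here is a sliding-window limiter and an account lockout applied to a hypothetical OTP endpoint; the limits (10 tries per minute per IP, a 15-minute lock after 5 failures) are assumptions.

```python
import hmac
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (IP, account...)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class BruteForceGuard:
    """Count failed attempts per account and lock it for `lock_for` seconds."""
    def __init__(self, max_failures, lock_for):
        self.max_failures, self.lock_for = max_failures, lock_for
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, 0)

    def record(self, account, success, now):
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            self._failures.pop(account, None)

class OtpEndpoint:
    """Hypothetical OTP verification with the controls the remediation asks for."""
    def __init__(self):
        self.ip_limit = SlidingWindowLimiter(limit=10, window=60)   # assumed limits
        self.guard = BruteForceGuard(max_failures=5, lock_for=900)

    def submit(self, ip, account, submitted, expected, now):
        """Return 'locked', 'rate_limited', 'bad' or 'ok'; `now` is seconds."""
        if self.guard.is_locked(account, now):
            return "locked"
        if not self.ip_limit.allow(ip, now):
            return "rate_limited"
        ok = hmac.compare_digest(submitted, expected)   # constant-time comparison
        self.guard.record(account, ok, now)
        return "ok" if ok else "bad"
```

The same SlidingWindowLimiter keyed by the target account caps password-reset mails (for example 5 per hour), and keyed by client IP caps contact-form submissions.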

Vulnerability: Unrestricted file upload on profile picture
IP Address: 35.190.26.15
Risk: Medium
Description: The attacker can upload any script instead of an image.
Impact: Whenever the Super Admin/Admin clicks on the image, they might be directed to some other website. It is a logic error, and it can lead to financial loss because of large storage consumption (big files).
Proof of Concept (POC): (screenshot)
Remediation: Check the file and its extension properly on the server side.
Video POC: https://drive.google.com/file/d/1jptThCHNyD6zZlxnDla3CbNB1ffh9PGo/view?usp=sharing
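The EXIF metadata and unrestricted upload findings share the upload path. As an added example, not the report's or the application's code, this validates an upload by its magic bytes rather than the client-supplied name, caps its size, strips the metadata segments from a JPEG and stores it under a server-chosen name; the sample JPEG structure, size cap and filename scheme are constructed assumptions (PNG text chunks are not stripped here).

```python
import secrets
import struct

MAX_BYTES = 2 * 1024 * 1024          # assumed size cap for a profile picture
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
DROP_MARKERS = {0xE1, 0xED, 0xFE}    # APP1 (Exif/XMP), APP13 (IPTC), COM

def sniff_image(data):
    """Identify the format from its magic bytes, ignoring the uploaded filename."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    raise ValueError("not a JPEG or PNG image")

def strip_jpeg_metadata(data):
    """Rebuild a JPEG without its metadata segments; image data is left untouched."""
    out = bytearray(data[:2])                  # SOI marker
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                     # SOS: scan data follows, copy the rest
            out += data[pos:]
            return bytes(out)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            break
        if marker not in DROP_MARKERS:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated or malformed JPEG")

def accept_profile_picture(data):
    """Validate an upload and return (server-chosen filename, bytes to store)."""
    kind = sniff_image(data)
    if kind == "jpeg":
        data = strip_jpeg_metadata(data)
    return f"{secrets.token_hex(8)}.{kind}", data   # never reuse the uploaded name

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed minimal JPEG structure with an Exif APP1 segment; not a real photo.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*GPSLatitude=12.34N")
    + _segment(0xDB, b"\x00" + bytes(64))
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\xd9"
)
```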

Vulnerability: IDOR on API
IP Address: 35.190.26.15
Risk: High
Description: The attacker can get all the registered users' details.
Impact: This leads to a data breach of the company's users' data.
Proof of Concept (POC): (screenshot)
Remediation: Restrict access to other users' data such that only the authorized user is permitted to view his own data.
Video POC: https://drive.google.com/file/d/1TZlWcpfqUjn-jsl4sopYs0p3fr1JGOSH/view?usp=sharing

Vulnerability: Account takeover using that IDOR
IP Address: 35.190.26.15
Risk: Critical
Description: By chaining with the previous vulnerability, the attacker can modify other users' data.
Impact: The attacker can take over/delete/edit the victim's account.
Proof of Concept (POC): (screenshot)
Remediation: Restrict access to other users' data such that only the authorized user is permitted to view his own data.
Video POC: https://drive.google.com/file/d/1xQm2ioQxkNZrmcOQLKRWsTwlcflSyPCP/view?usp=sharing

Vulnerability: Log4j DNS
IP Address: 35.190.26.15
Risk: Critical
Description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Impact: Probably arbitrary code execution. A request was observed being made to your DNS server, which strongly suggests a vulnerable log4j.
Proof of Concept (POC): (screenshot)
Remediation: Update log4j or disable JNDI support.
Video POC: https://drive.google.com/file/d/1kYzey6q5Ec0Ike8orqQMgel4D2-X6kzx/view?usp=sharing

Vulnerability: WordPress Vulnerabilities - Admin accounts disclosure & XMLRPC
IP Address: 192.0.78.13
Risk: Critical
Description: The attacker was able to see the admin's username and brute-force it.
Impact: The attacker can take over the admin's account, which leads to a full blog takeover.
Proof of Concept (POC): (screenshot)
Remediation: Restrict public access to XMLRPC and to any /wp-json endpoint.
Video POC: https://drive.google.com/file/d/1DhxGL8bu8S7xqE5xXfS1b6-wbQHA4pch/view?usp=sharing

10. Tools used for the Assessment

The VAPT activities utilize many automated tools and manual exploitation methodologies to identify security vulnerabilities. A detailed list of the tools used is given below.

Tool Name: Description

Burp Suite: Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. You can configure Burp to do live scanning of all in-scope requests passing through the Proxy. You can use Burp Intruder to perform fuzzing, using your own test strings and payload positions.

Nmap: Nmap is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify what devices are running on their systems, discovering hosts that are available and the services they offer, finding open ports and detecting security risks.

Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

Cookie-Editor: Cookie-Editor lets you efficiently create, edit and delete a cookie for the current tab. Perfect for developing, quickly testing or even manually managing your cookies for your privacy.

Wappalyzer: Wappalyzer is a browser extension that uncovers the technologies used on websites. It detects content management systems, eCommerce platforms, web servers, JavaScript frameworks, analytics tools and many more.

Canary Token: A canary token is a file, URL, API key, or other resource that is monitored for access. Once the resource has been accessed, an alert is triggered notifying the object owner of said access.

ExifTool: ExifTool is a powerful tool used to extract the metadata of a file. It is used not only on images but also on other file formats such as PDF and mp4. It enables us to update and remove the metadata of files and gives a lot of information about files.

Amass, Subfinder, Sublist3r: These are intelligent tools used for information gathering and enumeration of the attack surface. These open-source tools help in identifying hidden resources/targets through DNS enumeration and network mapping.

DirSearch, Assetfinder, Ffuf: These are automated tools used to fuzz directories. They have various key features, such as changing the method from GET to POST and vice versa. We can use various wordlists for fuzzing vhosts as well.

WhatWeb: This tool can identify and recognize all the web technologies available on the target website. It can identify technologies used by websites such as blogging platforms, content management systems and JavaScript libraries.

11. Conclusion
Overall, we found the assets tested to be well designed and to be utilizing many solid security practices. However, a few misconfigurations/vulnerabilities were identified, which are given above. We recommend immediately fixing the issues identified to make the systems risk-free and secure.