Web Application Penetration Testing

Scope

The purpose of the test was to discover security vulnerabilities that could lead to intellectual-property and financial damage to the school and its clients. The test was performed in a grey-box manner following the OWASP methodology and simulated a malicious user with partial knowledge of the system's functionality. We tested the platform using three accounts with different access levels: a student account, a parent account and an admin account.

Conclusions

The penetration test was completed successfully, and High-severity vulnerabilities were discovered in the web application at all three authentication levels; these must be remediated immediately. The user account has a broken authentication mechanism: an attacker can view the functionality of the admin account and read the information of higher-privileged users. The admin account can be hijacked because of the excessive session timeout, and it is possible to compromise a user's account by brute-forcing its credentials because no account lockout policy is in place.

Time frame

  • 10 working days in total
  • 7 days of penetration testing of the web application
  • 3 days of vulnerability analysis and remediation advice
  • report preparation

Steps performed

  • Information gathering
  • Configuration and deployment management testing
  • Identity management testing
  • Authentication and authorization testing
  • Session management testing
  • Input validation testing
  • Error handling
  • Cryptography
  • Business logic testing
  • Client side testing