penetration testing report pt.pdf · 2019-12-23
Post on 16-Apr-2020
This disclaimer governs the use of this report. The credibility and content of this report are directly derived from the information provided by
IPsafe. Although reasonable commercial attempts have been made to ensure the accuracy and reliability of the information contained in this
report, the methodology proposed in this report is a framework for the "project" and is not intended to ensure or substitute for compliance
with any requirements and guidelines by the relevant authorities. Does not represent that the use of this report or any part of it or the
implementation of the recommendation contained therein will ensure a successful outcome, or full compliance with applicable laws,
regulations or guidelines of the relevant authorities. Under no circumstances will its officers or employees be liable for any consequential,
indirect, special, punitive, or incidental damages, whether foreseeable or unforeseeable, based on claims of IPsafe (including, but not limited
to, claims for loss of production, loss of profits, or goodwill). This report does not substitute for legal counseling and is not admissible in court.
The content, terms, and details of this report, in whole or in part, are strictly confidential and contain intellectual property, information, and
ideas owned by IPsafe. IPsafe may only use this report or any of its content for its internal use. This report or any of its content may be
disclosed only to IPsafe employees on a need-to-know basis, and may not be disclosed to any third party.
Penetration Testing
ISP – Open Internet
Report
June, 2019 Grey Box PT
Penetration Testing Report - Confidential P a g e | 2
TABLE OF CONTENT
EXECUTIVE SUMMARY 6
INTRODUCTION 6
SCOPE 6
CPE/ACS 6
INTERNAL ASSESSMENT 6
CONCLUSIONS 8
IDENTIFIED VULNERABILITIES 8
VULN-001 REMOTE CODE EXECUTION (CRITICAL) 8
VULN-002 JUMP/RADIUS SERVERS TAKEOVER (CRITICAL) 8
VULN-003 INSUFFICIENT CONFIGURATION HARDENING (HIGH) 8
VULN-004 WEAK ADMIN CREDENTIALS (HIGH) 9
VULN-005 IMPROPER NETWORK SEGMENTATION (MEDIUM) 9
VULN-006 INSECURE ACS CONFIGURATION (MEDIUM) 9
VULN-007 MAN IN THE MIDDLE (MEDIUM) 9
VULN-008 INSECURE PORT FORWARDING (MEDIUM) 9
VULN-009 DEFAULT ADMIN CREDENTIALS IBMC (MEDIUM) 9
VULN-010 ACCESSIBLE ADMIN PANEL (LOW) (MEDIUM) 9
VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION (LOW) 9
VULN-012 WEAK MIDDLEWARE CONFIGURATION (LOW) 9
VULN-013 INFORMATION DISCLOSURE – ACS SERVER (LOW) 10
VULN-014 IMPROPER ERROR HANDLING (LOW) 10
VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS (LOW) 10
VULN-016 EXTERNAL ACCESSIBLE SERVICES (LOW) 10
VULN-017 SENSITIVE DATA DISCLOSURE (LOW) 10
VULN-018 INSECURE PCB DESIGN (LOW) 10
VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER (LOW) 10
VULN-020 OLD VERSION SUPPORT (LOW) 10
VULN-021 INSECURE COOKIE (LOW) 11
FINDING DETAILS 12
VULN-001 REMOTE CODE EXECUTION 12
RISK ANALYSIS 12
VULNERABILITY DESCRIPTION 12
VULNERABILITY DETAILS 12
RECOMMENDED RECTIFICATION 14
VULN-002 JUMP/RADIUS SERVERS TAKEOVER 14
RISK ANALYSIS 14
VULNERABILITY DESCRIPTION 14
VULNERABILITY DETAILS 14
RECOMMENDED RECTIFICATION 17
VULN-003 INSUFFICIENT CONFIGURATION HARDENING 19
RISK ANALYSIS 19
VULNERABILITY DESCRIPTION 19
VULNERABILITY DETAILS 19
RECOMMENDED RECTIFICATION 20
VULN-004 WEAK ADMIN CREDENTIALS 21
RISK ANALYSIS 21
VULNERABILITY DESCRIPTION 21
VULNERABILITY DETAILS 21
RECOMMENDED RECTIFICATION 22
VULN-005 IMPROPER NETWORK SEGMENTATION 23
RISK ANALYSIS 23
VULNERABILITY DESCRIPTION 23
VULNERABILITY DETAILS 23
RECOMMENDED RECTIFICATION 23
VULN-006 INSECURE ACS CONFIGURATION 24
RISK ANALYSIS 24
VULNERABILITY DESCRIPTION 24
VULNERABILITY DETAILS 24
RECOMMENDED RECTIFICATION 24
VULN-007 MAN IN THE MIDDLE 25
RISK ANALYSIS 25
VULNERABILITY DESCRIPTION 25
VULNERABILITY DETAILS 25
RECOMMENDED RECTIFICATION 25
VULN-008 INSECURE PORT FORWARDING 26
RISK ANALYSIS 26
VULNERABILITY DESCRIPTION 26
VULNERABILITY DETAILS 26
EXECUTION DEMONSTRATION 26
RECOMMENDED RECTIFICATION 27
VULN-009 DEFAULT ADMIN CREDENTIALS IBMC 28
RISK ANALYSIS 28
VULNERABILITY DESCRIPTION 28
VULNERABILITY DETAILS 28
RECOMMENDED RECTIFICATION 32
VULN-010 ACCESSIBLE ADMIN PANEL 33
RISK ANALYSIS 33
VULNERABILITY DESCRIPTION 33
VULNERABILITY DETAILS 33
EXECUTION DEMONSTRATION
RECOMMENDED RECTIFICATION 36
VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION 37
RISK ANALYSIS 37
VULNERABILITY DESCRIPTION 37
VULNERABILITY DETAILS 37
RECOMMENDED RECTIFICATION 37
VULN-012 WEAK MIDDLEWARE CONFIGURATION 38
RISK ANALYSIS 38
VULNERABILITY DESCRIPTION 38
VULNERABILITY DETAILS 38
EXECUTION DEMONSTRATION 38
RECOMMENDED RECTIFICATION 38
VULN-013 INFORMATION DISCLOSURE – ACS SERVER 39
RISK ANALYSIS 39
VULNERABILITY DESCRIPTION 39
VULNERABILITY DETAILS 39
RECOMMENDED RECTIFICATION 40
VULN-014 IMPROPER ERROR HANDLING 41
RISK ANALYSIS 41
VULNERABILITY DESCRIPTION 41
VULNERABILITY DETAILS 41
RECOMMENDED RECTIFICATION 41
VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS 42
RISK ANALYSIS 42
VULNERABILITY DESCRIPTION 42
VULNERABILITY DETAILS 42
RECOMMENDED RECTIFICATION 42
VULN-016 EXTERNAL ACCESSIBLE SERVICES 43
RISK ANALYSIS 43
VULNERABILITY DESCRIPTION 43
VULNERABILITY DETAILS 43
RECOMMENDED RECTIFICATION 44
VULN-017 SENSITIVE DATA DISCLOSURE 45
RISK ANALYSIS 45
VULNERABILITY DESCRIPTION 45
VULNERABILITY DETAILS 45
RECOMMENDED RECTIFICATION 45
VULN-018 INSECURE PCB DESIGN 46
RISK ANALYSIS 46
VULNERABILITY DESCRIPTION 46
VULNERABILITY DETAILS 46
RECOMMENDED RECTIFICATION 48
VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER 49
RISK ANALYSIS 49
VULNERABILITY DESCRIPTION 49
VULNERABILITY DETAILS 49
RECOMMENDED RECTIFICATION 50
VULN-020 OLD VERSION SUPPORT 51
RISK ANALYSIS 51
VULNERABILITY DESCRIPTION 51
VULNERABILITY DETAILS 51
RECOMMENDED RECTIFICATION 52
VULN-021 INSECURE COOKIE 53
RISK ANALYSIS 53
VULNERABILITY DESCRIPTION 53
VULNERABILITY DETAILS 53
EXECUTION DEMONSTRATION 53
RECOMMENDED RECTIFICATION 53
APPENDICES 54
METHODOLOGY 54
APPLICATION TESTS 54
INFRASTRUCTURE TESTS 56
FINDING CLASSIFICATION 58
EXECUTIVE SUMMARY
INTRODUCTION
IPsafe's penetration-testing team was requested to conduct penetration testing of the “GPON” infrastructure for “ISP”. Our test aimed to uncover vulnerabilities and logical bugs that could put “ISP” and its users at risk.
During the audit, the team reviewed how far the infrastructure could be mapped and how well it withstood attacks. The different tests aimed to uncover misconfigurations and vulnerabilities. The report contains suggestions to mitigate them and to enhance the security of the systems in use, increasing the overall safety of the data they contain.
The grey-box security audit was performed against the “ISP Network” infrastructure during June 2019.
SCOPE
CPE/ACS
The penetration testing started at Naples HQ against the CPE (ZTE-F680) and its infrastructure with no prior knowledge of the environment.
The main goal of this part was to uncover flaws which a malicious actor could exploit, and to mitigate them, focusing on the provided CPE.
INTERNAL ASSESSMENT
The second part of the penetration testing was performed from the London HQ against ISP's infrastructure with no prior knowledge of the environment.
The main goal of this part was to uncover vulnerabilities and misconfigurations inside the internal LAN which might assist a potential malicious actor in lateral movement and exploitation.
The audit included:
General injection attacks and code execution attacks on both client and server sides.
OWASP Top 10 vulnerabilities, including CSRF tests and advanced hacking techniques.
Inspection of sensitive data handling and the risk of information disclosure.
Tests for advanced logical bugs and cross-account actions.
Hardening inspection.
TEST LIMITATIONS
The audit was conducted mostly on the production environment, and thus automation and DoS attacks were excluded.
Lateral movement inside the internal network was also excluded, due to GDPR issues.
SUMMARY
The penetration testing team was able to find a critical vulnerability (RCE) on the ACS server, which allowed them to gain access from the client's environment to ISP's internal network.
The vulnerability was based on insufficient input validation in the FreeACS server used by the company.
Inside ISP's network, the penetration testing team uncovered a few misconfigurations and weak credentials, which allowed the team to penetrate the RADIUS and jump servers.
If an attacker exploited these bugs, he could exfiltrate sensitive information from the network and its devices.
CONCLUSIONS
From our professional perspective, the overall security level of the system is Low-Medium.
The current environment is vulnerable to Remote Code Execution, which allows a malicious threat actor to gain access to the local network. It is also possible to perform multiple malicious actions against this infrastructure, for example:
Execute remote code inside ISP's LAN and perform lateral movement.
Perform DNS hijacking on all of ISP's clients using a hidden admin user or by pushing malicious configuration from the ACS.
Abuse weak admin credentials on servers such as the “Ponte” server and run crypto miners and ransomware on multiple sensitive networks.
Abuse misconfiguration and weak credentials to hijack network devices.
Gain access to unprotected critical assets such as the Hadoop database.
Exploiting most of these vulnerabilities requires Medium to High technical knowledge.
IDENTIFIED VULNERABILITIES
VULN-001 REMOTE CODE EXECUTION (CRITICAL)
A Remote Code Execution vulnerability can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application.
VULN-002 JUMP/RADIUS SERVERS TAKEOVER (CRITICAL)
A server takeover allows the attacker to execute any commands of his choice on a target machine. The term is commonly used with remote code execution vulnerabilities to describe a software bug that gives an attacker a way to take complete control of the system.
VULN-003 INSUFFICIENT CONFIGURATION HARDENING (HIGH)
Application server configurations play a vital role in the security of a web application and routers. These routers are responsible for serving content and invoking applications that generate content. Also, many routers provide several services that the end user can use. Failure to manage the proper configuration of your router can lead to a wide variety of security problems.
[Chart: identified vulnerabilities by severity (Critical, High, Medium, Low, Informative), 21 in total]
VULN-004 WEAK ADMIN CREDENTIALS (HIGH)
Weak admin credentials make it easier for attackers to compromise user accounts. An authentication mechanism is only as secure as its credentials. For this reason, it is essential to restrict users to strong passwords.
VULN-005 IMPROPER NETWORK SEGMENTATION (MEDIUM)
When a particular client or server is compromised by an attacker, the impact can be minimized by separating the systems from each other. Separation is required between different types of systems or applications that are not supposed to communicate with each other internally, to ensure that a security breach won't affect the entire network.
VULN-006 INSECURE ACS CONFIGURATION (MEDIUM)
An insecure ACS configuration may lead to a full ACS takeover and various other attacks on the ACS server itself.
VULN-007 MAN IN THE MIDDLE (MEDIUM)
A Man-in-the-Middle attack allows an attacker to intercept communication between two systems. In HTTP, FTP and SAMBA transactions, the target is the TCP connection between client and server.
VULN-008 INSECURE PORT FORWARDING (MEDIUM)
Services in the local network are usually inaccessible from the internet; in order to reach a service located behind a router, the user has to configure port forwarding.
Insecure port forwarding may lead to compromise of the entire network and exposure of sensitive information.
VULN-009 DEFAULT ADMIN CREDENTIALS IBMC (MEDIUM)
Default admin credentials that are set during installation should be changed. An unauthenticated, remote attacker could exploit this vulnerability by logging in to the affected application using known default credentials. If successful, the attacker could access a targeted system with elevated privileges.
VULN-010 ACCESSIBLE ADMIN PANEL (MEDIUM)
An accessible admin panel describes a situation where administrative panels are publicly available.
VULN-011 WEAK DEFAULT FIREWALL CONFIGURATION (LOW)
A firewall provides protection against attackers and other threats to the application and reports about these threats. Even if a vulnerability exists within the application, the security system could alert on an attempt to exploit it and sometimes block it. If the firewall is not configured correctly, the attacker can bypass it and access the vulnerable service.
VULN-012 WEAK MIDDLEWARE CONFIGURATION (LOW)
A weak middleware configuration shows up while the CPE is being provisioned against the ACS server. If the user is accessing the web admin panel at this time, he can review and change sensitive settings and still enjoy full admin authority, which bypasses the business logic of ISP.
VULN-013 INFORMATION DISCLOSURE – ACS SERVER (LOW)
Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.
VULN-014 IMPROPER ERROR HANDLING (LOW)
A web application must define a default error page for 404 errors, 500 errors, stack traces, and more. Specifically designed thrown exceptions prevent attackers from mining information about the application. When an attacker explores a web site looking for vulnerabilities, the amount of data that the site provides is crucial to the eventual success or failure of any attempted attack.
VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS (LOW)
A lot of personal information goes through the router. Protection against infiltration is, therefore, paramount. In order to ensure that nobody can connect to the router without the user's consent, different security protocols and features are developed.
VULN-016 EXTERNAL ACCESSIBLE SERVICES (LOW)
An externally accessible service is sometimes highly sensitive and should be adequately secured to prevent attackers from accessing it. Even when authentication is enforced properly, one should never expose these services to the outside world.
VULN-017 SENSITIVE DATA DISCLOSURE (LOW)
Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.
VULN-018 INSECURE PCB DESIGN (LOW)
Insecure PCB design allows attackers to map and gather sensitive information about the microcontrollers installed on the PCB.
An attacker with physical access to the PCB can map the connections and interact with the exposed interfaces of the microcontrollers embedded in the PCB.
VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER (INFORMATIVE)
Revealing sensitive and critical information about the system and applications may help attackers focus their attacks. Sensitive information may appear in the form of HTTP headers, error messages, source code comments, informative pages, and more.
VULN-020 OLD VERSION SUPPORT (INFORMATIVE)
What makes it easier for attackers to target software is the virtually guaranteed presence of vulnerabilities, which can be exploited to violate one or more of the software's security properties. Most successful attacks result from targeting and exploiting outdated software versions.
VULN-021 INSECURE COOKIE (INFORMATIVE)
The application utilizes HTTP cookies in order to exchange sensitive information (such as the session ID) with its clients but does not include the “Secure” attribute when creating the cookie.
Without the "Secure" attribute, the browser will send the cookie over a non-encrypted (HTTP) channel, thereby exposing the content of the cookie to any attacker eavesdropping on the network.
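The cookie issue above can be detected directly from the Set-Cookie headers a server emits. The Python below is an added example, not part of this report or of any product it mentions: it parses a Set-Cookie value and reports a missing Secure attribute, and additionally a missing HttpOnly attribute and a weak SameSite setting, which are this example's own additions to the finding. The sample headers are constructed and the cookie name JSESSIONID is only illustrative.

```python
# Cookie names that usually carry a session identifier (assumed heuristic).
SESSION_NAME_HINTS = ("session", "sid", "token", "auth")


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly have no '=' and are stored as True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie name, looks like a session cookie, list of missing protections)."""
    name, _, attrs = parse_set_cookie(header)
    looks_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")        # browser would also send it over plain HTTP
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")      # page scripts could read it
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax or Strict")
    return name, looks_session, issues


if __name__ == "__main__":
    # Constructed headers: the first resembles the finding, the second is the corrected form.
    for hdr in ("JSESSIONID=ab12; Path=/",
                "JSESSIONID=ab12; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(audit_set_cookie(hdr))
```

Run the audit over the response headers captured from the admin panel over HTTPS; a session cookie that comes back with a non-empty issue list is the condition this finding describes.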
FINDING DETAILS
VULN-001 REMOTE CODE EXECUTION
RISK ANALYSIS
Total Risk: Critical | Severity: Critical | Probability: Critical | Fix effort: Medium
TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X).
The entrance point was the CPE network in City_Name.
VULNERABILITY DESCRIPTION
Remote Code Execution vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application.
After gaining access to the system, attackers will often attempt to elevate their privileges through other running services. With escalated privileges, an attacker could steal sensitive information, cause a denial of service, and install additional malware.
VULNERABILITY DETAILS
During the test, we successfully mapped the ACS server version in ISP's network as “FREEACS”, which is detailed in finding “VULN-008”.
In addition, we found that it is possible to run remote code on the FreeACS server, located at the following address:
X.X.X.X
What's even worse is that the remote code execution occurs inside the Authorization header, which means the attacker doesn't need to authenticate to perform the attack and take full control over the FreeACS web panel.
In the audit, we first gained access to the sensitive data on the CPE, which referred to the TR069 protocol, and exploited the insufficient configuration hardening detailed in finding “VULN-002”. These findings allowed the team to understand when and how the CPE connects to the ACS server.
The exploitation took place in the Inform message the CPE sends at the beginning of the session against the ACS.
The following image demonstrates a typical session between a CPE and an ACS server:
The CPE begins every session by sending an Inform RPC to the ACS, with arguments that include the event that caused the session. This is done over an HTTP POST request.
The XML query which includes the Inform RPC values was exploitable and allowed injection by inserting the following line of code into the Authorization header:
And here is the execution point, as can be seen in the next image:
RECOMMENDED RECTIFICATION
Implement parameter sanitation on the server side.
Consider forking the open source project and fixing all the issues for ISP's version of the code.
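The rectification above asks for parameter sanitation on the server side. The Python function below is an added example, not part of this report or of the FreeACS code base (which is written in Java), of what strict validation of the Authorization header on a TR-069 Inform endpoint looks like: the header is accepted only when it matches an exact grammar, and anything else is refused before the value is logged, stored or handed to any other component. The allowlisted character sets, the length limits and the sample headers are this example's assumptions.

```python
import base64
import re

# Allowlists for the two credential fields a CPE sends in HTTP Basic auth.
# Anything outside these sets (quotes, backticks, braces, control bytes) is
# rejected before the value can reach a template, a log line or a command.
_USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
_PASS_RE = re.compile(r"[A-Za-z0-9!#$%&*+./=?^_-]{1,128}")
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


class AuthHeaderError(ValueError):
    """Raised for any Authorization header that does not fit the strict grammar."""


def parse_basic_authorization(header):
    """Strictly parse 'Basic <token>' and return (username, password).

    Rejects: missing or oversized headers, any scheme other than Basic, tokens
    that are not canonical base64, credentials that are not exactly
    'user:password', and characters outside the allowlists above.
    """
    if not isinstance(header, str) or not header:
        raise AuthHeaderError("missing Authorization header")
    if len(header) > 512:
        raise AuthHeaderError("Authorization header too long")
    parts = header.split(" ")
    if len(parts) != 2 or parts[0] != "Basic":
        raise AuthHeaderError("unsupported or malformed authentication scheme")
    token = parts[1]
    if not _B64_RE.fullmatch(token):
        raise AuthHeaderError("token is not base64")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise AuthHeaderError("token failed base64 decoding") from exc
    # Round-trip check: only the canonical encoding of these bytes is accepted,
    # which rules out padding tricks and alternative encodings of the same bytes.
    if base64.b64encode(raw).decode("ascii") != token:
        raise AuthHeaderError("token is not canonical base64")
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise AuthHeaderError("credentials contain non-ASCII bytes") from exc
    if decoded.count(":") != 1:
        raise AuthHeaderError("credentials must be exactly user:password")
    user, password = decoded.split(":")
    if not _USER_RE.fullmatch(user):
        raise AuthHeaderError("username contains disallowed characters")
    if not _PASS_RE.fullmatch(password):
        raise AuthHeaderError("password contains disallowed characters")
    return user, password


def is_acceptable(header):
    """Boolean wrapper for a request filter: True only for a clean header."""
    try:
        parse_basic_authorization(header)
        return True
    except AuthHeaderError:
        return False


def encode_basic(user, password):
    """Build a Basic header the way a CPE would (used here to construct samples)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed sample headers; the rejected ones are merely malformed.
    samples = [
        encode_basic("cpe-00A1B2", "Tr069-Inform-9x"),  # well-formed
        "Bearer abc.def.ghi",                           # wrong scheme
        "Basic not*base64*at*all",                      # not base64
        encode_basic("cpe{01}", "x"),                   # disallowed characters
    ]
    for sample in samples:
        print(f"{sample[:40]:<42} -> {'accept' if is_acceptable(sample) else 'reject'}")
```

Validation of this kind belongs in front of the ACS's request handling (a servlet filter or a reverse-proxy rule in the FreeACS case) so that an oddly formed header never reaches the code that parses the Inform body; the rejection reason should be logged without echoing the raw header value.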
VULN-002 JUMP/RADIUS SERVERS TAKEOVER
RISK ANALYSIS
Total Risk: Critical | Severity: Critical | Probability: High | Fix effort: Medium
TARGET HOST AND ENTRANCE POINT
The targets in this vulnerability were 3 servers in the network 10.246.128.0/24:
10.246.x.y – Ponte (Bridge/Jump Server)
10.246.z.m – New Radius
10.246.k.p – Radius
The entrance point was a physically connected cable to the network 10.246.g.k/24 in the London server room.
VULNERABILITY DESCRIPTION
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. A RADIUS server provides better security, allowing a company to set up a policy that will be applied at a single administered network point.
However, if an attacker is able to get access inside the RADIUS server, he will be able to control all the services which use this access server.
VULNERABILITY DETAILS
During our test, we gained access into the ACS server via remote code execution as described in finding “VULN-001”, which gave us access into the internal network. We then performed comprehensive scanning of the internal network and identified multiple servers and systems, some of which had exposed SSH services.
By using specially written scripts, we performed targeted and throttled brute-force based on a small dictionary of common passwords related to “ISP” and were able to get access to 3 different servers in the local network:
10.246.x.y – Ponte (Bridge/Jump Server)
10.246.z.m – New Radius
10.246.k.p – Radius
The exploitation was successful since these security best practices were not enforced:
Certificate authentication to sensitive servers
Disallowance of remote connection protocols with a power user (root)
Strong password policy
Two of the servers were RADIUS servers, which can be seen in the following screenshots:
Root shell on the “radius” server
Root shell on the “newradius” server
After gaining access, we checked whether the RADIUS servers contained any critical information and found a few sensitive files which included a list of usernames, passwords, and IP addresses, as can be seen in the following picture:
Confidential information found on the “radius” server
Besides the RADIUS servers mentioned before, we successfully gained admin access to the “Ponte” server, which has a connection to multiple sensitive networks in addition to confidential services such as DNS and RADIUS; the following image demonstrates the access and the different interfaces of the server:
Root access on the “Ponte” server
Also, while exploring the servers that we successfully breached, we found the clear-text DCN secret key of the following clients:
83.224.q.w
91.80.z.x
Identified clients
The located clear-text keys
A potential attacker might exploit this vulnerability to gain unauthorized access to these sensitive networks and servers and cause severe damage, such as confidential data exfiltration, DoS, and more.
RECOMMENDED RECTIFICATION
Disallow remote connections to the system with administrative users such as “root” and use a standard-permission user for authentication purposes.
It is recommended to change the authentication method for critical servers to certificate-based authentication rather than password authentication. If that is not possible, enforce a firm password policy:
Password must be at least 8-10 characters long, ideally longer (especially for administrative accounts).
Password must be complex, with alpha and numeric characters, including special characters (#$%).
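The three missing practices listed in this finding (certificate authentication, no remote root login, a strong password policy) are all visible in a server's sshd_config. The Python audit below is an added example, not part of this report, that reads an OpenSSH configuration and reports the deviations from those recommendations. The two sample configurations are constructed, the ceiling of 4 for MaxAuthTries is an assumption, and the defaults table follows the sshd_config(5) manual for OpenSSH 7.x and later.

```python
import re

# Defaults from the OpenSSH sshd_config(5) manual (7.x and later), assumed here
# so that a keyword omitted from the file is still evaluated.
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# sshd accepts 'Keyword value' and 'Keyword=value'.
_LINE_RE = re.compile(r"^(\S+?)\s*[=\s]\s*(\S.*)$")


def effective_global_settings(text):
    """Return the global sshd settings as {lowercase keyword: value}.

    sshd uses the FIRST occurrence of a keyword, so a 'PermitRootLogin no'
    appended to a file that already says 'yes' changes nothing. Parsing stops
    at the first 'Match' block: its settings are conditional and would need a
    separate evaluation per matched user or host.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Compare the effective settings against the report's recommendations.

    Returns {Keyword: explanation} for every deviation; an empty dict is compliant.
    """
    cfg = dict(OPENSSH_DEFAULTS)
    cfg.update(effective_global_settings(text))
    findings = {}
    if cfg["permitrootlogin"] != "no":
        findings["PermitRootLogin"] = (
            f"is '{cfg['permitrootlogin']}'; set it to 'no' and log in as an unprivileged user")
    if cfg["passwordauthentication"] != "no":
        findings["PasswordAuthentication"] = "is enabled; use key or certificate authentication"
    if cfg["pubkeyauthentication"] != "yes":
        findings["PubkeyAuthentication"] = "is disabled; public-key login must stay available"
    if cfg["permitemptypasswords"] != "no":
        findings["PermitEmptyPasswords"] = "is enabled; empty passwords must be refused"
    if "trustedusercakeys" not in cfg:
        findings["TrustedUserCAKeys"] = "not set; certificate-based authentication is not configured"
    try:
        if int(cfg["maxauthtries"]) > 4:  # ceiling of 4 is this example's assumption
            findings["MaxAuthTries"] = f"is {cfg['maxauthtries']}; lower it to slow down password guessing"
    except ValueError:
        findings["MaxAuthTries"] = f"has a non-numeric value '{cfg['maxauthtries']}'"
    return findings


# Constructed sample files (not taken from any real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
# appended later by a hardening script; ignored by sshd because of the earlier line
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
TrustedUserCAKeys /etc/ssh/user_ca.pub
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "compliant")
```

The first-occurrence rule is the caveat worth remembering when remediating: appending the recommended lines to the end of an existing sshd_config, as the weak sample does, leaves root login enabled; `sshd -T` on the host prints the effective values and is the authoritative check after any change.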
VULN-003 Insufficient Configuration Hardening
RISK ANALYSIS
Total Risk: High | Severity: Medium | Probability: Critical | Fix effort: Low
TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the CPE in City_Name.
The entrance point was physical access to the CPE in City_Name.
VULNERABILITY DESCRIPTION
Applicative server configurations play a vital role in the security of any device and router. These routers are responsible for serving content and invoking applications that generate content. Also, many routers provide several services that the end user can use. Failure to manage the proper configuration of your router can lead to a wide variety of security problems.
VULNERABILITY DETAILS
During our test, we found that it is possible to revert the secure configuration of the router to the default, which is quite insecure.
The action can be performed simply by pushing the factory reset button.
The reset button
By reverting to the default configuration, the end user can access features which were intentionally hidden in the router and view sensitive information like the TR069 configuration and address, dial-up configuration, and much more.
The following image shows the differences between the versions:
Before and after settings reset
When inspecting the settings after the reset process, we found the TR069 configuration settings and information, which are not accessible to the user in the updated version:
This could allow a malicious threat actor to expose sensitive data and flaws inside ISP's network topology.
It is essential to mention that during the audit we leveraged these flaws, and they played a vital role in the RCE against the ACS.
RECOMMENDED RECTIFICATION
Make sure to override the factory reset partition with a secure configuration; this way a factory reset will not uncover hidden functionality.
It is recommended to ship firmware with the final security configuration.
VULN-004 Weak Admin Credentials
RISK ANALYSIS
Total Risk: High | Severity: High | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION
A weak admin credentials vulnerability describes a situation which allows an attacker to abuse the administrative credentials to gain unauthorized access to interfaces and management panels.
VULNERABILITY DETAILS
During the exploitation of the insufficient configuration hardening, it was found that besides the default admin:admin user, which has restricted admin access, ISP created another hidden administrative user which allows them to gain full access.
For example, under the Administration tab, a local admin user cannot access the sensitive TR069 settings, while the hidden “admin@ISP” user can.
After exploiting the factory reset misconfiguration, we were able to see that under the TR069 settings there is a hidden admin user:
User settings after a configuration reset
After several login attempts, we were able to uncover that the password for this user is the same as the username.
Using the same value for username and password is ubiquitous and not recommended, especially on administrative panels.
To exploit this vulnerability and gain full unauthorized access, there is no need to brute-force the application; the password can simply be guessed, which makes the exploitation probability higher.
Furthermore, because this user is hidden from regular customers, a potential adversary can create malware which performs DNS hijacking: a regular customer who uses ISP's CPE, and who has even changed the default admin password, is not aware of the hidden privileged admin account and might, for example, give someone Wi-Fi access or be compromised by malware, which would allow the threat actor to perform DNS hijacking.
The following steps elaborate on the actions of the DNS hijacking:
1. A potential attacker connects to the network and enumerates the router technologies, learning that ISP and a ZTE CPE are being used, as described in VULN-011.
2. The attacker uses the hidden administrator (admin@ISP) to edit the DNS server settings and make himself the DNS server.
3. The attacker redirects the user whenever he wants to malicious websites and steals sensitive credentials.
Also, this vulnerability will assist a potential attacker in exploiting other issues like the one described in “VULN-001” by opening more functionality in the system, which enlarges the attack surface.
RECOMMENDED RECTIFICATION
It is recommended to change every account whose password is the same as its username.
Password must be at least 8-10 characters long, ideally longer (especially for administrative accounts).
Use complex passwords with alpha-numeric characters, including special characters (#$%).
Set password max age to 120 days to force users to change their password.
Set password min age to 3-7 days to prevent users from changing their password multiple times in a short time.
Enforce password history so users won't be able to re-pick the same password again.
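The password rules above (8-10 characters minimum, mixed alphanumeric and special characters, maximum and minimum age, history) can be enforced mechanically wherever the CPE or the ISP's provisioning system sets an account password. The Python checker below is an added example, not part of this report or of the CPE firmware: it evaluates a candidate password against those rules and against a salted-hash history, and it also refuses any password that contains the account name, which generalizes the finding's username == password case. The minimum length of 10, the special-character set, the history depth and the sample passwords are this example's assumptions.

```python
import hashlib
import os
import re

# Policy values. Length 10 sits inside the report's 8-10 character minimum
# ("ideally longer"); the special-character set extends the report's (#$%).
MIN_LENGTH = 10
SPECIAL_CHARS = set("#$%!@&*+-_=?.")
HISTORY_DEPTH = 5        # assumed number of previous passwords to remember
MAX_AGE_DAYS = 120       # from the report
MIN_AGE_DAYS = 3         # lower bound of the report's 3-7 day range
PBKDF2_ROUNDS = 100_000


def history_entry(password, salt=None):
    """Hash a password for the history list (salted PBKDF2, never plaintext)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_from_history(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if history_entry(password, salt)[1] == digest:
            return True
    return False


def check_password(username, password, history=(), days_since_change=None):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no_letter")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("no_special")
    # The hidden account in the finding used username == password; refusing any
    # password that even contains the username is this example's stricter rule.
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    if reused_from_history(password, list(history)):
        problems.append("reused")
    if days_since_change is not None and days_since_change < MIN_AGE_DAYS:
        problems.append("changed_too_recently")
    return problems


def rotation_due(days_since_change):
    """True when the password has reached the maximum age and must be changed."""
    return days_since_change >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed examples; 'admin' mirrors the finding's username == password case.
    print(check_password("admin", "admin"))
    previous = [history_entry("Rout3r-Fleet#71")]
    print(check_password("ops-admin", "Rout3r-Fleet#71", previous))
    print(check_password("ops-admin", "Fib3r-Plant$94", previous, days_since_change=30))
    print(rotation_due(121))
```

The history is kept as salted PBKDF2 digests so that an old password is never stored in a recoverable form; a production system would use its existing password-hash scheme for the same comparison.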
VULN-005 Improper Network Segmentation
RISK ANALYSIS
Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Medium
TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the network 10.246.x.y/24.
The entrance point was a physically connected cable to the network in the London server room.
VULNERABILITY DESCRIPTION
Improper network segmentation allows users to access various network resources which should be restricted by design using network segmentation.
Networks which are divided into VLANs are usually separated for security reasons by network and security engineers, to enhance the security of the system or to establish order. Improper routing between the networks, also known as a flat network, essentially removes the protection of the VLAN segmentation and allows potential attackers to move laterally between sensitive networks and access sensitive data.
VULNERABILITY DETAILS
During our test, we discovered that the network segmentation in the following address range is improper:
10.246.p.t/25
This network is the heart of “ISP” internal servers and thus has to be as secure as possible.
Due to improper segmentation, we managed to move laterally and access different sensitive servers and applications such as the RADIUS and the “Ponte” servers.
Due to the sensitivity of the network, only core services should be inside it.
We discovered that there are some stations in the network which pose a threat to the system. A potential attacker may use domain hijacking techniques to try to penetrate one of the computers and get access to all of its connected services and sessions on the network.
RECOMMENDED RECTIFICATION
It is recommended to separate user and server networks to enhance the security of the network.
It is recommended to use certificate authentication for sensitive servers such as bridge servers.
It is recommended to use a NAC solution to administer sensitive networks.
VULN-006 Insecure ACS Configuration
RISK ANALYSIS
Total Risk: Medium | Severity: Low | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT
The target in this vulnerability was the CPE in City_Name.
The entrance point was physical access to the CPE in City_Name.
VULNERABILITY DESCRIPTION
An Auto Configuration Server (ACS) is software that manages devices remotely.
The device establishes a connection with the ACS only at specific points in time. It usually lasts several seconds, just enough to exchange all the necessary messages between the CPE and the ACS.
An insecure ACS configuration may lead to various attacks on the ACS itself.
VULNERABILITY DETAILS
During our test, after the reboot/factory reset it was revealed that TR069 allows any ACS to control the CPE and specify its configuration remotely. As seen, the parameter in “Connection Request URL” is http://0.0.0.0:58000, which means anyone can send malicious updates to the CPE via port 58000.
TR069 configuration on the CPE
RECOMMENDED RECTIFICATION
It is recommended to use a whitelist which includes only ISP's ACS servers.
Consider updating the default router configuration to force it to connect to ISP's ACS at boot.
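The recommendation above (accept only ISP's own ACS, and make the CPE connect to it from boot), together with the factory-reset scenario of VULN-003, can be checked against the CPE's TR-069 ManagementServer parameters. The Python audit below is an added example, not part of this report or of the ZTE firmware: it flags an ACS URL that is not HTTPS or not on the allowlist, a Connection Request URL bound to an unspecified address such as the 0.0.0.0:58000 value seen in the finding, and missing connection-request credentials, and it lists the issues a reset introduces by comparing the parameter sets before and after. The parameter names are the standard TR-098 ones; the allowlist hostname, the sample addresses and the credentials are constructed.

```python
from urllib.parse import urlsplit

MS = "InternetGatewayDevice.ManagementServer."   # TR-098 object path

# Hypothetical allowlist of the ISP's own ACS hostnames (not from the report).
ACS_ALLOWLIST = {"acs.isp.example"}

# Hosts that mean "not bound to a reachable interface" (the finding's 0.0.0.0:58000 case);
# None covers a missing or unparseable URL.
UNBOUND_HOSTS = {None, "", "0.0.0.0", "::"}


def audit_management_server(params, allowlist=ACS_ALLOWLIST):
    """Check a CPE's ManagementServer parameters; returns a list of issue codes."""
    issues = []
    acs_url = params.get(MS + "URL", "")
    if not acs_url:
        issues.append("acs_url_missing")
    else:
        parsed = urlsplit(acs_url)
        if parsed.scheme != "https":
            issues.append("acs_url_not_https")
        if parsed.hostname not in allowlist:
            issues.append("acs_url_not_allowlisted")
    cr_url = params.get(MS + "ConnectionRequestURL", "")
    if urlsplit(cr_url).hostname in UNBOUND_HOSTS:
        issues.append("connection_request_url_unbound")
    if not params.get(MS + "ConnectionRequestUsername") or not params.get(MS + "ConnectionRequestPassword"):
        issues.append("connection_request_auth_missing")
    return issues


def issues_introduced(before, after, allowlist=ACS_ALLOWLIST):
    """Issues present after a factory reset that were absent before it (the VULN-003 scenario)."""
    return sorted(set(audit_management_server(after, allowlist))
                  - set(audit_management_server(before, allowlist)))


# Constructed parameter sets; the values are illustrative only.
FACTORY_DEFAULT = {
    MS + "URL": "http://192.0.2.10:8080/tr069",
    MS + "ConnectionRequestURL": "http://0.0.0.0:58000",
    MS + "ConnectionRequestUsername": "",
    MS + "ConnectionRequestPassword": "",
}
PROVISIONED = {
    MS + "URL": "https://acs.isp.example/tr069",
    MS + "ConnectionRequestURL": "http://100.64.12.34:58000/cr",
    MS + "ConnectionRequestUsername": "cpe-00A1B2",
    MS + "ConnectionRequestPassword": "example-only-secret",
}

if __name__ == "__main__":
    print("factory default:", audit_management_server(FACTORY_DEFAULT))
    print("provisioned:   ", audit_management_server(PROVISIONED) or "clean")
    print("reset drift:   ", issues_introduced(PROVISIONED, FACTORY_DEFAULT))
```

The same check can run on the ACS side against the parameter values each CPE reports in its Inform, which turns the manual before-and-after comparison from the VULN-003 screenshots into a fleet-wide control: a CPE whose reported ManagementServer values regress to the factory set has been reset and should be re-provisioned before it is allowed to stay on the network.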
VULN-007 Man in The Middle
RISK ANALYSIS Total Risk Medium Severity Medium Probability Low Fix effort Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was a network access to the CPE.
VULNERABILITY DESCRIPTION A Man-In-The-Middle attack allows an attacker to intercept communication between two systems. In an HTTP, FTP, SAMBA transactions, the target is the TCP connection between client and server. Using different techniques, the attacker can split the original TCP connection into two instances, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, reading, inserting, and modifying the data in the intercepted communication.
VULNERABILITY DETAILS During our test, we found that it is possible to abuse the local services installed on the router.
Most of the router services are unencrypted, which allows an attacker to perform a man-in-the-middle attack and gain access to the data; for example, the router runs an FTP service, which is considered insecure:
FTP configuration
There is also an unencrypted Samba service.
RECOMMENDED RECTIFICATION Use an encrypted channel (TLS) for all client-server communications, such as FTPS.
Implement the HSTS header to move HTTP traffic automatically to HTTPS.
Consider disabling insecure services, as was done for telnet, which is already disabled.
VULN-008 INSECURE PORT FORWARDING
RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION Port forwarding allows external internet connections to reach your router, which
then forwards them to a computer in the local network and its service.
A malicious attacker can exploit port forwarding to access internal sensitive data.
VULNERABILITY DETAILS During our test, we found that it is possible to reach our public IP address from the internet and access internal services which were automatically forwarded.
We monitored the traffic using Wireshark and found that it is possible to access internal services from a remote host.
To abuse this misconfiguration, a potential adversary can perform a port scan and access all internal services.
Anyone operating a remote website can obtain the user's IP address, scan his home network, and find that sensitive services such as the following are accessible:
SMB
FTP
HTTP
EXECUTION DEMONSTRATION The following screenshot demonstrates a Samba connection from the remote IP address 2.58.x.y:
We were also able to brute-force the FTP service remotely using hydra (a hacking tool
for performing advanced brute-force attacks), as can be seen in the following image:
Then we connected to the FTP server remotely, although it should be closed to internet
users.
RECOMMENDED RECTIFICATION Make sure that access from remote IP addresses is denied by default and allowed only when
explicitly permitted by the user via the router configuration.
VULN-009 DEFAULT ADMIN CREDENTIALS IBMC
RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The targets in this vulnerability were 4 iBMC devices in the network 10.40.z.p/24:
10.40.x.y
10.40.x.u
10.40.x.p
10.40.x.g
The entrance point was a physically connected cable to the network 10.40.x.p/24 in the
London server room.
VULNERABILITY DESCRIPTION A Default Admin Credentials vulnerability describes a situation in which an attacker can
abuse the default administrative credentials to gain unauthorized access to interfaces and
management panels.
VULNERABILITY DETAILS During the test, it was found that the iBMC admin panel and shell can be accessed with default credentials:
root
Huai12#$
Due to this, a malicious user can control the iBMC service and gain full access.
The Intelligent Baseboard Management Controller (iBMC) is Huawei's proprietary system for remote server management. iBMC complies with Intelligent Platform Management Interface (IPMI) 2.0 and SNMP standards and supports various functions, including keyboard, video, and mouse (KVM) redirection, text console redirection, remote virtual media, and hardware monitoring and management.
The following addresses were breached:
10.40.x.p
10.40.x.u
10.40.x.y
10.40.x.g
Admin access to the iBMC server on 10.40.x.y
Admin access to the iBMC server on 10.40.x.y
Admin access to the iBMC server on 10.40.x.y
Further testing revealed that the default credentials allowed access over SSH as well.
Admin access to the iBMC server on 10.40.x.u
Admin access to the iBMC server on 10.40.x.u
Admin access to the iBMC server on 10.40.x.u
Admin access to the iBMC server on 10.40.x.q
RECOMMENDED RECTIFICATION It is recommended to change every password which is the same as its username (the same
value in both authentication fields).
Passwords must be at least 8-10 characters long, ideally longer (especially for
administrative accounts).
Passwords must be complex, with alphabetic and numeric characters, including special characters
(#$%).
Set the password maximum age to 120 days to force users to change their password.
Set the password minimum age to 3-7 days to prevent users from changing their password
multiple times in a short time.
Enforce password history so that a user cannot re-pick the same password over
again.
VULN-010 ACCESSIBLE ADMIN PANEL
RISK ANALYSIS Total Risk: Medium | Severity: Medium | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the entire 172.x.y.z network, which contains multiple servers and
services. Almost all of the services were found to be unprotected.
The entrance point was a physically connected cable to the network 172.k.l.m/24 in the
London basement (the room on floor -1, which is controlled by another company).
VULNERABILITY DESCRIPTION Accessible Management Panel describes a situation where administrative panels are
publicly accessible.
Many systems include several management panels to control different parts of the system. These administrative panels make it easier for system administrators to manage and change preferences. If these panels are accessible to an attacker, he may exploit them to gain administrative access to the system.
VULNERABILITY DETAILS During the audit, we found accessible admin panels on different subdomains of the “LI”
network:
Hadoop
Tomcat
A potential attacker might exploit these admin panels to run commands on the servers and eavesdrop on local sensitive information.
EXECUTION DEMONSTRATION The following screenshot demonstrates the administrative panel access page:
Nifi’s exposed admin panel
exposed admin panel
Hadoop’s exposed admin panel
Nifi’s remote command execution panel exposed
Tomcat’s exposed admin panel
RECOMMENDED RECTIFICATION It is recommended to limit access to the component’s management panels to a specific IP
address.
It is recommended to implement an authentication mechanism for the component's
management panels.
Do not allow public access to the admin panels.
Enable access to the management system only from white-listed IP sources.
VULN-011 Weak Default Firewall configuration
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION Weak Default Firewall configuration occurs when the firewall settings are set by default to the lowest security configuration. This puts customers at risk: since most customers aren't technical, there is a high probability that these settings won't be changed.
VULNERABILITY DETAILS During the test, it was found that the default firewall configuration is set to the weakest setting available, which is without the “Anti-Hacking Protection” feature and with the firewall level set to “Low”.
The following image demonstrates the weak settings:
The default configuration of the router
Since most customers aren't technical, there is a high probability that this setting won't be changed, and therefore potential attackers might exploit it.
RECOMMENDED RECTIFICATION It is recommended to use at least medium security features by default to enhance
customers’ protection from malicious attackers.
VULN-012 WEAK MIDDLEWARE CONFIGURATION
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION Weak middleware configuration occurs during the provisioning of the CPE against the ACS server.
If the user accesses the web admin panel at the provisioning stage, he can review and change sensitive settings and still enjoy full admin authority, which bypasses the ISP's business logic.
VULNERABILITY DETAILS During the test, we found that while the middleware configuration is set by the ACS on the related CPE, the customer can change the ACS IP address and/or define his own DNS server as the router's primary DNS server, which will allow him to gain WAN access and also have permanent access to all of the sensitive configuration, such as the TR069 settings.
A potential attacker might abuse this misconfiguration to research the connection between the CPE and the ISP, find more misconfigurations, and exploit them.
EXECUTION DEMONSTRATION The following screenshot shows that changing the TR069 ACS server address is allowed, as is setting a DNS server:
RECOMMENDED RECTIFICATION Restrict user access to sensitive fields which may influence the business logic, such
as the TR-069 ACS address and the DNS server.
VULN-013 INFORMATION DISCLOSURE – ACS SERVER
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Medium | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X)
The entrance point was the CPE network in City_Name.
VULNERABILITY DESCRIPTION An Information Disclosure vulnerability is a misconfiguration problem that provides information about the technology used by the application. This information mostly appears in server responses, errors, or broken functionality.
Response headers and default error pages reveal the server's type, version, and possibly other technologies in use, which may help an attacker in finding vulnerabilities and planning his attack on the system.
In order to enhance the security of the product, it is essential to manage errors and prevent sensitive information leakage.
VULNERABILITY DETAILS While enumerating the ACS server, which was found on the following IP address:
X.X.X.X/TR069/OK
Server response caught in burp
we saw that the response contains a unique answer, “FREEACSOK”, which belongs to the open-source FreeACS server, which can be downloaded from GitHub at https://github.com/freeacs.
A potential attacker might use this information to focus on this server and plan the attack course.
It is essential to mention that we used this information leakage to research the FreeACS server, and by doing so we managed to gain RCE, as elaborated in finding VULN-001.
RECOMMENDED RECTIFICATION Substitute the default answers for unique undisclosed answers which do not reveal
the technologies being used.
VULN-014 IMPROPER ERROR HANDLING
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X)
The entrance point was the CPE network in City_Name.
VULNERABILITY DESCRIPTION Improper Error Handling can introduce a variety of security problems for a website. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user or attacker.
These messages reveal implementation details that should never be revealed. Such information can provide attackers with essential clues about potential flaws in the site, and such messages are also disturbing to ordinary users.
VULNERABILITY DETAILS During our test, while examining the traffic between the CPE and the ACS, we found
that the ACS server discloses private architecture information to the user.
In the following screenshot you can see that the ACS discloses that the web server is
“nginx/1.14.2”:
Default NGINX 404 response page
As we demonstrated multiple times during our test, such information can assist an
attacker in penetrating the organization.
RECOMMENDED RECTIFICATION A specific policy for how to handle errors should be documented,
including the types of errors to be processed and, for each, what information is going
to be reported back to the user and what information is going to be logged. All
developers need to understand the policy and ensure that their code follows it.
Use custom error pages without information disclosure.
VULN-015 SECURITY FEATURES AND CONTROL FILTER BYPASS
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION A lot of personal information goes through the router. Protection against infiltration
is, therefore, paramount. To ensure nobody can connect to the router without the
user’s consent, different security protocols and features are developed.
The ZTE router contains three security features intended to protect against network
infiltration and provide filtering:
Mac Filter
IP Filter
Service Control Filter
VULNERABILITY DETAILS During the test, it was found that the security features provided by ZTE can be easily bypassed; for example, the attacker can change his IP address to avoid the IP Filter or change his MAC address to get past the MAC Filter.
By spoofing the MAC address and IP address, it is also possible to bypass the Service Control Filter.
RECOMMENDED RECTIFICATION Consider performing IP/MAC matching against the DHCP address and information supplied
by the router to the endpoint device.
Block duplicated MAC/IP network equipment.
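A way to implement the IP/MAC matching recommended above on the router side, as an added example that is not code from the report or from ZTE: the DHCP lease table is cross-checked against the neighbour (ARP) table so that a host that changed its IP or MAC to get past a filter shows up as an inconsistency. The lease lines follow dnsmasq's format and the neighbour lines follow `ip neigh` output, but both samples are constructed.

```python
"""Cross-check DHCP leases against the neighbour (ARP) table to spot hosts that
changed IP or MAC to get past the IP Filter, MAC Filter or Service Control Filter.

Added example for the VULN-015 recommendation; not code from the report or ZTE.
Lease lines follow dnsmasq's format (expiry mac ip hostname client-id) and the
neighbour table follows `ip neigh` output; both samples below are constructed.
"""
from collections import defaultdict

# Constructed lease file: three clients the router handed addresses to.
DHCP_LEASES = """\
1561000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1561000000 aa:bb:cc:00:00:02 192.168.1.11 phone *
1561000000 aa:bb:cc:00:00:03 192.168.1.12 tv *
"""

# Constructed neighbour table as seen on the LAN bridge a little later.
NEIGH_TABLE = """\
192.168.1.10 dev br-lan lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.11 dev br-lan lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.12 dev br-lan lladdr aa:bb:cc:00:00:03 STALE
192.168.1.50 dev br-lan lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.60 dev br-lan FAILED
"""


def parse_leases(text):
    """Map leased IP -> MAC (lower-cased) from dnsmasq-style lease lines."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            leases[fields[2]] = fields[1].lower()
    return leases


def parse_neigh(text):
    """Return (ip, mac) pairs from `ip neigh` lines that carry a link-layer address."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            pairs.append((fields[0], fields[fields.index("lladdr") + 1].lower()))
    return pairs


def check_bindings(leases, neigh):
    """Return the inconsistencies a filter-bypass attempt leaves behind.

    mac_mismatch: a leased IP is now answered by a different MAC (MAC spoofing).
    unleased_ip:  a host uses an address the DHCP server never handed out
                  (a static IP picked to dodge the IP filter).
    duplicate_mac: one MAC appears at several IPs (an allowed MAC being cloned).
    """
    report = {"mac_mismatch": [], "unleased_ip": [], "duplicate_mac": []}
    ips_by_mac = defaultdict(set)
    for ip, mac in neigh:
        ips_by_mac[mac].add(ip)
        if ip not in leases:
            report["unleased_ip"].append((ip, mac))
        elif leases[ip] != mac:
            report["mac_mismatch"].append((ip, leases[ip], mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            report["duplicate_mac"].append((mac, sorted(ips)))
    return report


def check_sample():
    """Run the check on the constructed sample (used by the self-test)."""
    return check_bindings(parse_leases(DHCP_LEASES), parse_neigh(NEIGH_TABLE))


if __name__ == "__main__":
    for kind, entries in check_sample().items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

Entries the check reports are candidates for the "block duplicated MAC/IP" rule: a filter that only trusts the DHCP-assigned binding will reject them instead of the spoofed value.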
VULN-016 EXTERNAL ACCESSIBLE SERVICES
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the ACS, in particular the FreeACS (X.X.X.X)
The entrance point was the CPE network in City_Name.
VULNERABILITY DESCRIPTION Device and server configurations play a crucial role in the security of a network. These devices are responsible for serving content and invoking applications that generate content.
Also, many application servers provide several services that users can use, including data storage, directory services, mail, messaging, and more.
Failure to manage the proper configuration of your device can lead to a wide variety of security problems.
VULNERABILITY DETAILS During our test, we found that the device 2.58.x.y exposes multiple services
and is wide open to the internet. This can allow an attacker to try to exploit these
services from a remote location.
Scan results for open ports on 2.58.x.y
It is possible to communicate with the services and create an SSH connection from
the internet to the device:
Scan results for open ports on 2.58.x.y
RECOMMENDED RECTIFICATION Consider limiting access to the device to authorized users/IPs only.
Consider configuring the firewall to hide internal devices.
VULN-017 SENSITIVE DATA DISCLOSURE
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION Sensitive data exposure vulnerabilities can occur when an application does not
adequately protect confidential information from being disclosed to attackers. For
many applications, this may be limited to information such as passwords, but it can
also include information such as credit card data, session tokens, or other
authentication credentials.
VULNERABILITY DETAILS During our audit, we managed to get access to TR069 information and other internal CPE
information; one of the parameters we found was the PON number, which is the
unique user identifier.
By sharing this PON number, users may overlap in the ACS configuration and receive
unauthorized internet access.
RECOMMENDED RECTIFICATION Consider hiding sensitive information from the end user.
VULN-018 Insecure PCB Design
RISK ANALYSIS Total Risk: Low | Severity: Low | Probability: Low | Fix effort: Low
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was physical access to the CPE in City_Name.
VULNERABILITY DESCRIPTION Insecure PCB Design allows attackers to map and gather sensitive information about
the microcontrollers installed on the PCB.
An attacker with physical access to the PCB can map the connections and interact with
the exposed interfaces of the microcontrollers embedded in the PCB.
To accomplish that, the serial number or “FCCID” printed on the microcontrollers is
needed in order to map them. Some microcontrollers have debugging interfaces and even
file systems which can be extracted.
Once the attacker connects to the interface, he can gather sensitive information and,
depending on the connection, also dump the firmware or access the file system directly.
Without protection, an attacker can steal the intellectual property of the
victim (ZTE/ISP), access the file system, and dump the firmware for flaw/vulnerability
research in the application's source code.
VULNERABILITY DETAILS During the audit, it was discovered that the ZTE F680's PCB has exposed debug
interfaces; for example, the following microcontroller FCCID was exposed:
Winbond w29n0
Visibility of the FCCID on the microcontroller
Identifying the FCCID allowed us to find its datasheet, which included the pin
assignment:
https://eu.mouser.com/datasheet/2/949/w29n01hvxina_revc-1489886.pdf
The pin assignment datasheet found for the microcontroller
RECOMMENDED RECTIFICATION Consider removing any indicators of the technologies and microcontrollers in use on the PCB.
Consider disabling any debug interfaces on production printed circuit boards.
Remove hardware test points.
Remove software support for the debug interfaces.
VULN-019 INFORMATION DISCLOSURE – ZTE ROUTER
RISK ANALYSIS Total Risk: Informative
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION An Information Disclosure Vulnerability is a misconfiguration problem that provides information about the technology used by the application. This information mostly appears in server responses, errors, or broken functionality.
Response headers and default error pages reveal the server's type, version, and possibly other technologies in use, which may help an attacker in finding vulnerabilities and planning his attack on the system.
To enhance the security of the product, it is essential to manage errors and prevent sensitive information leakage.
VULNERABILITY DETAILS While enumerating the router Web panel, we discovered that web server response headers contain sensitive information about the server technologies.
The “Server” response header contained the following:
Mini web server 1.0 ZTE corp 2005
A potential attacker might use this information to focus on this server and expand the attack.
Header information disclosure as caught in Burp
Because this web server is customized by ZTE, the exploitation probability is lower; nevertheless, it is recommended to remove the header.
RECOMMENDED RECTIFICATION Substitute the default answers for unique undisclosed answers which do not reveal
the technologies being used.
VULN-020 OLD VERSION SUPPORT
RISK ANALYSIS Total Risk: Informative
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION
What makes it easier for attackers to target software is the virtually guaranteed
presence of vulnerabilities, which can be exploited to violate one or more of the
software's security properties.
Most successful attacks result from targeting and exploiting outdated software
versions.
VULNERABILITY DETAILS In the course of our test we found that the ZTE router is using the Samba protocol to share files with Windows devices; it is possible to turn on file sharing from the admin panel, as can be seen in the following screenshot:
SAMBA configuration on a ZTE router
The problem is that the configured Samba version is SMBv1, which contains multiple vulnerabilities and is disabled by default on Windows 10. This version of SMB can expose the system to attacks from hackers.
Windows error when accessing SMBv1
RECOMMENDED RECTIFICATION Upgrade the services used by the router to the latest version and consult the vendor
documentation about known vulnerabilities.
Upgrade all used applications to the latest version and consult the vendor documentation about known vulnerabilities.
VULN-021 INSECURE COOKIE
RISK ANALYSIS Total Risk: Informative
TARGET HOST AND ENTRANCE POINT The target in this vulnerability was the CPE in City_Name.
The entrance point was network access to the CPE.
VULNERABILITY DESCRIPTION The application utilizes HTTP cookies to exchange sensitive information (such as a token) with its clients but does not include the "HttpOnly" and “Secure” attributes when creating the cookie.
Without the "HttpOnly" attribute, the content of the cookie is accessible to JavaScript code, and in the case of an application vulnerable to Cross-Site Scripting, the attacker would be able to steal the user's token and authenticate on behalf of the victim.
Without the "Secure" attribute, the browser will send the cookie over a non-encrypted (HTTP) channel, thereby exposing the content of the cookie to any attacker eavesdropping on the network.
VULNERABILITY DETAILS During the test, we found that the server does not protect its cookies correctly. We could not find any Cross-Site Scripting vulnerability, but if in the future an attacker finds a Cross-Site Scripting vulnerability in any new feature, he would be able to steal the token cookie.
EXECUTION DEMONSTRATION The following screenshot shows that both cookies don't have the “Secure” and “SameSite” protection flags enabled:
RECOMMENDED RECTIFICATION Set the "HttpOnly" attribute on sensitive cookies, to prevent access by malicious client-
side code (JavaScript).
Set the "Secure" attribute on all sensitive cookies, to prevent them from being sent over a
non-encrypted channel.
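A response-header audit covering this finding together with the header disclosures of VULN-014 and VULN-019 (and the HSTS header recommended under VULN-007), as an added example that is not code from the report or from ZTE; the two responses below are constructed to resemble the report's screenshots, and the cookie name `token` is a placeholder:

```python
"""Audit a raw HTTP response for the issues the report raises on the ZTE web panel
and the ACS front end: a Server header naming product/version, Set-Cookie headers
without HttpOnly / Secure / SameSite, and a missing Strict-Transport-Security header.

Added example covering VULN-014, VULN-019 and VULN-021; not code from the report.
Both responses are constructed; the cookie name "token" is a placeholder.
"""
import re

COOKIE_ATTRS = ("HttpOnly", "Secure", "SameSite")

# Constructed response modelled on the ZTE panel screenshot: product/version in
# the Server header and a session cookie with no protection attributes.
ZTE_PANEL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Mini web server 1.0 ZTE corp 2005\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: token=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response after applying the report's recommendations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: token=abc123; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def cookie_missing_attrs(set_cookie_value):
    """Return the name of the cookie and the protection attributes it lacks."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, [a for a in COOKIE_ATTRS if a.lower() not in present]


def audit_response(raw):
    """Return a dict of findings: server disclosure, per-cookie missing attrs, HSTS."""
    _, headers = parse_headers(raw)
    result = {"server_disclosure": None, "cookies": {}, "hsts": False}
    for name, value in headers:
        lname = name.lower()
        if lname == "server" and re.search(r"\d|/", value):
            # digits or a product/version separator: the banner identifies the software
            result["server_disclosure"] = value
        elif lname == "set-cookie":
            cname, missing = cookie_missing_attrs(value)
            result["cookies"][cname] = missing
        elif lname == "strict-transport-security":
            result["hsts"] = True
    return result


if __name__ == "__main__":
    for label, raw in (("ZTE panel", ZTE_PANEL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```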
APPENDICES
METHODOLOGY
The work methodology includes some or all of the following elements, to meet client requirements:
APPLICATION TESTS Various tests to identify:
o Vulnerable functions.
o Known vulnerabilities.
o Un-sanitized Input.
o Malformed and user manipulated output.
o Coding errors and security holes.
o Unhandled overload scenarios.
o Information leakage.
General review and analysis (including code review tests if requested by the client).
Automated tools are used to identify security-related issues in the code or the application.
After an automated review, thorough manual tests are performed regarding:
o Security functions: Checking whether security functions exist, whether they operate
based on a White List or a Black List, and whether they can be bypassed.
o Authentication mechanism: The structure of the identification mechanism, checking
the session ID's strength, securing the identification details on the client side,
bypassing through the use of mechanisms for changing passwords, recovering
passwords, etc.
o Authorization policy: Verifying the implementation of the authorization validation
procedures, whether they are implemented in all the application's interfaces, checking
for a variety of problems, including forced browsing, information disclosure, directory
listing, path traversal.
o Encryption policy: Checking whether encryption mechanisms are implemented in the
application and whether these are robust/known mechanisms or ones that were
developed in-house, decoding scrambled data.
o Cache handling: Checking whether relevant information is not saved in the cache
memory on the client side and whether cache poisoning attacks can be executed.
o Log off mechanism: Checking whether users are logged off in a controlled manner after
a predefined period of inactivity in the application and whether information that can
identify the user is saved after he has logged off.
o Input validation: Checking whether stringent intactness tests are performed on all the
parameters received from the user, such as matching the values to the types of
parameters, whether the values meet maximal and minimal length requirements,
whether obligatory fields have been filled in, checking for duplication, filtering
dangerous characters, SQL / Blind SQL injection.
o Information leakage: Checking whether essential or sensitive information about the
system is not leaking through headers or error messages, comments in the code, debug
functions, etc.
o Signatures (with source code in case of a code review test): Checking whether the code
was signed in a manner that does not allow a third party to modify it.
o Code obfuscation (with source code in case of a code review test, or in the case of a
client-server application): Checking whether the code was encrypted in a manner that
does not allow debugging or reverse engineering.
o Administration settings: Verifying that the connection strings are encrypted and that
custom errors are used.
o Administration files: Verifying that the administration files are separate from the
application and that they can be accessed only via a robust identification mechanism.
o Supervision, documentation and registration functions: Checking the documentation
and logging mechanism for all the significant actions in the application, checking that
the logs are saved in a secure location, where they cannot be accessed by unauthorized
parties.
o Error handling: Checking whether the error messages that are displayed are general
and do not include technical data and whether the application is operating based on
the failsafe principle.
In-depth manual tests of an application's business logic and complex attack scenarios.
Review of possible attack scenarios, presenting exploit methods and POCs.
Test results: a detailed report which summarizes the findings, including their:
o Description.
o Risk level.
o The probability of exploitation.
o Details.
o Mitigation recommendations.
o Screenshots and detailed exploit methods.
Additional elements that may be provided if requested by the client:
o Providing the development team with professional support along the rectification
process.
o Repeat test (validation) including report resubmission after rectification is completed.
INFRASTRUCTURE TESTS
Questioning the infrastructure personnel, general architecture review.
Various tests to identify:
o IP addresses, active DNS servers.
o Active services.
o Open ports.
o Default passwords.
o Known vulnerabilities.
o Infrastructure-related information leakage.
Comprehensive review and analysis. Automated tools are used to identify security-related
issues in the code or the application.
After an automated review, thorough manual tests are performed regarding:
o Vulnerable, open services.
o Authentication mechanism.
o Authorization policy.
o Encryption policy.
o Log off mechanism.
o Information leakage.
o Administrative settings.
o Administrative files.
o Error handling.
o Exploit of known security holes.
o Infrastructure local information leakage.
o Bypassing security systems.
o Network separation durability.
In-depth manual tests of application's business logic and complex scenarios.
Review of possible attack scenarios, presenting exploit methods and POCs.
Test results: a detailed report which summarizes the findings, including their:
o Description.
o Risk level.
o Probability of exploitation.
o Details.
o Mitigation recommendations.
o Screenshots and detailed exploit methods.
Additional elements that may be provided if requested by the client:
o Providing the development team with professional support along the rectification
process.
o Repeat test (validation) including report resubmission after rectification is completed.
FINDING CLASSIFICATION
Severity
The finding’s severity relates to the impact which might be inflicted to the organization due to that finding. The severity level can be one of the following options, and is determined by the specific attack scenario:
Critical – Critical level findings are ones which may cause significant business damage to the organization, such as:
- Significant data leakage
- Denial of Service to essential systems
- Gaining control of the organization’s resources (For example Servers, Routers, etc.)
High – High-level findings are ones which may cause damage to the organization, such as:
- Data leakage
- Execution of unauthorized actions
- Insecure communication
- Denial of Service
- Bypassing security mechanisms
- Inflicting various business damage
Medium – Medium-level findings are ones which may increase the probability of carrying out attacks, or cause a small amount of damage to the organization, such as:
- Discoveries which make it easier to conduct other attacks
- Findings which may increase the amount of damage which an attacker can inflict, once he carries out a successful attack
- Findings which may inflict a low level of damage to the organization
Low – Low-level findings are ones which may inflict a marginal cost on the organization, or assist the attacker when performing an attack, such as:
- Providing the attacker with valuable information to help plan the attack
- Findings which may inflict marginal damage to the organization
- Results which may slightly aid the attacker when carrying out an attack, or remaining undetected
Informative – Informative findings are findings without any information security impact. However, they are still brought to the attention of the organization.