Share
## https://sploitus.com/exploit?id=3275285F-618C-57EC-A483-4063C0C162D9
# Web Application Penetration Test โ AltoroMutual (demo.testfire.net)

-orange)



A **measured** web application penetration test of **AltoroMutual** (`demo.testfire.net`), HCL/IBM's
public, intentionally-vulnerable demo banking app. Recon โ exploitation of the documented
vulnerabilities โ professional reporting with remediation **and blue-team detection rules**.
> ### โ๏ธ Authorization & responsible scope
> `demo.testfire.net` is a **vendor-sanctioned public test site** that the owner provides for security
> testing. Because it is **not my host**, testing was deliberately kept **measured and non-destructive**:
> recon and the *documented* vulnerabilities only โ **no database dumping, no brute-forcing, no
> heavy/automated crawling, no Metasploit**. Impact was *proven*, not *maximized*. Knowing where to stop
> on a third-party system is part of professional, ethical testing.
---
## What is AltoroMutual?
[AltoroMutual](https://demo.testfire.net) is a deliberately-insecure demo banking application published
by HCL (formerly IBM) AppScan as a public target for web security testing. It contains classic OWASP
Top 10 issues โ SQL injection, XSS, weak configuration โ and is sanctioned for assessment.
---
## Engagement overview
| | |
|---|---|
| **Target** | `demo.testfire.net` (AltoroMutual demo bank) |
| **Type** | Black-box web application penetration test |
| **Scope** | Single sanctioned host; **measured, non-destructive** |
| **Authorization** | Vendor-provided public test site |
| **Conduct** | Scope-gated + recorded to a tamper-evident audit log |
| **Deliverables** | Exploitation + recommendations PDFs ยท per-finding write-ups ยท detections |
---
## Findings
| # | Severity | CVSS | Finding | OWASP | Write-up |
|---|---|---|---|---|---|
| 1 | ๐ด Critical | 9.8 | **SQL injection authentication bypass** (`/doLogin`) | A07/A03 | [01](./findings/01-sqli-login-authbypass.md) |
| 2 | ๐ High | 6.1 | **Reflected XSS** (`/search.jsp?query=`) | A03 | [02](./findings/02-reflected-xss-search.md) |
| 3 | ๐ก Low | 3.7 | Missing security headers (CSP/HSTS/โฆ) | A05 | [03](./findings/03-missing-security-headers.md) |
| 4 | ๐ก Low | 5.3 | Version disclosure + cleartext HTTP transport | A02/A05 | [04](./findings/04-info-disclosure-transport.md) |
**MITRE ATT&CK:** T1190 (Exploit Public-Facing Application), T1059.007 (JavaScript).
---
## Repository contents
```
.
โโโ README.md
โโโ reports/ # exploitation + recommendations PDFs
โโโ findings/ # per-vulnerability write-ups (root cause, CVSS, mappings, fix, detection)
โโโ evidence/ # sanitized proof-of-concept captures (no data exfiltrated)
โโโ detections/ # blue-team Sigma rules + WAF guidance
```
- ๐ **[Exploitation Report (PDF)](./reports/AltoroMutual_Exploitation-Report.pdf)**
- ๐ **[Recommendations (PDF)](./reports/AltoroMutual_Recommendations.pdf)**
---
## Blue-team detection
[`detections/`](./detections) ships Sigma rules + WAF guidance to catch the SQLi auth-bypass and the
reflected XSS โ turning the assessment into defensive value, with no further active testing required.
## Key remediation themes
1. **Parameterized queries** for authentication (eliminate the SQLi).
2. **Output encoding + strict CSP** (neutralize XSS).
3. **Enforce HTTPS/TLS** site-wide and add the missing security headers.
4. Suppress version banners; patch/replace end-of-life components.
## Skills demonstrated
- Black-box web app testing with **disciplined, ethical scoping** on a third-party host
- OWASP/CWE/WSTG/ATT&CK-aligned analysis, CVSS scoring, clear reporting
- Paired **blue-team detection engineering**
## Legal & ethical note
Conducted against a **vendor-sanctioned** public test site, measured and non-destructively. **Never**
test systems you do not own or lack explicit authorization to test.