Share
## https://sploitus.com/exploit?id=3275285F-618C-57EC-A483-4063C0C162D9
# Web Application Penetration Test โ€” AltoroMutual (demo.testfire.net)

![Type](https://img.shields.io/badge/engagement-VAPT-1d3557)
![Target](https://img.shields.io/badge/target-AltoroMutual%20(demo.testfire.net)-orange)
![Scope](https://img.shields.io/badge/scope-measured%20%2F%20non--destructive-success)
![OWASP](https://img.shields.io/badge/mapped-OWASP%20Top%2010%202021-blue)
![License](https://img.shields.io/badge/license-MIT-green)

A **measured** web application penetration test of **AltoroMutual** (`demo.testfire.net`), HCL/IBM's
public, intentionally-vulnerable demo banking app. Recon โ†’ exploitation of the documented
vulnerabilities โ†’ professional reporting with remediation **and blue-team detection rules**.

> ### โš–๏ธ Authorization & responsible scope
> `demo.testfire.net` is a **vendor-sanctioned public test site** that the owner provides for security
> testing. Because it is **not my host**, testing was deliberately kept **measured and non-destructive**:
> recon and the *documented* vulnerabilities only โ€” **no database dumping, no brute-forcing, no
> heavy/automated crawling, no Metasploit**. Impact was *proven*, not *maximized*. Knowing where to stop
> on a third-party system is part of professional, ethical testing.

---

## What is AltoroMutual?

[AltoroMutual](https://demo.testfire.net) is a deliberately-insecure demo banking application published
by HCL (formerly IBM) AppScan as a public target for web security testing. It contains classic OWASP
Top 10 issues โ€” SQL injection, XSS, weak configuration โ€” and is sanctioned for assessment.

---

## Engagement overview

| | |
|---|---|
| **Target** | `demo.testfire.net` (AltoroMutual demo bank) |
| **Type** | Black-box web application penetration test |
| **Scope** | Single sanctioned host; **measured, non-destructive** |
| **Authorization** | Vendor-provided public test site |
| **Conduct** | Scope-gated + recorded to a tamper-evident audit log |
| **Deliverables** | Exploitation + recommendations PDFs ยท per-finding write-ups ยท detections |

---

## Findings

| # | Severity | CVSS | Finding | OWASP | Write-up |
|---|---|---|---|---|---|
| 1 | ๐Ÿ”ด Critical | 9.8 | **SQL injection authentication bypass** (`/doLogin`) | A07/A03 | [01](./findings/01-sqli-login-authbypass.md) |
| 2 | ๐ŸŸ  High | 6.1 | **Reflected XSS** (`/search.jsp?query=`) | A03 | [02](./findings/02-reflected-xss-search.md) |
| 3 | ๐ŸŸก Low | 3.7 | Missing security headers (CSP/HSTS/โ€ฆ) | A05 | [03](./findings/03-missing-security-headers.md) |
| 4 | ๐ŸŸก Low | 5.3 | Version disclosure + cleartext HTTP transport | A02/A05 | [04](./findings/04-info-disclosure-transport.md) |

**MITRE ATT&CK:** T1190 (Exploit Public-Facing Application), T1059.007 (JavaScript).

---

## Repository contents

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ reports/        # exploitation + recommendations PDFs
โ”œโ”€โ”€ findings/       # per-vulnerability write-ups (root cause, CVSS, mappings, fix, detection)
โ”œโ”€โ”€ evidence/       # sanitized proof-of-concept captures (no data exfiltrated)
โ””โ”€โ”€ detections/     # blue-team Sigma rules + WAF guidance
```

- ๐Ÿ“„ **[Exploitation Report (PDF)](./reports/AltoroMutual_Exploitation-Report.pdf)**
- ๐Ÿ“„ **[Recommendations (PDF)](./reports/AltoroMutual_Recommendations.pdf)**

---

## Blue-team detection

[`detections/`](./detections) ships Sigma rules + WAF guidance to catch the SQLi auth-bypass and the
reflected XSS โ€” turning the assessment into defensive value, with no further active testing required.

## Key remediation themes
1. **Parameterized queries** for authentication (eliminate the SQLi).
2. **Output encoding + strict CSP** (neutralize XSS).
3. **Enforce HTTPS/TLS** site-wide and add the missing security headers.
4. Suppress version banners; patch/replace end-of-life components.

## Skills demonstrated
- Black-box web app testing with **disciplined, ethical scoping** on a third-party host
- OWASP/CWE/WSTG/ATT&CK-aligned analysis, CVSS scoring, clear reporting
- Paired **blue-team detection engineering**

## Legal & ethical note
Conducted against a **vendor-sanctioned** public test site, measured and non-destructively. **Never**
test systems you do not own or lack explicit authorization to test.