Share
## https://sploitus.com/exploit?id=5D9C1155-CFA8-5F95-A6E6-193DBFE2941C
# Web-Application-Pentest-Report
OWASP methodology penetration test of e-commerce platform SQL injection to admin compromise, 15+ vulnerability findings

# Web Application Penetration Test Report โ€” E-Commerce Platform

A comprehensive web application security assessment conducted against an e-commerce platform using the **OWASP Web Application Security Testing Guide** methodology. The assessment achieved full administrative compromise through chained vulnerabilities including SQL Injection, Cross-Site Scripting, and Insecure Direct Object References.

## Executive Summary

| Detail | Info |
|---|---|
| **Target** | E-commerce shopping platform (PHP/MySQL, Apache 2.4.3) |
| **Methodology** | OWASP Web Application Security Testing Guide v4 |
| **Testing Type** | Grey-box penetration test |
| **Critical Findings** | 15+ vulnerabilities across 11 OWASP testing categories |
| **Highest Impact** | Full admin credential extraction via SQL Injection โ†’ complete database dump |
| **Environment** | Kali Linux attack machine against isolated lab target |

## Vulnerabilities Discovered

### Critical

| # | Vulnerability | Impact |
|---|---|---|
| 1 | **SQL Injection** (manual + SQLMap) | Full database dump โ€” extracted all user credentials, admin password hash, order data, and PII. Achieved admin-level access. |
| 2 | **Stored XSS via File Upload Bypass** | Bypassed client-side file type validation using Burp Suite request interception. Uploaded malicious HTML/JS as profile image. |
| 3 | **Insecure Direct Object Reference (IDOR)** | Accessed other users' order invoices and tracking details by manipulating `oid` parameter. |

### High

| # | Vulnerability | Impact |
|---|---|---|
| 4 | **Reflected Cross-Site Scripting** | Injected `alert(1)` via search field โ€” no input sanitisation. |
| 5 | **DOM-Based XSS** | Exploited client-side DOM manipulation through crafted URL payloads. |
| 6 | **No SSL/TLS โ€” HTTP Only** | All traffic including credentials transmitted in plaintext. Confirmed via `sslscan`. |
| 7 | **Missing Account Lockout** | 1000+ login attempts via Hydra/ZAP Fuzzer with no rate limiting or lockout. |
| 8 | **Weak Password Reset** | Password change requires only email + contact number (no old password, no security questions). |
| 9 | **Directory Traversal** | Accessed `/admin/productimages/`, `/admin/scripts/`, and internal directories without authentication. |
| 10 | **Privilege Escalation** | Added items to cart/wishlist without authentication by manipulating URL parameters (`pid`). |

### Medium

| # | Vulnerability | Impact |
|---|---|---|
| 11 | **Clickjacking** | No `X-Frame-Options` header. Demonstrated attack using Burp Clickbandit. |
| 12 | **Missing Security Headers** | No CSP, X-XSS-Protection, X-Content-Type-Options, or HSTS headers. |
| 13 | **Insecure Cookies** | Session cookies set without `HttpOnly` or `Secure` flags. |
| 14 | **Information Leakage** | `phpinfo.php` publicly accessible. `robots.txt` exposed internal file paths. Server version exposed in headers and error pages. |
| 15 | **Weak Registration Policy** | Single-character usernames/passwords accepted. Duplicate registrations allowed. No email verification. |
| 16 | **HTML Injection** | Arbitrary HTML rendered in search results via unsanitised input. |

## Tools Used

| Tool | Purpose |
|---|---|
| **Nmap** | Service enumeration, port scanning, version detection (`-sV`, `-sT`, `-p0-65535`) |
| **Nikto** | Web server vulnerability scanning, header analysis, directory discovery |
| **OWASP ZAP** | Automated scanning, spidering (283 URLs discovered), passive/active vulnerability detection |
| **DirBuster** | Directory and file brute-forcing (discovered `/admin/scripts/`, `/phpmyadmin/`, exposed directories) |
| **SQLMap** | Automated SQL injection exploitation (`--forms --crawl=2 --dump`) โ€” extracted 7 database tables |
| **Burp Suite** | Request interception, file upload bypass, clickjacking PoC (Clickbandit) |
| **Hydra** | Brute-force authentication testing (1000+ credential combinations) |
| **Netcat** | HTTP header inspection, `X-Powered-By` header discovery |
| **sslscan** | SSL/TLS configuration assessment โ€” confirmed all protocols disabled |
| **curl/wget** | Manual `robots.txt` review, header analysis |

## Methodology

The assessment followed the OWASP Web Application Security Testing Guide across all 11 testing categories:

```
1.  Information Gathering          โ†’ Nmap, Nikto, DirBuster, ZAP Spider
2.  Configuration Management       โ†’ Nikto scan, directory indexing checks
3.  Identity Management            โ†’ SQLMap role enumeration, registration testing
4.  Authentication Testing         โ†’ Hydra brute-force, password policy checks
5.  Authorization Testing          โ†’ IDOR, directory traversal, privilege escalation
6.  Session Management             โ†’ Cookie attribute analysis, timeout testing
7.  Input Validation               โ†’ XSS (reflected/stored/DOM), SQLi, HTML injection
8.  Error Handling                 โ†’ 404 page information leakage
9.  Cryptography                   โ†’ sslscan, Burp Suite traffic interception
10. Business Logic                 โ†’ Workflow bypass, request forgery, upload validation
11. Client-Side Testing            โ†’ DOM XSS, JavaScript injection, clickjacking
```

## Attack Chain โ€” From Zero to Admin

```
Reconnaissance (Nmap + Nikto)
    โ”‚
    โ”œโ”€โ”€ Discovered Apache 2.4.3, PHP 5.4.7, MySQL, ProFTPD 1.3.4a
    โ”œโ”€โ”€ Found phpinfo.php, robots.txt with internal paths
    โ”‚
    โ–ผ
Directory Enumeration (DirBuster + ZAP)
    โ”‚
    โ”œโ”€โ”€ Exposed /admin/scripts/, /includes/config.php, /admin/index.php
    โ”œโ”€โ”€ 283 URLs mapped via ZAP Spider
    โ”‚
    โ–ผ
SQL Injection (Manual + SQLMap)
    โ”‚
    โ”œโ”€โ”€ Confirmed SQLi in /my-cart.php with: 1' AND '1'='1' --
    โ”œโ”€โ”€ SQLMap: extracted 7 tables from 'shopping' database
    โ”œโ”€โ”€ Dumped admin table: username='admin', password hash extracted
    โ”œโ”€โ”€ Dumped users table: emails, passwords, addresses, contact info
    โ”‚
    โ–ผ
Full Admin Access Achieved
    โ”‚
    โ”œโ”€โ”€ Admin panel: user PII visible in plaintext
    โ”œโ”€โ”€ Password reset exploitable (email + contact = account takeover)
    โ”œโ”€โ”€ File upload bypass via Burp โ†’ stored XSS potential
    โ”‚
    โ–ผ
Complete Compromise Demonstrated
```

## Remediation Summary

| Vulnerability | Recommended Fix |
|---|---|
| SQL Injection | Parameterised queries / prepared statements for all database interactions |
| XSS (all types) | Input validation + output encoding. Implement CSP headers |
| Missing HTTPS | Deploy SSL/TLS certificate, enforce HSTS |
| Weak Auth | Implement account lockout (3-5 attempts), enforce password complexity, add MFA |
| IDOR | Implement server-side authorisation checks per resource request |
| Directory Traversal | Disable directory indexing, restrict file path access |
| File Upload Bypass | Validate file content (magic bytes), not just extensions |
| Information Leakage | Remove `phpinfo.php`, customise error pages, strip server version headers |
| Clickjacking | Add `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` |
| Insecure Cookies | Set `HttpOnly`, `Secure`, and `SameSite` flags on all session cookies |

## Repository Structure

```
โ”œโ”€โ”€ README.md                          # This file
โ”œโ”€โ”€ report/
โ”‚   โ””โ”€โ”€ Web_Application_Pentest_Report.pdf   # Full detailed report
โ”œโ”€โ”€ payloads/
โ”‚   โ”œโ”€โ”€ xss_payloads.txt               # XSS test payloads used
โ”‚   โ”œโ”€โ”€ sqli_payloads.txt              # SQL injection payloads used
โ”‚   โ””โ”€โ”€ auth_bypass_payloads.txt       # Authentication bypass attempts
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ recon.sh                       # Automated recon script (Nmap + Nikto + DirBuster)
โ”‚   โ””โ”€โ”€ header_check.sh               # Security header verification script
โ””โ”€โ”€ screenshots/
    โ””โ”€โ”€ [redacted for repository]
```

## Key Takeaways

- A single SQL injection vulnerability enabled complete application compromise within minutes
- Defence-in-depth failures compounded risk โ€” no input validation, no encryption, no access controls
- The application had zero rate limiting, allowing unlimited brute-force attempts
- File upload validation based solely on extension is trivially bypassed with request interception

## Disclaimer

This assessment was conducted in an authorised, isolated lab environment as part of academic coursework (CMP509 โ€” Ethical Hacking, Abertay University). No real-world systems were tested or harmed. All findings and techniques documented here are for educational and professional portfolio purposes only.

## Author

**Anjali Singh**
MSc Ethical Hacking โ€” Abertay University, Dundee
Cybersecurity Engineer โ€” HCLTech

---
*If you found this useful, consider giving it a โญ*