Share
## https://sploitus.com/exploit?id=5D9C1155-CFA8-5F95-A6E6-193DBFE2941C
# Web-Application-Pentest-Report
OWASP methodology penetration test of e-commerce platform SQL injection to admin compromise, 15+ vulnerability findings
# Web Application Penetration Test Report โ E-Commerce Platform
A comprehensive web application security assessment conducted against an e-commerce platform using the **OWASP Web Application Security Testing Guide** methodology. The assessment achieved full administrative compromise through chained vulnerabilities including SQL Injection, Cross-Site Scripting, and Insecure Direct Object References.
## Executive Summary
| Detail | Info |
|---|---|
| **Target** | E-commerce shopping platform (PHP/MySQL, Apache 2.4.3) |
| **Methodology** | OWASP Web Application Security Testing Guide v4 |
| **Testing Type** | Grey-box penetration test |
| **Critical Findings** | 15+ vulnerabilities across 11 OWASP testing categories |
| **Highest Impact** | Full admin credential extraction via SQL Injection โ complete database dump |
| **Environment** | Kali Linux attack machine against isolated lab target |
## Vulnerabilities Discovered
### Critical
| # | Vulnerability | Impact |
|---|---|---|
| 1 | **SQL Injection** (manual + SQLMap) | Full database dump โ extracted all user credentials, admin password hash, order data, and PII. Achieved admin-level access. |
| 2 | **Stored XSS via File Upload Bypass** | Bypassed client-side file type validation using Burp Suite request interception. Uploaded malicious HTML/JS as profile image. |
| 3 | **Insecure Direct Object Reference (IDOR)** | Accessed other users' order invoices and tracking details by manipulating `oid` parameter. |
### High
| # | Vulnerability | Impact |
|---|---|---|
| 4 | **Reflected Cross-Site Scripting** | Injected `alert(1)` via search field โ no input sanitisation. |
| 5 | **DOM-Based XSS** | Exploited client-side DOM manipulation through crafted URL payloads. |
| 6 | **No SSL/TLS โ HTTP Only** | All traffic including credentials transmitted in plaintext. Confirmed via `sslscan`. |
| 7 | **Missing Account Lockout** | 1000+ login attempts via Hydra/ZAP Fuzzer with no rate limiting or lockout. |
| 8 | **Weak Password Reset** | Password change requires only email + contact number (no old password, no security questions). |
| 9 | **Directory Traversal** | Accessed `/admin/productimages/`, `/admin/scripts/`, and internal directories without authentication. |
| 10 | **Privilege Escalation** | Added items to cart/wishlist without authentication by manipulating URL parameters (`pid`). |
### Medium
| # | Vulnerability | Impact |
|---|---|---|
| 11 | **Clickjacking** | No `X-Frame-Options` header. Demonstrated attack using Burp Clickbandit. |
| 12 | **Missing Security Headers** | No CSP, X-XSS-Protection, X-Content-Type-Options, or HSTS headers. |
| 13 | **Insecure Cookies** | Session cookies set without `HttpOnly` or `Secure` flags. |
| 14 | **Information Leakage** | `phpinfo.php` publicly accessible. `robots.txt` exposed internal file paths. Server version exposed in headers and error pages. |
| 15 | **Weak Registration Policy** | Single-character usernames/passwords accepted. Duplicate registrations allowed. No email verification. |
| 16 | **HTML Injection** | Arbitrary HTML rendered in search results via unsanitised input. |
## Tools Used
| Tool | Purpose |
|---|---|
| **Nmap** | Service enumeration, port scanning, version detection (`-sV`, `-sT`, `-p0-65535`) |
| **Nikto** | Web server vulnerability scanning, header analysis, directory discovery |
| **OWASP ZAP** | Automated scanning, spidering (283 URLs discovered), passive/active vulnerability detection |
| **DirBuster** | Directory and file brute-forcing (discovered `/admin/scripts/`, `/phpmyadmin/`, exposed directories) |
| **SQLMap** | Automated SQL injection exploitation (`--forms --crawl=2 --dump`) โ extracted 7 database tables |
| **Burp Suite** | Request interception, file upload bypass, clickjacking PoC (Clickbandit) |
| **Hydra** | Brute-force authentication testing (1000+ credential combinations) |
| **Netcat** | HTTP header inspection, `X-Powered-By` header discovery |
| **sslscan** | SSL/TLS configuration assessment โ confirmed all protocols disabled |
| **curl/wget** | Manual `robots.txt` review, header analysis |
## Methodology
The assessment followed the OWASP Web Application Security Testing Guide across all 11 testing categories:
```
1. Information Gathering โ Nmap, Nikto, DirBuster, ZAP Spider
2. Configuration Management โ Nikto scan, directory indexing checks
3. Identity Management โ SQLMap role enumeration, registration testing
4. Authentication Testing โ Hydra brute-force, password policy checks
5. Authorization Testing โ IDOR, directory traversal, privilege escalation
6. Session Management โ Cookie attribute analysis, timeout testing
7. Input Validation โ XSS (reflected/stored/DOM), SQLi, HTML injection
8. Error Handling โ 404 page information leakage
9. Cryptography โ sslscan, Burp Suite traffic interception
10. Business Logic โ Workflow bypass, request forgery, upload validation
11. Client-Side Testing โ DOM XSS, JavaScript injection, clickjacking
```
## Attack Chain โ From Zero to Admin
```
Reconnaissance (Nmap + Nikto)
โ
โโโ Discovered Apache 2.4.3, PHP 5.4.7, MySQL, ProFTPD 1.3.4a
โโโ Found phpinfo.php, robots.txt with internal paths
โ
โผ
Directory Enumeration (DirBuster + ZAP)
โ
โโโ Exposed /admin/scripts/, /includes/config.php, /admin/index.php
โโโ 283 URLs mapped via ZAP Spider
โ
โผ
SQL Injection (Manual + SQLMap)
โ
โโโ Confirmed SQLi in /my-cart.php with: 1' AND '1'='1' --
โโโ SQLMap: extracted 7 tables from 'shopping' database
โโโ Dumped admin table: username='admin', password hash extracted
โโโ Dumped users table: emails, passwords, addresses, contact info
โ
โผ
Full Admin Access Achieved
โ
โโโ Admin panel: user PII visible in plaintext
โโโ Password reset exploitable (email + contact = account takeover)
โโโ File upload bypass via Burp โ stored XSS potential
โ
โผ
Complete Compromise Demonstrated
```
## Remediation Summary
| Vulnerability | Recommended Fix |
|---|---|
| SQL Injection | Parameterised queries / prepared statements for all database interactions |
| XSS (all types) | Input validation + output encoding. Implement CSP headers |
| Missing HTTPS | Deploy SSL/TLS certificate, enforce HSTS |
| Weak Auth | Implement account lockout (3-5 attempts), enforce password complexity, add MFA |
| IDOR | Implement server-side authorisation checks per resource request |
| Directory Traversal | Disable directory indexing, restrict file path access |
| File Upload Bypass | Validate file content (magic bytes), not just extensions |
| Information Leakage | Remove `phpinfo.php`, customise error pages, strip server version headers |
| Clickjacking | Add `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` |
| Insecure Cookies | Set `HttpOnly`, `Secure`, and `SameSite` flags on all session cookies |
## Repository Structure
```
โโโ README.md # This file
โโโ report/
โ โโโ Web_Application_Pentest_Report.pdf # Full detailed report
โโโ payloads/
โ โโโ xss_payloads.txt # XSS test payloads used
โ โโโ sqli_payloads.txt # SQL injection payloads used
โ โโโ auth_bypass_payloads.txt # Authentication bypass attempts
โโโ scripts/
โ โโโ recon.sh # Automated recon script (Nmap + Nikto + DirBuster)
โ โโโ header_check.sh # Security header verification script
โโโ screenshots/
โโโ [redacted for repository]
```
## Key Takeaways
- A single SQL injection vulnerability enabled complete application compromise within minutes
- Defence-in-depth failures compounded risk โ no input validation, no encryption, no access controls
- The application had zero rate limiting, allowing unlimited brute-force attempts
- File upload validation based solely on extension is trivially bypassed with request interception
## Disclaimer
This assessment was conducted in an authorised, isolated lab environment as part of academic coursework (CMP509 โ Ethical Hacking, Abertay University). No real-world systems were tested or harmed. All findings and techniques documented here are for educational and professional portfolio purposes only.
## Author
**Anjali Singh**
MSc Ethical Hacking โ Abertay University, Dundee
Cybersecurity Engineer โ HCLTech
---
*If you found this useful, consider giving it a โญ*