Share
## https://sploitus.com/exploit?id=E1901A15-B34E-5DD1-9A7C-817CEF598442
# Sankofa Digital โ Web Application Penetration Test
## Stage 2: Web Application Security
This project documents a paper-based penetration test of Sankofa's `/legacy-admin/` application, proving an attack chain that resulted in the exfiltration of 312 customer records.
---
## ๐ Investigation Summary
| Aspect | Details |
| :--- | :--- |
| **Target** | `/legacy-admin/` application |
| **Vulnerabilities Found** | 10 critical and high-severity |
| **Attack Chain** | 5 hops from initial access to exfiltration |
| **Data Exfiltrated** | 312 customer records |
---
## ๐ Repository Structure
๐ sankofa-web-application-penetration-test/
โโโ ๐ README.md
โโโ ๐ Findings-Catalogue.docx
โโโ ๐ Exploit-Chain-Impact.docx
โโโ ๐ Sankofa-Pentest-Report.docx
โโโ ๐ Ethics-Stance-Pressure-Call.docx
โโโ ๐ artefacts/
โ โโโ ๐ 01-legacy-admin-login.php
โ โโโ ๐ 02-attacker-http-capture.txt
โ โโโ ๐ 03-legacy-admin-tokens.txt
โ โโโ ๐ 04-import-xxe.xml
โ โโโ ๐ 05-exfil-sample.csv
โโโ ๐ certificates/
โโโ ๐ cert-2.txt
---
## ๐จ Critical Vulnerabilities
| Finding | CVSS | Impact |
| :--- | :---: | :--- |
| SQL Injection | **9.8** | Complete authentication bypass |
| JWT `alg:none` | **9.1** | Token forgery โ any admin account |
| Hardcoded JWT Secret | **9.1** | Token forgery โ guessable secret |
| Stored XSS | **8.8** | Session theft โ all viewing users |
| XXE | **8.6** | System file read โ `/etc/passwd` |
| Path Traversal | **7.5** | System file read |
---
## ๐ Attack Chain
| Hop | Time | Action | Evidence |
| :---: | :--- | :--- | :--- |
| 1 | 02:14:08 | Found login page | HTTP capture |
| 2 | 02:15:31 | SQL injection bypassed login | `admin' OR '1'='1` |
| 3 | 02:18:47 | Planted XSS in comments | Session-stealing script |
| 4 | 02:24:02 | Read system files | `/etc/passwd` via path traversal |
| 5 | 02:16:04 | Stole 312 customer records | Exfil sample CSV |
---
## ๐ ๏ธ Tools Used
- Burp Suite
- OWASP Top 10
- CVSS 3.1
---
## ๐ Remediation Priority
| Rank | Finding | Fix | Effort |
| :---: | :--- | :--- | :---: |
| 1 | SQL Injection | Parameterize login query | 2 hours |
| 2 | JWT `alg:none` | Remove acceptance; require valid signatures | 1 hour |
| 3 | Hardcoded JWT Secret | Rotate secret; move to environment variable | 1 hour |
| 4 | No JWT Expiration | Add `exp` claim with 1-hour expiry | 2 hours |
---
## ๐ Business Impact
| Metric | Value |
| :--- | :--- |
| Customer Records Exfiltrated | **312** |
| Exposed Customer Balances | **โฆ84,240,000** |
| NDPC Fine Exposure | **โฆ250,000,000** |
---
## ๐ Certificates

---
## ๐จโ๐ป Author
**Olaniyan Sodiq Abiodun** (UBI-2026-0085)
Ubuntu Bridge Initiatives Cybersecurity Internship (2026)
---
## ๐ Connect
- [LinkedIn](https://www.linkedin.com/in/olaniyan-sodiq)
- [GitHub](https://github.com/Olaniyansodiq1234)
---
## ๐
Last Updated
July 2026