Client : B9.xyz
Test type: Grey-Box Web test
SCOPE OF PROJECT
In scope:
Out of scope:
EXECUTIVE SUMMARY
During our testing we investigated the B9 website, including the listed scope items, on the production site. We tested many types of attacks against the production environment, in particular hunting for hidden directories and information leakage and checking for many common vulnerabilities, including but not limited to the OWASP Top 10. We identified a couple of issues, reported here, which have since been patched or are scheduled to be.
METHODOLOGY
Our attack cycle consists of waves. After an initial exploration to produce a proper estimate, we first go for the low-hanging fruit, running any vulnerability scanner we deem suitable. This is our assessment phase, after which we try to exploit any vulnerabilities found. The first assessment always happens unauthenticated. To round off the first phase we build documentation recording our coverage and any oddities found. Phase 2 consists of manually exploring the application for the OWASP Top 10 (assessment) and trying to exploit what we find (exploitation). We document our findings again.
In phase 3 we run our automated scanners authenticated, after exploring the application (assessment), and try to exploit any findings. Phase 4 adds more exploratory testing, aimed at business logic flaws and other oddities, following the same assessment-then-exploitation pattern. We then start finalizing our reports and preparing to hand over our automation and test plan.
EXECUTIVE MITIGATION STRATEGY
It's recommended that you disable XML-RPC in WordPress, as there is no need for it if you're using the JSON API and most modern functions of the platform.
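One way to apply this recommendation, as an added hardening example that is not part of the report: a WordPress must-use plugin that turns XML-RPC off and stops advertising the endpoint. It assumes a standard WordPress install where no plugin or client still depends on XML-RPC.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added hardening example, not from the report)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Assumption: nothing on the site (Jetpack, a mobile app client, a remote
 * publishing tool) still needs XML-RPC. If something does, keep the endpoint
 * and use only the method filtering in step 2.
 */

// 1. Refuse every XML-RPC call that requires a login, so credential guessing
//    through this endpoint fails closed. (WordPress core applies this filter
//    before it checks the supplied username and password.)
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the methods that work without authentication and are the usual
//    source of abuse, so unauthenticated callers get nothing useful either.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    unset( $methods['system.multicall'] );
    unset( $methods['system.listMethods'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> tag that WordPress prints in the page <head>.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Belt and braces: answer any direct hit on xmlrpc.php with 403 and stop.
//    This duplicates what a web-server deny rule on /xmlrpc.php would do;
//    keep whichever layer you prefer, or both.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

After deploying, confirm that a request to /xmlrpc.php returns 403 and that post pages no longer carry an X-Pingback header.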
FINDINGS OVERVIEW
SUMMARY
Overall we found few issues in the allotted time. The security functions were tested against the OWASP Top 10 and found to be secure. We spent a good deal of time testing for business logic flaws and found your flows to be pretty solid against the attacks we attempted. The results reflect our best efforts in the time allotted. The following provides an overview of the identified vulnerabilities and the remaining risk to the business:
| Severity | Identified |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 0 |
| Low | 0 |
| Informational/Oddity | 1 |
| Secure | 0 |
| Hotspot | 0 |
Project Contacts:
| Name | Role | Company | Email |
|---|---|---|---|
| Brandon Lachterman | Owner/Pentest Manager | Darkshield LLC | blachterman@darkshieldcs.com |
| Lucas Noki | Lead Pentester | Darkshield LLC | – |
| Papahboehner | B9 Management | B9.xyz | papahboehner@b9.xyz |
| MiddleClassWorkingMan | B9 Management and Dev | B9.xyz | middleclassworkingman@b9.xyz |
DEFECTS IDENTIFIED
██████ is enabled in ██████████, this allows an attacker to ███████ ███ ██████, ████ force ██████, and cause a ████ - HIGH
Platform: Web
Request: ███ request to https://██.███/██████.███
IMPACT
Potential present/future █████
An attacker could cause a potentially ██████ █████ or ███ attack, taking the site down, even with the current controls in place ██ ██████ ████ limiting. An attacker can also █████ ████ ██████████ for █████ on the site, also bypassing ████████.
CVSS Score:
Common Vulnerability Scoring System Version 3.1 Calculator (Base and Temporal)
Base score: 7.5 (HIGH)
Temporal score: 7.0 (HIGH)
References:
████████████████████████████████████
████████████████████████████████████
EMPTY ████████ LETS USERS ███████ THE █████████ AND SEE ALL █████ - LOW/INFORMATIONAL
Affected asset(s)
Platform: Web
Request: ███ request to https://██.███/███
DESCRIPTION:
Empty ██████ – ███████ bypass
IMPACT:
Potential present/future abuse
This may be by design, but it is still worth reporting just in case.
CVSS Score:
Common Vulnerability Scoring System Version 3.1 Calculator (Base and Temporal)
Base score: N/A
Temporal score: N/A
References:
NIL