16 August 2018
ATTENTION: This document contains information from XYSec Labs Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from XYSec Labs Pvt. Ltd. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.
Security Audit Report
Contents
Item (page)
Executive Summary (page 3)
Scope of Testing (page 3)
Methodology (page 4)
Details of Vulnerabilities (pages 6 - 17)
Confidential 2
Executive Summary
This document contains the security assessment report of HungerBox's web application.
The purpose of this assessment was to point out security loopholes, business logic errors and missing security best practices. The tests were carried out assuming the identity of an attacker or a malicious user, but no harm was done to the functionality or working of the website.
Scope of Testing
• https://paladion.hungerbox.com/
• https://rest.hungerbox.com/ (APIs being called from above app)
Methodology
An exhaustive Vulnerability Assessment and Penetration Test (VAPT) has been performed to identify security loopholes in the web application that could potentially allow a malicious user to gain access to the system or perform malicious operations.
The web application security testing is based on the OWASP (Open Web Application Security Project) Testing Methodologies and the OWASP Testing Framework. 120+ active security tests have been performed, falling under the following categories:
• Information Gathering
• Configuration and Deployment Management Testing
• Known Security Issues (CVE) Testing
• SSL Testing
• Identity Management Testing
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Error Handling
• Input Validation Testing
• Cryptography
• Security Best Practices
Client-side template injection High Passed Passed
Cross-site scripting (DOM-based) High Passed Passed
Cross-site scripting (reflected DOM-based) High Passed Passed
Cross-site scripting (stored DOM-based) High Passed Passed
JavaScript injection (DOM-based) High Passed Passed
JavaScript injection (reflected DOM-based) High Passed Passed
JavaScript injection (stored DOM-based) High Passed Passed
Path-relative style sheet import Information Passed Passed
Client-side SQL injection (DOM-based) High Passed Passed
Client-side SQL injection (reflected DOM-based) High Passed Passed
Client-side SQL injection (stored DOM-based) High Passed Passed
WebSocket hijacking (DOM-based) High Passed Passed
WebSocket hijacking (reflected DOM-based) High Passed Passed
WebSocket hijacking (stored DOM-based) High Passed Passed
Local file path manipulation (DOM-based) High Passed Passed
Local file path manipulation (reflected DOM-based) High Passed Passed
Local file path manipulation (stored DOM-based) High Passed Passed
Client-side XPath injection (DOM-based) Low Passed Passed
Client-side XPath injection (reflected DOM-based) Low Passed Passed
Client-side XPath injection (stored DOM-based) Low Passed Passed
Client-side JSON injection (DOM-based) Low Passed Passed
Client-side JSON injection (reflected DOM-based) Low Passed Passed
Client-side JSON injection (stored DOM-based) Low Passed Passed
Flash cross-domain policy High Passed Passed
Cross-origin resource sharing Information Passed Passed
Cross-origin resource sharing: arbitrary origin trusted High Passed Passed
Cross-origin resource sharing: unencrypted origin trusted Low Passed Passed
Cross-origin resource sharing: all subdomains trusted Low Passed Passed
Cross-domain POST Information Passed Passed
ASP.NET ViewState without MAC enabled Low Passed Passed
XML entity expansion Medium Passed Passed
Long redirection response Information Passed Passed
Serialized object in HTTP message High Passed Passed
Duplicate cookies set Information Passed Passed
Input returned in response (stored) Information Passed Passed
Input returned in response (reflected) Information Passed Passed
Suspicious input transformation (reflected) Information Passed Passed
Suspicious input transformation (stored) Information Passed Passed
Open redirection (reflected) Low Passed Passed
Open redirection (stored) Medium Passed Passed
Open redirection (DOM-based) Low Passed Passed
Open redirection (reflected DOM-based) Low Passed Passed
Open redirection (stored DOM-based) Medium Passed Passed
SSL cookie without secure flag set Medium Passed Passed
Cookie scoped to parent domain Low Passed Passed
Cross-domain Referer leakage Information Passed Passed
Cross-domain script include Information Passed Passed
Cookie without HttpOnly flag set Low Passed Passed
Session token in URL Medium Passed Passed
Password field with autocomplete enabled Low Passed Passed
Password value set in cookie Medium Passed Passed
Browser cross-site scripting filter disabled Information Passed Passed
HTTP TRACE method is enabled Information Passed Passed
Cookie manipulation (DOM-based) Low Passed Passed
Cookie manipulation (reflected DOM-based) Low Passed Passed
Cookie manipulation (stored DOM-based) Low Passed Passed
Ajax request header manipulation (DOM-based) Low Passed Passed
Ajax request header manipulation (reflected DOM-based) Low Passed Passed
Ajax request header manipulation (stored DOM-based) Low Passed Passed
HTML5 storage manipulation (stored DOM-based) Information Passed Passed
Link manipulation (DOM-based) Low Passed Passed
Link manipulation (reflected DOM-based) Low Passed Passed
Link manipulation (stored DOM-based) Low Passed Passed
Link manipulation (reflected) Information Passed Passed
Link manipulation (stored) Information Passed Passed
Document domain manipulation (DOM-based) Medium Passed Passed
Document domain manipulation (reflected DOM-based) Medium Passed Passed
Document domain manipulation (stored DOM-based) Medium Passed Passed