Pen Test Report for DVWA in a Virtual Environment
Keywords: vulnerability, hacking, encryption and decryption
Abstract
Business operations are now more digitalized and hence more exposed to technological risks such as exploitation by hackers. Penetration testing helps organizations estimate their security posture by testing networks, computer systems, or Web applications to identify existing vulnerabilities that a hacker can exploit. In this article, we aim to demonstrate a practical implementation of penetration testing in a virtual environment that was configured for learning purposes. The process involves the following phases: Reconnaissance, Scanning, Enumeration, Vulnerability Assessment, Gaining Access, and recommendation of countermeasures. The results demonstrated several existing vulnerabilities, such as Missing Encryption of Sensitive Data, Improper Certificate Validation, and Windows Bluetooth driver elevation of privilege. At the end of the report, several countermeasures are recommended to enhance the security posture of the studied environment.
Copyright (c) 2023 Mohammed Mujeebuddin; Samiha Najah
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright holder(s) granted JSR a perpetual, non-exclusive license to distribute & display this article.