Vulnerability Assessment & Penetration Testing

The Vulnerability Assessment and Penetration Testing (VAPT) report evaluates the security of the web application 'http://testphp.vulnweb.com', identifying critical vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and weak authentication procedures. The assessment utilized various tools like Nmap, Burp Suite, and SQLmap to conduct reconnaissance, scanning, and exploitation testing. Recommendations include implementing secure session management, using security headers, and limiting server information exposure to enhance the application's security posture.


VULNERABILITY ASSESSMENT AND PENETRATION TESTING REPORT

VULNERABILITY ASSESSMENT & PENETRATION TESTING (VAPT) REPORT
Prepared by: OMAIVBOJE Ohimah Miracle
Date: 29th of March 2025

STATEMENT OF CONFIDENTIALITY
This document is only meant for the designated recipient or recipients and includes sensitive and
confidential information. Without prior written approval, the results, vulnerabilities, and security
assessments described here must not be shared, copied, or disclosed to unauthorized parties.

If this information is distributed or used improperly, there could be security threats, legal
repercussions, or harm to one's reputation. All information must be handled in compliance with
the organization's security rules, and the purpose of this penetration test was to enhance security
measures.

If you have received this document in error, please destroy all copies on your systems and
notify the sender immediately.

EXECUTIVE SUMMARY
This penetration testing report evaluates the security posture of the target web application,
“http://testphp.vulnweb.com”. The aim of the assessment was to find and analyze vulnerabilities
that malicious attackers could exploit.

Throughout the engagement, reconnaissance, vulnerability scanning, and exploitation testing
were carried out using industry-standard tools like Nmap, Nikto, Burp Suite, OWASP ZAP,
Metasploit, Hydra, and SQLmap.

Key Findings:
1. Vulnerabilities known as Cross-Site Scripting (XSS) that might provide hackers the ability
to run malicious scripts in users' browsers.
2. Absence of security headers (such as X-Frame-Options, X-Content-Type-Options, and
Content Security Policy) exposes the application to MIME-type sniffing and Clickjacking
attacks.
3. Exposed technology and server data that might be used to initiate specific exploits.
4. Vulnerabilities in session management that could result in attacks using session
hijacking.
5. Weaknesses in SQL Injection that could be used to obtain private data from databases.
6. Brute-force testing using Hydra revealed weak authentication procedures that could give
attackers unauthorized access.

Recommendation:
1. Use prepared statements and input validation to stop SQL Injection.
2. Set the HttpOnly and Secure cookie flags for secure session management.
3. Implement robust authentication procedures to lessen the impact of brute-force attacks.
4. Use security headers to defend against common web threats.
5. Limit the disclosure of server information to reduce the number of potential points of attack.

This report describes the approaches taken, the vulnerabilities found, and the concrete actions
taken to improve the application's security posture.

Table of Contents
STATEMENT OF CONFIDENTIALITY ... 2
EXECUTIVE SUMMARY ... 3
    Key Findings ... 3
    Recommendation ... 3
INTRODUCTION ... 5
    Objective ... 5
    Scope ... 5
    Tools Used ... 5
METHODOLOGY ... 5
WEBSITE OVERVIEW ... 6
    Possible Attack Surfaces ... 6
RECONNAISSANCE & SCANNING ... 6
    Nmap – Port enumeration and network scanning ... 6
    Nikto – Vulnerability scanning for web servers ... 8
    Burp Suite – Manual testing and HTTP request interception ... 8
    OWASP ZAP (Zed Attack Proxy) – Automated vulnerability scanning for web applications ... 10
EXPLOITATION ... 11
    SQL Injection (SQLi) ... 11
BRUTE-FORCE LOGIN ATTACK ... 13
    Hydra for Brute Force Logins ... 13
    Metasploit Framework – Exploitation and Post Exploitation Analysis ... 14
POST-EXPLOITATION ... 15
RECOMMENDATION ... 16
CONCLUSION ... 16

INTRODUCTION
Objective
This penetration test's objective is to evaluate “http://testphp.vulnweb.com” security by locating
and taking advantage of vulnerabilities while adhering to ethical testing standards.

Scope
• Target: http://testphp.vulnweb.com/
• Type of Testing: Black-box web application penetration test
• Restrictions: Non-destructive testing only

Tools Used
Tool – Purpose
Nmap – Port enumeration and network scanning
Burp Suite – Manual testing and HTTP request interception
OWASP ZAP (Zed Attack Proxy) – Automated vulnerability scanning for web applications
SQLmap – Automated SQL Injection testing
Hydra – Brute-force logins
Nikto – Vulnerability scanning for web servers
Metasploit Framework – Exploitation and post-exploitation analysis

METHODOLOGY
Based on industry standards such as the OWASP Testing Guide and PTES (Penetration Testing
Execution Standard), the penetration test was conducted in an organized manner. Among the
crucial stages were:

• Reconnaissance: Gathering information about the target using Nmap and Nikto.
• Scanning: Finding vulnerabilities with Burp Suite, OWASP ZAP, and Nikto.
• Exploitation: Using SQLmap, Hydra, and Metasploit to actively test for brute-force attacks,
SQL injection, and session hijacking.
• Post-Exploitation: Assessing the effects of successful attacks and drawing insightful
conclusions.
• Reporting: Recording conclusions, supporting data, and suggestions.

WEBSITE OVERVIEW
“http://testphp.vulnweb.com” is a deliberately vulnerable web application maintained by
Acunetix for security research and penetration testing. The website mimics an e-commerce
platform with the following characteristics:

• A user authentication system (Login/Signup).
• Product catalog with dynamic content loading.
• Search function.
• Administrator panel (not visible to regular users).
• PHP and JavaScript are used for server-side and client-side scripting.

[Figure 1: Welcome page. Figure 2: Sign in page.]

Possible Attack Surfaces:
• SQL Injection (SQLi): Product queries that contain user input could be susceptible.
• Cross-Site Scripting (XSS): Script injection may be possible in search boxes and forms.
• Brute-force attack vectors: Weak admin panel and login authentication systems.
• Inadequate cookie session management increases the possibility of session hijacking.

Finding and exploiting these flaws to illustrate security threats in practical situations is the
main goal of this evaluation.

RECONNAISSANCE & SCANNING

Nmap – Port enumeration and network scanning
Goal: Find open ports, services, and possible attack surfaces.

Command Used: “nmap -A -T4 testphp.vulnweb.com”

[Figure 3: Nmap output showing the IP address (44.228.249.3), the hostname, and Nmap's OS detection.]

Key Findings from Nmap Scan:

1. Target Information:
• IP address: 44.228.249.3
• Hostname: ec2-44-228-249-3.us-west-2.compute.amazonaws.com.
• Hosted in a cloud environment on Amazon AWS
2. Services and Open ports:
• FTP port 21 → Filtered (closed or possibly firewalled)
• SMTP port 25 → Filtered (SMTP block, perhaps as a result of ISP limitations)
• Open port 80 (HTTP) → with Nginx 1.19.0 installed
➢ "Home of Acunetix Art" is the HTTP title, indicating that it is a test site for
Acunetix security testing.
3. Recognizing the Operating System:
• According to Nmap's OS detection, the system is likely running QEMU (94%),
Oracle VirtualBox (98%), or other virtualized environments.
• This is probably a virtualized environment configured for penetration testing
because Acunetix hosts it for security testing.
4. Network Analysis:
• Network Distance: one hop, which suggests the target is near our scanning device and
may be in the same AWS region.
• Traceroute: Confirms a cloud-hosted service with a single hop to Amazon AWS.

Nikto – Vulnerability scanning for web servers
Goal: Find known vulnerabilities, security setup errors, and out-of-date software.

Command Used: “nikto -h http://testphp.vulnweb.com”

[Figure 4: Nikto output reporting Server: nginx/1.19.0.]

Key Findings from Nikto Scan:

1. Web Server Information:
• Server: nginx/1.19.0
• PHP Version: 5.6.40 (obsolete and vulnerable)
• Operating system: Ubuntu 20.04.1 (may be out of date).
2. Security Misconfigurations:
• The X-Frame-Options header is missing, which leaves the site open to clickjacking
attacks.
• The X-Content-Type-Options header is missing, which may allow MIME-type sniffing
attacks.
3. Possible Connection String for PHP MySQL Database Found:
• This implies that if database credentials are exposed or inadequately secured, SQL
Injection may be feasible.

Burp Suite – Manual testing and HTTP request interception
Steps Taken:
1. Start up Burp Suite.
2. Open the browser, enter the URL, and create an account.
3. Head back to Burp Suite and go to HTTP history; the login request is the most recent log
entry.
4. Send the request to Repeater and alter the login details as you like.

[Figure 5: original uname (username) and upass (password) values. Figure 6: altered uname and upass values.]

Key findings from Burp Suite

1. Insufficient Authorization and Authentication
• The request's uname (username) and upass (password) parameters could be
changed by hand.
• The system processed the request without first confirming that the sender was
authorized to do so.
• This implies that authorization and authentication procedures are either absent
or inadequate.
2. Possibility of Account Takeover
• Should this same vulnerability be present in a login or password reset feature, an
attacker might alter the login credentials of another user and gain access to their
account.
3. IDOR (Insecure Direct Object References)
• An IDOR vulnerability occurs when an attacker can change parameters (such as
uname or id) and access or alter the data of other users.
• Attackers might be able to read, alter, or remove user data without authorization
as a result.

OWASP ZAP (Zed Attack Proxy) – Automated vulnerability scanning for web applications
Steps Taken:
1. Start up ZAProxy.
2. Go to Quick Start and enter the website to scan (http://testphp.vulnweb.com).
3. Then proceed to Attack.

[Figure 4: URL entered for the scan, and the scan results.]

Key Findings from OWASP ZAP

1. Cross Site Scripting (DOM-Based):
• Shows that the web application is susceptible to malicious JavaScript injection
into the page through DOM-based XSS attacks.
• Exploitable by crafting URLs that, when clicked, cause JavaScript to run.
2. Absence of Anti-CSRF Tokens:
• The application does not use CSRF protection.
• Attackers can trick authenticated users into performing unintended actions.
3. Content Security Policy (CSP) Header Not Set (46 Instances):
• Potential XSS and data injection attacks are made possible by the absence of CSP.
4. Missing Anti-Clickjacking Header (42 Instances):
• It is susceptible to Clickjacking, in which hackers can use an iframe to embed the
website and fool users into doing things they didn't want to.
5. Server Leaks Information via "X-Powered-By" Header (60 Instances):
• By revealing the PHP version, the “X-Powered-By” header can assist attackers in
identifying known vulnerabilities.
6. Server Leaks Version Information via "Server" HTTP Response Header (72 Instances):
• The server discloses that “nginx/1.19.0” is installed, which aids attackers in
creating focused vulnerabilities.
7. X-Content-Type-Options Header Missing (66 Instances):
• Absence of the X-Content-Type-Options header could cause files to be interpreted
wrongly by browsers, potentially opening the door to assaults.
8. Authentication Request Identified:
• Authentication is required for certain areas.
• Use Hydra to test brute-force login attacks.
9. Information Disclosure – Suspicious Comments:
• There are developer comments in the application that could reveal private data or
internal logic.
10. User Controllable HTML Element Attribute (Potential XSS) (3 Instances):
• Implies that some user-input fields are vulnerable to XSS attacks since they are not
adequately sanitized.
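As an added example (not part of the original report), the following Python script checks a captured HTTP response for the header weaknesses Nikto and ZAP reported above: the missing X-Frame-Options, X-Content-Type-Options and Content Security Policy headers, version disclosure in the Server and X-Powered-By headers, and the HttpOnly/Secure cookie flags from the recommendations. The sample response is constructed to mirror the findings, and the nginx and php.ini directives named in the output are the standard fixes, not settings taken from the target.

```python
import re

# Headers whose absence Nikto and ZAP reported, with the nginx directive that adds them.
REQUIRED_HEADERS = {
    "x-frame-options": 'add_header X-Frame-Options "DENY" always;',
    "x-content-type-options": 'add_header X-Content-Type-Options "nosniff" always;',
    "content-security-policy": "add_header Content-Security-Policy \"default-src 'self'\" always;",
}
# Headers that leak technology versions (ZAP findings 5 and 6) and where to silence them.
LEAKY_HEADERS = {
    "server": "server_tokens off;  (nginx.conf)",
    "x-powered-by": "expose_php = Off  (php.ini)",
}

def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    headers = {}
    for line in raw_response.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers):
    """Return (finding, fix) pairs for the weaknesses present in the given header dict."""
    findings = []
    for name, fix in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append((f"missing {name}", fix))
    for name, fix in LEAKY_HEADERS.items():
        value = headers.get(name)
        # Only a version number is a disclosure; a bare "nginx" banner is acceptable.
        if value and re.search(r"\d+\.\d+", value):
            findings.append((f"{name} discloses version: {value}", fix))
    cookie = headers.get("set-cookie")
    if cookie:
        attributes = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attributes:
                findings.append((f"set-cookie lacks {flag}", f"append '; {flag}' to Set-Cookie"))
    return findings

# Constructed sample response modelled on the report's findings (not a live capture).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=constructedvalue; path=/
"""

if __name__ == "__main__":
    for finding, fix in audit(parse_headers(SAMPLE_RESPONSE)):
        print(f"{finding:45} -> {fix}")
```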

EXPLOITATION
SQL Injection (SQLi)
Using SQLmap for Automated SQL Injection Testing

Command Used: “sqlmap -u "http://testphp.vulnweb.com/product.php?id=1" --dbs”

[Figure 5: sqlmap output showing the target URL test and sqlmap's recommendations.]

Key findings from SQLmap Scan

1. Target URL is stable
• “http://testphp.vulnweb.com/product.php?id=1” was successfully reached by the
scan, proving that the website is operational and responsive.
2. GET Parameter (ID) is dynamic but might not be injectable
• The ID argument is dynamic, meaning that user input determines its value,
according to SQLMap's detection.
• WARNING: SQLMap said that it might not be injectable.
3. SQL Injection Tests Conducted
• SQLMap tried a number of SQL injection methods, such as:
➢ Boolean-based blind SQLi
➢ Error-based SQLi
➢ Time-based SQLi
➢ UNION-based SQLi
➢ Various database-specific techniques (MySQL, PostgreSQL, Oracle, MSSQL,
etc.)

• The simple test revealed no instances of successful SQL injection.
4. SQLMap Recommendations for Further Testing
• To boost the intensity of the scan for a more aggressive test, use --level=5 and
--risk=3, i.e. “sqlmap -u "http://testphp.vulnweb.com/product.php?id=1" --dbs --level=5 --risk=3”
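As an added example (not part of the original report), the following Python script shows what sqlmap's boolean-based tests look for in a lookup such as product.php?id=, and what recommendation 1 (prepared statements plus input validation) changes. It runs against a constructed in-memory SQLite table; the product names are made up and no code from the target site is used.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the shop's product table (names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Painting"), (2, "Sketch"), (3, "Print")])
    return conn

def lookup_vulnerable(conn, product_id):
    """Query built by string formatting: whatever arrives in id is parsed as SQL."""
    sql = f"SELECT id, name FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, product_id):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()

def validate_id(raw):
    """Input validation in front of the query: a product id is a positive integer only."""
    if not raw.isdigit() or int(raw) == 0:
        raise ValueError(f"rejected product id: {raw!r}")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))            # [(1, 'Painting')]
    # Boolean-based payload of the kind sqlmap tries: the unsafe query returns every row.
    print(lookup_vulnerable(db, "1 OR 1=1"))     # all three rows
    # The bound query compares the whole string as one value and matches nothing.
    print(lookup_safe(db, "1 OR 1=1"))           # []
    print(lookup_safe(db, validate_id("2")))     # [(2, 'Sketch')]
```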

BRUTE-FORCE LOGIN ATTACK

Hydra for Brute Force Logins
Command Used: “hydra -l admin -P /usr/share/wordlists/rockyou.txt testphp.vulnweb.com
http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid username or password"”

[Figure 6: Hydra output showing the recovered login details.]

[Figure 7: Hydra still active.]

Key Findings from Hydra Brute Force Attack

1. Successful Login Found
• Username: admin
• Password: Jessica
• Hydra was able to locate a legitimate pair of credentials for the target
“testphp.vulnweb.com”
2. Brute Force Speed & Progress
• Running 15 active threads.
• Speed - 1,434,399 tries/min.
• 15 hours have passed (and still running).
• 1,434,4399 tries in total (more than 14 million attempts).

Metasploit Framework – Exploitation and Post Exploitation Analysis
Steps Taken:
1. Open the terminal and type “msfconsole” to load the Metasploit Framework.
2. Run “use auxiliary/scanner/http/http_login”.
3. Set RHOSTS: “set RHOSTS http://testphp.vulnweb.com”
4. Run.

[Figure 8: RHOSTS set; the module reports missing HTTP authentication.]

Key Findings from Metasploit Framework:

1. HTTP Authentication was not found:
• According to the scan result, accessing the website's pages does not require HTTP
authentication (Basic or Digest Auth).
• The “scanner/http/http_login” module brute-forces login credentials for websites
that request HTTP authentication. The attack does not apply to this site because it
does not use HTTP authentication.
2. The host was successfully scanned:
• The scan against the target (testphp.vulnweb.com) completed successfully.
• No prompts for a username and password or any other authentication challenges were
encountered.

POST-EXPLOITATION
After scanning and testing vulnerabilities using Metasploit, critical observations were discovered
regarding the target website.

1. Method of Authentication:
• An HTTP login brute-force attack was unsuccessful because the website does not
use HTTP authentication (Basic or Digest authentication).
• Nevertheless, given the presence of a web-based login form, alternative
authentication attacks such as form-based brute force should be considered.
2. Additional Attempts at Exploitation:
• Conventional methods of password brute-force or credential theft were not
applicable because no database containing login credentials was found.
• For additional exploitation, other strategies like testing for default credentials,
examining hidden admin panels, or manually testing web applications might be
investigated.

RECOMMENDATION
The following actions are advised in order to improve the tested system's security and lessen any
potential weaknesses:

1. Strengthen Authentication Security:
• If the website only uses form-based authentication, put in place:
➢ Account lockout after several unsuccessful login attempts.
➢ Multi-factor authentication (MFA) for further protection.
➢ CAPTCHA systems to prevent automated brute-force attacks.
• Make sure that safe password hashing methods like bcrypt, scrypt, or Argon2 are
used in all authentication processes.
2. Infrastructure for Secure Web Applications:
• Make sure user accounts only have access to the information they need, in order
to uphold the principle of least privilege.
• Use secure coding techniques to avoid common vulnerabilities such as cross-site
scripting (XSS) and SQL injection.
• To identify and reduce possible security threats, do frequent vulnerability
assessments and security audits.
3. Keep an eye out for suspicious activity:
• Turning on real-time authentication attempt monitoring and logging.
• Deploying intrusion detection systems (IDS) and security information and event
management (SIEM) tools to track and examine questionable activity.
• Setting up automated alerts for odd login patterns, like several unsuccessful login
attempts from various IP addresses.
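As an added example (not part of the original report), the following Python module puts recommendations 1 and 3 together for a form-based login: scrypt password hashing from the standard library, account lockout after repeated failures, and an alert over the attempt log for the pattern the Hydra run above produced (many failures from one source). The LoginService class, thresholds, usernames, passwords and IP addresses are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

MAX_FAILURES = 5                # consecutive failures before an account is locked
LOCKOUT_SECONDS = 15 * 60       # lockout duration
ALERT_FAILED_PER_IP = 20        # non-successful attempts from one IP that trigger an alert
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)

def hash_password(password, salt=None):
    """scrypt with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

# Record checked for unknown usernames so they cost the same time as a wrong password.
DUMMY_RECORD = hash_password("placeholder")

class LoginService:
    def __init__(self):
        self.users = {}                    # username -> (salt, digest)
        self.failures = defaultdict(int)   # username -> consecutive failed attempts
        self.locked_until = {}             # username -> unix time the lockout ends
        self.audit_log = []                # (time, ip, username, outcome)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, ip, now):
        """Return "success", "failure" or "locked" and record the attempt in the audit log."""
        if self.locked_until.get(username, 0) > now:
            self.audit_log.append((now, ip, username, "locked"))
            return "locked"
        salt, digest = self.users.get(username, DUMMY_RECORD)
        _, candidate = hash_password(password, salt)
        ok = username in self.users and hmac.compare_digest(candidate, digest)
        if ok:
            self.failures[username] = 0
            self.audit_log.append((now, ip, username, "success"))
            return "success"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        self.audit_log.append((now, ip, username, "failure"))
        return "failure"

def suspicious_ips(audit_log):
    """Source IPs with at least ALERT_FAILED_PER_IP non-successful attempts (monitoring, item 3)."""
    counts = Counter(ip for _, ip, _, outcome in audit_log if outcome != "success")
    return sorted(ip for ip, n in counts.items() if n >= ALERT_FAILED_PER_IP)

if __name__ == "__main__":
    svc = LoginService()
    svc.register("admin", "correct horse battery staple")
    # Constructed wordlist-style guesses from one source address (RFC 5737 test range).
    for i in range(25):
        svc.login("admin", f"guess{i}", "203.0.113.7", now=1000 + i)
    print(svc.login("admin", "correct horse battery staple", "198.51.100.2", now=1030))  # locked
    print(svc.login("admin", "correct horse battery staple", "198.51.100.2", now=2000))  # success
    print(suspicious_ips(svc.audit_log))  # ['203.0.113.7']
```

Note that the lockout also blocks the legitimate user while the attacker keeps guessing, which is why the alerting and a CAPTCHA or per-IP rate limit belong alongside it rather than lockout alone.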

CONCLUSION
Potential weaknesses in database security and authentication were found during the target
website's security evaluation. Form-based login security should be improved to thwart brute-
force assaults, even though HTTP authentication was not used. There may also be SQL injection
flaws, which could provide unwanted access to the database.

It is strongly advised that the company:

• Puts in place secure authentication procedures (MFA, account lockouts, and strong
password restrictions) in order to reduce these risks.
• Uses prepared statements and input validation to address possible SQL injection issues.
• Makes use of security monitoring tools to identify and address threats instantly.

The company may greatly improve the security of its web apps and shield private user
information from online attacks by implementing these suggestions.
