xref web application and api penetration test report
TRANSCRIPT
Xref Web Application and API Penetration Test Report
Prepared for Xref on the 13th July 2021
Red Cursor Pty Ltd – Client Confidential 2
Table of Contents
1 Document Control ..................................................................................................... 3
1.1 Revision History ............................................................................................................... 3
1.2 Document Distribution..................................................................................................... 3
2 Executive Summary ................................................................................................... 4
3 Scope ........................................................................................................................ 6
4 Technical Summary ................................................................................................... 7
5 Detailed Technical Findings ....................................................................................... 8
5.1 Insufficient Input Validation............................................................................................. 8
5.2 Remotely Hosted Resources........................................................................................... 11
5.3 HSTS Header Missing ...................................................................................................... 14
5.4 Insecure Content Security Policy .................................................................................... 18
5.5 TCP Timestamps ............................................................................................................. 22
6 Appendices ............................................................................................................. 24
6.1 Appendix 1 – Technical Risk Calculation ......................................................................... 24
6.1.1 Impact Calculation ........................................................................................................................ 24
6.1.2 Likelihood Calculation ................................................................................................................... 25
6.1.3 Overall Technical Risk Calculation Matrix ..................................................................................... 27
6.2 Appendix 2 – Tools Used During This Test ...................................................................... 29
Red Cursor Pty Ltd – Client Confidential 3
1 Document Control
1.1 Revision History
Version Author Date
Initial Draft v0.9 Gordon Maddern 20th April 2021
QA and Final Release v1.0 Michael Bielenberg 30th April 2021
Retesting v1.1 Michael Bielenberg 13th of July 2021
1.2 Document Distribution
Version Date Details of Distribution
Final Release v1.0 30th April 2021 Released to Xref as password protected file. Password sent via SMS
Retest Release v1.1 13th July 2021 Released to Xref as password protected file. Password sent via SMS
This document is Copyright Red Cursor Pty Ltd 2021.
Red Cursor Pty Ltd – Client Confidential 4
2 Executive Summary
Red Cursor was engaged by Xref on the 20th of April 2021 to perform web application and API penetration testing of their Xref application. This application is used to streamline the reference checking process for employers.
This testing was designed to simulate both a malicious user on the Internet, as well as a malicious or compromised authenticated user. During the testing eight security issues were identified.
After performing retesting only 5 issues remained. The graph below shows the number and security rating of the risks identified after retesting:
Risk Summary Chart
Very High
High
Medium
Low
Informational
None of the issues found pose any significant risk.
0 1 2 3
Number of issues identified
Red Cursor Pty Ltd – Client Confidential 5
Industry Comparison
Figure 1. Security posture relative to peers
The yellow ball on the above bell curve shows where Xref aligns relative to their peers. This is based on performing 1000’s of penetration tests, comparing similar in-house built SaaS applications, industries, and sized IT departments. The results of this penetration test are considered very good and well above average.
Red Cursor Pty Ltd – Client Confidential 6
3 Scope
Red Cursor was engaged by Xref to perform web application and API penetration testing against their Xref application. The environment used for testing was the sandbox environment. This application is made up of multiple microservices.
Red Cursor performed both authenticated and unauthenticated testing against the applications and APIs which are located at the following URLs:
• api-app.sandbox.xref.com
• api-candidate.sandbox.xref.com
• api-help.sandbox.xref.com
• api-questionnaire.sandbox.xref.com
• api-referee.sandbox.xref.com
• api-search.sandbox.xref.com
• app.sandbox.xref.com
• auth.sandbox.xref.com
• candidate.sandbox.xref.com
• id.sandbox.xref.com
• login.sandbox.xref.com
• pages.xref.com
• referee.sandbox.xref.com
• search.sandbox.xref.com
• template-builder.sandbox.xref.com
• xref-assets.xref.com
• help.sandbox.xref.com
• api-open.xref.com
Testing was performed from the 20th to the 30th of April 2021.
Retesting was performed on the 13th of July 2021.
Red Cursor Pty Ltd – Client Confidential 7
4 Technical Summary
This section is targeted towards Project Managers or IT Managers wishing to delegate remediation tasks to various parties. It is a summary of all vulnerabilities with related risk ratings and business impacts designed to help prioritise resourcing for remediation.
Risk Reference Business Impact
Low
5.1 - Insufficient Input Validation
The application accepts and stores in its database malicious characters and payloads. There is no risk to this application. However, secondary systems that trust and ingest this data may be affected.
Low
5.2 - Remotely
Hosted Resources
The application is using remotely hosted 3rd party JavaScript libraries. This means that a 3rd party or a compromised 3rd party has complete control over what data is taken from the site and what code gets executed.
Informational
5.3 - HSTS Header
Missing
If a user is being man-in-the-middled, they will be given the option to accept the certificate error and proceed. Most non-security aware users will click through certificate security warnings.
Informational
5.4 - Missing or Insecure Content Security Policy (CSP)
The application is missing protective mechanisms that keep it safe from cross-site scripting (XSS), clickjacking and serving mixed HTTP and HTTPS content. Having a secure Content Security Policy (CSP) is a defence in depth mechanism.
Informational
5.5 - TCP Timestamps It is possible to work out the uptime of devices. Disclosing uptimes indicates how effectively a device is patched.
Red Cursor Pty Ltd – Client Confidential 8
5 Detailed Technical Findings
5.1 Insufficient Input Validation
Insufficient Input Validation
RISK RATING RISK CALCULATION
LOW
Likelihood:
Moderate
Consequence:
Low
DESCRIPTION OF VULNERABILITY
The application accepts malicious characters as input and does not properly validate that
the input is valid and expected.
In more serious instances this vulnerability can lead to critical vulnerabilities like SQL injections and remote code execution. However, in this instance, even though the input didn’t necessarily lead to an injection vulnerability, it was stored in the system and could cause a ‘second order injection’ vulnerability.
Second order injection vulnerabilities happen when other systems or applications use data from another application. For example, if an attacker was to enter their address in one web application as:
‘Drop table;
Then if a secondary billing or reporting system read this data, it could lead to data being destroyed in the database.
Furthermore, when stored cross site scripting payloads are used, it can cause other users to have their credentials compromised on secondary applications.
PROOF OF CONCEPT
Although not necessarily exploitable in this instance, the Xref application accepts malicious characters throughout the entire application.
Red Cursor Pty Ltd – Client Confidential 9
In the screenshot below, Red Cursor entered a cross site scripting payload in to one of the fields:
Figure 2. Malicious characters entered into field
As shown below, the application saves the malicious input to its database and then displays it back:
Figure 3. Application accepted and stored malicious characters
Red Cursor Pty Ltd – Client Confidential 10
The XSS payload did not execute because the application is using output encoding. However, if a secondary system such as a reporting system used this data, it may be possible to cause second order injection attacks.
BUSINESS IMPACT
The application accepts and stores in its database malicious characters and payloads. There is no risk to this application. However, secondary systems that trust and ingest this data may be affected.
REPRODUCTION STEPS
To reproduce the same results as the proof of concept:
• Enter malicious characters into any field
RECOMMENDATIONS
It is best practice to sanitise data at the point of entry. Red Cursor recommends:
• Ensuring that all user input is validated before being accepted. It is recommended to use a whitelisting approach. It is important to do this on the server because client-side validation checks can be disabled.
Red Cursor Pty Ltd – Client Confidential 11
5.2 Remotely Hosted Resources
Remotely Hosted Resources
RISK RATING RISK CALCULATION
LOW
Likelihood:
Moderate
Consequence:
Low
DESCRIPTION OF VULNERABILITY
The application is using 3rd party hosted JavaScript. Modern web applications use JavaScript libraries to extend functionality and enrich user experience. Developers can include these external libraries in their web applications in two ways: either
1) by downloading a copy of the library from a third-party vendor and uploading it to their own web server, or
2) by instructing the users’ browsers to fetch the code directly from a server operated by a third party
By using 3rd party hosted libraries the applications security boundary is extended to include the 3rd party. Developers need to trust that 3rd parties will not abuse their power or not become victims of hacks themselves. Furthermore, using semi trusted code opens the application up to the following risks:
• The loss of control over changes to the client application
• The execution of arbitrary code on client systems
• The disclosure or leakage of sensitive information to 3rd parties
The safest method of using 3rd party libraries is to download a local copy to the application server. This gives developers full control over what code runs on their application.
It is worth noting that in 2013 the Bootstrap CDN was compromised and served out malicious JavaScript to millions of sites:
https://opsec.readthedocs.io/en/latest/incidences/maxcdn.html
PROOF OF CONCEPT
Red Cursor Pty Ltd – Client Confidential 12
The following applications are using remotely hosted 3rd party JavaScript libraries that Xref has no control over:
• https://app.sandbox.xref.com/
• https://help.sandbox.xref.com
• https://pages.xref.com/
• https://template-builder.sandbox.xref.com/
As shown in the screenshot below the template builder application is requesting files from fast.wistia.com:
Figure 4. Remote hosted 3rd party library in use
This creates a risk in that the application’s security boundary is extended to include the 3rd party vendor and their security practices. Furthermore, developers do not have full control over changes to their application.
BUSINESS IMPACT
The application is using remotely hosted 3rd party JavaScript libraries. This means that a 3rd party or a compromised 3rd party has complete control over what data is taken from the site and what code gets executed.
REPRODUCTION STEPS
To reproduce the same results as the proof of concept:
• View the page source for the application and note that the browser is calling
remotely hosted libraries.
RECOMMENDATIONS
Red Cursor recommends copying the library files locally to the application server. This way the developers have complete control over the code that is served to the users’ browsers and can inspect it to verify its proper functionality.
Red Cursor Pty Ltd – Client Confidential 13
If it is not possible to use a local copy, then it is recommended to implement sub-resource integrity checking for remotely hosted scripts. More information on how this works can be found here:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Red Cursor Pty Ltd – Client Confidential 14
5.3 HSTS Header Missing
HSTS Header Missing
RISK RATING RISK CALCULATION
Informational
Likelihood:
Very Low
Consequence:
Very Low
DESCRIPTION OF VULNERABILITY
HTTP Strict Transport Security (HSTS) is a HTTP header that serves two functions:
1) It helps to protect websites against protocol downgrade attacks from tools like sslstrip. It tells browsers that they should only interact with the application using only secure HTTPS connections and never via the insecure HTTP protocol. This is how the tool sslstrip works by downgrading HTTPS to HTTP connections. It will also automatically turn any insecure links referenced in the web application into secure links.
2) It prevents the user from accepting a certificate security warning if the connection is insecure.
The second function is often overlooked. Most non-security aware users will click through security warnings if an attacker is man-in-the-middling a connection. An example of this warning screen shown is below:
Red Cursor Pty Ltd – Client Confidential 15
Figure 5. Without the HSTS header users can still use the site insecurely by clicking proceed
However, if the HSTS header is implemented, users are not able to accept the security error and visit the site as shown below:
Figure 6. With HSTS the option to proceed is not available
Adding the HSTS header to a web application can significantly decrease the likelihood of a successful man-in-the-middle attack.
Red Cursor Pty Ltd – Client Confidential 16
PROOF OF CONCEPT
The following servers do not correctly set the HSTS Header:
• https://app.sandbox.xref.com/
• https://candidate.sandbox.xref.com/
• https://help.sandbox.xref.com/
• https://login.sandbox.xref.com/
• https://pages.xref.com/
• https://referee.sandbox.xref.com/
• https://search.sandbox.xref.com/
• https://template-builder.sandbox.xref.com/
As an example, the screenshot below shows that responses from the app.sandbox.xref.com server do not contain the HSTS header:
Figure 7. No HSTS header returned by application
Without this security header a user can accept certificate errors.
BUSINESS IMPACT
If a user is being man-in-the-middled, they will be given the option to accept the certificate error and proceed. Most non-security aware users will click through certificate security warnings.
REPRODUCTION STEPS
Red Cursor Pty Ltd – Client Confidential 17
To reproduce the same results as the proof of concept:
• Run a local proxy like Burp Suite
• Seta browser to use the local proxy
• Browse to the application and accept the certificate warning
• Observe that the HSTS header is missing in server responses.
RECOMMENDATIONS
Red Cursor recommends adding the following header to the application:
Strict-Transport-Security: max-age=31536000
Red Cursor Pty Ltd – Client Confidential 18
5.4 Insecure Content Security Policy
Insecure Content Security Policy
RISK RATING RISK CALCULATION
INFORMATIONAL
Likelihood:
Very Low
Consequence:
Very Low
DESCRIPTION OF VULNERABILITY
The application is missing a Content Security Policy or has a poorly configured Content Security Policy.
Content Security Policy (CSP) is a set of security headers introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks. CSP provides a standard method for an application to declare approved origins of content that browsers should be allowed to load on that website.
By disallowing inline scripts and allowing only trusted domains as a source of external scripts, CSP restricts a site’s capability to execute malicious client-side code. Even when an attacker is capable of finding an XSS vulnerability, CSP keeps the application safe by preventing the exploitation of the bug.
In order for a CSP policy to be effective in stopping XSS attacks, preventing script execution and not by-passable it must at a minimum have the following three conditions
1. The policy must define both the script-src and object-src (or default-src in their absence)
2. The script-src source list cannot contain the unsafe-inline keyword (unless accompanied by a nonce)
3. The script-src and object-src source lists cannot contain any endpoints that allow an attacker to control security-relevant parts of the response or contain unsafe libraries.
If any of these conditions are not met, the policy can be bypassed and is not effective at preventing script execution and XSS attacks.
To prevent clickjacking attacks, the CSP must include the following directive:
Red Cursor Pty Ltd – Client Confidential 19
frame-ancestors 'none';
Additionally, a CSP policy can prevent HTTP and HTTPS mixed content by specifying the following directives:
block-all-mixed-content; or alternatively the upgrade-insecure-requests; directive.
It is recommended to set either or of these directives but not both.
Finally, the CSP replaces the older now obsolete security headers:
• X-XSS-Protection:
• X-Frame-Options:
More information on all directives and syntax can be found here:
https://content-security-policy.com/
PROOF OF CONCEPT
The following endpoints do not correctly set a secure Content Security Policy:
• https://api-app.sandbox.xref.com/
• https://api-candidate.sandbox.xref.com/
• https://api-help.sandbox.xref.com/
• https://api-questionnaire.sandbox.xref.com/
• https://api-referee.sandbox.xref.com/
• https://api-search.sandbox.xref.com/
• https://app.sandbox.xref.com/
• https://auth.sandbox.xref.com/
• https://candidate.sandbox.xref.com/
• https://id.sandbox.xref.com/
• https://login.sandbox.xref.com/
• https://pages.xref.com/
• https://referee.sandbox.xref.com/
• https://search.sandbox.xref.com/
• https://template-builder.sandbox.xref.com/
• https://xref-assets.xref.com/
• https://help.sandbox.xref.com
• https://api-open.xref.com
The content security policed used is shown below:
default-src http://localhost:* https://*.xref.com https://*.xref.io
https://*.sentry.io https://inlinemanual.com https://*.inlinemanual.com
https://js.stripe.com https://www.facebook.com *.hotjar.com; img-src
'self' blob: data: http://localhost:* https://*.xref.com
https://*.xref.io https://inlinemanual.com https://*.inlinemanual.com
https://*.adsymptotic.com *.bizible.com *.bizibly.com *.linkedin.com
https://*.facebook.com https://*.amazonaws.com *.wistia.com
https://www.google-analytics.com; script-src 'self' data: blob:
https://*.facebook.net https://*.cloudfront.net https://js.stripe.com
Red Cursor Pty Ltd – Client Confidential 20
https://inlinemanual.com https://*.inlinemanual.com *.bizible.com
*.hotjar.com *.licdn.com *.wistia.com 'unsafe-inline'
https://*.googletagmanager.com https://www.google-analytics.com 'unsafe-
eval' https://*.xref.com https://*.xref.io; style-src 'self'
http://localhost:* https://*.xref.com https://*.xref.io
https://inlinemanual.com https://*.inlinemanual.com 'unsafe-inline'
*.hotjar.com *.wistia.com; connect-src 'self' http://localhost:*
https://*.xref.com https://*.xref.io *.hotjar.com
https://inlinemanual.com https://*.inlinemanual.com
https://*.smartling.com https://*.sentry.io https://www.google-
analytics.com;
This can be trivially bypassed as it allows inline JavaScript execution (unsafe-inline), the execution of code injected into DOM APIs (unsafe-eval) and, external JavaScript execution from domains an attacker can control the contents. Allowing https://*.cloudfront.net or https://*.googletagmanager.com means an attacker can host the JavaScript on those domains and the script will be included within the CSP whitelist.
BUSINESS IMPACT
The application is missing protective mechanisms that keep it safe from cross-site scripting (XSS), clickjacking and serving mixed HTTP and HTTPS content. Having a secure Content Security Policy (CSP) is a defence in depth mechanism.
REPRODUCTION STEPS
To reproduce the same results as the proof of concept:
• The tool https://csp-evaluator.withgoogle.com/ can be used to evaluate the security of a content security policy. All issues marked “High severity finding” should be fixed.
RECOMMENDATIONS
Red Cursor recommends implementing a secure Content Security Policy (CSP) to add
additional protection to the application.
A CSP policy is delivered in either the Content-Security-Policy HTTP response header or in a <meta> tag. The following examples demonstrate how to enable a CSP:
# Enable CSP in Apache
Header set Content-Security-Policy "default-src 'none'; img-src 'self';
script-src 'self' https://code.jquery.com; style-src 'self'"
Red Cursor Pty Ltd – Client Confidential 21
# Enable CSP in nginx
add_header Content-Security-Policy "default-src 'none'; img-src 'self';
script-src 'self' https://code.jquery.com; style-src 'self'";
# Enable CSP in IIS
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
</customHeaders>
</httpProtocol>
</system.webServer>
#<!-- Enable CSP inside the page's HTML -->
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'none';
img-src 'self'; script-src 'self' https://code.jquery.com; style-src
'self'">
More information on all CSP directives and examples can be found at the following URLs:
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet
https://content-security-policy.com/
Red Cursor Pty Ltd – Client Confidential 22
5.5 TCP Timestamps
TCP Timestamps
RISK RATING RISK CALCULATION
INFORMATIONAL
Likelihood:
Very Low
Consequence:
Very Low
DESCRIPTION OF VULNERABILITY
The server is allowing TCP timestamps. This allows an attacker to calculate the uptime of the server. This can be a rough indication of how effectively a device is patched. If a device has not been rebooted for a long time, it can be a sign that the server is missing critical security patches that require a reboot.
It is best practice to disclose as little information as possible to attackers.
PROOF OF CONCEPT
Red Cursor found that the following endpoints are disclosing their uptimes via TCP timestamps:
• api-app.sandbox.xref.com
• api-candidate.sandbox.xref.com
• api-help.sandbox.xref.com
• api-open.xref.com
• api-questionnaire.sandbox.xref.com
• api-referee.sandbox.xref.com
• api-search.sandbox.xref.com
• app.sandbox.xref.com
• auth.sandbox.xref.com
• candidate.sandbox.xref.com
• help.sandbox.xref.com
• id.sandbox.xref.com
• login.sandbox.xref.com
• referee.sandbox.xref.com
Red Cursor Pty Ltd – Client Confidential 23
• search.sandbox.xref.com
• template-builder.sandbox.xref.com
• xref-assets.xref.com
An example of this is shown in the following screenshot:
Figure 8. login.sandbox.xref.com uptime via TCP timestamps
This allows an attacker to estimate roughly how well devices are patched.
BUSINESS IMPACT
It is possible to work out the uptime of devices. Disclosing uptimes indicates how effectively
a device is patched.
REPRODUCTION STEPS
To reproduce the proof of concept run the following Nmap command:
nmap -O -P0 -vv <HOSTNAME>
RECOMMENDATIONS
Red Cursor recommends removing TCP timestamps where possible. To remove TCP
timestamps on Linux devices run the following command:
sudo sysctl -w net.ipv4.tcp_timestamps=0
Starting with Windows Server 2008 and Vista, TCP timestamps cannot be completely disabled. Disabling TCP Timestamp only affects the outgoing traffic, for incoming traffic Microsoft has to honour it if the other side requests it.
Red Cursor Pty Ltd – Client Confidential 24
6 Appendices
6.1 Appendix 1 – Technical Risk Calculation
Red Cursor’s risk ratings are based on the NIST 800 30 Cyber Security Framework and the ISO 27001 standard. They are designed to provide a model for calculating risks that arise from vulnerabilities in systems. The purpose is to help businesses qualitatively measure their risk and prioritise remediation of the identified issues. This calculation uses the metrics of:
Impact * Likelihood = Overall technical risk
6.1.1 Impact Calculation
The level of impact from a vulnerability is the magnitude of harm that can be expected to result if the vulnerability is exploited.
It takes into account violations of confidentiality, integrity and availability (CIA) of user, data and systems. It can include unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or system availability. Technical impact factors include:
• Loss of confidentiality
How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed, minimal critical data disclosed, extensive non-sensitive data disclosed, extensive critical data disclosed, or all data disclosed.
• Loss of integrity
How much data could be corrupted and how damaged is it? Minimal slightly corrupt data, minimal seriously corrupt data, extensive slightly corrupt data, extensive seriously corrupt data or all data totally corrupt.
• Loss of availability
How much service could be lost and how vital is it? Minimal secondary services interrupted, minimal primary services interrupted, extensive secondary services interrupted, extensive primary services interrupted, or all services completely lost.
The table below shows how each value is determined:
Red Cursor Pty Ltd – Client Confidential 25
Qualitive Value Description
Very High
The threat event could be expected to have multiple severe or catastrophic adverse effects on organisational operations, organisational assets, individuals, other organisations, or data.
High
The threat event could be expected to have a severe or catastrophic adverse effect on organisational operations, organisational assets, individuals, other organisations, or data.
Moderate
The threat event could be expected to have a serious adverse effect on organisational operations, organisational assets, individuals, other organisations, or data.
Low
The threat event could be expected to have a limited adverse effect on organisational operations, organisational assets, individuals, other organisations, or data.
Very Low
The threat event could be expected to have a negligible adverse effect on organisational operations, organisational assets, individuals, other organisations, or data.
6.1.2 Likelihood Calculation
Likelihood is how likely this particular vulnerability is to be uncovered and exploited by an attacker.
Red Cursor Pty Ltd – Client Confidential 26
The likelihood of occurrence is determined by the following factors:
• Skill level How technically skilled would an attacker have to be? Security penetration skills, network and programming skills, advanced computer user, some technical skills or no technical skills.
• Motive How motivated would an attacker have to be to find and exploit this vulnerability? Low or no reward, possible reward or high reward.
• Opportunity
What resources and opportunities are required for an attacker to find and exploit this vulnerability? Full access or expensive resources required, special access or resources required, some access or resources required, or no access or resources required.
• Size How large is this group of threat agents? Developers, system administrators, internal users, partners, authenticated users or anonymous Internet users.
• Ease of discovery How easy is it for an attacker to discover this vulnerability? Practically impossible, difficult, easy, or are automated tools available.
• Ease of exploit How easy is it for an attacker to actually exploit this vulnerability? Theoretical, difficult, easy, or are automated tools available.
• Awareness How well known is this vulnerability to Attackers? Unknown, hidden, obvious, or public knowledge.
• Intrusion detection
How likely is an exploit to be detected? Active detection in application, logged and reviewed, logged without review, or not logged.
The table below shows how each value is determined:
Qualitive Value Description
Very High An attacker is almost certain to initiate the threat event.
High An attacker is highly likely to initiate the threat event
Moderate An attacker is somewhat likely to initiate the treat event.
Red Cursor Pty Ltd – Client Confidential 27
Low An attacker is unlikely to initiate the threat event.
Very Low An attacker is highly unlikely to initiate the threat event.
6.1.3 Overall Technical Risk Calculation Matrix
The final risk calculation uses the likelihood and impact metrics to determine technical risk. The table below demonstrates how these metrics align to calculate the final technical risk:
Likelihood
Very Low Low Moderate High Very High
Imp
act
Very High
Low
Medium
High
Very High
Very High
High
Low
Medium
Medium
High
Very High
Moderate
Low
Low
Medium
Medium
High
Low
Informational
Low
Low
Medium
Medium
Very Low
Informational
Informational
Low
Low
Low
Red Cursor Pty Ltd – Client Confidential 28
It is important to note that the risks reported in this report are technical risks.
The final business risk stems from the technical risk but requires an in-depth understanding of what is important to the company running the systems. This information is not necessarily known to Red Cursor and the technical risk should be used in conjunction with corporate knowledge when calculating the overall business risk. A company needs to take into account the following business risk factors:
• Financial damage
• Reputational damage
• Non-compliance
• Privacy violations
Red Cursor Pty Ltd – Client Confidential 29
6.2 Appendix 2 – Tools Used During This Test
Tool Description
Burp Suite Pro
Burp suite is the leading tool for testing web application security. It is a local proxy that allows manipulation of requests to and from a web server.
Selenium
Selenium is a suite of tools and libraries for automating browser requests. It allows scripting of web requests that can simulate a browser.
Gobuster
Gobuster is a go application designed to brute force directories and files names on web/application servers.
DirBuster
DirBuster is a java application designed to brute force directories and files names on web/application servers. It is developed by the OWASP community.
Various
Chrome/Firefox plugins
Various browser plugins like developer tools such as: Built With, No
Script, Firebug d3coder, XSS rays, cache killer, HPP finder, GHDB, cookie editor, foxyproxy.
Kali
Kali is a Linux distribution with preconfigured tools for penetration testers. Kali contains several hundred tools which are tailored for security testing.
SQLmap
SQLmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and exploiting database servers
Nessus Nessus is a commercial vulnerability scanner used for automatically identifying known security vulnerabilities.
SSL labs SSL labs is a website designed to test the security configuration of TLS connections. https://ssllabs.com
Nmap
Nmap is a very common port scanner used for identifying and fingerprinting open services. It also contains the NSE scripting engine for identifying common vulnerabilities.
Red Cursor Pty Ltd – Client Confidential 30
Testssl.sh Testssl.sh is a script/website for testing servers TLS settings.
http://testssl.sh
Hping3 Hping3 is a command-line TCP/IP packet assembler/analyser. It is used
for constructing various packet types in pen testing.
Slurp Slurp is tool for identifying unsecured AWS S3 buckets.
Exiftool Exiftool is Linux tool used for reading and modifying metadata in office
documents.
Fingerprinter Is a script that attempts to fingerprint version numbers of popular
content management systems based on checksums of common files.