VULNERABILITY ASSESSMENT &
PENETRATION TESTING
Report prepared for
Report issued: 22/04/2025 Submitted by: MARTIN D
Sensitive: The information in this document is strictly confidential and
was prepared by Martin D.
Confidentiality Notice
This report contains sensitive, privileged and confidential
information. Precautions should be taken to protect the
confidentiality of the information in this document.
Disclaimer
Note that this assessment may not disclose all vulnerabilities that
are present on the systems within the scope of the engagement. This
report is a summary of the findings from a "point-in-time" assessment
made on three different client environments. Any changes made to the
environments during the period of testing may affect the results of
the assessment.
TABLE OF CONTENTS
1. Confidentiality
2. Disclaimer
3. Executive Summary
a. Scope
4. Testing Methodology
5. Classification
a. Risk Classification
6. Assessment Findings
a. Vulnerability #1
b. Vulnerability #2
c. Vulnerability #3
7. Appendix A: Tools Used
8. Appendix B: Engagement information
a. Contact information
9. Conclusion
EXECUTIVE SUMMARY
I performed a security assessment on three web applications. The
purpose of this assessment was to discover and identify vulnerabilities
in the three websites' infrastructure and to suggest methods to remediate
them. A total of three vulnerabilities were identified within the scope
of the engagement; they are broken down by severity in the table
below.
CRITICAL HIGH MEDIUM
1 1 1
The highest severity vulnerabilities give potential attackers the
opportunity to delete, lose or steal confidential data; deface
websites; gain unauthorised access to systems or accounts; and,
ultimately, compromise individual machines or entire networks. To
ensure data confidentiality, integrity and availability, the security
remediations should be implemented as described in the security
assessment findings.
Note that this assessment may not disclose all vulnerabilities that are
present on the systems within the scope. Any changes made to the
environment during the period of testing may affect the results of
the assessment.
SCOPE
The security assessment covered testing for security loopholes in the
scope defined below. Apart from the following, no other information was
provided, and nothing was assumed at the start of the assessment. The
following was the scope covered under the security audit.
Web Application 1: [Link]
Web Application 2: [Link]
Web Application 3: [Link]
TESTING METHODOLOGY
My testing methodology was split into three phases: Reconnaissance,
Target Assessment, and Discovering Vulnerabilities. During
reconnaissance, I gathered information about the web applications.
Evidence of vulnerabilities was gathered during the later phases of the
engagement in a manner that would not disrupt normal business
operations.
The following image is a graphical representation of this methodology.
CLASSIFICATION
Risk Classification
Level        Score  Description
Critical     10     The vulnerability poses an immediate threat to the
                    organization. Successful exploitation may permanently
                    affect the organization. Remediation should be
                    performed immediately.
High         7-9    The vulnerability poses an urgent threat to the
                    organization, and remediation should be prioritized.
Medium       4-6    Successful exploitation is possible and may result in
                    notable disruption of business functionality. This
                    vulnerability should be remediated when feasible.
Low          1-3    The vulnerability poses a negligible/minimal threat to
                    the organization. The presence of this vulnerability
                    should be noted and remediated if possible.
Informative  0      These findings pose no clear threat to the
                    organization, but may cause business processes to
                    function differently than desired or reveal sensitive
                    information about the company.
ASSESSMENT FINDINGS
Number Findings CVSS Severity
1 Parameter Tampering 6.5 Medium
2 SQL Injection 9.1 Critical
3 Cryptographic Failure 7.5 High
VULNERABILITY #1
MEDIUM RISK (6.5/10)
Name of Vulnerability Parameter Tampering
Security Impact Medium
Vulnerability URL
[Link]
Security Implications
Parameter tampering is a type of web application vulnerability where
an attacker manipulates parameters exchanged between the client
(such as a web browser) and the server to perform unauthorized
actions. These parameters can include query strings in the URL, form
fields (especially hidden fields), cookies, headers, or even data sent
via POST requests in JSON or XML format.
The root cause of this vulnerability lies in the assumption that the data
sent from the client is always trustworthy, which unfortunately is not
true. Attackers can use tools like Burp Suite, OWASP ZAP, or even
browser developer tools to intercept and modify these values before
they reach the server.
Parameter tampering can also be used to escalate privileges. For
instance, if a form includes a hidden input field for user role, such as
role=user, an attacker may change it to role=admin. If the server
blindly accepts this value without checking the user’s actual
privileges, it could grant unauthorized administrative access.
Additionally, manipulating parameters that define file paths or
resource locations might allow attackers to perform directory
traversal attacks, potentially exposing sensitive server files.
To test for parameter tampering, security professionals often intercept
HTTP requests using tools like Burp Suite and alter the parameters
manually to observe how the application responds. They look for
signs that the application fails to properly validate input or enforce
authorization. If unauthorized access, privilege escalation, or data
manipulation is possible through these changes, the application is
considered vulnerable.
Steps to Reproduce
1. Open Burp Suite and configure your browser to use Burp as its proxy.
2. Ensure Burp Suite's Proxy intercept is turned on.
3. Go to the target URL [Link]
4. Add products to the cart and proceed to payment.
5. Burp Suite captures the checkout request and holds it before it is
sent to the server.
6. The request details are shown in the Proxy → Intercept tab.
7. Change the amount parameter (for example, set amount=1) to test for
price tampering.
8. After changing the value, click "Forward" to send the request to the
server.
9. Return to the browser: the payment reflects the edited amount,
showing that the server accepted the client-supplied value without
re-validating it.
Impact
1. Unauthorized Access – Attackers can view or edit other users’
data by changing IDs or parameters.
2. Price Manipulation – In e-commerce, attackers can change item
prices and buy products for very low amounts.
3. Privilege Escalation – Changing roles (e.g., from user to admin)
can give more access than allowed.
4. Fraudulent Transactions – In banking apps, attackers can
transfer money or change amounts illegally.
5. Validation Bypass – Client-side checks can be skipped, allowing
dangerous input.
6. Business & Legal Risks – Leads to financial loss, damaged
reputation, and legal issues for companies.
Mitigation Strategies:
1. Server-Side Validation – Always validate and re-check all inputs
on the server, not just in the client/browser.
2. Access Control Checks – Ensure users can only access their own
data (e.g., verify that an ID supplied by the user actually belongs
to that user).
3. Avoid Hidden Sensitive Parameters – Never carry sensitive values
such as prices or roles in hidden fields; look them up server-side
from the session or the product catalog.
4. Use Strong Session Management – Tie user state to server-side
session controls, not to user-modifiable parameters.
5. Encrypt or Sign Parameters – Where a value must round-trip through
the client, sign it (e.g., with an HMAC) and verify the signature on
the server; a signature detects modification but does not hide the
value.
6. Disable Client-Side Trust – Don't trust anything from the client.
Always assume it can be changed.
7. Logging and Monitoring – Detect unusual activity or parameter
changes using logs and alerts.
8. Use Web Application Firewalls (WAFs) – WAFs can help detect
and block common tampering attacks, but they are a supplementary
control, not a replacement for server-side checks.
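The following is an added example, not code from the report or from the assessed application. It reproduces the price-tampering flaw from the Steps to Reproduce (the server charges whatever amount the browser sent) beside a checkout handler that applies mitigations 1, 2, 3 and 5: the total is recomputed from a server-side catalog, cart ownership is checked against the session, and a value that must pass through the client is HMAC-signed and verified. The catalog, carts, field names and secret key are hypothetical.

```python
# Added example, not code from the report or the assessed application.
# Shows the price-tampering flaw above and the server-side handling the
# mitigations call for. Catalog, carts, field names and key are hypothetical.
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Hypothetical server-side catalog: the only trustworthy source of prices (cents).
CATALOG = {"SKU-100": 4999, "SKU-200": 1250}
# Hypothetical carts: cart id -> (owning user, {sku: quantity}).
CARTS = {"cart-7": ("alice", {"SKU-100": 1, "SKU-200": 2})}
SECRET_KEY = b"hypothetical-server-side-secret"


def _fields(body: str) -> dict:
    """Flatten a urlencoded POST body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def checkout_vulnerable(body: str) -> int:
    """Charges whatever 'amount' the browser sent: the flaw reproduced above
    (intercept the request, set amount=1, forward)."""
    return int(_fields(body)["amount"])


def checkout_hardened(session_user: str, body: str) -> int:
    """Recomputes the total server-side and enforces cart ownership; the
    client-supplied 'amount' is at most a consistency check, never the price."""
    fields = _fields(body)
    cart_id = fields.get("cart")
    if cart_id not in CARTS:
        raise PermissionError("unknown cart")
    owner, items = CARTS[cart_id]
    if owner != session_user:            # access-control check on the cart id
        raise PermissionError("cart belongs to another user")
    total = sum(CATALOG[sku] * qty for sku, qty in items.items())
    if "amount" in fields and int(fields["amount"]) != total:
        # Worth logging: the client claimed a total the server did not compute.
        raise ValueError("client-supplied amount does not match server total")
    return total


def sign_param(value: str) -> str:
    """HMAC-tag a value that must round-trip through the client (mitigation 5).
    The tag proves the server produced the value; it does not hide it."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_param(signed: str) -> Optional[str]:
    """Return the value if its tag verifies, else None (tampered or forged)."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    tampered = "cart=cart-7&amount=1"
    print("vulnerable charges:", checkout_vulnerable(tampered))
    try:
        checkout_hardened("alice", tampered)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened total:", checkout_hardened("alice", "cart=cart-7"))
    forged = "role=admin." + sign_param("role=user").split(".")[1]
    print("forged role verifies as:", verify_param(forged))
```

The hardened handler treats a mismatching client amount as an error rather than silently overriding it; that mismatch is exactly the event mitigation 7 (logging and monitoring) should alert on.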
References
[Link]
[Link]
VULNERABILITY #2
CRITICAL RISK (9.1/10)
Name of Vulnerability SQL Injection
Security Impact Severe
Vulnerability URL
[Link]
Security Implications
SQL Injection (SQLi) is an attack in which an attacker inserts or
"injects" malicious SQL (Structured Query Language) into the input fields
of a web application to manipulate the database behind it. It happens
when the application builds queries from user input without proper
validation or parameterization. For example, if a login form places the
user's input directly into a query such as:
SELECT * FROM users WHERE username = '<username>' AND password = '<password>';
an attacker could submit ' OR '1'='1 as the password, changing the
query's logic so that the condition is always true and possibly granting
unauthorized access to the application.
There are several types of SQL Injection, distinguished by how the
attacker obtains the result. One common form is Error-Based SQL
Injection, where the attacker uses error messages returned by the
database to extract information. Next is Union-Based SQL Injection,
which uses the UNION SQL operator to append a second query and display
data from other tables, such as usernames or passwords, inside the
normal response. Then comes Boolean-Based Blind SQL Injection, where the
attacker sends conditions that are true or false and observes changes
in the website's behavior to infer the database content one piece at a
time. Another is Time-Based Blind SQL Injection, where the attacker uses
time delays (such as SLEEP) in queries to check whether conditions are
true: if the server responds slowly, the condition held. Lastly,
Out-of-Band SQL Injection is used when the website gives no direct
feedback; instead, the database is made to send data through other
channels, such as DNS or HTTP requests to the attacker's server.
Steps to Reproduce
1. Go to the target URL [Link]
2. Click a product in the Product Detail section; the URL changes to
[Link]
3. Open a Linux terminal and run sqlmap against that URL to test the id
parameter and enumerate the databases:
➢ sqlmap -u "[Link]" --dbs
4. After the scan completes, the discovered databases are listed as
follows:
[Link]
5. Enumerate the tables of the 'cphulkd' database:
➢ sqlmap -u "[Link]" -D cphulkd --tables --batch
[Link]
6. sqlmap lists the tables as follows:
IMPACT
• Unauthorized data access
• Data leakage or theft
• Data manipulation or deletion
• Bypass of authentication
• Full system compromise
• Financial and reputational loss
Mitigation Strategies:
• Use Prepared Statements (Parameterized Queries) – Always use
prepared statements with parameterized inputs (e.g., using ? or
named parameters) instead of concatenating SQL strings
directly.
• Use Stored Procedures – Execute database operations through
stored procedures instead of building dynamic queries in code; this
only helps if the procedures themselves do not build dynamic SQL
from their arguments.
• Validate and Sanitize Input – Rigorously validate all user input
(type, length, format) so that only expected data is accepted; treat
this as defence in depth alongside parameterized queries, not as a
substitute for them.
• Use ORM (Object-Relational Mapping) Frameworks – ORMs
like Hibernate, Django ORM, or Entity Framework help abstract
and safely handle database operations.
• Limit Database Permissions – Use the principle of least
privilege by giving database accounts only the access they
absolutely need.
• Enable Web Application Firewall (WAF) – Deploy a WAF to
detect and block common SQL injection attempts.
• Escape User Input Carefully (if Needed) – If dynamic SQL is
unavoidable, escape user inputs using proper escaping functions.
• Regularly Update and Patch – Keep your database software and
application frameworks updated to fix known vulnerabilities.
• Conduct Regular Security Testing – Perform code reviews,
penetration testing, and use automated tools to detect SQL
injection vulnerabilities early.
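The following is an added example, not code from the report or from the assessed application. Against an in-memory SQLite database constructed here, it shows the string-built login query from the Security Implications section being bypassed with ' OR '1'='1, a UNION-based extraction through a numeric id parameter of the kind sqlmap tested in the Steps to Reproduce, and a boolean-based blind extraction that recovers a password one character at a time from nothing but "row returned / no row returned". Beside each vulnerable query is its parameterized form from the first mitigation. The schema, rows and field names are made up.

```python
# Added example, not code from the report or the assessed application. It
# reproduces the injection classes described above against an in-memory
# SQLite database constructed here, beside the parameterized versions the
# mitigations call for. Table layout and sample rows are made up.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema with an admin row worth stealing."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           password TEXT, role TEXT);
        INSERT INTO users(username, password, role)
            VALUES ('admin', 's3cret', 'admin'), ('bob', 'hunter2', 'user');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO products(name, price) VALUES ('Widget', 4999), ('Gadget', 1250);
    """)
    return con


def login_vulnerable(con, username: str, password: str):
    """String-built query: the pattern behind the login example above."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Parameterized: the input is bound as data and can never alter the query."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def product_vulnerable(con, product_id: str):
    """Numeric id concatenated straight from the query string (?id=1)."""
    return con.execute("SELECT name, price FROM products WHERE id = " + product_id).fetchall()


def product_safe(con, product_id: str):
    """Validate the type, then bind the value."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return con.execute("SELECT name, price FROM products WHERE id = ?", (pid,)).fetchall()


def blind_extract_password(con, username: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction through product_vulnerable: each probe
    observes only whether the product page returned a row (true) or nothing."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (f"1 AND (SELECT substr(password,{pos},1) FROM users "
                     f"WHERE username='{username}') = '{ch}'")
            if product_vulnerable(con, probe):
                found += ch
                break
        else:
            break                      # no character matched: end of string
    return found


if __name__ == "__main__":
    con = build_db()
    bypass = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(con, bypass, bypass))
    print("safe login:", login_safe(con, bypass, bypass))
    print("union:", product_vulnerable(con, "0 UNION ALL SELECT username, password FROM users"))
    print("blind:", blind_extract_password(con, "admin"))
    print("safe product:", product_safe(con, "0 UNION ALL SELECT username, password FROM users"))
```

The blind extraction is the manual version of what sqlmap automates: it never sees the password in a response, only whether the page rendered a product. Note that the safe product lookup rejects the UNION payload on type validation before the database is ever reached, and that the parameterized login returns nothing for the bypass string because the quotes inside it are data, not syntax.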
References
[Link]
[Link]
VULNERABILITY #3
HIGH RISK (7.5/10)
Name of Vulnerability Cryptographic Failure
Security Impact High
Vulnerability URL
[Link]
Security Implications
Cryptographic failures, previously referred to as "sensitive data
exposure" in the OWASP Top 10, refer to vulnerabilities that arise when
cryptographic methods are improperly implemented or entirely
neglected. These failures can result in the exposure of sensitive
information such as passwords, credit card numbers, personal data, and
confidential communications. A cryptographic failure doesn't
necessarily mean the cryptographic algorithm itself is broken, but
rather that it has been misused or applied incorrectly, such as using
outdated algorithms, weak key sizes, poor key management practices,
or insecure storage of cryptographic keys.
Cryptographic failures also include improper implementation of
encryption protocols. For instance, developers might incorrectly
implement encryption libraries, skip certificate validation, or use
predictable initialization vectors (IVs), making even strong algorithms
ineffective. These missteps can often go unnoticed during development
and testing but can be exploited in real-world attacks, such as man-in-
the-middle attacks or database breaches.
Steps to Reproduce
1. Go to the target URL [Link]
2. Navigate to the login page.
3. Open Wireshark and start capturing network traffic. Then enter the
credentials on the login page and log in.
4. Go back to Wireshark and stop the packet capture.
5. Apply a display filter to narrow the capture to HTTP POST requests:
[Link] == POST
6. In the filtered request, the username and password are visible in
plain text when the form is submitted without transport encryption
(HTTPS).
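The following is an added example, not code from the report. It performs the same check as the Wireshark steps above, offline, on a constructed capture: narrow to POST requests, parse the form body, and report any credential fields readable in it. A constructed TLS record is included to show why the same login over HTTPS yields nothing to the sniffer. The request bytes, host name and field names are made up; nothing here comes from the assessed site.

```python
# Added example, not code from the report. It performs the check behind the
# Wireshark step above on a constructed capture: narrow to POST requests and
# look for credential fields readable in the body. The request bytes, host
# and field names are made up; nothing here comes from the assessed site.
from urllib.parse import parse_qs

# Constructed sample of a login form submitted over plain HTTP.
CAPTURED_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=alice&password=Winter2025!"
)
# Constructed first bytes of a TLS 1.x handshake record; the payload of an
# HTTPS login is opaque to the sniffer, which is the point of the fix.
CAPTURED_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "token", "otp"}


def looks_like_tls(raw: bytes) -> bool:
    """TLS records start with content type 0x16 (handshake) and version 0x03xx."""
    return raw[:1] == b"\x16" and raw[1:2] == b"\x03"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cleartext_credentials(raw: bytes) -> dict:
    """Return the secret form fields readable in a captured request, or {}."""
    if looks_like_tls(raw):
        return {}                                   # encrypted: nothing to read
    try:
        method, _, headers, body = parse_http_request(raw)
    except ValueError:
        return {}
    if method != "POST":                            # same narrowing as the filter
        return {}
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"))
    return {k: v[0] for k, v in fields.items() if k.lower() in SECRET_FIELDS}


if __name__ == "__main__":
    print("http capture:", cleartext_credentials(CAPTURED_POST))
    print("tls capture:", cleartext_credentials(CAPTURED_TLS))
```

The function deliberately stops at the form-encoded case; a JSON login body would need its own parser, and a basic-auth header its own decoder, but the finding is the same in each case: anything readable here was readable to everyone on the path.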
IMPACT
• Data Exposure – Sensitive information like passwords,
credit card details, or personal data can be leaked.
• Unauthorized Access – Attackers may gain access to
systems or accounts without proper authentication.
• Identity Theft – Exposed personal data can be used for
impersonation or fraud.
• Financial Loss – Organizations may face direct losses or
fines due to data breaches.
• Loss of Trust – Users may lose confidence in the security
of the system or service.
• Regulatory Penalties – Non-compliance with data
protection laws can lead to legal consequences.
• System Compromise – Weak encryption can allow
attackers to alter or inject malicious data.
MITIGATION STRATEGIES
• Use Strong, Updated Algorithms – Always use modern, vetted
algorithms such as AES-256, RSA-2048 or larger, and SHA-256; avoid
MD5, SHA-1, DES and RC4.
• Enable HTTPS (TLS) – Ensure secure transmission of data over
networks by enforcing HTTPS using strong TLS configurations.
• Implement Proper Key Management – Store cryptographic keys
securely, use hardware security modules (HSMs), and rotate
keys regularly.
• Encrypt Data at Rest and in Transit – Always encrypt sensitive
data both when stored and when being transmitted.
• Avoid Hardcoded Secrets – Never hardcode keys, passwords, or
tokens in code; use secure vaults or environment variables.
• Use Salted Hashing for Passwords – Apply a strong hashing
algorithm with unique salts for each password (e.g., bcrypt,
Argon2).
• Validate Certificates Properly – Ensure correct certificate
validation to prevent man-in-the-middle (MITM) attacks.
• Regular Security Audits – Conduct frequent code reviews and
security assessments to identify and fix cryptographic flaws.
• Follow Security Best Practices and Standards – Adhere to
OWASP guidelines, NIST standards, and industry-specific
regulations.
References
[Link]
[Link]
APPENDIX A – TOOLS USED
TOOLS                     DESCRIPTION
Burp Suite Professional   Used for web application penetration testing
Acunetix                  Automated web vulnerability scanner
Wireshark                 Used to capture and analyze network traffic
APPENDIX B – ENGAGEMENT INFORMATION
Contact Information
Name MARTIN D
Phone 8300259940
Email martinroy6982@[Link]
CONCLUSION
The primary goal of this assessment is the identification of specific,
documented vulnerabilities and their timely remediation. This matters
for any organisation with an Internet presence, because attackers are
able to take advantage of any loophole or flaw that may be present.
Vulnerability assessments also provide an organisation with the
knowledge, awareness and risk context needed to understand and react
to threats to its environment. A vulnerability assessment process is
intended to identify threats and the risks they pose.