Geez Security
Penetration Test
Report of Findings
Table of Contents
CONFIDENTIALITY
DISCLAIMERS
Proprietary Information
Executive Summary
Assessment Summary
Strategic Recommendation
Technical Summary
Scope
System Information
Software Information
Post Assessment Clean-up
Final Findings Overview
Vulnerability 1: SQL Injection – Login Bypass
Vulnerability 2: Admin Panel Exposure
Vulnerability 3: Stored Cross-Site Scripting
Vulnerability 4: Reflected Cross-Site Scripting
Vulnerability 5: Insecure Direct Object Reference
Vulnerability 6: Brute-Force Login Attack
Summary of Findings
Conclusion
Appendix A: Tools and Techniques
Appendix B: Glossary
GTST
1/1/2001
PENETRATION TESTING REPORT TEMPLATE
CONFIDENTIALITY
Under no circumstances shall I be held responsible for any special, incidental, indirect, or
consequential damages resulting from the use of this information. This document contains
confidential and proprietary information belonging to the OWASP Foundation. It is crucial that
caution is exercised before sharing copies of this document or any of its contents. I have
granted our designated point of contact at the OWASP Foundation the authority to access,
review, and distribute this document in alignment with their internal policies and procedures.
This document should be clearly labeled as “CONFIDENTIAL” and shared strictly on a need-to-know basis.
DISCLAIMERS
This report reflects the system's state at the time of testing. Vulnerabilities discovered may change over
time. Remediation advice is based on best practices but should be reviewed in the context of your
organization.
Proprietary Information
The information contained in this document is deemed proprietary and must not be shared outside of
the recipient organization’s network. The OWASP Foundation grants permission to reproduce this report
solely for internal distribution within your organization or to any relevant regulatory authorities.
Contact Information
Abreham Abebe – Junior Penetration Tester
Email: [email protected]
Phone: (+251) 930368324
OWASP Foundation (OWASP Juice Shop)
Email: [email protected]
Phone: +1 951-692-7703
GTST 2
Executive Summary
This report summarizes the results of a penetration test conducted on the OWASP Juice Shop
application as part of a Capture The Flag (CTF) exercise. The objective was to identify exploitable
vulnerabilities that reflect real-world security flaws in modern web applications. All vulnerabilities were
successfully exploited using common tools and techniques, including Burp Suite, browser developer
tools, and publicly available wordlists.
The results of this assessment demonstrate that the application contains multiple attack vectors that
could lead to unauthorized access, data leakage, privilege escalation, or full application compromise if
left unresolved. It is strongly recommended that the identified vulnerabilities be remediated immediately
and that secure development practices—including input validation, proper access control, and
authentication hardening—be applied throughout the application.
Assessment Summary
During the penetration testing of the OWASP Juice Shop application, six high-impact vulnerabilities
were discovered and successfully exploited. These findings demonstrate real-world attack scenarios and
highlight serious weaknesses in the application's authentication, access control, and input validation
mechanisms. These vulnerabilities present a significant risk to the security of the application. If exploited
in a production environment, they could result in full administrative compromise, theft of user data, and
malicious manipulation of site content. Each issue was demonstrated using standard tools such as Burp
Suite, browser dev tools, and public wordlists, confirming that exploitation does not require advanced
resources or techniques.
Phase  Description                          Critical  High  Medium  Low  Total
1      Web Application Penetration Testing  2         3     1       0    6
Strategic Recommendation
The vulnerabilities identified during this assessment pose a serious threat to the confidentiality,
integrity, and availability of the application and its user data. Several of the issues—such as SQL
injection, exposed administrative functionality, and weak authentication mechanisms—can be exploited
with minimal effort using publicly available tools.
Technical Summary
#  Vulnerability                                     Severity  CVSS v3 Score (Est.)  Definition
1  SQL Injection – Login Bypass                      Critical  9.8                   Unauthenticated SQL injection allowed full admin login bypass.
2  Admin Panel Exposure – Unauthenticated Access     Critical  9.1                   Exposed administrative interface accessible without proper authorization.
3  Persistent Cross-Site Scripting (XSS)             High      8.2                   Stored XSS payload triggered in the admin panel, leading to potential hijack.
4  Reflected & DOM-Based Cross-Site Scripting (XSS)  High      7.8                   Executable scripts injected via search field and URL query parameters.
5  Improper Access Control – Shopping Basket         High      7.6                   Accessed another user’s cart by modifying intercepted request parameters.
6  Brute-Force Admin Login – Weak Authentication     Medium    6.2                   Admin password guessed using best1050.txt wordlist; no rate limiting.
Scope
Field              Value
Assessment Type    Web Application Penetration Test
IP Address / Host  http://10.10.87.13
Testing Platform   OWASP Juice Shop CTF (TryHackMe)
Tools Used         Burp Suite, Firefox (FoxyProxy), Wordlists (best1050.txt)
System Information
Field               Details
Operating System    Linux (Kali Linux used as the testing environment)
Open Ports          80/tcp (HTTP), 443/tcp (HTTPS)
Web Server          Node.js with Express.js backend, Angular-based frontend
Software Platform   OWASP Juice Shop – intentionally vulnerable web application
Testing Tools Used  Burp Suite, FoxyProxy, best1050.txt (SecLists), Firefox Dev Tools
Software Information
Field       Details
Frameworks  Angular (Frontend), Node.js with Express.js (Backend)
Tools Used  Burp Suite, Firefox Dev Tools (Ctrl+Shift+C), FoxyProxy, SecLists
Plugins     FoxyProxy
Post Assessment Clean-up
No changes made to target system. Test accounts and data should be reviewed and removed.
Final Findings Overview
Ref      Description                                              Risk
ref-1-1  SQL Injection – Login Bypass                             CRITICAL
ref-1-2  Admin Panel Exposure – Unauthenticated Access            CRITICAL
ref-1-3  Persistent Cross-Site Scripting (XSS) – Stored Payload   HIGH
ref-1-4  Reflected & DOM-Based Cross-Site Scripting (XSS)         HIGH
ref-1-5  Improper Access Control – Shopping Basket                HIGH
ref-1-6  Brute-Force Admin Login – Weak Authentication Mechanism  MEDIUM
Technical Detail
Vulnerability 1: SQL Injection – Login Bypass
Field                      Details
Vulnerability              SQL Injection – Login Bypass
Ref ID                     ref-1-1
Risk/Severity              Critical
Vulnerability Explanation  The login form fails to sanitize SQL input, allowing attackers to manipulate authentication logic.
Affects                    /rest/user/login
Parameter(s)               email, password
Attack Vectors             ' OR 0=0 --
Screenshot                 [image not reproduced]
Vulnerability Description  By injecting SQL syntax into the email field, an attacker can bypass login restrictions and gain access to any account, including the administrator.
Proof                      Successful login as admin using Burp Suite and the payload ' OR 0=0 --.
Recommendation             Use parameterized queries and input sanitization.
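To illustrate the recommendation above, the following added example (not Juice Shop code) builds the same login lookup by string concatenation and with bound parameters, and includes a small helper that shows why the payload from this finding changes the statement's structure. The table and column names are hypothetical; `?` is the placeholder style used by drivers such as sqlite3 and mysql.

```javascript
// Added example (not Juice Shop code). Table/column names are hypothetical.
const LOGIN_SQL = 'SELECT * FROM Users WHERE email = ? AND password = ?';

// Vulnerable: user input becomes part of the SQL text. The payload
// ' OR 0=0 -- closes the email literal, adds an always-true condition
// and comments out the password check.
function buildLoginQueryUnsafe(email, password) {
  return "SELECT * FROM Users WHERE email = '" + email +
         "' AND password = '" + password + "'";
}

// Hardened: the SQL text is a constant and the values travel separately,
// so they can only ever be compared as data. (A real implementation
// compares a password hash, not the raw password.)
function buildLoginQuerySafe(email, password) {
  return { sql: LOGIN_SQL, params: [email, password] };
}

// Reduce a statement to its shape by replacing every quoted literal with
// ?, so two queries with different data but the same structure compare
// equal. Coarse, but enough to expose a literal that was broken out of.
function queryShape(sql) {
  return sql.replace(/'[^']*'/g, '?');
}

// True when the concatenated statement still has the intended structure
// for this input; false means the input rewrote the query itself.
function concatenationKeepsShape(email, password) {
  return queryShape(buildLoginQueryUnsafe(email, password)) === LOGIN_SQL;
}
```

With the parameterized form, `queryShape(sql)` is always `LOGIN_SQL` regardless of input, which is the property a code review or unit test can check for.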
Vulnerability 2: Admin Panel Exposure – Unauthenticated Access
Field                      Details
Vulnerability              Admin Panel Exposure – Unauthenticated Access
Ref ID                     ref-1-2
Risk/Severity              Critical
Vulnerability Explanation  Lack of authentication and access control on sensitive admin routes.
Affects                    /administration
Parameter(s)               URL path
Attack Vectors             Direct path access discovered via dev tools
Screenshot                 [image not reproduced]
Vulnerability Description  An attacker can access the admin interface and sensitive data by directly visiting the exposed endpoint.
Proof                      Accessed /administration via browser dev tools (Ctrl+Shift+C) without authentication.
Recommendation             Apply proper access controls and restrict admin-only routes.
Vulnerability 3: Persistent Cross-Site Scripting (XSS)
Field                      Details
Vulnerability              Stored Cross-Site Scripting (XSS)
Ref ID                     ref-1-3
Risk/Severity              High
Vulnerability Explanation  Malicious scripts persist in the application and execute in privileged views.
Affects                    /rest/saveLoginIP
Parameter(s)               IP address input
Attack Vectors             <script>alert('XSS')</script>
Vulnerability Description  Stored input is rendered without sanitization, executing scripts in the admin panel.
Proof                      Alert triggered upon admin viewing the login IP history.
Recommendation             Encode output and implement input validation. Enable CSP.
Vulnerability 4: Reflected & DOM-Based Cross-Site Scripting (XSS)
Field                      Details
Vulnerability              Reflected Cross-Site Scripting (XSS)
Ref ID                     ref-1-4
Risk/Severity              High
Vulnerability Explanation  Inputs reflected in the DOM or HTML without proper encoding.
Affects                    Search and tracking fields
Parameter(s)               URL parameters
Attack Vectors             ?search=<script>alert(1)</script>
Vulnerability Description  JavaScript is executed by reflecting user-controlled input in the client-side page logic.
Proof                      Injected scripts executed in real time during navigation or search.
Recommendation             Sanitize inputs and apply secure front-end frameworks.
Vulnerability 5: Improper Access Control – Shopping Basket
Field                      Details
Vulnerability              Insecure Direct Object Reference (IDOR)
Ref ID                     ref-1-5
Risk/Severity              High
Vulnerability Explanation  Users can access or modify resources that do not belong to them.
Affects                    /rest/basket/:id
Parameter(s)               Basket ID
Attack Vectors             Intercept and modify request in Burp Suite
Screenshot                 [image not reproduced]
Vulnerability Description  The application fails to enforce user/session bindings, allowing data exposure across accounts.
Proof                      Accessed another user’s basket by altering the ID value in an HTTP request.
Recommendation             Enforce authorization checks based on session ownership.
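The recommendations for Vulnerability 2 (restrict /administration to administrators) and Vulnerability 5 (bind /rest/basket/:id to the owning session) can be met by one deny-by-default authorization layer. The following is an added example, not Juice Shop code; the router, session shape, role names and sample baskets are all hypothetical.

```javascript
// Added example (not Juice Shop code). Constructed sample data: basket id -> owner.
const BASKETS = new Map([
  [1, { id: 1, userId: 11, items: ['Apple Juice'] }],
  [2, { id: 2, userId: 22, items: ['Lemon Juice'] }],
]);

// Route rules: each names the check that must pass before a handler runs.
// A path with no matching rule is denied (public routes would need an
// explicit allow rule), so a forgotten route fails closed.
const RULES = [
  { pattern: /^\/administration(\/|$)/, check: requireRole('admin') },
  { pattern: /^\/rest\/basket\/(\d+)$/, check: requireBasketOwner },
];

// Role check for admin-only routes: wrong role -> 403.
function requireRole(role) {
  return (session) => (session.role === role ? 200 : 403);
}

// Ownership check for object routes. A basket that exists but belongs to
// someone else is answered like a missing one (404), so that valid ids
// cannot be enumerated by probing.
function requireBasketOwner(session, match) {
  const basket = BASKETS.get(Number(match[1]));
  return basket && basket.userId === session.userId ? 200 : 404;
}

// Returns the HTTP status the access layer would give this request.
// Unauthenticated callers are rejected before any rule is consulted.
function authorize(session, path) {
  if (!session || !Number.isInteger(session.userId)) return 401;
  for (const rule of RULES) {
    const match = path.match(rule.pattern);
    if (match) return rule.check(session, match);
  }
  return 403; // no rule matched: deny by default
}
```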
Vulnerability 6: Brute-Force Admin Login – Weak Authentication
Field                      Details
Vulnerability              Brute-Force Login – No Rate Limiting
Ref ID                     ref-1-6
Risk/Severity              Medium
Vulnerability Explanation  No protection mechanisms against repeated login attempts.
Affects                    /rest/user/login
Parameter(s)               email, password
Attack Vectors             Wordlist brute-force using best1050.txt
Screenshot                 [image not reproduced]
Vulnerability Description  An attacker can guess valid login credentials due to missing rate limiting and CAPTCHA.
Proof                      Admin password successfully guessed and login confirmed with 200 OK.
Recommendation             Implement rate limiting, account lockout, and multi-factor authentication.
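The rate limiting and lockout recommended above can be implemented as a per-account guard in front of the password check. The following is an added example, not Juice Shop code; the thresholds, key format, the stand-in wordlist and the injected clock are hypothetical and chosen so the effect on a best1050.txt-style run can be measured.

```javascript
// Added example (not Juice Shop code). Thresholds and names are hypothetical.
function createLoginGuard({ maxFailures = 5, windowMs = 60_000,
                            lockoutMs = 15 * 60_000, now = Date.now } = {}) {
  const records = new Map(); // key (e.g. email + client IP) -> counters

  // Gate one login attempt. `verify` runs only when the key is not locked
  // out, so the password comparison itself cannot be hammered.
  function attempt(key, verify) {
    const t = now();
    let rec = records.get(key);
    if (rec && rec.lockedUntil > t) {
      return { status: 'locked', retryAfterMs: rec.lockedUntil - t };
    }
    if (!rec || t - rec.windowStart >= windowMs) {
      rec = { windowStart: t, failures: 0, lockedUntil: 0 }; // new window
      records.set(key, rec);
    }
    if (verify()) {
      records.delete(key); // success clears the counters
      return { status: 'ok', retryAfterMs: 0 };
    }
    rec.failures += 1;
    if (rec.failures >= maxFailures) { // threshold reached: lock out
      rec.lockedUntil = t + lockoutMs;
      return { status: 'locked', retryAfterMs: lockoutMs };
    }
    return { status: 'denied', retryAfterMs: 0 };
  }
  return { attempt };
}

// Replays a wordlist against the guard and reports how many guesses the
// password check actually evaluated before the run was shut down.
function simulateWordlistAttack(guard, key, wordlist, realPassword) {
  let evaluated = 0;
  let last = null;
  for (const guess of wordlist) {
    last = guard.attempt(key, () => { evaluated += 1; return guess === realPassword; });
    if (last.status === 'ok') break;
  }
  return { evaluated, finalStatus: last.status, total: wordlist.length };
}

// Constructed stand-in for best1050.txt: 1050 guesses, the real password
// (hypothetical) far down the list.
const SAMPLE_WORDLIST = Array.from({ length: 1050 }, (_, i) => `guess${i}`);
SAMPLE_WORDLIST[800] = 'correct-horse';
```

Without the guard every one of the 1050 guesses reaches the password check; with it only `maxFailures` do, and the rest are answered with a lockout status that can also be logged as a brute-force indicator.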
Summary of Findings
The following list is a summary of items requiring remediation:
Issue ID  Description                                    Risk Rating
issue-1   SQL Injection – Admin Bypass                   CRITICAL
issue-2   Admin Panel Exposure – Unauthenticated Access  CRITICAL
issue-3   Persistent Cross-Site Scripting (XSS)          HIGH
issue-4   Reflected & DOM-Based XSS                      HIGH
issue-5   Improper Access Control – Shopping Basket      HIGH
issue-6   Brute-Force Admin Login – Weak Authentication  MEDIUM
Conclusion
The OWASP Juice Shop penetration test successfully demonstrated how common web application
vulnerabilities can be discovered and exploited in a real-world simulation. The six confirmed
vulnerabilities—including SQL Injection, multiple forms of Cross-Site Scripting, broken access controls,
admin panel exposure, and weak login protections—highlight serious security flaws that, if exploited in a
live environment, could result in complete compromise of the application and its users.
Each issue was verified using common penetration testing tools such as Burp Suite, browser developer
tools, and public wordlists. These findings show that even without advanced tools or techniques, an
attacker could leverage basic methods to gain unauthorized access and manipulate application
functionality. It is strongly recommended that the identified vulnerabilities be remediated as a priority,
and that secure development practices be adopted going forward. Additionally, continuous security
testing and monitoring should be implemented to ensure the long-term protection of the application
and its users.
Appendices
Appendix A: Tools and Techniques
Kali Linux (testing environment)
Burp Suite
FoxyProxy (proxy configuration)
SecLists (best1050.txt wordlist)
Browser Developer Tools (Firefox – Ctrl+Shift+C)
Appendix B: Glossary
SQL Injection (SQLi): Injecting SQL queries via input fields to manipulate database queries and
bypass authentication.
XSS (Cross-Site Scripting): Injecting malicious scripts into web pages, which then execute in
another user’s browser.
Brute Force Attack: Attempting many passwords rapidly using automation or wordlists to gain
unauthorized access.
Broken Access Control: Flaws in authorization checks that allow users to access resources they
shouldn't.
Admin Panel Exposure: Unauthenticated access to administrative interfaces that should be
restricted.