AAPPPPLLIICCAATTIIOONN PPEENNEETTRRAATTIIOONN TTEESSTT SSUUPPEERR VVEEDDAA
March 2004
Document Version 1.00
Imperva
All rights reserved
This document is the property of Imperva who owns the copyright therein. The information in this document is given in confidence and without the written consent of Imperva given by contract or otherwise the document must not be copied reprinted or reproduced in any material form either wholly or in part nor must the contents of the document or any method or technique available there from be disclosed to any third party.
LEGAL NOTICE
DOCUMENT DETAILS
Document Type: Application Penetration Test Project Name: Super Veda Document Version: 1.00 Created by: Application Defense Center Creation Date: 17/03/04
REVISION HISTORY
VERSION DATE AUTHOR CHANGE DESCRIPTION
1.00 17/03/2004 ADC Document Created
COPYRIGHTS 2004, Imperva Ltd.
This document contains proprietary and confidential material of Imperva. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This document is solely for the use by Imperva employees and authorized Imperva customers.
This is an unpublished work protected under the copyright laws. All rights reserved.
REFERENCES
REF DOCUMENT VERSION DATE
Note: To simplify cross-referencing a raised numeric in this document will refer to the above
reference document.
ACKNOWLEDGMENTS This specification was developed with input from:
NAME COMPANY FUNCTION LOCATION PHONE
CONTACTS For more information about this document or its contents, please contact:
Imperva Professional Services:
ADC IMPERVA.COM
TABLE of CONTENTS
References.........................................................................................................................................3
Acknowledgments .............................................................................................................................3
Contacts ...........................................................................................................................................3
1 Introduction............................................................................................................................6
2 Scope & Limitations ..............................................................................................................7
2.1 Scope......................................................................................................................................7
2.2 Limitations .............................................................................................................................7
2.3 Method ...................................................................................................................................7
2.4 Prior Knowledge....................................................................................................................7
3 Application Description.........................................................................................................8
3.1 Functionality..........................................................................................................................8
3.2 Technology.............................................................................................................................9
4 Summary of Results.............................................................................................................10
4.1 Reading the Entire Database Contents...............................................................................10
4.2 Unauthorized Access to Accounts .......................................................................................10
4.3 Obtaining a Discount for Purchases...................................................................................10
4.4 Parameters Tampering........................................................................................................11
4.5 Script Injection into Administrators Browser....................................................................11
4.6 Script Injection into USERS BROWSER ...........................................................................11
4.7 Cross-site Scripting .............................................................................................................12
4.8 Permissions Misuse .............................................................................................................12
4.9 Forceful Browsing ...............................................................................................................12
4.10 Information Disclosure...................................................................................................12
5 Detailed results.....................................................................................................................14
5.1 Reading the Entire Database Contents...............................................................................14 5.1.1 showproducts.asp ...........................................................................................................................14 5.1.2 proddetails.asp................................................................................................................................17 5.1.3 addcomment.asp.............................................................................................................................18 5.1.4 dosearch.asp ...................................................................................................................................19 5.1.5 getstates.asp....................................................................................................................................20
5.2 Unauthorized Access to Accounts .......................................................................................20
5.3 Obtaining a Discount for Purchases...................................................................................22
5.4 Parameters Tampering........................................................................................................24
5.5 Script Injection into Administrators Browser....................................................................27
5.6 Script Injection into Users Browser ..................................................................................28
5.7 Cross-site Scripting .............................................................................................................30
5.8 Permissions Misuse .............................................................................................................31
5.9 Forceful Browsing ...............................................................................................................31
5.10 Information Disclosure........................................................................................................31
6 Recommendations................................................................................................................33
6.1 Avoiding SQL Injection .......................................................................................................33
6.2 Obtaining a Discount for Purchases...................................................................................34
6.3 Parameters Tampering........................................................................................................34
6.4 Scripts Handling ..................................................................................................................34
6.5 Permissions Misuse .............................................................................................................35
6.6 Forceful Browsing ...............................................................................................................35
6.7 Information Disclosure........................................................................................................35
Appendix A - Reading the Entire Database Contents...............................................................36
Appendix B - Unauthorized Access to Accounts........................................................................53
Appendix C - Obtaining a Discount for Purchases ...................................................................55
Appendix D - Parameters Tampering ........................................................................................60
Appendix E - Script Injection into Administrators Browser ..................................................67
Appendix F - Script Injection into Users Browser ...................................................................69
Appendix G - Cross-site Scripting ..............................................................................................72
Application Penetration Test for Super Veda
- Sample Report -
Imperva
Page 6 of 73
1 INTRODUCTION The document hereby describes the proceedings and results of an application penetration test conducted against Imperva's demonstration application located on veda1.imperva.com. The penetration test took place during the month of November as part of an internal research. The penetration test was performed by application security experts from Imperva.
Application Penetration Test for Super Veda
- Sample Report -
Imperva
