Veda Penetration Test - Final - Application Penetration Test for Super Veda - Sample Report - Imperva


  • APPLICATION PENETRATION TEST SUPER VEDA

    March 2004

    Document Version 1.00

    Imperva

    All rights reserved

    This document is the property of Imperva, who owns the copyright therein. The information in this document is given in confidence, and without the written consent of Imperva, given by contract or otherwise, the document must not be copied, reprinted or reproduced in any material form, either wholly or in part, nor must the contents of the document, or any method or technique available therefrom, be disclosed to any third party.

  • LEGAL NOTICE

    DOCUMENT DETAILS

    Document Type: Application Penetration Test
    Project Name: Super Veda
    Document Version: 1.00
    Created by: Application Defense Center
    Creation Date: 17/03/04

    REVISION HISTORY

    VERSION   DATE         AUTHOR   CHANGE DESCRIPTION
    1.00      17/03/2004   ADC      Document Created

    COPYRIGHTS 2004, Imperva Ltd.

    This document contains proprietary and confidential material of Imperva. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This document is solely for the use by Imperva employees and authorized Imperva customers.

    This is an unpublished work protected under the copyright laws. All rights reserved.

  • REFERENCES

    REF DOCUMENT VERSION DATE

    Note: To simplify cross-referencing, a raised numeral in this document refers to the corresponding reference document listed above.

    ACKNOWLEDGMENTS

    This specification was developed with input from:

    NAME COMPANY FUNCTION LOCATION PHONE

    CONTACTS

    For more information about this document or its contents, please contact:

    Imperva Professional Services:

    ADC IMPERVA.COM

  • TABLE of CONTENTS

    References.........................................................................................................................................3

    Acknowledgments .............................................................................................................................3

    Contacts ...........................................................................................................................................3

    1 Introduction............................................................................................................................6

    2 Scope & Limitations ..............................................................................................................7

    2.1 Scope......................................................................................................................................7

    2.2 Limitations .............................................................................................................................7

    2.3 Method ...................................................................................................................................7

    2.4 Prior Knowledge....................................................................................................................7

    3 Application Description.........................................................................................................8

    3.1 Functionality..........................................................................................................................8

    3.2 Technology.............................................................................................................................9

    4 Summary of Results.............................................................................................................10

    4.1 Reading the Entire Database Contents...............................................................................10

    4.2 Unauthorized Access to Accounts .......................................................................................10

    4.3 Obtaining a Discount for Purchases...................................................................................10

    4.4 Parameters Tampering........................................................................................................11

    4.5 Script Injection into Administrators Browser....................................................................11

    4.6 Script Injection into Users Browser ...........................................................................11

    4.7 Cross-site Scripting .............................................................................................................12

    4.8 Permissions Misuse .............................................................................................................12

    4.9 Forceful Browsing ...............................................................................................................12

    4.10 Information Disclosure...................................................................................................12

    5 Detailed results.....................................................................................................................14

    5.1 Reading the Entire Database Contents...............................................................................14

    5.1.1 showproducts.asp ...........................................................................................................................14

    5.1.2 proddetails.asp................................................................................................................................17

    5.1.3 addcomment.asp.............................................................................................................................18

    5.1.4 dosearch.asp ...................................................................................................................................19

    5.1.5 getstates.asp....................................................................................................................................20

    5.2 Unauthorized Access to Accounts .......................................................................................20

    5.3 Obtaining a Discount for Purchases...................................................................................22

    5.4 Parameters Tampering........................................................................................................24

    5.5 Script Injection into Administrators Browser....................................................................27

    5.6 Script Injection into Users Browser ..................................................................................28

    5.7 Cross-site Scripting .............................................................................................................30

    5.8 Permissions Misuse .............................................................................................................31

    5.9 Forceful Browsing ...............................................................................................................31

    5.10 Information Disclosure........................................................................................................31

    6 Recommendations................................................................................................................33

    6.1 Avoiding SQL Injection .......................................................................................................33

    6.2 Obtaining a Discount for Purchases...................................................................................34

    6.3 Parameters Tampering........................................................................................................34

    6.4 Scripts Handling ..................................................................................................................34

    6.5 Permissions Misuse .............................................................................................................35

    6.6 Forceful Browsing ...............................................................................................................35

    6.7 Information Disclosure........................................................................................................35

    Appendix A - Reading the Entire Database Contents...............................................................36

    Appendix B - Unauthorized Access to Accounts........................................................................53

    Appendix C - Obtaining a Discount for Purchases ...................................................................55

    Appendix D - Parameters Tampering ........................................................................................60

    Appendix E - Script Injection into Administrators Browser ..................................................67

    Appendix F - Script Injection into Users Browser ...................................................................69

    Appendix G - Cross-site Scripting ..............................................................................................72

  • Application Penetration Test for Super Veda

    - Sample Report -

    Imperva

    Page 6 of 73

    1 INTRODUCTION

    This document describes the proceedings and results of an application penetration test conducted against Imperva's demonstration application, located at veda1.imperva.com. The penetration test took place during the month of November as part of internal research, and was performed by application security experts from Imperva.
