VAPT Report for Warsaw Dynamics

Description: Vulnerability Assessment and Penetration Testing (VAPT)

Draft Date: January 9, 2024
Finalized report date: January 12, 2024


Executive Summary

This report presents the findings of a vulnerability assessment and penetration test (VAPT) conducted for Warsaw Dynamics in January 2024.


Introduction

  • Objective: To identify security vulnerabilities in Warsaw Dynamics' web application and network.

  • Scope: Web application and internal network.

  • Methodology: Automated and manual testing, using the OWASP Top 10 as the checklist for the web application.


Vulnerability Assessment Findings

Target: Java Application - dependencies
Description: dependency scan reports 3 CRITICAL, 11 HIGH and 16 MEDIUM findings (see Conclusion)

Target: NGINX version
Description: nginx/1.18.0 (Debian package 1.18.0-6.1+deb11u3)
Status: receives security updates from Debian 11 (bullseye) until its regular security support ends in July 2024

Target: Open ports
Description: only 80/tcp and 443/tcp are open; the other 65533 TCP ports are filtered (no response). The scan below is TCP only (SYN scan of all 65535 ports); UDP was not scanned.

> nmap -p1-65535 -v 51.77.42.240
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 20:32 CET
Initiating Ping Scan at 20:32
Scanning 51.77.42.240 [4 ports]
Completed Ping Scan at 20:32, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:32
Completed Parallel DNS resolution of 1 host. at 20:32, 0.05s elapsed
Initiating SYN Stealth Scan at 20:32
Scanning ns3146018.ip-51-77-42.eu (51.77.42.240) [65535 ports]
Discovered open port 80/tcp on 51.77.42.240
Discovered open port 443/tcp on 51.77.42.240
SYN Stealth Scan Timing: About 14.62% done; ETC: 20:36 (0:03:01 remaining)
SYN Stealth Scan Timing: About 29.95% done; ETC: 20:36 (0:02:23 remaining)
SYN Stealth Scan Timing: About 42.08% done; ETC: 20:36 (0:02:05 remaining)
SYN Stealth Scan Timing: About 57.98% done; ETC: 20:36 (0:01:28 remaining)
SYN Stealth Scan Timing: About 72.79% done; ETC: 20:36 (0:00:56 remaining)
Completed SYN Stealth Scan at 20:36, 206.70s elapsed (65535 total ports)
Nmap scan report for ns3146018.ip-51-77-42.eu (51.77.42.240)
Host is up, received echo-reply ttl 53 (0.055s latency).
Scanned at 2024-01-11 20:32:50 CET for 207s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 53
443/tcp open https syn-ack ttl 53
Nmap done: 1 IP address (1 host up) scanned in 207.05 seconds
Raw packets sent: 131227 (5.774MB) | Rcvd: 1379 (140.395KB)

Target: HSTS
Description: present on https://confluence.external-share.com: max-age=31536000 (one year), includeSubDomains, preload. The preload directive only signals eligibility; inclusion in browser preload lists requires a separate submission at hstspreload.org. Captured response:

GET https://confluence.external-share.com/web/redirect/share-list?…

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jan 2024 19:37:02 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Encoding: gzip

Target: SSL Certificate
Description: three certificates examined, all issued by Let's Encrypt (R3) with RSA 2048-bit keys and SHA256withRSA signatures, trusted by the Mozilla, Apple, Android, Java and Windows root stores, not revoked (OCSP), and covered by CAA records that restrict issuance to letsencrypt.org. Let's Encrypt certificates are valid for 90 days, so renewal must be automated; the per-certificate details follow.

https://confluence.external-share.com

Subject confluence.external-share.com
Fingerprint SHA256: b268a6e828a9fdf627d84476acf8a9a2bf9ad0811b42193eecd015fb45b0beec
Pin SHA256: mjPDS0KDrEQVnOde8Nh2jhrBYV8PNELv+hvz1G4QPYA=
Common names confluence.external-share.com
Alternative names confluence.external-share.com
Serial Number 0364e8902426dc3d5064046f9fa121bae9fc
Valid from Thu, 23 Nov 2023 20:48:25 UTC
Valid until Wed, 21 Feb 2024 20:48:24 UTC (expires in 1 month and 10 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer R3
AIA: http://r3.i.lencr.org/
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information OCSP
OCSP: http://r3.o.lencr.org
Revocation status Good (not revoked)
DNS CAA Yes
policy host: external-share.com
issue: letsencrypt.org flags:0
issuewild: letsencrypt.org flags:0
iodef: mailto:contact@warsawdynamics.com flags:9
Trusted Yes (Mozilla, Apple, Android, Java, Windows)

https://warsawdynamics.com

Subject warsawdynamics.com
Fingerprint SHA256: ea12722cfb5de1627c1c863cf1f055299f94c6202c15f0b7e4177709d6e39611
Pin SHA256: ZWuD7xHCN1aOit2XRJ8fn1gxW2vYeDZgReaRuKgc0Gk=
Common names warsawdynamics.com
Alternative names warsawdynamics.com www.warsawdynamics.com
Serial Number 03ad73d2401be9dcaef201e27280994f37e2
Valid from Wed, 20 Dec 2023 08:43:27 UTC
Valid until Tue, 19 Mar 2024 08:43:26 UTC (expires in 2 months and 7 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer R3
AIA: http://r3.i.lencr.org/
Signature algorithm SHA256withRSA
Extended Validation No
Revocation information OCSP
OCSP: http://r3.o.lencr.org
Revocation status Good (not revoked)
DNS CAA Yes
policy host: warsawdynamics.com
issue: letsencrypt.org flags:0
issuewild: letsencrypt.org flags:0
Trusted Yes (Mozilla, Apple, Android, Java, Windows)

https://external-share.com

Subject external-share.com
Fingerprint SHA256: 10d9f9de680d4dcc6734e6c92541ba29b0d5be104a631df41513898dfb6d7475
Pin SHA256: LNnlsdhcjVlJDuTP6d66umY2lkgSfySUs1KAAx+D3rA=
Common names external-share.com
Alternative names external-share.com
Serial Number 04aa5cdfb5c3962a57d415fca44a80431f1f
Valid from Sun, 10 Dec 2023 09:50:09 UTC
Valid until Sat, 09 Mar 2024 09:50:08 UTC (expires in 1 month and 26 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer R3
AIA: http://r3.i.lencr.org/
Signature algorithm SHA256withRSA
Extended Validation No
Revocation information OCSP
OCSP: http://r3.o.lencr.org
Revocation status Good (not revoked)
DNS CAA Yes
policy host: external-share.com
issue: letsencrypt.org flags:0
iodef: mailto:contact@warsawdynamics.com flags:9
issuewild: letsencrypt.org flags:0
Trusted Yes (Mozilla, Apple, Android, Java, Windows)

Target: HTTP to HTTPS redirect
Description: present on all three domains (http://confluence.external-share.com, http://external-share.com, http://warsawdynamics.com)
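The HSTS header and certificate validity captured above can be checked mechanically rather than read off by hand. The following is an added example, not part of the original report and not the product's code: it parses the captured Strict-Transport-Security value against the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload) and turns each certificate's "Valid until" line into a renewal deadline. The header value and expiry dates are copied from the findings above; the scan date of January 11, 2024 and the 30-day renewal warning threshold are this example's assumptions.

```python
"""Checks on the HSTS header and certificate expiry captured above (added example)."""
from datetime import datetime, timezone

# Copied from the report: Strict-Transport-Security value returned by
# confluence.external-share.com, and the 'Valid until' line of each certificate.
CAPTURED_HSTS = "max-age=31536000; includeSubDomains; preload"
CAPTURED_VALID_UNTIL = {
    "confluence.external-share.com": "Wed, 21 Feb 2024 20:48:24 UTC",
    "warsawdynamics.com": "Tue, 19 Mar 2024 08:43:26 UTC",
    "external-share.com": "Sat, 09 Mar 2024 09:50:08 UTC",
}

SCAN_DATE = datetime(2024, 1, 11, tzinfo=timezone.utc)  # assumption: date of the scan in the report
ONE_YEAR = 31536000       # minimum max-age accepted by hstspreload.org
RENEWAL_WARN_DAYS = 30    # assumption: warn when a certificate has 30 days or less left

MAX_AGE_MISSING = "max-age missing or malformed; browsers ignore the header"
MAX_AGE_SHORT = "max-age below one year (31536000 seconds)"
NO_SUBDOMAINS = "includeSubDomains missing; subdomains stay reachable over plain HTTP"
NO_PRELOAD = "preload missing; domain is not eligible for the browser preload list"


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age may be quoted; unknown
    directives are ignored. A missing or non-numeric max-age is reported as None.
    """
    parsed = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                parsed["max-age"] = None
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_findings(value):
    """Findings for an HSTS value; an empty list means it meets the preload requirements."""
    parsed = parse_hsts(value)
    findings = []
    if parsed["max-age"] is None:
        findings.append(MAX_AGE_MISSING)
    elif parsed["max-age"] < ONE_YEAR:
        findings.append(MAX_AGE_SHORT)
    if not parsed["includeSubDomains"]:
        findings.append(NO_SUBDOMAINS)
    if not parsed["preload"]:
        findings.append(NO_PRELOAD)
    return findings


def parse_valid_until(text):
    """Turn a 'Valid until' value such as 'Wed, 21 Feb 2024 20:48:24 UTC' into an aware datetime."""
    stamp, _, zone = text.rpartition(" ")
    if zone != "UTC":
        raise ValueError(f"unexpected time zone {zone!r}, expected UTC")
    return datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def days_until_expiry(valid_until, as_of=SCAN_DATE):
    """Whole days left on a certificate at as_of (negative once it has expired)."""
    return (parse_valid_until(valid_until) - as_of).days


def expiring_soon(valid_until_by_host, as_of=SCAN_DATE, warn_days=RENEWAL_WARN_DAYS):
    """Hosts whose certificate expires within warn_days of as_of, sorted by name."""
    return sorted(host for host, until in valid_until_by_host.items()
                  if days_until_expiry(until, as_of) <= warn_days)


if __name__ == "__main__":
    print("HSTS findings:", hsts_findings(CAPTURED_HSTS) or "none")
    for host, until in CAPTURED_VALID_UNTIL.items():
        print(f"{host}: {days_until_expiry(until)} days until expiry")
    print("Renewal due within 30 days:", expiring_soon(CAPTURED_VALID_UNTIL) or "none")
```

With the captured values the HSTS check returns no findings and no certificate is within 30 days of expiry; the shortest runway is confluence.external-share.com at 41 days. Because Let's Encrypt issues 90-day certificates, running the same expiry check daily against the live certificate's notAfter date catches a broken renewal job before it becomes an outage.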

Target: Bugcrowd
Owner: @Krzysztof Bogdan
Status: provided in a separate document

Target: E2E security test
Owner: @Krzysztof Bogdan
Status: January 10, 2024: all automated E2E tests with security checks are passing

Target: XSS
Owner: @Parsa Shiva
Status: details in the Penetration Testing Report below

Target: SQL Injection
Owner: @Parsa Shiva
Status: details in the Penetration Testing Report below


Penetration Testing Report

Introduction:

This report documents the security testing conducted on the "External Share for Confluence" application, focusing on Cross-Site Scripting (XSS), SQL Injection, and HTML manipulation vulnerabilities.

Methodology:

Testing was conducted manually, targeting various elements:

  • Input Fields: In areas such as user profiles, comments, attachments, labels, and internal macros (tables, code snippets, quotes, info panels).

  • API Capability Endpoints: Testing for SQL injection with payloads such as:

    { "contentId": "' OR '1' = '1", ... }

  • Page Customization Features: Including custom headers, footers, and footer links.

  • Field Validations: Ensuring specific field types (email, phone number, host) are resistant to injection attacks.

Test Results:

Type | Endpoint / payload | Result (OK = not exploitable)
XSS | Basic Script Execution | OK
XSS | [Image Error Trigger](https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva?param=<img src="invalid" onerror=alert('XSS')>) | OK
XSS | [Div Hover](https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva?param=<div onmouseover="alert('XSS')">Hover me!</div>) | OK
XSS | URL-based Script Execution | OK
XSS | [Event Handler](https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva?param=<input type="text" onfocus="alert('XSS')" autofocus>) | OK
SQL Injection | [Time Delay Test](https://ces-qa.warsawdynamics.com/access?uuid=8d4ea0db-d5ab-44db-aa3c-8c497bff58ad'; WAITFOR DELAY '0:0:10'%20--&redirect=https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva&incorrectPassword=true) | OK
SQL Injection | [Union-based Test](https://ces-qa.warsawdynamics.com/access?uuid=8d4ea0db-d5ab-44db-aa3c-8c497bff58ad' UNION SELECT null, username, password FROM users--&redirect=https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva&incorrectPassword=true) | OK
SQL Injection | [OR-based Test](https://ces-qa.warsawdynamics.com/access?uuid=8d4ea0db-d5ab-44db-aa3c-8c497bff58ad' OR '1'='1'--&redirect=https://confluence-qa.kz-test.ovh/content/1047/amirparsa_shiva&incorrectPassword=true) | OK
HTML Manipulation | Manipulating fields and user data through injected HTML was not possible | OK
Field Validation | Values of the wrong type could not be forced into typed fields (email, phone number, host) | OK
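The payloads in the table above are worth keeping as an automated regression test rather than a one-off manual check. The following is an added example, not the product's code or the testers' harness: a constructed in-memory SQLite table stands in for the share store and a constructed page template for the profile page. lookup_share_vulnerable() builds the query by string concatenation, the pattern the OR-based and UNION-based payloads rely on, and lookup_share() binds the uuid as a parameter; render_param_unsafe() reflects the param raw, render_param() HTML-escapes it, and active_content() parses the rendered page and reports any tag or on* handler that survived. The UNION payload is adapted to two columns to match the example's SELECT. The report's time-delay payload uses T-SQL WAITFOR DELAY, which only Microsoft SQL Server executes; it is not exercised here, and a time-based probe against any other engine needs that engine's sleep function (pg_sleep() on PostgreSQL, SLEEP() on MySQL), so a "no delay" result proves nothing unless the payload matches the backend.

```python
"""Regression check for the XSS and SQL injection payloads in the table above (added example)."""
import html
import sqlite3
from html.parser import HTMLParser

VALID_UUID = "8d4ea0db-d5ab-44db-aa3c-8c497bff58ad"   # uuid used in the report's test URLs

# SQL injection payloads: the OR-based one as in the report; the UNION-based one is
# adapted to two columns so it lines up with this example's two-column SELECT.
SQLI_PAYLOADS = {
    "OR-based": VALID_UUID + "' OR '1'='1'--",
    "Union-based": VALID_UUID + "' UNION SELECT username, password FROM users--",
}

# Reflected XSS payloads from the report; the 'basic' one is the usual script tag.
XSS_PAYLOADS = {
    "Basic Script Execution": "<script>alert('XSS')</script>",
    "Image Error Trigger": '<img src="invalid" onerror=alert(\'XSS\')>',
    "Div Hover": '<div onmouseover="alert(\'XSS\')">Hover me!</div>',
    "Event Handler": '<input type="text" onfocus="alert(\'XSS\')" autofocus>',
}


def build_db():
    """In-memory SQLite database with constructed share and user rows (stand-in for the app's store)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE shares (uuid TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO shares VALUES
            ('8d4ea0db-d5ab-44db-aa3c-8c497bff58ad', 'share-one'),
            ('0b3c9f1e-7a2d-4c55-9b1f-2d6e4f8a1c33', 'share-two');
        INSERT INTO users VALUES ('admin', 'hash-of-admin-pw'), ('alice', 'hash-of-alice-pw');
    """)
    return conn


def lookup_share_vulnerable(conn, uuid):
    """String concatenation: the uuid parameter becomes part of the SQL text."""
    sql = "SELECT uuid, name FROM shares WHERE uuid = '" + uuid + "'"
    return conn.execute(sql).fetchall()


def lookup_share(conn, uuid):
    """Parameterised query: the payload is compared as an opaque string and matches no row."""
    return conn.execute("SELECT uuid, name FROM shares WHERE uuid = ?", (uuid,)).fetchall()


def sqli_regression(conn):
    """payload name -> (rows from the vulnerable lookup, rows from the parameterised lookup)."""
    return {name: (len(lookup_share_vulnerable(conn, p)), len(lookup_share(conn, p)))
            for name, p in SQLI_PAYLOADS.items()}


def render_param_unsafe(param):
    """Reflects the query parameter into the page as-is."""
    return '<p class="greeting">Hello, ' + param + '</p>'


def render_param(param):
    """HTML-escapes the parameter for the text-content context; quote=True also encodes quotes."""
    return '<p class="greeting">Hello, ' + html.escape(param, quote=True) + '</p>'


class _ActiveContentFinder(HTMLParser):
    """Records every tag and every on* attribute a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(rendered, allowed_tags=("p",)):
    """Sorted unexpected tags and event handlers in a rendered page; [] means the payload is inert."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return sorted({t for t in finder.tags if t not in allowed_tags} | set(finder.handlers))


def xss_regression():
    """payload name -> (active content when reflected raw, active content after escaping)."""
    return {name: (active_content(render_param_unsafe(p)), active_content(render_param(p)))
            for name, p in XSS_PAYLOADS.items()}


if __name__ == "__main__":
    db = build_db()
    for name, (vuln_rows, safe_rows) in sqli_regression(db).items():
        print(f"SQLi {name}: vulnerable query returned {vuln_rows} rows, parameterised {safe_rows}")
    for name, (raw, escaped) in xss_regression().items():
        print(f"XSS {name}: raw {raw or 'inert'}, escaped {escaped or 'inert'}")
```

Running the block shows the vulnerable lookup returning every share for the OR payload and the user rows for the UNION payload, while the parameterised lookup returns nothing for either; the raw render of each XSS payload reports the injected tag and handler, and the escaped render reports none. Output encoding is context-specific: html.escape() is correct for text content and quoted attribute values, not for a parameter placed inside a script block or a URL.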

Findings and Recommendations:

No exploitable vulnerabilities were found during the testing phase: every XSS and SQL injection payload in the set above was neutralised, and fields and user data could not be manipulated through injected HTML. Keeping these payloads in the automated E2E security checks will catch regressions in input handling.

Conclusion:

"External Share for Confluence" resisted the common web attacks tested here (XSS, SQL injection, HTML manipulation), supporting a secure experience for its users.


Risk Assessment

  • Java app dependencies: Medium (see Conclusion).

  • SQL Injection: None.

  • XSS: None.

  • Outdated Server Software: None at present; the host runs Debian 11 (bullseye), whose regular security support ends in July 2024, so an upgrade to a supported release is recommended within 180 days.


Conclusion

Issues have been identified with dependencies in the Java application. Of the flagged dependencies, one is a false positive and two are used only during the application's initialization phase, a code path that does not involve user interaction. Nevertheless, we are committed to updating these dependencies.


Document draft prepared by Krzysztof Bogdan.
Tests performed by:

  • Krzysztof Surdacki

  • Parsa Shiva


Appendices:

  • Warsaw Dynamics-SECURITY POSTURE REPORT.pdf

  • Warsaw Dynamics-Security Summary Report.pdf

Activity

Automation for Jira 16 January 2024, 10:30

Hello @Krzysztof Bogdan,

Please merge the code to the dev branch.
This is the best moment to add more information that can be helpful for preparing the release notes.

  • Can you prepare a short overview of the change that can be used in the release notes?

  • Please provide a short GIF that showcases the feature.

  • If a GIF makes no sense, can you provide an image that highlights the feature and can be used in the release notes (cropped & annotated)?

Automation for Jira 16 January 2024, 10:29

Hello @Krzysztof Bogdan,

This is the best moment to add more information that can be helpful for the tester.

  • What areas are affected?

  • What are the potential edge cases?

  • Was it checked for XSS problems?

  • Does the change affect security? Is new data exposed?

Please attach before/after screenshots if possible.

Automation for Jira 16 January 2024, 10:29

Hello @Krzysztof Bogdan,
The task is ready for review.

@Krzysztof Bogdan, please make sure the reviewer
has easy access to the content to be reviewed.

If this is a code change, please make sure a PR is created.
If this is new documentation, a blog post, etc., please provide a link to the page.