Penetration Testing Report

This Penetration Testing Report provides a comprehensive security assessment using Nmap and other widely adopted Vulnerability Assessment testing tools. It includes detailed findings on network vulnerabilities, open ports, and potential security risks, offering valuable insights for strengthening system defenses.

1. Introduction

1.1 Purpose of this Report

This document provides a high-level summary of the penetration test performed against the target environment. The goal of this engagement was to assess the security posture of the identified assets by identifying vulnerabilities, misconfigurations, and potential attack vectors.

1.2 Scope of Assessment

  • Target IP(s)/Host(s): threshpower.com
  • Date of Assessment: 23/05/2025
  • Testing Methodology:
    • Passive reconnaissance
    • Active scanning
    • Exploitation testing (if authorized)
    • Post-exploitation (if applicable)
    • Reporting and remediation recommendations

1.3 Tools Used

  • Nmap (Network discovery & service enumeration) ingested via surveilr
  • ZAP (Zed Attack Proxy) (Web application security scanner)
  • SQLMAP (SQL injection testing tool)
  • Nuclei (Vulnerability scanner)
  • Burpsuite (Web application security scanner)
  • Testssl (Cryptographic Vulnerability Scanner)
  • Dirsearch (Directory Enumeration Tool)
  • Whatweb (Identify Technologies)
  • Subfinder(Subdomain Enumeration)

2. Executive Summary

This section provides a high-level overview of the findings, focusing on critical vulnerabilities and security risks.

  • Overall Security Posture:
  • Critical Vulnerabilities Identified:
  • Key Remediation Recommendations:
  • Impact Assessment:

Overall Security Posture:

The security posture of the target environment is relatively stable: no Critical or High severity vulnerabilities were identified during the assessment. Several areas nonetheless require attention to enhance the overall security posture. Based on the identified vulnerabilities, the overall risk level of the assessed application is Medium. A total of 2 Medium-risk and 4 Low-risk findings were identified, all of which should be addressed to enhance the application’s overall security posture.

Critical Vulnerabilities Identified:

No Critical-severity vulnerabilities were identified. The highest-rated findings were IIS Tilde Enumeration and missing major security headers.

Key Remediation Recommendations:

IIS Tilde Enumeration: Disable 8.3 short-name creation on the NTFS volumes that host the site (fsutil behavior set disable8dot3 1). Note that this only stops new short names from being generated; files and directories that already exist keep their short names until they are stripped (fsutil 8dot3name strip) or re-created, so re-scan after the change to confirm the oracle is gone. As defence in depth, use IIS Request Filtering, URL filtering or a Web Application Firewall (WAF) to reject requests whose path contains a tilde (~).

Content Security Policy (CSP) Header Not Set (Severity: Medium): Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header. Start from a restrictive policy (for example default-src 'self') and widen it only for sources the application genuinely needs.

Cross-Domain Misconfiguration (Severity: Medium): Enforce a strict CORS policy by explicitly specifying trusted origins in the Access-Control-Allow-Origin header, and validate the incoming Origin header against an allow-list so that only authorized origins are accepted. Do not reflect an arbitrary incoming Origin back into the response, especially when Access-Control-Allow-Credentials is true, as that is equivalent to a wildcard for authenticated requests.

Missing Anti-clickjacking Header (Severity: Medium): Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it’s part of a FRAMESET) then use SAMEORIGIN; if you never expect the page to be framed, use DENY. Prefer Content Security Policy’s “frame-ancestors” directive for anything more granular: the X-Frame-Options ALLOW-FROM value is not honoured by current browsers.

Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s) (Severity: Low): Ensure that your web server, application server, load balancer, etc. is configured to suppress “X-Powered-By” headers. Review the “Server” header at the same time, since it discloses similar information.

X-Content-Type-Options Header Missing (Severity: Low): Configure your web server, application, or CDN to include the “X-Content-Type-Options: nosniff” header on all HTTP responses. This setting ensures browsers strictly adhere to the declared Content-Type and do not attempt MIME-type sniffing, reducing the risk of executing malicious content.
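The header findings above are all decided from a single HTTP response, so they can be checked mechanically. The following script is an added example (not part of the original assessment) that encodes those checks, with severities as rated in this report and finding names following ZAP’s. The two response-header sets are constructed samples standing in for a live response; the origin https://portal.example is a placeholder for whichever single origin genuinely needs cross-origin access.

```python
"""Audit of the HTTP response headers behind the findings above.

Added example, not part of the original assessment.  The response headers are
constructed so the check runs offline; against an authorized target the same
function can be fed  dict(requests.get(url).headers)  together with the Origin
that was sent in the request.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (finding name, severity as rated in this report)

# Constructed sample: what an unhardened IIS/ASP.NET response typically looks like.
BEFORE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: the same response after the recommendations are applied.
# 'https://portal.example' is a placeholder for the one trusted origin.
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://portal.example",
    "Vary": "Origin",
}


def audit_headers(headers: Dict[str, str],
                  request_origin: str = "https://attacker.example") -> List[Finding]:
    """Return the findings a response carrying these headers would raise.

    request_origin is the Origin header the client sent; it is needed to catch
    servers that reflect any origin back, which is a wildcard in disguise.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Finding] = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content Security Policy (CSP) Header Not Set", "Medium"))

    acao = h.get("access-control-allow-origin", "")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" or acao == request_origin:
        # A bare '*' exposes unauthenticated responses to any site; reflecting an
        # untrusted Origin together with credentials exposes authenticated ones.
        name = "Cross-Domain Misconfiguration"
        if credentials and acao != "*":  # browsers refuse '*' combined with credentials
            name += " (credentialed)"
        findings.append((name, "Medium"))

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is ignored by current browsers, so it does not count as protection.
        findings.append(("Missing Anti-clickjacking Header", "Medium"))

    if "x-powered-by" in h:
        findings.append(("Server Leaks Information via X-Powered-By", "Low"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options Header Missing", "Low"))

    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

On IIS the hardened headers are added under system.webServer/httpProtocol/customHeaders in web.config, and a `<remove name="X-Powered-By" />` entry in the same section drops the leak. X-Frame-Options and the frame-ancestors directive are set together so that browsers which only honour the older header are still covered.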

Impact Assessment:

IIS tilde enumeration exploits the legacy 8.3 short filename feature of NTFS, exposed through IIS, to reveal the existence of hidden or restricted directories and files on a web server. By requesting truncated short names (e.g., admin~1) and observing that the server answers differently depending on whether a matching name exists, an attacker can infer valid folder or file names character by character without direct access. This can aid further attacks such as brute-forcing or path traversal. While it does not grant immediate access, it significantly increases information disclosure and the attack surface of the application.
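The mechanics described above, as an added example rather than tooling from this assessment: the attack needs only a status-code oracle (404 when a short name with the probed prefix exists, 400 when none does), and the remediation works by removing that oracle. FakeIIS is a constructed stand-in that reproduces the oracle offline; the short names in SAMPLE_SHORT_NAMES are made up for the example. Only ~1 short names are modelled and extensions are ignored (real scanners such as shortscan also walk ~2..~9 and the extension).

```python
"""IIS 8.3 short-name ("tilde") enumeration, shown end to end.

Added example, not tooling from this assessment.  A vulnerable IIS host answers
a wildcard probe such as  GET /adm*~1*/.aspx  with 404 Not Found when some file
or directory under the web root has a short name starting with ADM, and with
400 Bad Request when none does.  That differential is the oracle; FakeIIS is a
constructed stand-in that reproduces it offline.
"""
import string
from typing import Callable, Iterable, List

# 8.3 names are case-insensitive and '_' is legal in them.  Kept small on purpose.
ALPHABET = string.ascii_lowercase + string.digits + "_"

# Constructed sample: short names an attacker could recover, with the long names
# they came from: 'administration/' -> ADMINI~1, 'backup_2024/' -> BACKUP~1,
# 'uploads_old/' -> UPLOAD~1, 'web.config' -> WEB~1.CON (base WEB~1).
SAMPLE_SHORT_NAMES = ["ADMINI~1", "BACKUP~1", "UPLOAD~1", "WEB~1"]


class FakeIIS:
    """Stand-in for an IIS host.  tilde_enabled=False models a server whose
    existing 8.3 names were stripped after short-name creation was disabled:
    every probe then gets the same answer and the oracle is gone."""

    def __init__(self, short_names: Iterable[str], tilde_enabled: bool = True) -> None:
        self.short_names = {s.upper() for s in short_names}
        self.tilde_enabled = tilde_enabled

    def get(self, path: str) -> int:
        """HTTP status for a probe path such as /adm*~1*/.aspx or /admini~1*/.aspx."""
        if not self.tilde_enabled:
            return 404
        token = path.lstrip("/").split("*", 1)[0].upper()  # text before the first '*'
        if token.endswith("~1"):                            # /NAME~1*/ : exact 8.3 base
            hit = token in self.short_names
        else:                                               # /NAM*~1*/ : any base with that prefix
            hit = any(s.startswith(token) for s in self.short_names)
        return 404 if hit else 400


def is_vulnerable(get: Callable[[str], int]) -> bool:
    """Differential check: a wildcard that matches every short name versus a
    prefix that cannot match any (8.3 bases are at most six characters)."""
    some_name = get("/*~1*/.aspx")
    no_name = get("/" + "z" * 10 + "*~1*/.aspx")
    return some_name == 404 and no_name == 400


def enumerate_short_names(get: Callable[[str], int], max_base: int = 6) -> List[str]:
    """Recover 8.3 bases one character at a time, depth-first, using only the
    404/400 oracle.  Refuses to run when the oracle is absent, since every
    prefix would then look like a hit and the search would never terminate."""
    if not is_vulnerable(get):
        return []
    found: List[str] = []
    frontier = [""]
    while frontier:
        prefix = frontier.pop()
        for ch in ALPHABET:
            cand = prefix + ch
            if get(f"/{cand}*~1*/.aspx") != 404:
                continue                                   # nothing starts with cand
            if get(f"/{cand}~1*/.aspx") == 404:
                found.append(cand.upper() + "~1")          # cand is a complete base
            if len(cand) < max_base:
                frontier.append(cand)                      # longer bases may share it
    return sorted(found)


if __name__ == "__main__":
    before = FakeIIS(SAMPLE_SHORT_NAMES)
    after = FakeIIS(SAMPLE_SHORT_NAMES, tilde_enabled=False)
    print("before:", is_vulnerable(before.get), enumerate_short_names(before.get))
    print("after: ", is_vulnerable(after.get), enumerate_short_names(after.get))
```

Against a real host the `get` callable would issue the request and return the status code; the search order and the two-probe pattern (prefix probe, then exact probe) are what the real scanners do, which is also why a tilde-blocking WAF rule is effective even before the filesystem change is rolled out.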

Content Security Policy (CSP) Header Not Set (Severity: Medium): The absence of a CSP header increases the risk of Cross-Site Scripting (XSS), data injection attacks, and clickjacking, which can lead to data theft, session hijacking, and website defacement. Attackers can inject malicious scripts that manipulate page content, steal user credentials, or distribute malware. This impacts both data integrity and user trust, making the application more vulnerable to client-side attacks.

Cross-Domain Misconfiguration (Severity: Medium): A misconfigured CORS policy allows untrusted origins to access sensitive resources, potentially exposing data and enabling unauthorized actions.

Missing Anti-clickjacking Header (Severity: Medium): Without an X-Frame-Options or frame-ancestors directive in the Content Security Policy, the application is susceptible to Clickjacking attacks. An attacker could embed the website in an invisible iframe and trick users into clicking buttons or links unknowingly, potentially leading to unauthorized actions, information leaks, or financial loss. This vulnerability is particularly critical for applications handling sensitive transactions or authentication processes.

Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s) (Severity: Low): The exposure of the “X-Powered-By” header reveals internal technology details, which can assist attackers in identifying vulnerabilities associated with the disclosed software stack.

X-Content-Type-Options Header Missing (Severity: Low): The missing X-Content-Type-Options: nosniff header allows browsers to perform MIME-sniffing, which can lead to content-type confusion attacks. An attacker could have a file that is served as one type interpreted by the browser as script, turning it into Cross-Site Scripting in the user’s browser. The risk is greatest where user-uploaded content is served from the application’s own origin.


3. Methodology

The penetration test was conducted using the following phased approach:

3.1 Reconnaissance & Information Gathering

  • Passive reconnaissance: OSINT (Open-Source Intelligence) and WHOIS lookups.
  • Active scanning: Identified live hosts and open ports using Nmap.
  • Subdomain enumeration: Subfinder
  • Technologies fingerprinted: Whatweb, Nuclei

3.2 Scanning & Enumeration

The following scans were conducted to gather information about the target:

3.2.1 Nmap Scan Results

Key open ports and services detected:

3.2.2 ZAP

ZAP (Zed Attack Proxy) is an open-source web application security scanner developed by OWASP. It helps find vulnerabilities in web apps through automated and manual testing, making it useful for developers and security testers.

3.2.3 SUBFINDER

subfinder is a subdomain discovery tool that returns valid subdomains for websites, using passive online sources. It has a simple, modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

Features

  • Fast and powerful resolution and wildcard elimination modules
  • Curated passive sources to maximize results
  • Multiple output formats supported (JSON, file, stdout)
  • Optimized for speed and lightweight on resources
  • STDIN/OUT support enables easy integration into workflows

3.2.4 SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches covering database fingerprinting, data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

3.2.5 Nuclei

Nuclei is a modern, high-performance vulnerability scanner that leverages simple YAML-based templates. It lets you design custom vulnerability detection scenarios that mimic real-world conditions, which keeps false positives low.

  • Simple YAML format for creating and customizing vulnerability templates.
  • Contributed by thousands of security professionals to tackle trending vulnerabilities.
  • Reduce false positives by simulating real-world steps to verify a vulnerability.
  • Ultra-fast parallel scan processing and request clustering.
  • Integrate into CI/CD pipelines for vulnerability detection and regression testing.
  • Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS, JavaScript, Code and more.
  • Integrate with Jira, Splunk, GitHub, Elastic, GitLab.

3.3 Web Application Scanning

3.3.1 DIR Search Results

3.3.2 BURP Results

3.3.3 WhatWeb Results

3.3.4 Test SSL Results

5. Conclusion

This penetration test identified 2 Medium and 4 Low-severity vulnerabilities. The most concerning issues were the missing security headers and IIS Tilde Enumeration, which could lead to client-side attacks such as XSS and clickjacking and to disclosure of the names of hidden files or directories. Prompt remediation is advised.

6. References


Prepared By: Netspective
Date: 26/05/2025
Confidentiality Notice: This document is confidential and should not be shared outside authorized personnel.