Web

Security Audit Report

for

16 August 2018

ATTENTION: This document contains information from XYSec Labs Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting
this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from XYSec Labs Pvt. Ltd. If
you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited.


Security Audit Report

Contents
Item No.

Executive Summary 3

Scope of Testing 3

Methodology 4

Summary of Security Assessment 5

Details of Vulnerabilities 6 - 17

Summary of Security Tests 18 - 21

Confidential 2

Security Audit Report

Executive Summary
This document contains security assessment report of HungerBox’s web
application.

The purpose of this assessment was to point out security loopholes, business
logic errors and missing security best practices. The tests were carried out
assuming the identity of an attacker or a malicious user but no harm was made
to functionality or working of the website.

Scope of Testing

Security assessment includes testing for security loopholes in the scope

defined below. Apart from user account, no other information was provided.
Nothing was assumed at the start of the security assessment. The following
applications were covered under the security audit:

• https://paladion.hungerbox.com/
• https://rest.hungerbox.com/ (APIs being called from above app)

Confidential 3

Security Audit Report

Methodology
Exhaustive Vulnerability Assessment and Penetration Testing (VAPT) has be
performed to identify security loopholes in the Web Application that could
potentially allow a malicious user to gain access to the system or perform
malicious operations.

Web Application Security Testing

The Web Application Security Testing is based on the OWASP (Open Web
Application Security Project) Testing Methodologies and the OWASP Testing
Framework. 120+ active security tests have been performed falling under the
following categories:

• Information Gathering • Authorization Testing
• Configuration and Deployment • Session Management Testing
Management Testing • Error Handling

• Known Security Issues (CVE) Testing • Input Validation Testing
• SSL Testing • Cryptography
• Identity Management Testing • Security Best Practices

• Authentication Testing

Tools and Mode of Testing

The security testing is a hybrid of Manual and Automated Vulnerability

Testing. Some of the automated tools used are:

1. ZAP Attack Proxy

2. SQLMap
3. w3af
4. Wapiti
5. Wireshark
6. Dirbuster

Confidential 4

Security Audit Report

Summary of Security Tests Performed

Tests Being Performed Severity Scan Status
Scan Re-Scan

Create confirmed orders as 'Company Paid' without making Found Passed
High
transactions
Parameter injection in SQL Queries High Found Passed
TLSv1.0 is enabled on the server which is non-compliant with PCI Found Passed
Medium
DSS 3.2.1
BugZilla Bug Reports are publicly accessible without Found Passed
High
authentication
Frameable response & Clickjacking Medium Found Passed
Forgot Password feature can be used to 'Email Bomb' Medium Found Passed
PHP error stack trace exposed, causing Full Server Path Found Passed
Medium
Disclosure
OS command injection High Passed Passed
SQL injection High Passed Passed
SQL injection (second order) High Passed Passed
File path traversal High Passed Passed
XML external entity injection High Passed Passed
LDAP injection High Passed Passed
XPath injection High Passed Passed
XML injection Medium Passed Passed
ASP.NET debugging enabled Medium Passed Passed
DoS Locking Customer Accounts High Passed Passed
DoS Buffer Overflows High Passed Passed
Storing too Much Data in Session (DoS) High Passed Passed
Writing User Provided Data to Disk (DoS) High Passed Passed
HTTP Insecure Methods Available on Server High Passed Passed
Out-of-band resource load (HTTP) High Passed Passed
File path manipulation High Passed Passed
Code injection High Passed Passed
Server-side JavaScript code injection High Passed Passed
Perl code injection High Passed Passed
Ruby code injection High Passed Passed
Python code injection High Passed Passed
Expression Language injection High Passed Passed
Unidentified code injection High Passed Passed
Server-side template injection High Passed Passed
SSI injection High Passed Passed
Cross-site scripting (stored) High Passed Passed
HTTP response header injection High Passed Passed
Cross-site scripting (reflected) High Passed Passed

Confidential 5

Security Audit Report
Client-side template injection High Passed Passed
Cross-site scripting (DOM-based) High Passed Passed
Cross-site scripting (reflected DOM-based) High Passed Passed
Cross-site scripting (stored DOM-based) High Passed Passed
JavaScript injection (DOM-based) High Passed Passed
JavaScript injection (reflected DOM-based) High Passed Passed
JavaScript injection (stored DOM-based) High Passed Passed
Path-relative style sheet import Information Passed Passed
Client-side SQL injection (DOM-based) High Passed Passed
Client-side SQL injection (reflected DOM-based) High Passed Passed
Client-side SQL injection (stored DOM-based) High Passed Passed
WebSocket hijacking (DOM-based) High Passed Passed
WebSocket hijacking (reflected DOM-based) High Passed Passed
WebSocket hijacking (stored DOM-based) High Passed Passed
Local file path manipulation (DOM-based) High Passed Passed
Local file path manipulation (reflected DOM-based) High Passed Passed
Local file path manipulation (stored DOM-based) High Passed Passed
Client-side XPath injection (DOM-based) Low Passed Passed
Client-side XPath injection (reflected DOM-based) Low Passed Passed
Client-side XPath injection (stored DOM-based) Low Passed Passed
Client-side JSON injection (DOM-based) Low Passed Passed
Client-side JSON injection (reflected DOM-based) Low Passed Passed
Client-side JSON injection (stored DOM-based) Low Passed Passed
Flash cross-domain policy High Passed Passed
Cross-origin resource sharing Information Passed Passed
Passed Passed
Cross-origin resource sharing: arbitrary origin trusted High
Passed Passed
Cross-origin resource sharing: unencrypted origin trusted Low
Passed Passed
Cross-origin resource sharing: all subdomains trusted Low

Cross-site request forgery Medium Passed Passed

SMTP header injection Medium Passed Passed
Cleartext submission of password High Passed Passed
External service interaction (DNS) High Passed Passed
External service interaction (HTTP) High Passed Passed
External service interaction (SMTP) Information Passed Passed
Referer-dependent response Information Passed Passed
Spoofable client IP address Information Passed Passed
User agent-dependent response Information Passed Passed
Password returned in later response Medium Passed Passed
Password submitted using GET method Low Passed Passed
Password returned in URL query string Low Passed Passed
SQL statement in request parameter Medium Passed Passed

Confidential 6

Security Audit Report
Cross-domain POST Information Passed Passed
ASP.NET ViewState without MAC enabled Low Passed Passed
XML entity expansion Medium Passed Passed
Long redirection response Information Passed Passed
Serialized object in HTTP message High Passed Passed
Duplicate cookies set Information Passed Passed
Input returned in response (stored) Information Passed Passed
Input returned in response (reflected) Information Passed Passed
Suspicious input transformation (reflected) Information Passed Passed
Suspicious input transformation (stored) Information Passed Passed
Open redirection (reflected) Low Passed Passed
Open redirection (stored) Medium Passed Passed
Open redirection (DOM-based) Low Passed Passed
Open redirection (reflected DOM-based) Low Passed Passed
Open redirection (stored DOM-based) Medium Passed Passed
SSL cookie without secure flag set Medium Passed Passed
Cookie scoped to parent domain Low Passed Passed
Cross-domain Referer leakage Information Passed Passed
Cross-domain script include Information Passed Passed
Cookie without HttpOnly flag set Low Passed Passed
Session token in URL Medium Passed Passed
Password field with autocomplete enabled Low Passed Passed
Password value set in cookie Medium Passed Passed
Browser cross-site scripting filter disabled Information Passed Passed
HTTP TRACE method is enabled Information Passed Passed
Cookie manipulation (DOM-based) Low Passed Passed
Cookie manipulation (reflected DOM-based) Low Passed Passed
Cookie manipulation (stored DOM-based) Low Passed Passed
Ajax request header manipulation (DOM-based) Low Passed Passed
Passed Passed
Ajax request header manipulation (reflected DOM-based) Low
Passed Passed
Ajax request header manipulation (stored DOM-based) Low

Denial of service (DOM-based) Information Passed Passed

Denial of service (reflected DOM-based) Information Passed Passed
Denial of service (stored DOM-based) Low Passed Passed
HTML5 web message manipulation (DOM-based) Information Passed Passed
Passed Passed
HTML5 web message manipulation (reflected DOM-based) Information
Passed Passed
HTML5 web message manipulation (stored DOM-based) Information

HTML5 storage manipulation (DOM-based) Information Passed Passed

Passed Passed
HTML5 storage manipulation (reflected DOM-based) Information

Confidential 7

Security Audit Report
HTML5 storage manipulation (stored DOM-based) Information Passed Passed
Link manipulation (DOM-based) Low Passed Passed
Link manipulation (reflected DOM-based) Low Passed Passed
Link manipulation (stored DOM-based) Low Passed Passed
Link manipulation (reflected) Information Passed Passed
Link manipulation (stored) Information Passed Passed
Document domain manipulation (DOM-based) Medium Passed Passed
Passed Passed
Document domain manipulation (reflected DOM-based) Medium
Passed Passed
Document domain manipulation (stored DOM-based) Medium

DOM data manipulation (DOM-based) Information Passed Passed

DOM data manipulation (reflected DOM-based) Information Passed Passed
DOM data manipulation (stored DOM-based) Information Passed Passed
CSS injection (reflected) Medium Passed Passed
CSS injection (stored) Medium Passed Passed
Client-side HTTP parameter pollution (reflected) Low Passed Passed
Client-side HTTP parameter pollution (stored) Low Passed Passed
Form action hijacking (reflected) Medium Passed Passed
Form action hijacking (stored) Medium Passed Passed
Database connection string disclosed Medium Passed Passed
Source code disclosure Low Passed Passed
Directory listing Information Passed Passed
Email addresses disclosed Information Passed Passed
Private IP addresses disclosed Information Passed Passed
Social security numbers disclosed Information Passed Passed
Credit card numbers disclosed Information Passed Passed
Private key disclosed Information Passed Passed
Robots.txt file Information Passed Passed
Cacheable HTTPS response Information Passed Passed
Base64-encoded data in parameter Information Passed Passed
Multiple content types specified Information Passed Passed
HTML does not specify charset Information Passed Passed
HTML uses unrecognized charset Information Passed Passed
Content type incorrectly stated Low Passed Passed
Content type is not specified Information Passed Passed
SSL certificate Medium Passed Passed
Unencrypted communications Low Passed Passed
Strict transport security not enforced Low Passed Passed
Mixed content Information Passed Passed

Confidential 8