WEB Pentesting

nuclei -u https://dubaisportstrack.ae
wpscan --api-token <WPSCAN_API_TOKEN> --detection-mode aggressive --url https://www.mcbislamicbank.com/
nikto -url https://www.mcbislamicbank.com/
nmap -sS -sV --script vuln dubaisportstrack.ae
sslscan eregistration.punjab-zameen.gov.pk
Discover security vulnerabilities using Nmap
Step 1: Install Nmap-Vulners
cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git
git clone https://github.com/scipag/vulscan.git
ls vulscan/*.csv
---------------------------
Step 2: Scanning with Nmap-Vulners
nmap --script nmap-vulners/ -sV 72.62.72.223
nmap --script vulscan/ -sV 72.62.72.223
nmap --script vulscan/ --script-args vulscandb=scipvuldb.csv -sV 72.62.72.223
nmap --script vulscan/ --script-args vulscandb=exploitdb.csv -sV 72.62.72.223
nmap --script vulscan/ --script-args vulscandb=securitytracker.csv -sV 72.62.72.223

Bug 1: Origin IP Disclosure Vulnerability

I checked for an Origin IP disclosure vulnerability with the Shodan extension and found out that it was directly accessible.

Example: https://170.104.110.50/

Impact: The server’s origin IP address is exposed, potentially allowing attackers to bypass security protections like CDN or WAF, enabling direct attacks on the backend server.

Bug 2: Server Version Disclosure

Then I fired up Burp Suite, captured the request, and noticed that the server's name and version were disclosed. This is also a bug.

Impact: The server reveals its version number in the HTTP response headers, exposing potentially vulnerable software details to attackers.

Bug 3: Weak Password Policy

I checked their register endpoint, www.target.com/register, where there was a create account page. I tried to test the input fields, but they were sanitized; however, the password aaaaaaaaaaaa was accepted at registration, which is also a bug.

Impact: The application allows weak passwords, increasing the risk of brute force attacks and unauthorized access.

Bug 4: Improper Session Management After Password Reset

Now that I had created an account and logged in, I opened two browsers, Edge and Firefox, and logged in simultaneously with the same credentials: test@xyz.com / aaaaaaaaaaaa.

In the Edge browser, I changed the password to bbbbbbbbbbbb; the password was changed and I was logged out. However, the session in Firefox was still active even after the password reset, and the application failed to validate the session. That, my friend, is also a bug!

Impact: The application does not invalidate existing sessions after a password reset, allowing attackers to retain access even after credential changes.
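As an added illustration of the fix for Bug 4 (constructed example code, not from the original notes or from the target), a small Python model of login, session validation and password change: the hypothetical AuthService stamps each session with a password version, and firefox_session_survives replays the two-browser scenario once with that check turned off (the behaviour observed above) and once with it on.

```python
import hashlib, hmac, os, secrets

# Constructed model of the Bug 4 flow (hypothetical, not the target's code).
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, invalidate_on_change=True):
        self.invalidate_on_change = invalidate_on_change
        self.users = {}     # email -> {"salt", "hash", "password_version"}
        self.sessions = {}  # token -> {"email", "password_version"}

    def _verify(self, email, password):
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(_hash(password, user["salt"]), user["hash"])

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": _hash(password, salt), "password_version": 1}

    def login(self, email, password):
        if not self._verify(email, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "password_version": self.users[email]["password_version"]}
        return token

    def is_valid(self, token):
        sess = self.sessions.get(token)
        # Vulnerable mode trusts any known token; hardened mode also requires the current password version.
        return sess is not None and (not self.invalidate_on_change
                                     or sess["password_version"] == self.users[sess["email"]]["password_version"])

    def change_password(self, token, old, new):
        if not self.is_valid(token) or not self._verify(self.sessions[token]["email"], old):
            return False  # re-authenticate with the current password before changing it
        user = self.users[self.sessions[token]["email"]]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash(new, user["salt"])
        user["password_version"] += 1  # every session issued before this point is now stale
        del self.sessions[token]  # the changing browser is logged out, as observed in Edge
        return True

def firefox_session_survives(invalidate_on_change):
    """Replay the Edge/Firefox scenario; True means the other browser's session stayed alive."""
    svc = AuthService(invalidate_on_change)
    svc.register("test@xyz.com", "aaaaaaaaaaaa")
    edge = svc.login("test@xyz.com", "aaaaaaaaaaaa")
    firefox = svc.login("test@xyz.com", "aaaaaaaaaaaa")
    assert svc.change_password(edge, "aaaaaaaaaaaa", "bbbbbbbbbbbb")
    return svc.is_valid(firefox)
```

In a real deployment the same version check belongs in whatever middleware validates the session cookie or token on every request, so that a revoked session fails on its very next request rather than only at login.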

Bug 5: No Rate Limit on Password Reset

On the login page, there was a "Forgot password" button, and when I clicked on password reset, the reset email was sent to my inbox. I tested once, then intercepted and captured the password reset request on the second trial, sent it to Intruder, and set the payload to 100 iterations on language 0.5 to repeat the process 100 times with minimal delay.

And guess what: there was no rate limit, and my inbox was flooded with password reset links.

Impact: The password reset functionality lacks rate limiting, allowing attackers to attempt an unlimited number of reset requests, potentially enabling brute force attacks.

Bug 6: Broken Link Hijacking

I then checked its social media links to see if there were any vulnerable broken links to hijack.

Companies often have mobile applications in the Google Play Store or Apple App Store, and those links are usually included on their websites. I checked whether the links were working fine or not: the Apple App Store link was working fine, but the Google Play Store link returned a 404 error. The link was broken.

Broken Link Hijacking happens when a website links to a page or account that no longer exists. An attacker can claim that abandoned destination and serve their own content to users who follow the still-published link, with the trust of the linking site attached to it.
