Penetration testing report

The report details reconnaissance on the netflix.com website, including footprinting using tools like Maltego, Nmap, and The Harvester. Enumeration was then performed using tools like Nslookup, Host, and Dig, revealing server details, ports, and vulnerabilities. Vulnerability scanning was done with Nikto and Metasploit, leading to SSH exploitation. The purple team then analyzed vulnerabilities found like SQL injection and provided mitigation strategies.

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/361823397

Penetration testing report (netflix.com)

Research · May 2021


1 author:

Gihan Pradeep
Sri Lanka Institute of Information Technology

All content following this page was uploaded by Gihan Pradeep on 07 July 2022.



Sri Lanka Institute of Information Technology

Year 3 Semester 2

Applied Information Assurance


IE3022

Assignment 02

Penetration testing report

Submitted by:

Student Registration Number: IT19986418
Student Name: Bogahawatta L.B.G.D.P.K

Table of Contents
Terms of Reference ... 2
Introduction ... 2
Red Team ... 2
    Foot Printing and Reconnaissance ... 2
        1. Maltego ... 3
        2. Network Mapper (Nmap) ... 4
        3. The Harvester ... 5
    Enumeration ... 6
        1. Nslookup ... 6
        2. Host ... 7
        3. Dig ... 7
Blue Team ... 9
    Vulnerability Scanning ... 9
        1. Nikto ... 9
        2. Metasploit Framework ... 10
    SSH Exploitation ... 10
Purple Team ... 11
    1. SQL Injection ... 11
    2. Wildcard Directive ... 11
    3. Application Error Disclosure ... 12
    4. Missing X-Frame-Options Header ... 12
    5. Cross-Domain Misconfiguration ... 13
    6. Incomplete or No Cache-control and Pragma HTTP Header Set ... 13
    7. Absence of Anti-CSRF Tokens ... 14
    8. Cross-Domain JavaScript Source File Inclusion ... 14
    9. Cookie without SameSite Attribute ... 15
    10. Missing "X-XSS-Protection" Header ... 15

Terms of Reference
The audit was executed on the "netflix.com" website in order to detect vulnerabilities and the
current level of security issues present in the technologies it uses. Standard penetration
testing tools such as Nikto, OWASP ZAP, Sublist3r, Anubis Subdomain Enumerator, Netsparker,
and others were used in the testing.

Introduction
This report is organized into three sections (red, blue, and purple) according to the work performed.

• The red team is the attacking portion (footprinting and reconnaissance, enumeration,
and exploits).
• The blue team is the defensive section (including vulnerability scanning).
• The purple team analyzes and summarizes the mitigation strategies for such attacks.

Red Team
Foot Printing and Reconnaissance
The process of gathering information on a target system is referred to as footprinting. It is
the first stage of an attack, in which the attacker attempts to learn as much as possible about
the target in order to discover a way into the system.

1. Maltego
Maltego is software used for open-source intelligence and forensics.

2. Network Mapper (Nmap)
The most well-known scanning tool used by penetration testers is Nmap. This section goes over
some of Nmap's most important features as well as a few essential commands.

3. The Harvester
This tool helps to gather information about email addresses, subdomains, hosts, employee names,
and so on.

➢ No vulnerability found.
➢ Risk level is low.

Enumeration

1. Nslookup
This tool can be used to obtain the IP address of a particular domain name, as well as the
domain name for a given IP address.

2. Host
The host command/utility is used to determine which domain a particular IP address resolves to.

3. Dig
Dig is a network administration command-line tool for querying the Domain Name System. It is
useful for network troubleshooting and for educational purposes.

➢ Risk level: high. Vulnerabilities: information disclosure and brute force.
➢ Found user login details, server details, port details, workgroup information, and common
vulnerabilities (CVEs).
➢ Effect: Depending on the website's purpose and, as a result, what data an attacker can
access, an attacker can have both a direct and an indirect impact. In certain cases, merely
releasing sensitive data can have a tremendous impact on the people concerned. The
information on the server can be rerouted to a third party. Integrity and confidentiality
will be compromised as a result, and the company's reputation will be tarnished.

➢ Recommendations
• Check whether any of the services running on the server's exposed ports disclose their
version or release information.

• Ensure that appropriate access controls and authorizations are in place on all web
servers, services, and web applications to prevent attackers from gaining access.

• On the web server, disable directory listing and make sure the site always serves a
default web page.

• Require longer and more complex passwords (a larger character set and greater length
increase the time it takes to brute-force them).

• Make use of CAPTCHA.

Blue Team
Vulnerability Scanning

1. Nikto
This tool scans a web server for vulnerabilities that could be exploited to compromise the
server.

2. Metasploit Framework
SSH Exploitation

Purple Team
This section analyzes the vulnerabilities that were exploited and the corresponding mitigation methods.

1. SQL Injection

The SQL injection vulnerability is on the OWASP Top 10 list of the most widely exploited
security flaws. (Severity – High)

Recommendation:

Use parameterized queries.

When parameterized queries are used, the database engine checks that the supplied value
matches the column's type rather than interpreting it as part of the SQL statement: if the
column is defined to hold integers, the engine verifies that the user-supplied input is an integer.
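The recommendation above, shown as an added example that is not part of the report: a login check built by string concatenation beside the parameterized form, against a constructed in-memory SQLite table (passwords are stored in plaintext here only to keep the demonstration short; a real system stores password hashes).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed demo table, not data from the assessed site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # User-controlled text is spliced into the statement, so quote characters
    # and SQL keywords in the input change the meaning of the query.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username: str, password: str) -> bool:
    # Placeholders: the values travel separately from the SQL text and are
    # compared as data of the column's type, never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def user_by_id_parameterized(conn, user_id: str):
    # Integer column: a numeric string is compared as a number, while a
    # non-numeric string simply matches no row instead of altering the query.
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None
```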

2. Wildcard Directive
A badly configured 'Content-Security-Policy' header that allows wildcard or excessively broad
sources increases the probability of an XSS attack. (Severity – Medium)

Recommendation:

Ensure that the web server, application server, load balancer, and any other components are
properly configured to set the Content-Security-Policy header without wildcard or excessively
broad sources.


3. Application Error Disclosure


It is conceivable that an attacker could gain access to all of the data in your application.
There is a chance that sensitive information, such as private server settings, API key
credentials, and resource locations, will be exposed. (Severity – Medium)

Recommendation:

• Customize your web application's error pages.


• Review the source code of the page.

4. Missing X-Frame-Option Header


Because the X-Frame-Options header is missing, this website may be vulnerable to a
clickjacking attack.

Impact:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser
should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid
clickjacking attacks by ensuring that their content is not embedded into other sites. This
vulnerability affects the web server. (Severity – Medium)

Recommendations:

5. Cross-Domain Misconfiguration
When cross-domain access is configured improperly, it allows a domain controlled by a hostile
party to send requests to your domain. (Severity – Medium)

Recommendation:

6. Incomplete or No Cache-control and Pragma HTTP Header Set


Web applications use session or cookie storage to hold data temporarily; as a result, this
data may persist long after the session has ended.

In both requests and responses, the 'Cache-Control' HTTP header carries caching directives.
The 'Pragma' header is used for backwards compatibility with HTTP/1.0, which does not have
the 'Cache-Control' header. (Severity – Low)

Recommendation:

7. Absence of Anti-CSRF Tokens

Without anti-CSRF tokens, a Cross-Site Request Forgery attack might cause the administrator
account to perform a specified application action as another signed-in user, such as hijacking
their account by altering their email and password, or secretly adding a new admin user
account. (Severity – Low)

Recommendation:

8. Cross-Domain JavaScript Source File Inclusion
(Severity – Low)

The Cross-Domain JavaScript Source File Inclusion alert indicates that the page includes, and
may execute, one or more JavaScript files from a third-party domain.

If the external script location is not controlled and maintained, the JavaScript file loaded
by the application could be replaced with malicious content that executes harmful code or
steals sensitive information or resources from the application's users.

Impact:

• Possible execution of malicious JavaScript
• Possible user data manipulation and leakage
• Possible functionality change and redirection of data
• Malware infection

Recommendation:

• The basic principle is to store all of your application files on servers that you control
or that are administered by a publicly trusted and recognized third-party service.
• It is advised that owners manage their web applications themselves. Privileges for
managing websites can be given to third parties, but ensure that they are publicly
recognized and trusted.
• Avoid placing sensitive information inside JavaScript files or JSONP.
• Always sanitize user entries that are stored in JSON files.
• Use Subresource Integrity. It lets browsers check whether fetched resources have been
manipulated.
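Subresource Integrity as recommended above, shown as an added example that is not part of the report: the page owner hashes the reviewed vendor file, publishes the hash in the script tag, and the browser-side check (reproduced here as a function) refuses any file whose bytes no longer match. The script body and the CDN URL are constructed for the demonstration.

```python
import base64
import hashlib

# Constructed third-party script body used for the demonstration.
VENDOR_JS = b"window.vendorWidget = function (el) { el.textContent = 'hello'; };\n"

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity attribute value for `content`, e.g. 'sha384-<base64>'."""
    if alg not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: the fetched bytes must match at least one of the
    space-separated hashes in the integrity attribute; otherwise the script is
    refused and never executed."""
    for token in integrity.split():
        alg, _, _ = token.partition("-")
        try:
            if sri_hash(content, alg) == token:
                return True
        except ValueError:  # tokens with an unknown algorithm are ignored
            continue
    return False

def script_tag(src: str, content: bytes) -> str:
    """Build the <script> element published once the vendor file has been
    reviewed; crossorigin is required for SRI checks on cross-origin loads."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')
```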

9. Cookie without SameSite Attribute
(Severity – Low)

A cookie has been set without the SameSite attribute, which means it can be sent in response
to a 'cross-site' request. The SameSite attribute is an effective counter-measure to cross-site
request forgery, cross-site script inclusion, and timing attacks.

Recommendation:

10. Missing "X-XSS-Protection" Header
(Severity – Low)

Modern browsers provide the HTTP 'X-XSS-Protection' response header, which allows websites
to control their XSS auditors. Because the server is not configured to return an
'X-XSS-Protection' header, every page on this site might be vulnerable to a Cross-Site
Scripting (XSS) attack. The following diagram depicts the fundamental syntax for this header.

An XSS attack occurs when an attacker uses a web application to send malicious code to a
different end user, generally in the form of a browser-side script.

Recommendations:

• Include a value of '1; mode=block' in the X-XSS-Protection header on all web server
pages.
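The header findings in sections 2, 4, 5, 6, 9 and 10 above can be checked mechanically against a captured response. This is an added example, not part of the report: it takes a response's headers and raw Set-Cookie values and returns the finding names from this report that apply, with constructed weak and hardened header sets for comparison.

```python
def audit_headers(headers: dict, set_cookies: list) -> list:
    """Return the report's header findings triggered by one response.
    headers: name -> value (any case); set_cookies: raw Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 2. Wildcard Directive: a CSP source list containing '*' or a bare scheme
    #    such as https: permits content from any origin.
    csp = h.get("content-security-policy", "")
    if any(tok in ("*", "https:", "http:")
           for directive in csp.split(";") for tok in directive.split()[1:]):
        findings.append("Wildcard Directive")

    # 4. Missing X-Frame-Options Header (clickjacking). CSP frame-ancestors
    #    gives the same protection, so it is accepted as well.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Missing X-Frame-Options Header")

    # 5. Cross-Domain Misconfiguration: any origin may read the response.
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Cross-Domain Misconfiguration")

    # 6. Sensitive responses should carry Cache-Control: no-store, no-cache
    #    plus Pragma: no-cache for HTTP/1.0 caches.
    cc = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if not {"no-store", "no-cache"} <= cc or h.get("pragma", "").lower() != "no-cache":
        findings.append("Incomplete or No Cache-control and Pragma HTTP Header Set")

    # 9. Cookie without SameSite Attribute: attributes follow the name=value pair.
    if any(not any(p.strip().lower().startswith("samesite=") for p in raw.split(";")[1:])
           for raw in set_cookies):
        findings.append("Cookie without SameSite Attribute")

    # 10. The report recommends X-XSS-Protection '1; mode=block'. Current
    #     browsers ignore this header; a strict CSP is the effective control.
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("Missing X-XSS-Protection Header")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Security-Policy": "default-src 'self' *; script-src *",
        "Access-Control-Allow-Origin": "*", "Cache-Control": "public, max-age=3600"}
WEAK_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly"]
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY", "Pragma": "no-cache",
            "Cache-Control": "no-store, no-cache, must-revalidate",
            "X-XSS-Protection": "1; mode=block"}
HARDENED_COOKIES = ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]
```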
