An example of an enterprise penetration test report
Throughout this book, we will build a secure design for an event ticketing system. Envision a software system that allows a box office or a website to sell tickets to a famous musical concert or theatre event. A simplified sample penetration test report is detailed in the following:
High-level summary
A workstation, web server, and database server were analyzed. The workstation was found to be vulnerable if malware was installed: such malware may be able to read and modify the application's API calls. The web server had several common web vulnerabilities, which are listed in the attached Vega report. The database server had a single potential SQL injection vulnerability. Recommendations for each host are given in the individual host analysis section that follows; they include periodic scanning of the web and database servers.
Host analysis
This section of the report documents the reconnaissance, vulnerability analysis, exploitation, and recommendations for each machine in scope for the penetration test:
Web server
Reconnaissance
- Tool used: Nmap
- IP address: 192.168.1.1
- Subnet: 255.255.255.0
- MAC address: 00-A5-B1-65-C2-32
- Operating system: RHEL 9
- Other software discovered: Apache, PHP
Vulnerability analysis
- Tools used: Vega
- Many vulnerabilities were discovered with Vega; see the attached listing. Examples include the following:
- XSS in ticketbasket.php
- SQL injection in ticketpayment.php
Exploitation
- An XSS attack was developed and delivered against the ticketbasket.php page.
Important note
We discussed XSS attacks in Chapter 9, Standard Web Application Vulnerabilities.
Recommendations
- Fix all attached vulnerabilities and run a Vega scan nightly.
Database server
Reconnaissance
- Tool used: Nmap
- IP address: 192.168.1.121
- Subnet: 255.255.255.0
- MAC address: 00-E5-B1-23-A2-54
- Operating system: RHEL 9
- API connectivity: MySQL API
- Other software discovered: MySQL 8.2
Vulnerability analysis
- Tools used: SQLMap
- Potential SQL injection in the stored procedure spLockSeats.
Important note
We discuss this type of vulnerability and mitigations in Chapter 10, Database Security.
Exploitation
- SQLMap was utilized to attempt exploitation without success.
Recommendations
- Fix the stored procedure and run an Nmap scan against a backup server weekly.
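As an added illustration (not part of the sample report or of the book's ticketing code), the following shows one plausible shape of the spLockSeats finding beside a fixed version that needs no dynamic SQL. The seats table, the ticketing schema, the ticket_app account and both procedure bodies are assumptions; the report does not show the real procedure.

```sql
-- Added example, not the report's own code. The table
-- seats(event_id, seat_no, locked), the schema `ticketing` and the account
-- `ticket_app` are ASSUMED for illustration.
USE ticketing;
DELIMITER $$

-- Vulnerable shape: the caller-supplied seat list is spliced into SQL text
-- and executed with PREPARE, so its contents become part of the statement
-- instead of staying data. This is the pattern SQLMap probes for.
CREATE PROCEDURE spLockSeats_vulnerable(IN p_event_id INT, IN p_seat_list VARCHAR(255))
BEGIN
  SET @sql = CONCAT('UPDATE seats SET locked = 1 WHERE event_id = ', p_event_id,
                    ' AND seat_no IN (', p_seat_list, ')');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

-- Fixed shape: a static statement. The comma-separated list is matched with
-- FIND_IN_SET(), so whatever it contains can only be compared, never executed.
-- Caveat: FIND_IN_SET() expects no spaces around the commas, so the caller
-- must pass 'A1,A2,A3' rather than 'A1, A2, A3'.
-- The number of rows changed is returned so the caller can confirm that
-- every requested seat was actually locked (a seat already locked is skipped).
CREATE PROCEDURE spLockSeats(IN p_event_id INT, IN p_seat_list VARCHAR(255))
BEGIN
  UPDATE seats
     SET locked = 1
   WHERE event_id = p_event_id
     AND locked = 0
     AND FIND_IN_SET(seat_no, p_seat_list) > 0;
  SELECT ROW_COUNT() AS seats_locked;
END$$

DELIMITER ;

-- Least privilege for the application account: it may call the procedure
-- but gets no direct access to the seats table.
GRANT EXECUTE ON PROCEDURE ticketing.spLockSeats TO 'ticket_app'@'%';
```

Re-running SQLMap against the fixed procedure (as the report's nightly/weekly scanning recommends) is the check that the parameter is now treated as data only.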
Box office workstation
Reconnaissance
- Tool used: Nmap
- IP address: 192.168.1.120
- Subnet: 255.255.255.0
- MAC address: 00-F5-A1-63-D2-52
- Operating system: Windows 11
- API connectivity: REST
- Other software discovered: MS Teams, MS RDP
Vulnerability analysis
- Tools used: Burp Suite
- Malware on the workstation can modify HTTPS requests to the REST API.
Important note
We did not discuss this directly, but it falls under the input sanitization and validation covered in Chapter 8.
Exploitation
- Malware was developed and deployed that mutated the REST calls, causing a denial of service in the application.
Recommendations
- Use X.509 client certificates.