
Web Application Security Test Report

For
Income Tax Settlement Commission

Site URL: http://www.itscindia.gov.in


Test URL: http://demotemp444.nic.in/index.html

Level: 1
Date: 13th May 2010
V1.0

CyberQ Consulting Pvt. Ltd.


1st Floor, 31 Krishna Market, Kalkaji
New Delhi-19
INDIA
Main Switchboard: 91-11-26225512, 91-11-40550735

Document Control Sheet

S. No. | Ver No. | Start Date    | End Date      | Prepared By    | Approved By | Comments
1      | 1.0     | 05th May 2010 | 07th May 2010 | Rajinder Abrol | Abhishek De | Level 1 Testing

Auditor: Rajinder Abrol

Sign Off: D Kar


TABLE OF CONTENTS
1 INTRODUCTION ........................................ 4
1.1 Objective ......................................... 4
1.2 Scope ............................................. 4
1.3 Methodology ....................................... 4
1.4 Tools Used ........................................ 5
2 EXECUTIVE SUMMARY ................................... 6
2.1 Recommendations ................................... 6
2.2 Table of Findings ................................. 6
2.3 The OWASP Top 12 and the "ITSC" Website ........... 7
3 WEBSITE CRAWL RESULTS ............................... 8
1 Introduction

1.1 Objective

CyberQ was asked to conduct a Web Application Security Test on the application provided by the Office of the Income Tax Settlement Commission, New Delhi. Details were provided to the extent mentioned in "Scope of Work". The testing was carried out from the CyberQ office in New Delhi. The objective of this testing was to ensure the security of the network and web server from external threats coming through the web application.
1.2 Scope

The application to be audited was https://www.itscindia.gov.in. The audit was carried out on the staging URL http://demotemp444.nic.in/index.html.
The scope of the project was limited to finding the vulnerable areas of the web application. Exploiting the vulnerabilities was out of scope for the tests.
1.3 Methodology

The methodology applied in Web Application Security Testing consists of the following steps.

1. Information Gathering: One of the first steps of this test is to identify the web application environment, including the scripting language and web server software in use, and the operating system of the target server. However, this step is generally omitted if the testing is limited to just the web application and not the host.
2. Test Application: While testing the application, we follow, but are not limited to, the OWASP standards. The top 10 vulnerabilities are tested for static and dynamic web sites. Our testing is done manually as well as using tools. An indicative list of tools is given in the section below. In the case of a critical application, or if an application is being cleared for security, a peer test is done by another auditor.
3. After exhaustive testing, the findings are compiled and classified according to a Risk Level of High, Medium or Low, depending on the harm they may cause to the web application, server or network.
4. A report is created highlighting the findings together with details for each finding. The report is reviewed and approved by a senior auditor.
1.4 Tools Used

The following tools are used:
• Paros
• Burp
• Web Sphinx

2 Executive Summary

2.1 Recommendations

The site is safe for hosting with respect to the OWASP vulnerabilities listed in Section 2.3.

1. The folder containing the 'html' pages should be given 'READ' permissions.
The site is "CLEARED" for hosting.
Note: If any modification to the application is made in the future, the website should again be subjected to a security audit as per the directives of NIC.
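The single recommendation above is a file-system hardening step. The script below is an added example, not part of the CyberQ report, that shows how an administrator could verify it: it walks a static-content document root, flags any entry that is writable by group or other or that carries an execute bit on a content file, and then applies the read-only modes. It assumes a POSIX host where the web server runs as a different user from the file owner; the directory it builds with `build_sample_webroot()` is a constructed sample, not the audited site.

```python
import stat
import tempfile
from pathlib import Path

# Target modes for a static-content document root (assumption: a POSIX
# host where the web server runs as a user other than the file owner).
DIR_MODE = 0o755   # rwxr-xr-x: owner may change the tree, everyone else may only list/traverse
FILE_MODE = 0o644  # rw-r--r--: owner may edit, everyone else may only read


def audit_webroot(root):
    """Walk the document root and report entries that grant more than read
    access to group/other, or that carry an execute bit on a content file.
    Returns a list of (relative_path, octal_mode, reason); an empty list
    means the tree matches the READ-only recommendation."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # symlink targets are audited at their real location
        mode = stat.S_IMODE(path.stat().st_mode)
        rel = str(path.relative_to(root))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, oct(mode), "writable by group or other"))
        if path.is_file() and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append((rel, oct(mode), "execute bit set on a content file"))
    return findings


def harden_webroot(root):
    """Apply the recommendation: directories DIR_MODE, files FILE_MODE.
    Returns the number of entries whose mode was changed."""
    root = Path(root)
    changed = 0
    for path in root.rglob("*"):
        if path.is_symlink():
            continue
        wanted = DIR_MODE if path.is_dir() else FILE_MODE
        if stat.S_IMODE(path.stat().st_mode) != wanted:
            path.chmod(wanted)
            changed += 1
    return changed


def build_sample_webroot():
    """Constructed sample tree (not the audited site): a few static pages,
    deliberately left with the kind of loose modes the audit should flag."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    pages = {
        "index.html": "<html><body><a href='aboutus.html'>About</a></body></html>",
        "aboutus.html": "<html><body>About us</body></html>",
        "form.html": "<html><body>Forms</body></html>",
    }
    for name, body in pages.items():
        (root / name).write_text(body)
        (root / name).chmod(FILE_MODE)
    (root / "index.html").chmod(0o666)   # world-writable page: must be flagged
    (root / "form.html").chmod(0o755)    # execute bit on a content file: must be flagged
    bench = root / "bench"
    bench.mkdir()
    bench.chmod(0o777)                   # world-writable directory: must be flagged
    (bench / "bench_delhi.html").write_text("<html><body>Delhi bench</body></html>")
    (bench / "bench_delhi.html").chmod(FILE_MODE)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for finding in audit_webroot(sample):
        print("BEFORE:", finding)
    print("changed:", harden_webroot(sample))
    print("AFTER:", audit_webroot(sample))
```

Run against a real document root, `audit_webroot()` gives the list of entries that would let the web server (or anyone else on the host) alter the pages; an empty list after `harden_webroot()` is the evidence that the recommendation has been applied.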

2.2 Table of Findings

NONE
2.3 The OWASP Top 12 and the "ITSC" Website

The Open Web Application Security Project (OWASP) has rated the top 12 vulnerabilities found in web applications worldwide. The table shows how the application stacks up with respect to the OWASP top 12 list.

S.No. | Vulnerabilities                          | Status
1.    | Un-validated Input                       | Safe
2.    | Broken Access Control                    | Not Applicable
3.    | Broken Account and Session Management    | Not Applicable
4.    | Cross-Site Scripting (XSS) Flaws         | Safe
5.    | Buffer Overflows                         | Safe
6.    | Injection Flaws                          | Safe
7.    | Error Handling Problems                  | Safe
8.    | Insecure Storage                         | Not Applicable
9.    | Denial of Service                        | Safe
10.   | Insecure Configuration Management        | Not Applicable
OWASP 2007 vulnerabilities
11.   | Cross-Site Request Forgery               | Not Applicable
12.   | Remote File Inclusion                    | Not Applicable

3 Website Crawl Results

http://demotemp444.nic.in/index.html
http://demotemp444.nic.in/aboutus.html
http://demotemp444.nic.in/composition.html
http://demotemp444.nic.in/ra_rules.html
http://demotemp444.nic.in/procedurerules.html
http://demotemp444.nic.in/caselaws.html
http://demotemp444.nic.in/form.html
http://demotemp444.nic.in/jurisdiction.html
http://demotemp444.nic.in/supreme_court.html
http://demotemp444.nic.in/high_court.html
http://demotemp444.nic.in/bench_delhi.html
http://demotemp444.nic.in/bench_mumbai.html
http://demotemp444.nic.in/bench_kolkata.html
http://demotemp444.nic.in/bench_chennai.html
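The list above is the output of the crawl step (the report names Web Sphinx among its tools). As an added example, not part of the report and not the tool's own code, the script below implements the same idea: a breadth-first crawl confined to the start URL's host that records every page reached and every same-host link that could not be fetched. It runs offline against `SAMPLE_SITE`, a constructed set of page bodies; only the host name is taken from the report, and a real run would replace `offline_fetch` with an HTTP client.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect raw href/src values from the tags a crawler follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area", "frame", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def crawl(start_url, fetch, max_pages=500):
    """Breadth-first crawl confined to the start URL's host.
    `fetch(url)` returns the page body as a string, or None if the URL
    could not be retrieved. Returns (crawled, broken): the ordered list of
    pages that were fetched and the same-host links that failed."""
    start_host = urlsplit(start_url).netloc
    queue = deque([start_url])
    visited = {start_url}
    crawled, broken = [], []
    while queue and len(crawled) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            broken.append(url)
            continue
        crawled.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            absolute, _fragment = urldefrag(urljoin(url, raw))
            parts = urlsplit(absolute)
            # Stay in scope: same host, web schemes only, each URL once.
            if parts.scheme not in ("http", "https") or parts.netloc != start_host:
                continue
            if absolute not in visited:
                visited.add(absolute)
                queue.append(absolute)
    return crawled, broken


# Constructed stand-in for the staging site: the page bodies are invented,
# only the host name comes from the report.
BASE = "http://demotemp444.nic.in/"
SAMPLE_SITE = {
    BASE + "index.html": (
        "<html><body>"
        "<a href='aboutus.html'>About</a>"
        "<a href='composition.html'>Composition</a>"
        "<a href='#top'>Top</a>"                        # fragment only: same page
        "<a href='http://other.example/'>External</a>"  # off-host: not followed
        "<a href='missing.html'>Missing</a>"            # dangling link
        "</body></html>"
    ),
    BASE + "aboutus.html": "<html><body><a href='/index.html'>Home</a><a href='composition.html'>C</a></body></html>",
    BASE + "composition.html": "<html><body><a href='form.html'>Forms</a></body></html>",
    BASE + "form.html": "<html><body>No further links</body></html>",
}


def offline_fetch(url):
    """Offline fetch: look the URL up in the constructed sample site."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    pages, dangling = crawl(BASE + "index.html", offline_fetch)
    print("\n".join(pages))
    print("broken:", dangling)
```

Two design points matter for a crawl used as audit evidence: fragments are stripped and URLs are de-duplicated so one page is not listed several times, and off-host links are dropped so the crawl stays inside the agreed scope. The `broken` list is a by-product worth keeping, since dangling links on a staging copy often point at content that was never migrated.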
