REPORT TITLE
Prepared for: Bank of Charles
STUDENTS NAME
Contents
REPORT TITLE
  Prepared for: Bank of Charles
  STUDENTS NAME
Executive Summary
Technical Summary
  Scope
  Key Findings
  Key Recommendations
Findings and Recommendations
  Findings
    SQL Injection
Appendices
  Appendix A Risk Matrix
Executive Summary
High-level summary of what was tested, who was engaged, what the outcome was, etc.
Technical Summary
Scope
Information about the scope of your assessment
Attribute      | Value
IP / Hostname  |
Testing Type   |
User           |

Key Findings
A few dot points on the key findings:
Key Recommendations
A few dot points on the key recommendations:
Findings and Recommendations
Findings
The body of the report, which contains the findings/vulnerabilities.
SQL Injection
Risk: X    Likelihood: Y    Consequence: Z
Description
Impact
Evidence
Recommendation and Actions Taken
References
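The finding template above leaves Evidence and Recommendation blank. As an added, self-contained example (not the rewards platform's code and not part of the template), this is the shape such a finding usually takes for a Flask/SQLite login: the query built by string formatting beside its parameterised form, run against a constructed in-memory users table. The table, credentials and the authentication bypass payload are illustrative assumptions; the SHA-256 password hash stands in for the salted hash a real application would use.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Bare SHA-256 keeps the example dependency-free; real code should use a
    # salted, slow hash (e.g. argon2 or werkzeug.security.generate_password_hash).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", _hash("Adm1n-Pass")), ("alice", _hash("hunter2"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement with an f-string, so attacker-controlled text is parsed as SQL.

    With username "admin' --" the statement becomes
        SELECT username FROM users WHERE username = 'admin' --' AND password_hash = '...'
    and everything after "--" is a comment, so the password check disappears.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{_hash(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver passes values separately from the SQL text,
    so a quote or comment sequence in the input is only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # closes the string literal, comments out the rest of the WHERE clause
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
```

When writing the Evidence section, capture the exact request (Burp's raw request is ideal), the payload, and the response that proves the bypass; the Recommendation is the parameterised form, applied to every query that takes user input rather than only the one demonstrated.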
Appendices
Appendix A Risk Matrix

Likelihood      | Consequence
                | Insignificant  Minor          Moderate  Major     Catastrophic
Very Likely     | Low            Medium         High      Critical  Critical
Likely          | Low            Low            Medium    High      Critical
Possible        | Informational  Low            Medium    High      High
Unlikely        | Informational  Low            Low       Medium    High
Very Unlikely   | Informational  Informational  Low       Medium    Medium
Requirements
Hello,
I'm Carter, the CTO of Charles Bank, one of the world's most secure banks. Our commitment to security sees us conducting penetration testing regularly. We require your services. We've recently re-architected our rewards platform, and I suspect there may be some security issues.
Can you please conduct a code review and web application penetration test? I've provided you with the source code; you can run the whole app locally on your Kali VM.
We want you to use our report template, which has been provided to you.
Security issues
Potential security issues are shown below:
Authorisation / Authentication issues
XSS
CSRF
SQL Injection
Bonus vulnerabilities
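As an added example (not part of the brief and not the rewards platform's code), here is a stdlib-only Python sketch of the two controls that close the XSS and CSRF items above: output encoding of untrusted data before it is placed in HTML, and a synchroniser token checked before any state-changing request is honoured. The handler, its form fields and the plain dict standing in for the Flask session are hypothetical.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple

# --- XSS: encode untrusted data at the point it is written into HTML ---------

def render_greeting_vulnerable(display_name: str) -> str:
    """User input is pasted straight into the markup, so tags in the name execute."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """html.escape turns <, >, &, and quotes into entities, so the browser shows the
    input as text. Jinja2 autoescaping does the same for Flask templates, unless the
    template applies |safe or Markup() to untrusted data."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# --- CSRF: synchroniser token tied to the session ----------------------------

def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token and embed it in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only if the submitted value matches the session's token.
    compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form: dict) -> Tuple[int, str]:
    """Hypothetical POST handler for a points transfer (constructed example).
    The CSRF check runs before anything else; a cross-site form post from another
    origin cannot read the token and so cannot pass it."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    points = int(form["points"])
    recipient = html.escape(form["to"], quote=True)  # encoded again before it reaches HTML
    return 200, f"transferred {points} points to {recipient}"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(probe))
    print(render_greeting_safe(probe))
    sess = {}
    tok = issue_csrf_token(sess)
    print(handle_transfer(sess, {"csrf_token": tok, "points": "50", "to": "alice"}))
    print(handle_transfer(sess, {"csrf_token": "forged", "points": "50", "to": "alice"}))
```

When reviewing the Flask source, the places to look are any `render_template_string` call or template using `|safe` on request data (XSS), and any POST route that changes state without reading a token from the form or header (CSRF).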
Instructions
The application is a Flask app and is designed to be unzipped and run in your Kali VM.
The application will start and serve a website on http://localhost:5000
You can visit this site and use Burp Suite to investigate requests, etc.
Ensure you are *not connected* to the VPN when running this exam, as you need Internet.
Fixing the code
Flask is running in debug mode, so each time you change a file the app reloads automatically. Debug mode is for this local exercise only: the interactive Werkzeug debugger it enables allows code execution from the browser, so it must never be left on in a deployed application.
To deploy the Flask app environment for penetration testing on your Kali Linux machine, follow these steps:
1. Download and Extract Source Code
Download the provided source code file (source-code.zip).
Extract the contents to a directory on your Kali Linux machine using this command:
Command: unzip source-code.zip -d {desired/directory}
Navigate to the extracted directory:
Command: cd {desired/directory}
2. Set Up Dependencies
Make sure you have Python and the necessary dependencies. You can install Python and pip (Python package manager) as follows:
Commands: sudo apt update
sudo apt install python3 python3-venv python3-pip -y
3. Run the Provided Setup Script
The setup script, run-app.sh, automates the deployment. Execute the following command to set up the app:
Command: . ./run-app.sh
Errors
You may receive an error such as the one below when first running the script. To fix it, run the script again.
Figure 1: Failed Script
Figure 2: Successful Run of Script
4. Access the Application
Once the setup is complete, access the Flask web app by opening your browser and navigating to http://localhost:5000.
Ensure that no VPNs or proxies interfere with accessing the app.
5. Penetration Testing
Utilize tools like Burp Suite to analyze HTTP requests and identify potential security issues, including:
Authorization/Authentication Issues
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
SQL Injection
Other vulnerabilities
6. Reporting
Document your findings using the provided report template. Make sure to follow the given structure and thoroughly explain the vulnerabilities detected.
7. Fixing Vulnerabilities
Flask will update automatically in debug mode when you make changes to the source code files. Utilize this feature to test fixes in real-time.
Notes:
Always review your results for accuracy.
Perform this work in a controlled environment without connecting to any networks unless explicitly required for testing.