Techniques used in Enumerating Website Vulnerabilities and Misconfigurations

An ECSL Cyber Learning Project

Today, 2nd June 2022, we at Enugu Cyber Security Learning (ECSL) had our first Open Day Program. My team, Bit-N-Bytes, presented on the topic: Techniques used in Enumerating Website Vulnerabilities and Misconfigurations.

The focus of this topic is the TECHNIQUES themselves, which range from vulnerability scanning with tools like Nmap, Nikto, Legion, and Lynis to web application analysis, database assessment, reverse engineering, sniffing and spoofing, social engineering, and more.

ENUMERATION is the building of a list of what is important: the information that is looked for using those techniques. That information can be about the Domain Name System (DNS), the web application, servers, ports, page source, files, hosts, etc.

VULNERABILITIES means the loopholes and gaps in the website that could aid an attack or attacks by threat actors: open ports, a banner header that is not present, a missing anti-clickjacking X-Frame-Options header, and a lot more. We used our penetration testing lab in Kali Linux to do justice to this topic with two vulnerability scanner tools, Nmap and Nikto.

Using Nmap, an open-source vulnerability scanner used for port scanning. Given the IP address, run in the Linux command line: nmap <IP address>

[Screenshot: Nmap scan output]

From the result, this website has 988 filtered ports, which means that those ports are protected by a firewall. But going down the list, there are over 12 open ports. Even though it is not entirely wrong for some ports to be open, they could still pave the way for attacks depending on their state, and as such they are vulnerable.

21/TCP, the standard port for File Transfer Protocol (FTP), is vulnerable to anonymous authentication and cross-site scripting.

25/TCP, the standard port for Simple Mail Transfer Protocol (SMTP), which handles the exchange of emails, is vulnerable to spamming, phishing, DoS attacks, email hijacking, etc.

26/TCP, the port for the Simple FTP-like Protocol (RSFTP), is exposed to credential exposure vulnerabilities.

53/TCP, the standard port for DNS (listed by Nmap as the "domain" service), is vulnerable to Denial of Service (DoS) attacks.

Ports 80 and 443/TCP, the standard ports for HTTP and HTTPS (HyperText Transfer Protocol and its secure variant), are vulnerable to SQL injection, cross-site request forgery, and buffer overrun.

110/TCP, the port for POP3: through that open port, threat actors can influence the mail server so that data enters the website from untrusted sources, alongside directory traversal vulnerabilities.

143/TCP, IMAP, has a vulnerability associated with a lack of support for strong authentication and enforcement of multifactor authentication.
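To show how the port list above is read and then acted on, here is an added Python example; it is not part of the ECSL post and not Nmap's own code. It parses Nmap's normal-output format (the "Not shown:" summary line and the PORT/STATE/SERVICE rows) and flags open ports that are not on an owner-supplied allowlist, which is the review step the conclusion of the post recommends. The scan text is constructed to mirror the ports discussed above rather than being the real output; example.invalid, 203.0.113.10 and the {80, 443} allowlist are placeholders.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# Constructed sample in Nmap's normal-output format, built to mirror the ports
# discussed in the post. It is NOT the real scan output; host and IP are placeholders.
SAMPLE_SCAN = """\
Nmap scan report for example.invalid (203.0.113.10)
Host is up (0.045s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
26/tcp   open   rsftp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
3306/tcp closed mysql
"""

# One "port/proto  state  service" row; \S+ also covers compound states such as open|filtered.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Not shown: 988 filtered tcp ports (...)" (newer Nmap) or "Not shown: 988 filtered ports".
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+)")


def parse_nmap(text: str) -> Tuple[Tuple[int, str], List[PortEntry]]:
    """Return ((count, state) from the 'Not shown' line, list of per-port rows)."""
    not_shown: Tuple[int, str] = (0, "")
    ports: List[PortEntry] = []
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return not_shown, ports


def open_ports(ports: List[PortEntry]) -> List[PortEntry]:
    """Only rows Nmap reports as 'open'; closed and filtered rows are dropped."""
    return [p for p in ports if p.state == "open"]


def unexpected_open(ports: List[PortEntry], allowed: Set[int]) -> List[PortEntry]:
    """Open ports the service owner did not allowlist: candidates to close or firewall."""
    return [p for p in open_ports(ports) if p.port not in allowed]


if __name__ == "__main__":
    (count, state), rows = parse_nmap(SAMPLE_SCAN)
    print(f"{count} ports {state}, {len(open_ports(rows))} open")
    # Hypothetical allowlist: this host is only meant to serve HTTP and HTTPS.
    for p in unexpected_open(rows, {80, 443}):
        print(f"review {p.port}/{p.proto} ({p.service}): not on the allowlist")
```

The allowlist is the important input: what counts as an unexpected open port depends on what the host is supposed to do, so the script reports candidates for the owner to close or firewall rather than declaring any port bad on its own. To use it on a real scan, feed it the saved normal output (nmap -oN) instead of SAMPLE_SCAN.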

Using Nikto, another open-source vulnerability scanner. In the command line: nikto -h <IP address>

[Screenshot: Nikto scan output]

From the results:

Server: No banner retrieved, which makes this website vulnerable to banner grabbing, a situation where threat actors can get to know all the computer systems in this network.

The anti-clickjacking X-Frame-Options header is not present, which makes this website vulnerable to clickjacking, a cyber attack where attackers embed malicious links under legitimate links so that users download malware or are redirected to websites where they get scammed or have their information stolen.

The X-XSS-Protection header is not defined, a vulnerability for cross-site scripting attacks. In such an attack the user's interaction with the website is compromised: attackers manipulate the vulnerable website so that it runs malicious JavaScript or serves vulnerable applications to users.
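As an added example (not from the ECSL post and not Nikto's own code), the following Python script reproduces the three Nikto findings above against a raw HTTP response: it parses the headers, flags a Server banner that discloses a software version, a missing or weak X-Frame-Options header (accepting a Content-Security-Policy frame-ancestors directive as the modern equivalent), and an undefined X-XSS-Protection header. Both responses are constructed, not captured from the scanned site; the hardened one shows what a passing response looks like.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from the site scanned in the post).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header map; the body is discarded."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _sep, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing header, in the order Nikto reported them."""
    findings: List[str] = []

    # Banner: a Server value carrying a version number tells a scanner exactly what to look up.
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server banner discloses software version: {server}")

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN, or CSP must restrict framing.
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options header missing or weak and no CSP frame-ancestors (clickjacking)")

    # Legacy XSS filter header, reported by Nikto when absent.
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection header not defined")

    return findings


def audit_response(raw: str) -> List[str]:
    """Convenience wrapper: parse then audit a raw response."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

X-XSS-Protection is a legacy header that current browsers ignore; it is checked here because Nikto reports it, but the control actually worth deploying against cross-site scripting is a Content-Security-Policy, which is why the script also accepts CSP frame-ancestors in place of X-Frame-Options. To audit a live server, read the response text from a socket or an HTTP client and pass it to audit_response.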

Using only two tools in one technique, we were able to enumerate eleven vulnerabilities in a website. There are many more to explore; the field of cyber security is like an ocean of endless tools and techniques. Some of the open ports in our results are not really bad, but when a port is not in use, or its application works perfectly with it closed, that port should be closed. For better and tighter security, open ports should be protected.