diff --git a/xml/doc/examples/examplequickscope.xml b/xml/doc/examples/examplequickscope.xml
index 1a4ef1e..55fed40 100644
--- a/xml/doc/examples/examplequickscope.xml
+++ b/xml/doc/examples/examplequickscope.xml
@@ -31,7 +31,7 @@
TP Country
-
+
@@ -60,5 +60,5 @@
40000
-
+
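Review bot: the element replaced in this hunk, and the one replaced in the hunk above it next to `TP Country`, is blank as rendered in this diff, so the edit to the example document cannot be checked against the schema changes to common.xsd and quickscope.xsd that travel with it. State in the description which element or attribute was renamed, and confirm the example still validates against the schema it declares, e.g. `xmllint --noout --schema xml/dtd/quickscope.xsd xml/doc/examples/examplequickscope.xml`.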
diff --git a/xml/dtd/common.xsd b/xml/dtd/common.xsd
index cede145..a72e9d7 100644
--- a/xml/dtd/common.xsd
+++ b/xml/dtd/common.xsd
@@ -156,7 +156,14 @@
-
+
+
+
+
+
+
+
+
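Review bot: a single line becomes seven here and all seven are blank in this rendering, which makes the most substantial schema change in the patch effectively unreviewable. A 1-to-7 expansion in the shared common.xsd usually introduces a new type or an enumeration of allowed values; that needs an xs:annotation/xs:documentation block, and a validation run of every document under xml/source and xml/doc/examples, since the four per-document schemas changed further down appear to depend on it. Please paste the new definitions into the PR description.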
@@ -168,6 +175,7 @@
+
diff --git a/xml/dtd/ir_quickscope.xsd b/xml/dtd/ir_quickscope.xsd
index 30db9a8..19cc677 100644
--- a/xml/dtd/ir_quickscope.xsd
+++ b/xml/dtd/ir_quickscope.xsd
@@ -11,7 +11,7 @@
-
+
@@ -28,7 +28,7 @@
-
+
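Review bot: the two one-line substitutions here have the same shape as the two in quickscope.xsd further down, and offerte.xsd and pentestreport.xsd swap six and eight lines in the same way. If all of these are one element being renamed or retyped, declare it once in common.xsd (which this patch already extends) and reference it from the per-document schemas, so the next rename is a one-file change instead of a five-file one.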
diff --git a/xml/dtd/offerte.xsd b/xml/dtd/offerte.xsd
index e00f2bb..bb176df 100644
--- a/xml/dtd/offerte.xsd
+++ b/xml/dtd/offerte.xsd
@@ -45,12 +45,12 @@
-
-
-
-
-
-
+
+
+
+
+
+
diff --git a/xml/dtd/pentestreport.xsd b/xml/dtd/pentestreport.xsd
index ec11d0b..b2a2a9a 100644
--- a/xml/dtd/pentestreport.xsd
+++ b/xml/dtd/pentestreport.xsd
@@ -47,14 +47,14 @@
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
diff --git a/xml/dtd/quickscope.xsd b/xml/dtd/quickscope.xsd
index ad290bc..00ed0fe 100644
--- a/xml/dtd/quickscope.xsd
+++ b/xml/dtd/quickscope.xsd
@@ -9,7 +9,7 @@
-
+
@@ -38,7 +38,7 @@
-
+
@@ -55,7 +55,6 @@
-
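Review bot: this is the only hunk in the schema files that deletes a line without replacing it (the hunk shrinks from 7 lines to 6). A dropped declaration makes any document that still contains the element invalid, so say what was removed and check that xml/source/quickscope.xml and xml/doc/examples/examplequickscope.xml, both touched elsewhere in this patch, no longer use it.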
diff --git a/xml/source/ir_quickscope.xml b/xml/source/ir_quickscope.xml
index 3577e80..27b5424 100644
--- a/xml/source/ir_quickscope.xml
+++ b/xml/source/ir_quickscope.xml
@@ -20,7 +20,7 @@
-
+
100000
@@ -35,6 +35,6 @@
250
-
+
diff --git a/xml/source/quickscope.xml b/xml/source/quickscope.xml
index e6682ad..3343b92 100644
--- a/xml/source/quickscope.xml
+++ b/xml/source/quickscope.xml
@@ -35,7 +35,7 @@
XXX
-->
-
+
0
@@ -59,5 +59,5 @@
0
-
+
diff --git a/xml/source/tocsv.xsl b/xml/source/tocsv.xsl
new file mode 100644
index 0000000..e4ad71c
--- /dev/null
+++ b/xml/source/tocsv.xsl
@@ -0,0 +1,39 @@
+
+
+
+ ;
+
+
+
+
+
+
+ #
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
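Review bot: the file has no trailing newline, and the only literal output visible here is the `;` field separator and a `#` line, which suggests a semicolon-delimited export of findings with no quoting. Two things to add before this runs on real reports: wrap every field in double quotes and double any embedded quote (finding descriptions routinely contain `;`, newlines and `"`), and neutralise spreadsheet formula injection, because a finding title or description copied from a tested application can begin with `=`, `+`, `-` or `@` and will be evaluated as a formula when the CSV is opened in Excel or LibreOffice; prefixing such values with a single quote or a tab is the usual mitigation. Also document in a comment what the `#` line is (header marker or comment) so consumers know whether to skip it.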
diff --git a/xml/target/execsummary.fo b/xml/target/execsummary.fo
new file mode 100644
index 0000000..7ea63c3
--- /dev/null
+++ b/xml/target/execsummary.fo
@@ -0,0 +1,64 @@
+ConfidentialConfidential/Radically Open Security B.V. - 60628081/Radically Open Security B.V. - 60628081
+ PENETRATION TEST MANAGEMENT SUMMARYforSitting Duck B.V. V1.0AmsterdamJanuary 26th, 2015Document PropertiesClientSitting Duck B.V.TitlePENETRATION TEST MANAGEMENT SUMMARYTargetfishinabarrel.sittingduck.comVersion1.0PentestersMelanie Rieback, Aristotle, George Boole, William of Ockham, Ludwig Josef Johann WittgensteinAuthorsPatricia Piolon, Ernest Hemingway, JRR Tolkien, Arthur Conan DoyleReviewed byMelanie RiebackApproved byMelanie RiebackVersion controlVersionDateAuthorDescription 0.1January 19th, 2015Patricia PiolonInitial draft 0.2January 20th, 2015Ernest HemingwayStructure & contents revision 0.3January 21st, 2015Patricia PiolonAdded threat levels and recommendations 0.4January 22nd, 2015Patricia Piolon, JRR TolkienRevision 0.5January 23rd, 2015Patricia PiolonRevision1.0January 26th, 2015Arthur Conan DoyleFinalizingContactFor more information about this Document and its
+ contents please contact Radically Open Security B.V.NameMelanie RiebackAddressZieseniskade 211017 RT AmsterdamThe NetherlandsPhone+31 6 10 21 32 40Emailinfo@radicallyopensecurity.com
+
+ Table of Contents
+
+
+
+
+
+
+ 1 Methodology 1.1 Planning 1.2 Risk Classification
+
+
+
+
+
+
+
+
+
+
+ 1 Methodology
+
+ 1.1 Planning
+ Our general approach during this penetration test was as follows:
+ 1. ReconnaissanceWe attempted to gather as much information as possible about the
+ target. Reconnaissance can take two forms: active and passive. A
+ passive attack is always the best starting point as this would normally defeat
+ intrusion detection systems and other forms of protection, etc., afforded to the
+ network. This would usually involve trying to discover publicly available
+ information by utilizing a web browser and visiting newsgroups etc. An active form
+ would be more intrusive and may show up in audit logs and may take the form of a
+ social engineering type of attack.2. EnumerationWe used varied operating system fingerprinting tools to determine
+ what hosts are alive on the network and more importantly what services and operating
+ systems they are running. Research into these services would be carried out to
+ tailor the test to the discovered services.3. ScanningThrough the use of vulnerability scanners, all discovered hosts would be tested
+ for vulnerabilities. The result would be analyzed to determine if there any
+ vulnerabilities that could be exploited to gain access to a target host on a
+ network.4. Obtaining AccessThrough the use of published exploits or weaknesses found in
+ applications, operating system and services access would then be attempted. This may
+ be done surreptitiously or by more brute force methods.
+
+
+ 1.2 Risk Classification
+ Throughout the document, each vulnerability or risk identified has been labeled and
+ categorized as:
+ •ExtremeExtreme risk of security controls being compromised with the possibility
+ of catastrophic financial/reputational losses occurring as a result.•HighHigh risk of security controls being compromised with the potential for
+ significant financial/reputational losses occurring as a result.•ElevatedElevated risk of security controls being compromised with the potential
+ for material financial/reputational losses occurring as a result.•ModerateModerate risk of security controls being compromised with the potential
+ for limited financial/reputational losses occurring as a result.•LowLow risk of security controls being compromised with measurable negative
+ impacts as a result.
+ Please note that this risk rating system was taken from the Penetration Testing Execution
+ Standard (PTES). For more information, see:
+ http://www.pentest-standard.org/index.php/Reporting.
+
+
+
+
+
+
+
+
\ No newline at end of file
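Review bot: this file, together with invoice.fo, report.fo, reportpat.fo and report.pdf below, is the output of the XSL-FO build, not a source. Committing it means it goes stale the moment a source document or stylesheet changes, every rebuild produces a noisy diff, and this copy also lacks a trailing newline. Add xml/target/ to .gitignore and drop these from the patch; if a rendered sample is wanted for documentation, keep a single one under xml/doc and note which commit produced it.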
diff --git a/xml/target/invoice.fo b/xml/target/invoice.fo
new file mode 100644
index 0000000..e094d23
--- /dev/null
+++ b/xml/target/invoice.fo
@@ -0,0 +1,239 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Radically Open Security B.V.
+ Zieseniskade 21
+ 1017 RT Amsterdam
+ The Netherlands
+
+
+
+
+
+
+
+
+
+ www.radicallyopensecurity.com
+ info@radicallyopensecurity.com
+ Chamber of Commerce 60628081
+ VAT number 853989655B01
+
+
+
+
+
+
+
+
+
+
+
+
+ Please keep digital unless absolutely required.
+ Read the (unique) terms and conditions of Radically Open Security at:
+ https://radicallyopensecurity.com/TermsandConditions.pdf
+
+
+
+
+
+ Please keep digital unless absolutely required.
+ Read the (unique) terms and conditions of Radically Open Security at:
+ https://radicallyopensecurity.com/TermsandConditions.pdf
+
+
+
+
+
+ Invoice no. 001/17
+
+ Sitting Duck B.V.
+
+ Reed Street 42
+ 0000 Pond City
+ Amazonia
+ freemoney@sittingduck.com
+
+ June 8, 2017
+ Services delivered
+
+
+
+
+
+
+
+ 2-day retest Sitting Duck
+
+
+ € 0.--
+
+
+
+
+ VAT
+ 21%
+
+
+ € 0.--
+
+
+
+
+ Total amount to be paid
+
+
+ € 0.--
+
+
+
+
+
+ Radically Open Security B.V. donates > 90% of its entire profits to charity.
+
+ Please be so kind to pay within 30 days by money
+ transfer, to the following account:
+
+
+ Radically Open Security B.V.
+ IBAN: NL06 RABO 0188 2813 12
+ Reference: 001/17
+
+ Kind regards,
+ your dedicated team at
+ Radically Open Security B.V.
+
+
+
+
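Review bot: this rendered invoice embeds the company's IBAN, VAT number and Chamber of Commerce number next to a client name, postal address, e-mail address, invoice number and amount. Today those are the fictional Sitting Duck values, but the same build step writes real invoices to the same path, so once xml/target is tracked a real client invoice is one careless `git add` away from the repository history. Keep rendered invoices out of version control. Separately, the block beginning `Please keep digital unless absolutely required.` appears twice in the output; if that is one static-content region per page master it is fine, otherwise it is a duplicated template fragment.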
diff --git a/xml/target/report.fo b/xml/target/report.fo
new file mode 100644
index 0000000..7494a88
--- /dev/null
+++ b/xml/target/report.fo
@@ -0,0 +1,340 @@
+ConfidentialConfidential/Radically Open Security B.V. - 60628081/Radically Open Security B.V. - 60628081
+ PENETRATION TEST REPORTforSitting Duck B.V. V1.0AmsterdamJanuary 26th, 2015Document PropertiesClientSitting Duck B.V.TitlePENETRATION TEST REPORTTargetfishinabarrel.sittingduck.comVersion1.0PentestersMelanie Rieback, Aristotle, George Boole, William of Ockham, Ludwig Josef Johann WittgensteinAuthorsPatricia Piolon, Ernest Hemingway, JRR Tolkien, Arthur Conan DoyleReviewed byMelanie RiebackApproved byMelanie RiebackVersion controlVersionDateAuthorDescription 0.1January 19th, 2015Patricia PiolonInitial draft 0.2January 20th, 2015Ernest HemingwayStructure & contents revision 0.3January 21st, 2015Patricia PiolonAdded threat levels and recommendations 0.4January 22nd, 2015Patricia Piolon, JRR TolkienRevision 0.5January 23rd, 2015Patricia PiolonRevision1.0January 26th, 2015Arthur Conan DoyleFinalizingContactFor more information about this Document and its
+ contents please contact Radically Open Security B.V.NameMelanie RiebackAddressZieseniskade 211017 RT AmsterdamThe NetherlandsPhone+31 6 10 21 32 40Emailinfo@radicallyopensecurity.com
+
+ Table of Contents
+
+
+
+
+ 1 Executive Summary 1.1 Introduction 1.2 Scope of work 1.3 Project objectives 1.4 Timeline 1.5 Results in a Nutshell 1.6 Summary of Findings 1.7 Summary of Recommendations 1.8 Charts 1.8.1 Findings by Threat Level 1.8.2 Findings by Type
+
+ 2 Methodology 2.1 Planning 2.2 Risk Classification
+
+ 3 Reconnaissance and Fingerprinting 3.1 Automated Scans 3.2 nmap
+ 4 Pentest Technical Summary 4.1 Findings 4.1.1 SID-001 — PHPInfo Disclosure 4.1.2 SID-002 — A terrible XSS issue 4.1.3 SID-003 — A not quite so terrible XSS issue 4.2 Non-Findings 4.2.1 NF-001 — FTP 4.2.2 NF-002 — Mail Server 4.2.3 NF-003 — SQL Code Injection 4.2.4 NF-004 — Heartbleed 4.2.5 NF-005 — Windows XP
+ 5 Conclusion
+ Appendix 1 Testing team
+
+
+
+ 1 Executive Summary
+
+ 1.1 Introduction
+ Sitting Duck B.V. (“Sitting Duck”) has assigned the task of performing a 6-day
+ Penetration Test of the FishInABarrel Web Application to Radically
+ Open Security BV (hereafter “ROS”). Sitting Duck has made this
+ request to better evaluate the security of the application and to
+ identify application level vulnerabilities in order to see whether
+ the FishInABarrel Web Application is ready, security-wise, for
+ production deployment.
+ This report contains our findings as well as detailed explanations of
+ exactly how ROS performed the penetration test.
+
+
+ 1.2 Scope of work
+ The scope of the Sitting Duck penetration test was limited to the
+ following target:
+ •fishinabarrel.sittingduck.com
+ The penetration test was carried out from a black box perspective: no
+ information regarding the system(s) tested was provided by Sitting
+ Duck or FishInABarrel, although FishInABarrel did provide ROS with
+ two test user accounts.
+
+
+ 1.3 Project objectives
+ The objective of the security assessment is to gain insight into the
+ security of the host and the FishInABarrel Web Application.
+
+
+ 1.4 Timeline
+ The FishInABarrel Security Audit took place between January 14 and
+ January 16, 2015.
+
+
+ 1.5 Results in a Nutshell
+ During this pentest, we found quite a number of different security
+ problems – Cross-site Scripting (XSS) vulnerabilities, both stored
+ and reflected, Cross-site Request Forgery (CSRF) vulnerabilities,
+ information disclosures (multiple instances), and lack of brute
+ force protection.
+
+
+ 1.6 Summary of Findings
+ IDTypeDescriptionThreat levelSID-002XSS
+ A general description of the problem.
+ HighSID-001Information Leak
+ The phpinfo() function of the PHP language is readable,
+ resulting in a listing of all the runtime
+ information of the environment, thus disclosing
+ potentially valuable information to attackers.
+ ModerateSID-003XSS
+ A description of the problem.
+ Low
+
+
+
+ 1.7 Summary of Recommendations
+ IDTypeRecommendationSID-001Information Leak
+ Here is where we write some tips to solve the
+ problem.
+ SID-002XSS
+ This is where we solve everything and the sun starts
+ shining again.
+ SID-003XSS
+ A ready solution.
+
+
+
+
+ 1.8 Charts
+
+ 1.8.1 Findings by Threat Level
+ 33.3%33.3%33.3%High (1)Moderate (1)Low (1)
+
+
+ 1.8.2 Findings by Type
+ 33.3%66.7%XSS (2)Information leak (1)
+
+
+
+
+
+
+
+ 2 Methodology
+
+ 2.1 Planning
+ Our general approach during this penetration test was as follows:
+ 1. ReconnaissanceWe attempted to gather as much information as possible about the
+ target. Reconnaissance can take two forms: active and passive. A
+ passive attack is always the best starting point as this would normally defeat
+ intrusion detection systems and other forms of protection, etc., afforded to the
+ network. This would usually involve trying to discover publicly available
+ information by utilizing a web browser and visiting newsgroups etc. An active form
+ would be more intrusive and may show up in audit logs and may take the form of a
+ social engineering type of attack.2. EnumerationWe used varied operating system fingerprinting tools to determine
+ what hosts are alive on the network and more importantly what services and operating
+ systems they are running. Research into these services would be carried out to
+ tailor the test to the discovered services.3. ScanningThrough the use of vulnerability scanners, all discovered hosts would be tested
+ for vulnerabilities. The result would be analyzed to determine if there any
+ vulnerabilities that could be exploited to gain access to a target host on a
+ network.4. Obtaining AccessThrough the use of published exploits or weaknesses found in
+ applications, operating system and services access would then be attempted. This may
+ be done surreptitiously or by more brute force methods.
+
+
+ 2.2 Risk Classification
+ Throughout the document, each vulnerability or risk identified has been labeled and
+ categorized as:
+ •ExtremeExtreme risk of security controls being compromised with the possibility
+ of catastrophic financial/reputational losses occurring as a result.•HighHigh risk of security controls being compromised with the potential for
+ significant financial/reputational losses occurring as a result.•ElevatedElevated risk of security controls being compromised with the potential
+ for material financial/reputational losses occurring as a result.•ModerateModerate risk of security controls being compromised with the potential
+ for limited financial/reputational losses occurring as a result.•LowLow risk of security controls being compromised with measurable negative
+ impacts as a result.
+ Please note that this risk rating system was taken from the Penetration Testing Execution
+ Standard (PTES). For more information, see:
+ http://www.pentest-standard.org/index.php/Reporting.
+
+
+
+
+ 3 Reconnaissance and Fingerprinting
+ Through automated scans we were able to gain the following information about the
+ software and infrastructure. Detailed scan output can be found in the
+ sections below.
+
+
+ Fingerprinted Information
+
+ Windows XPMicrosoft IIS 6.0PHP 5.4.29jQuery
+ 1.7.2Mailserver XYZFTPserver ABC
+
+
+
+ 3.1 Automated Scans
+ As part of our active reconnaissance we used the following automated
+ scans:
+ •nmap – http://nmap.org•skipfish -
+ https://code.google.com/p/skipfish/•sqlmap – http://sqlmap.org•Wapiti –
+ http://wapiti.sourceforge.net
+ Of these, only the output of nmap turned out to be useful; consequently
+ only nmap and output will be discussed in this section.
+
+
+ 3.2 nmap
+ Command:
+ $ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5
+fishinabarrel.sittingduck.com
+
+ Outcome:
+ Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
+Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
+Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 15:43
+The ARP Ping Scan took 0.01s to scan 1 total hosts.
+Initiating SYN Stealth Scan against fishinabarrel.sittingduck.com (10.10.10.1) [1680 ports] at 15:43
+Discovered open port 22/tcp on 10.10.10.1
+Discovered open port 80/tcp on 10.10.10.1
+Discovered open port 8888/tcp on 10.10.10.1
+Discovered open port 111/tcp on 10.10.10.1
+Discovered open port 3306/tcp on 10.10.10.1
+Discovered open port 957/tcp on 10.10.10.1
+The SYN Stealth Scan took 0.30s to scan 1680 total ports.
+Host fishinabarrel.sittingduck.com (10.10.10.1) appears to be up ... good.
+Interesting ports on fishinabarrel.sittingduck.com (10.10.10.1):
+Not shown: 1674 closed ports
+PORT STATE SERVICE
+22/tcp open ssh
+25/tcp open smtp
+80/tcp open http
+110/tcp open pop3
+111/tcp open rpcbind
+957/tcp open unknown
+3306/tcp open mysql
+4000/tcp open dangerous service
+
+Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
+Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)
+
+ The scan revealed a very large number of open services on this machine,
+ which greatly increases the attack surface; see SID-002 (page ) for
+ more information on the security risk.
+
+
+
+
+
+ 4 Pentest Technical Summary
+
+ 4.1 Findings
+
+ We have identified the following issues:
+
+
+ 4.1.1 SID-001 — PHPInfo DisclosureVulnerability ID: SID-001Vulnerability type: Information LeakThreat level: Moderate
+ Description:
+ The phpinfo() function of the PHP language is readable,
+ resulting in a listing of all the runtime
+ information of the environment, thus disclosing
+ potentially valuable information to attackers.
+
+ Technical description:
+ This is where the good stuff goes. We give a detailed
+ technical description of the problem.
+ Illustrative picture of an evil hacker pondering dark
+ deeds:
+
+
+ Impact:
+ This is where we explain how the sh*t is hitting the fan,
+ exactly.
+
+ Recommendation:
+ Here is where we write some tips to solve the
+ problem.
+
+
+
+
+ 4.1.2 SID-002 — A terrible XSS issueVulnerability ID: SID-002Vulnerability type: XSSThreat level: High
+ Description:
+ A general description of the problem.
+
+ Technical description:
+ This is we go into great detail about the
+ vulnerability.
+
+ Impact:
+ This is where we explain why this vulnerability is a
+ problem.
+
+ Recommendation:
+ This is where we solve everything and the sun starts
+ shining again.
+
+
+
+
+ 4.1.3 SID-003 — A not quite so terrible XSS issueVulnerability ID: SID-003Vulnerability type: XSSThreat level: Low
+ Description:
+ A description of the problem.
+
+ Technical description:
+ Vulnerability described in detail.
+
+ Impact:
+ Impact on security.
+
+ Recommendation:
+ A ready solution.
+
+
+
+
+
+ 4.2 Non-Findings
+ In this section we list some of the things that were tried but turned out
+ to be dead ends.
+
+
+ 4.2.1 NF-001 — FTP
+ The server was running FTPserver ABC, the most recent version of
+ this particular piece of software. Anonymous login was
+ turned off and no relevant vulnerabilities or exploits were
+ found.
+
+
+ 4.2.2 NF-002 — Mail Server
+ The server was running Mailserver XYZ, the most recent version of
+ this particular piece of software. No relevant
+ vulnerabilities or exploits were found.
+
+
+ 4.2.3 NF-003 — SQL Code Injection
+ The following parameters are not vulnerable to SQL injection.
+ All parameters have been checked manually.
+ -file1.php
+-file2.php
+-file3.php
+
+
+
+ 4.2.4 NF-004 — Heartbleed
+ System was not vulnerable to heartbleed.
+
+
+ 4.2.5 NF-005 — Windows XP
+ The host is running Windows XP. As we all know, Windows XP is
+ bulletproof.
+
+
+
+
+ 5 Conclusion
+ In the course of this penetration test, we have demonstrated that the
+ FishInABarrel Web Application faces a range of security issues which makes
+ it vulnerable to a number of different attacks. Vulnerabilities found
+ included: cross-site scripting (both stored and reflected), cross-site
+ request forgery, information disclosure and lack of brute force
+ protection.
+ Our conclusion is that there are a number of things that FishInABarrel BV has to
+ fix before Sitting Duck should use their software. A number of the security
+ issues highlighted in this report have fairly simple solutions, but these
+ should nevertheless be fixed before use of the FishInABarrel Web App
+ continues.
+ We finally want to emphasize that security is a process – and this penetration
+ test is just a one-time snapshot. Security posture must be continuously
+ evaluated and improved. Regular audits and ongoing improvements are
+ essential in order to maintain control of your corporate information
+ security. We hope that this pentest report (and the detailed explanations of
+ our findings) will contribute meaningfully towards that end. Don't hesitate
+ to let us know if you have any further questions or need further
+ clarification of anything in this report.
+
+
+ Appendix 1 Testing team
+ AristotleGreek philosopher and scientist born in the Macedonian city of Stagira, Chalkidice, on the northern periphery of Classical Greece.George BooleEnglish mathematician, philosopher and logician. Works in the fields of differential equations and algebraic logic, and is now best known as the author of The Laws of Thought.William of OckhamEnglish Franciscan friar and scholastic philosopher and theologian. Considered to be one of the major figures of medieval thought. At the centre of some major intellectual and political controversies.Ludwig Josef Johann WittgensteinAustrian-British philosopher who works primarily in logic, the philosophy of mathematics, the philosophy of mind, and the philosophy of language.Melanie RiebackMelanie Rieback is a former Asst. Prof. of Computer Science from the VU,
+who is also the co-founder/CEO of Radically Open Security.
+
+
\ No newline at end of file
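Review bot: the rendered text `see SID-002 (page ) for more information` has an empty page number, meaning the page-number-citation in the report stylesheet did not resolve its ref-id; that is a template bug that will show in every report, not a flaw in this sample, and the id emitted by the finding block has to match the one the cross-reference uses. The pointer is also wrong on substance: SID-002 is an XSS finding, not the open-services issue the sentence discusses. While the sample is being touched, the nmap block contradicts itself and undercuts the methodology it illustrates: the command asks for `-p1-65535` with `-sV -sC -A`, yet the output scans 1680 ports and shows no version column, reports `Discovered open port 8888/tcp` but omits 8888 from the port table while listing 25, 110 and 4000 that were never discovered, prints `Starting Nmap 4.11` after the scan report header, and is dated 2013 in a January 2015 report. A sample report is what new users copy, so it should show one consistent scan.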
diff --git a/xml/target/report.pdf b/xml/target/report.pdf
new file mode 100644
index 0000000..7a65380
Binary files /dev/null and b/xml/target/report.pdf differ
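Review bot: a binary PDF in a source repository cannot be diffed, is rewritten in full on every render, and inflates clone size with each regeneration; exclude it together with the other xml/target outputs and attach rendered PDFs to releases instead.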
diff --git a/xml/target/reportpat.fo b/xml/target/reportpat.fo
new file mode 100644
index 0000000..c15358e
--- /dev/null
+++ b/xml/target/reportpat.fo
@@ -0,0 +1,340 @@
+ConfidentialConfidential/Radically Open Security B.V. - 60628081/Radically Open Security B.V. - 60628081
+ PENETRATION TEST REPORTforSitting Duck B.V. V1.0AmsterdamJanuary 26th, 2015Document PropertiesClientSitting Duck B.V.TitlePENETRATION TEST REPORTTargetfishinabarrel.sittingduck.comVersion1.0PentestersMelanie Rieback, Aristotle, George Boole, William of Ockham, Ludwig Josef Johann WittgensteinAuthorsPatricia Piolon, Ernest Hemingway, JRR Tolkien, Arthur Conan DoyleReviewed byMelanie RiebackApproved byMelanie RiebackVersion controlVersionDateAuthorDescription 0.1January 19th, 2015Patricia PiolonInitial draft 0.2January 20th, 2015Ernest HemingwayStructure & contents revision 0.3January 21st, 2015Patricia PiolonAdded threat levels and recommendations 0.4January 22nd, 2015Patricia Piolon, JRR TolkienRevision 0.5January 23rd, 2015Patricia PiolonRevision1.0January 26th, 2015Arthur Conan DoyleFinalizingContactFor more information about this Document and its
+ contents please contact Radically Open Security B.V.NameMelanie RiebackAddressZieseniskade 211017 RT AmsterdamThe NetherlandsPhone+31 6 10 21 32 40Emailinfo@radicallyopensecurity.com
+
+ Table of Contents
+
+
+
+
+ 1 Executive Summary 1.1 Introduction 1.2 Scope of work 1.3 Project objectives 1.4 Timeline 1.5 Results in a Nutshell 1.6 Summary of Findings 1.7 Summary of Recommendations 1.8 Charts 1.8.1 Findings by Threat Level 1.8.2 Findings by Type
+
+ 2 Methodology 2.1 Planning 2.2 Risk Classification
+
+ 3 Reconnaissance and Fingerprinting 3.1 Automated Scans 3.2 nmap
+ 4 Pentest Technical Summary 4.1 Findings 4.1.1 SID-001 — PHPInfo Disclosure 4.1.2 SID-002 — A terrible XSS issue 4.1.3 SID-003 — A not quite so terrible XSS issue 4.2 Non-Findings 4.2.1 FTP 4.2.2 Mail Server 4.2.3 SQL Code Injection 4.2.4 Heartbleed 4.2.5 Windows XP
+ 5 Conclusion
+ Appendix 1 Testing team
+
+
+
+ 1 Executive Summary
+
+ 1.1 Introduction
+ Sitting Duck B.V. (“Sitting Duck”) has assigned the task of performing a
+ Penetration Test of the FishInABarrel Web Application to Radically
+ Open Security BV (hereafter “ROS”). Sitting Duck has made this
+ request to better evaluate the security of the application and to
+ identify application level vulnerabilities in order to see whether
+ the FishInABarrel Web Application is ready, security-wise, for
+ production deployment.
+ This report contains our findings as well as detailed explanations of
+ exactly how ROS performed the penetration test.
+
+
+ 1.2 Scope of work
+ The scope of the Sitting Duck penetration test was limited to the
+ following target:
+ •fishinabarrel.sittingduck.com
+ The penetration test was carried out from a black box perspective: no
+ information regarding the system(s) tested was provided by Sitting
+ Duck or FishInABarrel, although FishInABarrel did provide ROS with
+ two test user accounts.
+
+
+ 1.3 Project objectives
+ The objective of the security assessment is to gain insight into the
+ security of the host and the FishInABarrel Web Application.
+
+
+ 1.4 Timeline
+ The FishInABarrel Security Audit took place between January 14 and
+ January 16, 2015.
+
+
+ 1.5 Results in a Nutshell
+ During this pentest, we found quite a number of different security
+ problems – Cross-site Scripting (XSS) vulnerabilities, both stored
+ and reflected, Cross-site Request Forgery (CSRF) vulnerabilities,
+ information disclosures (multiple instances), and lack of brute
+ force protection.
+
+
+ 1.6 Summary of Findings
+ IDTypeDescriptionThreat levelSID-002XSS
+ A general description of the problem.
+ HighSID-001Information Leak
+ The phpinfo() function of the PHP language is readable,
+ resulting in a listing of all the runtime
+ information of the environment, thus disclosing
+ potentially valuable information to attackers.
+ ModerateSID-003XSS
+ A description of the problem.
+ Low
+
+
+
+ 1.7 Summary of Recommendations
+ IDTypeRecommendationSID-001Information Leak
+ Here is where we write some tips to solve the
+ problem.
+ SID-002XSS
+ This is where we solve everything and the sun starts
+ shining again.
+ SID-003XSS
+ A ready solution.
+
+
+
+
+ 1.8 Charts
+
+ 1.8.1 Findings by Threat Level
+ 33.3%33.3%33.3%High (1)Moderate (1)Low (1)
+
+
+ 1.8.2 Findings by Type
+ 33.3%66.7%XSS (2)Information leak (1)
+
+
+
+
+
+
+
+ 2 Methodology
+
+ 2.1 Planning
+ Our general approach during this penetration test was as follows:
+ 1. ReconnaissanceWe attempted to gather as much information as possible about the
+ target. Reconnaissance can take two forms: active and passive. A
+ passive attack is always the best starting point as this would normally defeat
+ intrusion detection systems and other forms of protection, etc., afforded to the
+ network. This would usually involve trying to discover publicly available
+ information by utilizing a web browser and visiting newsgroups etc. An active form
+ would be more intrusive and may show up in audit logs and may take the form of a
+ social engineering type of attack.2. EnumerationWe used varied operating system fingerprinting tools to determine
+ what hosts are alive on the network and more importantly what services and operating
+ systems they are running. Research into these services would be carried out to
+ tailor the test to the discovered services.3. ScanningThrough the use of vulnerability scanners, all discovered hosts would be tested
+ for vulnerabilities. The result would be analyzed to determine if there any
+ vulnerabilities that could be exploited to gain access to a target host on a
+ network.4. Obtaining AccessThrough the use of published exploits or weaknesses found in
+ applications, operating system and services access would then be attempted. This may
+ be done surreptitiously or by more brute force methods.
+
+
+ 2.2 Risk Classification
+ Throughout the document, each vulnerability or risk identified has been labeled and
+ categorized as:
+ •ExtremeExtreme risk of security controls being compromised with the possibility
+ of catastrophic financial/reputational losses occurring as a result.•HighHigh risk of security controls being compromised with the potential for
+ significant financial/reputational losses occurring as a result.•ElevatedElevated risk of security controls being compromised with the potential
+ for material financial/reputational losses occurring as a result.•ModerateModerate risk of security controls being compromised with the potential
+ for limited financial/reputational losses occurring as a result.•LowLow risk of security controls being compromised with measurable negative
+ impacts as a result.
+ Please note that this risk rating system was taken from the Penetration Testing Execution
+ Standard (PTES). For more information, see:
+ http://www.pentest-standard.org/index.php/Reporting.
+
+
+
+
+ 3 Reconnaissance and Fingerprinting
+ Through automated scans we were able to gain the following information about the
+ software and infrastructure. Detailed scan output can be found in the
+ sections below.
+
+
+ Fingerprinted Information
+
+ Windows XPMicrosoft IIS 6.0PHP 5.4.29jQuery
+ 1.7.2Mailserver XYZFTPserver ABC
+
+
+
+ 3.1 Automated Scans
+ As part of our active reconnaissance we used the following automated
+ scans:
+ •nmap – http://nmap.org•skipfish -
+ https://code.google.com/p/skipfish/•sqlmap – http://sqlmap.org•Wapiti –
+ http://wapiti.sourceforge.net
+ Of these, only the output of nmap turned out to be useful; consequently
+ only nmap and output will be discussed in this section.
+
+
+ 3.2 nmap
+ Command:
+ $ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5
+fishinabarrel.sittingduck.com
+
+ Outcome:
+ Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
+Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
+Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 15:43
+The ARP Ping Scan took 0.01s to scan 1 total hosts.
+Initiating SYN Stealth Scan against fishinabarrel.sittingduck.com (10.10.10.1) [1680 ports] at 15:43
+Discovered open port 22/tcp on 10.10.10.1
+Discovered open port 80/tcp on 10.10.10.1
+Discovered open port 8888/tcp on 10.10.10.1
+Discovered open port 111/tcp on 10.10.10.1
+Discovered open port 3306/tcp on 10.10.10.1
+Discovered open port 957/tcp on 10.10.10.1
+The SYN Stealth Scan took 0.30s to scan 1680 total ports.
+Host fishinabarrel.sittingduck.com (10.10.10.1) appears to be up ... good.
+Interesting ports on fishinabarrel.sittingduck.com (10.10.10.1):
+Not shown: 1674 closed ports
+PORT STATE SERVICE
+22/tcp open ssh
+25/tcp open smtp
+80/tcp open http
+110/tcp open pop3
+111/tcp open rpcbind
+957/tcp open unknown
+3306/tcp open mysql
+4000/tcp open dangerous service
+
+Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
+Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)
+
+ The scan revealed a very large number of open services on this machine,
+ which greatly increases the attack surface; see SID-002 (page ) for
+ more information on the security risk.
+
+
+
+
+
+ 4 Pentest Technical Summary
+
+ 4.1 Findings
+
+ We have identified the following issues:
+
+
+ 4.1.1 SID-001 — PHPInfo DisclosureVulnerability ID: SID-001Vulnerability type: Information LeakThreat level: Moderate
+ Description:
+ The phpinfo() function of the PHP language is readable,
+ resulting in a listing of all the runtime
+ information of the environment, thus disclosing
+ potentially valuable information to attackers.
+
+ Technical description:
+ This is where the good stuff goes. We give a detailed
+ technical description of the problem.
+ Illustrative picture of an evil hacker pondering dark
+ deeds:
+
+
+ Impact:
+ This is where we explain how the sh*t is hitting the fan,
+ exactly.
+
+ Recommendation:
+ Here is where we write some tips to solve the
+ problem.
+
+
+
+
+ 4.1.2 SID-002 — A terrible XSS issueVulnerability ID: SID-002Vulnerability type: XSSThreat level: High
+ Description:
+ A general description of the problem.
+
+ Technical description:
+ This is we go into great detail about the
+ vulnerability.
+
+ Impact:
+ This is where we explain why this vulnerability is a
+ problem.
+
+ Recommendation:
+ This is where we solve everything and the sun starts
+ shining again.
+
+
+
+
+ 4.1.3 SID-003 — A not quite so terrible XSS issueVulnerability ID: SID-003Vulnerability type: XSSThreat level: Low
+ Description:
+ A description of the problem.
+
+ Technical description:
+ Vulnerability described in detail.
+
+ Impact:
+ Impact on security.
+
+ Recommendation:
+ A ready solution.
+
+
+
+
+
+ 4.2 Non-Findings
+ In this section we list some of the things that were tried but turned out
+ to be dead ends.
+
+
+ 4.2.1 FTP
+ The server was running FTPserver ABC, the most recent version of
+ this particular piece of software. Anonymous login was
+ turned off and no relevant vulnerabilities or exploits were
+ found.
+
+
+ 4.2.2 Mail Server
+ The server was running Mailserver XYZ, the most recent version of
+ this particular piece of software. No relevant
+ vulnerabilities or exploits were found.
+
+
+ 4.2.3 SQL Code Injection
+ The following parameters are not vulnerable to SQL injection.
+ All parameters have been checked manually.
+ -file1.php
+-file2.php
+-file3.php
+
+
+
+ 4.2.4 Heartbleed
+ System was not vulnerable to heartbleed.
+
+
+ 4.2.5 Windows XP
+ The host is running Windows XP. As we all know, Windows XP is
+ bulletproof.
+
+
+
+
+ 5 Conclusion
+ In the course of this penetration test, we have demonstrated that the
+ FishInABarrel Web Application faces a range of security issues which makes
+ it vulnerable to a number of different attacks. Vulnerabilities found
+ included: cross-site scripting (both stored and reflected), cross-site
+ request forgery, information disclosure and lack of brute force
+ protection.
+ Our conclusion is that there are a number of things that FishInABarrel BV has to
+ fix before Sitting Duck should use their software. A number of the security
+ issues highlighted in this report have fairly simple solutions, but these
+ should nevertheless be fixed before use of the FishInABarrel Web App
+ continues.
+ We finally want to emphasize that security is a process – and this penetration
+ test is just a one-time snapshot. Security posture must be continuously
+ evaluated and improved. Regular audits and ongoing improvements are
+ essential in order to maintain control of your corporate information
+ security. We hope that this pentest report (and the detailed explanations of
+ our findings) will contribute meaningfully towards that end. Don't hesitate
+ to let us know if you have any further questions or need further
+ clarification of anything in this report.
+
+
+ Appendix 1 Testing team
+ AristotleGreek philosopher and scientist born in the Macedonian city of Stagira, Chalkidice, on the northern periphery of Classical Greece.George BooleEnglish mathematician, philosopher and logician. Works in the fields of differential equations and algebraic logic, and is now best known as the author of The Laws of Thought.William of OckhamEnglish Franciscan friar and scholastic philosopher and theologian. Considered to be one of the major figures of medieval thought. At the centre of some major intellectual and political controversies.Ludwig Josef Johann WittgensteinAustrian-British philosopher who works primarily in logic, the philosophy of mathematics, the philosophy of mind, and the philosophy of language.Melanie RiebackMelanie Rieback is a former Asst. Prof. of Computer Science from the VU,
+who is also the co-founder/CEO of Radically Open Security.
+
+
\ No newline at end of file
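Review bot: the cross-reference in the port-scan narrative renders as "see SID-002 (page )" with an empty page number, so the page-reference placeholder is not resolved for this output target; either make the stylesheet resolve it here or drop the "(page N)" wording when no page number is available, since an empty parenthesis in a delivered report looks like a defect. In the same output the finding headings 4.1.1 to 4.1.3 show title, Vulnerability ID, type and threat level concatenated ("PHPInfo DisclosureVulnerability ID: SID-001Vulnerability type: Information LeakThreat level: Moderate"), and the Appendix 1 team entries run together on one line; if these are separate elements in the target format that is only how the diff displays them, otherwise the emitting template is missing a separator between fields. The file also ends without a trailing newline.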
diff --git a/xml/xslt/ir2offerte.xsl b/xml/xslt/ir2offerte.xsl
index ea384b3..2f14fa1 100644
--- a/xml/xslt/ir2offerte.xsl
+++ b/xml/xslt/ir2offerte.xsl
@@ -70,7 +70,7 @@
-
+
@@ -103,7 +103,7 @@
-
+
@@ -128,136 +128,9 @@
-
-
-
-
-
-
-
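Review bot: the third hunk replaces 136 lines at line 128 with 9, and nothing in the captured diff shows what those lines contained; the commit message should say what was removed from ir2offerte.xsl and where that logic now lives (presumably a shared template), so that anyone bisecting a rendering regression in the offerte output knows where to look.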
diff --git a/xml/xslt/placeholders.xslt b/xml/xslt/placeholders.xslt
index d6d844f..0ba7361 100644
--- a/xml/xslt/placeholders.xslt
+++ b/xml/xslt/placeholders.xslt
@@ -191,8 +191,14 @@
-
-
+
+
+
+
+
+
+
+
@@ -424,18 +430,24 @@
+
-
+
+ test="(self::contract_end_date or self::contract_start_date or self::generate_raterevisiondate or self::start or self::end) and string(.) castable as xs:date">
+
+
+ TBD
+
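Review bot: `castable as xs:date` in the new test expression is XPath 2.0 syntax and is rejected by XSLT 1.0 processors such as xsltproc, so this change pins the pipeline to an XSLT 2.0+ engine; if the build already requires one, fine, otherwise the build documentation needs to state it. The condition also hard-codes five element names inline (contract_end_date, contract_start_date, generate_raterevisiondate, start, end), which means every new date placeholder requires extending this list; matching on a shared attribute or a named template would avoid that. Finally, the TBD branch silently replaces any value that fails the date check, so a mistyped date such as a transposed month and day becomes "TBD" in the delivered document with no signal; an `xsl:message` in that branch would make the failure visible at build time.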
diff --git a/xml/xslt/qs2offerte.xsl b/xml/xslt/qs2offerte.xsl
index 2418932..b8c8258 100644
--- a/xml/xslt/qs2offerte.xsl
+++ b/xml/xslt/qs2offerte.xsl
@@ -89,35 +89,36 @@
-
+
duration of pentest, in working days
-
+
duration of pentest, in persondays
-
-
-
- date or date range in text, e.g. May 18th until May 25th, 2016
+
+
+
+
+ start and end dates, in ISO format: YYYY-MM-DD
-
+
date or date range in text, e.g. May 18th until May 25th, 2016
-
+
-
+
please choose one of the following: black-box, grey-box, crystal-box
-
+
(eur|usd|gbp)
-
+
-
+
name of application/service to be tested (if any; if none, DELETE target_application element)
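Review bot: the new placeholders carry the comment "start and end dates, in ISO format: YYYY-MM-DD" while the free-text placeholder "date or date range in text, e.g. May 18th until May 25th, 2016" is kept three lines later, so the same period is now recorded twice in different forms and can drift when an offer is edited; either derive the text form from the ISO dates in the stylesheet or state in the comment which of the two is authoritative.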
@@ -150,7 +151,7 @@
-
+
@@ -176,134 +177,10 @@
-
-
-
+
-
-
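Review bot: this hunk cuts 134 lines at line 176 down to 10 and the captured diff shows none of the removed content; the commit should name what qs2offerte.xsl no longer does and which template took it over, otherwise the relationship to the matching removal in ir2offerte.xsl is lost.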
diff --git a/xml/xslt/rep2off.xsl b/xml/xslt/rep2off.xsl
index e5739c5..0e3e60a 100644
--- a/xml/xslt/rep2off.xsl
+++ b/xml/xslt/rep2off.xsl
@@ -82,19 +82,20 @@
duration of pentest, in working days
2
duration of pentest, in persondays
-
-
-
-
-
- TBD
-
-
- date or date range in text, e.g. May 18th until May 25th, 2015
+
+
+ date in ISO format: YYYY-MM-DD
+ YYYY-MM-DD
+
+
+ date in ISO format: YYYY-MM-DD
+ YYYY-MM-DD
+
+
-
+
TBD
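Review bot: the replacement drops the free-text date and TBD block in favour of two ISO placeholders whose default value is the literal "YYYY-MM-DD"; that literal is not castable as xs:date, so with the guard added in placeholders.xslt an untouched placeholder renders as TBD instead of aborting the transform, which is the right failure mode, but the comment "date in ISO format: YYYY-MM-DD" is duplicated verbatim for both fields and does not say which is the start and which is the end date; label them, as the qs2offerte.xsl comment already does.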
@@ -103,7 +104,7 @@
-
+
time-boxed
@@ -111,7 +112,7 @@
-
+
crystal-box
@@ -119,9 +120,9 @@
please choose one of the following: black-box, grey-box, crystal-box
0
(eur|usd|gbp)
-
+
-
+