Web Penetration testing : Finding and evaluating vulnerabilities in a web page based on C#, .NET and Episerver

Abstract: Today’s society is highly dependent on functional and secure digital resources, to protect users and to deliver different kinds of services. To achieve this, it is important to evaluate the security of such resources, to find vulnerabilities and handle them before they are exploited. This study aimed to see if web applications based on C#, .NET and Episerver had vulnerabilities, by performing different penetration tests and a security audit. The penetration tests utilized were SQL injection, Cross Site Scripting, HTTP request tampering and Directory Traversal attacks. These attacks were performed using Kali Linux and the Burp Suite tool on a specific web application. The results showed that the web application could withstand the penetration tests without disclosing any personal or sensitive information. However, the web application returned many different types of HTTP error status codes, which could potentially reveal areas of interest to a hacker. Furthermore, the security audit showed that it was possible to access the admin page of the web application with nothing more than a username and password. It was also found that having access to the URL of a user’s invoice file was all that was needed to access it.