A black-box Vulnerability Assessment and Penetration Test (VAPT) was conducted against http://testphp.vulnweb.com — an intentionally vulnerable PHP web application maintained by Acunetix as a legal penetration testing practice environment. The assessment identified 7 vulnerabilities with an overall security posture rated CRITICAL — Immediate Remediation Required.
Description: Unsanitised user input passed directly to SQL queries. Authentication bypass, full database dump, and OS-level command execution possible.
Evidence: Payload ' OR 1=1-- in username field → authentication bypassed. SQLMap extracted 5 tables including users, cards, orders.
Remediation: Parameterised queries for all DB interactions. ORM framework. Input validation + WAF.
Evidence: <script>alert('XSS-NexSecure')</script> executed in search field. Stored XSS confirmed in comment section — persists across page loads.
Remediation: HTML entity encoding. Content Security Policy (CSP). Validate and sanitise all user inputs.
Evidence: showimage.php?file=../../etc/passwd returned server's /etc/passwd content.
Remediation: Strict file path whitelisting. Never use user-supplied input in filesystem operations. Apply realpath() validation.
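As an added example (not part of this report or the target application), the realpath()-style containment check the remediation above calls for, written in Python rather than the target's PHP; the directory layout, sample files and the ALLOWED_EXTENSIONS whitelist are constructed for the demonstration.

```python
import os
import tempfile

# Constructed whitelist: only image types the gallery is meant to serve.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


class UnsafePathError(ValueError):
    """Raised when a requested file resolves outside the image directory."""


def resolve_image_path(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `base_dir`, or raise.

    Resolve '..' segments and symlinks first, then check containment,
    then apply the extension whitelist. Rejecting the literal string '..'
    is not enough: encoded or symlinked escapes bypass such filters.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty or NUL-containing file name")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # Containment: the resolved path must share base_real as its prefix.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError(f"path escapes image directory: {requested!r}")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePathError(f"disallowed file type: {requested!r}")
    if not os.path.isfile(candidate):
        raise UnsafePathError(f"no such image: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway images/ directory and exercise the check."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")  # constructed sample image
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("outside the web root")  # constructed sensitive file
    try:  # a symlink inside images/ that points outside must also be rejected
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(images, "leak.png"))
    except OSError:
        pass  # without symlink support the name simply does not exist
    results = {}
    for name in ["logo.png", "../../etc/passwd", "leak.png", "../images/logo.png"]:
        try:
            resolve_image_path(images, name)
            results[name] = "served"
        except UnsafePathError:
            results[name] = "rejected"
    return results
```

Note that "../images/logo.png" is served: the check judges where a path resolves, not whether it contains "..", so legitimate relative references survive while every escape from the directory is refused.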
Evidence: Default credentials admin:test worked. 1,000 Burp Intruder attempts — no lockout, no CAPTCHA triggered.
Remediation: Strong password policy. Account lockout after 5 failed attempts. MFA enforcement.
Evidence: Wireshark capture of login POST — credentials transmitted in plaintext. Session cookies lack Secure flag.
Remediation: Migrate to HTTPS with TLS 1.2+. HSTS. Secure + HttpOnly cookie flags.
Evidence: /images/ directory returns full listing. /admin/ partially exposed.
Remediation: Apache: Options -Indexes. Authenticate all sensitive directories.
Missing: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy — confirmed via Nikto scan.
Remediation: Implement all headers via web server or middleware. Validate at securityheaders.com.
The assessment revealed a critically vulnerable application. SQL Injection and XSS alone could allow full database compromise and user credential theft without authentication. Root cause: lack of input validation, no parameterised queries, unencrypted transmission, missing security headers — all OWASP Top 10 issues. All Critical/High findings must be remediated before any production use.
Analyst: O.T. Nathaniel, AMICDFA, CCEP, CBTP, CTIGA | NexSecure Bootcamp Final Project | March 2026