π― Target: YoungSkilledIndia.com
This repository documents a Black-Box Web Application Penetration Test conducted on YoungSkilledIndia.com, an educational platform providing professional development and certification courses.
- Assessment Type: Black-box (no source code access)
- Duration: July 2025 β August 2025
- Testing Model: Based on OWASP WSTG & OWASP Top 10 (2021)
- Tools Used:
- Reconnaissance β Sublist3r, theHarvester, crt.sh
- Scanning & Enumeration β Nmap, WPScan, WhatWeb, Wappalyzer
- Proxy Testing β Burp Suite (Community Edition)
- Utilities β Dig, Dirsearch, SSL Labs
- Permission: Explicit written approval obtained from the site owner
| Category | Details |
|---|---|
| Target URL | https://www.youngskilledindia.com/ |
| Test Type | External Black-box |
| Authentication | Public areas only |
| Forbidden Actions | DoS/DDoS, brute force beyond PoC, social engineering, live data exploitation, destructive testing |
Testing followed a structured approach:
- Reconnaissance β Passive info gathering (WHOIS, DNS, SSL, Subdomains).
- Enumeration β Active probing (directories, services, components).
- Vulnerability Analysis β Testing against OWASP Top 10 categories.
- Exploitation (Non-Destructive) β Controlled PoC demonstrations.
- Risk Assessment β Severity scoring via CVSS v3.1.
- Reporting β Structured findings with business impact & remediation.
| OWASP 2021 Category | Finding ID | Severity | Status | Description |
|---|---|---|---|---|
| A01: Broken Authentication | A01-01 | N/A | Not Vulnerable | No username enumeration/session issues |
| A02: Cryptographic Failures | A02-001 | Low | Informational | HTTPS enforced, TLS strong, minor cipher notice |
| A03: Injection | A03-001 | Medium | Vulnerable | SQLi suspected in login form |
| A04: Insecure Design | A04-001 | Medium | Vulnerable | No MFA, no CAPTCHA, unlimited login attempts |
| A05: Security Misconfiguration | A05-001 | Low | Vulnerable | Minor file access anomalies (200/403/404 codes) |
| A06: Vulnerable & Outdated Components | A06-001 | High | Vulnerable | Astra theme outdated, PHP 7.4 EOL, readme.html exposed |
| A07: Identification & Authentication Failures | A07-001 | Medium | Vulnerable | Weak password policy, no brute force prevention |
| A08: Software & Data Integrity Failures | A08-001 | Medium | Vulnerable | No plugin/theme integrity validation |
- Outdated Components: PHP 7.4 (EOL), Astra theme outdated β Risk of RCE.
- Authentication Weaknesses: No CAPTCHA, no MFA, weak password enforcement.
- SQL Injection Indicators: Variances in login responses hint possible SQLi.
- Security Misconfigurations: Exposed readme.html, misleading HTTP codes.
- No WAF Detected: Site directly exposed to automated exploit attempts.
- BurpSuite captures (login requests, brute-force attempts).
- Nmap SSL/TLS scan results.
- WPScan output (outdated theme/plugins).
- Screenshots of exposed files (e.g.,
/readme.html).
(Evidence included in /evidence folder of this repo)
- Patch Management: Upgrade PHP β₯ 8.2, update Astra theme & plugins.
- Authentication Security: Enforce MFA, strong password policy, CAPTCHA.
- Configuration Hardening: Remove /readme.html, restrict sensitive files.
- Network Protection: Deploy WAF (Cloudflare, ModSecurity).
- Monitoring: Enable brute-force detection, implement incident response plan.
The assessment revealed critical and medium-risk vulnerabilities that, if exploited, could lead to RCE, site defacement, or data compromise.
By addressing outdated components, hardening authentication, and adopting a proactive vulnerability management strategy, YoungSkilledIndia.com can significantly strengthen its security posture.
README.md(this file)/reportβ Full penetration testing report (Major Project.docx)