Upwork

Performing my first security audit was fun but also quite scary since if a tool was set-up incorrectly, or if I went out the scope of my operation then that means damaging the site or someone elses. To perform my tests I used nmap, burpsuite, sqlmap, wpscan and also the tor browser.

I wrote a report for my scans, whilst I didn't manage to get into the site I did find many vulnerabilities which I noted and provided a few remedations and future advice. However I did uncover a vuln in the contact us page on their site that allowed SQL commands to be entered and the end result was a list of every email sent to the site and also the email addresses linked to the question. Also on the contact us page I found that the file upload option allowed for any data type to be uploaded, this could be used to upload some php code that allows a buffer overflow, database dump, or possibly to edit some account details.