Target: itsecgames.com
Date: 29-31 October 2025
Assessor: Security Analyst (Kali Linux)
The purpose of this assessment was to evaluate the overall security of the target domain and identify potential vulnerabilities, misconfigurations, and outdated software.
- Identify vulnerabilities using publicly available tools.
- Detect potential misconfigurations, outdated software, and CVEs.
- Assess SSL/TLS configuration and certificate health.
- Highlight any exposed information that could help attackers.
- Provide a prioritized list of findings with clear mitigation steps.
| Category | Tools Used | Purpose |
|---|---|---|
| Reconnaissance | WhatWeb, Wappalyzer, httpx | Fingerprint technologies & verify live hosts |
| Directory & File Discovery | ffuf, gobuster | Discover hidden panels, uploads, backups |
| Vulnerability Scanning | Nmap + NSE, Nikto, Nuclei | Find CVEs, misconfigurations, weak services |
| Web Proxy Testing | OWASP ZAP | Analyze headers, cookies, and CSP policies |
| SQL Injection Testing | SQLMap | Detect injection vulnerabilities |
| SSL/TLS Scanning | SSLScan, OpenSSL, testssl.sh | Check certificate and encryption configuration |
| Validation | Manual header review & response analysis | Confirm automated findings |
| Item | Detail |
|---|---|
| Domain | itsecgames.com |
| IP Address | 31.3.96.40 |
| Server | Apache HTTPD |
| CMS / Framework | Drupal 7, bWAPP |
| Open Ports | 22 (SSH), 80 (HTTP), 443 (HTTPS) |
| Detected Software | Apache, PHP, Drupal 7, OpenSSH 6.7p1 |
| SSL/TLS Support | TLS 1.2 only, RSA 2048-bit certificate |
| Certificate Hostname | mmebv.be (mismatch) |
Evidence:
Nmap, Nikto, and Nuclei found /CHANGELOG.txt, /INSTALL.txt, and /README.txt, confirming Drupal 7.
This version is end-of-life and no longer receives security patches.
Impact: Outdated CMS versions are commonly targeted for remote code execution. Known CVEs include:
- CVE-2023-48795 (vulnerable to Terrapin)
- CVE-2014-3704 (Drupalgeddon)
- CVE-2018-7600 (Drupalgeddon2)
Mitigation:
- Upgrade to Drupal 9 or newer.
- Remove or restrict public access to installation and changelog files.
- Restrict admin pages to authorized IPs or VPN users.
- Deploy a WAF to mitigate known exploits.
Evidence: OWASP ZAP and Nikto flagged missing headers:
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
Impact: Increases exposure to XSS, clickjacking, and MIME-type sniffing.
Mitigation: Add the following in the Apache config:
```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "default-src 'self';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
Evidence: SSLScan showed:
- TLSv1.3 disabled
- TLSv1.2 only
- Certificate issued for mmebv.be, not itsecgames.com
Impact: This allows downgrade or certificate mismatch attacks.
Mitigation:
- Enable TLS 1.3.
- Reissue the certificate for itsecgames.com.
- Disable weak ciphers; use the modern Mozilla configuration.
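As an added check for the missing-header finding above (example code written for this report, not part of the original assessment): a small Python audit that parses a raw HTTP response, flags the four missing or weak headers, and reports version strings leaking through Server or X-Powered-By. The two sample responses are constructed, not captures from the target.

```python
# Added example, not from the report: audit a raw HTTP response for the header
# findings above. The sample responses at the bottom are constructed.
import re

REQUIRED = {
    "content-security-policy": "XSS",
    "x-frame-options": "clickjacking",
    "x-content-type-options": "MIME sniffing",
    "strict-transport-security": "protocol downgrade",
}

def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into status line and case-folded header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_headers(raw: str, over_tls: bool = True) -> list[str]:
    """Return one finding per missing or weak header; empty list when clean."""
    _, h = parse_response(raw)
    findings = []
    for name, risk in REQUIRED.items():
        if name == "strict-transport-security" and not over_tls:
            continue  # HSTS only has meaning on an HTTPS response
        if name not in h:
            findings.append(f"missing {name} (exposes: {risk})")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        findings.append("strict-transport-security max-age below one year")
    # ServerTokens Prod / expose_php=Off: flag any version string in these headers
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(f"{name} discloses a version: {h[name]!r}")
    return findings

# Constructed samples: unhardened response, then one with the Apache directives applied.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.10 (Debian)\r\n"
    "X-Powered-By: PHP/5.6.40\r\nContent-Type: text/html\r\n\r\n<html>"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nContent-Security-Policy: default-src 'self';\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>"
)
```

Run `audit_headers(SAMPLE_BEFORE)` and `audit_headers(SAMPLE_AFTER)` to compare the unhardened and hardened responses; the same function can be pointed at a captured response from ZAP or curl.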
Evidence:
Server headers reveal "Apache".
Files like /robots.txt, /rss.xml, and /README.txt are accessible.
Page content confirms presence of bWAPP (buggy web app).
Impact: Revealing technologies and directory structures helps attackers tailor exploits.
Mitigation:
```apache
ServerTokens Prod
ServerSignature Off
Options -Indexes
```
- Remove development or demo applications from production.
- Restrict access to unnecessary files.
Evidence: Nuclei flagged OpenSSH as vulnerable to the Terrapin attack (CVE-2023-48795). SSH also allows weak HMAC algorithms and password-based login.
Mitigation:
- Update OpenSSH to 9.6 or newer.
- Disable password login (`PasswordAuthentication no`).
- Remove SHA-1 and legacy MACs.
Evidence: Nmap found potential files like:
/admin/download/backup.sql
/.git/HEAD
/usuarios.sql
Impact: If accessible, these files may leak sensitive data or source code.
Mitigation:
- Remove all backup and repository folders from the webroot.
- Block access via `.htaccess` or server rules.
Evidence: Nmap's CSRF script found no anti-CSRF tokens, and manual inspection confirmed that forms lack CSRF protection.
Mitigation:
- Add CSRF tokens to all POST requests.
- Validate tokens server-side before processing.
Evidence: SQLMap tested multiple payloads and reported:
Parameter 'id' does not appear to be injectable.
Mitigation:
- Continue using parameterized queries.
- Validate and sanitize all inputs.
| Attribute | Result |
|---|---|
| SSLv2 / SSLv3 | Disabled |
| TLSv1.0 / 1.1 | Disabled |
| TLSv1.2 | Enabled |
| TLSv1.3 | Disabled |
| Certificate Validity | Oct 5, 2025 to Jan 3, 2026 |
| Key Size | 2048-bit |
| Heartbleed | Not vulnerable |
| Severity | Finding | Evidence | Recommendation |
|---|---|---|---|
| High | Outdated Drupal 7 CMS | Nmap, Nikto | Upgrade or patch immediately |
| Medium | Missing Security Headers | ZAP, Nikto | Add CSP, XFO, XCTO, HSTS |
| Medium | Weak TLS Config | SSLScan | Enable TLS 1.3, fix certificate |
| Medium | Info Disclosure | Nmap, Nikto | Hide server info, remove files |
| Medium | SSH CVE-2023-48795 | Nuclei | Update OpenSSH |
| Low | Backup Files | Nmap | Remove backup and repo data |
| Low | Missing CSRF Tokens | Manual | Implement CSRF protection |
| Info | No SQL Injection | SQLMap | Maintain input validation |
- Remove or restrict Drupal installation and changelog files.
- Take bWAPP offline from any public-facing server.
- Add all missing HTTP security headers.
- Enable TLS 1.3 and reissue SSL certificate.
- Upgrade to a supported Drupal version.
- Patch and harden OpenSSH.
- Verify backup and .git directories are not exposed.
- Schedule automated scans with Nuclei, Nikto, and OpenVAS.
- Regularly monitor SSL expiry and renewals.
- Maintain software updates and centralized logging.
| Category | Rating |
|---|---|
| Overall Risk | |
| Primary Concerns | Outdated CMS, missing headers, weak TLS |
| System Health | Moderate; requires patching and configuration fixes |
