June 13, 2026
Case Study: Passive Vulnerability Assessment of Public Sector Infrastructure
ankamcharanteja
1. Overview
This document outlines an independent security assessment conducted on a large-scale, public-sector enterprise web application. The objective was to identify security misconfigurations strictly through passive, non-intrusive web enumeration and Open-Source Intelligence (OSINT).
Ethical Disclaimer: All findings were discovered through passive observation. No active exploitation, authentication bypass, data extraction, or system modification was performed. The findings were compiled into a formal Vulnerability Disclosure Report and safely escalated to the national Computer Emergency Response Team (CERT) for responsible remediation.
2. Target Information (Sanitized)
- Sector: Public Sector / Government Enterprise
- Web Server: Microsoft-IIS/10.0
- Backend Technology: ASP / ASP.NET (Classic), Oracle Database
- Assessment Type: Passive Web Enumeration (No Exploitation)
3. Detailed Technical Findings
During the reconnaissance phase, multiple vulnerabilities ranging from Medium to Critical severity were identified.
VUL-01: Oracle Database Schema Publicly Exposed (CRITICAL)
- Description: A publicly accessible text file was discovered in the web root containing the output of Oracle SQL*Plus DESC commands.
- Impact: This exposed the full schema of two internal database tables used by the technical helpdesk, revealing the exact column names for employee Personally Identifiable Information (PII) such as names, emails, and physical addresses. This provides an attacker with the exact blueprint needed to craft highly targeted SQL injection payloads.
VUL-02: Internal IP Address and SMB Share Path Leaked (HIGH)
- Description: A legacy diagnostic script (test.asp) accepted a file parameter that reflected internal Universal Naming Convention (UNC) network paths.
- Impact: The endpoint exposed a hardcoded reference to an internal file server, leaking the internal IP routing scheme (10.x.x.x) and confirming the web server had Server Message Block (SMB) access to the internal network. An attacker could abuse this endpoint via Server-Side Request Forgery (SSRF) to blindly enumerate internal network hosts and services.
VUL-03: Internal HR Portal Exposed Without Authentication (HIGH)
- Description: An internal Human Resources portal used for employee job applications was accessible without any authentication or IP restrictions.
- Impact: The portal included an application lookup feature vulnerable to Insecure Direct Object Reference (IDOR). An attacker could enumerate valid application numbers to systematically retrieve full employee PII records. Additionally, the presence of unauthenticated file upload functionality presented a severe risk.
VUL-04: Unauthenticated Tender Upload Portal Exposed (HIGH)
- Description: An internal administrative portal used for uploading official tender documents lacked a standard username field, requiring only an area selection and a password (capped at 10 characters).
- Impact: The low entropy and missing username made this portal highly susceptible to brute-force attacks. In an ASP.NET environment, gaining unauthorized file upload privileges often leads to the upload of a .aspx web shell, resulting in Remote Code Execution (RCE) and full server compromise.
VUL-05: Sensitive Auction Documents Publicly Enumerable (MEDIUM)
- Description: E-auction documents (including bidder lists and payment schedules in PDF and XLSX formats) were stored using sequential numeric IDs.
- Impact: An attacker could write a simple script to iterate through the sequential IDs and download all commercially sensitive auction data without requiring authentication.
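An added example of detection logic for this finding (not part of the original report): it parses constructed IIS W3C log lines and flags any client that requests document ids in a consecutive run, which is the footprint of the iteration described above. The endpoint name, the id parameter and the log lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from the assessed system); the endpoint
# name and its "id" parameter are assumed for the illustration.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-06-01 09:00:01 203.0.113.7 GET /eauction/download.asp id=1041 200
2026-06-01 09:00:02 203.0.113.7 GET /eauction/download.asp id=1042 200
2026-06-01 09:00:02 203.0.113.7 GET /eauction/download.asp id=1043 404
2026-06-01 09:00:03 203.0.113.7 GET /eauction/download.asp id=1044 200
2026-06-01 09:00:03 203.0.113.7 GET /eauction/download.asp id=1045 200
2026-06-01 09:05:10 198.51.100.9 GET /eauction/download.asp id=1802 200
2026-06-01 09:07:44 198.51.100.9 GET /eauction/download.asp id=1803 200
2026-06-01 09:08:00 198.51.100.20 GET /index.asp - 200
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) \S+ (?P<stem>\S+) (?P<query>\S+) \d{3}$")

def parse_iis_log(text):
    """Yield (client_ip, uri_stem, doc_id) for requests carrying a numeric id."""
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C directive lines
            continue
        m = LINE_RE.match(line)
        if m:
            ids = parse_qs(m["query"]).get("id", [])
            if ids and ids[0].isdigit():
                yield m["ip"], m["stem"], int(ids[0])

def longest_sequential_run(ids):
    """Longest run of consecutive integers in request order (404s do not break it)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(text, min_run=5):
    """Map client IP -> run length for clients walking ids on one endpoint."""
    per_client = defaultdict(list)
    for ip, stem, doc_id in parse_iis_log(text):
        per_client[(ip, stem)].append(doc_id)
    runs = {ip: longest_sequential_run(ids) for (ip, _), ids in per_client.items()}
    return {ip: r for ip, r in runs.items() if r >= min_run}
```

The 404 in the middle of the run is kept on purpose: a client stepping through ids keeps going past gaps, so the run length rather than the success count is the signal.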
VUL-06: Legacy Technology Stack (MEDIUM)
- Description: The application utilized Classic ASP alongside modern ASP.NET.
- Impact: Classic ASP is an end-of-life technology that lacks modern security frameworks and ORM protections, vastly increasing the attack surface for injection flaws and path traversal.
4. Potential Attack Chain
To demonstrate the business risk of these vulnerabilities, the following theoretical attack path was mapped out (without execution):
- Recon & Data Exfiltration: An attacker utilizes the exposed database schema (VUL-01) to identify input fields and attempt SQL injection to dump employee emails.
- Internal Mapping: The attacker abuses the exposed diagnostic script (VUL-02) to perform SSRF, mapping live internal services on the local subnet.
- Initial Access (RCE): Leveraging the weak authentication on the document upload portal (VUL-04), the attacker bypasses the login and uploads a malicious .aspx web shell, achieving RCE.
- Lateral Movement: Using the compromised web server as a bridge, the attacker pivots directly into the internal corporate network via the SMB paths discovered during Phase 2.
5. Remediation Recommendations
The following mitigations were recommended in the disclosure report:
- Network Segmentation: Block outbound SMB (port 445) from the web server and isolate the DMZ from the internal network.
- Access Controls: Implement strict authentication (username, strong passwords, account lockouts) and IP whitelisting for all internal portals (HR, Tender Upload).
- Data Protection: Remove exposed .txt schema files, migrate to non-sequential document identifiers (UUIDs), and implement a Web Application Firewall (WAF).
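As an added illustration of the Data Protection and Access Controls recommendations (this is not code from the assessed application, and the record owners and paths are constructed), the sequential-id lookup pattern behind VUL-03 and VUL-05 is shown beside a hardened version that issues random UUIDv4 identifiers and checks ownership on every fetch:

```python
import uuid

class LegacyStore:
    """Mirrors the weak pattern found: sequential ids and no ownership check."""
    def __init__(self):
        self._docs = []          # list of (owner, storage_path)

    def add(self, owner, path):
        self._docs.append((owner, path))
        return len(self._docs)   # ids 1, 2, 3, ... are trivially enumerable

    def fetch(self, doc_id, requester):
        # requester is ignored: any caller can read any record (IDOR)
        if 1 <= doc_id <= len(self._docs):
            return self._docs[doc_id - 1][1]
        return None

class HardenedStore:
    """Random UUIDv4 ids plus a per-request ownership check."""
    def __init__(self):
        self._docs = {}          # uuid string -> (owner, storage_path)

    def add(self, owner, path):
        doc_id = str(uuid.uuid4())   # 122 random bits; nothing to iterate over
        self._docs[doc_id] = (owner, path)
        return doc_id

    def fetch(self, doc_id, requester):
        try:
            key = str(uuid.UUID(str(doc_id)))   # reject malformed ids early
        except ValueError:
            return None
        rec = self._docs.get(key)
        if rec is None or rec[0] != requester:
            return None   # same answer for 'absent' and 'not yours': no oracle
        return rec[1]

def demo():
    """Constructed records showing the before/after behaviour."""
    legacy, hardened = LegacyStore(), HardenedStore()
    legacy.add("alice", "bids/alice.pdf"); legacy.add("bob", "bids/bob.pdf")
    a = hardened.add("alice", "bids/alice.pdf"); hardened.add("bob", "bids/bob.pdf")
    return {
        "legacy_cross_read": legacy.fetch(2, "alice"),     # bob's file leaks
        "hardened_owner": hardened.fetch(a, "alice"),
        "hardened_cross_read": hardened.fetch(a, "bob"),
        "hardened_guess": hardened.fetch("2", "alice"),
    }
```

Random identifiers alone only remove the enumeration path; the ownership check in fetch is what closes the IDOR, so both belong in the fix.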