Security Audit and Penetration Testing Instructions
Perform comprehensive security testing of the KMP application using both static code analysis and dynamic terminal-based testing.
Application Context
-
Stack: CakePHP 5.x backend, Stimulus.js frontend, MySQL database
-
Application URL: http://localhost:8080
-
Test Password: TestPassword (for all dev users)
-
App Directory: /workspaces/KMP/app
-
Reports Directory: /workspaces/KMP/security-reports
Test User Credentials for Authorization Testing
-
admin@amp.ansteorra.org - Super admin (full access)
-
iris@ampdemo.com - Basic user (minimal permissions)
-
bryce@ampdemo.com - Local Seneschal (moderate permissions)
-
eirik@ampdemo.com - Kingdom Seneschal (elevated permissions)
Security Testing Phases
Phase 1: Static Code Analysis
Analyze the codebase for security vulnerabilities without executing code.
1.1 SQL Injection Vulnerabilities
Search for raw SQL queries and unsafe database operations:
Find raw SQL queries that might be vulnerable
grep -rn "query(" app/src/ --include=".php" grep -rn "$this->connection" app/src/ --include=".php" grep -rn "execute(" app/src/ --include="*.php"
Check for string concatenation in queries
grep -rn "WHERE.\$" app/src/ --include=".php" grep -rn "SELECT.\$" app/src/ --include=".php"
Look for:
-
Direct variable interpolation in SQL strings
-
Missing parameter binding
-
Dynamic table/column names without whitelisting
1.2 Cross-Site Scripting (XSS)
Search for unescaped output and unsafe JavaScript:
Find potentially unescaped PHP output
grep -rn "<?=" app/templates/ --include=".php" | grep -v " h(" grep -rn "echo $" app/src/ --include=".php"
Check for dangerous JavaScript patterns
grep -rn "innerHTML" app/assets/js/ --include=".js" grep -rn "document.write" app/assets/js/ --include=".js" grep -rn "eval(" app/assets/js/ --include="*.js"
Look for:
-
Output without h() helper function
-
Direct DOM manipulation with user input
-
Unsafe template rendering
1.3 Authentication & Session Security
Check authentication configuration
cat app/src/Application.php | grep -A 50 "getAuthenticationService"
Find session handling
grep -rn "Session" app/src/ --include=".php" grep -rn "cookie" app/config/ --include=".php"
Check password handling
grep -rn "password" app/src/ --include=".php" grep -rn "bcrypt|hash|PASSWORD_DEFAULT" app/src/ --include=".php"
Look for:
-
Weak session configuration
-
Missing CSRF protection
-
Insecure password storage
-
Session fixation vulnerabilities
1.4 Authorization Bypass
Check policy implementations
find app/src/Policy -name "*.php" -exec cat {} ;
Find authorization checks in controllers
grep -rn "authorize|canAccess|isAuthorized" app/src/Controller/ --include="*.php"
Check for missing authorization
grep -rn "public function" app/src/Controller/ --include="*.php" | head -50
Look for:
-
Controllers without authorization checks
-
IDOR (Insecure Direct Object Reference) vulnerabilities
-
Privilege escalation paths
1.5 File Upload Vulnerabilities
Find file upload handling
grep -rn "upload|getClientFilename|moveTo" app/src/ --include=".php" grep -rn "file_put_contents|move_uploaded_file" app/src/ --include=".php"
Check allowed file types
grep -rn "mime|extension|ALLOWED" app/src/ --include="*.php"
Look for:
-
Missing file type validation
-
Path traversal in filenames
-
Executable file uploads
1.6 Sensitive Data Exposure
Find hardcoded credentials or secrets
grep -rn "password\s*=\s*['"]" app/src/ --include=".php" grep -rn "api_key|secret|token" app/src/ --include=".php" grep -rn "API_KEY|SECRET" app/config/ --include="*.php"
Check .env file for sensitive data
cat app/config/.env 2>/dev/null || echo ".env not found"
Find logging of sensitive data
grep -rn "Log::" app/src/ --include="*.php" | grep -i "password|token|secret"
1.7 Command Injection
Find shell command execution
grep -rn "exec(|shell_exec|system(|passthru|popen|proc_open" app/src/ --include=".php" grep -rn "``" app/src/ --include=".php"
1.8 Dependency Vulnerabilities
Check PHP dependencies
cd /workspaces/KMP/app && composer audit
Check JavaScript dependencies
cd /workspaces/KMP/app && npm audit 2>/dev/null || echo "No package-lock.json"
Phase 2: Dynamic Security Testing
Execute runtime tests against the running application.
2.1 Prerequisite Checks
Verify application is running
curl -s -o /dev/null -w "%{http_code}" http://localhost:8080
Create reports directory
mkdir -p /workspaces/KMP/security-reports
2.2 Authentication Testing
Test login functionality for common vulnerabilities:
Test for user enumeration
curl -s -X POST http://localhost:8080/members/login
-H "Content-Type: application/x-www-form-urlencoded"
-d "email=nonexistent@test.com&password=wrong" | grep -i "error|invalid|incorrect"
curl -s -X POST http://localhost:8080/members/login
-H "Content-Type: application/x-www-form-urlencoded"
-d "email=admin@amp.ansteorra.org&password=wrong" | grep -i "error|invalid|incorrect"
Test for brute force protection (try 5 rapid requests)
for i in {1..5}; do
curl -s -X POST http://localhost:8080/members/login
-H "Content-Type: application/x-www-form-urlencoded"
-d "email=admin@amp.ansteorra.org&password=wrong$i" -o /dev/null -w "%{http_code}\n"
done
2.3 SQL Injection Testing
Test common SQL injection patterns
curl -s "http://localhost:8080/members/view/1'" | head -20 curl -s "http://localhost:8080/members/view/1%20OR%201=1" | head -20 curl -s "http://localhost:8080/members?search=test'%20OR%20'1'='1" | head -20
2.4 XSS Testing
Test reflected XSS
curl -s "http://localhost:8080/members?search=<script>alert(1)</script>" | grep -o "<script>alert(1)</script>"
Test for proper encoding
curl -s "http://localhost:8080/members?search=%3Cscript%3Ealert(1)%3C/script%3E" | grep -o "<script>"
2.5 CSRF Protection
Check for CSRF tokens in forms
curl -s http://localhost:8080/members/login | grep -i "csrf|_token|_csrfToken"
Attempt POST without CSRF token (should fail)
curl -s -X POST http://localhost:8080/members/add
-H "Content-Type: application/x-www-form-urlencoded"
-d "name=test" -w "%{http_code}"
2.6 Directory Traversal
Test path traversal
curl -s "http://localhost:8080/../../../etc/passwd" -o /dev/null -w "%{http_code}" curl -s "http://localhost:8080/..%2F..%2F..%2Fetc%2Fpasswd" -o /dev/null -w "%{http_code}"
Check for exposed sensitive files
curl -s "http://localhost:8080/.env" -o /dev/null -w "%{http_code}" curl -s "http://localhost:8080/config/app.php" -o /dev/null -w "%{http_code}" curl -s "http://localhost:8080/.git/config" -o /dev/null -w "%{http_code}"
2.7 Security Headers Check
Check response headers
curl -s -I http://localhost:8080 | grep -iE "x-frame-options|x-content-type|x-xss-protection|strict-transport|content-security-policy"
2.8 IDOR Testing (Requires Authentication)
Login as basic user and try to access admin resources
First get a session cookie (manual step or use browser automation)
curl -c cookies.txt -X POST http://localhost:8080/members/login
-H "Content-Type: application/x-www-form-urlencoded"
-d "email=iris@ampdemo.com&password=TestPassword" -L
Try to access another user's data
curl -b cookies.txt "http://localhost:8080/members/view/1" -o /dev/null -w "%{http_code}" curl -b cookies.txt "http://localhost:8080/members/edit/1" -o /dev/null -w "%{http_code}"
Cleanup
rm -f cookies.txt
Phase 3: Automated Security Scanners
Use available security tools for comprehensive scanning.
3.1 PHP Security Checker
cd /workspaces/KMP/app local-php-security-checker 2>/dev/null || echo "local-php-security-checker not installed"
3.2 OWASP Dependency Check
dependency-check --project "KMP"
--scan "/workspaces/KMP/app"
--out "/workspaces/KMP/security-reports/dependency-check"
--format HTML 2>/dev/null || echo "dependency-check not installed"
3.3 Nikto Web Scanner
nikto -h http://localhost:8080
-o /workspaces/KMP/security-reports/nikto-report.html
-Format html 2>/dev/null || echo "nikto not installed"
3.4 Nuclei Vulnerability Scanner
nuclei -u http://localhost:8080
-o /workspaces/KMP/security-reports/nuclei-report.txt
-silent 2>/dev/null || echo "nuclei not installed"
Phase 4: CakePHP-Specific Security Checks
4.1 Debug Mode Check
Ensure debug mode is off in production config
grep -r "debug" app/config/app.php app/config/app_local.php 2>/dev/null
4.2 Security Component Configuration
Check Security component usage
grep -rn "Security" app/src/Controller/ --include=".php" grep -rn "FormProtection" app/src/Controller/ --include=".php"
4.3 Safe Query Practices
Verify ORM usage (safe) vs raw queries (potentially unsafe)
echo "=== ORM Usage (Safe) ===" grep -c "->find|->get|->save|->delete" app/src/Model/Table/*.php 2>/dev/null || echo "No Table files found"
echo "=== Raw Queries (Review Needed) ===" grep -rn "getConnection|query(" app/src/ --include="*.php"
Reporting Template
When reporting findings, use this format:
Vulnerability Report
Severity Category Location Description Remediation
CRITICAL SQL Injection src/Controller/X.php:42 Raw query with user input Use parameter binding
HIGH XSS templates/Members/view.php:15 Unescaped output Use h() helper
MEDIUM Auth src/Application.php Weak session timeout Increase session security
LOW Headers N/A Missing X-Frame-Options Add security headers
Risk Levels
-
CRITICAL: Immediate exploitation possible, data breach risk
-
HIGH: Significant security flaw, needs priority fix
-
MEDIUM: Security weakness, should be addressed
-
LOW: Minor issue, best practice recommendation
-
INFO: Informational finding, no direct security impact
Testing Workflow
-
Start with Phase 1 - Analyze code without running app
-
Verify app is running - Check http://localhost:8080 responds
-
Run Phase 2 - Dynamic tests against running app
-
Run Phase 3 - Automated scanners if available
-
Run Phase 4 - CakePHP-specific checks
-
Compile Report - Document all findings with severity ratings
-
Suggest Remediation - Provide fix recommendations for each issue
Security Testing Best Practices
-
Never test in production without authorization
-
Document all findings immediately
-
Verify false positives before reporting
-
Prioritize findings by risk level
-
Provide actionable remediation steps
-
Re-test after fixes are applied