| name | security-audit |
| description | tools and instructions for performing a security audit and penetration testing on the KMP application. |
Security Audit and Penetration Testing Instructions
Perform comprehensive security testing of the KMP application using both static code analysis and dynamic terminal-based testing.
Application Context
- Stack: CakePHP 5.x backend, Stimulus.js frontend, MySQL database
- Application URL: http://localhost:8080
- Test Password: TestPassword (for all dev users)
- App Directory: /workspaces/KMP/app
- Reports Directory: /workspaces/KMP/security-reports
Test User Credentials for Authorization Testing
Security Testing Phases
Phase 1: Static Code Analysis
Analyze the codebase for security vulnerabilities without executing code.
1.1 SQL Injection Vulnerabilities
Search for raw SQL queries and unsafe database operations:
grep -rn "query(" app/src/ --include="*.php"
grep -rn "\$this->connection" app/src/ --include="*.php"
grep -rn "execute(" app/src/ --include="*.php"
grep -rn "WHERE.*\\\$" app/src/ --include="*.php"
grep -rn "SELECT.*\\\$" app/src/ --include="*.php"
Look for:
- Direct variable interpolation in SQL strings
- Missing parameter binding
- Dynamic table/column names without whitelisting
1.2 Cross-Site Scripting (XSS)
Search for unescaped output and unsafe JavaScript:
grep -rn "<?=" app/templates/ --include="*.php" | grep -v " h("
grep -rn 'echo \$' app/src/ --include="*.php"
grep -rn "innerHTML" app/assets/js/ --include="*.js"
grep -rn "document.write" app/assets/js/ --include="*.js"
grep -rn "eval(" app/assets/js/ --include="*.js"
Look for:
- Output without h() helper function
- Direct DOM manipulation with user input
- Unsafe template rendering
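The line-based filter `grep -v " h("` drops a whole line as soon as one escaped echo appears on it, so an unescaped echo on the same line goes unseen. The following is an added example, not part of the original instructions, that checks each `<?= ... ?>` tag on its own; the function names and the sample template are constructed for illustration, and tags spanning several lines are not matched.

```shell
#!/usr/bin/env bash
# Added example: per-tag scan for short-echo tags not wrapped in h().

# Print file:line:tag for every <?= ... ?> tag whose expression does not
# start with h( . Matching per tag (grep -o) instead of per line means an
# escaped echo cannot hide an unescaped one that shares its line.
find_unescaped_echo() {
    local dir=$1
    grep -rnoE --include='*.php' '<\?=([^?]|\?[^>])*\?>' "$dir" \
        | grep -vE '<\?=[[:space:]]*h\(' || true
}

# Constructed sample template (hypothetical, not taken from the KMP code base).
make_sample_templates() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/Members"
    cat > "$dir/Members/view.php" <<'EOF'
<h1><?= h($member->name) ?></h1>
<p><?= h($member->title) ?> <?= $member->bio ?></p>
<span><?= $ok ? 'yes' : 'no' ?></span>
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed sample.
demo_dir=$(make_sample_templates)
find_unescaped_echo "$demo_dir"
rm -rf "$demo_dir"
```

Treat the output as a review list: helper calls that escape their own output are listed too and need a manual look. Against the real code base the call would be `find_unescaped_echo app/templates`.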
1.3 Authentication & Session Security
cat app/src/Application.php | grep -A 50 "getAuthenticationService"
grep -rn "Session" app/src/ --include="*.php"
grep -rn "cookie" app/config/ --include="*.php"
grep -rn "password" app/src/ --include="*.php"
grep -rn "bcrypt\|hash\|PASSWORD_DEFAULT" app/src/ --include="*.php"
Look for:
- Weak session configuration
- Missing CSRF protection
- Insecure password storage
- Session fixation vulnerabilities
1.4 Authorization Bypass
find app/src/Policy -name "*.php" -exec cat {} \;
grep -rn "authorize\|canAccess\|isAuthorized" app/src/Controller/ --include="*.php"
grep -rn "public function" app/src/Controller/ --include="*.php" | head -50
Look for:
- Controllers without authorization checks
- IDOR (Insecure Direct Object Reference) vulnerabilities
- Privilege escalation paths
1.5 File Upload Vulnerabilities
grep -rn "upload\|getClientFilename\|moveTo" app/src/ --include="*.php"
grep -rn "file_put_contents\|move_uploaded_file" app/src/ --include="*.php"
grep -rn "mime\|extension\|ALLOWED" app/src/ --include="*.php"
Look for:
- Missing file type validation
- Path traversal in filenames
- Executable file uploads
1.6 Sensitive Data Exposure
grep -rn "password\s*=\s*['\"]" app/src/ --include="*.php"
grep -rn "api_key\|secret\|token" app/src/ --include="*.php"
grep -rn "API_KEY\|SECRET" app/config/ --include="*.php"
cat app/config/.env 2>/dev/null || echo ".env not found"
grep -rn "Log::" app/src/ --include="*.php" | grep -i "password\|token\|secret"
1.7 Command Injection
grep -rn "exec(\|shell_exec\|system(\|passthru\|popen\|proc_open" app/src/ --include="*.php"
grep -rn '`[^`]*`' app/src/ --include="*.php"
1.8 Dependency Vulnerabilities
cd /workspaces/KMP/app && composer audit
cd /workspaces/KMP/app && npm audit 2>/dev/null || echo "No package-lock.json"
Phase 2: Dynamic Security Testing
Execute runtime tests against the running application.
2.1 Prerequisite Checks
curl -s -o /dev/null -w "%{http_code}" http://localhost:8080
mkdir -p /workspaces/KMP/security-reports
2.2 Authentication Testing
Test login functionality for common vulnerabilities:
curl -s -X POST http://localhost:8080/members/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "email=nonexistent@test.com&password=wrong" | grep -i "error\|invalid\|incorrect"
curl -s -X POST http://localhost:8080/members/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "email=admin@amp.ansteorra.org&password=wrong" | grep -i "error\|invalid\|incorrect"
for i in {1..5}; do
curl -s -X POST http://localhost:8080/members/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "email=admin@amp.ansteorra.org&password=wrong$i" -o /dev/null -w "%{http_code}\n"
done
2.3 SQL Injection Testing
curl -s "http://localhost:8080/members/view/1'" | head -20
curl -s "http://localhost:8080/members/view/1%20OR%201=1" | head -20
curl -s "http://localhost:8080/members?search=test'%20OR%20'1'='1" | head -20
2.4 XSS Testing
curl -s "http://localhost:8080/members?search=<script>alert(1)</script>" | grep -o "<script>alert(1)</script>"
curl -s "http://localhost:8080/members?search=%3Cscript%3Ealert(1)%3C/script%3E" | grep -o "<script>"
2.5 CSRF Protection
curl -s http://localhost:8080/members/login | grep -i "csrf\|_token\|_csrfToken"
curl -s -X POST http://localhost:8080/members/add \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "name=test" -w "%{http_code}"
2.6 Directory Traversal
curl -s --path-as-is "http://localhost:8080/../../../etc/passwd" -o /dev/null -w "%{http_code}"
curl -s "http://localhost:8080/..%2F..%2F..%2Fetc%2Fpasswd" -o /dev/null -w "%{http_code}"
curl -s "http://localhost:8080/.env" -o /dev/null -w "%{http_code}"
curl -s "http://localhost:8080/config/app.php" -o /dev/null -w "%{http_code}"
curl -s "http://localhost:8080/.git/config" -o /dev/null -w "%{http_code}"
2.7 Security Headers Check
curl -s -I http://localhost:8080 | grep -iE "x-frame-options|x-content-type|x-xss-protection|strict-transport|content-security-policy"
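The grep above prints only the headers that are present, while the report needs the ones that are absent. The following is an added example, not part of the original instructions, that turns a header dump into rows in the reporting template's format; the function names and the sample response are constructed, and the severity and remediation text are copied from the template's headers row.

```shell
#!/usr/bin/env bash
# Added example: report the headers from the 2.7 check that are absent or weak.

# Header names from the grep pattern above, spelled out in full.
REQUIRED_HEADERS="x-frame-options x-content-type-options x-xss-protection strict-transport-security content-security-policy"

# Reads raw response headers on stdin; prints one report-table row per problem.
audit_security_headers() {
    local headers name value
    # Normalise: drop CRs, lower-case everything, trim trailing whitespace.
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
    for name in $REQUIRED_HEADERS; do
        value=$(printf '%s\n' "$headers" \
            | sed -n "s/^${name}[[:space:]]*:[[:space:]]*//p" | head -n 1)
        if [ -z "$value" ]; then
            printf '| LOW | Headers | N/A | Missing %s | Add security headers |\n' "$name"
        elif [ "$name" = "x-content-type-options" ] && [ "$value" != "nosniff" ]; then
            printf '| LOW | Headers | N/A | %s is "%s", expected nosniff | Add security headers |\n' \
                "$name" "$value"
        fi
    done
}

# Constructed sample response (not captured from the application).
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\n'
    printf 'X-Content-Type-Options: sniff\r\n'
    printf '\r\n'
}

# Demo run on the constructed sample.
sample_response | audit_security_headers
```

Against the running application the call is `curl -s -I http://localhost:8080 | audit_security_headers`. Browsers honour Strict-Transport-Security only over HTTPS, so a missing row for it on the plain-HTTP dev URL should be re-checked against the HTTPS deployment before it is reported.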
2.8 IDOR Testing (Requires Authentication)
curl -c cookies.txt -X POST http://localhost:8080/members/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "email=iris@ampdemo.com&password=TestPassword" -L
curl -b cookies.txt "http://localhost:8080/members/view/1" -o /dev/null -w "%{http_code}"
curl -b cookies.txt "http://localhost:8080/members/edit/1" -o /dev/null -w "%{http_code}"
rm -f cookies.txt
Phase 3: Automated Security Scanners
Use available security tools for comprehensive scanning.
3.1 PHP Security Checker
cd /workspaces/KMP/app
local-php-security-checker 2>/dev/null || echo "local-php-security-checker not installed"
3.2 OWASP Dependency Check
dependency-check --project "KMP" \
--scan "/workspaces/KMP/app" \
--out "/workspaces/KMP/security-reports/dependency-check" \
--format HTML 2>/dev/null || echo "dependency-check not installed"
3.3 Nikto Web Scanner
nikto -h http://localhost:8080 \
-o /workspaces/KMP/security-reports/nikto-report.html \
-Format html 2>/dev/null || echo "nikto not installed"
3.4 Nuclei Vulnerability Scanner
nuclei -u http://localhost:8080 \
-o /workspaces/KMP/security-reports/nuclei-report.txt \
-silent 2>/dev/null || echo "nuclei not installed"
Phase 4: CakePHP-Specific Security Checks
4.1 Debug Mode Check
grep -r "debug" app/config/app.php app/config/app_local.php 2>/dev/null
4.2 Security Component Configuration
grep -rn "Security" app/src/Controller/ --include="*.php"
grep -rn "FormProtection" app/src/Controller/ --include="*.php"
4.3 Safe Query Practices
echo "=== ORM Usage (Safe) ==="
grep -c -e "->find\|->get\|->save\|->delete" app/src/Model/Table/*.php 2>/dev/null || echo "No Table files found"
echo "=== Raw Queries (Review Needed) ==="
grep -rn "getConnection\|query(" app/src/ --include="*.php"
Reporting Template
When reporting findings, use this format:
Vulnerability Report
| Severity | Category | Location | Description | Remediation |
|---|---|---|---|---|
| CRITICAL | SQL Injection | src/Controller/X.php:42 | Raw query with user input | Use parameter binding |
| HIGH | XSS | templates/Members/view.php:15 | Unescaped output | Use h() helper |
| MEDIUM | Auth | src/Application.php | Weak session timeout | Increase session security |
| LOW | Headers | N/A | Missing X-Frame-Options | Add security headers |
Risk Levels
- CRITICAL: Immediate exploitation possible, data breach risk
- HIGH: Significant security flaw, needs priority fix
- MEDIUM: Security weakness, should be addressed
- LOW: Minor issue, best practice recommendation
- INFO: Informational finding, no direct security impact
Testing Workflow
- Start with Phase 1 - Analyze code without running app
- Verify app is running - Check http://localhost:8080 responds
- Run Phase 2 - Dynamic tests against running app
- Run Phase 3 - Automated scanners if available
- Run Phase 4 - CakePHP-specific checks
- Compile Report - Document all findings with severity ratings
- Suggest Remediation - Provide fix recommendations for each issue
Security Testing Best Practices
- Never test in production without authorization
- Document all findings immediately
- Verify false positives before reporting
- Prioritize findings by risk level
- Provide actionable remediation steps
- Re-test after fixes are applied