Web Application Pentest: Kentapay
Domains Assessed:
[swivel-checkout.kentapay.com]
RECON:
- DNS and basic information gathering

- Port Scanning
No database ports are exposed, which is good: only the web ports are reachable.
I used nikto to scan for known vulnerabilities:

Findings: The anti-clickjacking X-Frame-Options header is not present, so the site can be loaded inside a frame on an attacker-controlled page and user clicks hijacked (clickjacking).
Recommendation: Send X-Frame-Options: DENY (or SAMEORIGIN if the site frames its own pages) and, for current browsers, a Content-Security-Policy frame-ancestors directive.
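To make the finding and the fix concrete, the following is an added example (my own code, not part of the original report or of Kentapay's software). It classifies a response's anti-clickjacking posture from its raw headers and checks a constructed "observed" response head and the same head with the recommended headers added; the response bodies and cookie names are assumptions, not captured traffic.

```python
"""Added example, not from the original report: classify the anti-clickjacking
posture of an HTTP response from its raw headers. The two responses below are
constructed to illustrate the finding and its fix; they are not captured
traffic from swivel-checkout.kentapay.com."""


def parse_headers(raw):
    """Turn a raw response head (status line plus header lines) into a dict
    keyed by lower-cased header name; repeated headers are joined with ', '."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def clickjacking_status(headers):
    """'protected' if framing is denied or limited to the same origin,
    'review' if a CSP allow-list permits specific third-party origins,
    'vulnerable' if any page may frame the response."""
    ancestors = frame_ancestors(headers.get("content-security-policy", ""))
    if ancestors is not None:  # CSP frame-ancestors overrides X-Frame-Options
        if "*" in ancestors:
            return "vulnerable"
        if set(ancestors) <= {"'none'", "'self'"}:  # empty list matches nothing
            return "protected"
        return "review"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    # Missing, malformed, or the obsolete ALLOW-FROM form (ignored by current browsers)
    return "vulnerable"


# Constructed response head resembling what nikto flagged: no framing controls.
OBSERVED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
)
# The same response after applying the recommendation.
FIXED = OBSERVED + (
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
)

if __name__ == "__main__":
    print("observed:", clickjacking_status(parse_headers(OBSERVED)))  # vulnerable
    print("fixed:   ", clickjacking_status(parse_headers(FIXED)))     # protected
```

The CSP directive is checked first because browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so a permissive CSP would silently undo a DENY header.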
WEB ENUMERATION:
Directory brute forcing:
In this phase I am going to use the gobuster command.

The server kept returning HTTP 200 for non-existent directories, so status codes alone could not be trusted and results had to be filtered against the catch-all response (for example by response size).
Endpoints:
- /assets - redirects to an internal (RFC 1918) IP address, revealing internal network layout (INTERNAL IP EXPOSURE) [https://192.168.10.156:8001/assets/]
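The two problems above (a catch-all 200 page that defeats status-based filtering, and a redirect that leaks a private address) are both handled by the following added example, written for this write-up and not part of the original report or Kentapay's code. It runs against a constructed stand-in target (fake_fetch) rather than the live host; the paths, page bodies and wordlist are assumptions.

```python
"""Added example, not from the original report: two triage helpers for the
directory brute-forcing phase. calibrate() fingerprints the server's catch-all
page so real directories can be told apart from noise; private_redirects()
flags redirects that leak private addresses. The target is a constructed
stand-in (fake_fetch), not live traffic."""
import hashlib
import ipaddress
import random
import string
from urllib.parse import urlparse

# Constructed stand-in for the target: three real paths, everything else gets
# a 200 "not found" page that echoes the requested path (the behaviour seen
# during the scan, which defeats status-code based filtering).
KNOWN = {
    "/assets": (302, {"Location": "https://192.168.10.156:8001/assets/"}, b""),
    "/waiting": (200, {}, b"<html><body>Please wait while we confirm your payment</body></html>"),
    "/login": (200, {}, b"<html><body><form action='/login'>...</form></body></html>"),
}


def fake_fetch(path):
    """Return (status, headers, body) for a path on the constructed target."""
    if path in KNOWN:
        return KNOWN[path]
    body = f"<html><body><h1>Page {path} not found</h1>Return to checkout.</body></html>"
    return 200, {}, body.encode()


def random_path(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choices(alphabet, k=length))


def fingerprint(path, status, body):
    """Status plus a hash of the body with the requested path blanked out, so
    catch-all pages that echo the path still produce one stable fingerprint."""
    return status, hashlib.sha256(body.replace(path.encode(), b"")).hexdigest()


def calibrate(fetch, samples=3):
    """Request a few paths that cannot exist. If every response carries the
    same fingerprint, that fingerprint is the catch-all response."""
    seen = set()
    for _ in range(samples):
        path = random_path()
        status, _, body = fetch(path)
        seen.add(fingerprint(path, status, body))
    return seen.pop() if len(seen) == 1 else None


def triage(fetch, wordlist, baseline):
    """Brute-force the wordlist, dropping anything that matches the catch-all."""
    hits = []
    for word in wordlist:
        path = "/" + word
        status, headers, body = fetch(path)
        if baseline is not None and fingerprint(path, status, body) == baseline:
            continue
        hits.append((path, status, headers.get("Location")))
    return hits


def private_redirects(hits):
    """Hits whose Location header points at a private, loopback or link-local IP."""
    leaks = []
    for path, _, location in hits:
        host = urlparse(location).hostname if location else None
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # no Location, or a hostname rather than an IP literal
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append((path, location))
    return leaks


if __name__ == "__main__":
    baseline = calibrate(fake_fetch)
    hits = triage(fake_fetch, ["assets", "waiting", "login", "admin", "backup"], baseline)
    print(hits)                     # /assets, /waiting and /login survive the filter
    print(private_redirects(hits))  # [('/assets', 'https://192.168.10.156:8001/assets/')]
```

Against a live target, fake_fetch would be replaced by a function that performs the request without following redirects, since the leak lives in the Location header of the 302 itself.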
SSL CONFIGURATIONS:

The server enforces strong TLS
INTERCEPT REQUESTS USING BURP:
Filled the checkout form with dummy data

Captured HTTP request in Burp

Target: swivel-checkout.kentapay.com
The /waiting endpoint is accessible without authentication or session cookies.
Modifying the requests did not yield anything.
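The /waiting observation is the kind of thing worth verifying systematically: request the endpoint with and without the session cookie and compare the two responses. The following is an added example for this write-up (not code from the original report or from Kentapay). It starts a constructed stand-in server on localhost so it runs offline; the paths, the cookie name "session" and its value are assumptions.

```python
"""Added example, not from the original report: verify whether an endpoint is
reachable without a session by comparing the response with and without the
session cookie. A constructed stand-in server runs on localhost so the check
works offline; paths, cookie name and value are assumptions."""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener


class StandIn(BaseHTTPRequestHandler):
    """Constructed target: /waiting ignores the session cookie (the behaviour
    observed in the assessment); /account redirects to /login without one."""

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if self.path == "/waiting":
            status, body, extra = 200, b"Waiting for payment confirmation", {}
        elif self.path == "/account":
            if "session=valid-token" in cookie:
                status, body, extra = 200, b"Account details", {}
            else:
                status, body, extra = 302, b"Login required", {"Location": "/login"}
        else:
            status, body, extra = 404, b"Not found", {}
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_stand_in():
    """Bind an ephemeral port on loopback and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as-is instead of following it


OPENER = build_opener(NoRedirect)


def fetch(url, cookie=None):
    """Return (status, body); redirects and error statuses are returned, not raised."""
    req = Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def access_control_check(base_url, path, session_cookie):
    """Identical 200 responses with and without the session mean the endpoint
    does not depend on authentication at all."""
    anon = fetch(base_url + path)
    auth = fetch(base_url + path, session_cookie)
    return {
        "path": path,
        "anonymous_status": anon[0],
        "authenticated_status": auth[0],
        "unauthenticated_access": anon[0] == 200 and anon == auth,
    }


if __name__ == "__main__":
    server, base = start_stand_in()
    for path in ("/waiting", "/account"):
        print(access_control_check(base, path, "session=valid-token"))
    server.shutdown()
```

Redirects are deliberately not followed: a login redirect is the signal that access control exists, and following it would turn the 302 into a 200 on the login page and hide the difference.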
Security Observations:
Strong TLS configuration (TLS 1.2 with secure ciphers)
Minimal exposed ports (80 & 443 only)
Use of CSRF tokens
Encrypted transaction payloads
Recommendations:
Implement the missing security headers (at minimum X-Frame-Options or a CSP frame-ancestors directive)
Remove the internal IP address from the /assets redirect
Enforce strict access control (for example, require a valid session on /waiting)
Validate all endpoints consistently
CONCLUSION:
I did not identify any critical exploitable vulnerabilities, but I found several weaknesses in access control, information disclosure, and security headers.
