SECT Internship Project
Cybersecurity Reports β Reconnaissance, Vulnerability Assessment, Data Breach Analysis and OWASP Mapping Report
Project maintained by yottajunaid
Hosted on GitHub Pages — Theme by mattgraham
π‘οΈ SECT Internship π‘οΈ
Thanks to Civora Nexus
π Project Timeline
| Week |
Title |
Download Report |
| β
Week 1 |
π Reconnaissance & Surface Mapping |
View PDF π |
| β
Week 2 |
π‘οΈ Vulnerability Assessment & Proof of Concept |
View PDF π |
| β
Week 3 |
π₯ Data Breach Analysis & OWASP Mapping |
View PDF π |
π Access the full project site: yottajunaid.github.io/SECT_Internship_Project
Week 1: Passive Reconnaissance & Threat Modeling
π― Project Objective
To simulate an attackerβs reconnaissance phase using passive information gathering techniques β without interacting directly with the target and evaluate what assets are exposed to the public internet.
Target Website: http://tendermines.com
π§ Reconnaissance Techniques Used
- π WHOIS & DNS Lookups (via who.is and MXToolbox)
- π BuiltWith Analysis (to identify tech stack and hosting infra)
- π΅οΈββοΈ Google Dorking (to find exposed endpoints, documents, logins)
- π‘ Subdomain Enumeration (via DNSDumpster, crt.sh, VirusTotal)
- π SSL/TLS Analysis (or lack thereof)
- π Website Social Engineering Audit
- π€ Social Media Reconnaissance (LinkedIn, GitHub, etc.)
- π Dark Web Filtering (IntelX leak validation)
π³οΈ Dark Web Leak Reference
π Included Files
Week_1/reconnaissance_sect.pdf β Full PDF report with:
- Screenshots of tools
- Threat modeling table
- Risk assessment matrix
- Recommendations
This project demonstrates the importance of passive reconnaissance in understanding an organizationβs public exposure. Through ethical OSINT and threat modeling, we can simulate how attackers gather intelligence and propose defensive actions before real exploitation happens.
Week 2: Web Vulnerability Analysis
Target: http://tendermines.com
π§ͺ Key Activities:
- XSS Testing: Injected common payloads in URL parameters, search bar, and contact form.
- SQL Injection (Error-Based): Entered payloads like
' OR 'x'='x in login form.
- SSL/TLS Verification: Site served over HTTP without HTTPS, HSTS, or secure cookies.
- Email Security: Missing SPF, DKIM, and DMARC DNS records β vulnerable to email spoofing.
- Info Disclosure: SQL error outputs revealed internal server paths and database structure.
- Admin/Login Page Indexing:
/login page publicly accessible and potentially indexed; lacked protections.
- Security Headers:
X-Frame-Options present, but CSP, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy were missing.
β
Risk Assessment β Summary Table:
| # |
Issue |
Risk Level |
| 1 |
SQL Injection (Error-Based) |
π΄ High |
| 2 |
Leaked Sensitive Info |
π΄ High |
| 3 |
Missing HTTPS/TLS |
π΄ High |
| 4 |
Missing Email Auth (SPF/DKIM/DMARC) |
π΄ High |
| 5 |
Admin Page Indexed |
π Medium |
| 6 |
Missing Security Headers |
π Medium |
| 7 |
No XSS Found |
βͺ N/A |
π Included Files
Week_2/vulnerabilityreport_sect β Full PDF report with:
- Screenshots of tools
- Threat modeling table
- Risk assessment matrix
- Recommendations
Week 3: A Real-World Breach Analysis + OWASP Mapping Report
Target: http://tendermines.com
π Key Activities
- IntelX Dark Web Intelligence β Discovered tendermines.com.sql database leak, first indexed Nov 1, 2023.
- Incident Timeline Construction β Traced key events from reconnaissance, vulnerability findings to breach disclosure.
- Technical Root Cause Analysis β Identified critical flaws: SQL Injection, missing HTTPS, exposed admin endpoints, verbose error disclosures, misconfigured DNS/email policies.
- OWASP & CIA Impact Mapping β Mapped vulnerabilities to OWASP Topβ―10 categories and assessed impact across Confidentiality, Integrity, and Availability dimensions.
- Threat Modeling (STRIDE) β Detailed threat vectors and attack flows including SQLi, spoofing, bruteβforce, and data exfiltration.
- Remediation Roadmap β Developed a prioritized strategy matrix covering secure coding, infrastructure hardening, email protections, monitoring, and policy enforcement.
- Visual Architecture & Flow Diagrams β Included threat mapping, deployment pipeline, security architecture, and stakeholder impact visuals.
π Included Files
Week_3/breach_analysis_and_OWASP_mapping_sect.pdf β Full PDF report with:
- Screenshots of tools
- Technical Root Cause Analysis
- Threat modeling table
- Affected Stakeholders
- CIA Triad Impact Mapping
- OWASP Top 10 Mapping
- Incident Timeline
- Risk assessment matrix
- Recommendations
βοΈ Author
Junaid Quadri
SECT Cybersecurity Intern β July 2025
cybersecurity osint reconnaissance sect-internship darkweb social-engineering bugbounty tls dns-security