Learn by Directing AI
ttp-selection.md

# TTP Selection -- Gintaro Kelias Security Assessment

## Engagement Context

Multi-vulnerability assessment of the Gintaro Kelias online amber jewelry store, following a phishing incident report. The assessment tests for common web application vulnerabilities beyond the single SQL injection focus of a basic assessment. The client's shop uses a WooCommerce-style platform with customer accounts, product reviews, search functionality, and an administrative backend.

## Vulnerability Types and Testing Methods

### 1. Cross-Site Scripting (XSS) -- Reflected

Target: Search fields, URL parameters, any input that is reflected in the page response.

Method: Inject script payloads into input fields and URL parameters. Test whether the application reflects user input without encoding or sanitization. Start with a basic payload (`<script>alert(1)</script>`) to confirm the vector, then demonstrate impact (session token access, cookie exfiltration).

Tool: Manual testing directed through Claude, browser developer tools for confirmation.

ATT&CK mapping: T1189 -- Exploit Public-Facing Application

Why this matters: Reflected XSS allows an attacker to craft a malicious link. When a customer clicks it, the script executes in their browser as if it came from Ruta's shop. The attacker could steal the customer's session or redirect them to a fake payment page.

### 2. Cross-Site Scripting (XSS) -- Stored

Target: Product review submission forms, contact forms, any input that is stored and displayed to other users.

Method: Submit payloads through review forms and verify they persist across page loads. A stored XSS payload executes for every visitor who views the page -- not just the person who submitted it.

Tool: Manual testing directed through Claude, verify persistence by loading the page in a fresh browser context.

ATT&CK mapping: T1189 -- Exploit Public-Facing Application

Why this matters: Stored XSS is higher severity than reflected because it affects every visitor, not just one. If an attacker injects a script into a product review, every customer browsing that product would have the script execute in their browser.
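Both XSS sections come down to the same root cause and the same fix, so here is one added example covering the reflected and the stored case together. It is illustrative code written for this page, not code from the client's shop or from any platform; the search renderer, the in-memory review store and the product names are constructed stand-ins. The vulnerable renderers concatenate user text into HTML; the hardened ones encode at the output point, which is also why the confirmation step in the plan (does the probe come back byte-for-byte?) is the right check.

```python
import html

# Constructed in-memory review store; stands in for the shop's database
REVIEWS = []

# The confirmation payload named in the plan; the check below only looks for it verbatim
PROBE = "<script>alert(1)</script>"


def render_search_vulnerable(query):
    """Reflected XSS: the search term is concatenated straight into the HTML."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Hardened: HTML-encode at the output point, so '<' becomes '&lt;'."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_unencoded(page, probe=PROBE):
    """Confirmation step from the plan: did the probe come back unchanged?"""
    return probe in page


def submit_review(product, author, text):
    """Store the review as submitted; encoding belongs at output, not at input."""
    REVIEWS.append({"product": product, "author": author, "text": text})
    return len(REVIEWS)


def render_reviews_vulnerable(product):
    """Stored XSS: every visitor to this product page receives the raw review text."""
    rows = [f"<li>{r['author']}: {r['text']}</li>" for r in REVIEWS if r["product"] == product]
    return "<ul>" + "".join(rows) + "</ul>"


def render_reviews_safe(product):
    """Hardened: encode every stored field on the way out."""
    rows = [
        f"<li>{html.escape(r['author'], quote=True)}: {html.escape(r['text'], quote=True)}</li>"
        for r in REVIEWS
        if r["product"] == product
    ]
    return "<ul>" + "".join(rows) + "</ul>"


if __name__ == "__main__":
    print(render_search_vulnerable(PROBE))
    print(render_search_safe(PROBE))
    submit_review("amber-pendant", "visitor", PROBE)
    print(render_reviews_vulnerable("amber-pendant"))
    print(render_reviews_safe("amber-pendant"))
```

The stored variant keeps the raw text in the store on purpose: the defence is context-aware encoding wherever data is written into a page, not stripping tags on input, which breaks legitimate reviews containing `<` or `&` and misses payloads that arrive through other channels.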

### 3. Command Injection

Target: Any server-side functionality that processes user-supplied input through system commands (file processing, image handling, export features).

Method: Test input fields that might pass data to shell commands. Look for endpoints that process filenames, paths, or user data through server-side utilities.

Tool: Manual testing directed through Claude.

ATT&CK mapping: T1059.004 -- Command and Scripting Interpreter: Unix Shell

Why this matters: Command injection gives the attacker direct access to the server's operating system. Unlike XSS (which affects the customer's browser), command injection compromises the server itself -- the attacker could read the database, modify files, or install persistent access.
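An added example of the pattern this section tests for and its fix, written for this page rather than taken from the client's platform. The image-export command (`convert` on an uploaded filename) is an assumed stand-in for whatever server-side utility the shop calls; the vulnerable builder is returned as a string and never executed. The hardened path does two independent things: it allowlists the filename, and it passes arguments as a list with no shell, which the last function demonstrates by letting Python itself echo back an argument containing a `;`.

```python
import re
import subprocess
import sys

# Allowlist: one plain filename, no path separators, no shell metacharacters
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name):
    """Reject anything that is not a simple basename (also blocks '..' traversal)."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def export_command_vulnerable(name):
    """Pattern under test: user data pasted into a single shell string (shell=True).
    Returned rather than executed; a ';' or '|' inside `name` would be parsed by the shell."""
    return f"convert uploads/{name} -resize 800x800 exports/{name}.png"


def export_argv(name):
    """Hardened: validate first, then build an argument list for shell=False."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected filename: {name!r}")
    return ["convert", f"uploads/{name}", "-resize", "800x800", f"exports/{name}.png"]


def run_argv_literal(name):
    """Show the argv-layer defence on its own: Python stands in for the image tool
    and echoes argv[1]; with no shell involved, metacharacters stay literal text."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", name],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print(export_command_vulnerable("pendant.jpg; extra"))
    print(export_argv("pendant_01.jpg"))
    print(run_argv_literal("pendant.jpg; extra"))
```

Keep both layers: the allowlist stops traversal and odd names before any process starts, and the argument list means that even an unvalidated value reaches the utility as one literal argument rather than as shell syntax.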

### 4. Credential Testing

Target: WordPress-style admin login panel, customer account login.

Method: Test for default or weak credentials on administrative interfaces. Use a small, targeted wordlist focusing on common defaults (admin/admin, admin/password).

Tool: Hydra for automated credential testing against the login endpoint.

ATT&CK mapping: T1110.001 -- Brute Force: Password Guessing

Why this matters: If the admin panel uses default credentials, anyone on the internet can log in and access customer data, modify the shop, or install malicious code. Ruta's nephew set up the admin account -- whether he changed the default password determines the severity.
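The finding on the defender's side is whether the shop would notice a password-guessing run like the one this section describes. Here is an added detection example written for this page, not from the client's site or any product: it runs a sliding-window count of failed logins per source over a constructed auth-log sample (the log format, addresses and usernames are all made up for the demo) and flags the T1110.001 pattern, marking separately when a success follows the burst, which is the case that needs immediate attention.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed application auth-log sample (not from the client's site).
# 203.0.113.7 hammers the admin account and then gets in; 198.51.100.4 is one mistyped password.
SAMPLE_LOG = [
    "2025-03-12T10:00:01Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:03Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:05Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:07Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:09Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:11Z src=203.0.113.7 user=admin result=FAIL",
    "2025-03-12T10:00:13Z src=203.0.113.7 user=admin result=OK",
    "2025-03-12T10:00:20Z src=198.51.100.4 user=ruta result=FAIL",
    "2025-03-12T10:00:45Z src=198.51.100.4 user=ruta result=OK",
]

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_password_guessing(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside a sliding window (T1110.001)
    and record whether a success followed the burst."""
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    alerts = {}
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "FAIL":
            window = recent[src]
            window.append(ev["ts"])
            window[:] = [t for t in window if (ev["ts"] - t).total_seconds() <= window_s]
            if len(window) >= threshold:
                alert = alerts.setdefault(
                    src, {"user": ev["user"], "failures": 0, "success_after_burst": False}
                )
                alert["failures"] = max(alert["failures"], len(window))
        elif src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in find_password_guessing(SAMPLE_LOG).items():
        print(src, alert)
```

The threshold and window are tuning knobs: a small shop with a handful of staff can afford a low threshold on the admin login, and the same counter keyed on username instead of source catches guessing spread across many addresses.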

### 5. SQL Injection

Target: Database-connected input fields (search, login, any form that queries the database).

Method: Use sqlmap against input fields that interact with the MySQL database. This is a carry-forward from P1 -- the same technique, applied to a different application.

Tool: sqlmap for automated testing.

ATT&CK mapping: T1189 -- Exploit Public-Facing Application

Why this matters: SQL injection can expose the entire customer database -- names, email addresses, physical addresses, order history. For Ruta's shop serving 15 countries, a data breach would have legal implications under GDPR.
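An added example of what sqlmap is really probing for and what closes it, written for this page and not taken from the shop's code. It uses an in-memory SQLite catalogue as a stand-in for the client's MySQL tables (product names are constructed). The string-built search breaks on a single apostrophe, which is why a product named `Amber ring 'Sunrise'` cannot even be searched for, and that error is the first indicator an automated tester keys on; the parameterised version handles the same input correctly because the SQL text never changes.

```python
import sqlite3


def build_catalogue():
    """Constructed product table; sqlite3 in memory so the demo runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("Baltic amber pendant",), ("Amber ring 'Sunrise'",), ("Silver chain",)],
    )
    return con


def search_vulnerable(con, term):
    """Pattern under test: the search term is spliced into the SQL text."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    """Hardened: the term travels as a bound parameter; the SQL text is constant."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{term}%",))]


def single_quote_breaks_query(con):
    """A lone quote raises a database error from the string-built query but not from
    the parameterised one; that error is the first sign sqlmap-style tools look for."""
    try:
        search_vulnerable(con, "'")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    con = build_catalogue()
    print(search_safe(con, "amber"))
    print(search_safe(con, "Sunrise'"))
    print("string-built query breaks on a quote:", single_quote_breaks_query(con))
```

On a real engagement the fix is applied at every query site, not just the search box; the WordPress-style platforms this plan assumes ship prepared-statement helpers, and the finding should name the specific queries that bypass them.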

## Priority Guidance

Test and report findings in order of likely business impact:

  1. Stored XSS -- affects every visitor to the compromised page
  2. Command injection -- server-level access, potential for data theft or persistent compromise
  3. Credential weakness -- administrative access without exploitation
  4. SQL injection -- database access, customer data exposure
  5. Reflected XSS -- requires a crafted link to exploit

This priority ordering reflects Ruta's situation: customer trust and data protection are her primary concerns. Vulnerabilities that affect all customers (stored XSS) or give direct server access (command injection) are higher priority than those requiring specific conditions to exploit (reflected XSS).