Application Threat Modeling Report

 Scan Name: webscantest
 Date: 10/24/2017 7:44:45 AM
 Authenticated User: admin
 Total Links / Attackable Links: 475 / 475
 Target URL:


Attack Points by Site Layer

Crawl Statistics

  Links Discovered 475  
  Unique Forms 22  

Site Links & Interdependencies

Finding Statistics

  Module Performed Variances  
  Unrestricted File Upload        
  Autocomplete Attribute        
  Brute Force HTTP Authentication        
  Brute Force Form based Authentication  152       
  Blind SQL Injection  5,301    50    
  Information Leakage        
  SQL Information Leakage        
  Email Address        
  Forced Browsing  630       
  Information Disclosure        
  HttpOnly attribute        
  Cross-Site Request Forgery (CSRF)  89    38    
  Directory Indexing  32       
  HTTP Response Splitting  2,448       
  Business Logic Abuse  42    10    
  Command Injection  6,969       
  Parameter Fuzzing  1,265    24    
  Reflection analysis  390    125    
  Remote File Include (RFI)  2,072       
  Local File Include (LFI)  520       
  Predictable Resource Location  3,209    22    
  Reverse Proxy        
  Secure and non-secure content mix        
  Server Type Disclosure        
  Session Fixation        
  Form Session Strength analysis  10       
  Session Strength        
  HTTPS to HTTP Downgrade        
  Java files checks        
  Source Code Disclosure  85       
  SQL Injection  6,437    32    
  SQL injection Auth Bypass  16       
  SSL Strength        
  Heartbleed Check        
  Unvalidated URL Redirect  1,078       
  URL rewriting (Session IDs exposed in the URL)        
  Web Beacon        
  Cross-site tracing (XST)        
  Web Service Parameter Fuzzing        
  DOM based Cross-site scripting (XSS)        
  Reflected Cross-site scripting (XSS)  2,445    91    
  Server Side Include (SSI) Injection  714       
  Hard-Coded Password        
  Secure attribute        
  Form re-submission     33    
  Sensitive Data in URL        
  Buffer Overflow  447    14    
  Integer Overflow  320       
  Credit Card type        
  Credit Card number        
  Social Security Number        
  Phone Number        
  IP Address        
  Sensitive data sent over Un Encrypted Channel     15    
  Credentials Over Un Encrypted Channel        
  Apache Struts 2 Framework Checks  32       
  Apache Struts Framework Detection        
  X-Frame-Options     22    
  HTTP Strict Transport Security        
  Cleartext Credentials        
  Unsecure Data Transmission        
  XPath Injection  1,364    11    
  LDAP Injection  1,799       
  ASP.NET ViewState security        
  ASP.NET Misconfiguration  32       
  Browser Cache directive (leaking sensitive information)     33    
  Browser Cache directive (web application performance)     11    
  HTTP Authentication Check        
  SQL Parameter Check        
  Cross Origin Resources Sharing (CORS)  1,338       
  PHP Code Execution  164       
  Collecting Sensitive Personal Information     32    
  Nginx NULL code vulnerability  271       
  Privilege Escalation  302       
  HTTP Verb Tampering  85       
  Content Type Charset Check     139    
  Microsoft FrontPage Server Extensions Checks  16       
  Persistent Cross-site scripting (XSS)  112       
  Reverse Clickjacking  24       
  Local Storage Usage        
  Clients Cross-Domain Policy Files  64       
  Expression Language Injection        
  XML External Entity        
  Subdomain discovery  178       
  Out of Band Cross-site scripting (XSS)  1,026       
  Out of Band Stored Cross-site scripting (XSS)  21       
  Session Upgrade        
  Content Security Policy Headers        
  HTTP User-Agent Check  1,185       
  HTTPS Everywhere     100    
  HTTPS Query Session Check        
  DOM based Cross-site scripting (XSS) Comprehensive  90       
  ASP.NET Serialization Check        

Resource Maps