Application Threat Modeling Report

 Scan Name: Webscantest
 Date: 9/12/2017 9:33:08 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 409 / 409
 Target URL:


Attack Points by Site Layer

Crawl Statistics

  Links Discovered 409  
  Unique Forms 21  

Site Links & Interdependencies

Finding Statistics

  Module                                                   Performed  Variances
  Information Disclosure                                              12
  Hard-Coded Password
  X-Frame-Options                                                     20
  Web Service Parameter Fuzzing
  Form Session Strength analysis
  Browser Cache directive (web application performance)               10
  Reverse Clickjacking
  Predictable Resource Location                            5,395
  IP Address
  HttpOnly attribute
  Reverse Proxy
  Privilege Escalation                                     271
  SQL Parameter Check
  Brute Force HTTP Authentication
  Apache Struts 2 Framework Checks                         44
  Remote File Include (RFI)                                2,081
  Source Code Disclosure                                   82
  Custom Parameter Check                                   412        10
  Social Security Number
  Unrestricted File Upload
  Command Injection                                        6,431
  Local File Include (LFI)                                 477
  Form re-submission                                                  31
  URL rewriting (Session IDs exposed in the URL)
  Local Storage Usage
  SQL Injection                                            5,659      28
  HTTP Response Splitting                                  2,001
  Sensitive data sent over Un Encrypted Channel                       15
  Web Beacon
  Autocomplete Attribute
  Server Type Disclosure
  Phone Number
  Session Fixation
  Directory Indexing                                       44
  HTTP Strict Transport Security
  Custom Directory Check                                   44
  Reflected Cross-site scripting (XSS)                     2,820      85
  Sensitive Data in URL
  Cross-site tracing (XST)
  Information Leakage
  Blind SQL Injection                                      4,677      48
  SSL Strength
  Expression Language Injection                            390
  ASP.NET ViewState security
  Reflection analysis                                      390        113
  Apache Struts Framework Detection
  Secure and non-secure content mix
  Credentials Over Un Encrypted Channel
  Custom Passive Check                                                10
  Unvalidated URL Redirect                                 1,008
  Server Side Include (SSI) Injection                      546
  Clients Cross-Domain Policy Files                        88
  Parameter Fuzzing                                        976        24
  HTTP Authentication Check
  Credit Card type
  Integer Overflow                                         176
  XML External Entity
  HTTP Verb Tampering                                      68
  Content Type Charset Check                                          146
  Cross-Site Request Forgery (CSRF)                        62         33
  SQL Information Leakage
  Nginx NULL code vulnerability                            232
  SQL injection Auth Bypass                                16
  DOM based Cross-site scripting (XSS)
  Browser Cache directive (leaking sensitive information)             28
  Cleartext Credentials
  Sensitive Information sent with GET method
  PHP Code Execution                                       151
  Collecting Sensitive Personal Information                           32
  Java files checks
  Secure attribute
  Cross Origin Resources Sharing (CORS)                    1,152
  Buffer Overflow                                          416        14
  Session Strength
  Microsoft FrontPage Server Extensions Checks             16
  Brute Force Form based Authentication                    152
  HTTPS to HTTP Downgrade
  Business Logic Abuse                                     38
  XPath Injection                                          1,488      11
  Persistent Cross-site scripting (XSS)
  Credentials sent with GET method
  Unsecure Data Transmission
  Content Security Policy Headers
  Forced Browsing                                          383
  Credit Card number
  Email Address
  ASP.NET Misconfiguration                                 44

Resource Maps