Vulnerabilities Report (Page 2 of 2)

 Scan Name: Webscantest
 Date: 9/12/2017 9:33:08 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 409 / 409
 Target URLs: http://webscantest.com/ and https://webscantest.com/

Summary

[Charts: Vulnerabilities by Risk; Vulnerabilities by Who Will Fix; Most Vulnerable Sites. Root Causes: 268]

Vulnerability Type                                        Root Causes Variances
Blind SQL Injection                                                14        48
Browser Cache directive (leaking sensitive information)            19        28
Brute Force Form based Authentication                               1         1
Buffer Overflow                                                     6        14
Business Logic Abuse                                                3         5
Command Injection                                                   2         6
Content Security Policy Headers                                     2         3
Content Type Charset Check                                        100       146
Credentials Over Unencrypted Channel                                2         2
Cross-Site Request Forgery (CSRF)                                  21        33
Custom Directory Check                                              2         2
Custom Parameter Check                                             10        10
Custom Passive Check                                               10        10
Directory Indexing                                                  3         3
DOM based Cross-site scripting (XSS)                                1         1
HTTP Verb Tampering                                                 1         2
HttpOnly attribute                                                  7         7
Information Disclosure                                             12        12
Information Leakage                                                 4         4
Parameter Fuzzing                                                   6        24
Persistent Cross-site scripting (XSS)                               2         2
Predictable Resource Location                                       2         2
Reflected Cross-site scripting (XSS)                               19        85
Server Type Disclosure                                              2         2
Session Fixation                                                    1         1
Session Strength                                                    1         1
SQL Information Leakage                                             3         5
SQL Injection                                                       7        28
SQL injection Auth Bypass                                           1         3
SQL Parameter Check                                                 1         1
XPath Injection                                                     3        11
Total:                                                            268       502

Details


Cross-Site Request Forgery (CSRF)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #152: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/request.php Root Cause #153: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/review.php Root Cause #154: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/search.php Root Cause #155: (2 Attack Variances)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #156: (1 Attack Variance)
URL: http://webscantest.com/csrf/token.php Root Cause #157: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_by_id.php Root Cause #158: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #159: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #160: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_single_by_name.php Root Cause #161: (2 Attack Variances)
URL: http://webscantest.com/infodb/comment.php Root Cause #162: (1 Attack Variance)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #163: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois.php Root Cause #164: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois_nv.php Root Cause #165: (1 Attack Variance)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #166: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #167: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_id.php Root Cause #168: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_name.php Root Cause #169: (2 Attack Variances)
URL: http://webscantest.com/soap/demo/api/ Root Cause #170: (2 Attack Variances)

Description:  

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. The request is malicious in that it inherits the identity and privileges of the victim and performs an undesired action on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.
For most sites, browsers automatically attach to such requests whatever ambient credentials are associated with the site: the session cookie, HTTP Basic credentials, Windows domain (integrated) credentials, and the client's source IP address where that is used for authorization. If the user is currently authenticated to the site, the site therefore has no way to distinguish a forged request from a legitimate one.
In this way the attacker can make the victim perform actions they did not intend, such as logging out, purchasing an item, changing or retrieving account information, or any other function the vulnerable site provides.
Sometimes the CSRF attack can be stored on the vulnerable site itself; such flaws are called stored CSRF. This is done by placing an IMG or IFRAME tag in a field that accepts HTML, or through a cross-site scripting flaw. Storing the attack on the site amplifies its severity: the victim is more likely to view a page on the target site than some random page on the Internet, and is certain to be authenticated to the site while viewing it.
Synonyms: CSRF attacks are also known as XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in its threat modeling process and in much of its online documentation.
Note that several of the pages flagged here (aboutyou2.php, request.php, csrfpost.php and token.php) also appear under the Reflected Cross-site scripting findings below; an XSS on the same origin can read an anti-CSRF token out of the page, so those pairs should be fixed together.


Recommendations:  

Web sites have various CSRF countermeasures available:

  • Requiring a secret, per-session (or per-user) token in all form submissions and side-effecting URLs. The attacker's page cannot read the token, so it cannot put the right one into its forged request.
  • Requiring the client to re-supply authentication data (password or a second factor) in the same HTTP request that performs a security-sensitive operation such as a money transfer.
  • Limiting the lifetime of session cookies, which shrinks the window in which a forged request can ride on an existing session.
  • Marking the session cookie SameSite=Lax or SameSite=Strict so the browser omits it from cross-site requests; this is defence in depth, not a replacement for the token.
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls.
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies.

An easy and effective solution is a CSRF filter such as OWASP CSRFGuard. The filter intercepts responses, detects whether each one is an HTML document and inserts a token into its forms, optionally also injecting script that adds the token to AJAX requests; it intercepts incoming requests and checks that the token is present and valid. Whatever mechanism is used, the server must compare the submitted token against the session's token on every state-changing request. Checking only that some token field is present, or accepting a token issued to a different session, are common broken implementations.
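The synchronizer-token pattern from the first bullet, written out as an added example; it is not code from this report or from webscantest.com. The in-memory session dict, the hidden-field name csrf_token and the form field property (the parameter the report lists for csrfpost.php) are assumptions made for illustration.

```python
"""Synchronizer-token CSRF protection reduced to its essentials.

Added example; not code from the scanner report or from webscantest.com.
The session dict, the hidden-field name csrf_token and the 'property'
form field are assumptions made for illustration.
"""
import hmac
import secrets
from html import escape
from typing import Optional, Tuple

TOKEN_FIELD = "csrf_token"   # assumed hidden-field / form parameter name
TOKEN_BYTES = 32             # 256 bits from the OS CSPRNG per session


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, minting one on first use.

    The token lives in the server-side session and is only ever sent in
    pages rendered for that session.  A page on attacker.example can make
    the victim's browser *send* cookies to the target, but the same-origin
    policy stops it *reading* the target's pages, so it cannot learn the
    token to include it in a forged request.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(TOKEN_BYTES)
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str) -> str:
    """Emit the form with the token as a hidden field, attribute-escaped."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token, quote=True)}">'
        '<input name="property"><button>Save</button></form>'
    )


def verify_token(session: dict, submitted: Optional[str]) -> bool:
    """True only if the submitted token equals this session's token.

    compare_digest runs in time independent of where the strings differ,
    so an attacker cannot recover the token byte by byte from timing.
    A missing token is a failure, not a pass: checking only that *some*
    token field exists is a common broken implementation.
    """
    expected = session.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: dict, form: dict) -> Tuple[int, str]:
    """State-changing handler: 403 on a bad or missing token, 200 otherwise."""
    if not verify_token(session, form.get(TOKEN_FIELD)):
        return 403, "CSRF token missing or invalid"
    return 200, f"property updated to {form.get('property')!r}"


if __name__ == "__main__":
    victim = {"user": "testuser"}
    render_form(victim, "/csrf/csrfpost.php")       # token is now in the session
    good = issue_token(victim)
    # 1. Legitimate submission from the rendered form.
    print(handle_post(victim, {TOKEN_FIELD: good, "property": "x"}))
    # 2. Forged cross-site POST: the cookie rides along, the token does not.
    print(handle_post(victim, {"property": "attacker-chosen"}))
    # 3. Attacker submits a token from their *own* session: still rejected.
    attacker = {"user": "mallory"}
    print(handle_post(victim, {TOKEN_FIELD: issue_token(attacker), "property": "y"}))
```

The third case is the one scanners and code reviews most often miss: a check that only validates token format, or looks the token up in a global table instead of the caller's session, lets an attacker log in, obtain a valid token and plant it in the forged form.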


Custom Directory Check

Site: http://webscantest.com:80
URL: http://webscantest.com/ Root Cause #171: (1 Attack Variance)
Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/ Root Cause #172: (1 Attack Variance)

Description:  

The description for the Example Directory Attack.


Recommendations:  

Refer to your web server's documentation for instructions.


Custom Parameter Check

Site: http://webscantest.com:80
URL: http://webscantest.com/css/style.css Root Cause #173: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_crosstraining.php Root Cause #174: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_osrun.php Root Cause #175: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_shutterdb.php Root Cause #176: (Parameter: Directory / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/cookie_set_coffeepits.php Root Cause #177: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/dynalink_myfiles.php Root Cause #178: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/gotoajax.php Root Cause #179: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/jsmenu/gotoframeme.php Root Cause #180: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/privacy.php Root Cause #181: (Parameter: File / 1 Attack Variance)
URL: http://webscantest.com/soap/demo/ Root Cause #182: (Parameter: Directory[1] / 1 Attack Variance)

Description:  

The description for the Example Parameter Attack.


Recommendations:  

Refer to your web server's documentation for instructions.


Custom Passive Check

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/product.php Root Cause #183: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/products.php Root Cause #184: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/review.php Root Cause #185: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #186: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #187: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id.php Root Cause #188: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id2.php Root Cause #189: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id3.php Root Cause #190: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id4.php Root Cause #191: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id5.php Root Cause #192: (1 Attack Variance)

Description:  

The description for the Example Passive Attack.


Recommendations:  

Refer to your web server's documentation for instructions.


Directory Indexing

Site: http://webscantest.com:80
URL: http://webscantest.com/css/ Root Cause #193
URL: http://webscantest.com/images/ Root Cause #194
URL: http://webscantest.com/myfiles/ Root Cause #195

Description:  

A full list of a directory's content can be viewed. This reveals each file and subdirectory, regardless of whether or not it is related to the web application. A directory listing may also reveal backup files, include files, or configuration files that are not normally viewable by users. When these types of files can be found, they often disclose sensitive information about the application.


Recommendations:  

Refer to your web server's documentation for instructions on prohibiting directory listings (for Apache, Options -Indexes in the relevant Directory block or .htaccess). Review the three directories flagged here (/css/, /images/, /myfiles/) for files that were never meant to be served, since disabling the listing hides the index but not the files; /myfiles/ also appears under the Reflected Cross-site scripting findings below.


DOM based Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/sample.php Root Cause #196: (1 Attack Variance)

Description:  

DOM-based Cross-Site Scripting is the de facto name for XSS bugs that result from active content on a page, typically JavaScript, obtaining user input (from location.hash, location.search, document.referrer, window.name, postMessage data and similar sources) and passing it to an unsafe sink (innerHTML, document.write, eval, a string argument to setTimeout, a javascript: URL) so that injected code executes. This section only discusses JavaScript bugs that lead to XSS.

The DOM, or Document Object Model, is the structural format used to represent documents in the browser. It lets scripts such as JavaScript reference components of the document, for example a form field or a session cookie. The browser also uses the DOM for security, for example to stop scripts from one origin reading another origin's cookies. A DOM-based cross-site scripting vulnerability occurs when the page's own script, on a specially crafted request, writes attacker-controlled data into the DOM in a way that the browser then interprets as markup or code.

Relatively little has been published on this topic, so there is little standardization of its meaning and of formalized testing.


Recommendations:  

Not all XSS bugs require the attacker to control the content returned by the server; some instead abuse poor JavaScript coding practices to achieve the same result. The consequences are those of any XSS flaw; only the means of delivery differs.

Where reflected and stored XSS pass an unsanitized parameter through the server and back to the user's browser, a DOM-based XSS need not send the payload to the server at all: the page's own code reads it from the DOM (for example the URL fragment) and the attacker's crafted input changes the flow of that code.

Because the payload may never leave the browser (the fragment after # is not sent in the request), server-side XSS filters, WAF rules and server logs are blind to many DOM-based attacks. The remedy is in the client code: do not pass DOM-derived input to innerHTML, outerHTML, document.write, eval, Function, string forms of setTimeout/setInterval, event-handler attributes or URL attributes; assign untrusted text with textContent, and validate a URL's scheme before assigning it to location or href.
The consequences of DOM-based cross-site scripting are as wide ranging as those of the better known forms (cookie retrieval, further malicious script injection, and so on) and it should be treated with the same severity.


HTTP Verb Tampering

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/review.php Root Cause #197: (2 Attack Variances)

Description:  

A page that is expected to accept only POST requests also responds to a GET request.

This attack module sends a GET request to a page that has previously only been used with POST. HTTP verb tampering is generally used in conjunction with syntactic and semantic attacks as a way to bypass defensive measures that are applied to one method but not another, for example an input filter that inspects only the POST body.
When an application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, that is reflected back to the user. By requesting the link with a modified HTTP verb, the page renders the parameter values taken from the query string, which is an attacker-deliverable link rather than a form the victim has to submit.

Recommendations:  

Some resources legitimately allow both GET and POST: an edit form may be reached by a hyperlink whose parameter names the record to edit and then submitted by POST to itself, and users may bookmark a page that is the result of a POST and return to it later. Decide per page which methods it accepts and answer the others with 405 Method Not Allowed and an Allow header.

To protect against syntactic HTTP verb manipulation, read user-supplied data only from the source where it is expected (query string or POST body), never from a merged view such as PHP's $_REQUEST; if both sources must be accepted, validate both identically. Copy only the parameter names you expect into the session or the model, and do not let attackers add arbitrary name/value pairs.
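The two recommendations above (a per-route method allowlist answered with 405, and parameters read only from the source the method implies) as an added example; this is not code from the report or from webscantest.com. The route table, the review-form field names product_id and review, and the dict-shaped request are assumptions made for illustration.

```python
"""Server-side handling that defeats verb tampering: every route declares
the methods it accepts, and parameters are read only from the source the
method implies, never from a merged GET+POST view.

Added example; not code from the scanner report or from webscantest.com.
The route table, the field names product_id / review / q and the
dict-shaped request are assumptions made for illustration.
"""
from typing import Dict, Set, Tuple
from urllib.parse import parse_qs

# path -> (allowed methods, parameter names the handler expects)
ROUTES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "/crosstraining/review.php": ({"POST"}, {"product_id", "review"}),
    "/crosstraining/search.php": ({"GET"}, {"q"}),
}


def read_params(request: dict) -> Dict[str, str]:
    """Query string for GET, urlencoded body for POST, nothing else.

    Merging the two (PHP's $_REQUEST, servlet getParameter()) is exactly
    what lets a GET smuggle values into code written for POST.
    """
    method = request["method"]
    if method == "GET":
        raw = request.get("query_string", "")
    elif method == "POST":
        raw = request.get("body", "")
    else:
        raw = ""
    # parse_qs yields lists.  Pick one position deliberately (first here);
    # frameworks differ on first-vs-last, which is what HTTP parameter
    # pollution exploits when a filter and the app disagree.
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def dispatch(request: dict) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a dict-shaped request."""
    route = ROUTES.get(request["path"])
    if route is None:
        return 404, {}, "not found"
    allowed, expected = route
    if request["method"] not in allowed:
        # RFC 7231: 405 plus an Allow header.  The page is not rendered,
        # so nothing from the query string is reflected.
        return 405, {"Allow": ", ".join(sorted(allowed))}, "method not allowed"
    params = read_params(request)
    unexpected = set(params) - expected
    if unexpected:
        # Reject rather than silently carry attacker-added names into the
        # session or the model.
        return 400, {}, "unexpected parameter(s): " + ", ".join(sorted(unexpected))
    return 200, {}, f"{request['path']} ok: {params}"


if __name__ == "__main__":
    # The tampering probe: a page only ever POSTed to, fetched by GET.
    print(dispatch({"method": "GET", "path": "/crosstraining/review.php",
                    "query_string": "review=%3Cscript%3E"}))
    # Legitimate POST; a query string on the same request is ignored.
    print(dispatch({"method": "POST", "path": "/crosstraining/review.php",
                    "body": "product_id=1&review=fine", "query_string": "review=x"}))
```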


HttpOnly attribute

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/request.php Root Cause #198: (Parameter: firstname / 1 Attack Variance)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #199: (Parameter: last_search / 1 Attack Variance)
URL: http://webscantest.com/login.php Root Cause #200: (Parameter: NB_SRVID / 1 Attack Variance)
URL: http://webscantest.com/login.php Root Cause #201: (Parameter: TEST_SESSIONID / 1 Attack Variance)
URL: http://webscantest.com/login.php Root Cause #202: (Parameter: login_error / 1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id4.php Root Cause #203: (Parameter: last_search4 / 1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id5.php Root Cause #204: (Parameter: last_search5 / 1 Attack Variance)

Description:  

The HttpOnly attribute tells the browser to expose the cookie only in HTTP requests. An HttpOnly cookie is not accessible through non-HTTP means such as JavaScript's document.cookie, and therefore cannot be stolen as easily by cross-site scripting, a pervasive attack technique.


Recommendations:  

Set the HttpOnly flag on every cookie that client-side script does not need to read; all current browsers honor it. Then, even if a cross-site scripting flaw exists and a user follows a link that exploits it, the browser will not hand the cookie to the injected script. Prioritize the session cookies found here, TEST_SESSIONID and NB_SRVID on login.php; cookies such as login_error and the last_search values carry less value but should have the flag too unless script genuinely reads them. HttpOnly limits theft, not misuse: injected script can still issue requests that ride on the cookie, so it complements, rather than replaces, fixing the XSS. On HTTPS sites pair it with the Secure flag, which the NB_SRVID token listed under Session Strength below also lacks (SSL Only: No).
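The passive check behind this finding, as an added example that is not the report's own check: parse each Set-Cookie header and flag cookies that lack HttpOnly (and Secure when served over TLS). The header lines are constructed; only the cookie names NB_SRVID and TEST_SESSIONID come from the report, and the list of names treated as session cookies is an assumption.

```python
"""Audit Set-Cookie headers for missing HttpOnly and Secure flags.

Added example; not the scanner's own check.  SAMPLE_HEADERS are
constructed to resemble the login.php finding; SESSION_COOKIE_NAMES is an
assumption about which cookies carry a session binding.
"""
from typing import Dict, List

# Cookies that carry a session or auth binding: for these a missing
# HttpOnly turns any XSS into session theft.
SESSION_COOKIE_NAMES = {"NB_SRVID", "TEST_SESSIONID", "PHPSESSID"}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value into name, value and an attribute map.

    Attribute names are case-insensitive (RFC 6265); flag attributes
    without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit(set_cookie_headers: List[str], over_tls: bool) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for cookies lacking protections."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        is_session = c["name"] in SESSION_COOKIE_NAMES
        problems = []
        if "httponly" not in c["attrs"]:
            problems.append("missing HttpOnly" + (" (session cookie)" if is_session else ""))
        if over_tls and "secure" not in c["attrs"]:
            problems.append("missing Secure")
        if is_session and "samesite" not in c["attrs"]:
            problems.append("no SameSite attribute")
        if problems:
            findings[c["name"]] = problems
    return findings


# Constructed response headers resembling the login.php finding.
SAMPLE_HEADERS = [
    "TEST_SESSIONID=2f9d1c0e7b3a4d5e; Path=/",
    "NB_SRVID=srv1; Path=/",
    "login_error=1; Path=/",
    "hardened=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS, over_tls=True).items():
        print(f"{name}: {', '.join(problems)}")
```

Run the same audit against the response from the http:// and https:// targets separately: a cookie that is acceptable without Secure on the plain-HTTP origin is a finding on the TLS one.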


Information Disclosure

Site: http://webscantest.com:80
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/etc/hosts Root Cause #205: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/etc/hosts%7C Root Cause #206: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/etc/passwd Root Cause #207: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/etc/passwd%7C Root Cause #208: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/usr/bin/id Root Cause #209: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/%7C/bin/cat%20/usr/bin/id%7C Root Cause #210: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /etc/hosts Root Cause #211: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /etc/hosts| Root Cause #212: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /etc/passwd Root Cause #213: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /etc/passwd| Root Cause #214: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /usr/bin/id Root Cause #215: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/|/bin/cat /usr/bin/id| Root Cause #216: (1 Attack Variance)

Description:  

A filesystem path was found in the error information returned by the server. Paths give an attacker clues to the directory layout and setup of the web application. The URLs listed here are the scanner's command-injection probes against /rest/demo/ (a pipe followed by /bin/cat of a system file, in raw and URL-encoded form); what this finding records is the path leaked by the resulting error, not the content of the requested file. Whether the injected command itself ran is a separate question (see the Command Injection category in the summary).


Recommendations:  

Remove all references to local paths from responses: return a generic error page to the client and keep stack traces, file names and paths in server-side logs only. For a PHP application, set display_errors=Off and log_errors=On in the production php.ini.


Information Leakage

Site: http://webscantest.com:80
URL: http://webscantest.com/cors_private.php Root Cause #217: (1 Attack Variance)
URL: http://webscantest.com/cors_public.php Root Cause #218: (1 Attack Variance)
Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/cors_private.php Root Cause #219: (1 Attack Variance)
URL: http://www.webscantest.com/cors_public.php Root Cause #220: (1 Attack Variance)

Description:  

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.


Recommendations:  

Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of attack the system is vulnerable to: a database error message, for example, can reveal that the application is vulnerable to SQL injection. Other messages give more oblique clues; a leaked search path can imply the type of operating system, the applications installed on it, and how much care the administrators put into configuring the program.
Keep detailed errors in server-side logs and return only a generic message to the client. For the pages flagged here (cors_private.php and cors_public.php on both hostnames), confirm exactly what the response discloses before deciding on the fix.


Parameter Fuzzing

Site: http://webscantest.com:80
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #221: (Parameter: number / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #222: (Parameter: alpha_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #223: (Parameter: letters_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #224: (Parameter: number / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #225: (Parameter: alpha_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #226: (Parameter: letters_only / 4 Attack Variances)


Description:  

An invalid character submitted in a URL parameter causes an error in the database query or script execution. This indicates that the application has not fully validated user-supplied input. These errors can lead to HTML injection, SQL injection, or arbitrary code execution.


Recommendations:  

  • Normalize all user-supplied data before applying filters or regular expressions, or submitting the data to a database. All URL-encoded (%xx), HTML-encoded (&#xx;) or otherwise encoded forms should be reduced to the internal character representation the application expects, with a bound on the number of decoding passes so that double-encoded input cannot loop the decoder. This prevents attackers from using alternate encodings to bypass filters.
  • Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be matched to a limited subset of characters such as letters, digits, spaces or specific punctuation, as necessary. If any value received by the application contains an unexpected character, reject the request; do not attempt to "clean" the value and continue.
  • Negative filtering can also prevent attacks, but it is less reliable and harder to implement for languages that need non-ASCII characters. Examine all data received from the browser for SQL syntax characters and escape or remove them. The single quote (') and double quote (") are often used to enclose parameters in a SQL query; other dangerous characters include the asterisk, semicolon, dash (minus sign) and parentheses, which can be used to end a query statement prematurely. Escaping for the database is better left to parameterized queries than done by hand.
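The first two recommendations as an added example (normalize with a bounded number of decoding passes, then validate against an anchored positive pattern and reject on mismatch). This is not code from the report or from webscantest.com; the parameter names number, alpha_only and letters_only are the ones the report lists for checkdata.php, while the rule for each and the fuzz inputs are assumptions.

```python
"""Canonicalize, then allowlist: the order the recommendations prescribe.

Added example; not code from the scanner report or from webscantest.com.
The per-parameter rules and the probe values are assumptions.
"""
import html
import re
import unicodedata
from typing import Dict, Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # bounded: stops %2525... double-encoding loops


def canonicalize(raw: str) -> str:
    """Reduce URL-encoding, HTML entities and Unicode compatibility forms
    to one internal representation before any filter looks at it.

    Decoding repeats until a pass changes nothing or the bound is hit, so
    %253C (which decodes to %3C, then to <) is caught but an attacker
    cannot make the decoder spin.
    """
    s = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    # NFKC folds full-width and compatibility characters to their ASCII
    # equivalents, so a filter sees the same bytes the database will.
    return unicodedata.normalize("NFKC", s)


# Positive rules, anchored at both ends so nothing outside the class can
# ride in before or after the allowed characters.
RULES = {
    "number":       re.compile(r"[0-9]{1,10}"),
    "alpha_only":   re.compile(r"[A-Za-z0-9]{1,64}"),
    "letters_only": re.compile(r"[A-Za-z]{1,64}"),
}


def validate(name: str, raw: str) -> Optional[str]:
    """Return the canonical value if it matches the parameter's rule,
    else None: the caller rejects the request rather than cleaning it."""
    rule = RULES.get(name)
    if rule is None:
        return None             # unknown parameter: reject, never pass through
    value = canonicalize(raw)
    return value if rule.fullmatch(value) else None


def validate_all(params: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {k: validate(k, v) for k, v in params.items()}


if __name__ == "__main__":
    probes = {                                  # constructed fuzz inputs
        "number": "42",
        "alpha_only": "%2527%20OR%201%3D1",     # double-encoded ' OR 1=1
        "letters_only": "&#x3c;script&#x3e;",   # entity-encoded <script>
    }
    for name, verdict in validate_all(probes).items():
        print(f"{name}: {'accept ' + verdict if verdict else 'reject'}")
```

Note that fullmatch() is used rather than search() or match(): with match() a pattern like [0-9]+ would accept "1 OR 1=1" because the prefix matches.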


Persistent Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/dom.php Root Cause #227: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #228: (1 Attack Variance)

Description:  

Persistent XSS attacks are those where the injected script is permanently stored in database, message forum, visitor log, or other trusted data store. The victim then retrieves the malicious script from the server when it requests the stored information. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.


Recommendations:  

  • Encode all data sent to the client for the context it will land in, with particular emphasis on the HTML-significant characters & < > " and '.
  • Understand the context in which your data will be used (element body, attribute value, script block, URL) and the encoding that context expects; one encoder does not fit all of them.
  • Duplicate on the server every security check performed on the client side; client-side checks are trivially bypassed. Stored payloads are also replayed to every viewer, including administrators, so validate at write time and encode at read time.


Predictable Resource Location

Site: http://webscantest.com:80
URL: http://webscantest.com/robots.txt Root Cause #229
Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/robots.txt Root Cause #230

Description:  

A robots.txt file is present in the web root. It lists the directories that crawling engines are asked to ignore; nothing forces a crawler, or an attacker, to honor it, and it is therefore a convenient index of the paths the operator wanted kept quiet. Depending on its content it may reveal administrator interfaces or alternate URLs that were supposed to be hidden from users.


Recommendations:  

  1. Ensure that the robots.txt file does not divulge directories that are intended to be hidden from users.
  2. The security of sensitive directories should not rely on hiding their presence. Restrict access to sensitive directories (e.g. admin) by password and IP address or network location.
  3. Amend your deployment policy to include the removal of sensitive directories from robots.txt files.


Reflected Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/servertime.php Root Cause #231: (Parameter: msg / 5 Attack Variances)
URL: http://webscantest.com/business/account.php Root Cause #232: (Parameter: accountId / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/ Root Cause #233: (Parameter: Referer / 4 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #234: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #235: (Parameter: returnto / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #236: (Parameter: nick / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #237: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/blockedbyns.php Root Cause #238: (Parameter: Comment / 2 Attack Variances)
URL: http://webscantest.com/crosstraining/index.php Root Cause #239: (Parameter: Referer / 4 Attack Variances)
URL: http://webscantest.com/crosstraining/request.php Root Cause #240: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/reservation_submit.php Root Cause #241: (Parameter: arrive_date / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #242: (Parameter: description / 2 Attack Variances)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #243: (Parameter: property / 5 Attack Variances)
URL: http://webscantest.com/csrf/session.php Root Cause #244: (Parameter: jsession / 5 Attack Variances)
URL: http://webscantest.com/csrf/token.php Root Cause #245: (Parameter: token / 5 Attack Variances)
URL: http://webscantest.com/csrf/token.php Root Cause #246: (Parameter: property / 5 Attack Variances)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #247: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/login.php Root Cause #248: (Parameter: login_error / 5 Attack Variances)
URL: http://webscantest.com/myfiles/ Root Cause #249: (Parameter: Unnamed / 3 Attack Variances)


Description:  

Reflected Cross-site Scripting (XSS) is another name for non-persistent XSS: the attack is not stored in the vulnerable web application but is triggered by the victim loading a crafted URI (or, for the Referer findings above, arriving from a page whose address contains the payload).


Recommendations:  

Reflected XSS attacks are also known as type 1 or non-persistent XSS attacks, and are the most frequently found kind of XSS.

When a web application is vulnerable to this type of attack, it echoes unvalidated request input back to the client. The attack usually has three steps: a design step, in which the attacker creates and tests an offending URI; a social engineering step, in which the attacker convinces victims to load that URI in their browsers; and the eventual execution of the offending code with the victim's credentials.

The attacker's code is commonly written in JavaScript, but other scripting languages have been used, for example ActionScript and VBScript.

Attackers typically leverage these vulnerabilities to install key loggers, steal victims' cookies, perform clipboard theft, and change the content of the page (for example download links).

Character encoding matters when exploiting and when defending against XSS. The web server or the application may filter some encodings of a character but not others: an application might filter out "<script>" but not "%3Cscript%3E", which is simply another encoding of the same tags. Decode input to its canonical form before filtering, and prefer output encoding over input filtering. A tool for testing character encodings is OWASP's CAL9000.


Description:  

The application does not filter text or other data for potentially malicious HTML content. This enables an attacker to craft arbitrary HTML content. This vulnerability typically requires that an attacker be able to submit JavaScript <script> tags as part of a field that is re-displayed to one or more users. The <script> tag contains instructions that are executed in a user's web browser, not on the web application server. JavaScript functions can be used to write raw HTML, read cookie values, pull JavaScript code from a third-party web server, or send data to a third-party web server.

Consequently, a user could cause arbitrary HTML such as JavaScript tags to be displayed to other users. Usually, an attacker will attempt to manipulate an XSS vulnerability in order to present malicious HTML as if it came from a legitimate source. This attack is often combined with a social engineering attack that attempts to trick users into divulging their passwords, financial, or personal information.

Recommendations:  

Cross-Site Scripting and HTML injection attacks are defeated by validating all data received from the browser and, above all, by encoding data for the context in which it is written into the response. Strong countermeasures include:

  • Do not permit users to include HTML content in posts, notes, or other data that will be displayed by the application.
  • If users are permitted to include HTML, limit it to specific elements and attributes.
    • Formatting elements such as <b>, <i>, and <u> should be checked to ensure they contain only the expected tag name (b, i, or u).
    • Elements such as <a ...> and <img ...> should permit only the href or src attribute, and the attribute's content should be checked so that dynamic code (JavaScript, VBScript, etc.) and non-http(s) schemes such as javascript: cannot be inserted.
    • Use validation filters that match allowed, expected items and reject everything unmatched. Do not rely on filters that reject known malicious strings, because they can often be bypassed by alternate character encodings. The validation filter should deny all HTML by default.
  • Use output encoding to convert angle brackets, quotes and ampersands to their HTML-encoded equivalents at the point where data is written into the page.
  • Use the programming language's built-in routines rather than hand-written replacements.
    • PHP's htmlentities() function prevents HTML-significant characters from being passed through variables into the page. Pass ENT_QUOTES so that single quotes are encoded too (needed inside single-quoted attributes) and state the charset explicitly, so the function cannot be confused by a mismatched encoding. The following example shows how to protect a parameter (screen) from HTML injection in element content or a quoted attribute; it does not make a value safe inside a <script> block or a URL, which need their own encoders:
      $screen_safe = htmlentities($_REQUEST["screen"], ENT_QUOTES, "UTF-8");
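Context-aware output encoding for both the reflected and the persistent XSS findings, as an added example; it is not code from the report or from webscantest.com. It is a Python counterpart to the htmlentities() call above, extended to the attribute, URL and JavaScript contexts that htmlentities() alone does not cover. The template, and the use of the report's fname and returnto parameter names in it, are assumptions.

```python
"""Context-aware output encoding for reflected and persistent XSS.

Added example; not code from the scanner report or from webscantest.com.
The template and its field names (fname, returnto) are assumptions.
"""
import html
import json
from urllib.parse import quote, urlsplit


def for_html(s: str) -> str:
    """Element content: encode & < > " and '."""
    return html.escape(s, quote=True)


def for_attr(s: str) -> str:
    """Quoted attribute value: same encoding, and the caller must always
    quote the attribute, otherwise a space ends the value early."""
    return html.escape(s, quote=True)


def for_js(s: str) -> str:
    """Inside a <script> string literal: a JSON string literal with < and >
    also escaped, so a payload containing '</script>' cannot close the
    block and start an HTML context."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def for_url_param(s: str) -> str:
    """A value placed inside a query string."""
    return quote(s, safe="")


def safe_href(url: str) -> str:
    """An href taken from input: allow only http(s) targets so javascript:
    and data: URLs are dropped, then attribute-encode the survivor."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return for_attr(url)


def render_profile(fname: str, returnto: str) -> str:
    """Constructed page template using each encoder in its own context."""
    return (
        f"<p>Hello, {for_html(fname)}</p>\n"
        f'<input name="fname" value="{for_attr(fname)}">\n'
        f'<a href="{safe_href(returnto)}">back</a>\n'
        f'<a href="/search?fname={for_url_param(fname)}">search</a>\n'
        f"<script>var fname = {for_js(fname)};</script>"
    )


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    print(render_profile(payload, "javascript:alert(1)"))
```

The point of the five small functions is that the same string needs a different encoding in each of the five places it appears; an application that applies only htmlentities() everywhere is still injectable in the script block and in the href.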

Server Type Disclosure

Site: http://webscantest.com:80
URL: http://webscantest.com/ Root Cause #250
Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/ Root Cause #251

Description:  

Default configurations of web servers often provide too much information about their platform and version in HTTP headers and on error pages. This data is not itself dangerous, but it can help an attacker focus on vulnerabilities associated with your specific web server platform/version.


Recommendations:  

Configure your web server so that it does not announce its own details. For example, in Apache you would want these two directives in your configuration file:

  • ServerSignature Off
  • ServerTokens Prod

ServerSignature Off removes the version footer from server-generated error pages; ServerTokens Prod reduces the Server header to "Apache" with no version or module list. If PHP is in use, also set expose_php = Off in php.ini so the X-Powered-By header is not sent.

Session Fixation

Site: http://webscantest.com:80
URL: http://webscantest.com/login.php Root Cause #252: (1 Attack Variance)

Description:  

Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a common violation of best practice: on successful authentication the server keeps the session ID it already had and simply promotes it to an authenticated state, instead of issuing a new one. Servers that accept session IDs from the URL or from POST data are particularly exposed, because that gives the attacker a way to plant the ID. The attack follows this pattern:

  • The attacker ascertains the session ID name and a valid value: either the server accepts any value, or the attacker visits the site and reads the ID out of the response.
  • The attacker entices the victim to visit the site with that ID in the URL, to the effect of "https://www.thesite.com/?SID=ascertained_value".
  • The victim logs in, and that SID is promoted to an authenticated session.
  • The attacker, who already knows the SID, now has authenticated access.

Recommendations:  

This attack can be largely avoided by changing the session ID when users log in (and on any other change of privilege). Also, do NOT accept session IDs from GET or POST parameters; carry the session in an HTTP cookie at the very least. These two rules of thumb establish a sufficient level of security for most applications. Those willing to take on further development and maintenance effort for higher assurance can regenerate the SID on a per-request basis and, on systems that support it, bind the session to the SSL/TLS session identifier.
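The two rules above (regenerate the ID at login, read it only from the cookie) as an added example, replayed against the four-step pattern from the description; this is not code from the report or from webscantest.com. The cookie name TEST_SESSIONID is taken from the report's HttpOnly finding; the in-memory store and the dict-shaped request are assumptions.

```python
"""Session handling that defeats fixation: a session ID is never promoted
from anonymous to authenticated.  Login mints a fresh ID and retires the
old one, and IDs are read from the cookie only, never from the URL or body.

Added example; not code from the scanner report or from webscantest.com.
The store and the request shape are assumptions.
"""
import secrets
from typing import Dict, Optional

COOKIE = "TEST_SESSIONID"   # cookie name from the report; value handling assumed


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)      # 256-bit ID from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        # Unknown IDs are never adopted: the server does not "accept anything".
        return self._sessions.get(sid) if sid else None

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Regenerate: carry non-auth state (a cart, say) into a new session
        and drop the old ID, so whoever fixed it holds a dead handle."""
        old = self._sessions.pop(old_sid, {}) if old_sid else {}
        new_sid = self.new()
        self._sessions[new_sid].update({k: v for k, v in old.items() if k != "user"})
        self._sessions[new_sid]["user"] = user
        return new_sid


def sid_from_request(request: dict) -> Optional[str]:
    """Only the cookie counts.  A ?SID=... in the URL or a form field is
    ignored, which removes the delivery channel the basic attack relies on."""
    return request.get("cookies", {}).get(COOKIE)


def simulate_fixation(store: SessionStore, via_cookie: bool = False) -> dict:
    """Replay the attack pattern and report what the attacker ends up with.

    via_cookie=False: the attacker can only offer the ID in a URL.
    via_cookie=True:  the attacker managed to plant the cookie itself (for
                      example through a flaw on a sibling subdomain); only
                      regeneration at login saves the victim here.
    """
    fixed = store.new()                                   # step 1
    if via_cookie:
        victim_req = {"cookies": {COOKIE: fixed}}
    else:
        victim_req = {"query": {"SID": fixed}, "cookies": {}}   # step 2
    victim_sid = sid_from_request(victim_req) or store.new()
    victim_sid = store.login(victim_sid, "testuser")      # step 3: new ID
    attacker_view = store.get(fixed)                      # step 4
    return {
        "attacker_authenticated": bool(attacker_view and attacker_view["user"]),
        "victim_authenticated": store.get(victim_sid)["user"] == "testuser",
        "fixed_id_reused": fixed == victim_sid,
    }


if __name__ == "__main__":
    print(simulate_fixation(SessionStore()))
    print(simulate_fixation(SessionStore(), via_cookie=True))
```

To turn the second scenario into a check against a live login page: note the session cookie before authenticating, authenticate, and confirm the server sets a different value; a login response that leaves the pre-login cookie untouched is the finding.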


Session Strength

Site: http://webscantest.com:80
Root Cause #253: Session Token Details (Computed Session Randomness / Optimal Session Randomness)
Name: NB_SRVID
Domain: webscantest.com
Path: /
SSL Only: No
HTTP Only: No
Tokens Collected: 512


Description:  

Session tokens that exhibit low entropy ("randomness") are often susceptible to prediction attacks. Insecure tokens can result from an inadequate pseudo-random number generator, time-based values, static values, or values derived from user attributes (username or user ID). This means that an attacker would be able to guess a valid session token after monitoring the application for a short period of time and gathering the session tokens it creates. If the attacker determines a valid session token for another user, then it may be possible to view, modify, or delete arbitrary users' data without ha