Vulnerabilities Report (Page 2 of 3)

 Scan Name: webscantest
 Date: 10/24/2017 7:44:45 AM
 Authenticated User: admin
 Total Links / Attackable Links: 475 / 475
 Target URL: https://webscantest.com
http://webscantest.com

Summary


Charts: Vulnerabilities by Risk (Root Causes: 278), Vulnerabilities by Who Will Fix, Most Vulnerable Sites

Vulnerability Type  Root Causes  Variances

Blind SQL Injection  14   50 
Browser Cache directive (leaking sensitive information)  23   33 
Brute Force Form based Authentication  1   1 
Buffer Overflow  6   14 
Business Logic Abuse  6   10 
Command Injection  1   4 
Content Security Policy Headers  2   2 
Content Type Charset Check  100   139 
Credentials Over Un Encrypted Channel  2   2 
Cross-Site Request Forgery (CSRF)  24   38 
Directory Indexing  3   3 
DOM based Cross-site scripting (XSS)  2   2 
Forced Browsing  1   1 
HTTP Response Splitting  1   1 
HTTP User-Agent Check  3   3 
HTTP Verb Tampering  1   2 
HttpOnly attribute  7   7 
Information Disclosure  1   2 
Information Leakage  4   4 
Parameter Fuzzing  6   24 
Persistent Cross-site scripting (XSS)  3   7 
Predictable Resource Location  22   22 
Privilege Escalation  1   2 
Reflected Cross-site scripting (XSS)  20   91 
Server Type Disclosure  2   2 
Session Fixation  1   1 
Session Strength  1   2 
Session Upgrade  5   5 
SQL Information Leakage  2   3 
SQL Injection  8   32 
SQL injection Auth Bypass  1   3 
SQL Parameter Check  1   1 
XPath Injection  3   11 
Total:  278   524 

Details


Cross-Site Request Forgery (CSRF)

Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/servertime.php Root Cause #156: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #157: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #158: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/request.php Root Cause #159: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/review.php Root Cause #160: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/search.php Root Cause #161: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #162: (2 Attack Variances)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #163: (1 Attack Variance)
URL: http://webscantest.com/csrf/token.php Root Cause #164: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_by_id.php Root Cause #165: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #166: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #167: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_single_by_name.php Root Cause #168: (2 Attack Variances)
URL: http://webscantest.com/infodb/comment.php Root Cause #169: (1 Attack Variance)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #170: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois.php Root Cause #171: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois_nv.php Root Cause #172: (1 Attack Variance)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #173: (2 Attack Variances)
URL: http://webscantest.com/rest/demo/index.php/products Root Cause #174: (2 Attack Variances)
URL: http://webscantest.com/rfplaces/script.php Root Cause #175: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #176: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_id.php Root Cause #177: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_name.php Root Cause #178: (2 Attack Variances)
URL: http://webscantest.com/soap/demo/api/ Root Cause #179: (2 Attack Variances)

Description:  

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request.
In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.
Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.
Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.


Recommendations:  

Web sites have various CSRF countermeasures available:

  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
  • Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.)
  • Limiting the lifetime of session cookies
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies

An easy and effective solution is to use a CSRF filter such as OWASP's CSRFGuard. The filter intercepts responses, detects whether the response is an HTML document, inserts a token into the forms and optionally inserts script to add tokens to AJAX requests. The filter also intercepts requests to check that the token is present.


Directory Indexing

Site: http://webscantest.com:80
URL: http://webscantest.com/css/ Root Cause #180
URL: http://webscantest.com/images/ Root Cause #181
URL: http://webscantest.com/myfiles/ Root Cause #182

Description:  

A full list of a directory's content can be viewed. This reveals each file and subdirectory, regardless of whether or not it is related to the web application. A directory listing may also reveal backup files, include files, or configuration files that are not normally viewable by users. When these types of files can be found, they often disclose sensitive information about the application.


Recommendations:  

Refer to your web server's documentation for instructions on prohibiting directory listings.


DOM based Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/ Root Cause #183: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/sample.php Root Cause #184: (1 Attack Variance)

Description:  

DOM-based Cross-Site Scripting is the de-facto name for XSS bugs which are the result of active content on a page, typically JavaScript, obtaining user input and then doing something unsafe with it to lead to execution of injected code. This document will only discuss JavaScript bugs which lead to XSS.

The DOM, or Document Object Model, is the structural format that may be used to represent documents in the browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie. The DOM is also used by the browser for security, for example to prevent scripts on one domain from obtaining session cookies for other domains. A DOM-based cross site scripting vulnerability may occur when active content, such as a JavaScript function, is modified by a specially crafted request such that a DOM element comes under the attacker's control.

There have been very few papers published on this topic and, as such, very little standardization of its meaning and formalized testing exists.


Recommendations:  

Not all XSS bugs require the attacker to control the content returned from the server, but can instead abuse poor JavaScript coding practices to achieve the same results. The consequences are the same as a typical XSS flaw, only the means of delivery is different.

In comparison to other cross site scripting vulnerabilities (reflected and stored XSS), where an unsanitized parameter is passed by the server, returned to the user and executed in the context of the user's browser, a DOM based cross site scripting vulnerability controls the flow of the code by using elements of the Document Object Model (DOM) along with code crafted by the attacker to change the flow.

Due to their nature, DOM based XSS vulnerabilities can be executed in many instances without the server being able to determine what is actually being executed. This may render many of the general XSS filtering and detection rules ineffective against such attacks.
The consequences of DOM based cross site scripting flaws are as wide ranging as those seen in more well known forms of XSS, including cookie retrieval, further malicious script injection, etc., and they should therefore be treated with the same severity.


Forced Browsing

Site: http://webscantest.com:80
URL: http://webscantest.com/rest/demo/index.php/products Root Cause #185: (Parameter: Directory[1] / 1 Attack Variance)

Description:  

Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.


Recommendations:  

Ensure Role Based Authentication and Authorization: In a web application, always distinguish users and their roles. If a page is intended only for administrators, check that the user is an administrator, or otherwise has permission to access the page, before granting access. This protects against URL based forced browsing attacks.


HTTP Response Splitting

Site: http://webscantest.com:80
URL: http://webscantest.com/hrs/redir.php Root Cause #186: (Parameter: q / 1 Attack Variance)

Description:  

HTTP Response Splitting is an application attack technique which can be used to execute various other attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and classic Cross-Site Scripting (XSS).
These attack techniques are relevant to most web environments and are the result of the application's failure to reject illegal user input, in this case input containing malicious or unexpected characters.


Recommendations:  

Apply robust input filtering for all user-supplied data.

  1. Prevent users from supplying any special characters, such as line breaks.
  2. Use output filters to strip malicious escape strings or other HTTP header keywords.

HTTP User-Agent Check

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/product.php Root Cause #187: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/reservation_receipt.php Root Cause #188: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #189: (1 Attack Variance)

Description:  

The most common reason to perform user agent sniffing is to determine which type of device the browser runs on.


Recommendations:  

The most common reason to perform user agent sniffing is to determine which type of device the browser runs on.


HTTP Verb Tampering

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/review.php Root Cause #190: (2 Attack Variances)

Description:  

A page which is expecting only POST requests is requested by the HTTP method GET.

This attack module sends a GET request to a page which has only been used for POSTs.
HTTP Verb tampering is generally used in conjunction with syntactic and semantic attacks as a way to bypass certain defense measures.
When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.
By requesting the link with a modified HTTP verb, the page renders the parameter values.


Recommendations:  

Some resources may allow both GET and POST methods e.g. an edit form may be hyperlinked using a parameter value defining the record to be edited, but the form is submitted by POST to itself. Users may bookmark a page that is the result of a POST and return to it at a later date.

To protect yourself from syntactic HTTP verb manipulation attacks, make sure you only include user-supplied data from where it’s expected to be received (Query string or POST data), or sanity check them both the same if necessary. Also only include the parameter names in the session object you expect to receive. Don’t allow attackers to add arbitrary name/value pairs.


HttpOnly attribute

Site: http://webscantest.com:80
URL: http://webscantest.com/ Root Cause #191: (Parameter: NB_SRVID / 1 Attack Variance)
URL: http://webscantest.com/ Root Cause #192: (Parameter: TEST_SESSIONID / 1 Attack Variance)
URL: http://webscantest.com/crosstraining/request.php Root Cause #193: (Parameter: firstname / 1 Attack Variance)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #194: (Parameter: last_search / 1 Attack Variance)
URL: http://webscantest.com/login.php Root Cause #195: (Parameter: login_error / 1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id4.php Root Cause #196: (Parameter: last_search4 / 1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_get_by_id5.php Root Cause #197: (Parameter: last_search5 / 1 Attack Variance)

Description:  

The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).


Recommendations:  

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.


Information Disclosure

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #198: (2 Attack Variances)

Description:  

A path was found in the error information returned by the server. This can give an attacker clues as to the directory topology and setup of your web application.


Recommendations:  

Remove all references to local paths from the web application.


Information Leakage

Site: http://webscantest.com:80
URL: http://webscantest.com/cors_private.php Root Cause #199: (1 Attack Variance)
URL: http://webscantest.com/cors_public.php Root Cause #200: (1 Attack Variance)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/cors_private.php Root Cause #201: (1 Attack Variance)
URL: http://www.webscantest.com/cors_public.php Root Cause #202: (1 Attack Variance)

Description:  

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.


Recommendations:  

Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to.
For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.


Parameter Fuzzing

Site: http://webscantest.com:80
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #203: (Parameter: number / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #204: (Parameter: letters_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #205: (Parameter: alpha_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #206: (Parameter: number / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #207: (Parameter: letters_only / 4 Attack Variances)
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #208: (Parameter: alpha_only / 4 Attack Variances)


Description:  

An invalid character submitted in a URL parameter causes an error in the database query or script execution. This indicates that the application has not fully validated user-supplied input. These errors can lead to HTML injection, SQL injection, or arbitrary code execution.


Recommendations:  

  • Normalize all user-supplied data before applying filters, regular expressions, or submitting the data to a database. This means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters.
  • Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be carefully matched to a limited subset of characters such as alpha, numeric, spaces, or certain punctuation characters as necessary. If any value received by the application contains an unexpected character, then it should be rejected.
  • Negative filtering can also prevent attacks, but may be more unreliable or more difficult to implement for language sets that require non-ASCII characters. Examine all data received from the web browser for SQL syntax characters. If any of these characters are present, then they should be escaped or removed. The single quote (') or double quote (") are often used to envelope parameters in a SQL query. Other malicious characters include the asterisk, semi-colon, dash (minus sign), and parentheses. These characters could be used to prematurely end a query statement.


Persistent Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/dom.php Root Cause #209: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/request.php Root Cause #210: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/reservation_history.php Root Cause #211: (1 Attack Variance)


Description:  

Persistent XSS attacks are those where the injected script is permanently stored in database, message forum, visitor log, or other trusted data store. The victim then retrieves the malicious script from the server when it requests the stored information. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.


Recommendations:  

  • Filter all information sent to the client with a particular emphasis on filtering out HTML-specific characters.
  • Understand the context in which your data will be used and the encoding that will be expected.
  • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.


Description:  

Persistent Cross-site Scripting (XSS) is an attack whose payload is loaded together with the vulnerable web application. The attack is triggered by the victim loading the offending URI.


Recommendations:  

  • Filter all information sent to the server via form POST/GET and URL query parameters with a particular emphasis on filtering out HTML-specific characters.
  • Escape the escape characters, which attackers can use to neutralize your attempts to be safe. Use a security-focused encoding library to make sure these rules are properly implemented.
  • Never insert untrusted data into your HTML document.
  • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.


Predictable Resource Location

Site: http://webscantest.com:80
URL: http://webscantest.com/rfplaces/conn.inc Root Cause #212
URL: http://webscantest.com/rfplaces/consts.inc Root Cause #213
URL: http://webscantest.com/rfplaces/database.inc Root Cause #214
URL: http://webscantest.com/rfplaces/debug.inc Root Cause #215
URL: http://webscantest.com/rfplaces/functions.inc Root Cause #216
URL: http://webscantest.com/rfplaces/global.inc Root Cause #217
URL: http://webscantest.com/rfplaces/global.js Root Cause #218
URL: http://webscantest.com/rfplaces/globals.inc Root Cause #219
URL: http://webscantest.com/rfplaces/globals.jsa Root Cause #220
URL: http://webscantest.com/rfplaces/include/ Root Cause #221
URL: http://webscantest.com/rfplaces/include/consts.inc Root Cause #222
URL: http://webscantest.com/rfplaces/include/database.inc Root Cause #223
URL: http://webscantest.com/rfplaces/include/debug.inc Root Cause #224
URL: http://webscantest.com/rfplaces/include/functions.inc Root Cause #225
URL: http://webscantest.com/rfplaces/include/global.inc Root Cause #226
URL: http://webscantest.com/rfplaces/include/vars.inc Root Cause #227
URL: http://webscantest.com/rfplaces/local.js Root Cause #228
URL: http://webscantest.com/rfplaces/somedir2.tar.gz Root Cause #229
URL: http://webscantest.com/rfplaces/somedir2.zip Root Cause #230
URL: http://webscantest.com/rfplaces/vars.inc Root Cause #231
URL: http://webscantest.com/robots.txt Root Cause #232

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/robots.txt Root Cause #233

Description:  

An "include" file was found within the web document root and its content could be read. Application include files are used to centralize common functions or code that is to be shared among several scripts. They often contain sensitive information such as database connection credentials, database query constructions, and other application logic.


Another significant problem with include files is that their file extension (commonly .inc) is parsed as plain-text by the server, which reveals raw source code. This is different from script files with extensions such as .asp, .cgi, or .php. The content of a script file is interpreted by the server, which sends the result of the script's source code to a user's web browser. If the server does not recognize the file's extension as special, then the file's source code is not interpreted and the raw content is sent to the user's web browser.

Recommendations:  

  1. Make sure that all include files have a file extension that is known to and interpreted by the application engine. For example, all of the include files for an ASP application should have the .asp file extension, whereas include files for a PHP-based application should have a .php extension. The file's functionality will not be affected, but users will be unable to view source code between the application script tags (such as <% or <?).
  2. Amend your deployment policy to include the addition of appropriate file extensions to all include files.


Description:  

An "include" directory was found within the web document root. These directories often contain files with common functions or code that is to be shared among several scripts. Files within these directories often contain sensitive information such as database connection credentials, database query constructions, and other application logic.

Another significant problem with include files is that their file extension (commonly .inc) is parsed as plain-text by the server, which reveals raw source code. This is different from script files with extensions such as .asp, .cgi, or .php. The content of a script file is interpreted by the server, which sends the result of the script's source code to a user's web browser. If the server does not recognize the file's extension as special, then the file's source code is not interpreted and the raw content is sent to the user's web browser.


Recommendations:  

These types of application include files are intended to be loaded by other executable scripts within the application, such as ASP, JSP, or PHP files. Users are intended to access and browse the main application script files, but should never have to directly access one of the application's include files.

  1. Move these files to a location outside of the web document root. Make sure that the web server still has read privileges to the directory so that its scripts can load and parse the include files.

Note: If the files in this directory contain HTML or generate HTML and are intended to be viewed within a web browser, then this finding can be ignored.


Description:  

A backup file was discovered. Binary archives or application files with an alternate file extension may expose source code and application logic to an attacker. If a script's file extension does not match an application extension (such as .asp, .jsp, or .php), then the server usually considers the file equivalent to plain text. When this happens, the server presents the user with the raw source code of the file instead of executing the script and providing interpreted output.
Depending on the content of the script file, the exposure of data varies between simple function calls to database connection credentials to administration passwords.


File archives such as .tgz, .tar.gz, or .zip files should never be stored within the web application's document root. If these files contain an archive of the application's source code, then it will be trivial for an attacker to download and examine the code.

Recommendations:  

  • Remove all backup files, binary archives, alternate versions of files, and test files from the web document root of production servers.
  • Amend your deployment policy to include the removal of these file types by an administrator.


Description:  

A robots.txt file is present in the directory. The robots.txt file provides a list of directories that crawling engines are requested to ignore. There is no way to force the crawling engine to honor the robots.txt file. Depending on the content of the file, it may reveal administrator interfaces or alternate URLs that are supposed to be hidden from users.


Recommendations:  

  1. Ensure that the robots.txt file does not divulge directories that are intended to be hidden from users.
  2. The security of sensitive directories should not rely on hiding their presence. Restrict access to sensitive directories (e.g. admin) by password and IP address or network location.
  3. Amend your deployment policy to include the removal of sensitive directories from robots.txt files.


Privilege Escalation

Site: http://webscantest.com:80
URL: http://webscantest.com/payment_analysis/checkdata_get.php Root Cause #234: (2 Attack Variances)

Description:  

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.


Recommendations:  

Reflected Cross-site scripting (XSS)

Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/servertime.php Root Cause #235: (Parameter: msg / 5 Attack Variances)
URL: http://webscantest.com/business/account.php Root Cause #236: (Parameter: accountId / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #237: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #238: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #239: (Parameter: nick / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #240: (Parameter: returnto / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/blockedbyns.php Root Cause #241: (Parameter: Comment / 2 Attack Variances)
URL: http://webscantest.com/crosstraining/checkitem_lookup.php Root Cause #242: (Parameter: q / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/request.php Root Cause #243: (Parameter: fname / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/reservation_submit.php Root Cause #244: (Parameter: arrive_date / 5 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #245: (Parameter: description / 1 Attack Variance)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #246: (Parameter: property / 5 Attack Variances)
URL: http://webscantest.com/csrf/session.php Root Cause #247: (Parameter: jsession / 5 Attack Variances)
URL: http://webscantest.com/csrf/token.php Root Cause #248: (Parameter: token / 5 Attack Variances)
URL: http://webscantest.com/csrf/token.php Root Cause #249: (Parameter: property / 5 Attack Variances)
URL: http://webscantest.com/hrs/redir.php Root Cause #250: (Parameter: q / 5 Attack Variances)