Vulnerabilities Report (Page 3 of 3)

 Scan Name: Webscantest-includeAPIs-reactjs
 Date: 8/24/2016 11:24:23 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 416 / 416
 Target URL: http://webscantest.com

Summary

[Charts: Vulnerabilities by Risk; Vulnerabilities by Who Will Fix; Most Vulnerable Sites]

Root Causes: 250

Vulnerability Type                                        Root Causes  Variances
Blind SQL Injection                                                15         48
Browser Cache directive (leaking sensitive information)            20         31
Brute Force Form based Authentication                               1          1
Buffer Overflow                                                     6         10
Business Logic Abuse                                                5          5
Command Injection                                                   1          4
Content Type Charset Check                                        100        153
Cross-Site Request Forgery (CSRF)                                  25         50
Custom Passive Check                                               10         10
Directory Indexing                                                  3          3
DOM based Cross-site scripting (XSS)                                1          1
HTTP Verb Tampering                                                 1          2
HttpOnly attribute                                                  5          7
Information Leakage                                                 4          4
Parameter Fuzzing                                                   6         16
Persistent Cross-site scripting (XSS)                               2          6
Predictable Resource Location                                       2          2
Reflected Cross-site scripting (XSS)                               20        141
Server Type Disclosure                                              2          2
Session Fixation                                                    1          1
Session Strength                                                    1          1
SQL Information Leakage                                             5          7
SQL Injection                                                       9         36
SQL injection Auth Bypass                                           1          3
SQL Parameter Check                                                 1          1
XPath Injection                                                     3         11
Total:                                                            250        556

Details

SQL Injection

Attention! In addition to the usual variety of SQL Injection vulnerabilities presented here, your login mechanisms are susceptible to an attacker using SQL Injection techniques to achieve authenticated access to this website without needing a username/password. Details are given in the Authtest section of this report.

Site: http://webscantest.com:80
URL: http://webscantest.com/datastore/getimage_by_name.php Root Cause #238 (Parameter: name / 4 Attack Variances)
URL: http://webscantest.com/datastore/search_by_id.php Root Cause #239 (Parameter: id / 4 Attack Variances)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #240 (Parameter: name / 4 Attack Variances)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #241 (Parameter: name / 4 Attack Variances)
URL: http://webscantest.com/datastore/search_get_by_id.php Root Cause #242 (Parameter: id / 4 Attack Variances)
URL: http://webscantest.com/datastore/search_get_by_name.php Root Cause #243 (Parameter: name / 4 Attack Variances)
URL: http://webscantest.com/rest/demo/index.php/products/30 Root Cause #244 (Parameter: Directory[3] / 4 Attack Variances)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/soap/demo/api/index.php Root Cause #245 (Parameter: id / 4 Attack Variances)

Description:   A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

SQL injection errors occur when:

  1. Data enters a program from an untrusted source.
  2. That data is used to dynamically construct a SQL query.

SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.

Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

Recommendations:  

SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input.

Primary Defenses:

  • Use of Prepared Statements (Parameterized Queries)

    Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.

  • Use of Stored Procedures

    Stored procedures have the same effect as the use of prepared statements when implemented safely, which is the norm for most stored procedure languages. They require the developer to just build SQL statements with parameters which are automatically parameterized unless the developer does something largely out of the norm. The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application. Both of these techniques have the same effectiveness in preventing SQL injection, so your organization should choose which approach makes the most sense for you.

  • Escaping all User Supplied Input

    This technique is to escape user input before putting it in a query. However, this methodology is frail compared to using parameterized queries and we cannot guarantee it will prevent all SQL Injection in all situations. This technique should only be used, with caution, to retrofit legacy code in a cost effective way. Applications built from scratch, or applications requiring low risk tolerance should be built or re-written using parameterized queries.

    Each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities. Full details on ESAPI are available at OWASP.

Additional Defenses:
  • Least Privilege

    To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts. We understand that this is easy, and everything just ‘works’ when you do it this way, but it is very dangerous. Start from the ground up to determine what access rights your application accounts require, rather than trying to figure out what access rights you need to take away. Make sure that accounts that only need read access are only granted read access to the tables they need access to. If an account only needs access to portions of a table, consider creating a view that limits access to that portion of the data and assigning the account access to the view instead, rather than the underlying table. Rarely, if ever, grant create or delete access to database accounts.

  • White List Input Validation

    Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the OWASP Input Validation Cheat Sheet. Proceed with caution here. Validated data is not necessarily safe to insert into SQL queries via string building.


SQL Injection Auth Bypass

Site: http://webscantest.com:80
URL: http://webscantest.com/login.php Root Cause #246 (Parameter: passwd / 3 Attack Variances)

Description:  

It was discovered that SQL Injection techniques can be used to fool the application into authenticating without the attacker needing valid credentials.
SQL Injection vulnerabilities on login pages expose an application to unauthorized access and quite probably at the administrator level, thereby severely compromising the security of the application.


Recommendations:  

The recommendations for this finding are identical to those given under SQL Injection above: use prepared statements (parameterized queries) or safely implemented stored procedures, treat escaping of user input as a last resort for legacy code only, run application database accounts with least privilege, and apply white-list input validation.


SQL Parameter Check

Site: http://webscantest.com:80
URL: http://webscantest.com/datastore/search_by_statement.php Root Cause #247 (1 Attack Variance)

Description:  

SQL syntax was discovered in a parameter. This indicates that a database injection attack could be accomplished. These types of attacks manipulate database queries in order to access, modify, or delete arbitrary data. In many cases these attacks can subvert authentication and authorization schemes, which would enable an attacker to gain privileged access to restricted portions of the application.
If the database injection attack can be used to read arbitrary data, then users' stored information such as authentication credentials, e-mail address, social security number, or financial information will be exposed.
Some databases provide methods for executing system commands via SQL queries. Thus, a successful injection attack could compromise the database host and other hosts on its local network even if they are protected from the Internet by a firewall.


Recommendations:  

The recommendations for this finding are identical to those given under SQL Injection above: use prepared statements (parameterized queries) or safely implemented stored procedures, treat escaping of user input as a last resort for legacy code only, run application database accounts with least privilege, and apply white-list input validation.


XPath Injection

Site: http://webscantest.com:80
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #248 (Parameter: fname / 3 Attack Variances)
URL: http://webscantest.com/xmldb/search_by_name.php Root Cause #249 (Parameter: index / 4 Attack Variances)
URL: http://webscantest.com/xmldb/search_by_name.php Root Cause #250 (Parameter: id / 4 Attack Variances)

Description:  

An XPath syntax character submitted in a URL parameter causes an error in the application query. This indicates that an XPath injection attack could be accomplished. These types of attacks manipulate queries built from user-supplied input in order to query or navigate XML documents.
If the XPath injection attack can be used to read arbitrary data, then users' stored information such as authentication credentials, e-mail address, or financial information will be exposed.
A successful injection attack could also compromise the application host and other hosts on its local network even if they are protected from the Internet by a firewall.


Recommendations:  

Several techniques can be used to block XPath injection attacks. These techniques complement each other and address security at different points in the application. The impact of an XPath injection attack is minimized by implementing multiple defense measures.

  • Normalize all user-supplied data before applying filters, regular expressions, or submitting the data to a database. This means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters.
  • Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be carefully matched to a limited subset of characters such as alpha, numeric, spaces, or certain punctuation characters as necessary. If any value received by the application contains an unexpected character, then it should be rejected.
  • Negative filtering can also prevent attacks, but may be more unreliable or more difficult to implement for language sets that require non-ASCII characters. Examine all data received from the web browser for XPath syntax characters. If any of these characters are present, then they should be escaped or removed. The single quote (') or double quote (") are often used to envelope parameters in an XPath query. Other malicious characters include the asterisk, semi-colon, dash (minus sign), and parentheses. These characters could be used to prematurely end a query statement.
  • Avoid string concatenation for XPath query construction. String concatenation, where the query is created programmatically by appending values together, makes an injection attack easier to accomplish because the syntax of the query can be easily disrupted by malicious characters.
  • Store user-supplied values with appropriate data types within the database. For example, dates should be stored as DATE types (if available) instead of a VARCHAR string.

