Report Developer - LOGON

DeveloperReport

Acunetix Security Audit

22 November 2018

Generated by Acunetix

Scan of testhtml5.vulnweb.com

Scan details

Scan information

Start time 20/11/2018, 12:03:57

Start url http://testhtml5.vulnweb.com/

Host testhtml5.vulnweb.com

Scan time 4 minutes, 26 seconds

Profile Full Scan

Server information nginx/1.4.1

Responsive True

Threat level

Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit thesevulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution

Total alerts found 25

High 11

Medium 3

Low 8

Informational 3

Alerts summary

Cross site scripting

Classification

CVSS2

Base Score: 6.4Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: PartialAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 5.3Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: NoneIntegrity Impact: LowAvailability Impact: None

CWE CWE-79

Affected items Variation

/comment 2

/like 2

/report 2

DOM-based cross site scripting

Classification

CVSS2

Base Score: 4.3Access Vector: Network_accessibleAccess Complexity: MediumAuthentication: NoneConfidentiality Impact: NoneIntegrity Impact: PartialAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 5.3Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: NoneIntegrity Impact: LowAvailability Impact: None

CWE CWE-79


Web Server 2

nginx Integer Overflow

Classification

CVSS2

Base Score: 5.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: Proof_of_conceptRemediation Level: Official_fixReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 7.5Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: HighIntegrity Impact: NoneAvailability Impact: None

CVE CVE-2017-7529

CWE CWE-190


Web Server 1

nginx SPDY heap buffer overflow

Classification

CVSS2

Base Score: 5.1Access Vector: Network_accessibleAccess Complexity: HighAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: PartialAvailability Impact: PartialExploitability: Proof_of_conceptRemediation Level: Official_fixReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVE CVE-2014-0133

CWE CWE-122


Web Server 1

XML external entity injection via external file

Classification

CVSS2

Base Score: 6.8Access Vector: Network_accessibleAccess Complexity: MediumAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: PartialAvailability Impact: PartialExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 10.0Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: ChangedConfidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High

CWE CWE-611


/forgotpw 1

HTML form without CSRF protection

Classification

CVSS2

Base Score: 2.6Access Vector: Network_accessibleAccess Complexity: HighAuthentication: NoneConfidentiality Impact: NoneIntegrity Impact: PartialAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 4.3Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: RequiredScope: UnchangedConfidentiality Impact: NoneIntegrity Impact: LowAvailability Impact: None

CWE CWE-352


Web Server 1

User credentials are sent in clear text

Classification

Base Score: 5.0

CVSS2

Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: HighRemediation Level: WorkaroundReport Confidence: ConfirmedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 9.1Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: HighIntegrity Impact: HighAvailability Impact: None

CWE CWE-310


Web Server 1

Vulnerable Javascript library

Classification

CVSS2

Base Score: 6.4Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: PartialAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 6.5Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: LowIntegrity Impact: LowAvailability Impact: None

CWE CWE-16


/static/app/libs/sessvars.js 1

Clickjacking: X-Frame-Options header missing

Classification

Base Score: 6.8Access Vector: Network_accessible

CVSS2

Access Complexity: MediumAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: PartialAvailability Impact: PartialExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CWE CWE-693


Web Server 1

Cookie(s) without HttpOnly flag set

Classification

CVSS2

Base Score: 0.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: NoneIntegrity Impact: NoneAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CWE CWE-16


Web Server 1

Cookie(s) without Secure flag set

Classification

CVSS2


CWE CWE-16


Web Server 1

Insecure response with wildcard '*' in Access-Control-Allow-Origin

Classification

CVSS2


CWE CWE-16


Web Server 1

Login page password-guessing attack

Classification

CVSS2

Base Score: 5.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3

Base Score: 5.3Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: NoneScope: UnchangedConfidentiality Impact: NoneIntegrity Impact: NoneAvailability Impact: Low

CWE CWE-307


/login 1

OPTIONS method is enabled

Classification

CVSS2

Base Score: 5.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_defined

Report Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3


CWE CWE-200


Web Server 1

Possible sensitive directories

Classification

CVSS2

Base Score: 5.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_definedAvailability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3


CWE CWE-200


Web Server 1

Possible virtual host found

Classification

CVSS2

Base Score: 5.0Access Vector: Network_accessibleAccess Complexity: LowAuthentication: NoneConfidentiality Impact: PartialIntegrity Impact: NoneAvailability Impact: NoneExploitability: Not_definedRemediation Level: Not_definedReport Confidence: Not_defined

Availability Requirement: Not_definedCollateral Damage Potential: Not_definedConfidentiality Requirement: Not_definedIntegrity Requirement: Not_definedTarget Distribution: Not_defined

CVSS3


CWE CWE-200


Web Server 1

Content Security Policy (CSP) not implemented

Classification

CVSS2


CWE CWE-16


Web Server 1

Password type input with auto-complete enabled

Classification

CVSS2


CVSS3

Base Score: 7.5Attack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: None

Scope: UnchangedConfidentiality Impact: HighIntegrity Impact: NoneAvailability Impact: None

CWE CWE-200


Web Server 1

Subresource Integrity (SRI) not implemented

Classification

CVSS2


CWE CWE-16


Web Server 1

Alerts details

Cross site scripting

Severity High

Reported by module /Scripts/PerFile/XSS_in_URI_File.script

Description

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into alegitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user inputwithin the output it generates.

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and localstorage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can thenimpersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user.Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Recommendation

Apply context-dependent encoding and/or validation to user input rendered on a page

References

Cross-site Scripting (XSS) Attack - Acunetix (https://www.acunetix.com/websitesecurity/cross-site-scripting/)Types of XSS - Acunetix (https://www.acunetix.com/websitesecurity/xss/)Cross-site Scripting - OWASP (http://www.owasp.org/index.php/Cross_Site_Scripting)XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)Excess XSS, a comprehensive tutorial on cross-site scripting (https://excess-xss.com/)Cross site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting )

Affected items

/comment

Details

URI was set to -->1<ScRiPt>uygm(9067)</ScRiPt>1<ScRiPt>uygm(9067)</ScRiPt><ScRiPt >rAT0(9134)</ScRiPt><ScRiPt%20>rAT0(9134)</ScRiPt><!--HTTP/1.1Referer: http://testhtml5.vulnweb.com/

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.acunetix.com/websitesecurity/xss/

http://www.owasp.org/index.php/Cross_Site_Scripting

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

https://excess-xss.com/

http://en.wikipedia.org/wiki/Cross-site_scripting

Connection: keep-aliveCookie: username=eAuthorization: Basic YW5vbnltb3VzOmFub255bW91cw==Accept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21/like

Details

URI was set to -->1<ScRiPt>trOO(9866)</ScRiPt>1<ScRiPt>trOO(9866)</ScRiPt><ScRiPt >Yvy9(9942)</ScRiPt><ScRiPt%20>Yvy9(9942)</ScRiPt>1<ScRiPt>PjQK(9361)</ScRiPt>1<ScRiPt>PjQK(9361)</ScRiPt><ScRiPt >0Vli(9194)</ScRiPt><!--


Request headers

GET /report?id=696a3680438a7af53a0a54d3d26469bf--><ScRiPt%20>0Vli(9194)</ScRiPt><!--HTTP/1.1Referer: http://testhtml5.vulnweb.com/Connection: keep-aliveCookie: username=eAuthorization: Basic YW5vbnltb3VzOmFub255bW91cw==Accept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

DOM-based cross site scripting

Severity High

Reported by module deepscan

Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the formof Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in theuser context allowing the attacker to access any cookies or session tokens retained by the browser.

While a traditional cross-site scripting vulnerability occurs on the server-side code, document object model based cross-sitescripting is a type of vulnerability which affects the script code in the client's browser.

Impact

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order togather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is alsopossible to modify the content of the page presented to the user.

Recommendation

Your script should filter metacharacters from user input.

References

Acunetix Cross Site Scripting Attack (http://www.acunetix.com/websitesecurity/cross-site-scripting.htm)VIDEO: How Cross-Site Scripting (XSS) Works (http://www.acunetix.com/blog/web-security-zone/video-how-cross-site-scripting-xss-works/)The Cross Site Scripting Faq (http://www.cgisecurity.com/xss-faq.html)OWASP Cross Site Scripting (http://www.owasp.org/index.php/Cross_Site_Scripting)XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)Cross site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting )OWASP PHP Top 5 (http://www.owasp.org/index.php/PHP_Top_5)How To: Prevent Cross-Site Scripting in ASP.NET (http://msdn.microsoft.com/en-us/library/ms998274.aspx)

Affected items

Web Server

Details

Source: Referrer HeaderReferrer: http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")Execution Sink: set HTML code (innerHTML/outerHTML/...)HTML code set:

admin is coming from <b>http://www.acunetix-referrer.com/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")</xsstag></b> and has visited this page <b>1</b> times. ...

Stack Trace:

http://www.acunetix.com/websitesecurity/cross-site-scripting.htm

http://www.acunetix.com/blog/web-security-zone/video-how-cross-site-scripting-xss-works/

http://www.cgisecurity.com/xss-faq.html

http://www.owasp.org/index.php/Cross_Site_Scripting

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.owasp.org/index.php/PHP_Top_5

http://msdn.microsoft.com/en-us/library/ms998274.aspx

http://code.jquery.com/jquery-1.9.1.min.js:4:27657access@http://code.jquery.com/jquery-1.9.1.min.js:3:6720html@http://code.jquery.com/jquery-1.9.1.min.js:4:27282global code@http://testhtml5.vulnweb.com/static/app/post.js:114:17

Request headers

Web Server

Details

Source: window.namewindow.name: javascript:domxssExecutionSink(2,"'\"><xsstag>()wildxss")Execution Sink: evaluate code (eval/setTimeout/setInterval/...)Evaluated code:

this.myObj=javascript:domxssExecutionSink(2,"'\"><xsstag>()wildxss") ...

Stack Trace:

toObject@http://testhtml5.vulnweb.com/static/app/libs/sessvars.js:105:17init@http://testhtml5.vulnweb.com/static/app/libs/sessvars.js:76:36http://testhtml5.vulnweb.com/static/app/libs/sessvars.js:202:13global code@http://testhtml5.vulnweb.com/static/app/libs/sessvars.js:204:2

Request headers

nginx Integer Overflow

Severity High

Reported by module /Scripts/PerServer/Version_Check.script

Description

A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrectprocessing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529). When using nginx with standardmodules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations acache file header may contain IP address of the backend server or other sensitive information. Besides, with 3rd party modules itis potentially possible that the issue may lead to a denial of service or a disclosure of a worker process memory.

Impact

Information Disclosure, Denial of Service

Recommendation

Upgrade nginx to the latest version or apply the patch provided by the vendor.

References

nginx security advisory (CVE-2017-7529) (http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html)nginx patch (http://nginx.org/download/patch.2017.ranges.txt)CVE-2017-7529 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529)

Affected items

Web Server

Details

Current version is : nginx/1.4..

Request headers

http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

http://nginx.org/download/patch.2017.ranges.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529

nginx SPDY heap buffer overflow

Severity High

Reported by module /Scripts/PerServer/Version_Check.script

Description

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remoteattackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_modulemodule (which is not compiled by default) and without --with-debug configure option, if the "spdy" option of the "listen" directive isused in a configuration file.

Impact

An attacker can cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentiallyresulting in arbitrary code execution

Recommendation

Upgrade nginx to the latest version or apply the patch provided by the vendor.

References

nginx security advisory (CVE-2014-0133) (http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html)nginx patch (http://nginx.org/download/patch.2014.spdy2.txt)CVE-2014-0133 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133)

Affected items

Web Server

Details

Current version is : nginx/1.4.1.

Request headers

XML external entity injection via external file

Severity High

Reported by module /Scripts/PerScheme/XML_External_Entity_Injection.script

Description

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include ofXML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD)associated with an XML document. An external XML entity can also be used to include XML within the content of an XMLdocument.

Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processorwill not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation, or HTTP transfer, orwhatever system ids the XML processor knows how to access.

below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd)

http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html

http://nginx.org/download/patch.2014.spdy2.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE acunetix [

<!ENTITY acunetixent SYSTEM "file:///etc/passwd">

]>

<xxx>&acunetixent;</xxx>

Impact

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file:schemes or relative paths in the system identifier. Since the attack occurs relative to the application processing the XMLdocument, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal contentvia http(s) requests.

Recommendation

If possible it's recommended to disable parsing of XML external entities.

References

CWE-611: Information Exposure Through XML External Entity Reference (http://cwe.mitre.org/data/definitions/611.html)XXE (Xml eXternal Entity) attack (http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00421.html)XML External Entity (XXE) Processing (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)

Affected items

/forgotpw

Details

Custom POST input text/xml was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITYacunetixent SYSTEM "http://hitfQH7MCQr1L.bxss.me/"> ]> <xxx>&acunetixent;</xxx>

An HTTP request was initiated for the domain hitfQH7MCQr1L.bxss.me which indicates that this script is vulnerable to XXEinjection.

HTTP request details:

IP address: 176.28.50.165User agent: Python-urllib/1.17

Request headers

POST /forgotpw HTTP/1.1Content-Type: text/xmlConnection: keep-aliveCookie: username=eAuthorization: Basic YW5vbnltb3VzOmFub255bW91cw==Accept: */*Accept-Encoding: gzip,deflateContent-Length: 156Host: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21<?xml version="1.0" encoding="utf-8"?><!DOCTYPE acunetix [<!ENTITY acunetixent SYSTEM "http://hitfQH7MCQr1L.bxss.me/">]><xxx>&acunetixent;</xxx>

HTML form without CSRF protection

http://cwe.mitre.org/data/definitions/611.html

http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00421.html

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Severity Medium

Reported by module /Crawler/12-Crawler_Form_NO_CSRF.js

Description

This alert requires manual confirmation

Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victimdid not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.

Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for moreinformation about the affected HTML form.

Impact

An attacker could use CSRF to trick a victim into accessing a website hosted by the attacker, or clicking a URL containingmalicious or unauthorized requests.

CSRF is a type of 'confused deputy' attack which leverages the authentication and authorization of the victim when the forgedrequest is being sent to the web server. Therefore, if a CSRF vulnerability could affect highly privileged users such asadministrators full application compromise may be possible.

Recommendation

Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if necessary.

The recommended and the most widely used technique for preventing CSRF attacks is know as an anti-CSRF token, alsosometimes referred to as a synchronizer token. The characteristics of a well designed anti-CSRF system involve the followingattributes.

The anti-CSRF token should be unique for each user sessionThe session should automatically expire after a suitable amount of timeThe anti-CSRF token should be a cryptographically random value of significant lengthThe anti-CSRF token should be cryptographically secure, that is, generated by a strong Pseudo-Random Number Generator(PRNG) algorithmThe anti-CSRF token is added as a hidden field for forms, or within URLs (only necessary if GET requests cause statechanges, that is, GET requests are not idempotent)The server should reject the requested action if the anti-CSRF token fails validation

When a user submits a form or makes some other authenticated request that requires a Cookie, the anti-CSRF token should beincluded in the request. Then, the web application will then verify the existence and correctness of this token before processingthe request. If the token is missing or incorrect, the request can be rejected.

References

What is Cross Site Reference Forgery (CSRF)? (https://www.acunetix.com/websitesecurity/csrf-attacks/)Cross-Site Request Forgery (CSRF) Prevention Cheatsheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)The Cross-Site Request Forgery (CSRF/XSRF) FAQ (http://www.cgisecurity.com/csrf-faq.html)Cross-site Request Forgery (https://en.wikipedia.org/wiki/Cross-site_request_forgery)

Affected items

Web Server

Details

Request headers

GET / HTTP/1.1Cookie: username=adminAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

https://www.acunetix.com/websitesecurity/csrf-attacks/

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

http://www.cgisecurity.com/csrf-faq.html

https://en.wikipedia.org/wiki/Cross-site_request_forgery

Connection: Keep-alive

User credentials are sent in clear text

Severity Medium

Reported by module /Crawler/12-Crawler_User_Credentials_Plain_Text.js

Description

User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encryptedchannel (HTTPS) to avoid being intercepted by malicious users.

Impact

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

Recommendation

Because user credentials are considered sensitive information, should always be transferred to the server over an encryptedconnection (HTTPS).

Affected items

Web Server

Details

Request headers

GET / HTTP/1.1Cookie: username=adminAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21Connection: Keep-alive

Vulnerable Javascript library

Severity Medium

Reported by module /Scripts/PerFile/Javascript_Libraries_Audit.script

Description

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library.Consult Attack details and Web References for more information about the affected library and the vulnerabilities that werereported.

Impact

Consult References for more information.

Recommendation

Upgrade to the latest version.

Affected items

/static/app/libs/sessvars.js

Details

Detected Javascript library sessvars version 1.00.

The version was detected from file content.

References:

http://www.thomasfrank.se/sessionvars.html

Request headers

GET /static/app/libs/sessvars.js HTTP/1.1Cookie: username=adminAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21Connection: Keep-alive

Clickjacking: X-Frame-Options header missing

Severity Low

Reported by module /Scripts/PerServer/Clickjacking_X_Frame_Options.script

Description

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user intoclicking on something different from what the user perceives they are clicking on, thus potentially revealing confidentialinformation or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. TheX-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a pageinside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into othersites.

Impact

The impact depends on the affected web application.

Recommendation

Configure your web server to include an X-Frame-Options header. Consult Web references for more information about thepossible values for this header.

References

The X-Frame-Options response header (https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options)Clickjacking (http://en.wikipedia.org/wiki/Clickjacking)OWASP Clickjacking (https://www.owasp.org/index.php/Clickjacking)Defending with Content Security Policy frame-ancestors directive(https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive)Frame Buster Buster (http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed)

Affected items

Web Server

Details

Request headers

GET / HTTP/1.1Connection: keep-aliveCookie: username=adminAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.com

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

http://en.wikipedia.org/wiki/Clickjacking

https://www.owasp.org/index.php/Clickjacking

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive

http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

Cookie(s) without HttpOnly flag set

Severity Low

Reported by module /RPA/Cookie_Without_HttpOnly.js

Description

This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that thecookie can only be accessed by the server and not by client-side scripts. This is an important security protection for sessioncookies.

Impact

None

Recommendation

If possible, you should set the HTTPOnly flag for this cookie.

Affected items

Web Server

Details

[object Object]

Request headers

POST /login HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: username=adminAccept: */*Accept-Encoding: gzip,deflateContent-Length: 29Host: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21Connection: Keep-alivepassword=admin&username=admin

Cookie(s) without Secure flag set

Severity Low

Reported by module /RPA/Cookie_Without_Secure.js

Description

This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookiecan only be accessed over secure SSL channels. This is an important security protection for session cookies.

Impact

None

Recommendation

If possible, you should set the Secure flag for this cookie.

Affected items

Web Server

Details

[object Object]

Request headers

POST /login HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: username=adminAccept: */*Accept-Encoding: gzip,deflateContent-Length: 29Host: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21Connection: Keep-alivepassword=admin&username=admin

Insecure response with wildcard '*' in Access-Control-Allow-Origin

Severity Low

Reported by module /Scripts/PerFolder/Access_Control_Allow_Origin_Dir.script

Description

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to berequested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin headerindicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in theresponse.

If a website responds with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin. Therefore, anywebsite can make XHR (XMLHTTPRequest) requests to your site and access the responses. It's not recommended to use theAccess-Control-Allow-Origin: * header.

Impact

Any website can make XHR requests to your site and access the responses.

Recommendation

Is recommended not to use Access-Control-Allow-Origin: *. Instead the Access-Control-Allow-Origin header should contain the listof origins that can make COR requests.

References

Test Cross Origin Resource Sharing (OTG-CLIENT-007)(https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007))Cross-origin resource sharing (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing)Cross-Origin Resource Sharing (http://www.w3.org/TR/cors/)CrossOriginRequestSecurity (https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity)

Affected items

Web Server

Details

Request headers

GET / HTTP/1.1Cookie: username=adminAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

http://www.w3.org/TR/cors/

https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity

Connection: Keep-alive

Login page password-guessing attack

Severity Low

Reported by module /Scripts/PerScheme/Html_Authentication_Audit.script

Description

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is anattempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until youdiscover the one correct combination that works.

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended toimplement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for moreinformation about fixing this problem.

Impact

An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, andsymbols until it discovers the one correct combination that works.

Recommendation

It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.

References

Blocking Brute Force Attacks (http://www.owasp.org/index.php/Blocking_Brute_Force_Attacks)

Affected items

/login

Details

The scanner tested 10 invalid credentials and no account lockout was detected.

Request headers

POST /login HTTP/1.1Content-Type: application/x-www-form-urlencodedReferer: http://testhtml5.vulnweb.com/Connection: keep-aliveAccept: */*Accept-Encoding: gzip,deflateContent-Length: 35Host: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21password=xWzJdcPx&username=PqKtYLUH

OPTIONS method is enabled

Severity Low

Reported by module /Scripts/PerServer/Options_Server_Method.script

Description

HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported bythe web server, it represents a request for information about the communication options available on the request/response chainidentified by the Request-URI.

Impact

http://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

The OPTIONS method may expose sensitive information that may help an malicious user to prepare more advanced attacks.

Recommendation

It's recommended to disable OPTIONS Method on the web server.

References

Testing for HTTP Methods and XST (OWASP-CM-008)(https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008))

Affected items

Web Server

Details

Methods allowed: HEAD, OPTIONS, GET.

Request headers

OPTIONS / HTTP/1.1Connection: keep-aliveAccept: */*Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

Possible sensitive directories

Severity Low

Reported by module /Scripts/PerFolder/Possible_Sensitive_Directories.script

Description

A possible sensitive directory has been found. This directory is not directly linked from the website.This check looks for commonsensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of thesedirectories could help an attacker to learn more about his target.

Impact

This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation

Restrict access to this directory or remove it from the website.

References

Web Server Security and Database Server Security (http://www.acunetix.com/websitesecurity/webserver-security/)

Affected items

Web Server

Details

Request headers

GET /static/app/services HTTP/1.1Accept: acunetix/wvsRange: bytes=0-99999Connection: keep-aliveCookie: username="WEB-INF\\web.xml"Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==Accept-Encoding: gzip,deflateHost: testhtml5.vulnweb.com

https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)

http://www.acunetix.com/websitesecurity/webserver-security/

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)Chrome/41.0.2228.0 Safari/537.21

Possible virtual host found

Severity Low

Reported by module /Scripts/PerServer/VirtualHost_Audit.script

Description

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool ofservers). This allows one server to share its resources, such as memory and processor cycles, without requiring all servicesprovided to use the same host name.

This web server is responding differently when the Host header is manipulated and various common virtual hosts are tested. Thiscould indicate there is a Virtual Host present.

Impact

Possible sensitive information disclosure.

Recommendation

Consult the virtual host configuration and check if this virtual host should be publicly accessible.

References

Virtual hosting (http://en.wikipedia.org/wiki/Virtual_hosting)

Affected items

Web Server

Details

Virtual host: localhostResponse:

<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p>

<p>For online documentation and support please refer to<a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href

Virtual host: servicesResponse:

http://en.wikipedia.org/wiki/Virtual_hosting

Request headers

Content Security Policy (CSP) not implemented

Severity Informational

Reported by module /httpdata/CSP_not_implemented.js

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, includingCross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is astring containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists ofallowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to loadscripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look likethe following:

Content-Security-Policy:

default-src 'self';

script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from theresponse. It's recommended to implement Content Security Policy (CSP) into your web application.

Impact

CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks,attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks,and others.

Recommendation

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policyinvolves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agentis allowed to load for that page.

References

Content Security Policy (CSP) (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)Implementing Content Security Policy (https://hacks.mozilla.org/2016/02/implementing-content-security-policy/)

Affected items

Web Server

Details

Request headers


https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://hacks.mozilla.org/2016/02/implementing-content-security-policy/

Password type input with auto-complete enabled


Reported by module /Crawler/12-Crawler_Password_Input_Autocomplete.js

Description

When a new name and password is entered in a form and the form is submitted, the browser asks if the password should besaved.Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name isentered. An attacker with local access could obtain the cleartext password from the browser cache.

Impact

Possible sensitive information disclosure.

Recommendation

The password auto-complete should be disabled in sensitive applications. To disable auto-complete, you may use a code similar to:

<INPUT TYPE="password" AUTOCOMPLETE="off">

Affected items

Web Server

Details

Request headers


Subresource Integrity (SRI) not implemented


Reported by module /RPA/SRI_Not_Implemented.js

Description

Subresource Integrity (SRI) is a security feature that enables browsers to verify that third-party resources they fetch (for example,from a CDN) are delivered without unexpected manipulation. It works by allowing developers to provide a cryptographic hash thata fetched file must match.

Third-party resources (such as scripts and stylesheets) can be manipulated. An attacker that has access or has hacked thehosting CDN can manipulate or replace the files. SRI allows developers to specify a base64-encoded cryptographic hash of theresource to be loaded. The integrity attribute containing the hash is then added to the <script> HTML element tag. The integritystring consists of a base64-encoded hash, followed by a prefix that depends on the hash algorithm. This prefix can either besha265, sha384 or sha512.

The script loaded from the external URL specified in the Details section doesn't implement Subresource Integrity (SRI). It'srecommended to implement Subresource Integrity (SRI) for all the scripts loaded from external hosts.

Impact

An attacker that has access or has hacked the hosting CDN can manipulate or replace the files.

Recommendation

Use the SRI Hash Generator link (from the References section) to generate a <script> element that implements SubresourceIntegrity (SRI).

For example, you can use the following <script> element to tell a browser that before executing the https://example.com/example-framework.js script, the browser must first compare the script to the expected hash, and verify that there's a match.

<script src="https://example.com/example-framework.js"

integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"

crossorigin="anonymous"></script>

References

Subresource Integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)SRI Hash Generator (https://www.srihash.org/)

Affected items

Web Server

Details

Request headers


https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

https://www.srihash.org/

Scanned items (coverage report)

http://testhtml5.vulnweb.com/http://testhtml5.vulnweb.com/ajax/http://testhtml5.vulnweb.com/ajax/archivehttp://testhtml5.vulnweb.com/ajax/latesthttp://testhtml5.vulnweb.com/ajax/popularhttp://testhtml5.vulnweb.com/commenthttp://testhtml5.vulnweb.com/contacthttp://testhtml5.vulnweb.com/forgotpwhttp://testhtml5.vulnweb.com/likehttp://testhtml5.vulnweb.com/loginhttp://testhtml5.vulnweb.com/logouthttp://testhtml5.vulnweb.com/reporthttp://testhtml5.vulnweb.com/static/http://testhtml5.vulnweb.com/static/app/http://testhtml5.vulnweb.com/static/app/app.jshttp://testhtml5.vulnweb.com/static/app/controllers/http://testhtml5.vulnweb.com/static/app/controllers/controllers.jshttp://testhtml5.vulnweb.com/static/app/libs/http://testhtml5.vulnweb.com/static/app/libs/sessvars.jshttp://testhtml5.vulnweb.com/static/app/partials/http://testhtml5.vulnweb.com/static/app/partials/about.htmlhttp://testhtml5.vulnweb.com/static/app/partials/archive.htmlhttp://testhtml5.vulnweb.com/static/app/partials/carousel.htmlhttp://testhtml5.vulnweb.com/static/app/partials/contact.htmlhttp://testhtml5.vulnweb.com/static/app/partials/itemsList.htmlhttp://testhtml5.vulnweb.com/static/app/partials/latest.htmlhttp://testhtml5.vulnweb.com/static/app/partials/popular.htmlhttp://testhtml5.vulnweb.com/static/app/partials/redir.htmlhttp://testhtml5.vulnweb.com/static/app/post.jshttp://testhtml5.vulnweb.com/static/app/services/http://testhtml5.vulnweb.com/static/app/services/itemsService.jshttp://testhtml5.vulnweb.com/static/css/http://testhtml5.vulnweb.com/static/css/style.csshttp://testhtml5.vulnweb.com/static/img/

Report Developer - LOGON

Documents

Transcript of Report Developer - LOGON