POLICY_PENTEST on ZAP

.env Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.

.htaccess Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.

Absence of Anti-CSRF Tokens

Mon, 01 Jan 0001 00:00:00 +0000

No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Advanced SQL Injection

Mon, 01 Jan 0001 00:00:00 +0000

A SQL injection may be possible using the attached payload.

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Application Error Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

ASP.NET ViewState Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

An ASP.NET ViewState was disclosed by the application/web server.

ASP.NET ViewState Integrity

Mon, 01 Jan 0001 00:00:00 +0000

The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client.

Authentication Credentials Captured

Mon, 01 Jan 0001 00:00:00 +0000

An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted. The attacker eavesdrops on the network until an authentication has completed.

Backup File Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A backup of the file was disclosed by the web server.

Base64 Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/developer(s).

Big Redirect Detected (Potential Sensitive Information Leak)

Mon, 01 Jan 0001 00:00:00 +0000

The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).

Buffer Overflow

Mon, 01 Jan 0001 00:00:00 +0000

Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way.

Bypassing 403

Mon, 01 Jan 0001 00:00:00 +0000

Bypassing 403 endpoints may be possible, the scan rule sent a payload that caused the response to be accessible (status code 200).

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Cloud Metadata Potentially Exposed

Mon, 01 Jan 0001 00:00:00 +0000

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address ‘169.254.169.254’ - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Poisoning

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Cookie Slack Detector

Mon, 01 Jan 0001 00:00:00 +0000

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Cookie with Invalid SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie with SameSite Attribute None

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with its SameSite attribute set to “none”, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie without SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

CORS Header

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

CRLF Injection

Mon, 01 Jan 0001 00:00:00 +0000

Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist.

Cross Site Scripting (Persistent)

Mon, 01 Jan 0001 00:00:00 +0000

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user’s browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology. When an attacker gets a user’s browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

Cross Site Scripting (Persistent)

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Persistent) - Prime

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Persistent) - Spider

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Reflected)

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting Weakness (Persistent in JSON Response)

Mon, 01 Jan 0001 00:00:00 +0000

A XSS attack was found in a JSON response, this might leave content consumers vulnerable to attack if they don’t appropriately handle the data (response).

Cross-Domain JavaScript Source File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files from a third-party domain.

Cross-Domain Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Cross-Domain Misconfiguration - Adobe - Read

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Adobe - Send

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Silverlight

Mon, 01 Jan 0001 00:00:00 +0000

Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Origin-Embedder-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Opener-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

Cross-Origin-Resource-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Dangerous JS Functions

Mon, 01 Jan 0001 00:00:00 +0000

A dangerous JS function seems to be in use that would leave the site vulnerable.

Deprecated Feature Policy Header Set

Mon, 01 Jan 0001 00:00:00 +0000

The header has now been renamed to Permissions-Policy.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

ELMAH Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Emails Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Email addresses were found being serialized in the viewstate field.

Exponential Entity Expansion (Billion Laughs Attack)

Mon, 01 Jan 0001 00:00:00 +0000

An exponential entity expansion, or “billion laughs” attack is a type of denial-of-service (DoS) attack. It is aimed at parsers of markup languages like XML or YAML that allow macro expansions.

Exposed Secrets in Swagger/OpenAPI Path

Mon, 01 Jan 0001 00:00:00 +0000

Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. These secrets may be accessible in the HTML source and should not be exposed publicly, as this can lead to compromise.

Exposed Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files.

Expression Language Injection

Mon, 01 Jan 0001 00:00:00 +0000

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

URL redirectors represent common functionality employed by web sites to forward an incoming request to an alternate resource. This can be done for a variety of reasons and is often done to allow resources to be moved within the directory structure and to avoid breaking functionality for users that request the resource at its previous location. URL redirectors may also be used to implement load balancing, leveraging abbreviated URLs or recording outgoing links. It is this last implementation which is often used in phishing attacks as described in the example below. URL redirectors do not necessarily represent a direct security vulnerability but can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination.

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

Format String Error

Mon, 01 Jan 0001 00:00:00 +0000

A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.

Full Path Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The full path of files which might be sensitive has been exposed to the client.

Generic Padding Oracle

Mon, 01 Jan 0001 00:00:00 +0000

By manipulating the padding on an encrypted string, an attacker is able to generate an error message that indicates a likely ‘padding oracle’ vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. This rule should detect the MS10-070 padding oracle vulnerability in ASP.net if CustomErrors are enabled for that.

GET for POST

Mon, 01 Jan 0001 00:00:00 +0000

A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

Hash Disclosure - BCrypt

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - BCrypt

Hash Disclosure - Kerberos AFS DES

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - Kerberos AFS DES

Hash Disclosure - LanMan

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - LanMan

Hash Disclosure - LanMan / DES

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - LanMan / DES

Hash Disclosure - MD4 / MD5

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - MD4 / MD5

Hash Disclosure - MD5 Crypt

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - MD5 Crypt

Hash Disclosure - NTLM

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - NTLM

Hash Disclosure - OpenBSD Blowfish

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - OpenBSD Blowfish

Hash Disclosure - Salted SHA-1

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - Salted SHA-1

Hash Disclosure - SHA-1

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-1

Hash Disclosure - SHA-224

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-224

Hash Disclosure - SHA-256

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-256

Hash Disclosure - SHA-256 Crypt

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-256 Crypt

Hash Disclosure - SHA-384

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-384

Hash Disclosure - SHA-512

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-512

Hash Disclosure - SHA-512 Crypt

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - SHA-512 Crypt

Heartbleed OpenSSL Vulnerability

Mon, 01 Jan 0001 00:00:00 +0000

The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Heartbleed OpenSSL Vulnerability (Indicative)

Mon, 01 Jan 0001 00:00:00 +0000

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Hidden File Found

Mon, 01 Jan 0001 00:00:00 +0000

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

HTTP Only Site

Mon, 01 Jan 0001 00:00:00 +0000

The site is only served under HTTP and not HTTPS.

HTTP Parameter Override

Mon, 01 Jan 0001 00:00:00 +0000

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable.

HTTP Parameter Pollution

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

HTTP to HTTPS Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.

Httpoxy - Proxy Header Misuse

Mon, 01 Jan 0001 00:00:00 +0000

The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments. This may allow attackers to:

Proxy the outgoing HTTP requests made by the web application
Direct the server to open outgoing connections to an address and port of their choosing or
Tie up server resources by forcing the vulnerable software to use a malicious proxy.

HTTPS Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Performs HTTPS configuration analysis including certificate details and supported cipher suites.

HTTPS Content Available via HTTP

Mon, 01 Jan 0001 00:00:00 +0000

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

HTTPS Security Configuration Issues

Mon, 01 Jan 0001 00:00:00 +0000

The HTTPS configuration has one or more security issues identified by the TLS risk assessment.

HTTPS to HTTP Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they’re submitting data to a secure page when in fact they are not.

Image Exposes Location or Privacy Data

Mon, 01 Jan 0001 00:00:00 +0000

The image was found to contain embedded location information, such as GPS coordinates, or another privacy exposure, such as camera serial number. Depending on the context of the image in the website, this information may expose private details of the users of a site. For example, a site that allows users to upload profile pictures taken in the home may expose the home’s address.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Information Disclosure - Debug Error Messages

Mon, 01 Jan 0001 00:00:00 +0000

The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.

Information Disclosure - Sensitive Information in HTTP Referrer Header

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Sensitive Information in URL

Mon, 01 Jan 0001 00:00:00 +0000

The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Suspicious Comments

Mon, 01 Jan 0001 00:00:00 +0000

The response appears to contain suspicious comments which may help an attacker.

Insecure HTTP Method - CONNECT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [CONNECT] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.

Insecure HTTP Method - DELETE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [DELETE] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PROPFIND

Mon, 01 Jan 0001 00:00:00 +0000

This HTTP method is a WEBDAV method: PROPFIND. If this server is not offering any WEBDAV services, these methods should not be available.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [PUT] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for update capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.

Insecure HTTP Method - TRACE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [TRACE] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.

Insecure JSF ViewState

Mon, 01 Jan 0001 00:00:00 +0000

The response at the following URL contains a ViewState value that has no cryptographic protections.

Integer Overflow Error

Mon, 01 Jan 0001 00:00:00 +0000

An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream.

Java Serialization Object

Mon, 01 Jan 0001 00:00:00 +0000

Java Serialization seems to be in use. If not correctly validated, an attacker can send a specially crafted object. This can lead to a dangerous “Remote Code Execution”. A magic sequence identifying JSO has been detected (Base64: rO0AB, Raw: 0xac, 0xed, 0x00, 0x05).

LDAP Injection

Mon, 01 Jan 0001 00:00:00 +0000

LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.

LDAP Injection - activedirectory

Mon, 01 Jan 0001 00:00:00 +0000

LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.

Log4Shell (CVE-2021-44228)

Mon, 01 Jan 0001 00:00:00 +0000

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Log4Shell (CVE-2021-45046)

Mon, 01 Jan 0001 00:00:00 +0000

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments.

Loosely Scoped Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple HREFs Redirect Detected (Potential Sensitive Information Leak)

Mon, 01 Jan 0001 00:00:00 +0000

The server has responded with a redirect that seems to contain multiple links. This may indicate that although the server sent a redirect it also responded with body content links (which may include sensitive details, PII, lead to admin panels, etc.).

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Non-Storable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

NoSQL Injection - MongoDB

Mon, 01 Jan 0001 00:00:00 +0000

MongoDB query injection may be possible.

NoSQL Injection - MongoDB (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

MongoDB query injection may be possible.

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Off-site Redirect

Mon, 01 Jan 0001 00:00:00 +0000

Open redirects are one of the OWASP 2010 Top Ten vulnerabilities. This check looks at user-supplied input in query string parameters and POST data to identify where open redirects might be possible. Open redirects occur when an application allows user-supplied input (e.g. https://nottrusted.com) to control an off-site destination. This is generally a pretty accurate way to find where 301 or 302 redirects could be exploited by spammers or phishing attacks.

Old Asp.Net Version in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET version 1.0 or 1.1.

Out of Band XSS

Mon, 01 Jan 0001 00:00:00 +0000

Parameter Tampering

Mon, 01 Jan 0001 00:00:00 +0000

Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

PII Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data.

Possible Username Enumeration

Mon, 01 Jan 0001 00:00:00 +0000

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.

Potential IP Addresses Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Potential IP addresses were found being serialized in the viewstate field.

Private IP Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Properties File Disclosure - /WEB-INF folder

Mon, 01 Jan 0001 00:00:00 +0000

A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Re-examine Cache-control Directives

Mon, 01 Jan 0001 00:00:00 +0000

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

Referer Exposes Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Relative Path Confusion

Mon, 01 Jan 0001 00:00:00 +0000

The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct “relative path” for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the “cross-content” response in a permissive manner, or can be tricked into permissively parsing the “cross-content” response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.

Remote Code Execution - CVE-2012-1823

Mon, 01 Jan 0001 00:00:00 +0000

Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped “=” character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser.

Remote Code Execution - Shell Shock

Mon, 01 Jan 0001 00:00:00 +0000

The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code.

Remote Code Execution - Shell Shock

Mon, 01 Jan 0001 00:00:00 +0000

The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code.

Remote Code Execution (React2Shell)

Mon, 01 Jan 0001 00:00:00 +0000

The server is running Next.js and vulnerable versions of React Server Components with Next.js which allow remote attackers to execute arbitrary code.

Remote File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

Remote File Include (RFI) is an attack technique used to exploit “dynamic file include” mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.

Remote OS Command Injection

Mon, 01 Jan 0001 00:00:00 +0000

Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.

Remote OS Command Injection (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

Retrieved from Cache

Mon, 01 Jan 0001 00:00:00 +0000

The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as “proxy” caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

Retrieved from Cache

Mon, 01 Jan 0001 00:00:00 +0000

Reverse Tabnabbing

Mon, 01 Jan 0001 00:00:00 +0000

At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the “noopener” and “noreferrer” keywords in the “rel” attribute, which allows the target page to take control of this page.

Script Served From Malicious Domain (polyfill)

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files loaded from one of the ‘polyfill’ domains. These are not associated with the polyfill.js library and are known to serve malicious content.

Script Served From Malicious Domain (polyfill)

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script which appear to include a reference to one of the ‘polyfill’ domains. These are not associated with the polyfill.js library and are known to serve malicious content. You should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain.

Sec-Fetch-Dest Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Dest Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Mode Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Mode Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Site Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-Site Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-User Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Sec-Fetch-User Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking information via one or more “X-Powered-By” HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Server Side Code Injection - ASP Code Injection

Mon, 01 Jan 0001 00:00:00 +0000

A code injection may be possible including custom code that will be evaluated by the scripting engine.

Server Side Code Injection - PHP Code Injection

Mon, 01 Jan 0001 00:00:00 +0000

A code injection may be possible including custom code that will be evaluated by the scripting engine.

Server Side Include

Mon, 01 Jan 0001 00:00:00 +0000

Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed.

Server Side Request Forgery

Mon, 01 Jan 0001 00:00:00 +0000

The web server receives a remote address and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Server Side Template Injection

Mon, 01 Jan 0001 00:00:00 +0000

When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution.

Server Side Template Injection (Blind)

Mon, 01 Jan 0001 00:00:00 +0000

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user’s actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim’s browser, to allow the vulnerability to be exploited.

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session ID Cookie Accessible to JavaScript

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked.

Session ID Expiry Time/Max-Age is Excessive

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID Transmitted Insecurely

Mon, 01 Jan 0001 00:00:00 +0000

A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the ‘secure’ flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim’s session.

SOAP Action Spoofing

Mon, 01 Jan 0001 00:00:00 +0000

An unintended SOAP operation was executed by the server.

SOAP XML Injection

Mon, 01 Jan 0001 00:00:00 +0000

Some XML injected code has been interpreted by the server.

Source Code Disclosure - /WEB-INF Folder

Mon, 01 Jan 0001 00:00:00 +0000

Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Source Code Disclosure - CVE-2012-1823

Mon, 01 Jan 0001 00:00:00 +0000

Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped “=” character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML.

Source Code Disclosure - File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

Source Code Disclosure - Git

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Source Code Disclosure - PHP

Mon, 01 Jan 0001 00:00:00 +0000

Application Source Code was disclosed by the web server. - PHP

Source Code Disclosure - SVN

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Split Viewstate in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate and its value is split into several chunks.

Spring Actuator Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.

Spring4Shell

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding.

SQL Injection

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - Hypersonic SQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - MsSQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - MySQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - Oracle (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - PostgreSQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - SQLite (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - SQLite (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

Storable and Cacheable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where “shared” caching servers such as “proxy” caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

Storable but Non-Cacheable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Suspicious Input Transformation - Arithmetic Evaluation

Mon, 01 Jan 0001 00:00:00 +0000

The application performed a suspicious input transformation that may indicate a security vulnerability. The input was transformed in an unexpected way, suggesting potential issues with input validation, encoding/decoding, or expression evaluation. This could indicate vulnerabilities such as server-side template injection, expression language injection, unicode normalization issues, or other input processing flaws that may be exploitable.

Suspicious Input Transformation - EL Evaluation

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Expression Evaluation

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Quote Consumption

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Template Evaluation

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Unicode Byte Truncation

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Unicode Case Conversion

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Unicode Combining Diacritic

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - Unicode Normalisation

Mon, 01 Jan 0001 00:00:00 +0000

Suspicious Input Transformation - URL Decoding Error

Mon, 01 Jan 0001 00:00:00 +0000

Text4shell (CVE-2022-42889)

Mon, 01 Jan 0001 00:00:00 +0000

Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded.The application has been shown to initial contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).

Timestamp Disclosure - Unix

Mon, 01 Jan 0001 00:00:00 +0000

A timestamp was disclosed by the application/web server. - Unix

Trace.axd Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.

User Agent Fuzzer

Mon, 01 Jan 0001 00:00:00 +0000

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

User Controllable Charset

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page.

User Controllable HTML Element Attribute (Potential XSS)

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

User Controllable JavaScript Event (XSS)

Mon, 01 Jan 0001 00:00:00 +0000

Username Hash Found

Mon, 01 Jan 0001 00:00:00 +0000

A hash of a username (admin) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.

Viewstate without MAC Signature (Sure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but without any MAC.

Viewstate without MAC Signature (Unsure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but maybe without any MAC.

Vulnerable JS Library

Mon, 01 Jan 0001 00:00:00 +0000

The identified library appears to be vulnerable.

Vulnerable Swagger UI Version Detected

Mon, 01 Jan 0001 00:00:00 +0000

This Swagger UI version is known to contain vulnerabilities. Exploitation may allow unauthorized access, XSS, or token theft.

Affected versions:

Swagger UI v2 < 2.2.10
Swagger UI v3 < 3.24.3

Weak Authentication Method

Mon, 01 Jan 0001 00:00:00 +0000

HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.

Web Cache Deception

Mon, 01 Jan 0001 00:00:00 +0000

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

WSDL File Detection

Mon, 01 Jan 0001 00:00:00 +0000

A WSDL File has been detected.

X-AspNet-Version Response Header

Mon, 01 Jan 0001 00:00:00 +0000

Server leaks information via “X-AspNet-Version”/“X-AspNetMvc-Version” HTTP response header field(s).

X-Backend-Server Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.

X-ChromeLogger-Data (XCOLD) Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Debug-Token Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.

XML External Entity Attack

Mon, 01 Jan 0001 00:00:00 +0000

This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.

XPath Injection

Mon, 01 Jan 0001 00:00:00 +0000

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document. The syntax of XPath bears some resemblance to an SQL query, and indeed, it is possible to form SQL-like queries on an XML document using XPath.

XSLT Injection

Mon, 01 Jan 0001 00:00:00 +0000

Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.