Vulnerabilities

The Nuts & Bolts of our testing engine

Command Injection

Command injection is a technique that allows an attacker to execute operating system commands by abusing an application feature. The injection typically occurs when the developer uses user input to construct a command that is handed to the system shell in use.

Expression Language Injection

Expression Language Injection occurs when attacker-controlled data reaches an expression language interpreter, i.e. the data is evaluated as code.

Default Login

A default login is a set of credentials that is the same for every instance of the application. It is typically used to grant first-time access to control panels and administration interfaces bundled with hardware.

Local File Include

A Local File Include is a vulnerability that allows attackers to retrieve or execute server-side files. It arises when the developer allows unsanitised user-supplied input to reach the functions used to open, read or display the contents of files.

Remote Code Injection

Remote Code Injection is a vulnerability that allows an attacker to remotely inject code into an application in order to change its execution flow. The issue typically occurs because the application is written in a language that allows dynamic evaluation of code at runtime.

Remote File Include

A Remote File Include is a vulnerability that allows attackers to manipulate the application into including a remote file hosted on a third-party server. This file may be executable, typically written in a scripting language.

SQL Injection

SQL Injection is a code injection technique that exploits a security vulnerability in the database layer of a web application. The vulnerability is present when user input is incorrectly filtered for special characters and embedded in a SQL statement, where it is unexpectedly executed, i.e. the input is injected into the SQL statement issued by the web application.

Vanilla SQL Injection

SQL Injection is a code injection technique that exploits a security vulnerability in the database layer of a web application. The vulnerability is present when user input is incorrectly filtered for special characters and embedded in a SQL statement, where it is unexpectedly executed, i.e. the input is injected into the SQL statement issued by the web application.

Weak Session Management

This happens when the web application produces a session cookie whose value is easily guessable. For example, the session identifier may be based on a Unix timestamp, or simply be the MD5 hash of a timestamp.

Cross-site Scripting

XSS is a type of web application security vulnerability that allows malicious web users to inject code into the web pages viewed by other users.

LDAP Injection

LDAP Injection is a code injection technique used against applications that construct LDAP statements from user input. LDAP is an application protocol used to access and maintain distributed directory services such as Microsoft’s Active Directory.

Persistent Cross-site Scripting

XSS is a type of web application security vulnerability that allows malicious web users to inject code into the web pages viewed by other users. Stored Cross-site Scripting is a type of XSS where the injected content is permanently stored on the web server or in the application. Whenever a user requests an infected page from the server, the payload is delivered embedded in the response, so it executes without any user intervention.

Reflected Cross-site Scripting

XSS is a type of web application security vulnerability that allows malicious web users to inject code into the web pages viewed by other users. Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server. This kind of XSS is short-lived and requires a phishing vector to deliver it to the victim.

XML Injection

XML Injection is a code injection variant that allows attackers to include a malicious XML block, which is then consumed by an XML processor.

XPATH Injection

XPath Injection is a code injection technique that applies when an application uses user-supplied data to craft XPath queries to retrieve or write data stored in XML form.

Cross-site Request Forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application to which they are currently authenticated. Applications susceptible to this attack have no way to distinguish legitimate requests from forged ones.

Open Cross Domain Policy

A cross-domain policy file is used to enforce the same-origin policy in web applications (especially Flash- and Silverlight-based ones) by preventing some types of content from being accessed or modified from another domain via the client (a browser or a plugin). An open cross-domain policy is the vulnerability that occurs when the policy file explicitly allows every external domain.

CRLF Injection

CRLF stands for Carriage Return Line Feed, a special sequence of characters (0x0D 0x0A in hex) used by the HTTP protocol as a line separator. A CRLF injection attack occurs when an attacker manages to force the application to return the CRLF sequence followed by attacker-supplied data as part of the response headers.

Directory Traversal

A directory traversal is a type of attack that aims to access files or directories stored outside the web root folder by injecting characters that represent “traverse to parent directory”, such as ‘../’ on Unix. The goal of this attack is to force an application to access a file that is not intended to be accessible.
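The usual defence on the server side is to resolve the requested path against the web root and refuse anything that ends up outside it. The following Python example is added here for illustration and is not the scanner's own code; the web root `/var/www/html` and the request paths are constructed for the example, and the function works on Unix-style paths as in the ‘../’ case above (a real server would additionally apply `os.path.realpath` to the result so that symbolic links cannot point outside the root).

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example.
WEB_ROOT = "/var/www/html"


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `root`.

    Raises ValueError when the normalised path escapes the root, i.e. the
    request contains a traversal such as '../' (literal or URL-encoded).
    """
    # Decode percent-encoding exactly once so %2e%2e is treated like '..'.
    # Decoding more than once would let double-encoded sequences through.
    decoded = unquote(requested)

    # Embedded NUL bytes would truncate the path in C-based file APIs.
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")

    # Treat every request as relative to the root, even if it starts with '/'.
    relative = decoded.lstrip("/")

    # normpath collapses '.' and '..' segments; after this, any path that
    # escaped the root no longer starts with the root prefix.
    candidate = posixpath.normpath(posixpath.join(root, relative))

    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


def is_safe(root: str, requested: str) -> bool:
    """Convenience predicate: True when the request stays inside the root."""
    try:
        resolve_under_root(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: ordinary, harmless '..', traversal, encoded traversal.
    for req in ("images/logo.png", "static/../index.html",
                "../../etc/hostname", "%2e%2e/%2e%2e/%2e%2e/etc/hostname"):
        print(f"{req!r:45} safe={is_safe(WEB_ROOT, req)}")
```

Note that a ‘..’ segment by itself is not a finding: `static/../index.html` stays inside the root and is served normally, while requests whose normalised form leaves the root are rejected regardless of whether the dots were sent literally or percent-encoded.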

Frame Injection

Frame Injection is a type of code injection attack in which a frame is injected into the web application’s user-facing pages. Usually the injected frame is a concealed iframe pointing to an attacker-controlled page.

Inadequate Session Revocation

This vulnerability occurs when the session is not properly revoked after a user logout request.

.NET Tracing Capabilities

.NET provides powerful application debugging capabilities that can be abused by attackers to obtain various pieces of critical information, including session cookies and session state.

Open Redirect

An Open Redirect is a vulnerability where the application takes user input to generate some form of redirection without validating the location to which the user will be redirected.

Response Splitting

Response Splitting happens when unsanitised data is passed to the vulnerable application and used to build a response header. An attacker may force the web server to emit a malformed output stream, which is then interpreted by the victim’s browser as two HTTP responses instead of one. Response splitting is usually useful only with proxies or when the browser uses request pipelining.

Admin Page Discovered

Any administration page can be used as a potential way of gaining administrative access to the application.

Session Cookie not Flagged as HTTPOnly

The “HttpOnly” flag is set on the Set-Cookie HTTP response header to indicate that the cookie cannot be accessed by client-side code such as JavaScript, Flash and other client-side components.

Session Cookie not Flagged as Secure

The “Secure” flag is set on the Set-Cookie HTTP response header to indicate that the cookie must not be sent by the browser over an insecure channel such as plain HTTP.

Session Fixation

This may indicate that the application suffers from a “Session Fixation” vulnerability.

Autocomplete Enabled

Autocomplete is an HTML form attribute that can be used to disable the browser’s form auto-completion mechanism.

Directory Listing Enabled

Directory listings may disclose information about the web application and its environment that was not intended to be public.

Discovered SOAP Service

SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of web services. It is XML-based and primarily used to build API services.

Path Disclosure

Usually this leak is due to descriptive application and server errors.

Source Leakage

This may be due to a misconfigured server or application.

Additional Applications

Unmaintained applications may contain bugs and security vulnerabilities and can be a threat to the security and integrity of the web server.

Common Files

Common files are files usually left behind by automated or default installations; they are not necessarily still required by the web application, but may still contain sensitive information.

Dangerous Methods Enabled

Uncommon HTTP methods such as PUT, DELETE and the other WebDAV methods are considered dangerous.

Debug Methods Enabled

The HTTP methods TRACK and TRACE are usually used for debugging purposes.

Directory Listing Denied

This error is generated when there is no index file in the requested directory and the server or application is not configured to reveal the directory contents. It does, however, indicate that the directory exists.

File Upload

File upload facilities are usually considered dangerous because they can be abused to mount various types of attack.

Microsoft Office Document

Microsoft Office documents often contain hidden metadata such as the username, author name, company name, the name of the computer used to create the document, and so on.

Open Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a specification that allows web applications to offer their resources for consumption from different domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications.

Password Via GET

Sending passwords in a GET parameter is considered bad programming practice, since this information can easily be read from the browser’s address bar or history, or from the web server logs.

Permissive Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a specification that allows web applications to offer their resources for consumption from different domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications.

Redirect Response With Body

This is often due to a programming error or a security problem.

Referer Leakage

The HTTP Referer header carries the URL of the page from which the user is coming. Confidential information about the user may be leaked if it is stored in query parameters used by the application.

Strict Transport Security

This header is used to force browsers to connect to the application through an SSL connection.

Version Control Files

These files are used by version control software to store metadata and configuration about the repository that holds the application’s source code.

ViewState Not Encrypted

The ViewState is a field used in ASP.NET applications to save the current state of the application. If it is used to store sensitive data, such as user details, it should be properly encrypted to maintain the confidentiality of the data.

ViewState not Signed

The ViewState is a field used in ASP.NET applications to save the current state of the application. To avoid data tampering, the ViewState value should be signed by enforcing a MAC (Machine Authentication Check) mechanism.

X-Frame-Options Not Used

This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Web applications can use it to avoid clickjacking attacks by ensuring their content is not embedded into other sites.

Permissive X-Frame Options Used

This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Web applications can use it to avoid clickjacking attacks by ensuring their content is not embedded into other sites.

XSS Protection Disabled

A basic XSS protection mechanism is present in every modern browser. This mechanism is active by default but may be disabled by setting the response header “X-XSS-Protection” to the value “0”.

XSS Protection Error

A basic XSS protection mechanism is present in every modern browser. This mechanism is active by default but may be disabled by setting the response header “X-XSS-Protection” to the value “0”.
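The cookie-flag and response-header findings above (HttpOnly, Secure, Strict Transport Security, X-Frame-Options and X-XSS-Protection) can all be checked from a single raw response. The Python example below is added here for illustration and is not the scanner's own code; the two HTTP responses, the list of session cookie names and the finding labels are constructed for the example, and the audit assumes the response was served over HTTPS (so a missing HSTS header counts as a finding).

```python
# Constructed sample responses: one with the weak settings, one corrected.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Assumed names of session cookies; a real scanner would match per framework.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}


def parse_headers(raw: str):
    """Split a raw HTTP response into (status line, list of (name, value)).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept as
    separate entries rather than joined, since each cookie is audited alone.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie_value: str):
    """Return (cookie name, set of lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw: str, served_over_https: bool = True):
    """Return the list of finding labels that apply to the raw response."""
    _, headers = parse_headers(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    findings = []
    for set_cookie in by_name.get("set-cookie", []):
        name, attrs = cookie_attributes(set_cookie)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # only session cookies are in scope for these two findings
        if "httponly" not in attrs:
            findings.append(f"Session Cookie not Flagged as HTTPOnly: {name}")
        if "secure" not in attrs:
            findings.append(f"Session Cookie not Flagged as Secure: {name}")

    if served_over_https and "strict-transport-security" not in by_name:
        findings.append("Strict Transport Security: header missing")

    xfo = by_name.get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options Not Used")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # Anything else (including the deprecated ALLOW-FROM form) is flagged for review.
        findings.append(f"Permissive X-Frame Options Used: {xfo[0]}")

    xxp = by_name.get("x-xss-protection")
    if xxp and xxp[0].strip().startswith("0"):
        findings.append("XSS Protection Disabled")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

The non-session cookie `theme` is deliberately not reported even though it carries both flags, and the hardened response produces no findings; to check a plain-HTTP response, pass `served_over_https=False` so that the absence of HSTS is not counted.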

CVE Finding

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

OSVDB Finding

Open Source Vulnerability Database (OSVDB) is an independent and open-source database created by and for the community. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities.

Virtual Host Discovery

Virtual hosting is a method that allows a single server to serve resources for multiple web applications. The presence of virtual hosts usually indicates that the target application is sharing resources with other applications, i.e. a shared-hosting environment.