http://testhtml5.vulnweb.com/#/popular
Confidential
Confidentiality
This document contains sensitive and/or confidential information; do not distribute, email, fax or transfer it via any electronic mechanism without proper authorization. Information contained within this document should be handled with appropriate caution. While reasonable attempts have been made to confirm the accuracy of the data contained herein, IndusGuard assumes no liability for the completeness, use of, or conclusions drawn from such data.
Disclaimer
This, or any other, Security Audit cannot and does not guarantee security. IndusGuard makes no warranty or claim of any kind, whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that IndusGuard shall be held harmless in any event. IndusGuard makes this information available solely under its Terms of Service Agreement published at soc.indusguard.com.
Executive Summary
Total number of vulnerabilities identified: 13
Page 2 of 12
Severity Total
Critical 1
High 1
Medium 1
Low 9
Info 1
Vulnerabilities
Description:
The HTTP Basic Authentication scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as TLS/SSL), as the user name and password are passed over the network as cleartext.
Solution:
Use Basic Authentication over TLS/SSL (HTTPS)
Enable HTTPS on the Web server. The TLS/SSL protocol will protect cleartext Basic Authentication credentials.
Use Digest Authentication
Replace Basic Authentication with the alternative Digest Authentication scheme. By modern cryptographic standards Digest Authentication is weak, but for a large range of purposes it is valuable as a replacement for Basic Authentication. It remedies some, but not all, weaknesses of Basic Authentication. See RFC 2617, section 4, Security Considerations, for more information.
Request Header:
GET /admin HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 90
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Jan 2017 10:21:29 GMT
Server: nginx/1.4.1
WWW-Authenticate: Basic realm="Login Required"
Result:
Line No:6 Server: nginx/1.4.1
Line No:7 WWW-Authenticate: Basic realm="Login Required"
References:
http://tools.ietf.org/html/rfc2617
Description:
The Web application is vulnerable to cross-site scripting (XSS), which allows attackers to take advantage of Web server scripts to inject JavaScript or HTML code that is executed in the client-side browser. This vulnerability is often caused by server-side scripts written in languages such as PHP, ASP, .NET, Perl or Java, which do not adequately filter data sent along with page requests, or by vulnerable HTTP servers. This malicious code appears to come from your Web application when it runs in the browser of an unsuspecting user.
An attacker can do the following damage with an exploit script:
access other sites inside another client's private intranet
modify another client's submitted form data before it reaches the server
submit a form to your Web application on the user's behalf that modifies passwords or other application data
In these scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to trigger the XSS attack.
Note that SSL connectivity does not protect against this issue.
Solution:
Fix Cross Site Scripting Vulnerability
Audit the affected URL and other similar dynamic pages or scripts that could be relaying untrusted malicious data from the user input. In general, the following practices should be followed while developing dynamic web content:
Explicitly set the character set encoding for each page generated by the web server
For more information on the above practices, read the following CERT advisory: CERT Advisory CA-2000-02
For ASP.NET applications, the validateRequest attribute can be added to the page or the web.config. For example, in web.config:
<system.web>
<pages validateRequest="true" />
</system.web>
For PHP applications, input data should be validated using functions such as strip_tags and utf8_decode. Dynamic content should be HTML encoded using htmlentities.
For Perl applications, input data should be validated whenever possible using regular expressions. Dynamic content should be HTML encoded using HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).
Request Header:
POST /login HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: testhtml5.vulnweb.com
Cookie: username="\"><sCrIpT>alert(391700)</sCrIpT>"
Connection: Close

username="><sCrIpT>alert(391700)</sCrIpT>&password=testpass@1234&submit=Submit
Response Header:
HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Origin: *
Content-Length: 6011
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Jan 2017 10:21:02 GMT
Server: nginx/1.4.1
Response URL:
http://testhtml5.vulnweb.com/
Result:
Line No:53
Line No:54 Welcome <b>"><sCrIpT>alert(391700)</sCrIpT></b> | <a href='/logout'>Logout</a>
Line No:55
References:
http://www.us-cert.gov/cas/techalerts/CA-2000-02.html
Description:
A web form contains fields with data that is probably sensitive in nature. This form data is submitted over an unencrypted connection, which could allow hackers to sniff the network and view the data in plaintext.
Description:
The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.
Sensitive data and passwords can be stolen if the user's system is compromised.
Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.
Solution:
Disable autocomplete for all sensitive fields
For each sensitive field in the HTML, set the "autocomplete" attribute to "off". For example:
If there are many fields, it may be faster to set the "autocomplete" attribute to "off" in the outer <form> tag. For example:
Request Header:
GET / HTTP/1.1
Host: testhtml5.vulnweb.com
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDS; InfoPath.2; .NET4.0C; .NET4.0E; Tablet PC 2.0)
Result:
Autocomplete enabled for sensitive form field: password
Page 7 of 12
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /cgi-bin HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Vary: Accept-Encoding
Content-Length: 263
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 16 Jan 2017 10:21:07 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/cgi-bin/
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /cgi-bin HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Vary: Accept-Encoding
Content-Length: 263
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 16 Jan 2017 10:21:35 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/cgi-bin
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /static/app HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 570
Content-Type: text/html
Date: Mon, 16 Jan 2017 10:21:39 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/static/app/
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /static/css HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /static/app/libs HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 570
Content-Type: text/html
Date: Mon, 16 Jan 2017 10:21:45 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/static/app/libs/
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /static/app/services HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 570
Content-Type: text/html
Date: Mon, 16 Jan 2017 10:21:50 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/static/app/services/
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
Rather than an actual vulnerability, this finding is informational, indicating that access to some resource is not granted. The resource is predictable and, although it is not accessible via any URL links in the web application, probing using intelligent brute force methods or commonly used resource names indicates the presence of the resource.
Solution:
A custom error page should be displayed to handle all such requests.
Request Header:
GET /static/img HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 570
Content-Type: text/html
Date: Mon, 16 Jan 2017 10:21:52 GMT
Server: nginx/1.4.1
Result:
http://testhtml5.vulnweb.com/static/img/
References:
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
Description:
HTTP web server information is disclosed in HTTP headers. This information may reveal the software name, version, etc. It may help an attacker to look for vulnerabilities specific to that web server version.
Solution:
Version and type information should be omitted where possible.
Request Header:
GET /Crossdomain.xml HTTP/1.1
Referer: http://testhtml5.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Accept: */*
Host: testhtml5.vulnweb.com
Connection: Close
Response Header:
HTTP/1.1 404 NotFound
Connection: close
Content-Length: 238
Content-Type: text/html
Date: Mon, 16 Jan 2017 10:20:56 GMT
Server: nginx/1.4.1
Result:
nginx/1.4.1
References:
http://osvdb.org/91