Web Application Report


This report includes important security information about your Web Application.

OWASP Top Ten 2010: The Ten Most Critical Web Application Security Risks

This report was created by IBM Rational AppScan 8.5.0.1 on 4/11/2013 4:16:57 PM.
Copyright IBM Corp. 2000, 2011. All Rights Reserved.

Scanned Web Application: http://10.172.2.190:8080/bse
Scan Name: bse110413

Content

This report contains the following sections:
Description
Compliance Scan Results
Unique Compliance-related Issues Detected
Compliance-Related Issues and Section References

IMPORTANT INFORMATION ABOUT THIS REPORT

This Compliance Scan Results Report is based on the results of an automated Web Application Security scan performed by AppScan. An AppScan scan attempts to uncover security-related issues in web applications, testing both the HTTP frameworks (e.g. web servers) and the code of the application itself (e.g. dynamic pages). The testing is performed over HTTP and is limited to those issues that are specified for testing and that can be identified in an automated fashion via the HTTP channel. The scan is further limited to the resources reached during the automatic and/or manual explore performed as part of the scan. The security-related issues detected are compared to selected regulatory or industry standard requirements to produce this report.

There may be areas of compliance risk associated with such a regulation or standard that are not specified for testing by AppScan. This report will not detect compliance-related issues in areas of compliance risk that AppScan does not test. The report identifies areas where there may be a compliance risk, but the exact impact of each uncovered issue type depends on the individual application, environment, and the subject regulation or standard. Regulations and standards are subject to change, and the scans performed by AppScan may not reflect all such changes. It is the user's responsibility to interpret the results in this report for determination of impact, actual compliance violations, and appropriate remedial measures, if any. Section references to regulations are provided for reference purposes only. The issues reported are general compliance-related risks and are not to be interpreted as excerpts from any regulation.

The information provided does not constitute legal advice. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Description

Summary Description

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Development projects should address these potential risks in their requirements documents and design, build and test their applications to ensure that they have taken the necessary measures to reduce these risks to a minimum. Project managers should include time and budget for application security activities, including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review, as part of the overall effort to address the risks.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security risks. The Top 10 provides basic guidance on how to protect against these risks and where to go to learn more about addressing them. Although set out as an education piece rather than a standard or a regulation, it is important to note that several prominent industry and government regulators reference the OWASP Top Ten. These bodies include, among others, VISA USA, MasterCard International and the American Federal Trade Commission (FTC). However, according to the OWASP team, the OWASP Top Ten is first and foremost an education piece, not a standard. The OWASP team suggests that any organization about to adopt the Top Ten paper as a policy or standard consult with the OWASP team first.

The OWASP Top 10 2010 is a significant update to the previous version of the OWASP Top Ten (2007). It presents a more concise, risk-focused list of the Top 10 Most Critical Web Application Security Risks and how to assess them. Each item in the Top 10 is presented with the general likelihood and consequence factors that are used to categorize the typical severity of the risk.

Covered Entities

All companies and other entities that develop any kind of web application code are encouraged to address the Top Ten list as part of their overall security risk management. Adopting the OWASP Top Ten is an effective first step towards changing the software development culture within the organization into one that produces secure code.

For more information on the OWASP Top Ten, please review OWASP Top Ten 2010: The Ten Most Critical Web Application Security Risks, at http://www.owasp.org

For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity

(*) DISCLAIMER

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Compliance Scan Results

48 unique issues detected across 10 sections of the regulation:

     Section                                              No. of Issues
 1.  Injection (A1)                                       -
 2.  Cross site scripting (XSS) (A2)                      -
 3.  Broken authentication and session management (A3)    -
 4.  Insecure direct object reference (A4)                45
 5.  Cross site request forgery (CSRF) (A5)               -
 6.  Security Misconfiguration (A6)                       42
 7.  Insecure cryptographic storage (A7)                  3
 8.  Failure to restrict URL access (A8)                  48
 9.  Insufficient transport layer protection (A9)         -
10.  Unvalidated Redirects and Forwards (A10)             -

("-" means no issues were detected for that section. One issue can count against several sections, which is why the per-section numbers add up to more than the 48 unique issues.)

Unique Compliance-related Issues Detected

48 unique issues detected across 10 sections of the regulation. The Parameter/Cookie column is empty for every issue (all findings are against URLs, not parameters) and is omitted below.

ID  URL | Test Name | Sections
 1  http://10.172.2.190:8080/1.0 | Directory Listing | 4, 6, 8
 2  http://10.172.2.190:8080/images/ | Directory Listing | 4, 6, 8
 3  http://10.172.2.190:8080/aux/ | Hidden Directory Detected | 4, 8
 4  http://10.172.2.190:8080/cgi-bin/ | Hidden Directory Detected | 4, 8
 5  http://10.172.2.190:8080/com1/ | Hidden Directory Detected | 4, 8
 6  http://10.172.2.190:8080/com2/ | Hidden Directory Detected | 4, 8
 7  http://10.172.2.190:8080/com3/ | Hidden Directory Detected | 4, 8
 8  http://10.172.2.190:8080/bse/ | Robots.txt File Web Site Structure Exposure | 4, 8
 9  http://10.172.2.190:8080/bse/sites/ | Directory Listing | 4, 6, 8
10  http://10.172.2.190:8080/bse/sites/all/ | Directory Listing | 4, 6, 8
11  http://10.172.2.190:8080/bse/sites/all/modules/ | Directory Listing | 4, 6, 8
12  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/ | Directory Listing | 4, 6, 8
13  http://10.172.2.190:8080/bse/sites/all/modules/jquery~1/ | Directory Listing | 4, 6, 8
14  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ | Directory Listing | 4, 6, 8
15  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/jquery/ | Directory Listing | 4, 6, 8
16  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/jquery/1.8/ | Directory Listing | 4, 6, 8
17  http://10.172.2.190:8080/bse/misc/ | Directory Listing | 4, 6, 8
18  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/ | Directory Listing | 4, 6, 8
19  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/ | Directory Listing | 4, 6, 8
20  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/misc/ | Directory Listing | 4, 6, 8
21  http://10.172.2.190:8080/bse/sites/all/modules/external/ | Directory Listing | 4, 6, 8
22  http://10.172.2.190:8080/bse/sites/all/modules/lightbox2/ | Directory Listing | 4, 6, 8
23  http://10.172.2.190:8080/bse/sites/all/modules/lightb~1/ | Directory Listing | 4, 6, 8
24  http://10.172.2.190:8080/bse/sites/all/modules/lightbox2/js/ | Directory Listing | 4, 6, 8
25  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/ | Directory Listing | 4, 6, 8
26  http://10.172.2.190:8080/bse/sites/all/modules/nice_m~1/ | Directory Listing | 4, 6, 8
27  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superfish/ | Directory Listing | 4, 6, 8
28  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superf~1/ | Directory Listing | 4, 6, 8
29  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superfish/js/ | Directory Listing | 4, 6, 8
30  http://10.172.2.190:8080/bse/sites/all/modules/scroll_to_top/ | Directory Listing | 4, 6, 8
31  http://10.172.2.190:8080/bse/sites/all/modules/scroll~1/ | Directory Listing | 4, 6, 8
32  http://10.172.2.190:8080/bse/sites/all/modules/views_ticker/ | Directory Listing | 4, 6, 8
33  http://10.172.2.190:8080/bse/sites/all/modules/views_~1/ | Directory Listing | 4, 6, 8
34  http://10.172.2.190:8080/bse/sites/all/modules/views_ticker/js/ | Directory Listing | 4, 6, 8
35  http://10.172.2.190:8080/bse/sites/all/modules/views/ | Directory Listing | 4, 6, 8
36  http://10.172.2.190:8080/bse/sites/all/modules/views/js/ | Directory Listing | 4, 6, 8
37  http://10.172.2.190:8080/bse/sites/all/modules/nivo_slider/ | Directory Listing | 4, 6, 8
38  http://10.172.2.190:8080/bse/sites/all/modules/nivo_s~1/ | Directory Listing | 4, 6, 8
39  http://10.172.2.190:8080/bse/sites/all/modules/nivo_slider/js/ | Directory Listing | 4, 6, 8
40  http://10.172.2.190:8080/bse/sites/all/libraries/ | Directory Listing | 4, 6, 8
41  http://10.172.2.190:8080/bse/sites/all/librar~1/ | Directory Listing | 4, 6, 8
42  http://10.172.2.190:8080/bse/sites/all/libraries/nivo-slider/ | Directory Listing | 4, 6, 8
43  http://10.172.2.190:8080/bse/sites/all/libraries/nivo-s~1/ | Directory Listing | 4, 6, 8
44  http://10.172.2.190:8080/bse | Internal IP Disclosure Pattern Found | 6, 7, 8
45  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js | Email Address Pattern Found | 6, 7, 8
46  http://10.172.2.190:8080/bse/ | Internal IP Disclosure Pattern Found | 6, 7, 8
47  http://10.172.2.190:8080/bse/sites/all/modules/webform/ | Directory Listing | 4, 6, 8
48  http://10.172.2.190:8080/bse/sites/all/modules/webform/js/ | Directory Listing | 4, 6, 8

Compliance-Related Issues and Section References

1) Injection (A1)
No issues.

2) Cross site scripting (XSS) (A2)
No issues.

3) Broken authentication and session management (A3)
No issues.

4) Insecure direct object reference (A4)
45 Issues

Directory Listing
- It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files
- Cause: Directory browsing is enabled
- Remediation: Modify the server configuration to deny directory listing, and install the latest security patches available
Affected URLs (IDs 1, 2, 9-43, 47, 48):
 1  http://10.172.2.190:8080/1.0
 2  http://10.172.2.190:8080/images/
 9  http://10.172.2.190:8080/bse/sites/
10  http://10.172.2.190:8080/bse/sites/all/
11  http://10.172.2.190:8080/bse/sites/all/modules/
12  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/
13  http://10.172.2.190:8080/bse/sites/all/modules/jquery~1/
14  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/
15  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/jquery/
16  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/jquery/1.8/
17  http://10.172.2.190:8080/bse/misc/
18  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/
19  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/
20  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/misc/
21  http://10.172.2.190:8080/bse/sites/all/modules/external/
22  http://10.172.2.190:8080/bse/sites/all/modules/lightbox2/
23  http://10.172.2.190:8080/bse/sites/all/modules/lightb~1/
24  http://10.172.2.190:8080/bse/sites/all/modules/lightbox2/js/
25  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/
26  http://10.172.2.190:8080/bse/sites/all/modules/nice_m~1/
27  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superfish/
28  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superf~1/
29  http://10.172.2.190:8080/bse/sites/all/modules/nice_menus/superfish/js/
30  http://10.172.2.190:8080/bse/sites/all/modules/scroll_to_top/
31  http://10.172.2.190:8080/bse/sites/all/modules/scroll~1/
32  http://10.172.2.190:8080/bse/sites/all/modules/views_ticker/
33  http://10.172.2.190:8080/bse/sites/all/modules/views_~1/
34  http://10.172.2.190:8080/bse/sites/all/modules/views_ticker/js/
35  http://10.172.2.190:8080/bse/sites/all/modules/views/
36  http://10.172.2.190:8080/bse/sites/all/modules/views/js/
37  http://10.172.2.190:8080/bse/sites/all/modules/nivo_slider/
38  http://10.172.2.190:8080/bse/sites/all/modules/nivo_s~1/
39  http://10.172.2.190:8080/bse/sites/all/modules/nivo_slider/js/
40  http://10.172.2.190:8080/bse/sites/all/libraries/
41  http://10.172.2.190:8080/bse/sites/all/librar~1/
42  http://10.172.2.190:8080/bse/sites/all/libraries/nivo-slider/
43  http://10.172.2.190:8080/bse/sites/all/libraries/nivo-s~1/
47  http://10.172.2.190:8080/bse/sites/all/modules/webform/
48  http://10.172.2.190:8080/bse/sites/all/modules/webform/js/

Hidden Directory Detected
- It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
- Cause: The web server or application server is configured in an insecure way
- Remediation: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely
Affected URLs (IDs 3-7):
 3  http://10.172.2.190:8080/aux/
 4  http://10.172.2.190:8080/cgi-bin/
 5  http://10.172.2.190:8080/com1/
 6  http://10.172.2.190:8080/com2/
 7  http://10.172.2.190:8080/com3/

Robots.txt File Web Site Structure Exposure
- It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
- Cause: The web server or application server is configured in an insecure way
- Remediation: Move sensitive content to an isolated location to exclude it from web robot search
Affected URL (ID 8):
 8  http://10.172.2.190:8080/bse/

5) Cross site request forgery (CSRF) (A5)
No issues.

6) Security Misconfiguration (A6)
42 Issues

Directory Listing
- It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files
- Cause: Directory browsing is enabled
- Remediation: Modify the server configuration to deny directory listing, and install the latest security patches available
Affected URLs (IDs 1, 2, 9-43, 47, 48): the same 39 directories listed under section 4 above.

Email Address Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove e-mail addresses from the website
Affected URL (ID 45):
45  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js

Internal IP Disclosure Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove internal IP addresses from your website
Affected URLs (IDs 44, 46):
44  http://10.172.2.190:8080/bse
46  http://10.172.2.190:8080/bse/

7) Insecure cryptographic storage (A7)
3 Issues

Email Address Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove e-mail addresses from the website
Affected URL (ID 45):
45  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js

Internal IP Disclosure Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove internal IP addresses from your website
Affected URLs (IDs 44, 46):
44  http://10.172.2.190:8080/bse
46  http://10.172.2.190:8080/bse/

8) Failure to restrict URL access (A8)
48 Issues

Directory Listing
- It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files
- Cause: Directory browsing is enabled
- Remediation: Modify the server configuration to deny directory listing, and install the latest security patches available
Affected URLs (IDs 1, 2, 9-43, 47, 48): the same 39 directories listed under section 4 above.

Email Address Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove e-mail addresses from the website
Affected URL (ID 45):
45  http://10.172.2.190:8080/bse/sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js

Hidden Directory Detected
- It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
- Cause: The web server or application server is configured in an insecure way
- Remediation: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely
Affected URLs (IDs 3-7):
 3  http://10.172.2.190:8080/aux/
 4  http://10.172.2.190:8080/cgi-bin/
 5  http://10.172.2.190:8080/com1/
 6  http://10.172.2.190:8080/com2/
 7  http://10.172.2.190:8080/com3/

Internal IP Disclosure Pattern Found
- It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
- Cause: Insecure web application programming or configuration
- Remediation: Remove internal IP addresses from your website
Affected URLs (IDs 44, 46):
44  http://10.172.2.190:8080/bse
46  http://10.172.2.190:8080/bse/

Robots.txt File Web Site Structure Exposure
- It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
- Cause: The web server or application server is configured in an insecure way
- Remediation: Move sensitive content to an isolated location to exclude it from web robot search
Affected URL (ID 8):
 8  http://10.172.2.190:8080/bse/

9) Insufficient transport layer protection (A9)
No issues.

10) Unvalidated Redirects and Forwards (A10)
No issues.
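All five test types in the sections above (Directory Listing, Hidden Directory Detected, Robots.txt File Web Site Structure Exposure, Email Address Pattern Found, Internal IP Disclosure Pattern Found) are passive checks on ordinary HTTP responses, so a team receiving this report can re-verify them from saved responses and re-derive the per-section counts before and after remediation. The script below is an added example written for this page; it is not AppScan's code or output. Its sample responses are constructed, the directory-index page markers assume Apache httpd, Tomcat or IIS (the report does not name the server behind 10.172.2.190:8080), and the 401/403 heuristic for a hidden directory is inferred from the report's own remediation advice ("issue a 404 for a forbidden resource") rather than taken from AppScan documentation.

```python
"""Offline re-check of the five AppScan test types in this report.

Added example, not AppScan's code or output.  Sample responses are constructed;
the index-page markers assume Apache httpd, Tomcat or IIS (the report does not
name the server); the 401/403 hidden-directory rule is an inference from the
report's remediation text, not a documented AppScan check.
"""
import re
from collections import Counter

# The report's own mapping: test name -> OWASP Top Ten 2010 section numbers.
SECTIONS = {
    "Directory Listing": (4, 6, 8),
    "Hidden Directory Detected": (4, 8),
    "Robots.txt File Web Site Structure Exposure": (4, 8),
    "Email Address Pattern Found": (6, 7, 8),
    "Internal IP Disclosure Pattern Found": (6, 7, 8),
}

# Markers of an auto-generated directory index page (assumed server types).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),               # Apache mod_autoindex
    re.compile(r"<title>\s*Directory Listing For /", re.I),  # Tomcat DefaultServlet
    re.compile(r"\[To Parent Directory\]", re.I),            # IIS directory browsing
)

# RFC 1918 addresses only.  The lookbehind rejects a match glued to a word or to
# a preceding dotted number; the lookahead rejects one followed by a word
# character or a further ".digit", so "1.10.2" and "10.0.0.1.5" do not match.
_OCT = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
INTERNAL_IP = re.compile(
    r"(?<![\w.])(?:10\.%s\.%s\.%s"
    r"|172\.(?:1[6-9]|2\d|3[01])\.%s\.%s"
    r"|192\.168\.%s\.%s)(?!\w|\.\d)" % ((_OCT,) * 7)
)
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def is_directory_listing(status, body):
    """A 200 whose body is an auto-generated index page."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)


def is_hidden_directory(status):
    """A guessed path that answers 401/403 instead of 404 confirms it exists."""
    return status in (401, 403)


def robots_disallowed(body):
    """Paths a robots.txt asks crawlers to avoid; each one maps site structure."""
    paths = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:                                  # a bare "Disallow:" allows all
                paths.append(path)
    return paths


def review(responses):
    """responses: iterable of (url, status, body) for pages already fetched.
    Returns the (url, test name) findings and the issue count per report section."""
    findings = []
    for url, status, body in responses:
        if url.endswith("/robots.txt"):
            if robots_disallowed(body):
                findings.append((url, "Robots.txt File Web Site Structure Exposure"))
            continue
        if is_directory_listing(status, body):
            findings.append((url, "Directory Listing"))
        elif is_hidden_directory(status):
            findings.append((url, "Hidden Directory Detected"))
        if INTERNAL_IP.search(body):
            findings.append((url, "Internal IP Disclosure Pattern Found"))
        if EMAIL.search(body):
            findings.append((url, "Email Address Pattern Found"))
    per_section = Counter()
    for _, name in findings:
        per_section.update(SECTIONS[name])
    return findings, per_section


# Constructed sample responses; nothing here was captured from the scanned host.
BASE = "http://10.172.2.190:8080"
SAMPLE = [
    (BASE + "/bse/sites/all/modules/views/js/", 200,
     "<html><head><title>Index of /bse/sites/all/modules/views/js</title></head>"
     "<body><h1>Index of /bse/sites/all/modules/views/js</h1>"
     "<a href=\"ajax_view.js\">ajax_view.js</a></body></html>"),
    (BASE + "/cgi-bin/", 403, "<html><title>403 Forbidden</title></html>"),
    (BASE + "/no-such-dir/", 404, "<html><title>404 Not Found</title></html>"),
    (BASE + "/bse/robots.txt", 200,
     "User-agent: *\nDisallow: /misc/\nDisallow: /sites/all/modules/  # constructed\n"),
    (BASE + "/bse/", 200,
     "<html><body>Served from 10.172.2.190 (jQuery 1.8.0.1); "
     "contact webmaster@example.com</body></html>"),
]

if __name__ == "__main__":
    found, counts = review(SAMPLE)
    for url, name in found:
        print(f"{name:45s} {url}")
    print({f"A{s}": n for s, n in sorted(counts.items())})
```

Run it as a script to see the findings and per-section counts for the sample, or call review() on (url, status, body) tuples saved from your own crawl of the application. Like AppScan's pattern tests, the e-mail and internal IP checks are plain string matches: a hit inside a vendored JavaScript file such as jquery.cookie.js may be nothing more than an address in a comment and should be confirmed by hand, and its appearance under "Insecure cryptographic storage (A7)" reflects the report's fixed mapping of information-disclosure patterns, not a weakness in the application's cryptography.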