Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)



Similar documents
Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Cross-Site Scripting

Web Application Security

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Information Security Office

Magento Security and Vulnerabilities. Roman Stepanov

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

A Tale of the Weaknesses of Current Client-side XSS Filtering

HTTPParameter Pollution. ChrysostomosDaniel

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

HTTP Response Splitting

Adobe Systems Incorporated

The Top Web Application Attacks: Are you vulnerable?

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Web Application Guidelines

Pwning Intranets with HTML5

Webapps Vulnerability Report

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Chapter 1 Web Application (In)security 1

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Defending against XSS,CSRF, and Clickjacking David Bishop

Are AJAX Applications Vulnerable to Hack Attacks?

(WAPT) Web Application Penetration Testing

Java Web Application Security

COMP 112 Assignment 1: HTTP Servers

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Rational AppScan & Ounce Products

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Sitefinity Security and Best Practices

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Engineering Web Application Security Issues

A Tale of the Weaknesses of Current Client-Side XSS Filtering

Web Application Security

Check list for web developers

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

Web Application Attacks And WAF Evasion

Introduction to Computer Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Where every interaction matters.

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Web Security Testing Cookbook*

DNS Pinning and Web Proxies

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Penetration Test Report

Web Security Scan. 10 November, Developer Report

Attack and Penetration Testing 101

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Högskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013

Last update: February 23, 2004

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Web Application Report

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Common Security Vulnerabilities in Online Payment Systems

An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Using Free Tools To Test Web Application Security

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web application security: Testing for vulnerabilities

How To Protect A Web Application From Attack From A Trusted Environment

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

What is Web Security? Motivation

Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

HP WebInspect Tutorial

OWASP Top Ten Tools and Tactics

Cross Site Scripting Prevention

WebCruiser Web Vulnerability Scanner User Guide

How To Fix A Web Application Security Vulnerability

APPLICATION SECURITY AND ITS IMPORTANCE

Web Vulnerability Assessment Report

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

OWASP AND APPLICATION SECURITY

Towards More Security in Data Exchange

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Understanding Cross Site Scripting

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Web Vulnerability Scanners Evaluation - January 2009 ( anantasec@gmail.com

Transcription:

Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06 Finish time 05/11/2014 14:47:02 Scan time 2 minutes, 56 seconds Profile Default Server information Responsive Server banner Server OS Server technologies True Apache/2.2.25 (Win32) PHP/5.2.3 Windows PHP Threat level Acunetix Threat Level 3 One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website. Alerts distribution Total alerts found 2 High 2 Knowledge base List of file extensions File extensions can provide information on what technologies are being used on this website. List of file extensions detected: - css => 2 file(s) - txt => 3 file(s) - js => 2 file(s) - php => 1 file(s) Top 10 response times The files listed bellow had the slowest response times measured during the crawling process. The average response time for this site was 16,97 ms. These files could be targetted in denial of service attacks. 1. /scripts/extjs3/ext-all.js, response time 2386 ms GET /scripts/extjs3/ext-all.js HTTP/1.1 Pragma: no-cache Referer: http://filesbilateral.bilateral.go.id/ Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Cookie: extplorer=nsvgtbm94tjcxkdacx0qwrurbwsydo4p Acunetix Website Audit 2

Host: filesbilateral.bilateral.go.id Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* List of client scripts These files contain Javascript code referenced from the website. - /scripts/extjs3/adapter/ext/ext-base.js - /scripts/extjs3/ext-all.js List of files with inputs These files have at least one input (GET or POST). - /index.php - 1 inputs List of external hosts These hosts were linked from this website but they were not scanned because they are not listed in the list of hosts allowed.(settings->scanners settings->scanner->list of hosts allowed). - extplorer.net - www.google.com List of email addresses List of all email addresses found on this host. - colonelxc@users.sourceforge.net - licensing@extjs.com - licensing@sencha.com Alerts summary Cross Site Scripting Affects Variations /index.php 1 Cross Site Scripting (verified) Affects Variations /index.php 1 Alert details Cross Site Scripting Severity High Type Validation Reported by module Scripting (XSS_in_URI.script) Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Impact Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Recommendation Your script should filter metacharacters from user input. References Cross site scripting How To: Prevent Cross-Site Scripting in ASP.NET Allowing HTML and Preventing XSS Microsoft ASP.NET request filtering flaw OWASP PHP Top 5 XSS cheat sheet XSS Annihilation OWASP Cross Site Scripting The Cross Site Scripting Faq Security Focus - Penetration Testing for Web Applications (Part Two) Acunetix Cross Site Scripting Attack ASP.NET Unicode Character Conversion XSS Affected items /index.php Details URI was set to 957266"():;988165 The input is reflected inside <script> tag between double quotes. Request headers GET /index.php/957266%22():;988165 HTTP/1.1 Cookie: extplorer=mkco3s0cmvg8cb5ero6gtsfc73uvou9w Host: filesbilateral.bilateral.go.id Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* Acunetix Website Audit 5

Cross Site Scripting (verified) Severity High Type Validation Reported by module Scripting (XSS_in_URI.script) Description This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Impact Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Recommendation Your script should filter metacharacters from user input. References ASP.NET Unicode Character Conversion XSS Acunetix Cross Site Scripting Attack Security Focus - Penetration Testing for Web Applications (Part Two) The Cross Site Scripting Faq OWASP Cross Site Scripting XSS Annihilation XSS cheat sheet Cross site scripting Microsoft ASP.NET request filtering flaw Allowing HTML and Preventing XSS How To: Prevent Cross-Site Scripting in ASP.NET OWASP PHP Top 5 Affected items /index.php Details URI was set to ö" onmouseover=prompt(930630) // The input is reflected inside a tag parameter between double quotes. Request headers GET /index.php/%f6%22%20onmouseover=prompt(930630)%20// HTTP/1.1 Cookie: extplorer=mkco3s0cmvg8cb5ero6gtsfc73uvou9w Host: filesbilateral.bilateral.go.id Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* Acunetix Website Audit 6

URL: http://filesbilateral.bilateral.go.id/ URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/resources/css/xtheme-blue.css URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/resources/css/ext-all.css URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/adapter/ Acunetix Website Audit 17 URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/ext-all.js URL: http://filesbilateral.bilateral.go.id/index.php 3 input(s) found for this URL Inputs URL: http://filesbilateral.bilateral.go.id/changelog.txt URL: http://filesbilateral.bilateral.go.id/readme.txt

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information