Security Report 8.6

This security report summarizes the results of a web application scan and identifies 130 total security issues in the scanned application. High severity issues include SQL injection vulnerabilities, cross-site scripting, and authentication bypass risks. The report provides details on affected URLs, issue types, potential security risks, and recommendations to address the issues.

Web Application Report

This report includes important security information about your web application.
Security Report
This report was created by IBM Security AppScan Standard 8.6.0.0, Rules: 99
Scan started: 22/07/2012 09:12:42 AM
Table of Contents
Introduction
General Information
Login Settings
Executive Summary
Issue Types
Vulnerable URLs
Fix Recommendations
Security Risks
Causes
WASC Threat Classification
Issues Sorted by Issue Type
Authentication Bypass Using SQL Injection    1
Blind SQL Injection    1
Cross-Site Scripting    11
DOM Based Cross-Site Scripting    3
Poison Null Byte Windows Files Retrieval    1
Predictable Login Credentials    1
SQL Injection    12
Unencrypted Login Request    6
XPath Injection    1
Cross-Site Request Forgery    6
Directory Listing    2
HTTP Response Splitting    1
Inadequate Account Lockout    1
Link Injection (facilitates Cross-Site Request Forgery)    6
Open Redirect    2
Phishing Through Frames    6
Session Identifier Not Updated    1
Autocomplete HTML Attribute Not Disabled for Password Field    4
Database Error Pattern Found    16
Direct Access to Administration Pages    2
Email Address Pattern Found in Parameter Value    2
Hidden Directory Detected    3
Microsoft ASP.NET Debugging Enabled    3
Missing HttpOnly Attribute in Session Cookie    4
Permanent Cookie Contains Sensitive Session Information    1
Unencrypted __VIEWSTATE Parameter    4
Unsigned __VIEWSTATE Parameter    4
Application Error    15
Application Test Script Detected    1
Email Address Pattern Found    3
HTML Comments Sensitive Information Disclosure    5
Possible Server Path Disclosure Pattern Found    1
21/08/2012 1

Introduction
This report contains the results of a web application security scan performed by IBM Security AppScan Standard.
High severity issues: 37
Medium severity issues: 25
Low severity issues: 43
Informational severity issues: 25
Total security issues included in the report: 130
Total security issues discovered in the scan: 130
General Information
Scan file name: demo.testfire.net
Scan started: 22/07/2012 09:12:42 AM
Test policy: Default
Host: demo.testfire.net
Operating system: Win32
Web server: IIS
Application server: Any
Login Settings
Login method: Recorded login
Concurrent logins: Enabled
JavaScript execution: Disabled
In-session detection: Enabled
In-session pattern: >Sign Off<
Tracked or session ID cookies: ASP.NET_SessionId, amSessionId, amUserInfo, amUserId, amCreditOffer
Tracked or session ID parameters:
Login sequence:
  http://demo.testfire.net/
  http://demo.testfire.net/bank/login.aspx
  http://demo.testfire.net/bank/login.aspx
  http://demo.testfire.net/bank/main.aspx

Executive Summary
Issue Types (32)
Sev  Issue Type    Number of Issues
H    Authentication Bypass Using SQL Injection    1
H    Blind SQL Injection    1
H    Cross-Site Scripting    11
H    DOM Based Cross-Site Scripting    3
H    Poison Null Byte Windows Files Retrieval    1
H    Predictable Login Credentials    1
H    SQL Injection    12
H    Unencrypted Login Request    6
H    XPath Injection    1
M    Cross-Site Request Forgery    6
M    Directory Listing    2
M    HTTP Response Splitting    1
M    Inadequate Account Lockout    1
M    Link Injection (facilitates Cross-Site Request Forgery)    6
M    Open Redirect    2
M    Phishing Through Frames    6
M    Session Identifier Not Updated    1
L    Autocomplete HTML Attribute Not Disabled for Password Field    4
L    Database Error Pattern Found    16
L    Direct Access to Administration Pages    2
L    Email Address Pattern Found in Parameter Value    2
L    Hidden Directory Detected    3
L    Microsoft ASP.NET Debugging Enabled    3
L    Missing HttpOnly Attribute in Session Cookie    4
L    Permanent Cookie Contains Sensitive Session Information    1
L    Unencrypted __VIEWSTATE Parameter    4
L    Unsigned __VIEWSTATE Parameter    4
I    Application Error    15
I    Application Test Script Detected    1
I    Email Address Pattern Found    3
I    HTML Comments Sensitive Information Disclosure    5
I    Possible Server Path Disclosure Pattern Found    1
Vulnerable URLs (29)
Sev  URL    Number of Issues
     Root    0
H    http://demo.testfire.net/bank/login.aspx    22
H    http://demo.testfire.net/bank/account.aspx    5
H    http://demo.testfire.net/bank/apply.aspx    4
H    http://demo.testfire.net/bank/customize.aspx    8
H    http://demo.testfire.net/bank/transfer.aspx    16
H    http://demo.testfire.net/comment.aspx    5
H    http://demo.testfire.net/search.aspx    3
H    http://demo.testfire.net/subscribe.aspx    7
H    http://demo.testfire.net/survey_complete.aspx    5
H    http://demo.testfire.net/disclaimer.htm    4
H    http://demo.testfire.net/high_yield_investments.htm    1
H    http://demo.testfire.net/default.aspx    1
H    http://demo.testfire.net/bank/transaction.aspx    12
H    http://demo.testfire.net/bank/ws.asmx    9
H    http://demo.testfire.net/admin/admin.aspx    5
H    http://demo.testfire.net/admin/login.aspx    5
H    http://demo.testfire.net/bank/queryxpath.aspx    4
M    http://demo.testfire.net/bank/    1
M    http://demo.testfire.net/pr/    1
L    http://demo.testfire.net/admin/clients.xls    2
L    http://demo.testfire.net/survey_questions.aspx    3
L    http://demo.testfire.net/admin/    1
L    http://demo.testfire.net/aspnet_client/    1
L    http://demo.testfire.net/images/    1
L    http://demo.testfire.net/bank/main.aspx    1
L    http://demo.testfire.net/    1
I    http://demo.testfire.net/bank/mozxpath.js    1
I    http://demo.testfire.net/feedback.aspx    1
Fix Recommendations (23)
Sev  Remediation Task    Number of Issues
H    Always use SSL and POST (body) parameters when sending sensitive information.    6
H    Analyze client side code and sanitize its input sources    3
H    Change the login credentials to a stronger combination    1
H    Ensure that accessed files reside in the virtual path and have certain extensions; remove special characters from user input    1
H    Review possible solutions for hazardous character injection    55
M    Analyze and harden client side (JavaScript) code.    2
M    Decline malicious requests    6
M    Do not accept externally created session identifiers    1
M    Enforce account lockout after several failed login attempts    1
M    Modify the server configuration to deny directory listing, and install the latest security patches available    2
L    Add the 'HttpOnly' attribute to all session cookies    4
L    Apply proper authorization to administration scripts    2
L    Avoid storing sensitive session information in permanent cookies    1
L    Correctly set the "autocomplete" attribute to "off"    4
L    Disable Debugging on Microsoft ASP.NET    3
L    Download the relevant security patch for your web server or web application.    1
L    Issue a "404 Not Found" response status code for a forbidden resource, or remove it completely    3
L    Modify the property of each ASP.NET page to sign the VIEWSTATE parameter    4
L    Modify your Web.Config file to encrypt the VIEWSTATE parameter    4
L    Remove email addresses from the website    5
L    Remove sensitive information from HTML comments    5
L    Remove test scripts from the server    1
L    Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions    15
Security Risks (19)
Sev  Risk    Number of Issues
H    It may be possible to bypass the web application's authentication mechanism    5
H    It is possible to view, modify or delete database entries and tables    29
H    It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user    32
H    It is possible to view the contents of any file (for example, databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)    1
H    It might be possible to escalate user privileges and gain administrative permissions over the web application    4
H    It may be possible to steal user login information such as usernames and passwords that are sent unencrypted    6
H    It is possible to access information stored in a sensitive data resource    1
M    It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files    2
M    It is possible to deface the site content through web cache poisoning    1
M    It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.    12
M    It is possible to upload, modify or delete web pages, scripts and files on the web server    6
M    It is possible for an attacker to use the web server to attack other sites, which increases his or her anonymity    2
L    It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations    17
L    It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site    3
L    It may be possible to steal session information (cookies) that was kept on disk as permanent cookies    1
L    It might be possible to undermine application logic    4
I    It is possible to gather sensitive debugging information    15
I    It is possible to download temporary script files, which can expose the application logic and other sensitive information such as usernames and passwords    1
I    It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application    1
Causes (16)
Sev  Cause    Number of Issues
H    Sanitation of hazardous characters was not performed correctly on user input    56
H    The web application uses client side logic to create web pages    3
H    User input is not checked for the '..' (dot dot) string    1
H    Insecure web application programming or configuration    23
H    Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted    6
M    Insufficient authentication method was used by the application    6
M    Directory browsing is enabled    2
M    The web application performs a redirection to an external site    2
L    The web server or application server are configured in an insecure way    5
L    The web application sets session cookies without the HttpOnly attribute    4
L    The web application stores sensitive session information in a permanent cookie (on disk)    1
I    Proper bounds checking were not performed on incoming parameter values    15
I    No validation was done in order to make sure that user input matches the data type expected    15
I    Temporary files were left in production environment    1
I    Debugging information was left by the programmer in web pages    5
I    Latest patches or hotfixes for 3rd. party products were not installed    1
WASC Threat Classification
Threat    Number of Issues
Abuse of Functionality    4
Application Privacy Tests    14
Application Quality Tests    15
Brute Force    2
Content Spoofing    12
Cross-site Request Forgery    6
Cross-site Scripting    14
Directory Indexing    2
HTTP Response Splitting    1
Information Leakage    21
Insufficient Authentication    1
Insufficient Session Expiration    1
Null Byte Injection    1
Predictable Resource Location    3
Session Fixation    1
SQL Injection    29
URL Redirector Abuse    2
XPath Injection    1

Issues Sorted by Issue Type
H Authentication Bypass Using SQL Injection (1)
Issue 1 of 1
Authentication Bypass Using SQL Injection
Severity: High
URL: http://demo.testfire.net/bank/login.aspx
Entity: uid (Parameter)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because when four types of request were sent (a valid login, an invalid login, an SQL attack, and another invalid login) the responses to the two invalid logins were the same, while the response to the SQL attack seems similar to the response to the valid login.
[Figure: side-by-side comparison of "Valid Login" and "Test Login" responses]
H Blind SQL Injection (1)
Issue 1 of 1
Blind SQL Injection
Severity: High
URL: http://demo.testfire.net/bank/account.aspx
Entity: listAccounts (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query. In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next to last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next to last is different) indicates that the application is vulnerable.
[Figure: side-by-side comparison of "Original Response" and "Test Response (last)"]
[Figure: side-by-side comparison of "Original Response" and "Test Response (next-to-last)"]
H Cross-Site Scripting (11)
Issue 1 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/search.aspx
Entity: txtSearch (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:27:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Search Results
...
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search Results</h1>
<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch"><script>alert(1727)</script></span></p>
</div>
</td>
</tr>
</table>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 2 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/survey_complete.aspx
Entity: txtEmail (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
<li><a id="_ctl0__ctl0_Content_MenuHyperLink18" href="default.aspx?content=inside_careers.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div style="width: 99%;">
<h1><span id="_ctl0__ctl0_Content_Main_lblTitle">Thanks</span></h1>
<span id="_ctl0__ctl0_Content_Main_lblContent"><p>Thanks for your entry. We will contact you shortly at:<br /><br />
<b>[email protected]<script>alert(18)</script></b></p></span>
</div>
</td>
</tr>
</table>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 3 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/comment.aspx
Entity: name (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:04:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7229
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Thank-You
...
...
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Thank You</h1>

<p>Thank you for your comments, 1234'"><iframe src=javascript:alert(13)>. They will be reviewed by our Customer Service staff and
given the full attention that they deserve.</p>
</div>
</td>
</tr>
</table>
...
Issue 4 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/comment.aspx
Entity: comment.aspx (Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:04:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7219
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Thank-You
...
...
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Thank You</h1>

<p>Thank you for your comments, >"'><script>alert(10)</script>. They will be reviewed by our Customer Service staff and
given the full attention that they deserve.</p>
</div>
</td>
</tr>
</table>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 5 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/subscribe.aspx
Entity: txtEmail (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
<h1>Subscribe</h1>
<p>We recognize that things are always evolving and changing here at Altoro Mutual.
Please enter your email below and we will automatically notify of noteworthy events.</p>
<form action="subscribe.aspx" method="post" name="subscribe" id="subscribe" onsubmit="return confirmEmail(txtEmail.value);">
<table>
<tr>
<td colspan="2">
<span id="_ctl0__ctl0_Content_Main_message" style="color:Red;font-size:12pt;font-weight:bold;">Thank you. Your email
[email protected]<script>alert(130)</script> has been accepted.</span>
</td>
</tr>
<tr>
<td>
Email:
</td>
<td>
<input type="text" id="txtEmail" name="txtEmail" value="" style="width: 150px;">
</td>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 6 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/bank/apply.aspx
Entity: amCreditOffer (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
Visa Application</h1>
<!--
userid = userCookie.Values["UserID"].ToString();
cLimit = Request.Cookies["Limit"].Value;
cInterest = Request.Cookies["Interest"].Value;
cType = Request.Cookies["CardType"].Value;
-->
<span id="_ctl0__ctl0_Content_Main_lblMessage">Your new Altoro Mutual Gold VISA with a $10000 and 7.9<script>alert(53)</script>% APR will
be sent in the mail.</span>
<!--
Password is not revalidated but stored in
mainframe for non-repudiation purposes.
-->
</div>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 7 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/bank/customize.aspx
Entity: customize.aspx (Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
__VIEWSTATE=%2FwEPDwUJMjA2OTMxMDA4ZGQ%3D
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:25:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 5628
Set-Cookie: lang=>"'><script>alert(1539)</script>; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
...
...
<span id="_ctl0__ctl0_Content_Administration"></span>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Customize Site Language</h1>
<form name="aspnetForm" method="post" action="customize.aspx?lang=%3e%22'%3e%3cscript%3ealert(1539)%3c%2fscript%3e" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjA2OTMxMDA4ZGQ=" />
<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">>"'><script>alert(1539)</script></span>
</p>
<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 8 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/bank/login.aspx
Entity: uid (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Test Response
Raw Test Response:
...
<p><span id="_ctl0__ctl0_Content_Main_message" style="color:#FF0066;font-size:12pt;font-weight:bold;">Login Failed: We're sorry, but this
username was not found in our system. Please try again.</span></p>
<form action="login.aspx" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" id="uid" name="uid" value="jsmith"onmouseover="alert(144)"" style="width: 150px;">
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
...
[Screenshot: simulation of the popup that appears when this page is opened in a browser]
Issue 9 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:39:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 9466
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Transfer Funds
...
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=1001160141'"><iframe src=javascript:alert(2434)>'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Issue 10 of 11
Cross-Site Scripting
Severity: High
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount (Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:39:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 9466
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Transfer Funds
...
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=1001160141'"><iframe src=javascript:alert(2435)>'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Issue 11 of 11
Cross-Site Scripting
Severity:
High
URL: http://demo.testfire.net/bank/customize.aspx
Entity: lang(Parameter)
Risk: Itispossibletostealormanipulatecustomersessionandcookies,whichmightbeusedtoimpersonatealegitimateuser,
allowingthehackertovieworalteruserrecords,andtoperformtransactionsasthatuser
Causes: Sanitationofhazardouscharacterswasnotperformedcorrectlyonuserinput
Fix: Reviewpossiblesolutionsforhazardouscharacterinjection
Reasoning: ThetestresultseemstoindicateavulnerabilitybecauseAppscansuccessfullyembeddedascriptintheresponse,
whichwillbeexecutedwhenthepageloadsintheuser'sbrowser.
Test Response
Raw Test Response:
...
<div class="fl" style="width: 99%;">
Simulationofthepopupthat
appearswhenthispageis
openedinabrowser
687
21/08/2012 25
TOC
TOC
H DOM Based Cross-Site Scripting 3 TOC
Issue 1 of 3
DOM Based Cross-Site Scripting
Severity:
High
URL: http://demo.testfire.net/high_yield_investments.htm
Entity: high_yield_investments.htm:101(Page)
Risk: Itispossibletostealormanipulatecustomersessionandcookies,whichmightbeusedtoimpersonatealegitimateuser,
allowingthehackertovieworalteruserrecords,andtoperformtransactionsasthatuser
Causes: Thewebapplicationusesclientsidelogictocreatewebpages
Fix: Analyzeclientsidecodeandsanitizeitsinputsources
Reasoning: Reasoningisnotavailableforthisissue.
Issue 2 of 3
<h1>Customize Site Language</h1>
<form name="aspnetForm" method="post" action="customize.aspx?lang=international%3cscript%3ealert(124)%3c%2fscript%3e" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjA2OTMxMDA4ZGQ=" />
<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">international<script>alert(124)</script></span>
</p>
<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>
<p>
<a id="_ctl0__ctl0_Content_Main_HyperLink1" href="customize.aspx?lang=international">International</a>
<a id="_ctl0__ctl0_Content_Main_HyperLink2" href="customize.aspx?lang=english">English</a>
...
<script>
  var h = document.location.hash.substring(1);
  if (h && h != "") {
    var re = new RegExp(".+@.+");
    if (h.match(re)) {
      document.getElementById("email").innerHTML += " (" + h + ")";
    }
  }
DOM Based Cross-Site Scripting
Severity:
High
URL: http://demo.testfire.net/disclaimer.htm
Entity: disclaimer.htm:16(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application uses client side logic to create web pages
Fix: Analyze client side code and sanitize its input sources
Reasoning: Reasoning is not available for this issue.
Issue 3 of 3
DOM Based Cross-Site Scripting
Severity:
High
URL: http://demo.testfire.net/disclaimer.htm
Entity: disclaimer.htm:19(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application uses client side logic to create web pages
Fix: Analyze client side code and sanitize its input sources
Reasoning: Reasoning is not available for this issue.
H Poison Null Byte Windows Files Retrieval 1
Issue 1 of 1
function go() {
  var iPos = document.URL.indexOf("url=") + 4;
  var sDst = document.URL.substring(iPos, document.URL.length);
  if (window.opener) {
    window.opener.location.href = sDst;
    close();
  } else {
    window.location.href = sDst;
  }
}
Poison Null Byte Windows Files Retrieval
Severity:
High
URL: http://demo.testfire.net/default.aspx
Entity: content(Parameter)
Risk: It is possible to view the contents of any file (for example, databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)
Causes: Sanitation of hazardous characters was not performed correctly on user input
User input is not checked for the '..' (dot dot) string
Fix: Ensure that accessed files reside in the virtual path and have certain extensions
Remove special characters from user input
Reasoning: The test result seems to indicate a vulnerability because the response contained the contents of the "boot.ini" file, proving that the server allows remote users to download the contents of system files.
H Predictable Login Credentials 1
Issue 1 of 1
Predictable Login Credentials
Severity:
High
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Page)
Risk: It might be possible to escalate user privileges and gain administrative permissions over the web application
Causes: Insecure web application programming or configuration
Fix: Change the login credentials to a stronger combination
Raw Test Response:
...
<li><a id="_ctl0__ctl0_Content_MenuHyperLink17" href="default.aspx?content=inside_press.htm">Press Room</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink18" href="default.aspx?content=inside_careers.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<span id="_ctl0__ctl0_Content_Main_lblContent">[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /bootlogo /noguiboot
</span>
</td>
</tr>
</table>
</div>
...
Reasoning: This test consists of four requests: valid login, invalid login, login with predictable credentials, and another invalid login. If the response to the predictable credentials looks like the valid login (and different to the invalid logins), AppScan establishes that the application is vulnerable to this issue.
H SQL Injection 12
Issue 1 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/subscribe.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Valid Login Test Login

Raw Test Response:


...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in query expression ''[email protected]';')'.
</span></b></p>
<h2>Error Message:</h2>
Issue 2 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: before(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in query expression ''[email protected]';')'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at Altoro.Subscribe.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v6\website\subscribe.aspx.cs:line 48
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
...
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression '1=1 and t.trans_date &gt;= 1234 and t.trans_date
&lt;= 1234'; and a.userid = 100116014 ORDER BY 1 DESC'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression '1=1 and
t.trans_date &gt;= 1234 and t.trans_date &lt;= 1234'; and a.userid = 100116014 ORDER BY 1 DESC'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 3 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: after(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 4 of 12
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression '1=1 and t.trans_date &gt;= 1234'; and t.trans_date
&lt;= 1234 and a.userid = 100116014 ORDER BY 1 DESC'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression '1=1 and
t.trans_date &gt;= 1234'; and t.trans_date &lt;= 1234 and a.userid = 100116014 ORDER BY 1 DESC'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: amUserId(Cookie)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 5 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/account.aspx
Entity: amUserId(Cookie)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'userid = 100116014''.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'userid =
100116014''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 6 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: amUserId(Cookie)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'userid = 100116014''.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'userid =
100116014''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression '1=1 and t.trans_date &gt;= 1234 and t.trans_date
&lt;= 1234 and a.userid = 100116014' ORDER BY 1 DESC'.
</span></b></p>
<h2>Error Message:</h2>
Issue 7 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/login.aspx
Entity: uid(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression '1=1 and
t.trans_date &gt;= 1234 and t.trans_date &lt;= 1234 and a.userid = 100116014' ORDER BY 1 DESC'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Characters found after end of SQL statement.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Characters found after end of SQL statement.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 8 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/login.aspx
Entity: passw(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 9 of 12
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">

<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Characters found after end of SQL statement.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Characters found after end of SQL statement.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 10 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=1001160141';'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Raw Test Response:
...
Issue 11 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]debitAccount_1(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=1001160141';'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:36:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1220
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error in query expression 'accountid=1001160141%27%3B'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
Issue 12 of 12
SQL Injection
Severity:
High
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]creditAccount_2(Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
H Unencrypted Login Request 6
Issue 1 of 6
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:37:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1235
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error (missing operator) in query expression 'accountid=10011601411+'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Page)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a login request that was not sent over SSL.
Issue 2 of 6
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/bank/login.aspx
Entity: passw(Parameter)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a password parameter that was not sent over SSL.
Issue 3 of 6
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/bank/apply.aspx
Entity: passwd(Parameter)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a password parameter that was not sent over SSL.
Original Request
uid=jsmith&passw=demo1234&btnSubmit=Login
Original Request
uid=jsmith&passw=demo1234&btnSubmit=Login
Original Request
Issue 4 of 6
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/admin/admin.aspx
Entity: password1(Parameter)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a password parameter that was not sent over SSL.
Issue 5 of 6
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/admin/admin.aspx
Entity: password2(Parameter)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a password parameter that was not sent over SSL.
Issue 6 of 6
passwd=Demo1234&Submit=Submit
Original Request
password1=Demo1234&password2=Demo1234&change=Change+Password
Original Request
password1=Demo1234&password2=Demo1234&change=Change+Password
Unencrypted Login Request
Severity:
High
URL: http://demo.testfire.net/admin/login.aspx
Entity: _ctl0:_ctl0:Content:Main:Password(Parameter)
Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted
Causes: Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Fix: Always use SSL and POST (body) parameters when sending sensitive information.
Reasoning: AppScan identified a password parameter that was not sent over SSL.
H XPath Injection 1
Issue 1 of 1
XPath Injection
Severity:
High
URL: http://demo.testfire.net/bank/queryxpath.aspx
Entity: _ctl0:_ctl0:Content:Main:TextBox1(Parameter)
Risk: It is possible to access information stored in a sensitive data resource
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains an XPath exception. This suggests that the test managed to penetrate the application and reach the XPath query itself, by injecting hazardous characters.
Original Request
__VIEWSTATE=%2FwEPDwUKMTY5ODYzNjk3NWRk&__EVENTVALIDATION=%2FwEWBAKm%2FPqICgKaqvKtBQKWuPeSCgL73pWUBA%3D%3D&_ctl0%3A_ctl0%3AContent%3AMain%3ACodeNumberTextBox=9876543210&_ctl0%3A_ctl0%3AContent%3AMain%3APassword=Demo1234&_ctl0%3A_ctl0%3AContent%3AMain%3ASubmitButton=Submit
Raw Test Response:
...
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">'string(/news/publication[contains(title,'&quot;'') and (isPublic/text()='True')]/title/text())' has an invalid token.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Xml.XPath.XPathException: 'string(/news/publication[contains(title,'&quot;'') and (isPublic/text()='True')]/title/text())' has an invalid token.
at MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t)
at MS.Internal.Xml.XPath.XPathParser.ParseMethod(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput)
M Cross-Site Request Forgery 6 TOC
Issue 1 of 6
Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the Test Response (on the right) is identical to the Original Response (on the left), indicating that the login attempt was successful, even though it included hazardous characters.
Issue 2 of 6
at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
...
Original Response Test Response

Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: transfer.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.
Issue 3 of 6
Test Request:
POST /bank/transfer.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55; amSessionId=334738728; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://bogus.referer.ibm.com
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 68
debitAccount=1001160141&creditAccount=1001160141&transferAmount=1234
Test Response
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:25:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
...
Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: transaction.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.
Issue 4 of 6
Test Request:
POST /bank/transaction.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55; amSessionId=334738728; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://bogus.referer.ibm.com
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 176
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTYzNDg3OTA4NmRk&__EVENTVALIDATION=%2FwEWBgKV3oKhDgK3oeuaBAK3oaesDgK3oZPRBQK3oa%2BJCgK3oZuuAQ%3D%3D&after=1234&before=1234
Test Response
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:03:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
...
Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/bank/customize.aspx
Entity: customize.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.
Issue 5 of 6
Test Request:
POST /bank/customize.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55; amSessionId=334738728; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9; lang=
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://bogus.referer.ibm.com
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 40
__VIEWSTATE=%2FwEPDwUJMjA2OTMxMDA4ZGQ%3D
Test Response
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:03:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 5542
...
Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/bank/account.aspx
Entity: account.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.
Issue 6 of 6
Test Request:
POST /bank/account.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55; amSessionId=334738728; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://bogus.referer.ibm.com
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 23
listAccounts=1001160141
Test Response
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:24:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
...
Cross-Site Request Forgery
Severity:
Medium
URL: http://demo.testfire.net/admin/admin.aspx
Entity: admin.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Decline malicious requests
Reasoning: The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.
M Directory Listing 2 TOC
Issue 1 of 2
Test Request:
POST /admin/admin.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=eu0qbsjngqgirw45q0opxa45; amSessionId=3545750533; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://bogus.referer.ibm.com
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 17
accttypes=Savings
Test Response
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:17:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
...
Directory Listing
Severity:
Medium
URL: http://demo.testfire.net/bank/
Entity: bank/(Page)
Risk: It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files
Causes: Directory browsing is enabled
Fix: Modify the server configuration to deny directory listing, and install the latest security patches available
Reasoning: The response contains the content of a directory (directory listing). This indicates that the server allows the listing of directories, which is not usually recommended.
Issue 2 of 2
Test Response
Directory Listing
Severity:
Medium
URL: http://demo.testfire.net/pr/
Entity: pr/(Page)
Risk: It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files
Causes: Directory browsing is enabled
Fix: Modify the server configuration to deny directory listing, and install the latest security patches available
Reasoning: The response contains the content of a directory (directory listing). This indicates that the server allows the listing of directories, which is not usually recommended.
M HTTP Response Splitting 1 TOC
Issue 1 of 1
Test Response
HTTP Response Splitting
Severity:
Medium
URL: http://demo.testfire.net/bank/customize.aspx
Entity: lang(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to deface the site content through web cache poisoning
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the Global Validation feature found an embedded script in the response, which was probably injected by a previous test.
M Inadequate Account Lockout 1 TOC
Issue 1 of 1
Inadequate Account Lockout
Severity:
Medium
URL: http://demo.testfire.net/bank/login.aspx
Entity: passw(Parameter)
Risk: It might be possible to escalate user privileges and gain administrative permissions over the web application
Causes: Insecure web application programming or configuration
Fix: Enforce account lockout after several failed login attempts
Raw Test Response:
...
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:36:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
AppScanHeader: AppScanValue/1.2-3
SecondAppScanHeader: whatever; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 5706
Set-Cookie: lang=Foobar
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
Reasoning: Two legitimate login attempts were sent, with several false login attempts in between. The last response was identical to the first. This suggests that there is inadequate account lockout enforcement, allowing brute force attacks on the login page. (This is true even if the first response was not a successful login page.)
M Link Injection (facilitates Cross-Site Request Forgery) 6 TOC
Issue 1 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/search.aspx
Entity: txtSearch(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response (first) Test Response (last)

Test Response
Issue 2 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/survey_complete.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response
Issue 3 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/comment.aspx
Entity: name(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response
Issue 4 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response
Issue 5 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response
Issue 6 of 6
Link Injection (facilitates Cross-Site Request Forgery)
Severity:
Medium
URL: http://demo.testfire.net/bank/customize.aspx
Entity: lang(Parameter)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
It is possible to upload, modify or delete web pages, scripts and files on the web server
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a link to the file "WF_XSRF.html".
Test Response
M Open Redirect 2 TOC
Issue 1 of 2
Open Redirect
Severity:
Medium
URL: http://demo.testfire.net/disclaimer.htm
Entity: disclaimer.htm:32(Page)
Risk: It is possible for an attacker to use the web server to attack other sites, which increases his or her anonymity
Causes: The web application performs a redirection to an external site
Fix: Analyze and harden client side (JavaScript) code.
Reasoning: Reasoning is not available for this issue.
var iPos = document.URL.indexOf("url=")+4
var sDst = document.URL.substring(iPos,document.URL.length)
// if redirection is in the application's domain, don't ask for authorization
if ( sDst.indexOf("http") == 0 && sDst.indexOf(document.location.hostname) != -1 ) {
    if (window.opener) {
        window.opener.location.href = "http" + sDst.substring(4)
        close()
    } else {
        window.location.href = "http" + sDst.substring(4)
    }
}
Issue 2 of 2
Open Redirect
Severity:
Medium
URL: http://demo.testfire.net/disclaimer.htm
Entity: disclaimer.htm:35(Page)
Risk: It is possible for an attacker to use the web server to attack other sites, which increases his or her anonymity
Causes: The web application performs a redirection to an external site
Fix: Analyze and harden client side (JavaScript) code.
Reasoning: Reasoning is not available for this issue.
M Phishing Through Frames 6 TOC
Issue 1 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/search.aspx
Entity: txtSearch(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
var iPos = document.URL.indexOf("url=")+4
var sDst = document.URL.substring(iPos,document.URL.length)
// if redirection is in the application's domain, don't ask for authorization
if ( sDst.indexOf("http") == 0 && sDst.indexOf(document.location.hostname) != -1 ) {
    if (window.opener) {
        window.opener.location.href = "http" + sDst.substring(4)
        close()
    } else {
        window.location.href = "http" + sDst.substring(4)
    }
}
Test Response
Issue 2 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/survey_complete.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
Test Response
Issue 3 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/comment.aspx
Entity: name(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
Test Response
Issue 4 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
Test Response
Issue 5 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
Test Response
Issue 6 of 6
Phishing Through Frames
Severity:
Medium
URL: http://demo.testfire.net/bank/customize.aspx
Entity: lang(Parameter)
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the test response contained a frame/iframe to URL "http://demo.testfire.net/phishing.html".
Test Response
M Session Identifier Not Updated 1 TOC
Issue 1 of 1
Session Identifier Not Updated
Severity:
Medium
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Page)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insecure web application programming or configuration
Fix: Do not accept externally created session identifiers
Reasoning: The test result seems to indicate a vulnerability because the session identifiers in the Original Request (on the left) and in the Response (on the right) are identical. They should have been updated in the response.

L Autocomplete HTML Attribute Not Disabled for Password Field 4 TOC
Issue 1 of 4
Autocomplete HTML Attribute Not Disabled for Password Field
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Page)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Insecure web application programming or configuration
Fix: Correctly set the "autocomplete" attribute to "off"
Reasoning: AppScan has found that a password field does not enforce the disabling of the autocomplete feature.
Issue 2 of 4
Autocomplete HTML Attribute Not Disabled for Password Field
Severity:
Low
URL: http://demo.testfire.net/bank/apply.aspx
Entity: apply.aspx(Page)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Insecure web application programming or configuration
Fix: Correctly set the "autocomplete" attribute to "off"
Reasoning: AppScan has found that a password field does not enforce the disabling of the autocomplete feature.
Raw Test Response:
...
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type="password" id="passw" name="passw" style="width: 150px;">
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" name="btnSubmit" value="Login">
</td>
</tr>
</table>
...
Raw Test Response:
...
Visa Application</h1>
Issue 3 of 4
Autocomplete HTML Attribute Not Disabled for Password Field
Severity:
Low
URL: http://demo.testfire.net/admin/login.aspx
Entity: login.aspx(Page)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Insecure web application programming or configuration
Fix: Correctly set the "autocomplete" attribute to "off"
Reasoning: AppScan has found that a password field does not enforce the disabling of the autocomplete feature.
<!--
userid = userCookie.Values["UserID"].ToString();
cLimit = Request.Cookies["Limit"].Value;
cInterest = Request.Cookies["Interest"].Value;
cType = Request.Cookies["CardType"].Value;
-->
<span id="_ctl0__ctl0_Content_Main_lblMessage"><p><b>No application is needed.</b>To approve your new $10000 Altoro Mutual Gold
Visa<br />with an 7.9% APR simply enter your password below.</p><form method="post" name="Credit" action="apply.aspx"><table
border=0><tr><td>Password:</td><td><input type="password" name="passwd"></td></tr><tr><td></td><td><input type="submit" name="Submit"
value="Submit"></td></tr></table></form></span>
<!--
Password is not revalidated but stored in
mainframe for non-repudiation purposes.
-->
</div>
...
Raw Test Response:
...
<form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY5ODYzNjk3NWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAKm/PqICgKaqvKtBQKWuPeSCgL73pWUBA==" />
<img id="captcha" src="captcha.aspx" /><br />
<p>
<strong>Enter the code shown above:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:CodeNumberTextBox" type="text" id="_ctl0__ctl0_Content_Main_CodeNumberTextBox" /><br /><br />
<strong>Enter the administrative password:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:Password" type="password" id="_ctl0__ctl0_Content_Main_Password" /><br /><br />
<input type="submit" name="_ctl0:_ctl0:Content:Main:SubmitButton" value="Submit" id="_ctl0__ctl0_Content_Main_SubmitButton" /><br />
</p>
<p><span id="_ctl0__ctl0_Content_Main_MessageLabel"></span></p>
</form>
<script>
window.onload = document.forms[1].elements[1].focus();
</script>
...
Issue 4 of 4
Autocomplete HTML Attribute Not Disabled for Password Field
Severity:
Low
URL: http://demo.testfire.net/admin/admin.aspx
Entity: admin.aspx(Page)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Insecure web application programming or configuration
Fix: Correctly set the "autocomplete" attribute to "off"
Reasoning: AppScan has found that a password field does not enforce the disabling of the autocomplete feature.
Raw Test Response:
...
Confirm:
</th>
<th>&nbsp;</th>
</tr>
<tr>
<td>
<select id="" name="" ><option value="1">1 admin</option><option value="2">2 tuser</option><option value="100116013">100116013
sjoe</option><option value="100116014">100116014 jsmith</option><option value="100116015">100116015 cclay</option><option
value="100116018">100116018 sspeed</option></select>
</td>
<td>
<input type="password" name="password1">
</td>
<td>
<input type="password" name="password2">
</td>
<td>
<input type="submit" name="change" value="Change Password">
</td>
</tr>
</form>
<form method="post" name="addUser" action="admin.aspx" id="addUser" onsubmit="return confirmpass(this);">
<tr>
<td colspan="4"><h2>Add an new user.</h2></td>
...
...
<td>
<input type="text" name="firstname">
<br>
<input type="text" name="lastname">
</td>
<td>
<input type="text" name="username">
</td>
<td>
<input type="password" name="password1">
<br>
<input type="password" name="password2">
</td>
<td>
<input type="submit" name="add" value="Add User">
</td>
</tr>
<tr>
<td colspan="4">It is highly recommended that you leave the username as first
initial last name. The user id will be created automatically.
</td>
...
Low: Database Error Pattern Found (16 issues)
Issue 1 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/subscribe.aspx
Entity: subscribe.aspx(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression ''&gt;&quot;'&gt;&lt;script&gt;alert(1524)
&lt;/script&gt;')'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression
''&gt;&quot;'&gt;&lt;script&gt;alert(1524)&lt;/script&gt;')'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at Altoro.Subscribe.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v6\website\subscribe.aspx.cs:line 48
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
...
Issue 2 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/subscribe.aspx
Entity: txtEmail(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 3 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: before(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression ''[email protected]'&quot;)/&gt;')'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression
''[email protected]'&quot;)/&gt;')'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at Altoro.Subscribe.Page_Load(Object sender, EventArgs e) in d:\downloads\AltoroMutual_v6\website\subscribe.aspx.cs:line 48
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
...
Issue 4 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: after(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression '1=1 and t.trans_date &gt;= 1234 and
t.trans_date &lt;= 1234WFXSSProbe and a.userid = 100116014'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression '1=1 and
t.trans_date &gt;= 1234 and t.trans_date &lt;= 1234WFXSSProbe and a.userid = 100116014'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression '1=1 and t.trans_date &gt;= 1234WFXSSProbe
and t.trans_date &lt;= 1234 and a.userid = 100116014'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression '1=1 and
t.trans_date &gt;= 1234WFXSSProbe and t.trans_date &lt;= 1234 and a.userid = 100116014'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 5 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: login.aspx(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression 'username =
'&gt;&quot;'&gt;&lt;script&gt;alert(1549)&lt;/script&gt;' AND password = '&gt;&quot;'&gt;&lt;script&gt;alert(1549)&lt;/script&gt;''.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username =
'&gt;&quot;'&gt;&lt;script&gt;alert(1549)&lt;/script&gt;' AND password = '&gt;&quot;'&gt;&lt;script&gt;alert(1549)&lt;/script&gt;''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 6 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: amUserId(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression 'userid = 100116014WFXSSProbe'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'userid =
100116014WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 7 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: amUserId(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 8 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/account.aspx
Entity: amUserId(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression 'userid = 100116014WFXSSProbe'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'userid =
100116014WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 9 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: amUserId(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression 'userid = 100116014WFXSSProbe'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'userid =
100116014WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression '1=1 and t.trans_date &gt;= 1234 and
t.trans_date &lt;= 1234 and a.userid = 100116014WFXSSProbe'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression '1=1 and
t.trans_date &gt;= 1234 and t.trans_date &lt;= 1234 and a.userid = 100116014WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 10 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: transaction.aspx(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error (missing operator) in query expression '1=1 and t.trans_date &gt;=
&gt;&quot;'&gt;&lt;script&gt;alert(1478)&lt;/script&gt; and t.trans_date &lt;= &gt;&quot;'&gt;&lt;script&gt;alert(1478)&lt;/script&gt;
and a.userid = 100116014 ORDER BY 1 DESC'.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression '1=1 and
t.trans_date &gt;= &gt;&quot;'&gt;&lt;script&gt;alert(1478)&lt;/script&gt; and t.trans_date &lt;= &gt;&quot;'&gt;&lt;script&gt;alert
(1478)&lt;/script&gt; and a.userid = 100116014 ORDER BY 1 DESC'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 11 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: passw(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'jsmith' AND password =
'demo1234WFXSSProbe'&quot;)/&gt;''.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = 'jsmith'
AND password = 'demo1234WFXSSProbe'&quot;)/&gt;''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 12 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: uid(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'jsmithWFXSSProbe'&quot;)/&gt;' AND
password = 'demo1234''.
</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username =
'jsmithWFXSSProbe'&quot;)/&gt;' AND password = 'demo1234''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String
srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command,
CommandBehavior behavior)
...
Issue 13 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 14 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Raw Test Response:
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=1001160141'"><iframe src=javascript:alert(2435)>'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Raw Test Response:
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
(missing operator) in query expression 'accountid=1001160141WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
21/08/2012 78
TOC
TOC
Issue 15 of 16
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]creditAccount_2(Global)
Risk: Itispossibletoview,modifyordeletedatabaseentriesandtables
Causes: Sanitationofhazardouscharacterswasnotperformedcorrectlyonuserinput
Fix: Reviewpossiblesolutionsforhazardouscharacterinjection
Reasoning: ThetestresultseemstoindicateavulnerabilitybecausetheresponsecontainsSQLServererrors.Thissuggeststhat
thetestmanagedtopenetratetheapplicationandreachtheSQLqueryitself,byinjectinghazardouscharacters.
Issue 16 of 16
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:36:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1243
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error (missing operator) in query expression 'accountid=1001160141WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
Database Error Pattern Found
Severity:
Low
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]debitAccount_1(Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Low: Direct Access to Administration Pages (2)
Issue 1 of 2
Direct Access to Administration Pages
Severity:
Low
URL: http://demo.testfire.net/survey_questions.aspx
Entity: admin.aspx(Page)
Risk: It might be possible to escalate user privileges and gain administrative permissions over the web application
Causes: The web server or application server are configured in an insecure way
Fix: Apply proper authorization to administration scripts
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The response status was 200 OK.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:36:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1243
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error (missing operator) in query expression 'accountid=1001160141WFXSSProbe'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
This indicates that the test succeeded in retrieving the content of the requested file.
Issue 2 of 2
Direct Access to Administration Pages
Severity:
Low
URL: http://demo.testfire.net/admin/clients.xls
Entity: admin.aspx(Page)
Risk: It might be possible to escalate user privileges and gain administrative permissions over the web application
Causes: The web server or application server are configured in an insecure way
Fix: Apply proper authorization to administration scripts
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The response status was 200 OK. This indicates that the test succeeded in retrieving the content of the requested file.
Test Request: Test Response
GET /admin/admin.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, application/vnd.ms-excel,
application/msword, */*
Referer: http://demo.testfire.net/survey_questions.aspx?step=a
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET
CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: demo.testfire.net
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55;
amSessionId=334738728;
amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014;
amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:17:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7861
...
Test Request: Test Response
Low: Email Address Pattern Found in Parameter Value (2)
Issue 1 of 2
Email Address Pattern Found in Parameter Value
Severity:
Low
URL: http://demo.testfire.net/survey_complete.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove email addresses from the web site
Reasoning: A parameter value contains an email address that may be private.
GET /admin/admin.aspx HTTP/1.1
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55;
amSessionId=334738728;
amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014;
amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/default.aspx?
content=personal_other.htm
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET
CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:17:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7861
...
Raw Test Response:
GET /[email protected] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-
xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/msword, */*
Referer: http://demo.testfire.net/survey_complete.aspx
Issue 2 of 2
Email Address Pattern Found in Parameter Value
Severity:
Low
URL: http://demo.testfire.net/subscribe.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove email addresses from the web site
Reasoning: A parameter value contains an email address that may be private.
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: demo.testfire.net
Cookie: ASP.NET_SessionId=rccg0sjfeksi0g45p2smc0ui; amSessionId=322838539; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:02:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7256
...
Raw Test Response:
POST /subscribe.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k14vue55ie00airp0c2bhvqo; amSessionId=324838572; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/subscribe.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 52
txtEmail=test%40altoromutual.com&btnSubmit=Subscribe
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:03:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
...
Low: Hidden Directory Detected (3)
Issue 1 of 3
Hidden Directory Detected
Severity:
Low
URL: http://demo.testfire.net/images/
Entity: images/(Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way
Fix: Issue a "404 Not Found" response status code for a forbidden resource, or remove it completely
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.
Test Response
Issue 2 of 3
Hidden Directory Detected
Severity:
Low
URL: http://demo.testfire.net/admin/
Entity: admin/(Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way
Fix: Issue a "404 Not Found" response status code for a forbidden resource, or remove it completely
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.
Issue 3 of 3
Test Response
Hidden Directory Detected
Severity:
Low
URL: http://demo.testfire.net/aspnet_client/
Entity: aspnet_client/(Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server are configured in an insecure way
Fix: Issue a "404 Not Found" response status code for a forbidden resource, or remove it completely
Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.
Low: Microsoft ASP.NET Debugging Enabled (3)
Issue 1 of 3
Test Response
Microsoft ASP.NET Debugging Enabled
Severity:
Low
URL: http://demo.testfire.net/survey_questions.aspx
Entity: AppScan.aspx(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Disable Debugging on Microsoft ASP.NET
Reasoning: AppScan sent a request in Debug mode. The response indicates that debugging support in ASP.NET can be enabled. This may allow access to information about the server and application.
Issue 2 of 3
Microsoft ASP.NET Debugging Enabled
Severity:
Low
URL: http://demo.testfire.net/bank/main.aspx
Entity: AppScan.aspx(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Disable Debugging on Microsoft ASP.NET
Reasoning: AppScan sent a request in Debug mode. The response indicates that debugging support in ASP.NET can be enabled. This may allow access to information about the server and application.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:18:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
OK
...
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:18:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Issue 3 of 3
Microsoft ASP.NET Debugging Enabled
Severity:
Low
URL: http://demo.testfire.net/admin/clients.xls
Entity: AppScan.aspx(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Disable Debugging on Microsoft ASP.NET
Reasoning: AppScan sent a request in Debug mode. The response indicates that debugging support in ASP.NET can be enabled. This may allow access to information about the server and application.
Low: Missing HttpOnly Attribute in Session Cookie (4)
Issue 1 of 4
Content-Type: text/html; charset=utf-8
Content-Length: 2
OK
...
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:18:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
OK
...
Missing HttpOnly Attribute in Session Cookie
Severity:
Low
URL: http://demo.testfire.net/
Entity: amSessionId(Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application sets session cookies without the HttpOnly attribute
Fix: Add the 'HttpOnly' attribute to all session cookies
Reasoning: AppScan found that a session cookie is used without the "HttpOnly" attribute.
Issue 2 of 4
Missing HttpOnly Attribute in Session Cookie
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: amCreditOffer(Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application sets session cookies without the HttpOnly attribute
Fix: Add the 'HttpOnly' attribute to all session cookies
Reasoning: AppScan found that a session cookie is used without the "HttpOnly" attribute.
Original Response
GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:03:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 9645
Set-Cookie: ASP.NET_SessionId=n5pgfuf5tyl2ds553uu5bn55; path=/; HttpOnly
Set-Cookie: amSessionId=332438668; path=/
...
Original Response
POST /bank/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k14vue55ie00airp0c2bhvqo; amSessionId=324838572; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Issue 3 of 4
Missing HttpOnly Attribute in Session Cookie
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: amUserId(Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application sets session cookies without the HttpOnly attribute
Fix: Add the 'HttpOnly' attribute to all session cookies
Reasoning: AppScan found that a session cookie is used without the "HttpOnly" attribute.
Issue 4 of 4
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 41
uid=jsmith&passw=demo1234&btnSubmit=Login
HTTP/1.1 302 Found
Date: Sun, 22 Jul 2012 08:03:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /bank/main.aspx
Cache-Control: no-cache
Pragma: no-cache
...
Original Response
POST /bank/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k14vue55ie00airp0c2bhvqo; amSessionId=324838572; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 41
uid=jsmith&passw=demo1234&btnSubmit=Login
HTTP/1.1 302 Found
Date: Sun, 22 Jul 2012 08:03:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /bank/main.aspx
Cache-Control: no-cache
Pragma: no-cache
...
Missing HttpOnly Attribute in Session Cookie
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: amUserInfo(Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: The web application sets session cookies without the HttpOnly attribute
Fix: Add the 'HttpOnly' attribute to all session cookies
Reasoning: AppScan found that a session cookie is used without the "HttpOnly" attribute.
Low: Permanent Cookie Contains Sensitive Session Information (1)
Issue 1 of 1
Permanent Cookie Contains Sensitive Session Information
Severity:
Low
URL: http://demo.testfire.net/bank/login.aspx
Entity: amUserInfo(Cookie)
Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies
Causes: The web application stores sensitive session information in a permanent cookie (on disk)
Fix: Avoid storing sensitive session information in permanent cookies
Reasoning: AppScan found that a session id cookie is stored on the client machine.
Original Response
POST /bank/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k14vue55ie00airp0c2bhvqo; amSessionId=324838572; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 41
uid=jsmith&passw=demo1234&btnSubmit=Login
HTTP/1.1 302 Found
Date: Sun, 22 Jul 2012 08:03:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /bank/main.aspx
Cache-Control: no-cache
Pragma: no-cache
...
Original Response
Low: Unencrypted __VIEWSTATE Parameter (4)
Issue 1 of 4
Unencrypted __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Modify your Web.Config file to encrypt the VIEWSTATE parameter
Reasoning: AppScan decoded the __VIEWSTATE parameter value and found it to be unencrypted.
POST /bank/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=k14vue55ie00airp0c2bhvqo; amSessionId=324838572; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 41
uid=jsmith&passw=demo1234&btnSubmit=Login
HTTP/1.1 302 Found
Date: Sun, 22 Jul 2012 08:03:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /bank/main.aspx
Cache-Control: no-cache
Pragma: no-cache
...
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Recent Transactions</h1>
<form name="aspnetForm" method="post" action="transaction.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTYzNDg3OTA4NmRk" />
<table border="0" style="padding-bottom:10px;">
<tr>
<td valign=top>After</td>
<td><input name="after" type="text" value="1234" /><br /><span class="credit">mm/dd/yyyy</span></td>
<td valign=top>Before</td>
Issue 2 of 4
Unencrypted __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/queryxpath.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Modify your Web.Config file to encrypt the VIEWSTATE parameter
Reasoning: AppScan decoded the __VIEWSTATE parameter value and found it to be unencrypted.
Issue 3 of 4
<td><input name="before" type="text" value="1234" /><br /><span class="credit">mm/dd/yyyy</span></td>
<td valign=top><input type=submit value=Submit /></td>
</tr>
...
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search News Articles</h1>
<form name="aspnetForm" method="get" action="queryxpath.aspx?_ctl0%3a_ctl0%3aContent%3aMain%3aTextBox1=Enter+title+(e.g.+IBM)&amp;_ctl0%
3a_ctl0%3aContent%3aMain%3aButton1=Query" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTEzMDczNTAxOWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLNx+2YBwKw59eKCgKcjoPABw==" />
<span id="_ctl0__ctl0_Content_Main_Label1">Search our news articles database</span>
<br /><br />
<input name="_ctl0:_ctl0:Content:Main:TextBox1" type="text" value="Enter title (e.g. IBM)" id="_ctl0__ctl0_Content_Main_TextBox1"
style="width:300px;" />
<input type="submit" name="_ctl0:_ctl0:Content:Main:Button1" value="Query" id="_ctl0__ctl0_Content_Main_Button1" style="width:75px;" />
<br /><br />
<span id="_ctl0__ctl0_Content_Main_Label2">News title not found, try again</span>
</form>
...
Unencrypted __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/customize.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Modify your Web.Config file to encrypt the VIEWSTATE parameter
Reasoning: AppScan decoded the __VIEWSTATE parameter value and found it to be unencrypted.
Issue 4 of 4
Unencrypted __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/admin/login.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Modify your Web.Config file to encrypt the VIEWSTATE parameter
Reasoning: AppScan decoded the __VIEWSTATE parameter value and found it to be unencrypted.
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Customize Site Language</h1>
<form name="aspnetForm" method="post" action="customize.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjA2OTMxMDA4ZGQ=" />
<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel"></span>
</p>
<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>
...
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
Low: Unsigned __VIEWSTATE Parameter (4)
Issue 1 of 4
Unsigned __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It might be possible to undermine application logic
Causes: Insecure web application programming or configuration
Fix: Modify the property of each ASP.NET page to sign the VIEWSTATE parameter
Reasoning: AppScan determined that the __VIEWSTATE parameter value is unsigned.
<h1>Administration Login</h1>
<!-- Password: Altoro1234 -->
<form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY5ODYzNjk3NWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAKm/PqICgKaqvKtBQKWuPeSCgL73pWUBA==" />
<img id="captcha" src="captcha.aspx" /><br />
<p>
<strong>Enter the code shown above:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:CodeNumberTextBox" type="text" id="_ctl0__ctl0_Content_Main_CodeNumberTextBox" /><br /><br />
<strong>Enter the administrative password:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:Password" type="password" id="_ctl0__ctl0_Content_Main_Password" /><br /><br />
<input type="submit" name="_ctl0:_ctl0:Content:Main:SubmitButton" value="Submit" id="_ctl0__ctl0_Content_Main_SubmitButton" /><br />
...
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Recent Transactions</h1>
<form name="aspnetForm" method="post" action="transaction.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTYzNDg3OTA4NmRk" />
<table border="0" style="padding-bottom:10px;">
<tr>
<td valign=top>After</td>
<td><input name="after" type="text" value="1234" /><br /><span class="credit">mm/dd/yyyy</span></td>
<td valign=top>Before</td>
<td><input name="before" type="text" value="1234" /><br /><span class="credit">mm/dd/yyyy</span></td>
<td valign=top><input type=submit value=Submit /></td>
</tr>
...
Issue 2 of 4
Unsigned __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/queryxpath.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It might be possible to undermine application logic
Causes: Insecure web application programming or configuration
Fix: Modify the property of each ASP.NET page to sign the VIEWSTATE parameter
Reasoning: AppScan determined that the __VIEWSTATE parameter value is unsigned.
Issue 3 of 4
Unsigned __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/bank/customize.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It might be possible to undermine application logic
Causes: Insecure web application programming or configuration
Fix: Modify the property of each ASP.NET page to sign the VIEWSTATE parameter
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search News Articles</h1>
<form name="aspnetForm" method="get" action="queryxpath.aspx?_ctl0%3a_ctl0%3aContent%3aMain%3aTextBox1=Enter+title+(e.g.+IBM)&amp;_ctl0%
3a_ctl0%3aContent%3aMain%3aButton1=Query" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTEzMDczNTAxOWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwLNx+2YBwKw59eKCgKcjoPABw==" />
<span id="_ctl0__ctl0_Content_Main_Label1">Search our news articles database</span>
<br /><br />
<input name="_ctl0:_ctl0:Content:Main:TextBox1" type="text" value="Enter title (e.g. IBM)" id="_ctl0__ctl0_Content_Main_TextBox1"
style="width:300px;" />
<input type="submit" name="_ctl0:_ctl0:Content:Main:Button1" value="Query" id="_ctl0__ctl0_Content_Main_Button1" style="width:75px;" />
<br /><br />
<span id="_ctl0__ctl0_Content_Main_Label2">News title not found, try again</span>
</form>
...
Reasoning: AppScan determined that the __VIEWSTATE parameter value is unsigned.
Issue 4 of 4
Unsigned __VIEWSTATE Parameter
Severity:
Low
URL: http://demo.testfire.net/admin/login.aspx
Entity: __VIEWSTATE(Parameter)
Risk: It might be possible to undermine application logic
Causes: Insecure web application programming or configuration
Fix: Modify the property of each ASP.NET page to sign the VIEWSTATE parameter
Reasoning: AppScan determined that the __VIEWSTATE parameter value is unsigned.
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Customize Site Language</h1>
<form name="aspnetForm" method="post" action="customize.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjA2OTMxMDA4ZGQ=" />
<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel"></span>
</p>
<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>
...
Original Request
...
</td>
<td valign="top" colspan="3" class="bb">
<h1>Administration Login</h1>
<!-- Password: Altoro1234 -->
<form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY5ODYzNjk3NWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAKm/PqICgKaqvKtBQKWuPeSCgL73pWUBA==" />
<img id="captcha" src="captcha.aspx" /><br />
<p>
<strong>Enter the code shown above:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:CodeNumberTextBox" type="text" id="_ctl0__ctl0_Content_Main_CodeNumberTextBox" /><br /><br />
<strong>Enter the administrative password:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:Password" type="password" id="_ctl0__ctl0_Content_Main_Password" /><br /><br />
<input type="submit" name="_ctl0:_ctl0:Content:Main:SubmitButton" value="Submit" id="_ctl0__ctl0_Content_Main_SubmitButton" /><br />
...
Application Error (Informational) 15
Issue 1 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/comment.aspx
Entity: cfile(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 2 of 15
Raw Test Response:
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/feedback.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 79
name=1234&email_addr=753+Main+Street&subject=1234&comments=1234&submit=+Submit+
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:04:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Application Error
Severity:
Informational
URL: http://demo.testfire.net/subscribe.aspx
Entity: txtEmail(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 3 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/queryxpath.aspx
Entity: _ctl0:_ctl0:Content:Main:TextBox1(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Raw Test Response:
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/subscribe.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 32
txtEmail=%27&btnSubmit=Subscribe
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:37:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Raw Test Response:
...
Issue 4 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/ws.asmx
Entity: WSDL(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
GET /bank/queryxpath.aspx?__VIEWSTATE=%2FwEPDwUKMTEzMDczNTAxOWRk&__EVENTVALIDATION=%2FwEWAwLNx%2B2YBwKw59eKCgKcjoPABw%3D%3D&_ctl0%
3A_ctl0%3AContent%3AMain%3ATextBox1=%27&_ctl0%3A_ctl0%3AContent%3AMain%3AButton1=Query HTTP/1.1
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55; amSessionId=334738728; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/queryxpath.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Raw Test Response:
...
GET /bank/ws.asmx?WSDL=%00 HTTP/1.1
Cookie: ASP.NET_SessionId=eu0qbsjngqgirw45q0opxa45; amSessionId=3545750533; amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/ws.asmx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Jul 2012 09:06:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 44
XML Web service description was not found.
...
Issue 5 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: debitAccount(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 6 of 15
Raw Test Response:
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
(missing operator) in query expression 'accountid='.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: creditAccount(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 7 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/transfer.aspx
Entity: transferAmount(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Raw Test Response:
...
</tr>
<tr>
<td colspan="2" align="center"><input type="button" name="transfer" value="Transfer Money" onclick="doTransfer();"
ID="transfer"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
<span id="_ctl0__ctl0_Content_Main_postResp" align="center"><span style='color: Red'>System.Data.OleDb.OleDbException: Syntax error
in string in query expression 'accountid=''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</span></span>
<span id="soapResp" name="soapResp" align="center" />
</td>
...
Raw Test Response:
Issue 8 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/login.aspx
Entity: uid(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/transfer.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 67
debitAccount=1001160141&creditAccount=1001160141&transferAmount=%27
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:39:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Raw Test Response:
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 38
uid=%27&passw=demo1234&btnSubmit=Login
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:40:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Issue 9 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/login.aspx
Entity: passw(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 10 of 15
...
Raw Test Response:
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 36
uid=jsmith&passw=%27&btnSubmit=Login
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:40:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]creditAccount_2(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 11 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]debitAccount_1(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Raw Test Response:
...
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:37:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1207
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error in query expression 'accountid=%27'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
155</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
Raw Test Response:
...
Issue 12 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]transferDate(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:36:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1207
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><TransferBalanceResponse
xmlns="http://www.altoromutual.com/bank/ws/"><TransferBalanceResult><Success>false</Success><Message>System.Data.OleDb.OleDbException:
Syntax error in query expression 'accountid=%27'.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object&amp; executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteScalar()
at Altoro.Services.TransferBalance(MoneyTransfer transDetails) in d:\downloads\AltoroMutual_v6\website\App_Code\WebService.cs:line
146</Message></TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>
...
Raw Test Response:
...
<transferDate>%27</transferDate>
<debitAccount>1001160141</debitAccount>
<creditAccount>1001160141</creditAccount>
<transferAmount>1234</transferAmount>
</transDetails>
</TransferBalance>
</soap:Body>
</soap:Envelope>
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Jul 2012 08:36:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Content-Length: 481
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server was unable to
read request. ---&gt; There is an error in XML document (8, 37). ---&gt; The string '%27' is not a valid AllXsd
value.</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>
...
Issue 13 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/ws.asmx
Entity: [SOAP]transferAmount_3(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 14 of 15
Raw Test Response:
...
<transferDate>2000-01-01</transferDate>
<debitAccount>1001160141</debitAccount>
<creditAccount>1001160141</creditAccount>
<transferAmount>%27</transferAmount>
</transDetails>
</TransferBalance>
</soap:Body>
</soap:Envelope>
HTTP/1.1 500 Internal Server Error
Date: Sun, 22 Jul 2012 08:37:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Content-Length: 478
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server was unable to
read request. ---&gt; There is an error in XML document (11, 41). ---&gt; Input string was not in a correct
format.</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>
...
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: before(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Issue 15 of 15
Application Error
Severity:
Informational
URL: http://demo.testfire.net/bank/transaction.aspx
Entity: after(Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking were not performed on incoming parameter values
No validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive
information.
Raw Test Response:
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/transaction.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 175
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTYzNDg3OTA4NmRk&__EVENTVALIDATION=%2FwEWBgKV3oKhDgK3oeuaBAK3oaesDgK3oZPRBQK3oa%
2BJCgK3oZuuAQ%3D%3D&after=1234&before=%27
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:30:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Raw Test Response:
Application Test Script Detected (Informational) 1
Issue 1 of 1
Application Test Script Detected
Severity:
Informational
URL: http://demo.testfire.net/survey_questions.aspx
Entity: test.aspx(Page)
Risk: It is possible to download temporary script files, which can expose the application logic and other sensitive information such as
usernames and passwords
Causes: Temporary files were left in production environment
Fix: Remove test scripts from the server
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The response status was 200 OK.
This indicates that the test succeeded in retrieving the content of the requested file.
...
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://demo.testfire.net/bank/transaction.aspx
Host: demo.testfire.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 175
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTYzNDg3OTA4NmRk&__EVENTVALIDATION=%2FwEWBgKV3oKhDgK3oeuaBAK3oaesDgK3oZPRBQK3oa%
2BJCgK3oZuuAQ%3D%3D&after=%27&before=1234
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 22 Jul 2012 08:30:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
...
Test Request: Test Response
Email Address Pattern Found (Informational) 3
Issue 1 of 3
Email Address Pattern Found
Severity:
Informational
URL: http://demo.testfire.net/subscribe.aspx
Entity: subscribe.aspx(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or
sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove email addresses from the web site
Reasoning: The response contains an email address that may be private.
GET /test.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, application/vnd.ms-excel,
application/msword, */*
Referer: http://demo.testfire.net/survey_questions.aspx?step=a
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET
CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: demo.testfire.net
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55;
amSessionId=334738728;
amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014;
amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
...
Referer: http://demo.testfire.net/survey_questions.aspx?step=a
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET
CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: demo.testfire.net
Cookie: ASP.NET_SessionId=wh542tn0dduonh55mkqtnr55;
amSessionId=334738728;
amUserInfo=UserName=anNtaXRo&Password=ZGVtbzEyMzQ=;
amUserId=100116014;
amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
HTTP/1.1 200 OK
Date: Sun, 22 Jul 2012 08:20:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 558
...
Raw Test Response:
...
<h1>Subscribe</h1>
<p>We recognize that things are always evolving and changing here at Altoro Mutual.
Issue 2 of 3
Email Address Pattern Found
Severity:
Informational
URL: http://demo.testfire.net/survey_complete.aspx
Entity: survey_complete.aspx(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or
sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove email addresses from the web site
Reasoning: The response contains an email address that may be private.
Please enter your email below and we will automatically notify of noteworthy events.</p>
<form action="subscribe.aspx" method="post" name="subscribe" id="subscribe" onsubmit="return confirmEmail(txtEmail.value);">
<table>
<tr>
<td colspan="2">
<span id="_ctl0__ctl0_Content_Main_message" style="color:Red;font-size:12pt;font-weight:bold;">Thank you. Your email
[email protected] has been accepted.</span>
</td>
</tr>
<tr>
<td>
Email:
</td>
<td>
<input type="text" id="txtEmail" name="txtEmail" value="" style="width: 150px;">
</td>
...
Raw Test Response:
...
<li><a id="_ctl0__ctl0_Content_MenuHyperLink18" href="default.aspx?content=inside_careers.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div style="width: 99%;">
<h1><span id="_ctl0__ctl0_Content_Main_lblTitle">Thanks</span></h1>
<span id="_ctl0__ctl0_Content_Main_lblContent"><p>Thanks for your entry. We will contact you shortly at:<br /><br />
<b>[email protected]</b></p></span>
</div>
</td>
</tr>
</table>
...
Issue 3 of 3
Email Address Pattern Found
Severity:
Informational
URL: http://demo.testfire.net/bank/mozxpath.js
Entity: mozxpath.js(Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or
sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove email addresses from the web site
Reasoning: The response contains an email address that may be private.
HTML Comments Sensitive Information Disclosure (Informational) 5
Issue 1 of 5
Raw Test Response:
...
Content-Length: 1414
Content-Type: application/x-javascript
Last-Modified: Thu, 13 Jan 2011 04:14:33 GMT
Accept-Ranges: bytes
ETag: "9670cb61d8b2cb1:104e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 22 Jul 2012 08:03:08 GMT
// mozXPath [http://km0ti0n.blunted.co.uk/mozxpath/] [email protected]
// Code licensed under Creative Commons Attribution-ShareAlike License
// http://creativecommons.org/licenses/by-sa/2.5/
if( document.implementation.hasFeature("XPath", "3.0") )
{
XMLDocument.prototype.selectNodes = function(cXPathString, xNode)
{
if( !xNode ) { xNode = this; }
var oNSResolver = this.createNSResolver(this.documentElement)
...
HTML Comments Sensitive Information Disclosure
Severity:
Informational
URL: http://demo.testfire.net/bank/account.aspx
Entity: To modify account information do not connect to SQL source directly. Make all changes (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or
sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments
Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.
Issue 2 of 5
HTML Comments Sensitive Information Disclosure
Severity:
Informational
URL: http://demo.testfire.net/bank/login.aspx
Entity: To get the latest admin login, please contact SiteOps at 4155556159 (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or
sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments
Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.
Original Response
...
<br style="line-height: 10px;"/>
<b>I WANT TO ...</b>
<ul class="sidebar">
<li><a id="_ctl0__ctl0_Content_MenuHyperLink1" href="main.aspx">View Account Summary</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink2" href="transaction.aspx">View Recent Transactions</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink3" href="transfer.aspx">Transfer Funds</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink4" href="queryxpath.aspx">Search News Articles</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink5" href="customize.aspx">Customize Site Language</a></li>
</ul>
<span id="_ctl0__ctl0_Content_Administration"></span>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<!-- To modify account information do not connect to SQL source directly. Make all changes
through the admin page. -->
<h1>Account History - <span id="_ctl0__ctl0_Content_Main_accountid">1001160141</span></h1>
<table width="590" border="0">
<tr>
<td colspan=2>
<table cellSpacing="0" cellPadding="1" width="100%" border="1">
<tr>
<th colSpan="2">
...
21/08/2012 113
Original Response
...
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Online Banking Login</h1>
<!-- To get the latest admin login, please contact SiteOps at 415-555-6159 -->
<p><span id="_ctl0__ctl0_Content_Main_message" style="color:#FF0066;font-size:12pt;font-weight:bold;"></span></p>
<form action="login.aspx" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" id="uid" name="uid" value="jsmith" style="width: 150px;">
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type="password" id="passw" name="passw" style="width: 150px;">
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" name="btnSubmit" value="Login">
</td>
</tr>
</table>
</form>
</div>
<script>
function setfocus() {
if (document.login.uid.value=="") {
document.login.uid.focus();
} else {
document.login.passw.focus();
}
}
function confirminput(myform) {
if (myform.uid.value.length && myform.passw.value.length) {
return (true);
} else if (!(myform.uid.value.length)) {
myform.reset();
myform.uid.focus();
alert ("You must enter a valid username");
return (false);
} else {
myform.passw.focus();
alert ("You must enter a valid password");
return (false);
}
}
window.onload = setfocus;
</script>
</td>
</tr>
...
Issue 3 of 5
HTML Comments Sensitive Information Disclosure
Severity: Informational
URL: http://demo.testfire.net/bank/apply.aspx
Entity: Password is not revalidated but stored in (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments
Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.
Original Response
...
<br style="line-height: 10px;"/>
<b>I WANT TO ...</b>
<ul class="sidebar">
<li><a id="_ctl0__ctl0_Content_MenuHyperLink1" href="main.aspx">View Account Summary</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink2" href="transaction.aspx">View Recent Transactions</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink3" href="transfer.aspx">Transfer Funds</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink4" href="queryxpath.aspx">Search News Articles</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink5" href="customize.aspx">Customize Site Language</a></li>
</ul>
<span id="_ctl0__ctl0_Content_Administration"></span>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Altoro Mutual
<span id="_ctl0__ctl0_Content_Main_lblType">Gold</span>
Visa Application</h1>
...
...
Visa Application</h1>
<!--
userid = userCookie.Values["UserID"].ToString();
cLimit = Request.Cookies["Limit"].Value;
cInterest = Request.Cookies["Interest"].Value;
cType = Request.Cookies["CardType"].Value;
-->
<span id="_ctl0__ctl0_Content_Main_lblMessage"><p><b>No application is needed.</b>To approve your new $10000 Altoro Mutual Gold
Visa<br />with an 7.9% APR simply enter your password below.</p><form method="post" name="Credit" action="apply.aspx"><table
border=0><tr><td>Password:</td><td><input type="password" name="passwd"></td></tr><tr><td></td><td><input type="submit" name="Submit"
value="Submit"></td></tr></table></form></span>
<!--
Password is not revalidated but stored in
mainframe for non-repudiation purposes.
-->
</div>
</td>
</tr>
</table>
...
Issue 4 of 5
HTML Comments Sensitive Information Disclosure
Severity: Informational
URL: http://demo.testfire.net/admin/admin.aspx
Entity: Be careful what you change. All changes are made directly to Altoro.mdb database. (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments
Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.
Original Response
...
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7861
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Administration
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><link href="../style.css" rel="stylesheet"
type="text/css" /></head>
<body style="margin-top:5px;">
<div id="header" style="margin-bottom:5px; width: 99%;">
<form id="frmSearch" method="get" action="/search.aspx">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td rowspan="2"><a id="_ctl0__ctl0_HyperLink1" href="../default.aspx" style="height:80px;width:183px;"><img
src="../images/logo.gif" border="0" /></a></td>
<td align="right" valign="top">
...
...
<td width="25%" class="cc bt br bb"><div id="Header3"><a id="_ctl0__ctl0_Content_LinkHeader3" class="focus" href="../default.aspx?
content=business.htm">SMALL BUSINESS</a></div></td>
<td width="25%" class="cc bt bb"><div id="Header4"><a id="_ctl0__ctl0_Content_LinkHeader4" class="focus" href="../default.aspx?
content=inside.htm">INSIDE ALTORO MUTUAL</a></div></td>
</tr>
<tr>
<td valign="top" class="cc br bb">
<br style="line-height: 10px;"/>
<b>I WANT TO ...</b>
<ul class="sidebar">
<li><a id="_ctl0__ctl0_Content_MenuHyperLink1" href="application.aspx">View Application Values</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink2" href="admin.aspx">Edit Users</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<script language="javascript">
function confirmpass(myform)
{
if (myform.password1.value.length && (myform.password1.value==myform.password2.value))
{
return true;
}
else
{
myform.password1.value="";
myform.password2.value="";
myform.password1.focus();
alert ("Passwords do not match");
return false;
}
}
</script>
<!-- Be careful what you change. All changes are made directly to Altoro.mdb database. -->
<h1>Edit User Information</h1>
<table width="100%" border="0">
<form id="addAccount" name="addAccount" action="admin.aspx" method="post">
<tr>
<td colspan="4">
<h2>Add an account to an existing user.</h2>
</td>
</tr>
<tr>
<th>
Users:
</th>
<th>
Account Types:
</th>
<th>&nbsp;</th>
<th>&nbsp;</th>
</tr>
<tr>
<td>
<select id="" name="" ><option value="1">1 admin</option><option value="2">2 tuser</option><option value="100116013">100116013
sjoe</option><option value="100116014">100116014 jsmith</option><option value="100116015">100116015 cclay</option><option
value="100116018">100116018 sspeed</option></select>
</td>
<td>
<Select name="accttypes">
<option Value="Checking">Checking</option>
<option Value="Savings" Selected>Savings</option>
<option Value="IRA">IRA</option>
</Select></td>
<td></td>
<td><input type="submit" value="Add Account"></td>
...
...
<Select name="accttypes">
<option Value="Checking">Checking</option>
<option Value="Savings" Selected>Savings</option>
<option Value="IRA">IRA</option>
</Select></td>
<td></td>
<td><input type="submit" value="Add Account"></td>
</tr>
</form>
<form id="changePass" name="changePass" action="admin.aspx" method="post" onsubmit="return confirmpass(this);">
<tr>
<td colspan="4"><h2>Change user's password.</h2></td>
</tr>
<tr>
<th>
Users:
</th>
<th>
Password:
</th>
<th>
Confirm:
</th>
<th>&nbsp;</th>
</tr>
<tr>
<td>
<select id="" name="" ><option value="1">1 admin</option><option value="2">2 tuser</option><option value="100116013">100116013
sjoe</option><option value="100116014">100116014 jsmith</option><option value="100116015">100116015 cclay</option><option
value="100116018">100116018 sspeed</option></select>
</td>
<td>
<input type="--begin_...
Issue 5 of 5
HTML Comments Sensitive Information Disclosure
Severity: Informational
URL: http://demo.testfire.net/admin/login.aspx
Entity: Password: Altoro1234 (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments
Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.
Original Response
...
Content-Type: text/html; charset=iso-8859-1
Content-Length: 8215
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head id="_ctl0__ctl0_head"><title>
Altoro Mutual: Administration
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><link href="../style.css" rel="stylesheet"
type="text/css" /></head>
<body style="margin-top:5px;">
<div id="header" style="margin-bottom:5px; width: 99%;">
<form id="frmSearch" method="get" action="/search.aspx">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td rowspan="2"><a id="_ctl0__ctl0_HyperLink1" href="../default.aspx" style="height:80px;width:183px;"><img
src="../images/logo.gif" border="0" /></a></td>
<td align="right" valign="top">
...
...
</table>
</form>
</div>
<div id="wrapper" style="width: 99%;">

<table cellspacing="0" width="100%">
<tr>
<td width="25%" class="bt br bb"><div id="Header1"><img id="_ctl0__ctl0_Content_Image1" src="../images/pf_lock.gif" alt="Secure
Login" align="absbottom" border="0" style="height:14px;width:12px;" /> &nbsp; <a id="_ctl0__ctl0_Content_AccountLink" title="You do not
appear to have authenticated yourself with the application. Click here to enter your valid username and password." class="focus"
href="../bank/login.aspx">ONLINE BANKING LOGIN</a></div></td>
<td width="25%" class="cc bt br bb"><div id="Header2"><a id="_ctl0__ctl0_Content_LinkHeader2" class="focus" href="../default.aspx?
content=personal.htm">PERSONAL</a></div></td>
<td width="25%" class="cc bt br bb"><div id="Header3"><a id="_ctl0__ctl0_Content_LinkHeader3" class="focus" href="../default.aspx?
content=business.htm">SMALL BUSINESS</a></div></td>
<td width="25%" class="cc bt bb"><div id="Header4"><a id="_ctl0__ctl0_Content_LinkHeader4" class="focus" href="../default.aspx?
content=inside.htm">INSIDE ALTORO MUTUAL</a></div></td>
</tr>
<tr>
<td valign="top" class="cc br bb">
<br style="line-height: 10px;"/>
<a id="_ctl0__ctl0_Content_CatLink1" class="subheader" href="../default.aspx?content=personal.htm">PERSONAL</a>
<ul class="sidebar">
...
...
<li><a id="_ctl0__ctl0_Content_MenuHyperLink15" href="../cgi.exe">Locations</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink16" href="../default.aspx?content=inside_investor.htm">Investor
Relations</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink17" href="../default.aspx?content=inside_press.htm">Press Room</a></li>
<li><a id="_ctl0__ctl0_Content_MenuHyperLink18" href="../default.aspx?content=inside_careers.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">
<h1>Administration Login</h1>
<!-- Password: Altoro1234 -->
<form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY5ODYzNjk3NWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAKm/PqICgKaqvKtBQKWuPeSCgL73pWUBA==" />
<img id="captcha" src="captcha.aspx" /><br />
<p>
<strong>Enter the code shown above:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:CodeNumberTextBox" type="text" id="_ctl0__ctl0_Content_Main_CodeNumberTextBox" /><br /><br />
...
...
<form name="aspnetForm" method="post" action="login.aspx" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY5ODYzNjk3NWRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAKm/PqICgKaqvKtBQKWuPeSCgL73pWUBA==" />
<img id="captcha" src="captcha.aspx" /><br />
<p>
<strong>Enter the code shown above:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:CodeNumberTextBox" type="text" id="_ctl0__ctl0_Content_Main_CodeNumberTextBox" /><br /><br />
<strong>Enter the administrative password:</strong><br />
<input name="_ctl0:_ctl0:Content:Main:Password" type="password" id="_ctl0__ctl0_Content_Main_Password" /><br /><br />
<input type="submit" name="_ctl0:_ctl0:Content:Main:SubmitButton" value="Submit" id="_ctl0__ctl0_Content_Main_SubmitButton" /><br />
</p>
<p><span id="_ctl0__ctl0_Content_Main_MessageLabel"></span></p>
</form>
<script>
window.onload = document.forms[1].elements[1].focus();
</scrip...
Issue 1 of 1
Possible Server Path Disclosure Pattern Found
Severity: Informational
URL: http://demo.testfire.net/feedback.aspx
Entity: feedback.aspx (Page)
Risk: It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application
Causes: Latest patches or hotfixes for 3rd party products were not installed
Fix: Download the relevant security patch for your web server or web application.
Reasoning: The response contains the absolute paths and/or filenames of files on the server.
Raw Test Response:
...
<p>Our Frequently Asked Questions area will help you with many of your inquiries.<br />
If you can't find your question, return to this page and use the e-mail form below.</p>
<p><b>IMPORTANT!</b> This feedback facility is not secure. Please do not send any <br />
account information in a message sent from here.</p>
<form name="cmt" method="post" action="comment.aspx">
<!--- Dave- Hard code this into the final script - Possible security problem.
Re-generated every Tuesday and old files are saved to .bak format at L:\backup\website\oldfiles --->
<input type="hidden" name="cfile" value="comments.txt">
<table border=0>
<tr>
<td align=right>To:</td>
<td valign=top><b>Online Banking</b> </td>
</tr>
<tr>
<td align=right>Your Name:</td>
...