Scribd
Upload
361 views

Error in Code of Movie File

The document summarizes the findings of debugging a movie booking application. It identifies 10 issues found in the application's PHP files and database, including undefined functions, missing connectivity between forms and the database, and undefined session variables. It then summarizes the results of a vulnerability scan on the application, finding medium risks of HTTP TRACE support enabling cross-site tracing and cookie theft, and possible source code disclosure. A low risk of directory listing was also identified.

Uploaded by

Jacqueline Oneal
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
361 views

Error in Code of Movie File

The document summarizes the findings of debugging a movie booking application. It identifies 10 issues found in the application's PHP files and database, including undefined functions, missing connectivity between forms and the database, and undefined session variables. It then summarizes the results of a vulnerability scan on the application, finding medium risks of HTTP TRACE support enabling cross-site tracing and cookie theft, and possible source code disclosure. A low risk of directory listing was also identified.

Uploaded by

Jacqueline Oneal
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

A comprehensive deliverables of given case study (Movie_booking)

Debugged Information of given php file and database


1.
2.
3.
4.

session_register() // function undefined in checklogin.php


myusername and mypassword // credentials does not pass through checklogin.php
mysql_fetch_object() // function not used in checklogin.php
There were no connectivity between select movie to the database in first.php i.e.
<option value="">--Select movie--</option>
<?php $tbl_name="movie"; // Table name ?>
<?php $result= mysql_query("SELECT * FROM $tbl_name"); ?>
<?php while($row= mysql_fetch_assoc($result)) { ?>
<option value="<?php echo $row['movie_id'];?>">
<?php echo $row['movie_name']; ?>
</option>
<?php } ?>
5. $username = $_SESSION['myusername'];// function Undefined in first page in first.php
6. <option value="">--Select City--</option> //there were undefined value. Value should
be;
7. <option value="">--Select City--</option> // Table name ?>
<?php $result= mysql_query("SELECT * FROM $tbl_name"); ?>
<?php while($row= mysql_fetch_assoc($result)) { ?>
<option value="<?php echo $row['city_id'];?>">
<?php echo $row['city_name']; ?>
</option>
8. $_SESSION variables, values of a variable that doesn't exist in schedule.php
<?php
session_start();
$city= $_POST['city'];
$movie= $_POST['movie'];
$date = $_POST['date'];
$city = stripslashes($city);
$movie = stripslashes($movie);
$date = stripslashes($date);
//session_register("city");
//session_register("movie");
//session_register("date");
?>
9. $username = $_SESSION['myusername']; // function undefined in schedule.php
10. $username = $_SESSION['myusername']; // function not define in book.php

Vulnerability has been identified in given application: Vega Tool used


After debugging the source code of given file and database, performed the said tool and find the
vulnerability as below;

http://localhost/Movie/main.php

Medium Risk: Two has been Identified


1.Http trace support detected
Classification

Configuration Error

Resource

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Method

TRACE

Risk

Medium

REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive
User-Agent: UserAgent

DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via

XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing.
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP
TRACE..
Code Disclosure
2. Possible source code disclosure
Classification

Information

Resource

/Movie/main.php

Risk

Medium

REQUEST
GET /Movie/main.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
//session_destroy();
?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code.
Application source code unintentedly visible to remote clients can be a security vulnerability.
This can occur in applications using technologies such as PHP and JSP, which allow for code to
be mixed with static presentation content. For example, in-line code is sometimes commented

using HTML comments, resulting in it being transmitted to remote clients. For an attacker,
source code can reveal information about the nature of the application, such as its design or the
use of third-party components. Sometimes sensitive information, such as a database connection
string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers.
Source code fragments can include information about the design/structure of the
application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords
(database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source
code.
Low Risk: One identified
1. Directory Listing Detected
Classification

Configuration Error

Resource

/Movie/

Risk

Low

REQUEST
GET /Movie/
RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>

<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a


href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION
Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.
IMPACT
The server is outputting the contents of directories.
This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.

http://localhost/Movie/first.php

Medium Risk: 3 Identified


1. Http trace support detected
Classification

Configuration Error

Resource

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Method

TRACE

Risk

Medium

REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive
User-Agent: UserAgent

DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via
XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing.
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.

For IIS based servers, the EnableTraceMethod registry

2. Local Filesystem Paths Found


Classification

Information

Resource

/Movie/first.php

Risk

Medium

REQUEST
GET /Movie/first.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\first.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web
root). This information is sensitive, as it may reveal things about the server environment to an
attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full
system paths are very often found in error output. This output should never be sent to clients on
production systems. It should be redirected to another output channel (such as an error log) for
analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content.
Disclosure of these paths reveals information about the filesystem layout.
This information can be sensitive, its disclosure can increase the chances of success for
other attacks.
REMEDIATION
Absolute paths are often found in error output.
Both the system administrators and developers should be made aware, as the problem
may be due to an application error or server misconfiguration.
Error output containing sensitive information such as absolute system paths should not be
sent to remote clients on production servers.
This output should be sent to another output stream, such as an error log.

3. Possible Source Code DisclosureClassification

Information

Resource

/Movie/first.php

Risk

Medium

REQUEST
GET /Movie/first.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
if(!$_SESSION['myusername']){
header("location:main.php");
}
?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code.
Application source code unintentedly visible to remote clients can be a security vulnerability.
This can occur in applications using technologies such as PHP and JSP, which allow for code to
be mixed with static presentation content. For example, in-line code is sometimes commented
using HTML comments, resulting in it being transmitted to remote clients. For an attacker,
source code can reveal information about the nature of the application, such as its design or the
use of third-party components. Sometimes sensitive information, such as a database connection
string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers.
Source code fragments can include information about the design/structure of the
application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords
(database connection strings).
REMEDIATION

The developer should verify that the output detected by Vega is in fact application source
code.
The cause should be determined, and the material removed or prevented from being
output.
Low Risk: 1 indentified
1. Directory Listing DetectedClassification

Configuration Error

Resource

/Movie/

Risk

Low

REQUEST
GET /Movie/
RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION
Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.

IMPACT
The server is outputting the contents of directories.
This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.
Info: Possible AJAX code detected
Classification

Information

Resource

/Movie/first.php

Risk

Info

REQUEST
GET /Movie/first.php
RESOURCE CONTENT
function showmovie(str)
{
if (str=="")
{
document.getElementById("movie").innerHTML="";
return;
}
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
...

DISCUSSION
AJAX (Asynchronous Javascript and XML) refers to a collection of technologies used to make
the user experience of web applications more interactive. AJAX functionality often involves the
asynchronous sending of requests and processing of their responses using Javascript, without
requiring page reloads. The endpoints on the server side often accept parameters, making them
injection points where vulnerabilities could exist.
IMPACT
Vega has detected content the use of AJAX, indicating the existence of possible injection
points where vulnerabilities may exist.
The AJAX backend API should be manually inspected for vulnerabilities.
REMEDIATION
This is not a vulnerability. This alert is only to flag that code associated with use of
AJAX has been detected in scanned content. Backend AJAX interfaces can expose
possible vulnerabilities and manual inspection should be included in any comprehensive
security assessment.

http://localhost /Movie/schedule.php

High Risk- 2 found


1. Session Cookie Without HttpOnly Flag
Classification

Information

Resource

/Movie/schedule.php

Risk

High

REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION

Vega has detected that a session cookie may have been set without the HttpOnly flag. When this
flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly
flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target
session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature,
attacker-supplied script code will not be able to access the cookie.
REMEDIATION
When creating the cookie in the code, set the HttpOnly flag to true.
2. Session Cookie Without Secure Flag
Classification

Information

Resource

/Movie/schedule.php

Risk

High

REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION
Vega has detected that a known session cookie may have been set without the secure flag.
IMPACT
Cookies can be exposed to network eavesdroppers.
Session cookies are authentication credentials; attackers who obtain them can get
unauthorized access to affected web applications.
REMEDIATION
When creating the cookie in the code, set the secure flag to true.
Medium Risk: 2 Identified
1. HTTP Trace Support Detected-

Classification

Configuration Error

Resource

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Method

TRACE

Risk

Medium

REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive
User-Agent: UserAgent

DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via
XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing.
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION

For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP
TRACE
2. Local File System Paths FoundClassification

Information

Resource

/Movie/schedule.php

Risk

Medium

REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\schedule.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web
root). This information is sensitive, as it may reveal things about the server environment to an
attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full
system paths are very often found in error output. This output should never be sent to clients on
production systems. It should be redirected to another output channel (such as an error log) for
analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content.
Disclosure of these paths reveals information about the filesystem layout.
This information can be sensitive, its disclosure can increase the chances of success for
other attacks.
REMEDIATION
Absolute paths are often found in error output.
Both the system administrators and developers should be made aware, as the problem
may be due to an application error or server misconfiguration.
Error output containing sensitive information such as absolute system paths should not be
sent to remote clients on production servers.

This output should be sent to another output stream, such as an error log.

Low Risk: 1 Found


Directory Listing DetectedClassification

Configuration Error

Resource

/Movie/

Risk

Low

REQUEST
GET /Movie/
RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION
Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.
IMPACT

The server is outputting the contents of directories.


This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.

http://localhost /Movie/book.php

Medium Risk: 3 Found


1. HTTP Trace Support Detected
Classification

Configuration Error

Resource

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Method

TRACE

Risk

Medium

REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive

User-Agent: UserAgent

DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via
XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing.
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP
TRACE..
2. Local Filesystem Paths Found
Classification

Information

Resource

/Movie/book.php

Risk

Medium

REQUEST
GET /Movie/book.php
RESOURCE CONTENT

C:\xampp\htdocs\Movie\book.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web
root). This information is sensitive, as it may reveal things about the server environment to an
attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full
system paths are very often found in error output. This output should never be sent to clients on
production systems. It should be redirected to another output channel (such as an error log) for
analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content.
Disclosure of these paths reveals information about the filesystem layout.
This information can be sensitive, its disclosure can increase the chances of success for
other attacks.
REMEDIATION
Absolute paths are often found in error output.
Both the system administrators and developers should be made aware, as the problem
may be due to an application error or server misconfiguration.
Error output containing sensitive information such as absolute system paths should not be
sent to remote clients on production servers.
This output should be sent to another output stream, such as an error log.
3. Possible Source Code Disclosure
Classification

Information

Resource

/Movie/book.php

Risk

Medium

REQUEST
GET /Movie/book.php
RESOURCE CONTENT
Possible PHP code:
<?

session_start();
?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code.
Application source code unintentedly visible to remote clients can be a security vulnerability.
This can occur in applications using technologies such as PHP and JSP, which allow for code to
be mixed with static presentation content. For example, in-line code is sometimes commented
using HTML comments, resulting in it being transmitted to remote clients. For an attacker,
source code can reveal information about the nature of the application, such as its design or the
use of third-party components. Sometimes sensitive information, such as a database connection
string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers.
Source code fragments can include information about the design/structure of the
application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords
(database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source
code.
The cause should be determined, and the material removed or prevented from being
output.
Low Risk: 1 Found
1. Directory Listing Detected
Classification

Configuration Error

Resource

/Movie/

Risk

Low

REQUEST
GET /Movie/

RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION
Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.
IMPACT
The server is outputting the contents of directories.
This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.

http://localhost /Movie/booked.php

Medium Risk: 2 Found


1. HTTP Trace Support DetectedClassification

Configuration Error

Resource

Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

Method

TRACE

Risk

Medium

REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: localhost
Connection: Keep-Alive
User-Agent: UserAgent

DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to
the client. This includes headers that were sent along with the request. Support for HTTP
TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but
cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly
flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a
cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for
HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site
scripting vulnerability to have the target user's browser issue a TRACE request to the server via
XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which
will contain the request that was sent by the browser, including cookies.
IMPACT

Allowing HTTP TRACE can permit cross-site tracing.


Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value
of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for
HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP
TRACE..
2. Possible Source Code DisclosureClassification

Information

Resource

/Movie/booked.php

Risk

Medium

REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
Possible PHP code:
<?
session_start();
?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code.
Application source code unintentedly visible to remote clients can be a security vulnerability.
This can occur in applications using technologies such as PHP and JSP, which allow for code to
be mixed with static presentation content. For example, in-line code is sometimes commented
using HTML comments, resulting in it being transmitted to remote clients. For an attacker,
source code can reveal information about the nature of the application, such as its design or the
use of third-party components. Sometimes sensitive information, such as a database connection
string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers.

Source code fragments can include information about the design/structure of the
application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords
(database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source
code.
The cause should be determined, and the material removed or prevented from being
output.
Low Risk: 1 found
1. Directory Listing Detected
Classification

Configuration Error

Resource

/Movie/

Risk

Low

REQUEST
GET /Movie/
RESOURCE CONTENT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /Movie</title>
</head>
<body>
<h1>Index of /Movie</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a
href="?C=N;O=D">Name</a></th><th><a
href="?C=M;O=A">Last
modified</a></th><th><a
href="?C=S;O=A">Size</a></th><th><a
href="?C=D;O=A">Description</a></th></tr>
<tr><t...
DISCUSSION

Listing directory contents when no index file is present in a common misconfiguration. The
directory contents can provide useful information to an attacker, especially if there are files that
are not meant to be accessible, such as source code or backups. The directory listing may also
provide useful information about the habits of the server administration and/or web developers,
such as file naming convention, that could be used to increase the probable success of brute-force
or other attacks.
IMPACT
The server is outputting the contents of directories.
This could expose files not meant for user retrieval (old htaccess files, backups, source
code).
The directory listing may additionally provide useful information about the system layout
and characteristics, such as naming conventions used by the developers and
administrators.
This information can increase the probability of success for blind attacks and brute force
guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file,
or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks
MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable""
in your lighttpd configuration file.
Info:1 found
1. Character Set Not Specified
Classification

Information

Resource

/Movie/booked.php

Risk

Info

REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
/Movie/booked.php
DISCUSSION

Vega has detected that the resource has not specified a character set in the response. If the
character set is not specified, the browser may make assumptions about the character set based
on resource content. This may present a security concern if the affected resource contains
dynamically-generated content that originates from users. In such a case, malicious users may
potentially take advantage of how specific browsers interpret characters to cause malicious
content to be rendered. For example, an attacker may be able to bypass a cross-site scripting
filter by encoding their malicious payload in an alternate character set, which may be executed
depending on how the browser interprets the encoded content.
REMEDIATION
Specify a well-defined character set (such as UTF-8) within the response header contenttype or the response body.

Log details of tool used and observation

11:32:03 PM [INFO] (scanner) Starting crawling phase


Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-source) [/Movie/main.php]
Publishing Alert: (vinfo-source) [/Movie/main.php]
11:32:11 PM [INFO] (scanner) Crawler finished
11:32:11 PM [INFO] (scanner) Scanner completed
11:32:11 PM [INFO] (scanner) Scanning module runtime statistics:
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
Path Disclosure
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Authentication Over Unencrypted HTTP
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.636 ms [worst: 6 ms @(/Movie/)
] for Error Page Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 2.000 ms [worst: 10 ms @(/Movie/)
] for Insecure Cross-Domain Policy
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 3.364 ms [worst: 14 ms @(/) ] for
File Upload Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
WSDL Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.455 ms [worst: 5 ms @(/Movie/)
] for RSS/Atom/OPL Feed Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for
HTTP Header Checks
11:32:11 PM [INFO] (scanner) Invocations: 11 Average:
0.818 ms [worst:
2 ms
@(/Movie/main.php) ] for Insecure Script Include
11:32:11 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/main.php) ] for Internal IP Addressess

11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for


Cookie Security Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average:
1.545 ms [worst:
4 ms
@(/Movie/main.php) ] for Cleartext Password Over HTTP
11:32:11 PM [INFO] (scanner) Invocations: 11 Average:
4.182 ms [worst:
35 ms
@(/Movie/main.php) ] for Source Code Disclosure Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for
Character Set Not Specified
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Empty Reponse Body Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 2 ms @(/Movie/)
] for Unsafe Or Unrecognized Character Set
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 7.545 ms [worst: 29 ms @(/Movie/)
] for Interesting Meta Tag Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Oracle Application Server Fingerprint Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.091 ms [worst: 2 ms @(/Movie/)
] for Form autocomplete
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
AJAX Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Version Control String Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 6.727 ms [worst: 56 ms @(/Movie/)
] for Directory Listing Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Cookie Scope Detection
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 1.000 ms [worst: 5 ms @(STATE:
[GET /]) ] for Eval Code Injection
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for XML Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for HTTP Header Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Remote File Include Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/main.php]) ] for Shell Injection Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 7.000 ms [worst: 15 ms @(STATE:
[GET /Movie/main.php]) ] for HTTP Trace Probes
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for URL Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE:
[GET /]) ] for Cross Domain Policy Auditor
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Local File Include Checks

11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:


[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Text Injection Differential Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XSS Injection checks
11:32:46 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
11:33:09 PM [INFO] (scanner) Crawler finished
11:33:09 PM [INFO] (scanner) Scanner completed
11:33:09 PM [INFO] (scanner) Scanning module runtime statistics:
11:33:09 PM [INFO] (scanner) Invocations: 11 Average:
7.091 ms [worst:
53 ms
@(/Movie/first.php) ] for Path Disclosure
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Authentication Over Unencrypted HTTP
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.273 ms [worst: 2 ms @(/Movie/)
] for Error Page Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 10 ms @(/Movie/)
] for Insecure Cross-Domain Policy
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
File Upload Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
WSDL Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for
RSS/Atom/OPL Feed Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Header Checks
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.455 ms [worst: 1 ms @(/) ] for
Insecure Script Include
11:33:09 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/first.php) ] for Internal IP Addressess
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Cookie Security Module

11:33:09 PM [INFO] (scanner) Invocations: 11 Average:


0.909 ms [worst:
2 ms
@(/Movie/first.php) ] for Cleartext Password Over HTTP
11:33:09 PM [INFO] (scanner) Invocations: 11 Average:
1.909 ms [worst:
9 ms
@(/Movie/first.php) ] for Source Code Disclosure Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Character Set Not Specified
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Empty Reponse Body Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for
Unsafe Or Unrecognized Character Set
11:33:09 PM [INFO] (scanner) Invocations: 11 Average:
5.364 ms [worst:
13 ms
@(/Movie/first.php) ] for Interesting Meta Tag Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Oracle Application Server Fingerprint Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for
Form autocomplete
11:33:09 PM [INFO] (scanner) Invocations: 11 Average:
1.909 ms [worst:
11 ms
@(/Movie/first.php) ] for AJAX Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Version Control String Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 2.818 ms [worst: 15 ms @(/Movie/)
] for Directory Listing Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Cookie Scope Detection
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Eval Code Injection
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XML Injection checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/first.php]) ] for HTTP Header Injection checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Remote File Include Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Shell Injection Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 20.400 ms [worst: 86 ms @(STATE:
[GET /Movie/first.php]) ] for HTTP Trace Probes
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for URL Injection checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Cross Domain Policy Auditor
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for Local File Include Checks

11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE:


[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Text Injection Differential Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XSS Injection checks
11:35:45 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-paths) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php]
Publishing Alert: (vinfo-paths) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php]
Publishing Alert: (vinfo-paths) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php]
Publishing Alert: (vinfo-paths) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php]
Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php]
11:36:27 PM [INFO] (scanner) Crawler finished
11:36:27 PM [INFO] (scanner) Scanner completed
11:36:27 PM [INFO] (scanner) Scanning module runtime statistics:
11:36:27 PM [INFO] (scanner) Invocations: 11 Average:
4.000 ms [worst:
24 ms
@(/Movie/schedule.php) ] for Path Disclosure
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Authentication Over Unencrypted HTTP
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/)
] for Error Page Detection
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 1.455 ms [worst: 12 ms @(/Movie/)
] for Insecure Cross-Domain Policy
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/) ] for
File Upload Detection
11:36:27 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/schedule.php) ] for WSDL Detector
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for
RSS/Atom/OPL Feed Detector
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Header Checks
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.636 ms [worst: 1 ms @(/) ] for
Insecure Script Include
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Internal IP Addressess

11:36:27 PM [INFO] (scanner) Invocations: 11 Average:


5.909 ms [worst:
41 ms
@(/Movie/schedule.php) ] for Cookie Security Module
11:36:27 PM [INFO] (scanner) Invocations: 11 Average:
0.909 ms [worst:
2 ms
@(/Movie/schedule.php) ] for Cleartext Password Over HTTP
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for
Source Code Disclosure Module
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/)
] for Character Set Not Specified
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Empty Reponse Body Module
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Unsafe Or Unrecognized Character Set
11:36:27 PM [INFO] (scanner) Invocations: 11 Average:
4.091 ms [worst:
9 ms
@(/Movie/schedule.php) ] for Interesting Meta Tag Detection
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Oracle Application Server Fingerprint Module
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
Form autocomplete
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
AJAX Detector
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Version Control String Detection
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 2.182 ms [worst: 15 ms @(/Movie/)
] for Directory Listing Detection
11:36:27 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/schedule.php) ] for Cookie Scope Detection
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/schedule.php]) ] for Eval Code Injection
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/]) ] for XML Injection checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for HTTP Header Injection checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Remote File Include Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Shell Injection Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 4.800 ms [worst: 6 ms @(STATE:
[GET /]) ] for HTTP Trace Probes
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for URL Injection checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Cross Domain Policy Auditor
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Local File Include Checks

11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:


[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Text Injection Differential Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XSS Injection checks
11:36:53 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-paths) [/Movie/book.php]
Publishing Alert: (vinfo-source) [/Movie/book.php]
Publishing Alert: (vinfo-paths) [/Movie/book.php]
Publishing Alert: (vinfo-source) [/Movie/book.php]
Publishing Alert: (vinfo-paths) [/Movie/book.php]
Publishing Alert: (vinfo-source) [/Movie/book.php]
Publishing Alert: (vinfo-paths) [/Movie/book.php]
Publishing Alert: (vinfo-source) [/Movie/book.php]
11:37:16 PM [INFO] (scanner) Crawler finished
11:37:16 PM [INFO] (scanner) Scanner completed
11:37:16 PM [INFO] (scanner) Scanning module runtime statistics:
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
4.182 ms [worst:
26 ms
@(/Movie/book.php) ] for Path Disclosure
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/book.php) ] for HTTP Authentication Over Unencrypted HTTP
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/)
] for Error Page Detection
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 11 ms @(/Movie/)
] for Insecure Cross-Domain Policy
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
1.000 ms [worst:
3 ms
@(/Movie/book.php) ] for File Upload Detection
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
WSDL Detector
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for
RSS/Atom/OPL Feed Detector
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Header Checks
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
Insecure Script Include
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Internal IP Addressess
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Cookie Security Module
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
1.000 ms [worst:
2 ms
@(/Movie/book.php) ] for Cleartext Password Over HTTP

11:37:16 PM [INFO] (scanner) Invocations: 11 Average:


2.091 ms [worst:
10 ms
@(/Movie/book.php) ] for Source Code Disclosure Module
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Character Set Not Specified
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Empty Reponse Body Module
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Unsafe Or Unrecognized Character Set
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
4.727 ms [worst:
11 ms
@(/Movie/book.php) ] for Interesting Meta Tag Detection
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Oracle Application Server Fingerprint Module
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for
Form autocomplete
11:37:16 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/book.php) ] for AJAX Detector
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Version Control String Detection
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 2.455 ms [worst: 14 ms @(/Movie/)
] for Directory Listing Detection
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Cookie Scope Detection
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/book.php]) ] for Eval Code Injection
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/]) ] for XML Injection checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for HTTP Header Injection checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Remote File Include Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Shell Injection Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 5.000 ms [worst: 7 ms @(STATE:
[GET /]) ] for HTTP Trace Probes
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for URL Injection checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE:
[GET /]) ] for Cross Domain Policy Auditor
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Local File Include Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks

11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:


[GET /Movie/book.php]) ] for Blind SQL Text Injection Differential Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XSS Injection checks
11:38:11 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-source) [/Movie/booked.php]
Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php]
Publishing Alert: (vinfo-source) [/Movie/booked.php]
Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php]
Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php]
Publishing Alert: (vinfo-source) [/Movie/booked.php]
Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php]
11:38:34 PM [INFO] (scanner) Crawler finished
11:38:34 PM [INFO] (scanner) Scanner completed
11:38:34 PM [INFO] (scanner) Scanning module runtime statistics:
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for
Path Disclosure
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
HTTP Authentication Over Unencrypted HTTP
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 2 ms @(/Movie/)
] for Error Page Detection
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.091 ms [worst: 11 ms @(/Movie/)
] for Insecure Cross-Domain Policy
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for
File Upload Detection
11:38:34 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/booked.php) ] for WSDL Detector
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for
RSS/Atom/OPL Feed Detector
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
HTTP Header Checks
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for
Insecure Script Include
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Internal IP Addressess
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for
Cookie Security Module
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for
Cleartext Password Over HTTP
11:38:34 PM [INFO] (scanner) Invocations: 11 Average:
3.909 ms [worst:
24 ms
@(/Movie/booked.php) ] for Source Code Disclosure Module
11:38:34 PM [INFO] (scanner) Invocations: 11 Average:
2.182 ms [worst:
16 ms
@(/Movie/booked.php) ] for Character Set Not Specified

11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for


Empty Reponse Body Module
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/)
] for Unsafe Or Unrecognized Character Set
11:38:34 PM [INFO] (scanner) Invocations: 11 Average:
4.182 ms [worst:
10 ms
@(/Movie/booked.php) ] for Interesting Meta Tag Detection
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Oracle Application Server Fingerprint Module
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.545 ms [worst: 1 ms @(/) ] for
Form autocomplete
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/)
] for AJAX Detector
11:38:34 PM [INFO] (scanner) Invocations: 11 Average:
0.091 ms [worst:
1 ms
@(/Movie/booked.php) ] for Version Control String Detection
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 2.727 ms [worst: 24 ms @(/Movie/)
] for Directory Listing Detection
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for
Cookie Scope Detection
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Eval Code Injection
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XML Injection checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/booked.php]) ] for HTTP Header Injection checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Remote File Include Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Shell Injection Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 5.400 ms [worst: 6 ms @(STATE:
[GET /]) ] for HTTP Trace Probes
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for URL Injection checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for Cross Domain Policy Auditor
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/]) ] for Local File Include Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-20146278) Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE:
[GET /Movie/booked.php]) ] for Blind SQL Text Injection Differential Checks
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE:
[GET /]) ] for XSS Injection checks

You might also like