Phase2 Security Report

This report summarizes the results of a security scan of a web application. It found a total of 106 issues, including 22 high severity issues related to cross-site scripting and session hijacking. The report provides details on the types of vulnerabilities found, the vulnerable URLs, recommendations for fixing the issues, and potential security risks.

Web Application Report

This report includes important security information about your web application.

Security Report
This report was created by IBM Security AppScan Standard 9.0.3, Rules: 1957
Scan started: 4/27/2019 2:58:47 AM
Table of Contents

Introduction
General Information
Login Settings

Summary
Issue Types
Vulnerable URLs
Fix Recommendations
Security Risks
Causes
WASC Threat Classification

Issues Sorted by Issue Type

Cross-Site Scripting 18
DOM Based Cross-Site Scripting 1
Host allows flash access from any domain 1
Parameter System Call Code Injection 1
Stored Cross-Site Scripting 1
Padding Oracle On Downgraded Legacy Encryption (a.k.a. POODLE) 1
Apache Multiviews Attack 1
Autocomplete HTML Attribute Not Disabled for Password Field 1
Bash Shell History File Retrieval 1
Body Parameters Accepted in Query 2
eShoplifting 1
Hidden Directory Detected 3
Missing "Content-Security-Policy" header 20
Missing "X-Content-Type-Options" header 20
Missing "X-XSS-Protection" header 20
TRACE and TRACK HTTP Methods Enabled 1
Application Error 4
Client-Side (JavaScript) Cookie References 1
Email Address in Hidden Parameter 1
Email Address Pattern Found 2
HTML Comments Sensitive Information Disclosure 2
Link to unclassified site 2
Possible Server Path Disclosure Pattern Found 1

4/28/2019 1
Introduction
This report contains the results of a web application security scan performed by IBM Security AppScan Standard.

High severity issues: 22
Medium severity issues: 1
Low severity issues: 70
Informational severity issues: 13
Total security issues included in the report: 106
Total security issues discovered in the scan: 106

General Information
Scan file name: Phase2
Scan started: 4/27/2019 2:58:47 AM
Test policy: Default(Modified)
Host: 192.168.58.129
Operating system: Unknown
Web server: Apache
Application server: Any

Login Settings
Login method: None

Summary

Issue Types 23 TOC

Severity  Issue Type  Number of Issues

H  Cross-Site Scripting  18
H  DOM Based Cross-Site Scripting  1
H  Host allows flash access from any domain  1
H  Parameter System Call Code Injection  1
H  Stored Cross-Site Scripting  1
M  Padding Oracle On Downgraded Legacy Encryption (a.k.a. POODLE)  1
L  Apache Multiviews Attack  1
L  Autocomplete HTML Attribute Not Disabled for Password Field  1
L  Bash Shell History File Retrieval  1
L  Body Parameters Accepted in Query  2
L  eShoplifting  1
L  Hidden Directory Detected  3
L  Missing "Content-Security-Policy" header  20
L  Missing "X-Content-Type-Options" header  20
L  Missing "X-XSS-Protection" header  20
L  TRACE and TRACK HTTP Methods Enabled  1
I  Application Error  4
I  Client-Side (JavaScript) Cookie References  1
I  Email Address in Hidden Parameter  1
I  Email Address Pattern Found  2
I  HTML Comments Sensitive Information Disclosure  2
I  Link to unclassified site  2
I  Possible Server Path Disclosure Pattern Found  1

Vulnerable URLs 25 TOC

Severity  URL  Number of Issues

H  http://192.168.58.129/WebGoat/attack  42
L  http://192.168.58.129/  2
L  http://192.168.58.129/WebGoat/lessons/General/redirect.jsp  1
L  http://192.168.58.129/doc/  1
L  http://192.168.58.129/doc/packages/  1
L  http://192.168.58.129/javascript/  1
L  http://192.168.58.129/WebGoat/javascript/DOMXSS.js  3
L  http://192.168.58.129/WebGoat/javascript/clientSideFiltering.js  3
L  http://192.168.58.129/WebGoat/javascript/clientSideValidation.js  3
L  http://192.168.58.129/WebGoat/javascript/escape.js  3
L  http://192.168.58.129/WebGoat/javascript/eval.js  3
L  http://192.168.58.129/WebGoat/javascript/javascript.js  3
L  http://192.168.58.129/WebGoat/javascript/lessonNav.js  3
L  http://192.168.58.129/WebGoat/javascript/makeWindow.js  3
L  http://192.168.58.129/WebGoat/javascript/menu_system.js  3
L  http://192.168.58.129/WebGoat/javascript/sameOrigin.js  3
L  http://192.168.58.129/WebGoat/javascript/toggle.js  3
L  http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/colorschememapping.xml  3
L  http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/themedata.thmx  3
L  http://192.168.58.129/WebGoat/lessons/Ajax/eval.jsp  3
L  http://192.168.58.129/WebGoat/lessons/Ajax/sameOrigin.jsp  3
L  http://192.168.58.129/WebGoat/reportBug.jsp  4
L  http://192.168.58.129/WebGoat/services/WSDLScanning  3
L  http://192.168.58.129/WebGoat/services/WsSqlInjection  3
L  http://192.168.58.129/WebGoat/source  3

Fix Recommendations 21 TOC

Severity  Remediation Task  Number of Issues

H  Analyze client side code and sanitize its input sources  1
H  Review possible solutions for hazardous character injection  20
H  Set the domain attribute of the allow-access-from entity in the crossdomain.xml file to include specific domain names instead of any domain.  1
M  Implement TLS_FALLBACK_SCSV. Additionally, either disable SSLv3 altogether, or disable all cipher suites that operate in CBC mode over SSLv3.  1
L  Configure your server to use the "Content-Security-Policy" header  20
L  Configure your server to use the "X-Content-Type-Options" header  20
L  Configure your server to use the "X-XSS-Protection" header  20
L  Correctly set the "autocomplete" attribute to "off"  1
L  Disable HTTP TRACE support in your web server  1
L  Do not accept body parameters that are sent in the query string  2
L  Download the relevant security patch for your web server or web application.  1
L  Examine the link to determine whether it is indeed supposed to be included in the web application  2
L  Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely  3
L  Modify the server configuration to disable the Multiviews feature  1
L  Remove business and security logic from the client side  1
L  Remove e-mail addresses from the website  2
L  Remove sensitive information from HTML comments  2
L  Remove the Bash shell history file or restrict access to it  1
L  Remove the recipient e-mail address hidden parameter  1
L  Stop using hidden parameters, or verify reliability of incoming data  1
L  Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions  4

Security Risks 12 TOC

Severity  Risk  Number of Issues

H  It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user  22
H  It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents  1
M  It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations  68
L  It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application  2
L  It may be possible to bypass the web application's authentication mechanism  1
L  It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.  62
L  It is possible to steal goods or services (eShoplifting)  1
L  It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site  3
I  It is possible to gather sensitive debugging information  4
I  The worst case scenario for this attack depends on the context and role of the cookies that are created at the client side  1
I  It is possible to send e-mails through your web application, using spoofed e-mail addresses  1
I  N/A  2

Causes 12 TOC

Severity  Cause  Number of Issues

H  Sanitation of hazardous characters was not performed correctly on user input  20
H  The web application uses client-side logic to create web pages  1
H  The web server or application server is configured in an insecure way  8
L  Insecure web application programming or configuration  65
L  Parameter value manipulation was permitted by the application logic  1
I  Proper bounds checking was not performed on incoming parameter values  4
I  No validation was done to make sure that user input matches the expected data type  4
I  Cookies are created at the client side  1
I  Parameter values were 'hardcoded' in the HTML as a read-only parameter  1
I  Debugging information was left by the programmer in web pages  2
I  N/A  2
I  Latest patches or hotfixes for 3rd-party products were not installed  1

WASC Threat Classification TOC

Threat  Number of Issues

Abuse of Functionality  3
Cross-site Scripting  21
Information Leakage  79
Malicious Content Tests  2
OS Commanding  1
Issues Sorted by Issue Type

H Cross-Site Scripting 18 TOC

Issue 1 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 2 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: station (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 3 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field1 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 4 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: subject (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 5 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field4 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 6 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field6 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 7 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field3 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 8 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field2 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 9 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: account_number (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 10 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field7 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 11 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: field5 (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 12 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: msg (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 13 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: HelpFile (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 14 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: Resource (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 15 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: to (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 16 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: File (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 17 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: User (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

Issue 18 of 18 TOC

Cross-Site Scripting
Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: username (Parameter)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.

H DOM Based Cross-Site Scripting 1 TOC

Issue 1 of 1 TOC

DOM Based Cross-Site Scripting


Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: menu_system.js:409 (Page)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: The web application uses client-side logic to create web pages
Fix: Analyze client side code and sanitize its input sources

Reasoning: Reasoning is not available for this issue.

H Host allows flash access from any domain 1 TOC

Issue 1 of 1 TOC

Host allows flash access from any domain


Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: 192.168.58.129 (Page)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: The web server or application server is configured in an insecure way
Fix: Set the domain attribute of the allow-access-from entity in the crossdomain.xml file to include
specific domain names instead of any domain.

Reasoning: The allow-access-from entity in the crossdomain.xml file was set to asterisk (meaning any
domain)

H Parameter System Call Code Injection 1 TOC

Issue 1 of 1 TOC

Parameter System Call Code Injection


Severity: High
CVSS Score: 10.0
URL: http://192.168.58.129/WebGoat/attack
Entity: HelpFile (Parameter)
Risk: It is possible to run remote commands on the web server. This usually means complete
compromise of the server and its contents
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because the test response contains the
output of the Unix "id" command, indicating that the command was executed successfully
on the server.

H Stored Cross-Site Scripting 1 TOC

Issue 1 of 1 TOC

Stored Cross-Site Scripting


Severity: High
CVSS Score: 7.5
URL: http://192.168.58.129/WebGoat/attack
Entity: HelpFile (Global)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection

Reasoning: The test result seems to indicate a vulnerability because the Global Validation feature
found an embedded script in the response, which was probably injected by a previous test.

M Padding Oracle On Downgraded Legacy Encryption (a.k.a. POODLE) 1 TOC

Issue 1 of 1 TOC

Padding Oracle On Downgraded Legacy Encryption (a.k.a. POODLE)


Severity: Medium
CVSS Score: 6.4
URL: http://192.168.58.129/WebGoat/attack
Entity: 192.168.58.129 (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: The web server or application server is configured in an insecure way
Fix: Implement TLS_FALLBACK_SCSV. Additionally, either disable SSLv3 altogether, or disable all
cipher suites that operate in CBC mode over SSLv3.

Reasoning: The server responded with a Handshake to AppScan's SSLv3 Client Hello with CBC cipher
suites that contain TLS_FALLBACK_SCSV

L Apache Multiviews Attack 1 TOC

Issue 1 of 1 TOC

Apache Multiviews Attack


Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/
Entity: index (Page)
Risk: It is possible to retrieve the absolute path of the web server installation, which might help an
attacker to develop further attacks and to gain information about the file system structure of the web
application
Causes: The web server or application server is configured in an insecure way
Fix: Modify the server configuration to disable the Multiviews feature

Reasoning: The test response indicates that the server reveals some of its page names in the
response

L Autocomplete HTML Attribute Not Disabled for Password Field 1 TOC

Issue 1 of 1 TOC

Autocomplete HTML Attribute Not Disabled for Password Field
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It may be possible to bypass the web application's authentication mechanism
Causes: Insecure web application programming or configuration
Fix: Correctly set the "autocomplete" attribute to "off"

Reasoning: AppScan has found that a password field does not enforce the disabling of the
autocomplete feature.

L Bash Shell History File Retrieval 1 TOC

Issue 1 of 1 TOC

Bash Shell History File Retrieval


Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/
Entity: .bash_history (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: The web server or application server is configured in an insecure way
Fix: Remove the Bash shell history file or restrict access to it

Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The
response status was 200 OK. This indicates that the test succeeded in retrieving the
content of the requested file.

L Body Parameters Accepted in Query 2 TOC

Issue 1 of 2 TOC

Body Parameters Accepted in Query


Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Do not accept body parameters that are sent in the query string

Reasoning: The test result seems to indicate a vulnerability because the Test Response is similar to
the Original Response, indicating that the application processed body parameters that were
submitted in the query

Issue 2 of 2 TOC

Body Parameters Accepted in Query


Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/General/redirect.jsp
Entity: redirect.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Do not accept body parameters that are sent in the query string

Reasoning: The test result seems to indicate a vulnerability because the Test Response is similar to
the Original Response, indicating that the application processed body parameters that were
submitted in the query

L eShoplifting 1 TOC

Issue 1 of 1 TOC

eShoplifting
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: Price (Parameter)
Risk: It is possible to steal goods or services (eShoplifting)
Causes: Parameter value manipulation was permitted by the application logic
Fix: Stop using hidden parameters, or verify reliability of incoming data

Reasoning: The test modified a price parameter, and the application accepted it and embedded it in a
returning form. This may indicate that the application is vulnerable to eShoplifting.

L Hidden Directory Detected 3 TOC

Issue 1 of 3

Hidden Directory Detected

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/doc/
Entity: doc/ (Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server is configured in an insecure way
Fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely

Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Issue 2 of 3

Hidden Directory Detected

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/javascript/
Entity: javascript/ (Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server is configured in an insecure way
Fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely

Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Issue 3 of 3

Hidden Directory Detected

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/doc/packages/
Entity: packages/ (Page)
Risk: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site
Causes: The web server or application server is configured in an insecure way
Fix: Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely

Reasoning: The test tried to detect hidden directories on the server. The 403 Forbidden response reveals the existence of the directory, even though access is not allowed.

Missing "Content-Security-Policy" header (Low severity, 20 issues)

Issue 1 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/javascript.js
Entity: javascript.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 2 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/source
Entity: source (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 3 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WsSqlInjection
Entity: WsSqlInjection (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 4 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/menu_system.js
Entity: menu_system.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 5 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 6 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/lessonNav.js
Entity: lessonNav.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 7 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/makeWindow.js
Entity: makeWindow.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 8 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/toggle.js
Entity: toggle.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 9 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/DOMXSS.js
Entity: DOMXSS.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 10 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/escape.js
Entity: escape.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 11 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/sameOrigin.js
Entity: sameOrigin.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 12 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/eval.js
Entity: eval.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 13 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/reportBug.jsp
Entity: reportBug.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 14 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/eval.jsp
Entity: eval.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 15 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/sameOrigin.jsp
Entity: sameOrigin.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 16 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideFiltering.js
Entity: clientSideFiltering.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 17 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideValidation.js
Entity: clientSideValidation.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 18 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/themedata.thmx
Entity: themedata.thmx (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 19 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/colorschememapping.xml
Entity: colorschememapping.xml (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Issue 20 of 20

Missing "Content-Security-Policy" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WSDLScanning
Entity: WSDLScanning (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "Content-Security-Policy" header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing, which increases exposure to various cross-site injection attacks.

Missing "X-Content-Type-Options" header (Low severity, 20 issues)

Issue 1 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/reportBug.jsp
Entity: reportBug.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 2 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/javascript.js
Entity: javascript.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 3 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/menu_system.js
Entity: menu_system.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 4 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 5 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/source
Entity: source (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 6 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/lessonNav.js
Entity: lessonNav.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 7 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/makeWindow.js
Entity: makeWindow.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 8 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WSDLScanning
Entity: WSDLScanning (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 9 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/toggle.js
Entity: toggle.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 10 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/DOMXSS.js
Entity: DOMXSS.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 11 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WsSqlInjection
Entity: WsSqlInjection (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 12 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/escape.js
Entity: escape.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 13 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/sameOrigin.js
Entity: sameOrigin.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 14 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/eval.js
Entity: eval.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 15 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/eval.jsp
Entity: eval.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 16 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/sameOrigin.jsp
Entity: sameOrigin.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 17 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideFiltering.js
Entity: clientSideFiltering.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 18 of 20

Missing "X-Content-Type-Options" header

Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideValidation.js
Entity: clientSideValidation.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to use the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which increases exposure to drive-by download attacks.

Issue 19 of 20 TOC

4/28/2019 44
Missing "X-Content-Type-Options" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/themedata.thmx
Entity: themedata.thmx (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which
increases exposure to drive-by download attacks

Issue 20 of 20

Missing "X-Content-Type-Options" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/colorschememapping.xml
Entity: colorschememapping.xml (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-Content-Type-Options" header

Reasoning: AppScan detected that the X-Content-Type-Options response header is missing, which
increases exposure to drive-by download attacks

Low: Missing "X-XSS-Protection" header (20 issues)

Issue 1 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/javascript.js
Entity: javascript.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 2 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/reportBug.jsp
Entity: reportBug.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 3 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/menu_system.js
Entity: menu_system.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 4 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 5 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/source
Entity: source (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 6 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/lessonNav.js
Entity: lessonNav.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 7 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/makeWindow.js
Entity: makeWindow.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 8 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/toggle.js
Entity: toggle.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 9 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/DOMXSS.js
Entity: DOMXSS.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 10 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WSDLScanning
Entity: WSDLScanning (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 11 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/escape.js
Entity: escape.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 12 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/sameOrigin.js
Entity: sameOrigin.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 13 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/services/WsSqlInjection
Entity: WsSqlInjection (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 14 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/eval.js
Entity: eval.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 15 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/eval.jsp
Entity: eval.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 16 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lessons/Ajax/sameOrigin.jsp
Entity: sameOrigin.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 17 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideFiltering.js
Entity: clientSideFiltering.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 18 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/javascript/clientSideValidation.js
Entity: clientSideValidation.js (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 19 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/themedata.thmx
Entity: themedata.thmx (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Issue 20 of 20

Missing "X-XSS-Protection" header
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/lesson_solutions/HttpOnly_files/colorschememapping.xml
Entity: colorschememapping.xml (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
It is possible to persuade a naive user to supply sensitive information such as username, password,
credit card number, social security number etc.
Causes: Insecure web application programming or configuration
Fix: Configure your server to send the "X-XSS-Protection" header

Reasoning: AppScan detected that the X-XSS-Protection response header is missing, which may allow
Cross-Site Scripting attacks

Low: TRACE and TRACK HTTP Methods Enabled (1 issue)

Issue 1 of 1

TRACE and TRACK HTTP Methods Enabled
Severity: Low
CVSS Score: 5.0
URL: http://192.168.58.129/WebGoat/attack
Entity: 192.168.58.129 (Page)
Risk: It may be possible to steal or manipulate customer sessions and cookies, which might be used to
impersonate a legitimate user, allowing the attacker to view or alter user records and to perform
transactions as that user
Causes: The web server or application server is configured in an insecure way
Fix: Disable HTTP TRACE support in your web server

Reasoning: The response content type (message/http), and the echoing of the request text and
headers in the response, indicate that the TRACE/TRACK method is enabled on the
server.

Informational: Application Error (4 issues)

Issue 1 of 4

Application Error
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: QTY4 (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values
No validation was performed to ensure that user input matches the expected data type
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error
messages and exceptions

Reasoning: The application has responded with an error message, indicating an undefined state that
may expose sensitive information.

Issue 2 of 4

Application Error
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: pass2 (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values
No validation was performed to ensure that user input matches the expected data type
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error
messages and exceptions

Reasoning: The application has responded with an error message, indicating an undefined state that
may expose sensitive information.

Issue 3 of 4

Application Error
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: password (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values
No validation was performed to ensure that user input matches the expected data type
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error
messages and exceptions

Reasoning: The application has responded with an error message, indicating an undefined state that
may expose sensitive information.

Issue 4 of 4

Application Error
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: read_result (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values
No validation was performed to ensure that user input matches the expected data type
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error
messages and exceptions

Reasoning: The application has responded with an error message, indicating an undefined state that
may expose sensitive information.

Informational: Client-Side (JavaScript) Cookie References (1 issue)

Issue 1 of 1

Client-Side (JavaScript) Cookie References
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: function myAlert() { (Page)
Risk: The worst case scenario for this attack depends on the context and role of the cookies that are
created at the client side
Causes: Cookies are created at the client side
Fix: Remove business and security logic from the client side

Reasoning: AppScan found a reference to cookies in the JavaScript.

Informational: Email Address in Hidden Parameter (1 issue)

Issue 1 of 1

Email Address in Hidden Parameter
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: to (Parameter)
Risk: It is possible to send e-mails through your web application, using spoofed e-mail addresses
Causes: Parameter values were 'hardcoded' in the HTML as a read-only parameter
Fix: Remove the recipient e-mail address hidden parameter

Reasoning: AppScan found an e-mail address in a hidden parameter, which may be used as a
destination address for e-mails sent by the server.

Informational: Email Address Pattern Found (2 issues)

Issue 1 of 2

Email Address Pattern Found
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/reportBug.jsp
Entity: reportBug.jsp (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove e-mail addresses from the website

Reasoning: The response contains an e-mail address that may be private.

Issue 2 of 2

Email Address Pattern Found
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: Insecure web application programming or configuration
Fix: Remove e-mail addresses from the website

Reasoning: The response contains an e-mail address that may be private.

Informational: HTML Comments Sensitive Information Disclosure (2 issues)

Issue 1 of 2

HTML Comments Sensitive Information Disclosure
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: FIXME admin:adminpw (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments

Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.

Issue 2 of 2

HTML Comments Sensitive Information Disclosure
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: Use Admin to regenerate database (Page)
Risk: It is possible to gather sensitive information about the web application such as usernames,
passwords, machine name and/or sensitive file locations
Causes: Debugging information was left by the programmer in web pages
Fix: Remove sensitive information from HTML comments

Reasoning: AppScan discovered HTML comments containing what appears to be sensitive information.

Informational: Link to unclassified site (2 issues)

Issue 1 of 2

Link to unclassified site
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: http://www.partnet.com/ (Link)
Risk: N/A
Causes: N/A
Fix: Examine the link to determine whether it is indeed supposed to be included in the web application

Reasoning: Reasoning is not available for this issue.

Issue 2 of 2

Link to unclassified site
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: http://www.iewatch.com/ (Link)
Risk: N/A
Causes: N/A
Fix: Examine the link to determine whether it is indeed supposed to be included in the web application

Reasoning: Reasoning is not available for this issue.

Informational: Possible Server Path Disclosure Pattern Found (1 issue)

Issue 1 of 1

Possible Server Path Disclosure Pattern Found
Severity: Informational
CVSS Score: 0.0
URL: http://192.168.58.129/WebGoat/attack
Entity: attack (Page)
Risk: It is possible to retrieve the absolute path of the web server installation, which might help an
attacker to develop further attacks and to gain information about the file system structure of the web
application
Causes: The latest patches or hotfixes for third-party products were not installed
Fix: Download the relevant security patch for your web server or web application.

Reasoning: The response contains the absolute paths and/or filenames of files on the server.
