
Sample Report

This vulnerability assessment report found several high risk vulnerabilities in the tested website, including 41 high severity issues. The top vulnerabilities were SQL injection vulnerabilities, cross-site scripting vulnerabilities, and various other issues that could allow attackers to access sensitive files or data. The report provides recommendations to address each identified vulnerability in order to safeguard the website and business.

Uploaded by Karthik

VULNERABILITY ASSESSMENT REPORT

This document contains confidential information about your website

CONFIDENTIAL

This report contains a comprehensive vulnerability assessment of your
website's security measures. It highlights potential vulnerabilities that
may pose a risk to your business. Our security experts have analyzed the
results and compiled a detailed report with recommended steps to
address any identified vulnerabilities. Please ensure that you take the
necessary measures to safeguard your website and business.

Executive Summary

Our executive summary provides a clear, concise, and easy-to-understand
overview of your website's security posture, highlighting any
vulnerabilities that may pose a risk to your business. This allows you to
quickly identify areas of concern and take action to address them.

Scan of testphp.vulnweb.com
Threat level

SkilledScan Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user
can exploit these vulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution

Total alerts found 74


High 41
Medium 20
Low 4
Informational 9

Executive summary
Alert group Severity Alert count
SQL injection
Severity High
Alert count 19

SQL injection is a type of cyber attack where an attacker can take
advantage of a vulnerability in a website or application to execute
their own malicious SQL commands. In simpler terms, it means that a
hacker can manipulate the code of a website to access and steal
sensitive data such as usernames, passwords, credit card
information, and other personal information. This vulnerability can be
caused by poor coding practices or lack of input validation, which
allows the attacker to inject their own SQL commands into a website's
database. SQL injection attacks can be very damaging and can result
in financial loss, identity theft, and other serious consequences.
Therefore, it is important for website developers and administrators to
take proper security measures to prevent SQL injection attacks.

Cross site scripting
Severity High
Alert count 17

Cross-site scripting (XSS) is a type of cyber attack that involves an
attacker injecting malicious code into a website or web application
that can then be executed by unsuspecting users who visit the
affected site. The malicious code can be used to steal sensitive
information, such as login credentials or credit card numbers, or even
take control of the user's computer. Think of it like a burglar who hides
a key under a doormat. The attacker hides their malicious code on a
legitimate website, just like a burglar hides a key under a doormat.
When a user visits that website, their web browser executes the
malicious code, just like someone who uses the key to enter a house.
XSS attacks can be prevented by using secure coding practices that
validate user input and encode output to prevent malicious code from
being executed. Users can also protect themselves by being cautious
when clicking on links or entering personal information on websites,
and by keeping their web browser up-to-date with security patches.

Directory traversal
Severity High
Alert count 1

Directory traversal is a type of cyber attack that allows an attacker to
access files and directories outside of the web root directory of a web
application. In simpler terms, it's like a burglar breaking into a house
and being able to access all of the rooms, including those that are
locked or hidden. For example, a web application might use a URL
parameter to load a specific file. An attacker could manipulate that
parameter by inserting "../" to navigate up the directory structure and
access files outside of the web root directory. This can allow them to
view sensitive files, such as configuration files, that should not be
accessible to the public. Directory traversal attacks can be prevented
by using secure coding practices, such as validating user input and
enforcing proper file access permissions. Regular security audits and
testing can also help identify and address vulnerabilities in web
applications. Overall, it's important to take appropriate measures to
prevent directory traversal attacks and keep sensitive data secure.

File inclusion
Severity High
Alert count 1

File inclusion is a type of cyber attack that allows an attacker to
access and execute files on a web server. In simpler terms, it's like a
burglar breaking into a house and being able to use the owner's tools
or appliances to carry out their own activities. For example, a web
application might use a file inclusion function to include a header or
footer file in every page. An attacker could manipulate that function by
inserting a file path that points to a malicious script, which could then
be executed by the web server. This can allow them to steal sensitive
information or take control of the server. File inclusion attacks can be
prevented by using secure coding practices, such as validating user
input and using proper file access permissions. Regular security
audits and testing can also help identify and address vulnerabilities in
web applications. Overall, it's important to take appropriate measures
to prevent file inclusion attacks and keep sensitive data secure.

PHP allow_url_fopen enabled
Severity High
Alert count 1

The "allow_url_fopen" vulnerability in PHP is a security issue that can
allow an attacker to execute malicious code on a server that has this
setting enabled. In simpler terms, it's like a burglar finding an
unlocked door or window that allows them to enter a house and steal
or damage items. When the "allow_url_fopen" setting is enabled in
PHP, it allows PHP scripts to open and read data from URLs, just like
they can open and read files on the server. However, if an attacker
can manipulate the data that is being read from a URL, they can
potentially execute their own code on the server, which could result in
data theft or server compromise. This vulnerability can be prevented
by disabling the "allow_url_fopen" setting in PHP, or by using other
secure coding practices, such as input validation and output
encoding. Regular security audits and testing can also help identify
and address vulnerabilities in web applications. Overall, it's important
to take appropriate measures to prevent the "allow_url_fopen"
vulnerability and keep web applications secure.

Possible database backup
Severity High
Alert count 1

A possible database backup vulnerability is a security issue that
occurs when a database backup file is accessible to unauthorized
users, which can lead to data theft or compromise. In simpler terms,
it's like a burglar finding a spare key to a house and being able to
enter and steal valuable items. Database backups are essential for
disaster recovery and continuity planning, but if they are not properly
secured, they can be a source of vulnerability. If an attacker can
access a database backup file, they can potentially gain access to
sensitive data, such as customer information or login credentials. To
prevent this vulnerability, it is important to ensure that database
backup files are properly secured and only accessible to authorized
users. This can be done by encrypting the backup file, storing it in a
secure location, and limiting access to only those who need it.
Regular security audits and testing can also help identify and address
vulnerabilities in database backup processes. Overall, it's important to
take appropriate measures to prevent database backup vulnerabilities
and keep sensitive data secure.

Vulnerable package dependencies [high]
Severity High
Alert count 1

Vulnerable package dependencies are a type of security issue that
occurs when a software package depends on other packages that
have known vulnerabilities. In simpler terms, it's like a burglar finding
a weak link in a security system and being able to bypass it to gain
access to a house. Software packages often rely on other packages
or libraries to function properly, but if those dependencies have known
vulnerabilities, they can be exploited by attackers to gain access to a
system. This can happen if the vulnerable package is used in a way
that allows an attacker to execute malicious code or carry out other
attacks. To prevent this vulnerability, it is important to regularly update
software packages and their dependencies to the latest, secure
versions. It is also recommended to use tools like vulnerability
scanners or dependency checkers to identify and remediate
vulnerable packages. Overall, it's important to take appropriate
measures to prevent vulnerable package dependencies and keep
software systems secure.

Backup files
Severity Medium
Alert count 2

Backup files can be a source of vulnerability when they are not
properly secured. In simpler terms, it's like a burglar finding a key to a
house and being able to enter and steal valuable items. Backup files
are important for disaster recovery and continuity planning, but if they
are not properly secured, they can be exploited by attackers to gain
access to sensitive data. This can happen if backup files are
accessible to unauthorized users or if they are not encrypted or
password-protected. To prevent this vulnerability, it is important to
ensure that backup files are stored in a secure location, encrypted or
password-protected, and only accessible to authorized users. It is
also recommended to regularly test backup and recovery procedures
to ensure that they are working properly. Regular security audits and
testing can also help identify and address vulnerabilities in backup
processes. Overall, it's important to take appropriate measures to
prevent backup file vulnerabilities and keep sensitive data secure.

.htaccess file readable
Severity Medium
Alert count 1

The ".htaccess" file readable vulnerability is a security issue that
occurs when the .htaccess file, which is used to configure web server
settings, is readable by unauthorized users. In simpler terms, it's like a
burglar finding a key to a house and being able to enter and steal
valuable items. The .htaccess file is used to control access to a
website and its resources, but if it is readable by unauthorized users,
it can be exploited to gain access to sensitive information, such as
user credentials or configuration details. This can happen if the file
permissions are set improperly or if the file is located in a publicly
accessible directory. To prevent this vulnerability, it is important to
ensure that the .htaccess file is only readable by authorized users and
is located in a secure directory. This can be done by setting proper file
permissions and restricting access to the directory where the file is
located. Regular security audits and testing can also help identify and
address vulnerabilities related to .htaccess files. Overall, it's important
to take appropriate measures to prevent .htaccess file vulnerabilities
and keep web applications secure.

JetBrains .idea project directory
Severity Medium
Alert count 1

The JetBrains .idea project directory vulnerability is a security issue
that occurs when the .idea directory, which is used by JetBrains IDEs
to store project settings, is inadvertently exposed to unauthorized
users. In simpler terms, it's like a burglar finding a key to a house and
being able to enter and steal valuable items. The .idea directory
contains project-specific settings for JetBrains IDEs, such as code
styles, run configurations, and inspection profiles. However, if the
directory is accessible to unauthorized users, it can be exploited to
gain access to sensitive information about the project, including file
paths, usernames, and passwords. This can happen if the directory is
uploaded to a publicly accessible repository or if file permissions are
set improperly. To prevent this vulnerability, it is important to ensure
that the .idea directory is not uploaded to a publicly accessible
repository and is only accessible to authorized users. This can be
done by configuring proper file permissions and restricting access to
the directory where the file is located. It is also recommended to
review and remove any sensitive information that may be stored in the
.idea directory before sharing project files. Overall, it's important to
take appropriate measures to prevent JetBrains .idea project directory
vulnerabilities and keep software projects secure.

WS_FTP log file found
Severity Medium
Alert count 1

The WS_FTP log file found vulnerability is a security issue that occurs
when log files generated by the WS_FTP server, a popular FTP
server software, are inadvertently exposed to unauthorized users. In
simpler terms, it's like a burglar finding a key to a house and being
able to enter and steal valuable items. WS_FTP server log files
contain information about the FTP server's activity, including user
logins, file transfers, and server errors. If these log files are accessible
to unauthorized users, they can be exploited to gain sensitive
information about the server and its users. This can happen if the log
files are not stored in a secure location or if file permissions are set
improperly. To prevent this vulnerability, it is important to ensure that
WS_FTP log files are stored in a secure location and are only
accessible to authorized users. This can be done by configuring
proper file permissions and restricting access to the directory where
the log files are located. Regular security audits and testing can also
help identify and address vulnerabilities related to log files. Overall, it's
important to take appropriate measures to prevent WS_FTP log file
vulnerabilities and keep FTP servers secure.
Developer Report

Our detailed report provides a comprehensive analysis of your website's
security measures and highlights any potential vulnerabilities that may
pose a risk to your business. Our report also includes technical details,
which are essential for IT professionals to understand the vulnerabilities
in-depth. This report serves as a valuable tool for your IT team to make
informed decisions about implementing security measures to protect
your website and your business from potential threats.

Scan of testphp.vulnweb.com
Scan details
Scan information
Start time 2023-05-04T03:51:21.913146+05:30
Start url http://testphp.vulnweb.com/
Host testphp.vulnweb.com
Server information nginx/1.19.0
Responsive True
Server OS Unknown
Server technologies PHP

Threat level

SkilledScan Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user
can exploit these vulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution

Total alerts found 74


High 41
Medium 20
Low 4
Informational 9

Affected items
Web Server
Alert group Cross site scripting
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URI was set to 1<ScRiPt>Tj0s(9493)</ScRiPt>
The input is reflected inside a text element.

GET /404.php?1<ScRiPt>Tj0s(9493)</ScRiPt> HTTP/1.1
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/AJAX/showxml.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details Cookie input mycookie was set to 3'"()&%<zzz><ScRiPt >Hgly(9891)</ScRiPt>

POST /AJAX/showxml.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: https://www.google.com/search?hl=en&q=testing
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Cookie: mycookie=3'"()&%<zzz><ScRiPt%20>Hgly(9891)</ScRiPt>
Content-Length: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/comment.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input name was set to <your name here>'"()&%<zzz><ScRiPt >lcyA(9740)</ScRiPt>

POST /comment.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 132
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Submit=Submit&comment=555&name=<your%20name%20here>'"()%26%25<zzz><ScRiPt%20>lcyA(9740)</ScRiPt>&phpaction=echo%20%24_POST[comment];

/guestbook.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input name was set to anonymous user'"()&%<zzz><ScRiPt >SU7r(9732)</ScRiPt>

POST /guestbook.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 96
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

name=anonymous%20user'"()%26%25<zzz><ScRiPt%20>SU7r(9732)</ScRiPt>&submit=add%20message&text=555

/guestbook.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input text was set to 555'"()&%<zzz><ScRiPt >SU7r(9977)</ScRiPt>

POST /guestbook.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 96
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

name=anonymous%20user&submit=add%20message&text=555'"()%26%25<zzz><ScRiPt%20>SU7r(9977)</ScRiPt>

/hpp/
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded GET input pp was set to 12'"()&%<zzz><ScRiPt >Nyti(9095)</ScRiPt>

GET /hpp/?pp=12'"()%26%25<zzz><ScRiPt%20>Nyti(9095)</ScRiPt> HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/hpp/params.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded GET input p was set to 1'"()&%<zzz><ScRiPt >ktJB(9020)</ScRiPt>

GET /hpp/params.php?p=1'"()%26%25<zzz><ScRiPt%20>ktJB(9020)</ScRiPt> HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/hpp/params.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded GET input pp was set to 12'"()&%<zzz><ScRiPt >xXto(9433)</ScRiPt>

GET /hpp/params.php?p=valid&pp=12'"()%26%25<zzz><ScRiPt%20>xXto(9433)</ScRiPt> HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/listproducts.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded GET input artist was set to 1'"()&%<zzz><ScRiPt >fUJU(9650)</ScRiPt>

GET /listproducts.php?artist=1'"()%26%25<zzz><ScRiPt%20>fUJU(9650)</ScRiPt> HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/listproducts.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded GET input cat was set to 1'"()&%<zzz><ScRiPt >FN8b(9046)</ScRiPt>

GET /listproducts.php?cat=1'"()%26%25<zzz><ScRiPt%20>FN8b(9046)</ScRiPt> HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/search.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details POST (multipart) input searchFor was set to the'"()&%<zzz><ScRiPt >ugFU(9844)</ScRiPt>

POST /search.php?test=query HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: http://testphp.vulnweb.com/
Content-Length: 148
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="searchFor"

the'"()&%<zzz><ScRiPt >ugFU(9844)</ScRiPt>
------------YWJkMTQzNDcw--

/secured/newuser.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input uaddress was set to 555'"()&%<zzz><ScRiPt >01Pf(9919)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555'"()%26%25<zzz><ScRiPt%20>01Pf(9919)</ScRiPt>&ucc=4111111111111111&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme&uuname=pHqghUme

/secured/newuser.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input ucc was set to 4111111111111111'"()&%<zzz><ScRiPt >01Pf(9597)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111'"()%26%25<zzz><ScRiPt%20>01Pf(9597)</ScRiPt>&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme&uuname=pHqghUme

/secured/newuser.php
Alert group Cross site scripting (verified)
Severity High
Description Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details URL encoded POST input uemail was set to testing@example.com'"()&%<zzz><ScRiPt >01Pf(9203)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111&uemail=testing%40example.com'"()%26%25<zzz><ScRiPt%20>01Pf(9203)</ScRiPt>&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme&uuname=pHqghUme

/secured/newuser.php
Alert group: Cross site scripting (verified)
Severity: High
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details: URL encoded POST input uphone was set to 555-666-0606'"()&%<zzz><ScRiPt >01Pf(9871)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606'"()%26%25<zzz><ScRiPt%20>01Pf(9871)</ScRiPt>&urname=pHqghUme&uuname=pHqghUme

/secured/newuser.php
Alert group: Cross site scripting (verified)
Severity: High
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details: URL encoded POST input urname was set to pHqghUme'"()&%<zzz><ScRiPt >01Pf(9064)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme'"()%26%25<zzz><ScRiPt%20>01Pf(9064)</ScRiPt>&uuname=pHqghUme

/secured/newuser.php
Alert group: Cross site scripting (verified)
Severity: High
Description: Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Recommendations: Apply context-dependent encoding and/or validation to user input rendered on a page
Alert variants
Details: URL encoded POST input uuname was set to pHqghUme'"()&%<zzz><ScRiPt >01Pf(9757)</ScRiPt>

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme&uuname=pHqghUme'"()%26%25<zzz><ScRiPt%20>01Pf(9757)</ScRiPt>

/showimage.php
Alert group: Directory traversal (verified)
Severity: High
Description: This script is possibly vulnerable to directory traversal attacks.

Directory Traversal is a vulnerability which allows attackers to access restricted directories and read files outside of the web server's root directory.
Recommendations: Your script should filter metacharacters from user input.
Alert variants
Details: URL encoded GET input file was set to 1531486/../../xxx\..\..\413439

GET /showimage.php?file=1531486/../../xxx%5C..%5C..%5C413439&size=160 HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/showimage.php
Alert group: File inclusion
Severity: High
Description: This script is possibly vulnerable to file inclusion attacks.

It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.
Recommendations: Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list.

For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option from php.ini.
Alert variants
Details: URL encoded GET input file was set to showimage.php

Pattern found:

<?php
// header("Content-Length: 1" /*. filesize($name)*/);
if( isset($_GET["file"]) && !isset($_GET["size"]) ){
// open the file in a binary mode
header("Content-Type: image/jpeg");
$name = $_GET["file"];
// restrict urls
if (filter_var($name, FILTER_VALIDATE_URL)) {
exit();
$fp = fopen($name, 'rb');
// send the right headers
header("Content-Type: image/jpeg");
// dump the picture and stop the script
...

GET /showimage.php?file=showimage.php&size=160 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group: PHP allow_url_fopen enabled (verified)
Severity: High
Description: The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

allow_url_fopen is enabled by default.
Recommendations: You can disable allow_url_fopen from either php.ini (for PHP versions newer than 4.3.4) or .htaccess (for PHP versions up to 4.3.4).

php.ini
allow_url_fopen = 'off'

.htaccess
php_flag allow_url_fopen off
Alert variants
Details: Current setting is : allow_url_fopen = on
Observed on /

/admin/create.sql
Alert group: Possible database backup
Severity: High
Description: Manual confirmation is required for this alert.

One or more possible database backups were identified. A database backup contains a record of the table structure and/or the data from a database and is usually in the form of a list of SQL statements. A database backup is most often used for backing up a database so that its contents can be restored in the event of data loss. This information is highly sensitive and should never be found on a production system.
Recommendations: Sensitive files such as database backups should never be stored in a directory that is accessible to the web server. As a workaround, you could restrict access to these file(s).
Alert variants
Details: Pages with possible database backups:

GET /admin/create.sql HTTP/1.1
Range: bytes=0-99999
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: Path Fragment input /<s>/<s>-[*].html was set to 1Start463531'"392457End

GET /Mod_Rewrite_Shop/RateProduct-1Start463531'"392457End.html HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/AJAX/infoartist.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input id was set to 1Start021115'"677640End

GET /AJAX/infoartist.php?id=1Start021115'"677640End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Accept: */*
Referer: http://testphp.vulnweb.com/
Cookie: mycookie=3
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/AJAX/infocateg.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input id was set to 1Start882013'"169051End

GET /AJAX/infocateg.php?id=1Start882013'"169051End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Accept: */*
Referer: http://testphp.vulnweb.com/
Cookie: mycookie=3
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/AJAX/infotitle.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded POST input id was set to 1Start765121'"385116End

POST /AJAX/infotitle.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://testphp.vulnweb.com/
Cookie: mycookie=3
Content-Length: 32
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

id=1Start765121'"385116End

/artists.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input artist was set to 1Start227726'"415005End

GET /artists.php?artist=1Start227726'"415005End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/listproducts.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input artist was set to 1Start437204'"411370End

GET /listproducts.php?artist=1Start437204'"411370End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/listproducts.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input cat was set to 1Start207412'"968828End

GET /listproducts.php?cat=1Start207412'"968828End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/BuyProduct-1/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/BuyProduct-1/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/BuyProduct-2/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/BuyProduct-2/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/BuyProduct-3/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/BuyProduct-3/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/Details/color-printer/3/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/Details/color-printer/3/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details:

GET /Mod_Rewrite_Shop/Details/web-camera-a4tech/2/?id=1START'"END HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
User-Agent: 1'"2000
referer: 1'"3000
client-ip: 1'"4000
x-forwarded-for: 1'"5000
accept-language: 1'"6000
via: 1'"7000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: testphp.vulnweb.com
Connection: Keep-alive

/product.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input pic was set to 1Start914352'"611484End

GET /product.php?pic=1Start914352'"611484End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/search.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: POST (multipart) input searchFor was set to 1Start609544'"738136End

POST /search.php?test=query HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: http://testphp.vulnweb.com/
Content-Length: 135
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="searchFor"

1Start609544'"738136End
------------YWJkMTQzNDcw--

/search.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded GET input test was set to 1Start187637'"566108End

POST /search.php?test=1Start187637'"566108End HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Accept: */*
Referer: http://testphp.vulnweb.com/
Content-Length: 109
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="searchFor"

the
------------YWJkMTQzNDcw--

/secured/newuser.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded POST input uuname was set to 1Start866597'"192117End

POST /secured/newuser.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 196
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

signup=signup&uaddress=555&ucc=4111111111111111&uemail=testing%40example.com&upass=u]H[ww6KrA9F.x-F&upass2=u]H[ww6KrA9F.x-F&uphone=555-666-0606&urname=pHqghUme&uuname=1Start866597'"192117End

/userinfo.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded POST input pass was set to 1Start379432'"263652End

POST /userinfo.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 49
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

pass=1Start379432'"263652End&uname=pHqghUme

/userinfo.php
Alert group: SQL injection (verified)
Severity: High
Description: SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.
Recommendations: Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
Alert variants
Details: URL encoded POST input uname was set to 1Start823519'"541292End

POST /userinfo.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
Content-Length: 57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

pass=u]H[ww6KrA9F.x-F&uname=1Start823519'"541292End

/vendor/installed.json
Alert group Vulnerable package dependencies [high]
Severity High
One or more packages that are used in your web application are
Description affected by known vulnerabilities. Please consult the details section for
more information about each affected package.
It's recommended to update the vulnerable packages to the latest
version (if a fix exists). If a fix does not exist, you may want to suggest
Recommendations
changes that address the vulnerability to the package maintainer or
remove the package from your dependency tree.
Alert variants
List of vulnerable composer packages:

Package: phpmailer/phpmailer
Version: 6.1.8.0
CVE: CVE-2021-34551
Title: Unrestricted Upload of File with Dangerous Type
Description: PHPMailer before 6.5.0 on Windows allows remote code
execution if lang_path is untrusted data and has a UNC pathname.
CVSS V2: AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Package: phpmailer/phpmailer
Version: 6.1.8.0
CVE: CVE-2021-3603
Title: Inclusion of Functionality from Untrusted Control Sphere
Description: PHPMailer 6.4.1 and earlier contain a vulnerability that can
result in untrusted code being called (if such code is injected into the
host project's scope by other means). If the $patternselect parameter to
validateAddress() is set to 'php' (the default, defined by
PHPMailer::$validator), and the global namespace contains a function
called php, it will be called in preference to the built-in validator of the
same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple
strings as validator function names.
CVSS V2: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-829

Package: phpmailer/phpmailer
Version: 6.1.8.0
CVE: CVE-2020-36326
Title: Deserialization of Untrusted Data
Description: PHPMailer 6.1.8 through 6.4.0 allows object injection
through Phar Deserialization via addAttachment with a UNC pathname.
NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed
a functionality problem in which UNC pathnames were always
considered unreadable by PHPMailer, even in safe contexts. As an
unintended side effect, this fix eliminated the code that blocked
addAttachment exploitation.
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502

Package: phpunit/phpunit
Version: 5.6.2.0
CVE: CVE-2017-9841
Title: Improper Control of Generation of Code ('Code Injection')
Description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x
before 5.6.3 allows remote attackers to execute arbitrary PHP code via
HTTP POST data beginning with a "<?php " substring, as demonstrated
by an attack on a site with an exposed /vendor folder, i.e., external
access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94

Package: smarty/smarty
Version: 4.0.0.0
CVE: CVE-2021-21408
Title: Improper Input Validation
Description: Smarty is a template engine for PHP, facilitating the
separation of presentation (HTML/CSS) from application logic. Prior to
versions 3.1.43 and 4.0.3, template authors could run restricted static
php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive
a patch.
CVSS V2: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20

Package: smarty/smarty
Version: 4.0.0.0
CVE: CVE-2021-29454
Title: Improper Neutralization of Special Elements in Output Used by a
Downstream Component ('Injection')
Description: Smarty is a template engine for PHP, facilitating the
separation of presentation (HTML/CSS) from application logic. Prior to
versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP
code by crafting a malicious math string. If a math string was passed
through as user provided data to the math function, external users could
run arbitrary PHP code by crafting a malicious math string. Users should
upgrade to version 3.1.42 or 4.0.2 to receive a patch.
CVSS V2: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-74

Package: smarty/smarty
Version: 4.0.0.0
CVE: CVE-2022-29221
Title: Improper Control of Generation of Code ('Code Injection')
Description: Smarty is a template engine for PHP, facilitating the
separation of presentation (HTML/CSS) from application logic. Prior to
versions 3.1.45 and 4.1.1, template authors could inject php code by
choosing a malicious {block} name or {include} file name. Sites that
cannot fully trust template authors should upgrade to versions 3.1.45 or
4.1.1 to receive a patch for this issue. There are currently no known
workarounds.
CVSS V2: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94

Package: verot/class.upload.php
Version: 2.0.1.0
CVE: CVE-2019-19576
Title: Unrestricted Upload of File with Dangerous Type
Description: class.upload.php in verot.net class.upload before 1.0.3 and
2.x before 2.0.4, as used in the K2 extension for Joomla! and other
products, omits .phar from the set of dangerous file extensions.
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Package: verot/class.upload.php
Version: 2.0.1.0
CVE: CVE-2019-19634
Title: Unrestricted Upload of File with Dangerous Type
Description: class.upload.php in verot.net class.upload through 1.0.3
and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other
products, omits .pht from the set of dangerous file extensions, a similar
issue to CVE-2019-19576.
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

/Mod_Rewrite_Shop/
Alert group .htaccess file readable (verified)
Severity Medium
Description This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. .htaccess files are designed to be parsed by the web server and should not be directly accessible. These files could contain sensitive information that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.
Recommendations Restrict access to the .htaccess file by adjusting the web server configuration.
Alert variants
Details
GET /Mod_Rewrite_Shop/.htaccess HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Application error messages
Severity Medium
Description This alert requires manual confirmation
SkilledScan found one or more error/warning messages. Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.
These messages may also contain the location of the file that produced an unhandled exception.
Consult the 'Attack details' section for more information about the affected page(s).
Recommendations Verify that these page(s) are disclosing error or warning messages and properly configure the application to log errors to a file instead of displaying the error to the user.
Alert variants
Details Application error messages:

http://testphp.vulnweb.com/showimage.php
Warning: fopen(): Filename cannot be empty in /hj/var/www/showimage.php on line 31

http://testphp.vulnweb.com/bxss/adminPan3l/index.php
<b>Warning</b>: mysql_connect(): Access denied for user 'bxss'@'localhost' (using password: YES) in <b>/hj/var/www//bxss/adminPan3l/index.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/listproducts.php
You have an error in your SQL syntax

http://testphp.vulnweb.com/Connections/DB_Connection.php
Fatal error

http://testphp.vulnweb.com/Connections/DB_Connection.php
<b>Warning</b>: mysql_pconnect(): Access denied for user 'root'@'localhost' in <b>/hj/var/www//Connections/DB_Connection.php</b> on line <b>9</b><br />

http://testphp.vulnweb.com/secured/database_connect.php
<b>Warning</b>: mysql_connect(): The server requested authentication method unknown to the client [caching_sha2_password] in <b>/hj/var/www//secured/database_connect.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/secured/newuser.php
You have an error in your SQL syntax

http://testphp.vulnweb.com/bxss/cleanDatabase.php
<b>Warning</b>: mysql_connect(): Access denied for user 'bxss'@'localhost' (using password: YES) in <b>/hj/var/www//bxss/cleanDatabase.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
<b>Warning</b>: Sablotron error on line 1: XML parser error 3: no element found in <b>/usr/local/etc/httpd/htdocs2/destination-ce/destinationce/system/class/xsltTransform.class.php</b> on line <b>70</b><br />

http://testphp.vulnweb.com/showimage.php
Warning: fopen(): Filename cannot be empty in /hj/var/www/showimage.php on line 13

http://testphp.vulnweb.com/listproducts.php
<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, null given in <b>/hj/var/www//listproducts.php</b> on line <b>74</b><br />

http://testphp.vulnweb.com/bxss/vuln.php
<b>Warning</b>: mysql_connect(): Access denied for user 'bxss'@'localhost' (using password: YES) in <b>/hj/var/www//bxss/vuln.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/bxss/database_connect.php
<b>Warning</b>: mysql_connect(): Access denied for user 'bxss'@'localhost' (using password: YES) in <b>/hj/var/www//bxss/database_connect.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/bxss/adminPan3l/
<b>Warning</b>: mysql_connect(): Access denied for user 'bxss'@'localhost' (using password: YES) in <b>/hj/var/www//bxss/adminPan3l/index.php</b> on line <b>2</b><br />

http://testphp.vulnweb.com/AJAX/infoartist.php
<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in <b>/hj/var/www//AJAX/infoartist.php</b> on line <b>7</b><br />

http://testphp.vulnweb.com/AJAX/infocateg.php
<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in <b>/hj/var/www//AJAX/infocateg.php</b> on line <b>7</b><br />

http://testphp.vulnweb.com/AJAX/infotitle.php
<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in <b>/hj/var/www//AJAX/infotitle.php</b> on line <b>7</b><br />

http://testphp.vulnweb.com/secured/database_connect.php
<b>Warning</b>: mysql_connect(): Access denied for user 'wauser'@'localhost' (using password: YES) in <b>/hj/var/www//secured/database_connect.php</b> on line <b>2</b><br />

GET /showimage.php?file=&size=160 HTTP/1.1
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/index.bak
Alert group Backup files
Severity Medium
Description A possible backup file was found on your web-server. These files are usually created by developers to back up their work.
Recommendations Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of backup files in directories accessible from the web.
Alert variants
Details This file was found using the pattern ${fileName}.bak.
Original filename: index.php
Pattern found:

<?PHP require_once("database_connect.php"); ?>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitio
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dyn
<head>
<meta http-equiv="Content-Type" content="text/html; ch

<!-- InstanceBeginEditable name="document_title_rgn" -


<title>Home of WASP Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window i
if (init==true) with (navigator) {if ((appName=="Net
document.MM_pgW=innerWidth; document.MM_pgH=innerH
else if (innerWidth!=document.MM_pgW || innerHeight!
}
MM_reloadPage(true);
//-->
</script>

</head>
<body>
<div id="mainLayer" style="position:absolute; width:70
<div id="masthead">
<h1 id="siteName">SkilledScan ART</h1>
<h6 id="siteInfo">TEST and Demonstration site for Sk
<div id="globalNav">
<a href="index.php">home</a> | <a href="categories
</a> | <a href="disclaimer.php">disclaimer</a>
<a href="guestbook.php">guestbook</a>
</div>
</div>
<!-- end masthead -->

<!-- begin content -->


<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id="pageName">welcome to our page</h2>
<div class="story">
<h3>Test site for WASP.</h3>
</div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar">
<div id="search">
<form action="search.php" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</
<li><a href="artists.php">Browse artists</a></li
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a><
<li><a href="guestbook.php">Our guestbook</a
<?PHP if (isset($_COOKIE["login"]))echo '<li
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.SkilledScan.com">Securit
<li><a href="http://www.eclectasy.com/Fracta
</ul>
</div>
<div id="advert">
<p><img src="images/add.jpg" alt="" width="107" he
</div>
</div>

<!--end navbar -->


<div id="siteInfo"> <a href="http://www.SkilledScan.c
Map</a> | <a href="privacy.php">Privacy Policy</a> |
SkilledScan Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>

GET /index.bak HTTP/1.1
Range: bytes=0-99999
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/index.zip
Alert group Backup files
Severity Medium
Description A possible backup file was found on your web-server. These files are usually created by developers to back up their work.
Recommendations Remove the file(s) if they are not required on your website. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of backup files in directories accessible from the web.
Alert variants
Details This file was found using the pattern ${fileName}.zip.
Original filename: index.php
GET /index.zip HTTP/1.1
Range: bytes=0-99999
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Basic authentication over HTTP (verified)
Severity Medium
Description In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request.
One or more directories are protected using Basic Authentication over an HTTP connection. With Basic Authentication the user credentials are sent as cleartext and because HTTPS is not used, they are vulnerable to packet sniffing.
Recommendations Use Basic Authentication over an HTTPS connection.
Alert variants
Details Pages with basic authentication over HTTP:
http://testphp.vulnweb.com/clearguestbook.php

GET /clearguestbook.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/redir.php
Alert group CRLF injection/HTTP response splitting (verified)
Severity Medium
Description This script is possibly vulnerable to CRLF injection attacks.
HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
Recommendations You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
Alert variants
Details URL encoded GET input r was set to START END

GET /redir.php?r=START%0D%0AEND HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Directory listings (verified)
Severity Medium
Description Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. It is dangerous to leave this function turned on for the web server because it leads to information disclosure.
Recommendations You should make sure no sensitive information is disclosed or you may want to restrict directory listings from the web server configuration.
Alert variants
Details Folders with directory listing enabled:

http://testphp.vulnweb.com/wvstests/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/
http://testphp.vulnweb.com/.idea/
http://testphp.vulnweb.com/.idea/scopes/
http://testphp.vulnweb.com/Templates/
http://testphp.vulnweb.com/Flash/
http://testphp.vulnweb.com/CVS/
http://testphp.vulnweb.com/Connections/
http://testphp.vulnweb.com/_mmServerScripts/
http://testphp.vulnweb.com/admin/
http://testphp.vulnweb.com/pictures/
http://testphp.vulnweb.com/vendor/
http://testphp.vulnweb.com/images/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/

GET /wvstests/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/hpp/
Alert group HTTP parameter pollution
Severity Medium
Description This script is possibly vulnerable to HTTP Parameter Pollution attacks.
HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If the web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.
Recommendations The application should properly sanitize user input (URL encode) to protect against this vulnerability.
Alert variants
Details URL encoded GET input pp was set to 12&n909574=v912262
Parameter precedence: last occurrence
Affected link: params.php?p=valid&pp=12&n909574=v912262
Affected parameter: p=valid
GET /hpp/?pp=12%26n909574=v912262 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group JetBrains .idea project directory
Severity Medium
Description The .idea directory contains a set of configuration files (.xml) for your project. These configuration files contain information core to the project itself, such as names and locations of its component modules, compiler settings, etc. If you've defined a data source the file dataSources.ids contains information for connecting to the database and credentials. The workspace.xml file stores personal settings such as placement and positions of your windows, your VCS and History settings, and other data pertaining to the development environment. It also contains a list of changed files and other sensitive information. These files should not be present on a production system.
Recommendations Remove these files from production systems or restrict access to the .idea directory. To deny access to all the .idea folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):

<Directory ~ "\.idea">
Order allow,deny
Deny from all
</Directory>

Alert variants
Details workspace.xml project file found at : /.idea/workspace.xml
Pattern found:
<project version="4">

GET /.idea/workspace.xml HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/secured/phpinfo.php
Alert group PHP allow_url_fopen enabled (verified)
Severity Medium
Description The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.
allow_url_fopen is enabled by default.
Recommendations You can disable allow_url_fopen from either php.ini (for PHP versions newer than 4.3.4) or .htaccess (for PHP versions up to 4.3.4).

php.ini
allow_url_fopen = 'off'

.htaccess
php_flag allow_url_fopen off
Alert variants
Details This vulnerability was detected using the information from phpinfo() page.
allow_url_fopen: On
GET /secured/phpinfo.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/secured/phpinfo.php
Alert group PHP errors enabled (verified)
Severity Medium
Description Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.
SkilledScan found that the PHP display_errors directive is enabled.
Recommendations Adjust php.ini or .htaccess (mod_php with Apache HTTP Server) to disable display_errors (refer to 'Detailed information' section).
Alert variants
Details This vulnerability was detected using the information from phpinfo() page.
display_errors: On
GET /secured/phpinfo.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group PHP errors enabled (verified)
Severity Medium
Description Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.
SkilledScan Sensor found that the PHP display_errors directive is enabled.
Recommendations Adjust php.ini or .htaccess (mod_php with Apache HTTP Server) to disable display_errors (refer to 'Detailed information' section).
Alert variants
Details Current setting is : display_errors = 1
Observed on /

/secured/phpinfo.php
Alert group PHP open_basedir is not set (verified)
Severity Medium
Description The open_basedir configuration directive will limit the files that can be opened by PHP to the specified directory-tree. When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. open_basedir is a good protection against remote file inclusion vulnerabilities. For a remote attacker it is not possible to break out of the open_basedir restrictions if he is only able to inject the name of a file to be included. Therefore the number of files he will be able to include with such a local file include vulnerability is limited.
Recommendations You can set open_basedir from php.ini

php.ini
open_basedir = your_application_directory
Alert variants
Details This vulnerability was detected using the information from phpinfo() page.
open_basedir: no value
GET /secured/phpinfo.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/secured/phpinfo.php
Alert group PHP session.use_only_cookies disabled (verified)
Severity Medium
Description When use_only_cookies is disabled, PHP will pass the session ID via
the URL. This makes the application more vulnerable to session
hijacking attacks. Session hijacking is basically a form of identity theft
wherein a hacker impersonates a legitimate user by stealing his session
ID. When the session token is transmitted in a cookie, and the request is
made on a secure channel (that is, it uses SSL), the token is secure.
Recommendations You can enable session.use_only_cookies from php.ini or .htaccess.

php.ini
session.use_only_cookies = 'on'

.htaccess
php_flag session.use_only_cookies on
Alert variants
Details This vulnerability was detected using the information from phpinfo()
page.
session.use_only_cookies: On

GET /secured/phpinfo.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group PHPinfo pages
Severity Medium
Description One or more phpinfo() pages were found. The phpinfo() function
exposes a large amount of information about the PHP configuration and
that of its environment. This includes information about PHP compilation
options and extensions, the PHP version, server information, OS version
information, paths, master and local values of configuration options,
HTTP headers, and the PHP License.
Recommendations Remove either the call to the phpinfo() function from the file(s), or the
file(s) itself.
Alert variants
Details PHPinfo pages found:
/secured/phpinfo.php
<title>phpinfo()</title>

GET /secured/phpinfo.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Unencrypted connection (verified)
Severity Medium
Description This scan target was connected to over an unencrypted connection. A
potential attacker can intercept and modify data sent and received from
this site.
Recommendations The site should send and receive data over a secure (HTTPS)
connection.
Alert variants
Details

GET / HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: filelist;packages;aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/redir.php
Alert group URL redirection
Severity Medium
Description This script is possibly vulnerable to URL redirection attacks.
URL redirection is sometimes used as a part of phishing attacks that
confuse visitors about which web site they are visiting.
Recommendations Your script should properly sanitize user input.
Alert variants
Details URL encoded GET input r was set to http://xfs.bxss.me?vulnweb.com

GET /redir.php?r=http://xfs.bxss.me%3Fvulnweb.com HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group User credentials are sent in clear text
Severity Medium
Description User credentials are transmitted over an unencrypted channel. This
information should always be transferred via an encrypted channel
(HTTPS) to avoid being intercepted by malicious users.
Recommendations Because user credentials are considered sensitive information, they should
always be transferred to the server over an encrypted connection
(HTTPS).
Alert variants
Details Forms with credentials sent in clear text:

http://testphp.vulnweb.com/login.php
Form name: loginform
Form action: userinfo.php
Form method: POST
Password input: pass

http://testphp.vulnweb.com/signup.php
Form name: form1
Form action: /secured/newuser.php
Form method: POST
Password input: upass

GET /login.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

/vendor/installed.json
Alert group Vulnerable package dependencies [medium]
Severity Medium
Description One or more packages that are used in your web application are
affected by known vulnerabilities. Please consult the details section for
more information about each affected package.
Recommendations It's recommended to update the vulnerable packages to the latest
version (if a fix exists). If a fix does not exist, you may want to suggest
changes that address the vulnerability to the package maintainer or
remove the package from your dependency tree.
Alert variants
Details List of vulnerable composer packages:

Package: smarty/smarty
Version: 4.0.0.0
CVE: CVE-2018-25047
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: In Smarty before 3.1.47 and 4.x before 4.2.1,
libs/plugins/function.mailto.php allows XSS. A web page that uses
smarty_function_mailto, and that could be parameterized using GET or
POST input parameters, could allow injection of JavaScript code by a
user.
CVSS V2:
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
References:
https://github.com/smarty-php/smarty/releases/tag/v4.2.1
https://github.com/smarty-php/smarty/releases/tag/v3.1.47
https://bugs.gentoo.org/870100
https://github.com/smarty-php/smarty/issues/454
https://security.gentoo.org/glsa/202209-09
https://lists.debian.org/debian-lts-announce/2023/01/msg00002.html

Package: smarty/smarty
Version: 4.0.0.0
CVE: CVE-2023-28447
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: Smarty is a template engine for PHP. In affected versions
smarty did not properly escape javascript code. An attacker could exploit
this vulnerability to execute arbitrary JavaScript code in the context of
the user's browser session. This may lead to unauthorized access to
sensitive user data, manipulation of the web application's behavior, or
unauthorized actions performed on behalf of the user. Users are advised
to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There
are no known workarounds for this vulnerability.
CVSS V2:
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
References:
https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d
https://lists.fedoraproject.org/archives/list/package-[email protected]/message/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/
https://lists.fedoraproject.org/archives/list/package-[email protected]/message/JBB35GLYTL6JL6EOM6BOZNYP47JKNNHT/
https://lists.fedoraproject.org/archives/list/package-[email protected]/message/P7O7SKTATM6GAP45S64QFXNLWIY5I7HP/

Package: tinymce/tinymce
Version: 5.2.0.0
CVE: CVE-2019-1010091
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper
Neutralization of Input During Web Page Generation. The impact is:
JavaScript code execution. The component is: Media element. The
attack vector is: The victim must paste malicious content to media
element's embed tab.
CVSS V2: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
References:
https://github.com/tinymce/tinymce/issues/4394

Package: tinymce/tinymce
Version: 5.2.0.0
CVE: CVE-2020-12648
Title: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
Description: A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1
and earlier allows remote attackers to inject arbitrary web script when
configured in classic editing mode.
CVSS V2: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
References:
https://labs.bishopfox.com/advisories/tinymce-version-5.2.1

Package: tinymce/tinymce
Version: 5.2.0.0
CVE: CVE-2022-23494
Title: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
Description: tinymce is an open source rich text editor. A cross-site
scripting (XSS) vulnerability was discovered in the alert and confirm
dialogs when these dialogs were provided with malicious HTML content.
This can occur in plugins that use the alert or confirm dialogs, such as in
the `image` plugin, which presents these dialogs when certain errors
occur. The vulnerability allowed arbitrary JavaScript execution when an
alert presented in the TinyMCE UI for the current user. This vulnerability
has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring
HTML sanitization was still performed after unwrapping invalid elements.
Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to
upgrade may ensure the `images_upload_handler` returns a valid
value as per the images_upload_handler documentation.
CVSS V2:
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
References:
https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler
https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes
https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes

/pictures/WS_FTP.LOG
Alert group WS_FTP log file found (verified)
Severity Medium
Description WS_FTP is a popular FTP client. This application creates a log file
named WS_FTP.LOG. This file contains sensitive data such as file
source/destination and file name, date/time of upload etc.
Recommendations Remove this file from your website or change its permissions to remove
access.
Alert variants
Details Pattern found:
103.05.06 13:17

GET /pictures/WS_FTP.LOG HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Clickjacking: X-Frame-Options header
Severity Low
Description Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking
on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of
their computer while clicking on seemingly innocuous web pages.

The server did not return an X-Frame-Options header with the value
DENY or SAMEORIGIN, which means that this website could be at risk
of a clickjacking attack. The X-Frame-Options HTTP response header
can be used to indicate whether or not a browser should be allowed to
render a page inside a frame or iframe. Sites can use this to avoid
clickjacking attacks, by ensuring that their content is not embedded into
untrusted sites.
Recommendations Configure your web server to include an X-Frame-Options header and a
CSP header with frame-ancestors directive. Consult Web references for
more information about the possible values for this header.
Alert variants
Details Paths without secure XFO header:

http://testphp.vulnweb.com/
http://testphp.vulnweb.com/search.php
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/version.php
http://testphp.vulnweb.com/artists.php
http://testphp.vulnweb.com/bxss/adminPan3l/index.php
http://testphp.vulnweb.com/product.php
http://testphp.vulnweb.com/listproducts.php
http://testphp.vulnweb.com/cart.php
http://testphp.vulnweb.com/AJAX/index.php
http://testphp.vulnweb.com/comment.php
http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
http://testphp.vulnweb.com/AJAX/showxml.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
http://testphp.vulnweb.com/categories.php
http://testphp.vulnweb.com/disclaimer.php
http://testphp.vulnweb.com/Connections/DB_Connection.php
http://testphp.vulnweb.com/_mmServerScripts/MMHTTPDB.php
http://testphp.vulnweb.com/guestbook.php
http://testphp.vulnweb.com/hpp/params.php
http://testphp.vulnweb.com/index.php

GET / HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: filelist;packages;aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Cookies with missing, inconsistent or contradictory properties (verified)
Severity Low
Description At least one of the following cookie properties causes the cookie to be
invalid or incompatible with either a different property of the same
cookie, or with the environment the cookie is being used in. Although this
is not a vulnerability in itself, it will likely lead to unexpected behavior by
the application, which in turn may cause secondary security issues.
Recommendations Ensure that the cookies configuration complies with the applicable
standards.
Alert variants
Details List of cookies with missing, inconsistent or contradictory properties:

http://testphp.vulnweb.com/logout.php

Cookie was set with:

Set-Cookie: login=deleted; expires=Thu, 01-Jan-197

This cookie has the following issues:

- Cookie without SameSite attribute.

When cookies lack the SameSite attribute, Web brow

GET /logout.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Cookies without HttpOnly flag set (verified)
Severity Low
Description One or more cookies don't have the HttpOnly flag set. When a cookie is
set with the HttpOnly flag, it instructs the browser that the cookie can
only be accessed by the server and not by client-side scripts. This is an
important security protection for session cookies.
Recommendations If possible, you should set the HttpOnly flag for these cookies.
Alert variants
Details Cookies without HttpOnly flag set:

http://testphp.vulnweb.com/logout.php

Set-Cookie: login=deleted; expires=Thu, 01-Jan-197

GET /logout.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Possible sensitive files
Severity Low
Description A possible sensitive file has been found. This file is not directly linked
from the website. This check looks for common sensitive resources like
password files, configuration files, log files, include files, statistics data,
database dumps. Each one of these files could help an attacker to learn
more about his target.
Recommendations Restrict access to this file or remove it from the website.
Alert variants
Details Possible sensitive files:
http://testphp.vulnweb.com/hpp/test.php

GET /hpp/test.php HTTP/1.1
Accept: ekvlqqru/hxtn
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Content Security Policy (CSP) not implemented
Severity Informational
Description Content Security Policy (CSP) is an added layer of security that helps to
detect and mitigate certain types of attacks, including Cross Site
Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a
Content-Security-Policy header. The value of this header is a string
containing the policy directives describing your Content Security Policy.
To implement CSP, you should define lists of allowed origins for all of
the types of resources that your site utilizes. For example, if you have a
simple site that needs to load scripts, stylesheets, and images hosted
locally, as well as from the jQuery library from their CDN, the CSP
header could look like the following:

Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content
Security Policy (CSP) as the CSP header is missing from the response.
It's recommended to implement Content Security Policy (CSP) into your
web application.
Recommendations It's recommended to implement Content Security Policy (CSP) into your
web application. Configuring Content Security Policy involves adding the
Content-Security-Policy HTTP header to a web page and giving it
values to control resources the user agent is allowed to load for that
page.
Alert variants
Details Paths without CSP header:

http://testphp.vulnweb.com/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/version.php
http://testphp.vulnweb.com/artists.php
http://testphp.vulnweb.com/bxss/adminPan3l/index.php
http://testphp.vulnweb.com/listproducts.php
http://testphp.vulnweb.com/product.php
http://testphp.vulnweb.com/AJAX/index.php
http://testphp.vulnweb.com/comment.php
http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
http://testphp.vulnweb.com/categories.php
http://testphp.vulnweb.com/disclaimer.php
http://testphp.vulnweb.com/Connections/DB_Connection.php
http://testphp.vulnweb.com/_mmServerScripts/MMHTTPDB.php
http://testphp.vulnweb.com/guestbook.php
http://testphp.vulnweb.com/hpp/params.php
http://testphp.vulnweb.com/index.php
http://testphp.vulnweb.com/secured/database_connect.php
http://testphp.vulnweb.com/login.php
http://testphp.vulnweb.com/images/

GET / HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: filelist;packages;aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Email addresses
Severity Informational
Description One or more email addresses have been found on this website. The
majority of spam comes from email addresses harvested off the internet.
The spam-bots (also known as email harvesters and email extractors)
are programs that scour the internet looking for email addresses on any
website they come across. Spambot programs look for strings like
[email protected] and then record any addresses found.
Recommendations Check references for details on how to solve this problem.
Alert variants
Details Emails found:

http://testphp.vulnweb.com/
[email protected]
http://testphp.vulnweb.com/search.php
[email protected]
http://testphp.vulnweb.com/artists.php
[email protected]
http://testphp.vulnweb.com/product.php
[email protected]
http://testphp.vulnweb.com/listproducts.php
[email protected]
http://testphp.vulnweb.com/cart.php
[email protected]
http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
[email protected]
http://testphp.vulnweb.com/categories.php
[email protected]
http://testphp.vulnweb.com/disclaimer.php
[email protected]
http://testphp.vulnweb.com/guestbook.php
[email protected]
http://testphp.vulnweb.com/index.php
[email protected]
http://testphp.vulnweb.com/login.php
[email protected]
http://testphp.vulnweb.com/signup.php
[email protected]
http://testphp.vulnweb.com/404.php
[email protected]
http://testphp.vulnweb.com/logout.php
[email protected]

GET / HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: filelist;aspectalerts;packages
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Internal IP address disclosure
Severity Informational
Description One or more strings matching an internal IPv4 address were found.
These IPv4 addresses may disclose information about the IP addressing
scheme of the internal network. This information can be used to conduct
further attacks.

The significance of this finding should be confirmed manually.
Recommendations Prevent this information from being displayed to the user.
Alert variants
Details Pages with internal IPs:

http://testphp.vulnweb.com/404.php
192.168.0.28
http://testphp.vulnweb.com/secured/phpinfo.php
192.168.0.5
http://testphp.vulnweb.com/pictures/ipaddresses.txt
192.168.0.26

GET /404.php HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group No HTTP Redirection
Severity Informational
Description It was detected that your web application uses HTTP protocol, but
doesn't automatically redirect users to HTTPS.
Recommendations It's recommended to implement best practices of HTTP Redirection into
your web application. Consult web references for more information.
Alert variants
Details

GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Permissions-Policy header not implemented
Severity Informational
Description The Permissions-Policy header allows developers to selectively enable
and disable use of various browser features and APIs.
Recommendations
Alert variants
Details Locations without Permissions-Policy header:

http://testphp.vulnweb.com/
http://testphp.vulnweb.com/search.php
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/version.php
http://testphp.vulnweb.com/artists.php
http://testphp.vulnweb.com/bxss/adminPan3l/index.php
http://testphp.vulnweb.com/product.php
http://testphp.vulnweb.com/listproducts.php
http://testphp.vulnweb.com/cart.php
http://testphp.vulnweb.com/AJAX/index.php
http://testphp.vulnweb.com/comment.php
http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
http://testphp.vulnweb.com/AJAX/showxml.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
http://testphp.vulnweb.com/categories.php
http://testphp.vulnweb.com/disclaimer.php
http://testphp.vulnweb.com/Connections/DB_Connection.php
http://testphp.vulnweb.com/_mmServerScripts/MMHTTPDB.php
http://testphp.vulnweb.com/guestbook.php
http://testphp.vulnweb.com/hpp/params.php
http://testphp.vulnweb.com/index.php

GET / HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: filelist;packages;aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group PHP Version Disclosure
Severity Informational
Description The web server is sending the X-Powered-By: response headers,
revealing the PHP version.
Recommendations Configure your web server to prevent information leakage from its HTTP
response.
Alert variants
Details Version detected: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1.

Web Server
Alert group Possible server path disclosure (Unix)
Severity Informational
Description One or more fully qualified path names were found. From this
information the attacker may learn the file system structure from the web
server. This information can be used to conduct further attacks.

This alert may be a false positive, manual confirmation is required.
Recommendations Prevent this information from being displayed to the user.
Alert variants
Details Pages with paths being disclosed:

http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
>/usr/local/etc/httpd/htdocs2/destination
http://testphp.vulnweb.com/secured/phpinfo.php
:/usr/obj/usr/src/sys/GENERIC

GET /pictures/path-disclosure-unix.html HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Possible server path disclosure (Windows)
Severity Informational
Description One or more fully qualified path names were found. From this
information the attacker may learn the file system structure from the web
server. This information can be used to conduct further attacks.

This alert may be a false positive, manual confirmation is required.
Recommendations Prevent this information from being displayed to the user.
Alert variants
Details Pages with paths being disclosed:

http://testphp.vulnweb.com/pictures/path-disclosure-win.html
C:\Inetpub\wwwroot\comparatii.php

GET /pictures/path-disclosure-win.html HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Web Server
Alert group Possible username or password disclosure
Severity Informational
Description One or more credential pairs (username+password) were found. This
information could be sensitive.

This alert may be a false positive, manual confirmation is required.
Recommendations Remove these file(s) from your website or change its permissions to
remove access.
Alert variants
Details Pages containing credentials:

http://testphp.vulnweb.com/pictures/credentials.txt
username=test
password=something

GET /pictures/credentials.txt HTTP/1.1
SkilledScan-Aspect: enabled
SkilledScan-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
SkilledScan-Aspect-ScanID: 15147751696545358545
SkilledScan-Aspect-Queries: aspectalerts;routes
Referer: http://testphp.vulnweb.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Scanned items (coverage report)


http://testphp.vulnweb.com/
http://testphp.vulnweb.com/.idea/
http://testphp.vulnweb.com/.idea/.name
http://testphp.vulnweb.com/.idea/art.iml
http://testphp.vulnweb.com/.idea/encodings.xml
http://testphp.vulnweb.com/.idea/misc.xml
http://testphp.vulnweb.com/.idea/modules.xml
http://testphp.vulnweb.com/.idea/scopes/
http://testphp.vulnweb.com/.idea/scopes/scope_settings.xml
http://testphp.vulnweb.com/.idea/vcs.xml
http://testphp.vulnweb.com/.idea/workspace.xml
http://testphp.vulnweb.com/_mmServerScripts/
http://testphp.vulnweb.com/_mmServerScripts/MMHTTPDB.php
http://testphp.vulnweb.com/_mmServerScripts/mysql.php
http://testphp.vulnweb.com/404.php
http://testphp.vulnweb.com/admin/
http://testphp.vulnweb.com/admin/create.sql
http://testphp.vulnweb.com/AJAX/
http://testphp.vulnweb.com/AJAX/artists.php
http://testphp.vulnweb.com/AJAX/categories.php
http://testphp.vulnweb.com/AJAX/htaccess.conf
http://testphp.vulnweb.com/AJAX/index.php
http://testphp.vulnweb.com/AJAX/infoartist.php
http://testphp.vulnweb.com/AJAX/infocateg.php
http://testphp.vulnweb.com/AJAX/infotitle.php
http://testphp.vulnweb.com/AJAX/showxml.php
http://testphp.vulnweb.com/AJAX/styles.css
http://testphp.vulnweb.com/AJAX/titles.php
http://testphp.vulnweb.com/artists.php
http://testphp.vulnweb.com/bxss/
http://testphp.vulnweb.com/bxss/adminPan3l/
http://testphp.vulnweb.com/bxss/adminPan3l/index.php
http://testphp.vulnweb.com/bxss/adminPan3l/style.css
http://testphp.vulnweb.com/bxss/cleanDatabase.php
http://testphp.vulnweb.com/bxss/database_connect.php
http://testphp.vulnweb.com/bxss/index.php
http://testphp.vulnweb.com/bxss/test.js
http://testphp.vulnweb.com/bxss/vuln.php
http://testphp.vulnweb.com/cart.php
http://testphp.vulnweb.com/categories.php
http://testphp.vulnweb.com/clearguestbook.php
http://testphp.vulnweb.com/clientaccesspolicy.xml
http://testphp.vulnweb.com/comment.php
http://testphp.vulnweb.com/Connections/
http://testphp.vulnweb.com/Connections/DB_Connection.php
http://testphp.vulnweb.com/crossdomain.xml
http://testphp.vulnweb.com/CVS/
http://testphp.vulnweb.com/CVS/Entries
http://testphp.vulnweb.com/CVS/Entries.Log
http://testphp.vulnweb.com/CVS/Repository
http://testphp.vulnweb.com/CVS/Root
http://testphp.vulnweb.com/database_connect.php
http://testphp.vulnweb.com/disclaimer.php
http://testphp.vulnweb.com/Flash/
http://testphp.vulnweb.com/Flash/add.fla
http://testphp.vulnweb.com/Flash/add.swf
http://testphp.vulnweb.com/guestbook.php
http://testphp.vulnweb.com/hpp/
http://testphp.vulnweb.com/hpp/index.php
http://testphp.vulnweb.com/hpp/params.php
http://testphp.vulnweb.com/hpp/test.php
http://testphp.vulnweb.com/images/
http://testphp.vulnweb.com/index.bak
http://testphp.vulnweb.com/index.php
http://testphp.vulnweb.com/index.zip
http://testphp.vulnweb.com/listproducts.php
http://testphp.vulnweb.com/login.php
http://testphp.vulnweb.com/logout.php
http://testphp.vulnweb.com/medias/
http://testphp.vulnweb.com/medias/css/
http://testphp.vulnweb.com/medias/css/main.css
http://testphp.vulnweb.com/medias/img/
http://testphp.vulnweb.com/medias/js/
http://testphp.vulnweb.com/medias/js/common_functions.js
http://testphp.vulnweb.com/Mod_Rewrite_Shop/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess
http://testphp.vulnweb.com/Mod_Rewrite_Shop/buy.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/details.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/
http://testphp.vulnweb.com/Mod_Rewrite_Shop/index.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/rate.php
http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
http://testphp.vulnweb.com/pictures/
http://testphp.vulnweb.com/pictures/1.jpg.tn
http://testphp.vulnweb.com/pictures/2.jpg.tn
http://testphp.vulnweb.com/pictures/3.jpg.tn
http://testphp.vulnweb.com/pictures/4.jpg.tn
http://testphp.vulnweb.com/pictures/5.jpg.tn
http://testphp.vulnweb.com/pictures/6.jpg.tn
http://testphp.vulnweb.com/pictures/7.jpg.tn
http://testphp.vulnweb.com/pictures/8.jpg.tn
http://testphp.vulnweb.com/pictures/credentials.txt
http://testphp.vulnweb.com/pictures/ipaddresses.txt
http://testphp.vulnweb.com/pictures/path-disclosure-unix.html
http://testphp.vulnweb.com/pictures/path-disclosure-win.html
http://testphp.vulnweb.com/pictures/wp-config.bak
http://testphp.vulnweb.com/pictures/WS_FTP.LOG
http://testphp.vulnweb.com/privacy.php
http://testphp.vulnweb.com/product.php
http://testphp.vulnweb.com/redir.php
http://testphp.vulnweb.com/search.php
http://testphp.vulnweb.com/secured/
http://testphp.vulnweb.com/secured/database_connect.php
http://testphp.vulnweb.com/secured/index.php
http://testphp.vulnweb.com/secured/newuser.php
http://testphp.vulnweb.com/secured/office.htm
http://testphp.vulnweb.com/secured/office_files/
http://testphp.vulnweb.com/secured/office_files/filelist.xml
http://testphp.vulnweb.com/secured/phpinfo.php
http://testphp.vulnweb.com/secured/style.css
http://testphp.vulnweb.com/sendcommand.php
http://testphp.vulnweb.com/showimage.php
http://testphp.vulnweb.com/signup.php
http://testphp.vulnweb.com/style.css
http://testphp.vulnweb.com/Templates/
http://testphp.vulnweb.com/Templates/main_dynamic_template.dwt.php
http://testphp.vulnweb.com/userinfo.php
http://testphp.vulnweb.com/vendor/
http://testphp.vulnweb.com/vendor/installed.json
http://testphp.vulnweb.com/wvstests/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/
http://testphp.vulnweb.com/wvstests/pmwiki_2_1_19/scripts/version.php
