Remediation Report for Application Developer (Page 1 of 2)

Scan Name:	WebScantest
Date:	12/13/2011 4:15:27 PM
Authenticated User:	(none)
Total Links / Attackable Links:	266 / 218
Target URL:	http://www.webscantest.com/
Reports:

Security Status - Complete

Vulnerability

Best Practice

Exposure

Vulnerability Trend

Summary

Vulnerability Type	Root Causes		Vulnerabilities
Arbitrary File Upload		4		4
Authentication Form SQL Injection		2		2
Authentication Testing		1		1
Blind SQL		15		91
Cross-Site Scripting		25		217
Cross-Site Scripting - DOM Based		1		1
HTTP Response Splitting		1		1
OS Commanding		1		5
SQL Injection		11		105
Parameter Analysis		12		28
Session Strength Analysis		2		2
Total:		75		457

By Risk

Vulnerabilities: 457

Details by Module

Disable Validate Applet

Arbitrary File Upload

Site: http://www.webscantest.com:80

http://www.webscantest.com:80/picshare/upload.pl

Root Cause #1:

1 parameter / 1 vuln

URL: http://www.webscantest.com:80/picshare/upload.pl

Root Cause #1:

file

Vulnerable Parameter

Original Value

Method

file

POST

Attack Type

Attack Value

Error

HTML File Upload

<html><script>alert('h4iqrepu');</script></html>

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

http://www.webscantest.com:80/picshare/upload.pl

Root Cause #2:

1 parameter / 1 vuln

Root Cause #2:

file

Vulnerable Parameter

Original Value

Method

file

POST

Attack Type

Attack Value

Error

PHP File Upload

<?
echo 'foobar i120c1l4';
?>

foobar i120c1l4

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

http://www.webscantest.com:80/picshare/uploadpic.php

Root Cause #3:

1 parameter / 1 vuln

URL: http://www.webscantest.com:80/picshare/uploadpic.php

Root Cause #3:

userfile

Vulnerable Parameter

Original Value

Method

userfile

POST

Attack Type

Attack Value

Error

PHP File Upload

<?
echo 'foobar fahi0jiy';
?>

foobar fahi0jiy

Original Traffic

Attack Traffic #1

Attack Traffic #2

http://www.webscantest.com:80/picshare/uploadpic.php

Root Cause #4:

1 parameter / 1 vuln

Root Cause #4:

userfile

Vulnerable Parameter

Original Value

Method

userfile

POST

Attack Type

Attack Value

Error

HTML File Upload

<html><script>alert('g0xitxdk');</script></html>

Original Traffic

Attack Traffic #1

Attack Traffic #2

Description:	It has proven possible to use file upload facilities made available by the web application to upload an executable application to the server.
Recommendations:	Intercept file upload attempts and ensure that only the intended types are being uploaded before allowing the upload to succeed.

Authentication Form SQL Injection

Site: http://www.webscantest.com:80

URL: http://www.webscantest.com:80/login.php

Root Cause #5:

Root Cause #6:

Description:

It was discovered that SQL Injection techniques can be used to fool the application into authenticating without the attacker needing valid credentials. SQL Injection vulnerabilities on login pages expose an application to unauthorized access and quite probably at the administrator level, thereby severely compromising the security of the application.

Recommendations:

Normalize all user-supplied login data before applying filters, regular expressions, or submitting the login data to a database. This means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters.
Implement positive filters that examine user-supplied login data for expected characters. Define data types for user-supplied values and ensure that submitted login data match these types, such as numeric or acceptable password characters (i.e. consider disallowing as many HTML syntax characters as password characters as possible without compromising password resistance to dictionary attacks). String or text values should be carefully matched to a limited subset of characters such as alpha, numeric, spaces, or certain punctuation characters as necessary. If any value received by the application contains an unexpected character, then it should be rejected.
Negative filtering can also prevent attacks, but may be more unreliable or more difficult to implement for language sets that require non-ASCII characters. Examine all login data received from the web browser for SQL syntax characters. If any of these characters are present, then they should be escaped or removed. The single quote (') or double quote (") are often used to envelope parameters in a SQL query. Other malicious characters include the asterisk, semi-colon, dash (minus sign), and parentheses. These characters could be used to prematurely end a query statement.

Authentication Testing

Site: http://www.webscantest.com:80

URL: http://www.webscantest.com:80/login.php

Root Cause #7:

Description:	A valid username and password combination was discovered for the application. Default passwords and trivial passwords expose an application to unauthorized access. If a user chooses a very insecure password, then that user's account information can be compromised and the account can be used to attempt to compromise the application.
Recommendations:	Enforce a strong password security policy. Require that all passwords have a six-character minimum length. Require that all passwords have mixed-case alphanumeric content Have all passwords expire every 180 days and do not allow uesrs to re-use previously expired passwords. includes rules for password content, password expiration, and password re-use.

Blind SQL

Site: http://www.webscantest.com:80

http://www.webscantest.com:80/datastore/search_double_by_name.php

Root Cause #8:

1 parameter / 4 vulns

URL: http://www.webscantest.com:80/datastore/search_double_by_name.php

Root Cause #8:

name

Vulnerable Parameter

Original Value

Method

name

Rake

POST

Attack Type

Attack Value

Error

Logical Or

Rake' OR 3=3 #

The following parameter values were submitted to test for this vulnerability:
#1, Passed: Rake' OR 1=1 # - the response should be different from the original. Alternate value.
#2, Passed: Rake' OR 1=0 # - the response should be the same as the original.
#3, Passed: Rake' OR 2=2 # - the response should be the same as the response from the Alternate value.
#4, Passed: Rake' OR 2=1 # - the response should be the same as the original.
#5, Passed: Rake' OR 3=3 # - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake' AND '2'='3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: Rake' AND '1'='0 - the response should be different from the original. Alternate value.
#2, Passed: Rake' AND '1'='1 - the response should be the same as the original.
#3, Passed: Rake' AND '1'='2 - the response should be the same as the response from the Alternate value.
#4, Passed: Rake' AND '2'='2 - the response should be the same as the original.
#5, Passed: Rake' AND '2'='3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake' OR '3'='3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: Rake' OR '1'='1 - the response should be different from the original. Alternate value.
#2, Passed: Rake' OR '1'='0 - the response should be the same as the original.
#3, Passed: Rake' OR '2'='2 - the response should be the same as the response from the Alternate value.
#4, Passed: Rake' OR '2'='1 - the response should be the same as the original.
#5, Passed: Rake' OR '3'='3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake' AND 2='3/*

The following parameter values were submitted to test for this vulnerability:
#1, Passed: Rake' AND 1='0/* - the response should be different from the original. Alternate value.
#2, Passed: Rake' AND 1='1/* - the response should be the same as the original.
#3, Passed: Rake' AND 1='2/* - the response should be the same as the response from the Alternate value.
#4, Passed: Rake' AND 2='2/* - the response should be the same as the original.
#5, Passed: Rake' AND 2='3/* - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/search_by_id.php

Root Cause #9:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/datastore/search_by_id.php

Root Cause #9:

Vulnerable Parameter

Original Value

Method

POST

Attack Type

Attack Value

Error

Logical Or

1 OR 3=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 1 OR 1=1 - the response should be different from the original. Alternate value.
#2, Passed: 1 OR 1=0 - the response should be the same as the original.
#3, Passed: 1 OR 2=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 1 OR 2=1 - the response should be the same as the original.
#5, Passed: 1 OR 3=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(3,2) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(5,2) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

1 AND 2=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 1 AND 1=0 - the response should be different from the original. Alternate value.
#2, Passed: 1 AND 1=1 - the response should be the same as the original.
#3, Passed: 1 AND 1=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 1 AND 2=2 - the response should be the same as the original.
#5, Passed: 1 AND 2=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9 % 7

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 3 % 2 - the response should be the same as the original.
#3, Passed: 7 % 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 5 % 2 - the response should be the same as the original.
#5, Passed: 9 % 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: COALESCE(0x71,NULL,0x31) - the response should be different from the original.
#2, Passed: COALESCE(NULL,NULL,0x31) - the response should be the same as the original.
#3, Passed: COALESCE(NULL,0x71,0x31) - the response should be different from the original.
#4, Passed: COALESCE(NULL,0x31,0x71) - the response should be the same as the original.
#5, Passed: COALESCE(NULL,NULL,0x71) - the response should be different from the original.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2B2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 1+0 - the response should be the same as the original.
#3, Passed: 1+1 - the response should be the same as the response from the Alternate value.
#4, Passed: 0+1 - the response should be the same as the original.
#5, Passed: 0+2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9 MOD 7

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 3 MOD 2 - the response should be the same as the original.
#3, Passed: 7 MOD 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 5 MOD 2 - the response should be the same as the original.
#5, Passed: 9 MOD 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x31,2)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: REPEAT(0x31,2) - the response should be different from the original. Alternate value.
#2, Passed: REPEAT(0x31,1) - the response should be the same as the original.
#3, Passed: REPEAT(0x31,2) - the response should be the same as the response from the Alternate value.
#4, Passed: REPEAT(0x31,1) - the response should be the same as the original.
#5, Passed: REPEAT(0x31,2) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 2-1 - the response should be the same as the original.
#3, Passed: 3-1 - the response should be the same as the response from the Alternate value.
#4, Passed: 3-2 - the response should be the same as the original.
#5, Passed: 4-2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_by_name.php

Root Cause #10:

1 parameter / 4 vulns

URL: http://www.webscantest.com:80/shutterdb/search_by_name.php

Root Cause #10:

name

Vulnerable Parameter

Original Value

Method

name

Rake

POST

Attack Type

Attack Value

Error

Logical Equivalence

Rake' AND 2='3/*

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake' AND '2'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake' OR '3'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake' OR 3=3 #

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/item.php

Root Cause #11:

1 parameter / 1 vuln

URL: http://www.webscantest.com:80/shutterdb/item.php?id=3

Root Cause #11:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(7,4) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(11,4) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/search_get_by_name.php

Root Cause #12:

1 parameter / 4 vulns

URL: http://www.webscantest.com:80/datastore/search_get_by_name.php?name=Rake

Root Cause #12:

name

Vulnerable Parameter

Original Value

Method

name

Rake

GET

Attack Type

Attack Value

Error

Logical Equivalence

Rake'%20AND%202='3/*

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake'%20OR%20'3'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake%27%20OR%203%3D3%20%23

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake'%20AND%20'2'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_by_id.php

Root Cause #13:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/shutterdb/search_by_id.php

Root Cause #13:

Vulnerable Parameter

Original Value

Method

POST

Attack Type

Attack Value

Error

Subtractive Equivalence

4-2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9 % 7

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

1 OR 3=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

1 AND 2=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2B2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9 MOD 7

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x31,2)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/getimage_by_id.php

Root Cause #14:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/datastore/getimage_by_id.php?id=3

Root Cause #14:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

SQL Repeat

REPEAT(0x33,2)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: REPEAT(0x33,2) - the response should be different from the original. Alternate value.
#2, Passed: REPEAT(0x33,1) - the response should be the same as the original.
#3, Passed: REPEAT(0x33,2) - the response should be the same as the response from the Alternate value.
#4, Passed: REPEAT(0x33,1) - the response should be the same as the original.
#5, Passed: REPEAT(0x33,2) - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(7,4) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(11,4) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 4-1 - the response should be the same as the original.
#3, Passed: 3-1 - the response should be the same as the response from the Alternate value.
#4, Passed: 5-2 - the response should be the same as the original.
#5, Passed: 4-2 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

3%20OR%203=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 3 OR 1=1 - the response should be different from the original. Alternate value.
#2, Passed: 3 OR 1=0 - the response should be the same as the original.
#3, Passed: 3 OR 2=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 3 OR 2=1 - the response should be the same as the original.
#5, Passed: 3 OR 3=3 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: COALESCE(0x71,NULL,0x33) - the response should be different from the original.
#2, Passed: COALESCE(NULL,NULL,0x33) - the response should be the same as the original.
#3, Passed: COALESCE(NULL,0x71,0x33) - the response should be different from the original.
#4, Passed: COALESCE(NULL,0x33,0x71) - the response should be the same as the original.
#5, Passed: COALESCE(NULL,NULL,0x71) - the response should be different from the original.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2b2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 2+1 - the response should be the same as the original.
#3, Passed: 1+1 - the response should be the same as the response from the Alternate value.
#4, Passed: 0+3 - the response should be the same as the original.
#5, Passed: 0+2 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

3%20AND%202=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 3 AND 1=0 - the response should be different from the original. Alternate value.
#2, Passed: 3 AND 1=1 - the response should be the same as the original.
#3, Passed: 3 AND 1=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 3 AND 2=2 - the response should be the same as the original.
#5, Passed: 3 AND 2=3 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20%%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 7 % 4 - the response should be the same as the original.
#3, Passed: 7 % 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 11 % 4 - the response should be the same as the original.
#5, Passed: 9 % 7 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 7 MOD 4 - the response should be the same as the original.
#3, Passed: 7 MOD 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 11 MOD 4 - the response should be the same as the original.
#5, Passed: 9 MOD 7 - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Binary Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_get_by_id4.php

Root Cause #15:

1 parameter / 8 vulns

URL: http://www.webscantest.com:80/shutterdb/search_get_by_id4.php?id=1

Root Cause #15:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

Additive Equivalence

0%2b2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20%%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x31,2)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

1%20AND%202=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/search_get_by_id.php

Root Cause #16:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/datastore/search_get_by_id.php?id=3

Root Cause #16:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

Modulo Equivalence

9%20%25%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

3%20AND%202=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x33,2)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(7,4) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(11,4) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

3%20OR%203=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2b2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_get_by_id.php

Root Cause #17:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/shutterdb/search_get_by_id.php?id=1

Root Cause #17:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

SQL Repeat

REPEAT(0x31,2)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2b2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20%%207

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

1%20OR%203=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

1%20AND%202=3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/login.php

Root Cause #18:

1 parameter / 1 vuln

URL: http://www.webscantest.com:80/login.php

Root Cause #18:

Vulnerable Parameter

Original Value

Method

iX06sH28

POST

Attack Type

Attack Value

Error

Logical Or

iX06sH28' OR 3=3 #

The following parameter values were submitted to test for this vulnerability:
#1, Passed: iX06sH28' OR 1=1 # - the response should be different from the original. Alternate value.
#2, Passed: iX06sH28' OR 1=0 # - the response should be the same as the original.
#3, Passed: iX06sH28' OR 2=2 # - the response should be the same as the response from the Alternate value.
#4, Passed: iX06sH28' OR 2=1 # - the response should be the same as the original.
#5, Passed: iX06sH28' OR 3=3 # - the response should be the same as the response from the Alternate value.

Vulnerable areas in the responses are not highlighted: Redirect Response

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/search_by_name.php

Root Cause #19:

1 parameter / 4 vulns

URL: http://www.webscantest.com:80/datastore/search_by_name.php

Root Cause #19:

name

Vulnerable Parameter

Original Value

Method

name

Rake

POST

Attack Type

Attack Value

Error

Logical Equivalence

Rake' AND 2='3/*

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake' AND '2'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake%27+OR+%273%27%3D%273

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

Rake' OR 3=3 #

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_get_by_id3.php

Root Cause #20:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/shutterdb/search_get_by_id3.php?id=7

Root Cause #20:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

SQL Coalesce

COALESCE(NULL,NULL,0x71)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: COALESCE(0x71,NULL,0x37) - the response should be different from the original.
#2, Passed: COALESCE(NULL,NULL,0x37) - the response should be the same as the original.
#3, Passed: COALESCE(NULL,0x71,0x37) - the response should be different from the original.
#4, Passed: COALESCE(NULL,0x37,0x71) - the response should be the same as the original.
#5, Passed: COALESCE(NULL,NULL,0x71) - the response should be different from the original.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2b2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 4+3 - the response should be the same as the original.
#3, Passed: 1+1 - the response should be the same as the response from the Alternate value.
#4, Passed: 2+5 - the response should be the same as the original.
#5, Passed: 0+2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

7%20AND%202=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 7 AND 1=0 - the response should be different from the original. Alternate value.
#2, Passed: 7 AND 1=1 - the response should be the same as the original.
#3, Passed: 7 AND 1=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 7 AND 2=2 - the response should be the same as the original.
#5, Passed: 7 AND 2=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(15,8) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(23,8) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20%%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 15 % 8 - the response should be the same as the original.
#3, Passed: 7 % 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 23 % 8 - the response should be the same as the original.
#5, Passed: 9 % 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 15 MOD 8 - the response should be the same as the original.
#3, Passed: 7 MOD 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 23 MOD 8 - the response should be the same as the original.
#5, Passed: 9 MOD 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

7%20OR%203=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 7 OR 1=1 - the response should be different from the original. Alternate value.
#2, Passed: 7 OR 1=0 - the response should be the same as the original.
#3, Passed: 7 OR 2=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 7 OR 2=1 - the response should be the same as the original.
#5, Passed: 7 OR 3=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x37,2)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: REPEAT(0x37,2) - the response should be different from the original. Alternate value.
#2, Passed: REPEAT(0x37,1) - the response should be the same as the original.
#3, Passed: REPEAT(0x37,2) - the response should be the same as the response from the Alternate value.
#4, Passed: REPEAT(0x37,1) - the response should be the same as the original.
#5, Passed: REPEAT(0x37,2) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 10-3 - the response should be the same as the original.
#3, Passed: 3-1 - the response should be the same as the response from the Alternate value.
#4, Passed: 11-4 - the response should be the same as the original.
#5, Passed: 4-2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/shutterdb/search_get_by_id2.php

Root Cause #21:

1 parameter / 9 vulns

URL: http://www.webscantest.com:80/shutterdb/search_get_by_id2.php?id=5

Root Cause #21:

Vulnerable Parameter

Original Value

Method

GET

Attack Type

Attack Value

Error

Logical Equivalence

5%20AND%202=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 5 AND 1=0 - the response should be different from the original. Alternate value.
#2, Passed: 5 AND 1=1 - the response should be the same as the original.
#3, Passed: 5 AND 1=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 5 AND 2=2 - the response should be the same as the original.
#5, Passed: 5 AND 2=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

MOD(9,7)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: MOD(11,6) - the response should be the same as the original.
#3, Passed: MOD(7,5) - the response should be the same as the response from the Alternate value.
#4, Passed: MOD(17,6) - the response should be the same as the original.
#5, Passed: MOD(9,7) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Additive Equivalence

0%2b2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 3+2 - the response should be the same as the original.
#3, Passed: 1+1 - the response should be the same as the response from the Alternate value.
#4, Passed: 1+4 - the response should be the same as the original.
#5, Passed: 0+2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20%%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 11 % 6 - the response should be the same as the original.
#3, Passed: 7 % 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 17 % 6 - the response should be the same as the original.
#5, Passed: 9 % 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Or

5%20OR%203=3

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 5 OR 1=1 - the response should be different from the original. Alternate value.
#2, Passed: 5 OR 1=0 - the response should be the same as the original.
#3, Passed: 5 OR 2=2 - the response should be the same as the response from the Alternate value.
#4, Passed: 5 OR 2=1 - the response should be the same as the original.
#5, Passed: 5 OR 3=3 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Modulo Equivalence

9%20MOD%207

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 11 MOD 6 - the response should be the same as the original.
#3, Passed: 7 MOD 5 - the response should be the same as the response from the Alternate value.
#4, Passed: 17 MOD 6 - the response should be the same as the original.
#5, Passed: 9 MOD 7 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Repeat

REPEAT(0x35,2)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: REPEAT(0x35,2) - the response should be different from the original. Alternate value.
#2, Passed: REPEAT(0x35,1) - the response should be the same as the original.
#3, Passed: REPEAT(0x35,2) - the response should be the same as the response from the Alternate value.
#4, Passed: REPEAT(0x35,1) - the response should be the same as the original.
#5, Passed: REPEAT(0x35,2) - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Subtractive Equivalence

4-2

The following parameter values were submitted to test for this vulnerability:
#1, Passed: 2 - the response should be different from the original. Alternate value.
#2, Passed: 7-2 - the response should be the same as the original.
#3, Passed: 3-1 - the response should be the same as the response from the Alternate value.
#4, Passed: 8-3 - the response should be the same as the original.
#5, Passed: 4-2 - the response should be the same as the response from the Alternate value.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

SQL Coalesce

COALESCE(NULL,NULL,0x71)

The following parameter values were submitted to test for this vulnerability:
#1, Passed: COALESCE(0x71,NULL,0x35) - the response should be different from the original.
#2, Passed: COALESCE(NULL,NULL,0x35) - the response should be the same as the original.
#3, Passed: COALESCE(NULL,0x71,0x35) - the response should be different from the original.
#4, Passed: COALESCE(NULL,0x35,0x71) - the response should be the same as the original.
#5, Passed: COALESCE(NULL,NULL,0x71) - the response should be different from the original.

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

http://www.webscantest.com:80/datastore/getimage_by_name.php

Root Cause #22:

1 parameter / 2 vulns

URL: http://www.webscantest.com:80/datastore/getimage_by_name.php?name=Rake

Root Cause #22:

name

Vulnerable Parameter

Original Value

Method

name

Rake

GET

Attack Type

Attack Value

Error

Logical Equivalence

Rake'%20AND%20'2'='3

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Logical Equivalence

Rake'%20AND%202='3/*

Original Traffic

Attack Traffic #1

Attack Traffic #2

Attack Traffic #3

Attack Traffic #4

Attack Traffic #5

Description:

These SQL injection techniques analyze the application's response to parameter values that are designed to be interpreted and executed by a database. These requests contain arguments that are not affected by input validation filters. The application submits the original payload to the database, where the database interprets the payload as a valid SQL query. This implies that arbitrary SQL commands may be executed through this parameter value. These tests do not generate database errors, nor should database errors appear in the HTML response.
Vulnerabilities identified by this module highlight problems with input validation routines and the creation of SQL queries. They should be addressed by the fundamental approaches taken to counter common SQL injection exploits.

Recommendations:

Several techniques can be used to block database injection attacks. These techniques complement each other and address security at different points in the application. The impact of a SQL injection attack is minimized by implementing multiple defense measures.

Normalize all user-supplied data before applying filters, regular expressions, or submitting the data to a database. This means that all URL-encoded (%xx), HTML-encoded (&#xx;), or other encoding schemes should be reduced to the internal character representation expected by the application. This prevents attackers from using alternate encoding schemes to bypass filters.
Implement positive filters that examine user-supplied data for expected characters. Define data types for user-supplied values and ensure that submitted data match these types, such as numeric or date. String or text values should be carefully matched to a limited subset of characters such as alpha, numeric, spaces, or certain punctuation characters as necessary. If any value received by the application contains an unexpected character, then it should be rejected.
Negative filtering can also prevent attacks, but may be more unreliable or more difficult to implement for language sets that require non-ASCII characters. Examine all data received from the web browser for SQL syntax characters. If any of these characters are present, then they should be escaped or removed. The single quote (') or double quote (") are often used to envelope parameters in a SQL query. Other malicious characters include the asterisk, semi-colon, dash (minus sign), and parentheses. These characters could be used to prematurely end a query statement.
Avoid string concatenation for SQL query construction. String concatenation, where the query is created programmatically by appending values together, makes an injection attack easier to accomplish because the syntax of the query can be easily disrupted by malicious characters.
SQL statements should use pre-defined views, parameterized functions, or stored procedures to query the database. These techniques do not enable the content of a parameter to affect the structure of a SQL statement. Even if a parameter contains malicious characters, then the function will always return an error due to incorrect values.
Store user-supplied values with appropriate data types within the database. For example, dates should be stored as DATE types (if available) instead of a VARCHAR string.

Cross-Site Scripting

Site: http://www.webscantest.com:80

http://www.webscantest.com:80/crosstraining/review.php

Root Causes #23 - 24:

2 parameters / 20 vulns

URL: http://www.webscantest.com:80/crosstraining/review.php

Root Cause #23:

Vulnerable Parameter

Original Value

Method

jjF59664@example.com

POST

Attack Type

Attack Value

Error

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(/kMbCoIuI/) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/kmbcoiui/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert('g5lY55uY') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	g5ly55uy

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert('n6yM22xU') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	n6ym22xu

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert('jQ4D0C4M') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	jq4d0c4m

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(/n6h8rMx8/) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/n6h8rmx8/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert('kVuKj6nU') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	kvukj6nu

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered style expression

Injected: foobar"/style="w:expression(alert('l27V4GvG'))

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	l27v4gvg

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(String.fromCharCode(102,67,110,50,98,80,56,65)) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	fcn2bp8a

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert("kH28fHnQ") "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	kh28fhnq

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert("g74DvVj8") "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	g74dvvj8

Original Traffic

Attack Traffic #1

Attack Traffic #2

Root Cause #24:

description

Vulnerable Parameter

Original Value

Method

description

POST

Attack Type

Attack Value

Error

Unfiltered style expression

Injected: <a style=width:expression(alert(/jO5LmIkK/))>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/jo5lmikk/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert('iRaDjF72')>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	iradjf72

Original Traffic

Attack Traffic #1

Attack Traffic #2

Reflection is inside <title> tag

Injected: </title><script>alert(/hB54lFtO/)</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/hb54lfto/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert('mY72l3m8')>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	my72l3m8

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert(String.fromCharCode(105,87,55,68,98,49,120,52))>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	iw7db1x4

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert(String.fromCharCode(97,68,100,48,121,73,55,73))>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	add0yi7i

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>alert(/k9wXwZiI/)</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/k9wxwzii/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>alert(/iK7R1VaC/)</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/ik7r1vac/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>alert("lPwF0Oy0")</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	lpwf0oy0

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script> within HTML element

Injected: <script>alert(String.fromCharCode(108,68,121,49,56,49,103,48))</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	ldy181g0

Original Traffic

Attack Traffic #1

Attack Traffic #2

http://www.webscantest.com:80/crosstraining/review.php

Root Causes #25 - 26:

2 parameters / 20 vulns

Root Cause #25:

Vulnerable Parameter

Original Value

Method

jjF59664@example.com

POST

Attack Type

Attack Value

Error

Unfiltered style expression

Injected: foobar"/style="w:expression(alert(/b2vWxWtQ/))

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/b2vwxwtq/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert(String.fromCharCode(100,51,116,78,119,69,54,83)) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	d3tnwe6s

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(String.fromCharCode(101,66,108,88,116,74,119,77)) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	eblxtjwm

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert("g19OuQr2") "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	g19ouqr2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert('k53KnR2G') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	k53knr2g

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(String.fromCharCode(97,66,104,79,121,70,100,77)) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	abhoyfdm

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert('hDuOfItC') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	hduofitc

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered style expression

Injected: foobar"/style="w:expression(alert(String.fromCharCode(104,88,106,71,53,89,117,71)))

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	hxjg5yug

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert(/eKxDwI9Y/) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/ekxdwi9y/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <a> tag with onmouseover handler

Injected: " onmouseover=alert("mC416CiO") "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	mc416cio

Original Traffic

Attack Traffic #1

Attack Traffic #2

Root Cause #26:

description

Vulnerable Parameter

Original Value

Method

description

POST

Attack Type

Attack Value

Error

Unfiltered javascript

Injected: <div onmouseover=alert('eBw8w7rM')>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	ebw8w7rm

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>alert(/eJr4hMp2/)</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/ejr4hmp2/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Reflection is inside <title> tag

Injected: </title><script>alert(/jY3Mh87U/)</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/jy3mh87u/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript href

Injected: <a href=javascript:alert(/d1vKmZ2I/)>abc</a>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/d1vkmz2i/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert(/aM7Hl7oC/)>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/am7hl7oc/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>alert("lPtSyEhG")</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	lptsyehg

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script>

Injected: <script>eval(alert(String.fromCharCode(102,85,106,83,54,52,111,56)))</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	fujs64o8

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert(/aC8QvFyM/)>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/ac8qvfym/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered javascript

Injected: <div onmouseover=alert("cH6TlZlY")>abc

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	ch6tlzly

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered <script> within HTML element

Injected: <script>alert(String.fromCharCode(99,80,55,55,110,81,110,81))</script>

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	cp77nqnq

Original Traffic

Attack Traffic #1

Attack Traffic #2

http://www.webscantest.com:80/crosstraining/review.php

Root Causes #27 - 28:

2 parameters / 20 vulns

Root Cause #27:

Vulnerable Parameter

Original Value

Method

jjF59664@example.com

POST

Attack Type

Attack Value

Error

Unfiltered input parameter

Injected: " onmouseover=alert('n6yM22xU') "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	n6ym22xu

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(/kMbCoIuI/) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/kmbcoiui/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(/n6h8rMx8/) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	/n6h8rmx8/

Original Traffic

Attack Traffic #1

Attack Traffic #2

Unfiltered input parameter

Injected: " onmouseover=alert("jYb27Ro2") "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	jyb27ro2

Original Traffic

Attack Traffic #1

Attack Traffic #2

Quotes in attribute

Injected: jjF59664@example.com" onmouseover=alert(String.fromCharCode(98,75,103,77,108,86,121,69)) "

Persists in:http://www.webscantest.com:80/crosstraining/review.php

	Successful XSS Attack
	bkgmlvye

Remediation Report for Application Developer (Page 1 of 2)

Security Status - Complete

Summary

Vulnerability Type

Root Causes

Vulnerabilities

By Risk

Details by Module

Arbitrary File Upload

Site: http://www.webscantest.com:80

Authentication Form SQL Injection

Site: http://www.webscantest.com:80

Authentication Testing

Site: http://www.webscantest.com:80

Blind SQL

Site: http://www.webscantest.com:80

Cross-Site Scripting

Site: http://www.webscantest.com:80