Repository: vulndb/data
Branch: master
Commit: 20459bc133f0
Files: 207
Total size: 129.4 KB

Directory structure:
gitextract_2uk6lexw/

├── .circleci/
│   └── config.yml
├── .gitignore
├── LICENSE.md
├── README.md
├── db/
│   └── en/
│       ├── 1-allowed-http-methods.json
│       ├── 10-common-sensitive-file.json
│       ├── 11-cookie-set-for-parent-domain.json
│       ├── 12-credit-card-number-disclosure.json
│       ├── 13-cross-site-request-forgery.json
│       ├── 14-cvs-svn-user-disclosure.json
│       ├── 15-directory-listing.json
│       ├── 16-e-mail-address-disclosure.json
│       ├── 17-file-inclusion.json
│       ├── 18-form-based-file-upload.json
│       ├── 19-missing-strict-transport-security-header.json
│       ├── 2-a-backdoor-file-exists-on-the-server.json
│       ├── 20-misconfiguration-in-limit-directive-of-htaccess-file.json
│       ├── 21-html-object.json
│       ├── 22-httponly-cookie.json
│       ├── 23-publicly-writable-directory.json
│       ├── 24-insecure-client-access-policy.json
│       ├── 25-insecure-cookie.json
│       ├── 26-access-control-allow-origin-star.json
│       ├── 27-insecure-cross-domain-policy-allow-access-from.json
│       ├── 29-interesting-response.json
│       ├── 3-backup-directory.json
│       ├── 30-ldap-injection.json
│       ├── 31-exposed-localstart-asp-page.json
│       ├── 32-mixed-resource.json
│       ├── 33-nosql-injection.json
│       ├── 34-blind-nosql-injection-differential-analysis.json
│       ├── 35-access-restriction-bypass-via-origin-spoof.json
│       ├── 36-operating-system-command-injection.json
│       ├── 38-password-field-with-auto-complete.json
│       ├── 39-path-traversal.json
│       ├── 4-backup-file.json
│       ├── 40-private-ip-address-disclosure.json
│       ├── 41-response-splitting.json
│       ├── 42-remote-file-inclusion.json
│       ├── 43-session-fixation.json
│       ├── 44-source-code-disclosure.json
│       ├── 45-sql-injection.json
│       ├── 46-blind-sql-injection.json
│       ├── 47-blind-sql-injection-timing-attack.json
│       ├── 48-disclosed-us-social-security-number-ssn.json
│       ├── 49-unencrypted-password-form.json
│       ├── 5-captcha-protected-form.json
│       ├── 50-unvalidated-redirect.json
│       ├── 51-unvalidated-dom-redirect.json
│       ├── 52-webdav.json
│       ├── 53-missing-x-frame-options-header.json
│       ├── 54-xpath-injection.json
│       ├── 55-cross-site-scripting-xss.json
│       ├── 56-dom-based-cross-site-scripting-xss.json
│       ├── 6-code-injection.json
│       ├── 63-http-trace.json
│       ├── 64-xml-external-entity.json
│       ├── 65-arbitrary-file-upload.json
│       ├── 66-insecure-ssl-version.json
│       ├── 67-self-signed-ssl-certificate.json
│       ├── 68-shellshock.json
│       ├── 69-insecure-frontpage-configuration.json
│       ├── 70-persistent-xss.json
│       ├── 71-reflected-file-download.json
│       ├── 72-cache-control-headers.json
│       ├── 73-information-leak-stack-trace.json
│       ├── 74-phishing-vector.json
│       ├── 75-guessable-credentials.json
│       ├── 76-x-content-type-options_header_missing.json
│       ├── 77-http-basic-authentication-credentials.json
│       ├── 8-code-injection.json
│       ├── 9-common-directory.json
│       ├── description/
│       │   ├── 1.md
│       │   ├── 10.md
│       │   ├── 11.md
│       │   ├── 12.md
│       │   ├── 13.md
│       │   ├── 14.md
│       │   ├── 15.md
│       │   ├── 16.md
│       │   ├── 17.md
│       │   ├── 18.md
│       │   ├── 19.md
│       │   ├── 2.md
│       │   ├── 20.md
│       │   ├── 21.md
│       │   ├── 22.md
│       │   ├── 23.md
│       │   ├── 24.md
│       │   ├── 25.md
│       │   ├── 26.md
│       │   ├── 27.md
│       │   ├── 29.md
│       │   ├── 3.md
│       │   ├── 30.md
│       │   ├── 31.md
│       │   ├── 32.md
│       │   ├── 33.md
│       │   ├── 34.md
│       │   ├── 35.md
│       │   ├── 36.md
│       │   ├── 38.md
│       │   ├── 39.md
│       │   ├── 4.md
│       │   ├── 40.md
│       │   ├── 41.md
│       │   ├── 42.md
│       │   ├── 43.md
│       │   ├── 44.md
│       │   ├── 45.md
│       │   ├── 46.md
│       │   ├── 47.md
│       │   ├── 48.md
│       │   ├── 49.md
│       │   ├── 5.md
│       │   ├── 50.md
│       │   ├── 51.md
│       │   ├── 52.md
│       │   ├── 53.md
│       │   ├── 54.md
│       │   ├── 55.md
│       │   ├── 56.md
│       │   ├── 6.md
│       │   ├── 63.md
│       │   ├── 64.md
│       │   ├── 65.md
│       │   ├── 66.md
│       │   ├── 67.md
│       │   ├── 68.md
│       │   ├── 69.md
│       │   ├── 70.md
│       │   ├── 71.md
│       │   ├── 72.md
│       │   ├── 73.md
│       │   ├── 74.md
│       │   ├── 75.md
│       │   ├── 76.md
│       │   ├── 77.md
│       │   ├── 8.md
│       │   └── 9.md
│       └── fix/
│           ├── 1.md
│           ├── 10.md
│           ├── 11.md
│           ├── 12.md
│           ├── 13.md
│           ├── 14.md
│           ├── 15.md
│           ├── 16.md
│           ├── 17.md
│           ├── 18.md
│           ├── 19.md
│           ├── 2.md
│           ├── 20.md
│           ├── 21.md
│           ├── 22.md
│           ├── 23.md
│           ├── 24.md
│           ├── 25.md
│           ├── 26.md
│           ├── 27.md
│           ├── 28.md
│           ├── 29.md
│           ├── 3.md
│           ├── 30.md
│           ├── 31.md
│           ├── 32.md
│           ├── 33.md
│           ├── 34.md
│           ├── 35.md
│           ├── 36.md
│           ├── 37.md
│           ├── 38.md
│           ├── 39.md
│           ├── 4.md
│           ├── 40.md
│           ├── 41.md
│           ├── 42.md
│           ├── 43.md
│           ├── 44.md
│           ├── 45.md
│           ├── 46.md
│           ├── 47.md
│           ├── 48.md
│           ├── 49.md
│           ├── 5.md
│           ├── 50.md
│           ├── 51.md
│           ├── 52.md
│           ├── 53.md
│           ├── 54.md
│           ├── 55.md
│           ├── 56.md
│           ├── 57.md
│           ├── 6.md
│           ├── 7.md
│           ├── 8.md
│           └── 9.md
├── schema.json
└── tests/
    ├── __init__.py
    ├── requirements.txt
    ├── test_all_json.py
    ├── test_json_spec.py
    ├── test_markdown_refs.py
    ├── test_references.py
    ├── test_schema_compatability.py
    ├── test_valid_markdown.py
    └── vulndb_test.py

================================================
FILE CONTENTS
================================================

================================================
FILE: .circleci/config.yml
================================================
#
#   This file is used to configure the continuous integration for vulndb/data
#
#   As a user you don't need to understand this file.
#
#   CircleCI 2.0 configuration: a single "build" job that installs the test
#   dependencies and runs the nose test-suite found under tests/.
#
version: 2

jobs:
  build:

    docker:
      # NOTE(review): the image is pinned by tag only, not by digest, so the
      # image contents can change underneath the build; Python 2.7 is also
      # end-of-life. Consider a supported interpreter and a digest pin.
      - image: circleci/python:2.7.14

    steps:
      - checkout

      # Install the test dependencies into the user site-packages. The two
      # trailing commands only print the pip version and the resolved package
      # set, which helps when debugging a failed build.
      # NOTE(review): --upgrade pulls the newest release of every requirement
      # at build time unless tests/requirements.txt pins exact versions (not
      # visible here) -- confirm the file is pinned for reproducible runs.
      - run:
          command: |
            pip install --upgrade pip
            pip install --user --upgrade -r tests/requirements.txt
            pip --version
            pip freeze

      # Run the test-suite. The absolute path is used presumably because
      # ~/.local/bin (where --user installs put nosetests) is not on PATH in
      # this image -- TODO confirm.
      - run:
          command: |
            /home/circleci/.local/bin/nosetests -s -v tests/


================================================
FILE: .gitignore
================================================
*.py[cod]
*.py~
*~
*.swp

# C extensions
*.so

# Packages
*.egg
*.egg-info
dist
build
eggs
parts
bin
var
sdist
develop-eggs
.installed.cfg
lib
lib64

# Installer logs
pip-log.txt

# Unit test / coverage reports
.coverage
.tox
nosetests.xml
.noseids
noseids.pickle
nose.cfg

# Translations
*.mo

# Mr Developer
.mr.developer.cfg
.project
.pydevproject
.settings/
.idea

# w3af stuff
parser.out
parsetab.py
output-http.txt
output.txt

# This is generated by the setup_moth.py script
django-moth

# Debugging circleci high memory usage
memory-usage.txt

# Ignore sphinx builds
doc/sphinx/_build/

# 404 test stuff
data.shelve
top-1m.csv
top-1m.csv.zip

# docker build temp files
/.dockerignore
/Dockerfile

# To make testing easier
test.w3af
output-w3af.txt

# Ignore some profiling data
*.dump

# Ignore intermediate XML file
w3af/plugins/crawl/phishtank/index.xml

# For debian package build
.pc/
debian/files
debian/w3af-console.debhelper.log
debian/w3af-console.postinst.debhelper
debian/w3af-console.prerm.debhelper
debian/w3af-console.substvars
debian/w3af-console/
debian/w3af.debhelper.log
debian/w3af.postinst.debhelper
debian/w3af.postrm.debhelper
debian/w3af.prerm.debhelper
debian/w3af.substvars
debian/w3af/
docker/kali-debootstrap
*.deb


================================================
FILE: LICENSE.md
================================================
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

    (1) Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer. 

    (2) Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in
    the documentation and/or other materials provided with the
    distribution.  
    
    (3) The name of the author may not be used to
    endorse or promote products derived from this software without
    specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.


================================================
FILE: README.md
================================================
User, contributor and developer-friendly vulnerability database. Our goal is to
provide a vulnerability database which is:

 * Actionable, easy to read and understand for developers and sysadmins who need
 to fix the vulnerability
 
 * Easy to integrate by developers into any vulnerability scanner, report
 generator, penetration testing or related tool.
 
 * Trivial to contribute to, by using JSON and Markdown to store the vulnerabilities

## SDKs

This repository holds the vulnerability database itself. To make the
information easily accessible from different programming languages, these SDKs
are available:

 * [python-sdk](https://github.com/vulndb/python-sdk)
 * [vulndb-go](https://github.com/vulndb/vulndb-go)
 * [php-sdk](https://github.com/vulndb/php-sdk)

## Projects using this database

 * [w3af](http://www.w3af.org/)
 
## Contributing

We would love to receive your [pull-requests](https://help.github.com/articles/using-pull-requests/)!

The easiest way to contribute is:
 * Browse our repository and find the JSON file you would like to edit
 * Click on the top-right icon in the github UI that will open the online text editor
 * Change the file
 * Save/commit

## Translations
The vulnerability database [supports translations](https://github.com/vulndb/data/wiki/Translations)
and we're happy to add your native language to reach more users.

## Credits

 * JSON format specification by [Andres Riancho](https://github.com/andresriancho/),
   [Tasos Laskos](https://github.com/Zapotek) and [Vyacheslav Bakhmutov](https://github.com/m0sth8)
   
 * Initial data provided by the [Arachni scanner](http://www.arachni-scanner.com/) project

## History

The project founders maintain one or more vulnerability scanners; each of those
tools had a different vulnerability database with different fields, formats,
texts and quality. To reduce our documentation efforts we decided to commoditize
the vulnerability database and created this repository.

At the beginning we tried to use the CWE data, but we found several problems with
it:

 * The target audience for our vulnerability information is too busy to read the
   [long](https://cwe.mitre.org/data/definitions/89.html) descriptions and hundreds
   of fields provided by CWE. We want to provide enough information for users to
   know what's wrong, and point them to more detailed information if that's what
   they need.

 * The XML format storing the CWE data is simply too complex for our needs.

 * Mitre never answered our questions on derivative work

We might still use some paragraphs from the CWE data in our database, but manually
migrated and reviewed for clarity.

It all started with these two github issues ([1](https://github.com/andresriancho/w3af/issues/53),
[2](https://github.com/vulndb/data/issues/5)) and various emails between Slava,
Andres and Tasos.

The initial database information was contributed by the [Arachni scanner](http://www.arachni-scanner.com/)
imported in [this commit](https://github.com/vulndb/data/commit/e27222af21b0569525718f591eaa2c517d4c1da2). 

## Build status

[![Circle CI](https://circleci.com/gh/vulndb/data.svg?style=svg)](https://circleci.com/gh/vulndb/data)


================================================
FILE: db/en/1-allowed-http-methods.json
================================================
{
  "id": 1, 
  "title": "Allowed HTTP methods", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/1"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/39"
    }
  }, 
  "cwe": [
    "749"
  ], 
  "tags": [
    "web", 
    "http", 
    "methods", 
    "options"
  ], 
  "references": [
    {
      "url": "http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept", 
      "title": "Apache.org"
    }
  ]
}

================================================
FILE: db/en/10-common-sensitive-file.json
================================================
{
  "id": 10, 
  "title": "Common sensitive file", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/10"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/10"
    }
  }, 
  "tags": [
    "web", 
    "common", 
    "path", 
    "file", 
    "discovery"
  ], 
  "references": [
    {
      "url": "http://httpd.apache.org/docs/2.0/mod/mod_access.html", 
      "title": "Apache.org"
    }
  ]
}

================================================
FILE: db/en/11-cookie-set-for-parent-domain.json
================================================
{
  "id": 11, 
  "title": "Cookie set for parent domain", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/11"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/40"
    }
  }, 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/12-credit-card-number-disclosure.json
================================================
{
  "id": 12, 
  "title": "Credit card number disclosure", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/12"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/57"
    }
  }, 
  "cwe": [
    "200"
  ], 
  "references": [
    {
      "url": "http://en.wikipedia.org/wiki/Luhn_algorithm", 
      "title": "Wikipedia - Luhn algorithm"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/Bank_card_number", 
      "title": "Wikipedia - Bank card number"
    }
  ]
}

================================================
FILE: db/en/13-cross-site-request-forgery.json
================================================
{
  "id": 13, 
  "title": "Cross-Site Request Forgery", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/13"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/44"
    }
  }, 
  "cwe": [
    "352"
  ], 
  "owasp_top_10": {
    "2013": [
      8
    ]
  }, 
  "tags": [
    "web", 
    "csrf", 
    "form", 
    "token"
  ], 
  "references": [
    {
      "url": "http://www.cgisecurity.com/csrf-faq.html", 
      "title": "CGI Security - CSRF"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/Cross-site_request_forgery", 
      "title": "Wikipedia - CSRF"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)", 
      "title": "OWASP - CSRF"
    }
  ]
}

================================================
FILE: db/en/14-cvs-svn-user-disclosure.json
================================================
{
  "id": 14, 
  "title": "CVS/SVN user disclosure", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/14"
  }, 
  "cwe": [
    "200", 
    "527"
  ], 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/49"
    }
  }
}

================================================
FILE: db/en/15-directory-listing.json
================================================
{
  "id": 15, 
  "title": "Directory listing", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/15"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/41"
    }
  }, 
  "cwe": [
    "548"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "web", 
    "path", 
    "directory", 
    "listing", 
    "index"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246922/Directory%20Indexing", 
      "title": "WASC"
    }
  ]
}

================================================
FILE: db/en/16-e-mail-address-disclosure.json
================================================
{
  "id": 16, 
  "title": "E-mail address disclosure", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/16"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/3"
    }
  }
}

================================================
FILE: db/en/17-file-inclusion.json
================================================
{
  "id": 17, 
  "title": "File Inclusion", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/17"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/13"
    }
  }, 
  "cwe": [
    "98"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "file", 
    "inclusion", 
    "error", 
    "injection"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/PHP_File_Inclusion", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/18-form-based-file-upload.json
================================================
{
  "id": 18, 
  "title": "Form-based File Upload", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/18"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/5"
    }
  }, 
  "tags": [
    "web", 
    "file", 
    "upload"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Unrestricted_File_Upload", 
      "title": "owasp.org"
    }
  ]
}

================================================
FILE: db/en/19-missing-strict-transport-security-header.json
================================================
{
  "id": 19, 
  "title": "Missing 'Strict-Transport-Security' header", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/19"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/48"
    }
  }, 
  "references": [
    {
      "url": "http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security", 
      "title": "Wikipedia - HSTS"
    }, 
    {
      "url": "https://www.owasp.org/index.php/HTTP_Strict_Transport_Security", 
      "title": "OWASP - HSTS"
    }
  ]
}

================================================
FILE: db/en/2-a-backdoor-file-exists-on-the-server.json
================================================
{
  "id": 2, 
  "title": "A backdoor file exists on the server", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/2"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/32"
    }
  }, 
  "cwe": [
    "489"
  ], 
  "tags": [
    "web", 
    "path", 
    "backdoor", 
    "file", 
    "discovery"
  ], 
  "references": [
    {
      "url": "https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf", 
      "title": "Static Detection of Application Backdoors"
    }
  ]
}

================================================
FILE: db/en/20-misconfiguration-in-limit-directive-of-htaccess-file.json
================================================
{
  "id": 20, 
  "title": "Misconfiguration in LIMIT directive of .htaccess file", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/20"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/51"
    }
  }, 
  "tags": [
    "web", 
    "htaccess", 
    "server", 
    "limit"
  ], 
  "references": [
    {
      "url": "http://httpd.apache.org/docs/2.2/mod/core.html#limit", 
      "title": "Apache.org"
    }
  ]
}

================================================
FILE: db/en/21-html-object.json
================================================
{
  "id": 21, 
  "title": "HTML object", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/21"
  }, 
  "fix": {
    "effort": 120, 
    "guidance": {
      "$ref": "#/files/fix/16"
    }
  }
}

================================================
FILE: db/en/22-httponly-cookie.json
================================================
{
  "id": 22, 
  "title": "HttpOnly cookie", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/22"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/30"
    }
  }, 
  "cwe": [
    "87"
  ], 
  "owasp_top_10": {
    "2013": [
      2
    ]
  }, 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/HttpOnly", 
      "title": "HttpOnly - OWASP"
    }
  ]
}

================================================
FILE: db/en/23-publicly-writable-directory.json
================================================
{
  "id": 23, 
  "title": "Publicly writable directory", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/23"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/23"
    }
  }, 
  "tags": [
    "web", 
    "http", 
    "methods", 
    "put", 
    "server"
  ], 
  "references": [
    {
      "url": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", 
      "title": "RFC-2616 document"
    }
  ]
}

================================================
FILE: db/en/24-insecure-client-access-policy.json
================================================
{
  "id": 24, 
  "title": "Insecure client-access policy", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/24"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/36"
    }
  }, 
  "cwe": [
    "346"
  ], 
  "references": [
    {
      "url": "https://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx", 
      "title": "MSDN"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/25-insecure-cookie.json
================================================
{
  "id": 25, 
  "title": "Insecure cookie", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/25"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/26"
    }
  }, 
  "cwe": [
    "614"
  ], 
  "owasp_top_10": {
    "2013": [
      2
    ]
  }, 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/SecureFlag", 
      "title": "SecureFlag - OWASP"
    }
  ]
}

================================================
FILE: db/en/26-access-control-allow-origin-star.json
================================================
{
  "id": 26, 
  "title": "Access-Control-Allow-Origin header set to '*'", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/26"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/45"
    }
  }, 
  "cwe": [
    "346"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny", 
      "title": "CORS security"
    }, 
    {
      "url": "http://www.w3.org/TR/cors/", 
      "title": "CORS W3C Specification"
    }, 
    {
      "url": "https://en.wikipedia.org/wiki/Cross-origin_resource_sharing", 
      "title": "CORS article at Wikipedia"
    }
  ]
}

================================================
FILE: db/en/27-insecure-cross-domain-policy-allow-access-from.json
================================================
{
  "id": 27, 
  "title": "Insecure cross-domain policy", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/27"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/36"
    }
  }, 
  "cwe": [
    "346"
  ], 
  "references": [
    {
      "url": "http://blogs.adobe.com/stateofsecurity/2007/07/crossdomain_policy_files_1.html", 
      "title": "Adobe"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/29-interesting-response.json
================================================
{
  "id": 29, 
  "title": "Interesting response", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/29"
  }, 
  "fix": {
    "effort": 60, 
    "guidance": {
      "$ref": "#/files/fix/7"
    }
  }, 
  "tags": [
    "web", 
    "interesting", 
    "response", 
    "server"
  ], 
  "references": [
    {
      "url": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html", 
      "title": "RFC-2616"
    }
  ]
}

================================================
FILE: db/en/3-backup-directory.json
================================================
{
  "id": 3, 
  "title": "Backup directory", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/3"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/21"
    }
  }, 
  "cwe": [
    "530"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "web", 
    "path", 
    "backup", 
    "file", 
    "discovery"
  ], 
  "references": [
    {
      "url": "http://www.webappsec.org/projects/threat/classes/information_leakage.shtml", 
      "title": "WebAppSec"
    }
  ]
}

================================================
FILE: db/en/30-ldap-injection.json
================================================
{
  "id": 30, 
  "title": "LDAP Injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/30"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/2"
    }
  }, 
  "cwe": [
    "90"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "ldap", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246947/LDAP-Injection", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/LDAP_injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/31-exposed-localstart-asp-page.json
================================================
{
  "id": 31, 
  "title": "Exposed localstart.asp page", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/31"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/38"
    }
  }, 
  "tags": [
    "web", 
    "asp", 
    "iis", 
    "server"
  ]
}

================================================
FILE: db/en/32-mixed-resource.json
================================================
{
  "id": 32, 
  "title": "Mixed Resource", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/32"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/4"
    }
  }, 
  "tags": [
    "web", 
    "unencrypted", 
    "resource", 
    "javascript", 
    "stylesheet"
  ], 
  "references": [
    {
      "url": "http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html", 
      "title": "Google Online Security Blog"
    }
  ]
}

================================================
FILE: db/en/33-nosql-injection.json
================================================
{
  "id": 33, 
  "title": "NoSQL Injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/33"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/6"
    }
  }, 
  "cwe": [
    "89"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "nosql", 
    "injection", 
    "database", 
    "error"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Testing_for_NoSQL_injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/34-blind-nosql-injection-differential-analysis.json
================================================
{
  "id": 34, 
  "title": "Blind NoSQL Injection (differential analysis)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/34"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/6"
    }
  }, 
  "cwe": [
    "89"
  ], 
  "tags": [
    "web", 
    "nosql", 
    "blind", 
    "injection", 
    "database"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Testing_for_NoSQL_injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/35-access-restriction-bypass-via-origin-spoof.json
================================================
{
  "id": 35, 
  "title": "Access restriction bypass via origin spoof", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/35"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/46"
    }
  }, 
  "tags": [
    "web", 
    "access", 
    "restriction", 
    "server", 
    "bypass"
  ]
}

================================================
FILE: db/en/36-operating-system-command-injection.json
================================================
{
  "id": 36, 
  "title": "Operating system command injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/36"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/19"
    }
  }, 
  "cwe": [
    "78"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "os", 
    "command", 
    "code", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246950/OS%20Commanding", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/OS_Command_Injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/38-password-field-with-auto-complete.json
================================================
{
  "id": 38, 
  "title": "Password field with auto-complete", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/38"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/18"
    }
  }, 
  "cwe": [
    "522"
  ], 
  "owasp_top_10": {
    "2013": [
      2
    ]
  }
}

================================================
FILE: db/en/39-path-traversal.json
================================================
{
  "id": 39, 
  "title": "Path Traversal", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/39"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/13"
    }
  }, 
  "cwe": [
    "22"
  ], 
  "owasp_top_10": {
    "2013": [
      4
    ]
  }, 
  "tags": [
    "web", 
    "path", 
    "traversal", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/Path-Traversal", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Path_Traversal", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/4-backup-file.json
================================================
{
  "id": 4, 
  "title": "Backup file", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/4"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/21"
    }
  }, 
  "cwe": [
    "530"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "web", 
    "path", 
    "backup", 
    "file", 
    "discovery"
  ], 
  "references": [
    {
      "url": "http://www.webappsec.org/projects/threat/classes/information_leakage.shtml", 
      "title": "WebAppSec"
    }
  ]
}

================================================
FILE: db/en/40-private-ip-address-disclosure.json
================================================
{
  "id": 40, 
  "title": "Private IP address disclosure", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/40"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/22"
    }
  }, 
  "cwe": [
    "200"
  ], 
  "owasp_top_10": {
    "2013": [
      6
    ]
  }, 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage", 
      "title": "WebAppSec"
    }
  ]
}

================================================
FILE: db/en/41-response-splitting.json
================================================
{
  "id": 41, 
  "title": "Response Splitting", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/41"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/11"
    }
  }, 
  "tags": [
    "web", 
    "response", 
    "splitting", 
    "injection", 
    "header"
  ], 
  "cwe": [
    "98"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "references": [
    {
      "url": "http://www.securiteam.com/securityreviews/5WP0E2KFGK.html", 
      "title": "SecuriTeam"
    }, 
    {
      "url": "https://www.owasp.org/index.php/HTTP_Response_Splitting", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/42-remote-file-inclusion.json
================================================
{
  "id": 42, 
  "title": "Remote File Inclusion", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/42"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/13"
    }
  }, 
  "cwe": [
    "98"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "remote", 
    "file", 
    "inclusion", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/Remote-File-Inclusion", 
      "title": "WASC"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/Remote_File_Inclusion", 
      "title": "Wikipedia"
    }
  ]
}

================================================
FILE: db/en/43-session-fixation.json
================================================
{
  "id": 43, 
  "title": "Session fixation", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/43"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/15"
    }
  }, 
  "cwe": [
    "384"
  ], 
  "owasp_top_10": {
    "2013": [
      2
    ]
  }, 
  "tags": [
    "web", 
    "session", 
    "cookie", 
    "injection", 
    "fixation", 
    "hijacking"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246960/Session%20Fixation", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Session_fixation", 
      "title": "OWASP - Session fixation"
    }
  ]
}

================================================
FILE: db/en/44-source-code-disclosure.json
================================================
{
  "id": 44, 
  "title": "Source code disclosure", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/44"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/56"
    }
  }, 
  "cwe": [
    "200", 
    "548"
  ], 
  "owasp_top_10": {
    "2013": [
      6
    ]
  }, 
  "tags": [
    "web", 
    "code", 
    "source", 
    "file", 
    "inclusion", 
    "disclosure"
  ]
}

================================================
FILE: db/en/45-sql-injection.json
================================================
{
  "id": 45, 
  "title": "SQL Injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/45"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/1"
    }
  }, 
  "cwe": [
    "89"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "sql", 
    "injection", 
    "database", 
    "error"
  ], 
  "references": [
    {
      "url": "http://www.securiteam.com/securityreviews/5DP0N1P76E.html", 
      "title": "SecuriTeam"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/SQL_injection", 
      "title": "Wikipedia"
    }, 
    {
      "url": "https://www.owasp.org/index.php/SQL_Injection", 
      "title": "OWASP"
    }, 
    {
      "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 
      "title": "WASC"
    }, 
    {
      "url": "http://www.w3schools.com/sql/sql_injection.asp", 
      "title": "W3 Schools"
    }, 
    {
      "url": "http://unixwiz.net/techtips/sql-injection.html", 
      "title": "UnixWiz"
    }
  ]
}

================================================
FILE: db/en/46-blind-sql-injection.json
================================================
{
  "id": 46, 
  "title": "Blind SQL Injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/46"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/1"
    }
  }, 
  "cwe": [
    "89"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "sql", 
    "blind", 
    "injection", 
    "database"
  ], 
  "references": [
    {
      "url": "http://capec.mitre.org/data/definitions/7.html", 
      "title": "MITRE - CAPEC"
    }, 
    {
      "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 
      "title": "WASC"
    }, 
    {
      "url": "http://www.w3schools.com/sql/sql_injection.asp", 
      "title": "W3 Schools"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Blind_SQL_Injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/47-blind-sql-injection-timing-attack.json
================================================
{
  "id": 47, 
  "title": "Blind SQL Injection (timing attack)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/47"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/1"
    }
  }, 
  "tags": [
    "web", 
    "sql", 
    "blind", 
    "injection", 
    "database"
  ], 
  "references": [
    {
      "url": "http://capec.mitre.org/data/definitions/7.html", 
      "title": "MITRE - CAPEC"
    }, 
    {
      "url": "http://projects.webappsec.org/w/page/13246963/SQL%20Injection", 
      "title": "WASC"
    }, 
    {
      "url": "http://www.w3schools.com/sql/sql_injection.asp", 
      "title": "W3 Schools"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Blind_SQL_Injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/48-disclosed-us-social-security-number-ssn.json
================================================
{
  "id": 48, 
  "title": "Disclosed US Social Security Number (SSN)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/48"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/28"
    }
  }, 
  "cwe": [
    "213"
  ], 
  "references": [
    {
      "url": "http://www.ssa.gov/pubs/10064.html", 
      "title": "ssa.gov"
    }
  ]
}

================================================
FILE: db/en/49-unencrypted-password-form.json
================================================
{
  "id": 49, 
  "title": "Unencrypted password form", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/49"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/8"
    }
  }, 
  "cwe": [
    "319"
  ], 
  "tags": [
    "web", 
    "unencrypted", 
    "password", 
    "form"
  ], 
  "references": [
    {
      "url": "http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection", 
      "title": "OWASP Top 10 2010"
    }
  ]
}

================================================
FILE: db/en/5-captcha-protected-form.json
================================================
{
  "id": 5, 
  "title": "CAPTCHA protected form", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/5"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/37"
    }
  }
}

================================================
FILE: db/en/50-unvalidated-redirect.json
================================================
{
  "id": 50, 
  "title": "Unvalidated redirect", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/50"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/29"
    }
  }, 
  "cwe": [
    "601"
  ], 
  "owasp_top_10": {
    "2013": [
      10
    ]
  }, 
  "tags": [
    "web", 
    "unvalidated", 
    "redirect", 
    "injection", 
    "header", 
    "location"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards", 
      "title": "OWASP Top 10 2010"
    }
  ]
}

================================================
FILE: db/en/51-unvalidated-dom-redirect.json
================================================
{
  "id": 51, 
  "title": "Unvalidated DOM redirect", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/51"
  }, 
  "cwe": [
    "601"
  ], 
  "owasp_top_10": {
    "2013": [
      10
    ]
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/29"
    }
  }, 
  "tags": [
    "web", 
    "unvalidated", 
    "redirect", 
    "dom", 
    "injection"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards", 
      "title": "OWASP Top 10 2010"
    }
  ]
}

================================================
FILE: db/en/52-webdav.json
================================================
{
  "id": 52, 
  "title": "WebDAV", 
  "severity": "informational", 
  "description": {
    "$ref": "#/files/description/52"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/52"
    }
  }, 
  "tags": [
    "web", 
    "webdav", 
    "options", 
    "methods", 
    "server"
  ], 
  "references": [
    {
      "url": "https://tools.ietf.org/html/rfc4918",
      "title": "WebDAV.org"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/WebDAV", 
      "title": "Wikipedia"
    }
  ]
}

================================================
FILE: db/en/53-missing-x-frame-options-header.json
================================================
{
  "id": 53, 
  "title": "Missing 'X-Frame-Options' header", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/53"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/17"
    }
  }, 
  "references": [
    {
      "url": "http://tools.ietf.org/html/rfc7034", 
      "title": "RFC-7034"
    }, 
    {
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options", 
      "title": "Mozilla developer network"
    }, 
    {
      "url": "https://www.owasp.org/index.php/Clickjacking", 
      "title": "OWASP Clickjacking document"
    }
  ]
}

================================================
FILE: db/en/54-xpath-injection.json
================================================
{
  "id": 54, 
  "title": "XPath Injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/54"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/24"
    }
  }, 
  "cwe": [
    "91", 
    "643"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "xpath", 
    "database", 
    "error", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13247005/XPath%20Injection", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/XPATH_Injection", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/55-cross-site-scripting-xss.json
================================================
{
  "id": 55, 
  "title": "Reflected Cross-Site Scripting (XSS)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/55"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/20"
    }
  }, 
  "cwe": [
    "79"
  ], 
  "owasp_top_10": {
    "2013": [
      3
    ]
  }, 
  "tags": [
    "web", 
    "xss", 
    "injection", 
    "script"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 
      "title": "WASC"
    }, 
    {
      "url": "http://secunia.com/advisories/9716/", 
      "title": "Secunia"
    }, 
    {
      "url": "https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/56-dom-based-cross-site-scripting-xss.json
================================================
{
  "id": 56, 
  "title": "DOM-based Cross-Site Scripting (XSS)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/56"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/9"
    }
  }, 
  "cwe": [
    "79"
  ], 
  "owasp_top_10": {
    "2013": [
      3
    ]
  }, 
  "tags": [
    "web", 
    "xss", 
    "dom", 
    "injection", 
    "script"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 
      "title": "WASC"
    }, 
    {
      "url": "https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet", 
      "title": "OWASP - Prevention"
    }, 
    {
      "url": "https://www.owasp.org/index.php/DOM_Based_XSS", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/6-code-injection.json
================================================
{
  "id": 6, 
  "title": "Code injection", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/6"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/47"
    }
  }, 
  "cwe": [
    "94", 
    "95"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "code", 
    "injection"
  ], 
  "references": [
    {
      "url": "http://docs.python.org/py3k/library/functions.html#eval", 
      "title": "Python eval documentation"
    }, 
    {
      "url": "http://www.aspdev.org/asp/asp-eval-execute/", 
      "title": "ASP eval documentation"
    }, 
    {
      "url": "http://php.net/manual/en/function.eval.php", 
      "title": "PHP eval documentation"
    }, 
    {
      "url": "http://perldoc.perl.org/functions/eval.html", 
      "title": "Perl eval documentation"
    }
  ]
}

================================================
FILE: db/en/63-http-trace.json
================================================
{
  "id": 63, 
  "title": "HTTP TRACE", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/63"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/25"
    }
  }, 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "web", 
    "xst", 
    "methods", 
    "trace", 
    "server"
  ], 
  "references": [
    {
      "url": "http://capec.mitre.org/data/definitions/107.html", 
      "title": "CAPEC"
    }, 
    {
      "url": "http://www.owasp.org/index.php/Cross_Site_Tracing", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/64-xml-external-entity.json
================================================
{
  "id": 64, 
  "title": "XML External Entity", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/64"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/43"
    }
  }, 
  "cwe": [
    "611"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/65-arbitrary-file-upload.json
================================================
{
  "id": 65, 
  "title": "Unrestricted file upload", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/65"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/5"
    }
  }, 
  "tags": [
    "web", 
    "file", 
    "upload"
  ], 
  "cwe": [
    "434"
  ], 
  "owasp_top_10": {
    "2013": [
      4
    ]
  }, 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Unrestricted_File_Upload", 
      "title": "owasp.org"
    }
  ]
}

================================================
FILE: db/en/66-insecure-ssl-version.json
================================================
{
  "id": 66, 
  "title": "Insecure SSL version enabled", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/66"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/34"
    }
  }, 
  "tags": [
    "web", 
    "ssl"
  ], 
  "cwe": [
    "326"
  ], 
  "owasp_top_10": {
    "2010": [
      9
    ]
  }, 
  "references": [
    {
      "url": "https://support.microsoft.com/en-us/kb/187498", 
      "title": "How to Disable SSL 2.0 in IIS"
    }
  ]
}

================================================
FILE: db/en/67-self-signed-ssl-certificate.json
================================================
{
  "id": 67, 
  "title": "Self-signed TLS/SSL certificate", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/67"
  }, 
  "fix": {
    "effort": 60, 
    "guidance": {
      "$ref": "#/files/fix/12"
    }
  }, 
  "cwe": [
    "296"
  ], 
  "tags": [
    "web", 
    "unencrypted", 
    "tls", 
    "ssl"
  ], 
  "references": [
    {
      "url": "https://en.wikipedia.org/wiki/Self-signed_certificate", 
      "title": "Wikipedia article on self-signed certificates"
    }
  ]
}

================================================
FILE: db/en/68-shellshock.json
================================================
{
  "id": 68, 
  "title": "ShellShock", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/68"
  }, 
  "fix": {
    "effort": 60, 
    "guidance": {
      "$ref": "#/files/fix/33"
    }
  }, 
  "tags": [
    "web", 
    "bash", 
    "shellshock"
  ], 
  "references": [
    {
      "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271", 
      "title": "CVE-2014-6271"
    }, 
    {
      "url": "https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29", 
      "title": "Wikipedia article for Shellshock"
    }
  ]
}

================================================
FILE: db/en/69-insecure-frontpage-configuration.json
================================================
{
  "id": 69, 
  "title": "Insecure Frontpage extensions configuration", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/69"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/31"
    }
  }, 
  "tags": [
    "web", 
    "windows", 
    "frontpage"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "references": [
    {
      "url": "https://msdn.microsoft.com/en-us/library/bb742372.aspx", 
      "title": "Configuring FrontPage Server Extensions"
    }
  ]
}

================================================
FILE: db/en/70-persistent-xss.json
================================================
{
  "id": 70, 
  "title": "Persistent Cross-Site Scripting (XSS)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/70"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/20"
    }
  }, 
  "cwe": [
    "79"
  ], 
  "owasp_top_10": {
    "2013": [
      3
    ]
  }, 
  "tags": [
    "web", 
    "xss", 
    "persistent", 
    "script"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting", 
      "title": "WASC"
    }, 
    {
      "url": "http://secunia.com/advisories/9716/", 
      "title": "Secunia"
    }, 
    {
      "url": "https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet", 
      "title": "OWASP"
    }
  ]
}

================================================
FILE: db/en/71-reflected-file-download.json
================================================
{
  "id": 71, 
  "title": "Reflected File Download", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/71"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/27"
    }
  }, 
  "cwe": [
    "79"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "tags": [
    "web", 
    "rfd", 
    "reflected"
  ], 
  "references": [
    {
      "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/", 
      "title": "Reflected File Download - A New Web Attack Vector"
    }
  ]
}

================================================
FILE: db/en/72-cache-control-headers.json
================================================
{
  "id": 72, 
  "title": "Insecure or no Cache-Control header", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/72"
  }, 
  "fix": {
    "effort": 10, 
    "guidance": {
      "$ref": "#/files/fix/50"
    }
  }, 
  "cwe": [
    "524", 
    "525"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "web", 
    "browser", 
    "cache", 
    "session"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching", 
      "title": "Session Management Cheat Sheet"
    }
  ]
}

================================================
FILE: db/en/73-information-leak-stack-trace.json
================================================
{
  "id": 73, 
  "title": "Application error message", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/73"
  }, 
  "fix": {
    "effort": 60, 
    "guidance": {
      "$ref": "#/files/fix/42"
    }
  }, 
  "cwe": [
    "200"
  ], 
  "owasp_top_10": {
    "2013": [
      6
    ]
  }, 
  "tags": [
    "web", 
    "error", 
    "information leak"
  ], 
  "references": [
    {
      "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage", 
      "title": "WASC threat classification"
    }
  ]
}

================================================
FILE: db/en/74-phishing-vector.json
================================================
{
  "id": 74, 
  "title": "Phishing vector", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/74"
  }, 
  "fix": {
    "effort": 30, 
    "guidance": {
      "$ref": "#/files/fix/35"
    }
  }, 
  "cwe": [
    "451"
  ], 
  "tags": [
    "web", 
    "phishing"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Phishing", 
      "title": "Phishing - OWASP"
    }
  ]
}

================================================
FILE: db/en/75-guessable-credentials.json
================================================
{
  "id": 75, 
  "title": "Guessable credentials", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/75"
  }, 
  "fix": {
    "effort": 40, 
    "guidance": {
      "$ref": "#/files/fix/54"
    }
  }, 
  "cwe": [
    "522"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "tags": [
    "guessable", 
    "credentials", 
    "weak", 
    "predictable"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)", 
      "title": "OWASP Reference"
    }
  ]
}

================================================
FILE: db/en/76-x-content-type-options_header_missing.json
================================================
{
  "id": 76, 
  "title": "X-Content-Type-Options header missing", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/76"
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/53"
    }
  }, 
  "cwe": [], 
  "owasp_top_10": {
    "2013": [
      7
    ]
  }, 
  "tags": [
    "content", 
    "sniffing", 
    "missing", 
    "header"
  ], 
  "references": [
    {
      "url": "https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx", 
      "title": "Reducing MIME type security risks"
    }
  ]
}

================================================
FILE: db/en/77-http-basic-authentication-credentials.json
================================================
{
  "id": 77, 
  "title": "HTTP Basic Authentication credentials", 
  "severity": "low", 
  "description": {
    "$ref": "#/files/description/77"
  }, 
  "fix": {
    "effort": 60, 
    "guidance": {
      "$ref": "#/files/fix/14"
    }
  }, 
  "cwe": [
    "311"
  ], 
  "owasp_top_10": {
    "2013": [
      2
    ]
  }, 
  "tags": [
    "basic", 
    "authentication", 
    "clear-text", 
    "base64"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Weak_Authentication_Methods", 
      "title": "OWASP Weak Authentication Methods"
    }
  ]
}

================================================
FILE: db/en/8-code-injection.json
================================================
{
  "id": 8, 
  "title": "Code injection (timing attack)", 
  "severity": "high", 
  "description": {
    "$ref": "#/files/description/8"
  }, 
  "cwe": [
    "95"
  ], 
  "owasp_top_10": {
    "2013": [
      1
    ]
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/47"
    }
  }, 
  "tags": [
    "web", 
    "code", 
    "injection", 
    "blind"
  ], 
  "references": [
    {
      "url": "http://docs.python.org/py3k/library/functions.html#eval", 
      "title": "Python eval documentation"
    }, 
    {
      "url": "http://www.aspdev.org/asp/asp-eval-execute/", 
      "title": "ASP eval documentation"
    }, 
    {
      "url": "http://en.wikipedia.org/wiki/Eval#Ruby", 
      "title": "Ruby eval documentation"
    }, 
    {
      "url": "http://php.net/manual/en/function.eval.php", 
      "title": "PHP eval documentation"
    }, 
    {
      "url": "http://perldoc.perl.org/functions/eval.html", 
      "title": "Perl eval documentation"
    }
  ]
}

================================================
FILE: db/en/9-common-directory.json
================================================
{
  "id": 9, 
  "title": "Common directory", 
  "severity": "medium", 
  "description": {
    "$ref": "#/files/description/9"
  }, 
  "cwe": [
    "538"
  ], 
  "owasp_top_10": {
    "2013": [
      5
    ]
  }, 
  "fix": {
    "effort": 50, 
    "guidance": {
      "$ref": "#/files/fix/55"
    }
  }, 
  "tags": [
    "web", 
    "path", 
    "directory", 
    "common", 
    "discovery"
  ], 
  "references": [
    {
      "url": "https://www.owasp.org/index.php/Forced_browsing", 
      "title": "OWASP - Forced browsing"
    }
  ]
}

================================================
FILE: db/en/description/1.md
================================================
There are a number of HTTP methods that can be used on a webserver
(`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` etc.). Each of
these methods performs a different function and each has an associated
level of risk when its use is permitted on the webserver.

A client
can use the `OPTIONS` method within a request to query a server to
determine which methods are allowed.

Cyber-criminals will almost
always perform this simple test as it will give a very quick
indication of any high-risk methods being permitted by the server.
The tool discovered that several methods are supported by the server.

================================================
FILE: db/en/description/10.md
================================================
Web applications are often made up of multiple files and directories.
It is possible that over time some files may become unreferenced
(unused) by the web application and forgotten about by the
administrator/developer. Because web applications are built using
common frameworks, they contain common files that can be discovered
(independently of the server).

During the initial recon stages of an
attack, cyber-criminals will attempt to locate unreferenced files in
the hope that the file will assist in further compromise of the web
application. To achieve this they will make thousands of requests
using word lists containing common filenames. The response headers
from the server will then indicate if the file exists.

The tool also
contains a list of common file names which it will attempt to access.

================================================
FILE: db/en/description/11.md
================================================
HTTP by itself is a stateless protocol. Therefore the server is unable
to determine which requests are performed by which client, and which
clients are authenticated or unauthenticated.

The use of HTTP cookies
within the headers allows a web server to identify each individual
client and can therefore distinguish which clients hold valid
authentication from those that do not. These are known as session
cookies.

When a cookie is set by the server (sent in the header of an
HTTP response) there are several flags that can be set to configure
the properties of the cookie and how it is to be handled by the
browser.

One of these flags represents the host, or domain, for which
the cookie can be used.

When the cookie is set for the parent domain,
rather than the host, this could indicate that the same cookie could
be used to access other hosts within that domain. While there are many
legitimate reasons for this, it could also be misconfiguration
expanding the possible surface of attacks.

================================================
FILE: db/en/description/12.md
================================================
Credit card numbers are used in applications where a user is able to
purchase goods and/or services.

A credit card number is a sensitive
piece of information and should be handled as such. Cyber-criminals
will use various methods to attempt to compromise credit card
information that can then be used for fraudulent purposes.

Through
the use of regular expressions and CC number format validation,
it was possible to discover a credit card number located within the
affected page.

================================================
FILE: db/en/description/13.md
================================================
In the majority of today's web applications, clients are required to
submit forms which can perform sensitive operations.

An example of
such a form being used would be when an administrator wishes to create
a new user for the application.

In the simplest version of the form,
the administrator would fill in:

* Name
* Password
* Role (level of access)

Continuing with this example, Cross Site Request Forgery
(CSRF) would occur when the administrator is tricked into clicking on
a link, which if logged into the application, would automatically
submit the form without any further interaction.

Cyber-criminals will
look for sites where sensitive functions are performed in this manner
and then craft malicious requests that will be used against clients
via a social engineering attack.

There are 3 things that are required
for a CSRF attack to occur:

1. The form must perform some sort of sensitive action.
2. The victim (the administrator in the example above) must have an active session.
3. Most importantly, all parameter values must be **known** or **guessable**.

The tool discovered that all
parameters within the form were known or predictable and therefore the
form could be vulnerable to CSRF.

_Manual verification may be
required to check whether the submission will then perform a sensitive
action, such as reset a password, modify user profiles, post content
on a forum, etc._

================================================
FILE: db/en/description/14.md
================================================
Concurrent Version System (CVS) and Subversion (SVN) provide a method
for application developers to control different versions of their
code.

Occasionally, the developer's version or user information can
be stored incorrectly within the code and may be visible to the end
user (either in the HTML or code comments). As one of the initial
steps in information gathering, cyber-criminals will spider a website
and using automated methods attempt to discover any CVS/SVN
information that may be present in the page.

This will aid them in
developing a better understanding of the deployed application
(potentially through the disclosure of version information), or it may
assist in further information gathering or social engineering attacks.
Using the same automated methods, the tool was able to detect CVS or
SVN details stored within the affected page.

================================================
FILE: db/en/description/15.md
================================================
Web servers permitting directory listing are typically used for
sharing files.

Directory listing allows the client to view a simple
list of all the files and folders hosted on the web server. The client
is then able to traverse each directory and download the files.
Cyber-criminals will utilise the presence of directory listing to
discover sensitive files, download protected content, or even just
learn how the web application is structured.

The tool discovered that
the affected page permits directory listing.

================================================
FILE: db/en/description/16.md
================================================
Email addresses are typically found on "Contact us" pages, however,
they can also be found within scripts or code comments of the
application. They are used to provide a legitimate means of contacting
an organisation.

As one of the initial steps in information
gathering, cyber-criminals will spider a website and using automated
methods collect as many email addresses as possible, that they may
then use in a social engineering attack.

Using the same automated
methods, the tool was able to detect one or more email addresses that
were stored within the affected page.

================================================
FILE: db/en/description/17.md
================================================
Web applications occasionally use parameter values to store the
location of a file which will later be required by the server.

An
example of this is often seen in error pages, where the actual file
path for the error page is stored in a parameter value -- for example
`example.com/error.php?page=404.php`.

A file inclusion occurs when
the parameter value (i.e. the path to the file) can be substituted with the
path of another resource on the same server, effectively allowing the
display of arbitrary, and possibly restricted/sensitive, files.
The tool discovered that it was possible to substitute a parameter
value with another resource and have the server return the contents of
the resource to the client within the response.

================================================
FILE: db/en/description/18.md
================================================
The design of many web applications requires that users be able to
upload files that will either be stored or processed by the receiving
web server.

The tool has flagged this not as a vulnerability, but as a
prompt for the penetration tester to conduct further manual testing on
the file upload function.

An insecure form-based file upload could
allow a cyber-criminal a means to abuse and successfully exploit the
server directly, and/or any third party that may later access the
file. This can occur through uploading a file containing server
side-code (such as PHP) that is then executed when requested by the
client.

================================================
FILE: db/en/description/19.md
================================================
The HTTP protocol by itself is clear text, meaning that any data that
is transmitted via HTTP can be captured and the contents viewed. To
keep data private and prevent it from being intercepted, HTTP is often
tunnelled through either Secure Sockets Layer (SSL) or Transport Layer
Security (TLS). When either of these encryption standards is used, it
is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an
optional response header that can be configured on the server to
instruct the browser to only communicate via HTTPS. This will be
enforced by the browser even if the user requests a HTTP resource on
the same server.

Cyber-criminals will often attempt to compromise
sensitive information passed from the client to the server using HTTP.
This can be conducted via various Man-in-The-Middle (MiTM) attacks or
through network packet captures.

The tool discovered that the affected
application is using HTTPS however does not use the HSTS header.

================================================
FILE: db/en/description/2.md
================================================
If a server has been previously compromised, there is a high
probability that the cyber-criminal has installed a backdoor so that
they can easily return to the server if required. One method of
achieving this is to place a web backdoor or web shell within the web
root of the web server. This will then enable the cyber-criminal to
access the server through a HTTP/S session.

Although extremely bad
practice, it is possible that the web backdoor or web shell has been
placed there by an administrator so they can perform administrative
activities remotely.

During the initial recon stages of an attack,
cyber-criminals will attempt to locate these web backdoors or shells
by requesting the names of the most common and well known ones.

By
analysing the response, they are able to determine if a web backdoor
or web shell exists. These web backdoors or web shells can then
provide an easy path for further compromise of the server.

By
utilising the same methods as the cyber-criminals, the tool was able to
discover a possible web backdoor or web shell.

================================================
FILE: db/en/description/20.md
================================================
There are a number of HTTP methods that can be used on a webserver
(for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` etc.).
Each of these methods performs a different function, and each has an
associated level of risk when its use is permitted on the webserver.
The `<Limit>` directive within Apache's `.htaccess` file allows
administrators to define which of the methods they would like to
block. However, as this is a blacklisting approach, it is inevitable
that a server administrator may accidentally miss adding certain HTTP
methods to be blocked, thus increasing the level of risk to the
application and/or server.

================================================
FILE: db/en/description/21.md
================================================
Most automated tools are not able to analyze the security of client-side
technologies such as Flash and Java applets. This informational finding
serves as a heads-up to the information security specialist to review
the objects in question using a different method.

================================================
FILE: db/en/description/22.md
================================================
HTTP by itself is a stateless protocol. Therefore the server is unable
to determine which requests are performed by which client, and which
clients are authenticated or unauthenticated.

The use of HTTP cookies
within the headers allows a web server to identify each individual
client and can therefore distinguish which clients hold valid
authentication from those that do not. These are known as session
cookies.

When a cookie is set by the server (sent in the header of an
HTTP response) there are several flags that can be set to configure
the properties of the cookie and how it is to be handled by the
browser.

The `HttpOnly` flag assists in the prevention of client
side-scripts (such as JavaScript) accessing and using the cookie.
This can help prevent XSS attacks targeting the cookies holding the
client's session token (setting the `HttpOnly` flag does not prevent,
nor safeguard against XSS vulnerabilities themselves).

================================================
FILE: db/en/description/23.md
================================================
There are various methods in which a file (or files) may be uploaded
to a webserver. One method that can be used is the HTTP `PUT` method.
The `PUT` method is mainly used during development of applications and
allows developers to upload (or put) files on the server within the
web root.

By nature of the design, the `PUT` method typically does
not provide any filtering and therefore allows server-side executable
code (PHP, ASP, etc.) to be uploaded to the server.

Cyber-criminals
will search for servers supporting the `PUT` method with the intention
of modifying existing pages, or uploading web shells to take control
of the server.

The tool has discovered that the affected path allows
clients to use the `PUT` method. During this test, the tool has `PUT` a
file on the server within the web root and successfully performed a
`GET` request to its location and verified the contents.

================================================
FILE: db/en/description/24.md
================================================
The browser security model normally prevents web content from one
domain from accessing data from another domain. This is commonly known
as the "same origin policy".

URL policy files grant cross-domain
permissions for reading data. They permit operations that are not
permitted by default. The URL policy file for Silverlight is located,
by default, in the root directory of the target server, with the name
`ClientAccessPolicy.xml` (for example, at
`www.example.com/ClientAccessPolicy.xml`).

When a domain is specified
in `ClientAccessPolicy.xml`, the site declares that it is willing to
allow the operators of any servers in that domain to obtain any
document on the server where the policy file resides.

The
`ClientAccessPolicy.xml` file deployed on this website opens the
server to all domains (use of a single asterisk "*" as a pure wildcard
is supported).

================================================
FILE: db/en/description/25.md
================================================
HTTP by itself is a stateless protocol. Therefore the server is unable
to determine which requests are performed by which client, and which
clients are authenticated or unauthenticated.

The use of HTTP cookies
within the headers allows a web server to identify each individual
client and can therefore distinguish which clients hold valid
authentication from those that do not. These are known as session
cookies.

When a cookie is set by the server (sent in the header of an
HTTP response) there are several flags that can be set to configure
the properties of the cookie and how it is to be handled by the
browser.

One of these flags is known as the `secure` flag. When the
secure flag is set, the browser will prevent it from being sent over a
clear text channel (HTTP) and only allow it to be sent when an
encrypted channel is used (HTTPS).

The tool discovered that a cookie
was set by the server without the secure flag being set. Although the
initial setting of this cookie was via an HTTPS connection, any HTTP
link to the same server will result in the cookie being sent in clear
text.

================================================
FILE: db/en/description/26.md
================================================
Cross-Origin Resource Sharing (CORS) is one of the new HTML5
technologies which is widely implemented to create Web2.0 applications.
CORS allows the browser to perform HTTP requests to a domain outside
the Same-Origin Policy and access the response body. This feature is
secured by a new set of HTTP headers, with `Access-Control-Allow-Origin`
being one of the most important ones.



It was possible to identify an HTTP response which contained the
`Access-Control-Allow-Origin` header value set to '*', which allows any
third-party domain to perform requests and read the responses.
While this configuration is not a vulnerability per-se, it's only
recommended for sites which provide information that's public such as
weather or stock prices.

================================================
FILE: db/en/description/27.md
================================================
The browser security model normally prevents web content from one
domain from accessing data from another domain. This is commonly known
as the "same origin policy".

URL policy files grant cross-domain
permissions for reading data. They permit operations that are not
permitted by default. The URL policy file for Silverlight is located,
by default, in the root directory of the target server, with the name
`crossdomain.xml` (for example, at `www.example.com/crossdomain.xml`).
When a domain is specified in `crossdomain.xml`, the site declares
that it is willing to allow the operators of any servers in that
domain to obtain any document on the server where the policy file
resides.

The `crossdomain.xml` file deployed on this website opens
the server to all domains (use of a single asterisk "*" as a pure
wildcard is supported).

================================================
FILE: db/en/description/29.md
================================================
The server responded with an unusual HTTP status code. This is a non-issue;
however, exotic HTTP response status codes can provide useful insights
into the behavior of the web application and assist with the information
security analysis.

================================================
FILE: db/en/description/3.md
================================================
A common practice when administering web applications is to create a
copy/backup of a particular directory prior to making any
modification. Another common practice is to add an extension or change
the name of the original directory to signify that it is a backup
(examples include `.bak`, `.orig`, `.backup`, etc.).

During the
initial recon stages of an attack, cyber-criminals will attempt to
locate backup directories by adding common extensions onto directories
already discovered on the webserver. By analysing the response headers
from the server they are able to determine if a backup directory
exists. These backup directories can then assist in the compromise of
the web application.

By utilising the same method, the tool was able
to discover a possible backup directory.

================================================
FILE: db/en/description/30.md
================================================
Lightweight Directory Access Protocol (LDAP) is used by web
applications to access and maintain directory information services.
One of the most common uses for LDAP is to provide a Single-Sign-On
(SSO) service that will allow clients to authenticate with a web site
without any interaction (assuming their credentials have been
validated by the SSO provider).

LDAP injection occurs when untrusted
data is used by the web application to query the LDAP directory
without prior sanitisation.

This is a serious security risk, as it
could allow cyber-criminals the ability to query, modify, or remove
anything from the LDAP tree. It could also allow other advanced
injection techniques that perform other more serious attacks.

The tool
was able to detect a page that is vulnerable to LDAP injection based
on known error messages.

================================================
FILE: db/en/description/31.md
================================================
To restrict access to specific pages on a webserver, developers can
implement various methods of authentication, therefore only allowing
access to clients with valid credentials. There are several forms of
authentication that can be used. The simplest forms of authentication
are known as 'Basic' and 'Basic Realm'. These methods of
authentication have several known weaknesses such as being susceptible
to brute force attacks.

Additionally, when utilising the NTLM
mechanism in a windows environment, several disclosures of information
exist, and any brute force attack occurs against the server's local
users, or domain users if the web server is a domain member.
Cyber-criminals will attempt to locate protected pages to gain access
to them and also perform brute force attacks to discover valid
credentials.

The tool discovered the following page requires NTLM
based basic authentication in order to be accessed.

================================================
FILE: db/en/description/32.md
================================================
The HTTP protocol by itself is clear text, meaning that any data that
is transmitted via HTTP can be captured and the contents viewed. To
keep data private and prevent it from being intercepted, HTTP is often
tunnelled through either a Secure Sockets Layer (SSL), or Transport
Layer Security (TLS) connection. When either of these encryption
standards is used, it is referred to as HTTPS.

Cyber-criminals will
often attempt to compromise sensitive information passed from the
client to the server using HTTP. This can be conducted via various
different Man-in-The-Middle (MiTM) attacks or through network packet
captures.

The tool discovered that the affected site is utilising both
HTTP and HTTPS. While the HTML code is served over HTTPS, the server
is also serving resources over an unencrypted channel, which can lead
to the compromise of data, while providing a false sense of security
to the user.

================================================
FILE: db/en/description/33.md
================================================
A NoSQL injection occurs when a value originating from the client's
request is used within a NoSQL call without prior sanitisation.

This
can allow cyber-criminals to execute arbitrary NoSQL code and thus
steal data, or use the additional functionality of the database server
to take control of further server components.

The tool discovered that
the affected page and parameter are vulnerable. This injection was
detected as the tool was able to discover known error messages within
the server's response.

================================================
FILE: db/en/description/34.md
================================================
A NoSQL injection occurs when a value originating from the client's
request is used within a NoSQL call without prior sanitisation.

This
can allow cyber-criminals to execute arbitrary NoSQL code and thus
steal data, or use the additional functionality of the database server
to take control of further server components.

The tool discovered that
the affected page and parameter are vulnerable. This injection was
detected as the tool was able to inject specific NoSQL queries that if
vulnerable result in the responses for each injection being different.
This is known as a blind NoSQL injection vulnerability.

================================================
FILE: db/en/description/35.md
================================================
Origin headers are utilised by proxies and/or load balancers to track
the originating IP address of the client.

As the request progresses
through a proxy, the origin header is added to the existing headers,
and the value of the client's IP is then set within this header.
Occasionally, poorly implemented access restrictions are based off of
the originating IP address alone.

For example, any public IP address
may be forced to authenticate, while an internal IP address may not.
Because this header can also be set by the client, it allows
cyber-criminals to spoof their IP address and potentially gain access
to restricted pages.

The tool discovered a resource that it did not
have permission to access, but was granted access after spoofing the
address of localhost (127.0.0.1), thus bypassing any requirement to
authenticate.

================================================
FILE: db/en/description/36.md
================================================
To perform specific actions from within a web application, it is
occasionally required to run Operating System commands and have the
output of these commands captured by the web application and returned
to the client.

OS command injection occurs when user supplied input
is inserted into one of these commands without proper sanitisation and
is then executed by the server.

Cyber-criminals will abuse this
weakness to perform their own arbitrary commands on the server. This
can include everything from simple `ping` commands to map the internal
network, to obtaining full control of the server.



It was possible to inject and verify the execution of specific Operating
System commands which indicates that proper input sanitisation is not
occurring.

================================================
FILE: db/en/description/38.md
================================================
In typical form-based web applications, it is common practice for
developers to allow `autocomplete` within the HTML form to improve the
usability of the page. With `autocomplete` enabled (default), the
browser is allowed to cache previously entered form values.

For
legitimate purposes, this allows the user to quickly re-enter the same
data when completing the form multiple times.

When `autocomplete` is
enabled on either/both the username and password fields, this could
allow a cyber-criminal with access to the victim's computer the
ability to have the victim's credentials automatically entered as the
cyber-criminal visits the affected page.

The tool has discovered that
the affected page contains a form containing a password field that has
not disabled `autocomplete`.

================================================
FILE: db/en/description/39.md
================================================
Web applications occasionally use parameter values to store the
location of a file which will later be required by the server.

An
example of this is often seen in error pages, where the actual file
path for the error page is stored in a parameter value -- for example
`example.com/error.php?page=404.php`.

A path traversal occurs when
the parameter value (i.e. the path to the file being called by the server) can
be substituted with the relative path of another resource which is
located outside of the application's working directory. The server then
loads the resource and includes its contents in the response to the
client.

Cyber-criminals will abuse this vulnerability to view files
that should otherwise not be accessible.

A very common example of
this, on *nix servers, is gaining access to the `/etc/passwd` file in
order to retrieve a list of server users. This attack would look like:
`yoursite.com/error.php?page=../../../../etc/passwd`

As path
traversal is based on the relative path, the payload must first
traverse to the file system's root directory, hence the string of
`../../../../`.

The tool discovered that it was possible to substitute
a parameter value with a relative path to a common operating system
file and have the contents of the file included in the response.

================================================
FILE: db/en/description/4.md
================================================
A common practice when administering web applications is to create a
copy/backup of a particular file or directory prior to making any
modification to the file. Another common practice is to add an
extension or change the name of the original file to signify that it
is a backup (examples include `.bak`, `.orig`, `.backup`, etc.).
During the initial recon stages of an attack, cyber-criminals will
attempt to locate backup files by adding common extensions onto files
already discovered on the webserver. By analysing the response headers
from the server they are able to determine if the backup file exists.
These backup files can then assist in the compromise of the web
application.

By utilising the same method, the tool was able to
discover a possible backup file.

================================================
FILE: db/en/description/40.md
================================================
Private, or non-routable, IP addresses are generally used within a
home or company network and are typically unknown to anyone outside of
that network.

Cyber-criminals will attempt to identify the private IP
address range being used by their victim, to aid in collecting further
information that could then lead to a possible compromise.

The tool
discovered that the affected page returned an RFC 1918 compliant
private IP address and therefore could be revealing sensitive
information.

_This finding typically requires manual verification to
ensure the context is correct, as any private IP address within the
HTML body will trigger it.

================================================
FILE: db/en/description/41.md
================================================
HTTP response splitting occurs when untrusted data is inserted into
the response headers without any sanitisation.

If successful, this
allows cyber-criminals to essentially split the HTTP response in two.
This is achieved by injecting CR (Carriage Return -- `\r`, URL-encoded
`%0d`) and LF (Line Feed -- `\n`, URL-encoded `%0a`) characters, which
then form the split. If the CR and LF characters are stripped or
rejected by the server before they reach the response headers, the
issue cannot be exploited.

Along with these characters, cyber-criminals
can then construct their own arbitrary response headers and body which
would then form the second response. The second response is entirely
under their control, allowing for a number of other attacks.

================================================
FILE: db/en/description/42.md
================================================
Web applications occasionally use parameter values to store the
location of a file which will later be required by the server.

An
example of this is often seen in error pages, where the actual file
path for the error page is stored in a parameter value -- for example
`example.com/error.php?page=404.php`.

A remote file inclusion occurs
when the parameter value (i.e. the path to the file being called by the
server) can be substituted with the address of a remote resource -- for
example:
`yoursite.com/error.asp?page=http://anothersite.com/somethingBad.php`
In some cases, the server will process the fetched resource;
therefore, if the resource contains server-side code matching that of
the framework being used (ASP, PHP, JSP, etc.), it is probable that
the resource will be executed as if it were part of the web
application.

The tool discovered that it was possible to substitute a
parameter value with an external resource and have the server fetch it
and include its contents in the response.

================================================
FILE: db/en/description/43.md
================================================
HTTP by itself is a stateless protocol; therefore, the server is
unable to determine which requests are performed by which client and
which clients are authenticated or unauthenticated.

The use of HTTP
cookies within the headers allows a web server to identify each
individual client and can thus determine which clients hold valid
authentication from those that do not. These are known as session
cookies or session tokens.

To prevent clients from being able to
guess each other's session token, each assigned session token should
be entirely random and be different whenever a session is established
with the server.

Session fixation occurs when the client is able to
specify their own session token value and the value of the session
cookie is not changed by the server after successful authentication.
Occasionally, the session token will also remain unchanged for the
user independently of how many times they have authenticated.
Cyber-criminals will abuse this functionality by sending crafted URL
links with a predetermined session token within the link. The
cyber-criminal will then wait for the victim to login and become
authenticated. If successful, the cyber-criminal will know a valid
session ID and therefore have access to the victim's session.

The tool
has discovered that it is able to set its own session token.

================================================
FILE: db/en/description/44.md
================================================
A modern web application will be reliant on several different
programming languages.

These languages can be broken up in two
flavours. These are client-side languages (such as those that run in
the browser -- like JavaScript) and server-side languages (which are
executed by the server -- like ASP, PHP, JSP, etc.) to form the
dynamic pages (client-side code) that are then sent to the client.
Because all server-side code should be executed by the server, it
should never be seen by the client. However, in some scenarios it is
possible that:


1. The server side code has syntax errors and therefore is not executed
by the server but is instead sent to the client

2. Using crafted requests it is possible to force the server
into displaying the source code of the application without executing it.



As the server-side source code often contains sensitive
information, such as database connection strings or details into the
application workflow, this can be extremely risky.

Cyber-criminals
will attempt to discover pages that either accidentally or forcefully
allow the server-side source code to be disclosed, to assist in
discovering further vulnerabilities or sensitive information.

The tool
has detected server-side source code within the server's response.
_(False positives may occur when requesting binary files such as
images (.JPG or .PNG) and may require manual verification.)_

================================================
FILE: db/en/description/45.md
================================================
Due to the requirement for dynamic content of today's web
applications, many rely on a database backend to store data that will
be called upon and processed by the web application (or other
programs). Web applications retrieve data from the database by using
Structured Query Language (SQL) queries.

To meet demands of many
developers, database servers (such as MSSQL, MySQL, Oracle etc.) have
additional built-in functionality that can allow extensive control of
the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's
request is concatenated into a SQL query rather than passed as a bound
parameter, without prior validation or escaping. This could allow
cyber-criminals to execute arbitrary SQL statements and steal or modify
data, or to use the additional functionality of the database server to
take control of further server components.

The successful exploitation
of a SQL injection can be devastating to an organisation and is one of
the most commonly exploited web application vulnerabilities.

This
injection was detected because the tool was able to cause the server to
respond with a database-related error message, indicating that the
injected input reached the database query unchanged.

================================================
FILE: db/en/description/46.md
================================================
Due to the requirement for dynamic content of today's web
applications, many rely on a database backend to store data that will
be called upon and processed by the web application (or other
programs). Web applications retrieve data from the database by using
Structured Query Language (SQL) queries.

To meet demands of many
developers, database servers (such as MSSQL, MySQL, Oracle etc.) have
additional built-in functionality that can allow extensive control of
the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's
request is concatenated into a SQL query rather than passed as a bound
parameter, without prior validation or escaping. This could allow
cyber-criminals to execute arbitrary SQL statements and steal or modify
data, or to use the additional functionality of the database server to
take control of further server components.

The successful exploitation
of a SQL injection can be devastating to an organisation and is one of
the most commonly exploited web application vulnerabilities.



Injection was detected because it was possible to inject SQL conditions
that, if the parameter is vulnerable, cause the server's response to
differ depending on whether the injected condition evaluates to true or
false. This is known as a (boolean-based) blind SQL injection
vulnerability, as no database errors or query output are returned
directly.

================================================
FILE: db/en/description/47.md
================================================
Due to the requirement for dynamic content of today's web
applications, many rely on a database backend to store data that will
be called upon and processed by the web application (or other
programs). Web applications retrieve data from the database by using
Structured Query Language (SQL) queries.

To meet demands of many
developers, database servers (such as MSSQL, MySQL, Oracle etc.) have
additional built-in functionality that can allow extensive control of
the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's
request is concatenated into a SQL query rather than passed as a bound
parameter, without prior validation or escaping. This could allow
cyber-criminals to execute arbitrary SQL statements and steal or modify
data, or to use the additional functionality of the database server to
take control of further server components.

The successful exploitation
of a SQL injection can be devastating to an organisation and is one of
the most commonly exploited web application vulnerabilities.

This
injection was detected because the tool was able to inject SQL
statements that, if the parameter is vulnerable, cause the server's
response to be delayed by a chosen amount of time before being sent.
This is known as a time-based blind SQL injection vulnerability; as
response timing can vary for other reasons, the finding should be
confirmed with repeated measurements.

================================================
FILE: db/en/description/48.md
================================================
The US Social Security Number (SSN) is a personally identifiable
nine-digit number issued by the United States to its citizens and
certain residents.

A stolen or leaked SSN can lead to account compromise and/or the theft
of the affected individual's identity.

Through the use of regular expressions, the tool has discovered a value
matching the SSN format within the response of the affected page. _As
any nine-digit value in this format will trigger the check, the finding
requires manual verification to confirm it is a genuine SSN._

================================================
FILE: db/en/description/49.md
================================================
The HTTP protocol by itself is clear text, meaning that any data
transmitted via HTTP can be captured and its contents viewed or
modified in transit.

To keep data private and prevent interception, HTTP is tunnelled
through Transport Layer Security (TLS), or its now-deprecated
predecessor Secure Sockets Layer (SSL). When either of these is used it
is referred to as HTTPS.

Cyber-criminals will often attempt to capture credentials passed from
the client to the server over plain HTTP. This can be done via various
Man-in-the-Middle (MitM) attacks or through network packet captures.
The tool discovered that the affected page contains a `password` input
whose value is submitted to the server over plain HTTP rather than
HTTPS. Therefore any submitted credential may be compromised. Note that
the page containing the form must also be served over HTTPS; otherwise
an attacker can rewrite the form's action before the user submits it.

================================================
FILE: db/en/description/5.md
================================================
To prevent the automated abuse of a page, applications can implement
what is known as a CAPTCHA.

These are used to ensure human
interaction with the application and are often used on forms where the
application conducts sensitive actions. These typically include user
registration, or submitting emails via "Contact Us" pages etc.
The tool has flagged this not as a vulnerability, but as a prompt for
the penetration tester to conduct further manual testing on the
CAPTCHA function, as the tool cannot audit CAPTCHA-protected forms.
Testing for an insecurely implemented CAPTCHA is a manual process, and
an insecurely implemented CAPTCHA could allow a cyber-criminal a means
to abuse these sensitive actions.

================================================
FILE: db/en/description/50.md
================================================
Web applications occasionally use parameter values to store the
address of the page to which the client will be redirected -- for
example: `yoursite.com/page.asp?redirect=www.yoursite.com/404.asp`

An
unvalidated redirect occurs when the client is able to modify the
affected parameter value in the request and thus control the location
of the redirection. For example, the following URL
`yoursite.com/page.asp?redirect=www.anothersite.com` will redirect to
`www.anothersite.com`.

Cyber-criminals will abuse these
vulnerabilities in social engineering attacks to get users to
unknowingly visit malicious web sites.

The tool has discovered that
the server does not validate the parameter value prior to redirecting
the client to the injected value.

================================================
FILE: db/en/description/51.md
================================================
Web applications occasionally use DOM input values to store the
address of the page to which the client will be redirected -- for
example: `yoursite.com/#/?redirect=www.yoursite.com/404.asp`

An
unvalidated redirect occurs when the client is able to modify the
affected parameter value and thus control the location of the
redirection. For example, the following URL
`yoursite.com/#/?redirect=www.anothersite.com` will redirect to
`www.anothersite.com`.

Cyber-criminals will abuse these
vulnerabilities in social engineering attacks to get users to
unknowingly visit malicious web sites.

The tool has discovered that
the web page does not validate the parameter value prior to
redirecting the client to the injected value.

================================================
FILE: db/en/description/52.md
================================================
Web Distributed Authoring and Versioning (WebDAV) is a facility that
enables basic file management (reading and writing) to a web server.
It essentially allows the webserver to be mounted by the client as a
traditional file system allowing users a very simplistic means to
access it as they would any other medium or network share.

If
discovered, attackers will attempt to harvest information from the
WebDAV enabled directories, or even upload malicious files that could
then be used to compromise the server.

The tool discovered that the
affected page allows WebDAV access. This was discovered because the
server accepted several HTTP methods specific to WebDAV (`PROPFIND`,
`PROPPATCH`, etc.). Further testing should be conducted on the WebDAV
component manually, as the tool does not support auditing this feature.

================================================
FILE: db/en/description/53.md
================================================
Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into
clicking on something different from what the user perceives they are
clicking on, thus potentially revealing confidential information or
taking control of their computer while clicking on seemingly innocuous
web pages.

The server did not return an `X-Frame-Options` header, which means that
this website could be at risk of a clickjacking attack. The
`X-Frame-Options` HTTP response header can be used to indicate whether
or not a browser should be allowed to render a page inside a frame or
iframe (`DENY`, or `SAMEORIGIN` when the site frames its own pages).
Sites can use this to avoid clickjacking attacks by ensuring that their
content is not embedded into other sites. The `frame-ancestors`
directive of `Content-Security-Policy` provides the same protection in
current browsers and should be set alongside `X-Frame-Options`.

================================================
FILE: db/en/description/54.md
================================================
XML Path Language (XPath) queries are used by web applications for
selecting nodes from XML documents. Once selected, the value of these
nodes can then be used by the application.

A simple example for the
use of XML documents is to store user information. As part of the
authentication process, the application will perform an XPath query to
confirm the login credentials and retrieve that user's information to
use in the following request.

XPath injection occurs where untrusted
data is used to build XPath queries.

Cyber-criminals may abuse this
injection vulnerability to bypass authentication, query other users'
information, or, if the XML document contains privileged user
credentials, escalate their privileges.
The tool injected special XPath query characters into the page and,
based on the responses from the server, has determined that the page
is vulnerable to XPath injection.

================================================
FILE: db/en/description/55.md
================================================
Client-side scripts are used extensively by modern web applications.
They perform from simple functions (such as the formatting of text) up
to full manipulation of client-side data and Operating System
interaction.



Cross Site Scripting (XSS) allows clients to inject arbitrary scripting
code into a request and have the server return the script to the
client in the response. This occurs because the application is taking
untrusted data (in this example, from the client) and reusing it
without performing any validation or encoding.

================================================
FILE: db/en/description/56.md
================================================
Client-side scripts are used extensively by modern web applications.
They perform from simple functions (such as the formatting of text) up
to full manipulation of client-side data and Operating System
interaction.

Unlike traditional Cross-Site Scripting (XSS), where the
client is able to inject scripts into a request and have the server
return the script to the client, DOM XSS does not require that a
request be sent to the server and may be abused entirely within the
loaded page.

This occurs when elements of the DOM that an attacker can influence
(known as sources, e.g. `location.hash` or `document.referrer`) carry
untrusted data which client-side scripts then pass to functions that
interpret it as HTML or code (known as sinks, e.g. `innerHTML` or
`eval`) in an unsafe way.

================================================
FILE: db/en/description/6.md
================================================
A modern web application will be reliant on several different
programming languages.

These languages can be broken up in two
flavours. These are client-side languages (such as those that run in
the browser -- like JavaScript) and server-side languages (which are
executed by the server -- like ASP, PHP, JSP, etc.) to form the
dynamic pages (client-side code) that are then sent to the client.
Because all server-side code should be executed by the server, it
should only ever come from a trusted source.

Code injection occurs
when the server takes untrusted code (ie. from the client) and
executes it.

Cyber-criminals will abuse this weakness to execute
arbitrary code on the server, which could result in complete server
compromise.

The tool was able to inject specific server-side code and
have the executed output from the code contained within the server
response. This indicates that proper input sanitisation is not
occurring.

================================================
FILE: db/en/description/63.md
================================================
The `TRACE` HTTP method allows a client to send a request to the
server and have the same request echoed back in the server's response.
This allows the client to determine whether the server is receiving the
request as expected, or whether specific parts of the request are not
arriving as expected -- for example, because of incorrect encoding, or
because a load balancer has filtered or changed a value. On many
default installations the `TRACE` method is still enabled.

While not a vulnerability by itself, it has historically provided a
method for cyber-criminals to bypass the `HttpOnly` cookie flag
(Cross-Site Tracing, XST): a script injected via XSS would issue a
`TRACE` request and read the echoed `Cookie` header. Modern browsers
refuse to issue `TRACE` requests from page scripts, so the practical
impact is now limited, but the method should still be disabled as it
serves no purpose in production.

The tool has discovered
that the affected page permits the HTTP `TRACE` method.

================================================
FILE: db/en/description/64.md
================================================
An XML External Entity attack is a type of attack against an
application that parses XML input.

This attack occurs when XML input
containing a reference to an external entity is processed by an XML
parser that is configured to resolve external entities (historically
the default in many parsers).

This attack may lead to the disclosure of
confidential data, denial of service, port scanning from the
perspective of the machine where the parser is located, and other
system impacts.

================================================
FILE: db/en/description/65.md
================================================
Many web applications allow users to upload files that will either be
stored or processed by the receiving web server.



It was possible to identify a form which allows files with arbitrary
content and extension to be uploaded to the remote server, and then
stores the uploaded file to a guessable path in the server's web root.



This could be used by a cyber-criminal to host content from the vulnerable
server for phishing and Cross-Site Scripting attacks. In cases where the
server is configured to execute scripts (PHP, Ruby, etc.) this
vulnerability can be used to gain remote code execution on the server.

================================================
FILE: db/en/description/66.md
================================================
The server accepts SSL connections which use the insecure SSLv2
protocol. SSLv2 is an old implementation of the Secure Sockets Layer
protocol which suffers from a number of security flaws allowing attackers
to capture and alter information passed between a client and the server.



SSLv2 has been formally prohibited (RFC 6176) and must not be used;
SSLv3 has likewise been deprecated (RFC 7568). Note that neither SSLv2
nor SSLv3 meet the U.S. FIPS 140-2 standard, which governs
cryptographic modules for use in federal information systems. Only the
newer TLS (Transport Layer Security) protocol meets FIPS 140-2
requirements.

================================================
FILE: db/en/description/67.md
================================================
The server's TLS/SSL certificate is self-signed. A self-signed
certificate cannot be validated against a trusted certificate
authority, so browsers and other HTTP clients will warn about or reject
it. If users are trained to click through such warnings, they are
unable to distinguish the legitimate certificate from one presented by
a man-in-the-middle attacker, who can equally generate a self-signed
certificate for the site's name and eavesdrop on or alter the
connection.

================================================
FILE: db/en/description/68.md
================================================
GNU Bash through 4.3 processes trailing strings after function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary code via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH
sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
executed by unspecified DHCP clients, and other situations in which
setting the environment occurs across a privilege boundary from Bash
execution, aka 'ShellShock' (CVE-2014-6271).

================================================
FILE: db/en/description/69.md
================================================
Incorrect permissions and/or missing authentication were discovered on
FrontPage extensions used for publishing content.



A cyber-criminal might use this vulnerability to deface web sites and
potentially gain remote code execution on the server.

================================================
FILE: db/en/description/70.md
================================================
Client-side scripts are used extensively by modern web applications.
They perform from simple functions (such as the formatting of text) up
to full manipulation of client-side data and Operating System
interaction.



Cross Site Scripting (XSS) allows clients to inject arbitrary scripting
code into a request and have the server return the script to the
client in the response. This occurs because the application is taking
untrusted data (in this example, from the client) and reusing it
without performing any validation or encoding.



Persistent Cross Site Scripting vulnerabilities occur when the application
stores user controlled information and then uses it to render HTTP
response bodies to other clients.



This type of vulnerability can be used by a cyber-criminal to perform
session hijacking, phishing or denial of service attacks against other
web application users.

================================================
FILE: db/en/description/71.md
================================================
The reflected file download vulnerability is an application weakness
which allows a cyber-criminal to perform advanced social engineering
attacks in which an arbitrary executable file is downloaded by the user
from the vulnerable site. The contents of the executable file are
controlled by the attacker (typically via a reflected request
parameter) and are never uploaded to the vulnerable site.



This vulnerability, like many other Web attacks, begins by sending a
malicious link to a victim. Unlike other attacks the exploitation finishes
outside of the browser context:



1. The user follows a malicious link to a trusted web site

2. An executable file is downloaded and saved on the user's machine.
All security indicators show that the file is 'hosted' on the trusted web
site

3. The user executes the file which contains shell commands that gain
complete control over the computer.

================================================
FILE: db/en/description/72.md
================================================
The `Cache-Control` and `Pragma` HTTP headers have not been set
properly, allowing the browser and intermediate proxies to cache the
HTTP response. Responses containing sensitive or user-specific data
should be sent with `Cache-Control: no-store` (and `Pragma: no-cache`
for legacy HTTP/1.0 caches) so that they are not retained on shared
machines or caching proxies.

================================================
FILE: db/en/description/73.md
================================================
Information Leakage is an application weakness where an application
reveals sensitive data, such as technical details of the web application,
environment, or user-specific data. Sensitive data may be used by an
attacker to exploit the target web application, its hosting network,
or its users.



In its most common form, information leakage is the result of one or more
of the following conditions:

* A failure to scrub out HTML/Script comments containing sensitive
information

* Improper application or server configurations

* Improper application error handling


================================================
FILE: db/en/description/74.md
================================================
The web user interface (UI) does not properly represent critical
information to the user, allowing the information - or its source -
to be obscured or spoofed. This is often a component in phishing attacks.



If an attacker can cause the UI to display erroneous data, or to otherwise
convince the user to display information that appears to come from a
trusted source, then the attacker could trick the user into performing the
wrong action. An example of this vulnerability is the possibility to
control the `src` attribute of an iframe tag using a query string
parameter.

================================================
FILE: db/en/description/75.md
================================================
Web applications often have predictable usernames and weak password
policies. This can easily allow an attacker to gain unauthorised access
to the application by guessing the credentials used for authentication.

It was possible to guess and obtain a set of valid credentials for the
application in scope.

================================================
FILE: db/en/description/76.md
================================================
`X-Content-Type-Options` is an HTTP response header that can be used to prevent MIME
content-sniffing attacks in browsers that honour it (originally Internet Explorer and
Google Chrome; now all major browsers). MIME content-sniffing is a mechanism that allows
a browser to inspect the bytes of a response and dynamically guess its content type and
file type, potentially overriding the `Content-Type` declared by the server.

The MIME sniffing algorithm has known weaknesses which might allow users to upload files
that contain malicious code. If an attacker can spoof a file type/content and upload it to
the application successfully, the browser may interpret the file as HTML or script when it
is served back, so the malicious code is executed in the browsers of other users of the
application. This can lead to attacks such as persistent Cross-Site Scripting.

================================================
FILE: db/en/description/77.md
================================================
Basic Access Authentication is an authentication method in which the client transmits the
login credentials base64-encoded on every request. This is equivalent to cleartext: base64
is an encoding, not encryption, and is trivially reversible. Unless the connection is
protected by TLS, this is considered insecure because anyone able to observe the traffic
(network eavesdropping) can recover the original username and password.

If an application requires authentication, it will send a `WWW-Authenticate`
header with a `401 Unauthorized` HTTP status code. The client then needs to send
the server credentials through an `Authorization` header, transmitted as the
base64-encoded `name:password` string. A well-positioned attacker can capture the
usernames and passwords by sniffing traffic to these services; because the browser
re-sends the header with every subsequent request, capturing a single request is
sufficient.

================================================
FILE: db/en/description/8.md
================================================
A modern web application will be reliant on several different
programming languages.

These languages can be broken up in two
flavours. These are client-side languages (such as those that run in
the browser -- like JavaScript) and server-side languages (which are
executed by the server -- like ASP, PHP, JSP, etc.) to form the
dynamic pages (client-side code) that are then sent to the client.
Because all server-side code should be executed by the server, it
should only ever come from a trusted source.

Code injection occurs
when the server takes untrusted code (ie. from the client) and
executes it.

Cyber-criminals will abuse this weakness to execute
arbitrary code on the server, which could result in complete server
compromise.

================================================
FILE: db/en/description/9.md
================================================
Web applications are often made up of multiple files and directories.
It is possible that over time some directories may become unreferenced
(unused) by the web application and forgotten about by the
administrator/developer. Because web applications are built using
common frameworks, they contain common directories that can be
discovered (independent of server).

During the initial recon stages
of an attack, cyber-criminals will attempt to locate unreferenced
directories in the hope that the directory will assist in further
compromise of the web application. To achieve this they will make
thousands of requests using word lists containing common names. The
response headers from the server will then indicate if the directory
exists.

The tool also contains a list of common directory names which
it will attempt to access.

================================================
FILE: db/en/fix/1.md
================================================
The most effective method of preventing SQL injection attacks while
still maintaining full application functionality is to use
parameterized queries (also known as prepared statements). When
utilising this method of querying the database, any value supplied by
the client is bound as data and can never be interpreted as part of the
SQL query itself, regardless of which characters it contains.

Additionally, when utilising parameterized queries, the database
driver or engine will typically enforce the type of each bound parameter.
For example, a value bound to an integer column will be rejected if it is
not a valid integer. Note that parameterization only protects values:
identifiers such as table or column names and `ORDER BY` directions cannot
be bound as parameters and must instead be validated against a fixed
allow-list before being placed in the query.

================================================
FILE: db/en/fix/10.md
================================================
If files are unreferenced then they should be removed from the web
root and/or the application directory.

Preventing access without authentication may also be an option and 
can stop a client from being able to view the contents of a file, 
however it is still likely that the directory structure will be 
able to be discovered.

Using obscure file names is implementing security through 
obscurity and is not a recommended option.

================================================
FILE: db/en/fix/11.md
================================================
It is recommended that untrusted data is never used to form the
contents of the response header.

Where any untrusted source is required to be used in the response
headers, it is important to ensure that carriage return and line feed
characters (`\r`, `\n`, including their URL-encoded forms `%0d` and `%0a`)
are rejected or stripped prior to being used, since these are what allow an
attacker to terminate a header and inject further headers or a response body.
Prefer framework APIs that set a header by name and value and refuse control
characters over hand-written sanitisation.

This is especially important when setting cookie values,
redirecting, etc..

================================================
FILE: db/en/fix/12.md
================================================
Create a new TLS/SSL certificate, request a trusted certificate
authority (CA) to sign it and replace the self-signed certificate with
the newly generated one.

================================================
FILE: db/en/fix/13.md
================================================
It is recommended that untrusted data is never used to form a file
location to be included.

To validate data, the application should ensure that the supplied 
value for a file is permitted. This can be achieved by performing 
whitelisting on the parameter value, by matching it against a list
of permitted files. If the supplied value does not match any value
in the whitelist, then the server should redirect to a standard
error page.

In some scenarios, where dynamic content is being requested, it may
not be possible to perform validation against a fixed list of trusted resources;
the list must then become dynamic (updated as the files change), or the input
should be restricted to a safe character set (for example only `a-z0-9`,
rejecting path separators, semicolons, periods and null bytes). As a further
check, the application should resolve the final path to its canonical form and
verify that it still lies inside the intended base directory before including it.

It is also advised that sensitive files are not stored within the
web root and that the user permissions enforced by the directory
are correct.

================================================
FILE: db/en/fix/14.md
================================================
Basic authentication must only ever be used over a TLS-protected connection, so
that the base64-encoded credentials cannot be observed on the network. Where
possible it should be replaced by a form-based or token-based mechanism (for
example cookie-based sessions). Note that any replacement is equally insecure if
credentials are still submitted in clear text, so TLS must be enforced when
transmitting sensitive information regardless of the mechanism chosen.

================================================
FILE: db/en/fix/15.md
================================================
The most important remediation action is to prevent the server from
accepting client supplied data as session tokens.

Additionally, the client's session token should be changed at specific 
key stages of the application flow, such as during authentication. 
This will ensure that even if clients are able to set their own cookie, 
it will not persist into an authenticated session.

================================================
FILE: db/en/fix/16.md
================================================
Analyze the objects using manual analysis techniques such as
a local proxy, decompilation or reverse engineering.

================================================
FILE: db/en/fix/17.md
================================================
Configure your web server to include an `X-Frame-Options` header (`DENY`, or
`SAMEORIGIN` if the application legitimately frames its own pages) on every
response. Modern browsers also honour the `Content-Security-Policy:
frame-ancestors` directive, which supersedes `X-Frame-Options` and allows
specific origins to be permitted; sending both provides the widest coverage.

================================================
FILE: db/en/fix/18.md
================================================
The `autocomplete` value can be configured in two different locations.
The first and most secure location is to disable the `autocomplete`
attribute on the `<form>` HTML tag. This will disable `autocomplete`
for all inputs within that form. An example of disabling
`autocomplete` within the form tag is `<form autocomplete=off>`.

The second slightly less desirable option is to disable the `autocomplete`
attribute for a specific `<input>` HTML tag. While this may be the
less desired solution from a security perspective, it may be the preferred
method for usability reasons, depending on the size of the form. An
example of disabling the `autocomplete` attribute within a password
input tag is `<input type=password autocomplete=off>`.

Note that most current browsers deliberately ignore `autocomplete=off` on
login and password fields in favour of their built-in password managers, so
this control should be treated as defence-in-depth rather than a guarantee
that credentials are never stored on the client.

================================================
FILE: db/en/fix/19.md
================================================
It is recommended that untrusted data is never used to form a command
to be executed by the OS.

To validate data, the application should ensure that the supplied value 
contains only the characters that are required to perform the
required action.

For example, where the form field expects an IP address, only numbers
and periods should be accepted. Additionally, all shell metacharacters
and control operators (`;`, `&`, `&&`, `|`, `||`, `$`, `` ` ``, `\`, `#`,
`<`, `>`, `(`, `)` and newline) should be explicitly denied and never
accepted as valid input by the server.

Wherever possible, avoid invoking a shell at all: call the required program
directly with an argument vector (for example `execve`, `subprocess.run([...])`
without `shell=True`, or `ProcessBuilder`) so that user input is passed as a
single argument and is never parsed for metacharacters.

================================================
FILE: db/en/fix/2.md
================================================
It is recommended that untrusted data is never used to form a LDAP
query.

To validate data, the application should ensure that the
supplied value contains only the characters that are required to
perform the required action. For example, where a username is
required, then no non-alphanumeric characters should be accepted.

If this is not possible, special characters should be escaped so they are
treated as literal data rather than syntax. Note that LDAP has two distinct
escaping contexts — distinguished names (RFC 4514) and search filters
(RFC 4515) — and the correct one must be applied depending on where the value
is inserted. When building a distinguished name, the following characters
should be escaped with a back-slash:

* `&`
* `!`
* `|`
* `=`
* `<`
* `>`
* `,`
* `+`
* `-`
* `"`
* `'`
* `;`

When building a search filter, the following characters must instead be
escaped using their two-digit hexadecimal value prefixed with a backslash,
as defined in RFC 4515:

* `(` → `\28`
* `)` → `\29`
* `\` → `\5c`
* `*` → `\2a`
* `NULL` → `\00`
* `/` → `\2f` (additionally required by some directory servers)

Use the escaping functions provided by the LDAP client library rather than
hand-written code wherever they exist.

================================================
FILE: db/en/fix/20.md
================================================
To remedy XSS vulnerabilities, it is important to never use untrusted
or unfiltered data within the code of a HTML page.

Untrusted data can originate not only from the client but potentially from
a third party, a previously uploaded file, or the application's own database
(stored data that was untrusted when it arrived). Filtering of untrusted
data typically involves converting special characters to their HTML
entity encoded counterparts at the point of output (however, other methods
do exist, see references). These special characters include:


* `&`
* `<`
* `>`
* `"`
* `'`
* `/`

An example of HTML entity encoding is converting `<` to `&lt;`. Although
it is possible to filter untrusted input, there are five locations
within an HTML page where untrusted input (even if it has been
filtered) should never be placed:


1. Directly in a script.
2. Inside an HTML comment.
3. In an attribute name.
4. In a tag name.
5. Directly in CSS.

Each of these locations have their own form of escaping and filtering.

_Because many browsers attempt to implement XSS protection, any manual
verification of this finding should be conducted using multiple different
browsers and browser versions._

================================================
FILE: db/en/fix/21.md
================================================
Do not keep obsolete versions of files under the virtual web server
root.

When updating the site, delete or move the files to a directory
outside the virtual root, edit them there, and move (or copy) the
files back to the virtual root. Make sure that only the files that are
actually in use reside under the virtual root.

Preventing access without authentication may also be an option and
stop a client being able to view the contents of a file, however it
is still likely that the filenames will be able to be discovered.

Using obscure filenames is only implementing security through
obscurity and is not a recommended option.

================================================
FILE: db/en/fix/22.md
================================================
Identifying the context in which the affected page displays a Private
IP address is necessary.

If the page is publicly accessible and displays the Private IP of the
affected server (or supporting infrastructure), then measures should
be put in place to ensure that the IP address is removed from any response.

================================================
FILE: db/en/fix/23.md
================================================
Where possible the HTTP `PUT` method should be globally disabled. This
can typically be done with a simple configuration change on the
server. The steps to disable the `PUT` method will differ depending on
the type of server being used (IIS, Apache, etc.).

For cases where the `PUT` method is required to meet application
functionality, such as REST style web services, strict limitations
should be implemented to ensure that only secure (SSL/TLS enabled)
and authorised clients are permitted to use the `PUT` method.

Additionally, the server's file system permissions should also
enforce strict limitations.

================================================
FILE: db/en/fix/24.md
================================================
The preferred way to protect against XPath injection is to utilise
parameterized (also known as prepared) XPath queries. When utilising
this method of querying the XML document any value supplied by the
client will be handled as a string rather than part of the XPath
query.

An alternative to parameterized queries is to use precompiled
XPath queries. Precompiled XPath queries are not generated dynamically
and will therefore never process user supplied input as XPath.

================================================
FILE: db/en/fix/25.md
================================================
The HTTP `TRACE` method is normally not required within production
sites and should therefore be disabled.

Depending on the function being performed by the web application,
the risk level can start low and increase as more functionality
is implemented.

The remediation is typically a very simple configuration change
and in most cases will not have any negative impact on the server
or application.

================================================
FILE: db/en/fix/26.md
================================================
The initial steps to remedy this should be determined on whether the
cookie is sensitive in nature. If the cookie does not contain any
sensitive information then the risk of this vulnerability is reduced;
however, if the cookie does contain sensitive information (a session
identifier or any authentication token always counts as sensitive), then
the server should ensure that the cookie has its `Secure` flag set, so that
the browser never sends it over an unencrypted connection.

================================================
FILE: db/en/fix/27.md
================================================
1. Explicitly set the `filename` attribute in the Content-disposition
HTTP response header.

2. Perform strict whitelist validation on user input before using it
in the creation of HTTP response bodies


================================================
FILE: db/en/fix/28.md
================================================
Initially, the SSN within the response should be checked to ensure its
validity, as it is possible that the regular expression has matched a
similar number with no relation to a real SSN.

If the response does contain a valid SSN, then all efforts should be
taken to remove or further protect this information. This can be 
achieved by removing the SSN altogether or by masking the number
so that only the last few digits are present within the response
(eg. _**********123_).

================================================
FILE: db/en/fix/29.md
================================================
The application should ensure that the supplied value for a redirect
is permitted. This can be achieved by performing whitelisting on the
parameter value.

The whitelist should contain a list of pages or
sites that the application is permitted to redirect users to. If the
supplied value does not match any value in the whitelist then the
server should redirect to a standard error page.

================================================
FILE: db/en/fix/3.md
================================================
E-mail addresses should be presented in such a way
that it is hard to process them automatically.

================================================
FILE: db/en/fix/30.md
================================================
The initial step to remedy this would be to determine whether any
client-side scripts (such as JavaScript) need to access the cookie and
if not, set the `HttpOnly` flag.

Additionally, it should be noted
that some older browsers are not compatible with the `HttpOnly` flag,
and therefore setting this flag will not protect those clients against
this form of attack.

================================================
FILE: db/en/fix/31.md
================================================
 1. Change the permissions on directories and files accessible via IIS

2. Setup authentication and authorization for FrontPage extension access

================================================
FILE: db/en/fix/32.md
================================================
If manual confirmation reveals that a web backdoor or web shell does
exist on the server, then it should be removed. It is also recommended
that an incident response investigation be conducted on the server to
establish how the web backdoor or web shell came to end up on the
server.

Depending on the environment, investigation into the
compromise of any other services or servers should be conducted.

================================================
FILE: db/en/fix/33.md
================================================
Upgrade Bash to a version that includes the complete set of Shellshock fixes.
Note that the initial patch (bash 4.3 patch 025, addressing CVE-2014-6271) was
incomplete and was followed by further patches for related issues (including
CVE-2014-7169), so the distribution vendor's fully patched package should be
installed and the fix confirmed by re-testing rather than by version number alone.

================================================
FILE: db/en/fix/34.md
================================================
Change the web server configuration in order to disable SSLv2

================================================
FILE: db/en/fix/35.md
================================================
 * Review the generated HTML source and ensure that none of it's sections
can be used in a UI misrepresentation attack.

* Perform strict data validation (e.g. syntax, length, etc.) before
using the user-provided data to render HTML pages.


================================================
FILE: db/en/fix/36.md
================================================
Carefully evaluate which sites will be allowed to make cross-domain
calls.

Consider network topology and any authentication mechanisms
that will be affected by the configuration or implementation of the
cross-domain policy.

================================================
FILE: db/en/fix/37.md
================================================
Although no remediation may be required based on this finding alone,
manual testing should ensure that:

1. The server keeps track of CAPTCHA tokens in use and has the token
terminated after its first use or after a period of time. Therefore
preventing replay attacks.

2. The CAPTCHA answer is not hidden in plain text within the response
that is sent to the client.

3. The CAPTCHA image should not be weak and easily solved.


================================================
FILE: db/en/fix/38.md
================================================
If the pages being protected are not required for the functionality of
the web application they should be removed, otherwise, it is
recommended that basic and basic realm authentication are not used to
protect against pages requiring authentication.

If NTLM based basic
authentication must be used, then default server and domain accounts
such as `administrator` and `root` should be disabled, as these will
undoubtedly be the first accounts to be targeted in any such attack.
Additionally, the webserver should not be joined to any corporate
domain where usernames are readily available (such as from email
addresses). If the pages are required, and it is possible to remove
the basic authentication, then a stronger and more resilient
form-based authentication mechanism should be implemented to protect
the affected pages.

================================================
FILE: db/en/fix/39.md
================================================
It is recommended that a whitelisting approach be taken to explicitly
permit the HTTP methods required by the application and block all
others.

Typically the only HTTP methods required for most
applications are `GET` and `POST`. All other methods perform actions
that are rarely required or perform actions that are inherently risky.
These risky methods (such as `PUT`, `DELETE`, etc) should be protected
by strict limitations, such as ensuring that the channel is secure
(SSL/TLS enabled) and only authorised and trusted clients are
permitted to use them.

================================================
FILE: db/en/fix/4.md
================================================
All pages and/or resources on the affected site should be secured
equally, utilising current, secure protocol versions: TLS 1.2 and
TLS 1.3.

SSL version 2, SSL version 3 (vulnerable to POODLE) and TLS 1.0/1.1 are
deprecated and should be disabled, along with weak ciphers (export grade,
RC4, 3DES, or symmetric keys < 128 bit) and cipher suites without forward
secrecy. Client compatibility should be verified against the organisation's
supported browser list rather than by retaining obsolete protocols.

================================================
FILE: db/en/fix/40.md
================================================
The first step to remediation is to identify the context in which the
cookie is being set and determine if it is required by the whole
domain, or just the specific host being tested.

If the cookie is only required by the host, then the `Domain` attribute
should be omitted from the `Set-Cookie` header: a cookie without a `Domain`
attribute is host-only and is not sent to subdomains, whereas any explicit
`Domain` value causes the cookie to be sent to every subdomain of that value.
Depending on the framework being used, the configuration of this attribute
will be modified in different ways.

================================================
FILE: db/en/fix/41.md
================================================
Unless the web server is being utilised to share static and
non-sensitive files, enabling directory listing is considered a poor
security practice

This can typically be done with a simple
configuration change on the server. The steps to disable the directory
listing will differ depending on the type of server being used (IIS,
Apache, etc.). If directory listing is required, and permitted, then
steps should be taken to ensure that the risk of such a configuration
is reduced.

These can include:

1. Requiring authentication to access affected pages.

2. Adding the affected path to the `robots.txt` file to prevent the
directory contents being indexed by search engines. Note that `robots.txt`
is itself publicly readable and is routinely reviewed by attackers, so this
only reduces accidental discovery and must not be relied upon as an access
control.

3. Ensuring that sensitive files are not stored within the
web or document root.

4. Removing any files that are not required for the application to
function.


================================================
FILE: db/en/fix/42.md
================================================
 * Ensure that the application source handles exceptions and errors in
a such a way that no sensitive information is disclosed to the users

* Configure the application server to handle and log any exceptions
that the application might yield


================================================
FILE: db/en/fix/43.md
================================================
Since the whole XML document is communicated from an untrusted client,
it's not usually possible to selectively validate or escape tainted
data within the system identifier in the DTD.

Therefore, the XML processor should be configured to use a local static
DTD and disallow any declared DTD included in the XML document. In practice
this means disabling DTD processing entirely where possible, and otherwise
disabling the resolution of external general and parameter entities and
external DTD loading in the parser's configuration.

================================================
FILE: db/en/fix/44.md
================================================
Based on the risk (determined by manual verification) of whether the
form submission performs a sensitive action, the addition of anti-CSRF
tokens may be required.

These tokens can be configured in such a way
that each session generates a new anti-CSRF token or such that each
individual request requires a new token.

It is important that the
server track and maintain the status of each token (in order to reject
requests accompanied by invalid ones) and therefore prevent
cyber-criminals from knowing, guessing or reusing them.

_For examples
of framework specific remediation options, please refer to the
references._

================================================
FILE: db/en/fix/45.md
================================================
All CORS requests include the `Origin` header, which indicates the
requesting origin (scheme, host and port). Create a server-side allow-list
of trusted origins which may consume the CORS resources and, when a request
is received, set the `Access-Control-Allow-Origin` response header only to
the exact value from the list that matches the `Origin` request header.

Compare the full origin string exactly; prefix or substring matching (for
example a regular expression that also accepts
`trusted.example.com.attacker.com`) reintroduces the vulnerability, and the
wildcard `*` must never be combined with
`Access-Control-Allow-Credentials: true`. Also emit `Vary: Origin` so that
caches do not serve a response intended for one origin to another.

================================================
FILE: db/en/fix/46.md
================================================
Remediation actions may be vastly different depending on the framework
being used, and how the application has been coded. However, the
origin header should never be used to validate a client's access as it
is trivial to change.

================================================
FILE: db/en/fix/47.md
================================================
It is recommended that untrusted input is never processed as
server-side code.

To validate input, the application should ensure
that the supplied value contains only the data that are required to
perform the relevant action.

For example, where a username is required, then no non-alphanumeric
characters should be accepted.

================================================
FILE: db/en/fix/48.md
================================================
Depending on the framework being used the implementation methods will
vary, however it is advised that the `Strict-Transport-Security`
header be configured on the server.

The `max-age` directive of this header specifies, in seconds, how long
the client's browser will remember that the site must only be accessed
over HTTPS.

A short value offers little protection; a value of at least one year
(`max-age=31536000`) is generally recommended, and is required for inclusion
in browser preload lists. The `includeSubDomains` directive should also be
set where all subdomains support HTTPS, since otherwise an attacker can use
an insecure subdomain to set or read cookies for the parent domain.

================================================
FILE: db/en/fix/49.md
================================================
CVS and/or SVN information should not be displayed to the end user.
This can be achieved by removing this information all together prior
to deployment, or by putting this information into a server-side (PHP,
ASP, JSP, etc) code comment block, as opposed to an HTML comment.

================================================
FILE: db/en/fix/5.md
================================================
The identified form handler should at a minimum:

1. Whitelist permitted file types and block all others. The `Content-Type`
sent by the client and the file extension are both attacker-controlled, so
the decision should be based on inspecting the file's actual content (for
example magic bytes, or re-encoding images through an image library) in
addition to an allow-list of extensions; the extension used when storing the
file should be assigned by the application, not taken from the upload.

2. As the file is uploaded, and prior to being handled (written to the
disk) by the server, the filename should be stripped of all control,
special, or Unicode characters.

3. Ensure that the upload is conducted via the HTTP `POST` method rather
than `GET` or `PUT`.

4. Ensure that the file is written to a directory that does not hold
any execute permission and that all files within that directory inherit
the same permissions.

5. Scan (if possible) with an up-to-date virus scanner before being
stored.

6. Ensure that the application handles files as per the host operating
system. For example, the length of the file name is appropriate, there
is adequate space to store the file, protection against overwriting
other files etc.

================================================
FILE: db/en/fix/50.md
================================================
Ensure that the `Cache-control` HTTP response header is set to
`no-cache, no-store` and the `Pragma` header must be set to `no-cache`.

================================================
FILE: db/en/fix/51.md
================================================
The preferred configuration is to prevent the use of unauthorised HTTP
methods by utilising the `<LimitExcept>` directive.

This directive uses a whitelisting approach to permit HTTP methods while
blocking all others not listed in the directive, and will therefore block
any method tampering attempts.

Most commonly, the only HTTP methods required for
most scenarios are `GET` and `POST`. An example of permitting these
HTTP methods is: `<LimitExcept POST GET> require valid-user
</LimitExcept>`

================================================
FILE: db/en/fix/52.md
================================================
Identification of the requirement to run a WebDAV server should be
considered. If it is not required then it should be disabled. However,
if it is required to meet the application functionality, then it
should be protected by SSL/TLS as well as the implementation of a
strong authentication mechanism.

================================================
FILE: db/en/fix/53.md
================================================
The `X-Content-Type-Options: nosniff` header should be set on all responses.
It instructs the browser not to perform MIME sniffing on the served file and to
trust the declared `Content-Type` instead. With `nosniff`, the browser will only
execute a resource as a script or apply it as a stylesheet if the `Content-Type`
matches what is expected for that type, so the server must also ensure that
every response carries an accurate `Content-Type` header.

================================================
FILE: db/en/fix/54.md
================================================
Do not have any default credentials set on the application. Any known usernames
or passwords associated with the application framework should also be removed.
Furthermore, Web Applications should implement a strong password policy consisting
of a combination of alphanumeric characters and a minimum length of 8 characters.

================================================
FILE: db/en/fix/55.md
================================================
If directories are unreferenced then they should be removed from the
web root and/or the application directory.

Preventing access without
authentication may also be an option and can stop a client from being
able to view the contents of a file, however it is still likely that
the directory structure will be able to be discovered.

Using obscure
directory names is implementing security through obscurity and is not
a recommended option.

================================================
FILE: db/en/fix/56.md
================================================
It is important that input sanitisation be conducted to prevent
application files (ASP, JSP, PHP or config files) from being called.
It is also important that the file system permissions are correctly
configured and that all unused files are removed from the web root.
If these are not an option, then the vulnerable file should be removed
from the server.

================================================
FILE: db/en/fix/57.md
================================================
Initially, the credit card number within the response should be
checked to ensure its validity, as it is possible that the regular
expression has matched on a similar number with no relation to a real
credit card.

If the response does contain a valid credit card number, then all
efforts should be taken to remove or further protect this information.
This can be achieved by removing the credit card number altogether, or
by masking the number so that only the last few digits are present
within the response (e.g. _**********123_).

Additionally, credit card numbers should not be stored by the
application unless the organisation also complies with the other
security controls outlined in the Payment Card Industry Data Security
Standard (PCI DSS).

================================================
FILE: db/en/fix/6.md
================================================
The most effective remediation against NoSQL injection attacks is to
ensure that NoSQL API calls are not constructed via string
concatenation that includes unsanitized data.

Sanitization is best achieved using existing escaping libraries.

================================================
FILE: db/en/fix/7.md
================================================
Manually inspect the HTTP response status code and body.

================================================
FILE: db/en/fix/8.md
================================================
The affected site should be secured utilising the latest and most
secure encryption protocols. These include SSL version 3.0 and TLS
version 1.2. While TLS 1.2 is the latest and the most preferred
protocol, not all browsers will support this encryption method.
Therefore, the more common SSL is included. Older protocols such as
SSL version 2, and weak ciphers (< 128 bit) should also be disabled.

================================================
FILE: db/en/fix/9.md
================================================
Client-side document rewriting, redirection, or other sensitive
action, using untrusted data, should be avoided wherever possible, as
these may not be inspected by server side filtering.

To remedy DOM XSS vulnerabilities where these sensitive document actions 
must be used, it is essential to:

1. Ensure any untrusted data is treated as text, as opposed to being
interpreted as code or mark-up within the page.

2. Escape untrusted data prior to being used within the page. Escaping
methods will vary depending on where the untrusted data is being used.
(See references for details.)

3. Use `document.createElement`, `element.setAttribute`,
`element.appendChild`, etc. to build dynamic interfaces as opposed
to HTML rendering methods such as `document.write`,
`document.writeln`, `element.innerHTML`, or `element.outerHTML`, etc.


================================================
FILE: schema.json
================================================
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "title": "Vulnerability schema",
  "description": "This schema describes the JSON format of a vulnerability entry",
  "definitions": {
    "multiString": {
      "oneof": [
        {
          "type": "string",
          "maxLength": 90,
          "minLength": 30
        },
        {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "string",
            "maxLength": 90
          }
        }
      ]
    }
  },
  "properties": {
    "id": {
      "type": "integer",
      "title": "Vulnerability unique id",
      "minimum": 1
    },
    "title": {
      "type": "string",
      "title": "Vulnerability title",
      "minLength": 4,
      "maxLength": 255
    },
    "description": {
      "title": "A very long description for vulnerability",
      "$ref": "#/definitions/multiString"
    },
    "severity": {
      "type": "string",
      "title": "Vulnerability severity",
      "enum": [
        "high",
        "medium",
        "low",
        "informational"
      ]
    },
    "wasc": {
      "type": "array",
      "title": "WASC identifiers",
      "description": "http://projects.webappsec.org/w/page/13246974/Threat%20Classification%20Reference%20Grid",
      "uniqueItems": true,
      "minItems": 1,
      "items": {
        "type": "string",
        "minLength": 1
      }
    },
    "tags": {
      "type": "array",
      "uniqueItems": true,
      "minItems": 1,
      "items": {
        "type": "string",
        "minLength": 2,
        "maxLength": 255
      }
    },
    "cwe": {
      "type": "array",
      "title": "CWE identifiers",
      "description": "https://cwe.mitre.org/data/index.html",
      "uniqueItems": true,
      "items": {
        "type": "string",
        "minLength": 1
      }
    },
    "owasp_top_10": {
      "type": "object",
      "description": "position in the OWASP Top Ten, split by year",
      "patternProperties": {
        "^[12][0-9]{3}$": {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "integer",
            "minimum": 1
          }
        }
      },
      "additionalProperties": false
    },
    "fix": {
      "type": "object",
      "properties": {
        "guidance": {
          "$ref": "#/definitions/multiString",
          "title": "A very long text explaining how to fix the vulnerability"
        },
        "effort": {
          "type": "integer",
          "minimum": 0
        }
      },
      "additionalProperties": false,
      "required": [
        "guidance",
        "effort"
      ]
    },
    "references": {
      "type": "array",
      "minItems": 1,      
      "items": {
        "type": "object",
        "properties": {
          "url": {
            "type": "string",
            "format": "uri"
          },
          "title": {
            "type": "string",
            "minLength": 4,
            "maxLength": 255
          }
        },
        "additionalProperties": false,
        "required": [
          "url",
          "title"
        ]
      }
    }
  },
  "additionalProperties": false,
  "required": [
    "id",
    "title",
    "description",
    "severity",
    "fix"
  ]
}

================================================
FILE: tests/__init__.py
================================================



================================================
FILE: tests/requirements.txt
================================================
vulndb>=0.0.8
requests
jsonschema
pyopenssl
ndg-httpsclient
pyasn1
markdown
nose


================================================
FILE: tests/test_all_json.py
================================================
import unittest
import json
import os


class TestAllFilesAreJSON(unittest.TestCase):
    """
    Basic test to make sure that all the files inside the db directory end
    with the json extension and have valid json content
    """
    maxDiff = None

    def test_all_files_JSON(self):
        not_json = []

        for language in os.listdir('db'):
            for _file in os.listdir('db/%s' % language):
                if os.path.isfile(_file) and not _file.endswith('.json'):
                    not_json.append(_file)

        self.assertEqual([], not_json)

    def test_all_files_JSON_content(self):
        not_json = []

        for language in os.listdir('db'):
            for _file in os.listdir('db/%s' % language):
                if not os.path.isfile(_file):
                    continue

                try:
                    json.loads(file(os.path.join('db', language, _file)).read())
                except:
                    not_json.append(_file)

        self.assertEqual([], not_json)


================================================
FILE: tests/test_json_spec.py
================================================
import requests
import os

from tests.vulndb_test import VulnDBTest
from nose.plugins.attrib import attr
from vulndb import DBVuln
from vulndb.constants.owasp import OWASP_TOP10_2010_URL_FMT, OWASP_TOP10_2013_URL_FMT

SEVERITIES = {'high', 'medium', 'low', 'informational'}


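class TestAllFilesHaveValidSpec(VulnDBTest):
    """
    Cross-checks on the vulnerability JSON files that go beyond what
    ``schema.json`` expresses: allowed severities, minimum text lengths,
    id / file-name agreement, double spaces in the markdown and, in the
    ``slow`` group, reachability of every referenced URL.
    """

    # Seconds to wait on a single reference URL before it is treated as
    # unreachable; without a timeout a stalled host hangs the whole run.
    URL_TIMEOUT = 30

    def test_severity(self):
        """``severity`` must be one of the values in ``SEVERITIES``."""
        invalid = []

        for language, _file, db_data in self.get_all_json():
            if db_data['severity'] not in SEVERITIES:
                invalid.append((_file, db_data['severity']))

        self.assertEqual(invalid, [])

    def test_lengths(self):
        """Description and fix guidance must be longer than 30 characters."""
        invalid = []

        for language, _file, db_data in self.get_all_json():
            # NOTE(review): schema.json declares minLength 30 for these
            # texts while this check also rejects exactly 30 characters;
            # confirm which bound is intended.
            description = self.get_description(language, db_data['description']['$ref'])
            if len(description) <= 30:
                invalid.append(_file)

            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])
            if len(guidance) <= 30:
                invalid.append(_file)

        self.assertEqual(invalid, [])

    def test_id_match(self):
        """The JSON ``id`` must be the numeric prefix of the file name (``<id>-...``)."""
        invalid = []

        for language, db_path_file, db_data in self.get_all_json():
            json_id = db_data['id']
            db_file = os.path.split(db_path_file)[1]

            if not db_file.startswith('%s-' % json_id):
                invalid.append(db_file)

        self.assertEqual(invalid, [])

    def test_no_multiple_spaces(self):
        """Neither markdown text may contain two consecutive spaces."""
        invalid = []

        for language, db_path_file, db_data in self.get_all_json():
            description = self.get_description(language, db_data['description']['$ref'])
            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])

            if '  ' in guidance:
                invalid.append((db_path_file, 'fix_guidance'))

            if '  ' in description:
                invalid.append((db_path_file, 'description'))

        self.assertEqual(invalid, [])

    @attr('slow')
    def test_url_is_not_404(self):
        """
        Every CWE, reference and OWASP Top 10 URL must still resolve.

        This performs live HTTP requests against third-party hosts, hence
        the ``slow`` attribute; each URL is fetched once even when several
        vulnerabilities share it.
        """
        all_urls = set()
        invalid = []

        for language, db_path_file, db_data in self.get_all_json():
            for cwe_id in db_data.get('cwe', []):
                all_urls.add(DBVuln.get_cwe_url(cwe_id))

            for reference in db_data.get('references', []):
                all_urls.add(reference['url'])

            # .items() rather than .iteritems() so this also runs on Python 3
            for version, risk_id_list in db_data.get('owasp_top_10', {}).items():
                for risk_id in risk_id_list:
                    all_urls.add(self.get_owasp_url(version, risk_id))

        session = requests.Session()
        try:
            for url in all_urls:
                if self.url_is_404(session, url):
                    invalid.append(url)
        finally:
            # Release pooled connections even when an assertion fires
            session.close()

        self.assertEqual(invalid, [])

    def get_owasp_url(self, owasp_version, risk_id):
        """
        Build the OWASP Top 10 URL for ``risk_id`` in the given edition.

        :param owasp_version: edition year, as an int or a numeric string
        :param risk_id: position of the risk in that edition's top ten
        :return: the URL produced by the matching vulndb format string
        :raises NotImplementedError: for editions other than 2010 and 2013
        """
        owasp_version = int(owasp_version)

        # Just return one of them, 2013 release has priority over 2010
        if owasp_version == 2013:
            return OWASP_TOP10_2013_URL_FMT % risk_id

        if owasp_version == 2010:
            return OWASP_TOP10_2010_URL_FMT % risk_id

        raise NotImplementedError('Unsupported OWASP Top 10 edition: %s' % owasp_version)

    def url_is_404(self, session, url):
        """
        Return True when ``url`` answers 404 or cannot be fetched at all.

        Transport failures (DNS, connection, timeout, malformed URL) are
        deliberately reported as "not found" so a dead reference shows up
        in the test output instead of being skipped. The previous bare
        ``except:`` also hid programming errors; only request failures are
        swallowed now, and each request is bounded by ``URL_TIMEOUT``.
        """
        try:
            response = session.get(url, timeout=self.URL_TIMEOUT)
        except requests.RequestException:
            return True

        return response.status_code == 404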


================================================
FILE: tests/test_markdown_refs.py
================================================
import os

from tests.vulndb_test import VulnDBTest


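class TestReferences(VulnDBTest):
    """
    Ensure that every fix and description field has a corresponding
    markdown file, and that every markdown file is referenced by at
    least one vulnerability.
    """
    def _markdown_ids_in(self, directory):
        """
        Return the ids of the files directly inside ``directory``.

        The id is the file name with ``.md`` removed and cut at the first
        ``-``; sub-directories are ignored. Files without the ``.md`` suffix
        are still listed so that stray files show up as "not referenced".
        """
        ids = set()

        for f in os.listdir(directory):
            if not os.path.isfile(os.path.join(directory, f)):
                continue

            ids.add(f.replace('.md', '').split('-')[0])

        return ids

    def get_references_for_language(self, language):
        """
        Collect the markdown ids present on disk and the ones referenced by
        the JSON files of ``language``.

        :param language: language directory name under ``db/``
        :return: ``(desc_ids, fix_ids, referenced_desc_ids, referenced_fix_ids)``,
                 each a set of id strings
        """
        referenced_desc_ids = set()
        referenced_fix_ids = set()

        for language_iter, db_path_file, db_data in self.get_all_json():
            if language_iter != language:
                continue

            # "$ref" values look like "#/files/description/<id>"; only the
            # last path component is compared against the files on disk
            referenced_desc_ids.add(db_data['description']['$ref'].split('/')[-1])
            referenced_fix_ids.add(db_data['fix']['guidance']['$ref'].split('/')[-1])

        desc_ids = self._markdown_ids_in(os.path.join('db', language, 'description'))
        fix_ids = self._markdown_ids_in(os.path.join('db', language, 'fix'))

        return desc_ids, fix_ids, referenced_desc_ids, referenced_fix_ids

    def _assert_ids_match(self, kind, on_disk, referenced):
        """
        Fail when a referenced ``kind`` file is missing from disk, or a file
        on disk is referenced by no vulnerability.
        """
        for ref_id in referenced:
            self.assertIn(
                ref_id, on_disk,
                '{} is missing: {}'.format(kind, ref_id)
            )

        for disk_id in on_disk:
            self.assertIn(
                disk_id, referenced,
                '{} is not referenced: {}'.format(kind, disk_id)
            )

    def test_description_refs(self):
        """Description markdown files and ``description.$ref`` values agree."""
        for language in self.get_all_languages():
            desc_ids, _, referenced_desc_ids, _ = self.get_references_for_language(language)
            self._assert_ids_match('description', desc_ids, referenced_desc_ids)

    def test_fix_refs(self):
        """Fix markdown files and ``fix.guidance.$ref`` values agree."""
        for language in self.get_all_languages():
            _, fix_ids, _, referenced_fix_ids = self.get_references_for_language(language)
            self._assert_ids_match('fix', fix_ids, referenced_fix_ids)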

================================================
FILE: tests/test_references.py
================================================
from tests.vulndb_test import VulnDBTest


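class TestReferences(VulnDBTest):
    """
    We don't want redundant references.  Test for the presence of a
    reference URL that points at cwe.mitre.org.  If such a reference is
    detected, simply remove the reference and add the CWE-ID to the
    "cwe" section of the vulnerability instead.
    """
    def test_no_redundant_cve_mitre_org_urls(self):
        """Fail when any vulnerability lists a cwe.mitre.org URL under ``references``."""
        invalid = []

        for language, db_path_file, db_data in self.get_all_json():
            reference_urls = set()

            for reference in db_data.get('references', []):
                reference_urls.add(reference['url'])

            for url in reference_urls:
                # ``url`` is a plain string here; the previous version
                # appended ``reference.url`` and raised AttributeError the
                # first time a match was actually found.
                if 'cwe.mitre.org' in url:
                    invalid.append((db_path_file, url))

        self.assertEqual(invalid, [])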


================================================
FILE: tests/test_schema_compatability.py
================================================
import json
import jsonschema

from tests.vulndb_test import VulnDBTest

SCHEMA_FILENAME = "schema.json"


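class TestAllFilesSchemaCompatability(VulnDBTest):
    """
    Validate every vulnerability JSON file against ``schema.json``.

    The schema is checked for well-formedness first so that a broken
    schema is reported once, rather than as one failure per db file.
    """
    def test_all_files_JSON_content(self):
        """Load the schema, self-check it, then validate each db file."""
        try:
            # Context manager instead of the Python 2 only ``file()``
            # builtin, so the handle is closed and this runs on both
            # interpreters.
            with open(SCHEMA_FILENAME) as schema_file:
                schema = json.loads(schema_file.read())
        except (ValueError, IOError) as e:
            self.fail(e)

        try:
            # NOTE(review): check_schema does not catch misspelled keywords
            # (draft-04 ignores unknown keys such as "oneof"), so a typo in
            # schema.json silently leaves that field unconstrained.
            jsonschema.Draft4Validator.check_schema(schema)
        except jsonschema.SchemaError as e:
            self.fail(e)

        incompatible = []
        for language, _file, db_data in self.get_all_json():
            try:
                jsonschema.validate(db_data, schema)
            except jsonschema.ValidationError as e:
                incompatible.append((_file, e,))

        self.assertEqual(incompatible, [])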


================================================
FILE: tests/test_valid_markdown.py
================================================
from markdown import markdown
from tests.vulndb_test import VulnDBTest


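class TestValidMarkdown(VulnDBTest):
    """
    Every referenced description and fix markdown file must be renderable
    by the ``markdown`` package.
    """
    def _renders(self, text):
        """Return True when ``markdown`` converts ``text`` without raising."""
        try:
            markdown(text)
        except Exception:
            # Any rendering error marks the file as invalid; the bare
            # ``except:`` this replaces also swallowed KeyboardInterrupt.
            return False

        return True

    def test_valid_markdown(self):
        """Collect the JSON files whose description or guidance fails to render."""
        invalid = []

        for language, _file, db_data in self.get_all_json():
            description = self.get_description(language, db_data['description']['$ref'])
            if not self._renders(description):
                invalid.append(_file)

            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])
            if not self._renders(guidance):
                invalid.append(_file)

        self.assertEqual(invalid, [])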



================================================
FILE: tests/vulndb_test.py
================================================
import os
import json
import unittest


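class VulnDBTest(unittest.TestCase):
    """
    Shared helpers for the vulndb test-suite.

    All paths are relative to the current working directory, which is
    expected to be the repository root (the directory containing ``db/``).
    """
    maxDiff = None

    def get_all_json(self):
        """
        Yield ``(language, file_name, data)`` for every ``*.json`` file
        directly inside ``db/<language>/``.

        ``file_name`` is the path relative to the repository root and
        ``data`` the parsed JSON content.
        """
        for language in os.listdir('db'):
            language_dir = os.path.join('db', language)

            for _file in os.listdir(language_dir):
                if not _file.endswith('.json'):
                    continue

                file_name = os.path.join(language_dir, _file)

                # Context manager instead of the Python 2 only ``file()``
                # builtin, so handles are closed and the helper runs on
                # both interpreters.
                with open(file_name) as fp:
                    data = json.loads(fp.read())

                yield language, file_name, data

    def get_all_languages(self):
        """Return the language directory names found under ``db/``."""
        return os.listdir('db')

    def get_file_from_ref(self, language, file_type, file_ref):
        """
        Read the markdown file a JSON ``$ref`` points to.

        :param language: language directory name under ``db/``
        :param file_type: ``'description'`` or ``'fix'``
        :param file_ref: the ``$ref`` string; only its last ``/``-separated
                         component is used as the file id
        :return: the file content as read by ``open()``
        :raises IOError: when the referenced markdown file does not exist
        """
        file_id = file_ref.split('/')[-1]
        file_path = os.path.join('db', language, file_type, '%s.md' % file_id)

        with open(file_path) as ifile:
            return ifile.read()

    def get_description(self, language, desc_ref):
        """Read the description markdown referenced by ``desc_ref``."""
        return self.get_file_from_ref(language, 'description', desc_ref)

    def get_fix(self, language, fix_ref):
        """Read the fix guidance markdown referenced by ``fix_ref``."""
        return self.get_file_from_ref(language, 'fix', fix_ref)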
    "preview": "{\n  \"id\": 34, \n  \"title\": \"Blind NoSQL Injection (differential analysis)\", \n  \"severity\": \"high\", \n  \"description\": {\n  "
  },
  {
    "path": "db/en/35-access-restriction-bypass-via-origin-spoof.json",
    "chars": 341,
    "preview": "{\n  \"id\": 35, \n  \"title\": \"Access restriction bypass via origin spoof\", \n  \"severity\": \"high\", \n  \"description\": {\n    \""
  },
  {
    "path": "db/en/36-operating-system-command-injection.json",
    "chars": 650,
    "preview": "{\n  \"id\": 36, \n  \"title\": \"Operating system command injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \""
  },
  {
    "path": "db/en/38-password-field-with-auto-complete.json",
    "chars": 319,
    "preview": "{\n  \"id\": 38, \n  \"title\": \"Password field with auto-complete\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/"
  },
  {
    "path": "db/en/39-path-traversal.json",
    "chars": 598,
    "preview": "{\n  \"id\": 39, \n  \"title\": \"Path Traversal\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/"
  },
  {
    "path": "db/en/4-backup-file.json",
    "chars": 540,
    "preview": "{\n  \"id\": 4, \n  \"title\": \"Backup file\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/4\""
  },
  {
    "path": "db/en/40-private-ip-address-disclosure.json",
    "chars": 463,
    "preview": "{\n  \"id\": 40, \n  \"title\": \"Private IP address disclosure\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/file"
  },
  {
    "path": "db/en/41-response-splitting.json",
    "chars": 651,
    "preview": "{\n  \"id\": 41, \n  \"title\": \"Response Splitting\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/descri"
  },
  {
    "path": "db/en/42-remote-file-inclusion.json",
    "chars": 635,
    "preview": "{\n  \"id\": 42, \n  \"title\": \"Remote File Inclusion\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/descr"
  },
  {
    "path": "db/en/43-session-fixation.json",
    "chars": 677,
    "preview": "{\n  \"id\": 43, \n  \"title\": \"Session fixation\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/descriptio"
  },
  {
    "path": "db/en/44-source-code-disclosure.json",
    "chars": 427,
    "preview": "{\n  \"id\": 44, \n  \"title\": \"Source code disclosure\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/desc"
  },
  {
    "path": "db/en/45-sql-injection.json",
    "chars": 1051,
    "preview": "{\n  \"id\": 45, \n  \"title\": \"SQL Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/4"
  },
  {
    "path": "db/en/46-blind-sql-injection.json",
    "chars": 851,
    "preview": "{\n  \"id\": 46, \n  \"title\": \"Blind SQL Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/descrip"
  },
  {
    "path": "db/en/47-blind-sql-injection-timing-attack.json",
    "chars": 787,
    "preview": "{\n  \"id\": 47, \n  \"title\": \"Blind SQL Injection (timing attack)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": "
  },
  {
    "path": "db/en/48-disclosed-us-social-security-number-ssn.json",
    "chars": 387,
    "preview": "{\n  \"id\": 48, \n  \"title\": \"Disclosed US Social Security Number (SSN)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$"
  },
  {
    "path": "db/en/49-unencrypted-password-form.json",
    "chars": 511,
    "preview": "{\n  \"id\": 49, \n  \"title\": \"Unencrypted password form\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files"
  },
  {
    "path": "db/en/5-captcha-protected-form.json",
    "chars": 235,
    "preview": "{\n  \"id\": 5, \n  \"title\": \"CAPTCHA protected form\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/fi"
  },
  {
    "path": "db/en/50-unvalidated-redirect.json",
    "chars": 596,
    "preview": "{\n  \"id\": 50, \n  \"title\": \"Unvalidated redirect\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/desc"
  },
  {
    "path": "db/en/51-unvalidated-dom-redirect.json",
    "chars": 580,
    "preview": "{\n  \"id\": 51, \n  \"title\": \"Unvalidated DOM redirect\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/"
  },
  {
    "path": "db/en/52-webdav.json",
    "chars": 521,
    "preview": "{\n  \"id\": 52, \n  \"title\": \"WebDAV\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description"
  },
  {
    "path": "db/en/53-missing-x-frame-options-header.json",
    "chars": 612,
    "preview": "{\n  \"id\": 53, \n  \"title\": \"Missing 'X-Frame-Options' header\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/f"
  },
  {
    "path": "db/en/54-xpath-injection.json",
    "chars": 645,
    "preview": "{\n  \"id\": 54, \n  \"title\": \"XPath Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description"
  },
  {
    "path": "db/en/55-cross-site-scripting-xss.json",
    "chars": 773,
    "preview": "{\n  \"id\": 55, \n  \"title\": \"Reflected Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\":"
  },
  {
    "path": "db/en/56-dom-based-cross-site-scripting-xss.json",
    "chars": 788,
    "preview": "{\n  \"id\": 56, \n  \"title\": \"DOM-based Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\":"
  },
  {
    "path": "db/en/6-code-injection.json",
    "chars": 865,
    "preview": "{\n  \"id\": 6, \n  \"title\": \"Code injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/6"
  },
  {
    "path": "db/en/63-http-trace.json",
    "chars": 586,
    "preview": "{\n  \"id\": 63, \n  \"title\": \"HTTP TRACE\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/63"
  },
  {
    "path": "db/en/64-xml-external-entity.json",
    "chars": 455,
    "preview": "{\n  \"id\": 64, \n  \"title\": \"XML External Entity\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/descrip"
  },
  {
    "path": "db/en/65-arbitrary-file-upload.json",
    "chars": 503,
    "preview": "{\n  \"id\": 65, \n  \"title\": \"Unrestricted file upload\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/de"
  },
  {
    "path": "db/en/66-insecure-ssl-version.json",
    "chars": 503,
    "preview": "{\n  \"id\": 66, \n  \"title\": \"Insecure SSL version enabled\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/fi"
  },
  {
    "path": "db/en/67-self-signed-ssl-certificate.json",
    "chars": 508,
    "preview": "{\n  \"id\": 67, \n  \"title\": \"Self-signed TLS/SSL certificate\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#"
  },
  {
    "path": "db/en/68-shellshock.json",
    "chars": 564,
    "preview": "{\n  \"id\": 68, \n  \"title\": \"ShellShock\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/68\"\n"
  },
  {
    "path": "db/en/69-insecure-frontpage-configuration.json",
    "chars": 530,
    "preview": "{\n  \"id\": 69, \n  \"title\": \"Insecure Frontpage extensions configuration\", \n  \"severity\": \"high\", \n  \"description\": {\n    "
  },
  {
    "path": "db/en/70-persistent-xss.json",
    "chars": 775,
    "preview": "{\n  \"id\": 70, \n  \"title\": \"Persistent Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\""
  },
  {
    "path": "db/en/71-reflected-file-download.json",
    "chars": 592,
    "preview": "{\n  \"id\": 71, \n  \"title\": \"Reflected File Download\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/d"
  },
  {
    "path": "db/en/72-cache-control-headers.json",
    "chars": 591,
    "preview": "{\n  \"id\": 72, \n  \"title\": \"Insecure or no Cache-Control header\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \""
  },
  {
    "path": "db/en/73-information-leak-stack-trace.json",
    "chars": 543,
    "preview": "{\n  \"id\": 73, \n  \"title\": \"Application error message\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/de"
  },
  {
    "path": "db/en/74-phishing-vector.json",
    "chars": 420,
    "preview": "{\n  \"id\": 74, \n  \"title\": \"Phishing vector\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/"
  },
  {
    "path": "db/en/75-guessable-credentials.json",
    "chars": 583,
    "preview": "{\n  \"id\": 75, \n  \"title\": \"Guessable credentials\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/descri"
  },
  {
    "path": "db/en/76-x-content-type-options_header_missing.json",
    "chars": 558,
    "preview": "{\n  \"id\": 76, \n  \"title\": \"X-Content-Type-Options header missing\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\":"
  },
  {
    "path": "db/en/77-http-basic-authentication-credentials.json",
    "chars": 616,
    "preview": "{\n  \"id\": 77, \n  \"title\": \"HTTP Basic Authentication credentials\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\":"
  },
  {
    "path": "db/en/8-code-injection.json",
    "chars": 995,
    "preview": "{\n  \"id\": 8, \n  \"title\": \"Code injection (timing attack)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/fil"
  },
  {
    "path": "db/en/9-common-directory.json",
    "chars": 537,
    "preview": "{\n  \"id\": 9, \n  \"title\": \"Common directory\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/descripti"
  },
  {
    "path": "db/en/description/1.md",
    "chars": 604,
    "preview": "There are a number of HTTP methods that can be used on a webserver\n(`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` et"
  },
  {
    "path": "db/en/description/10.md",
    "chars": 801,
    "preview": "Web applications are often made up of multiple files and directories.\nIt is possible that over time some files may becom"
  },
  {
    "path": "db/en/description/11.md",
    "chars": 993,
    "preview": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by whic"
  },
  {
    "path": "db/en/description/12.md",
    "chars": 482,
    "preview": "Credit card numbers are used in applications where a user is able to\npurchase goods and/or services.\n\nA credit card numb"
  },
  {
    "path": "db/en/description/13.md",
    "chars": 1394,
    "preview": "In the majority of today's web applications, clients are required to\nsubmit forms which can perform sensitive operations"
  },
  {
    "path": "db/en/description/14.md",
    "chars": 854,
    "preview": "Concurrent Version System (CVS) and Subversion (SVN) provide a method\nfor application developers to control different ve"
  },
  {
    "path": "db/en/description/15.md",
    "chars": 516,
    "preview": "Web servers permitting directory listing are typically used for\nsharing files.\n\nDirectory listing allows the client to v"
  },
  {
    "path": "db/en/description/16.md",
    "chars": 572,
    "preview": "Email addresses are typically found on \"Contact us\" pages, however,\nthey can also be found within scripts or code commen"
  },
  {
    "path": "db/en/description/17.md",
    "chars": 726,
    "preview": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the s"
  },
  {
    "path": "db/en/description/18.md",
    "chars": 621,
    "preview": "The design of many web applications require that users be able to\nupload files that will either be stored or processed b"
  },
  {
    "path": "db/en/description/19.md",
    "chars": 964,
    "preview": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the co"
  },
  {
    "path": "db/en/description/2.md",
    "chars": 1056,
    "preview": "If a server has been previously compromised, there is a high\nprobability that the cyber-criminal has installed a backdoo"
  },
  {
    "path": "db/en/description/20.md",
    "chars": 634,
    "preview": "There are a number of HTTP methods that can be used on a webserver\n(for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`,"
  },
  {
    "path": "db/en/description/21.md",
    "chars": 264,
    "preview": "Most automated tools are not able to analyze the security of client-side\ntechnologies such as Flash and Java applets. Th"
  },
  {
    "path": "db/en/description/22.md",
    "chars": 930,
    "preview": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by whic"
  },
  {
    "path": "db/en/description/23.md",
    "chars": 889,
    "preview": "There are various methods in which a file (or files) may be uploaded\nto a webserver. One method that can be used is the "
  },
  {
    "path": "db/en/description/24.md",
    "chars": 864,
    "preview": "The browser security model normally prevents web content from one\ndomain from accessing data from another domain. This i"
  },
  {
    "path": "db/en/description/25.md",
    "chars": 1093,
    "preview": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by whic"
  },
  {
    "path": "db/en/description/26.md",
    "chars": 740,
    "preview": "Cross-Origin Resource Sharing (CORS) is one of the new HTML5\ntechnologies which is widely implemented to create Web2.0 a"
  },
  {
    "path": "db/en/description/27.md",
    "chars": 835,
    "preview": "The browser security model normally prevents web content from one\ndomain from accessing data from another domain. This i"
  },
  {
    "path": "db/en/description/29.md",
    "chars": 235,
    "preview": "The server responded with a strange HTTP status code. This is a non-issue;\nhowever, exotic HTTP response status codes can "
  },
  {
    "path": "db/en/description/3.md",
    "chars": 783,
    "preview": "A common practice when administering web applications is to create a\ncopy/backup of a particular directory prior to maki"
  },
  {
    "path": "db/en/description/30.md",
    "chars": 827,
    "preview": "Lightweight Directory Access Protocol (LDAP) is used by web\napplications to access and maintain directory information se"
  },
  {
    "path": "db/en/description/31.md",
    "chars": 918,
    "preview": "To restrict access to specific pages on a webserver, developers can\nimplement various methods of authentication, therefo"
  },
  {
    "path": "db/en/description/32.md",
    "chars": 906,
    "preview": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the co"
  },
  {
    "path": "db/en/description/33.md",
    "chars": 507,
    "preview": "A NoSQL injection occurs when a value originating from the client's\nrequest is used within a NoSQL call without prior sa"
  },
  {
    "path": "db/en/description/34.md",
    "chars": 612,
    "preview": "A NoSQL injection occurs when a value originating from the client's\nrequest is used within a NoSQL call without prior sa"
  },
  {
    "path": "db/en/description/35.md",
    "chars": 833,
    "preview": "Origin headers are utilised by proxies and/or load balancers to track\nthe originating IP address of the client.\n\nAs the "
  },
  {
    "path": "db/en/description/36.md",
    "chars": 754,
    "preview": "To perform specific actions from within a web application, it is\noccasionally required to run Operating System commands "
  },
  {
    "path": "db/en/description/38.md",
    "chars": 781,
    "preview": "In typical form-based web applications, it is common practice for\ndevelopers to allow `autocomplete` within the HTML for"
  },
  {
    "path": "db/en/description/39.md",
    "chars": 1286,
    "preview": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the s"
  },
  {
    "path": "db/en/description/4.md",
    "chars": 771,
    "preview": "A common practice when administering web applications is to create a\ncopy/backup of a particular file or directory prior"
  },
  {
    "path": "db/en/description/40.md",
    "chars": 639,
    "preview": "Private, or non-routable, IP addresses are generally used within a\nhome or company network and are typically unknown to "
  },
  {
    "path": "db/en/description/41.md",
    "chars": 682,
    "preview": "HTTP response splitting occurs when untrusted data is inserted into\nthe response headers without any sanitisation.\n\nIf s"
  },
  {
    "path": "db/en/description/42.md",
    "chars": 993,
    "preview": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the s"
  },
  {
    "path": "db/en/description/43.md",
    "chars": 1333,
    "preview": "HTTP by itself is a stateless protocol; therefore, the server is\nunable to determine which requests are performed by whi"
  },
  {
    "path": "db/en/description/44.md",
    "chars": 1396,
    "preview": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up i"
  },
  {
    "path": "db/en/description/45.md",
    "chars": 1130,
    "preview": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data th"
  },
  {
    "path": "db/en/description/46.md",
    "chars": 1214,
    "preview": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data th"
  },
  {
    "path": "db/en/description/47.md",
    "chars": 1258,
    "preview": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data th"
  },
  {
    "path": "db/en/description/48.md",
    "chars": 331,
    "preview": "The US Social Security Number (SSN) is a personally identifiable\nnumber that is issued to its citizens.\n\nA stolen or lea"
  },
  {
    "path": "db/en/description/49.md",
    "chars": 827,
    "preview": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the co"
  },
  {
    "path": "db/en/description/5.md",
    "chars": 706,
    "preview": "To prevent the automated abuse of a page, applications can implement\nwhat is known as a CAPTCHA.\n\nThese are used to ensu"
  },
  {
    "path": "db/en/description/50.md",
    "chars": 749,
    "preview": "Web applications occasionally use parameter values to store the\naddress of the page to which the client will be redirect"
  },
  {
    "path": "db/en/description/51.md",
    "chars": 724,
    "preview": "Web applications occasionally use DOM input values to store the\naddress of the page to which the client will be redirect"
  },
  {
    "path": "db/en/description/52.md",
    "chars": 826,
    "preview": "Web Distributed Authoring and Versioning (WebDAV) is a facility that\nenables basic file management (reading and writing)"
  },
  {
    "path": "db/en/description/53.md",
    "chars": 746,
    "preview": "Clickjacking (User Interface redress attack, UI redress attack, UI\nredressing) is a malicious technique of tricking a We"
  },
  {
    "path": "db/en/description/54.md",
    "chars": 920,
    "preview": "XML Path Language (XPath) queries are used by web applications for\nselecting nodes from XML documents. Once selected, th"
  },
  {
    "path": "db/en/description/55.md",
    "chars": 536,
    "preview": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the for"
  },
  {
    "path": "db/en/description/56.md",
    "chars": 682,
    "preview": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the for"
  },
  {
    "path": "db/en/description/6.md",
    "chars": 937,
    "preview": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up i"
  },
  {
    "path": "db/en/description/63.md",
    "chars": 718,
    "preview": "The `TRACE` HTTP method allows a client to send a request to the\nserver, and have the same request then sent back in the"
  },
  {
    "path": "db/en/description/64.md",
    "chars": 409,
    "preview": "An XML External Entity attack is a type of attack against an\napplication that parses XML input.\n\nThis attack occurs when"
  },
  {
    "path": "db/en/description/65.md",
    "chars": 614,
    "preview": "Many web applications allow users to upload files that will either be\nstored or processed by the receiving web server.\n\n"
  },
  {
    "path": "db/en/description/66.md",
    "chars": 569,
    "preview": "The server accepts SSL connections which use the insecure SSLv2\nprotocol. SSLv2 is an old implementation of the Secure S"
  },
  {
    "path": "db/en/description/67.md",
    "chars": 254,
    "preview": "The server's TLS/SSL certificate is self-signed. Self-signed\ncertificates are not trusted by browsers and other HTTP cli"
  },
  {
    "path": "db/en/description/68.md",
    "chars": 509,
    "preview": "GNU Bash through 4.3 processes trailing strings after function\ndefinitions in the values of environment variables, which"
  },
  {
    "path": "db/en/description/69.md",
    "chars": 247,
    "preview": "Incorrect permissions and/or missing authentication were discovered on\nFrontPage extensions used for publishing content."
  },
  {
    "path": "db/en/description/70.md",
    "chars": 882,
    "preview": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the for"
  },
  {
    "path": "db/en/description/71.md",
    "chars": 839,
    "preview": "The reflected file download vulnerability is an application weakness\nwhich allows a cyber-criminal to perform advanced s"
  },
  {
    "path": "db/en/description/72.md",
    "chars": 132,
    "preview": "The `cache-control` and `pragma` HTTP headers have not been set properly,\nallowing the browser and proxies to cache the HT"
  },
  {
    "path": "db/en/description/73.md",
    "chars": 568,
    "preview": "Information Leakage is an application weakness where an application\nreveals sensitive data, such as technical details of"
  },
  {
    "path": "db/en/description/74.md",
    "chars": 574,
    "preview": "The web user interface (UI) does not properly represent critical\ninformation to the user, allowing the information - or "
  },
  {
    "path": "db/en/description/75.md",
    "chars": 308,
    "preview": "Web Applications often have predictable usernames and weak password policies set.\nThis can easily allow an attacker to g"
  },
  {
    "path": "db/en/description/76.md",
    "chars": 664,
    "preview": "'X-Content-Type-Options' is a type of HTTP header that can be used to prevent MIME\ncontent-sniffing attacks in Internet "
  },
  {
    "path": "db/en/description/77.md",
    "chars": 835,
    "preview": "Basic Access Authentication is an authentication method which uses base64 encoding\nand transmits login credentials in cl"
  },
  {
    "path": "db/en/description/8.md",
    "chars": 737,
    "preview": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up i"
  },
  {
    "path": "db/en/description/9.md",
    "chars": 830,
    "preview": "Web applications are often made up of multiple files and directories.\nIt is possible that over time some directories may"
  },
  {
    "path": "db/en/fix/1.md",
    "chars": 648,
    "preview": "The only proven method to prevent SQL injection attacks while\nstill maintaining full application functionality i"
  },
  {
    "path": "db/en/fix/10.md",
    "chars": 432,
    "preview": "If files are unreferenced then they should be removed from the web\nroot and/or the application directory.\n\nPreventing ac"
  },
  {
    "path": "db/en/fix/11.md",
    "chars": 377,
    "preview": "It is recommended that untrusted data is never used to form the\ncontents of the response header.\n\nWhere any untrusted so"
  },
  {
    "path": "db/en/fix/12.md",
    "chars": 159,
    "preview": "Create a new TLS/SSL certificate, request a trusted certificate\nauthority (CA) to sign it and replace the self-signed ce"
  },
  {
    "path": "db/en/fix/13.md",
    "chars": 914,
    "preview": "It is recommended that untrusted data is never used to form a file\nlocation to be included.\n\nTo validate data, the appli"
  },
  {
    "path": "db/en/fix/14.md",
    "chars": 247,
    "preview": "Other methods of authentication, like cookie based authentication must be\nused as a replacement. This can still be consi"
  },
  {
    "path": "db/en/fix/15.md",
    "chars": 382,
    "preview": "The most important remediation action is to prevent the server from\naccepting client supplied data as session tokens.\n\nA"
  },
  {
    "path": "db/en/fix/16.md",
    "chars": 113,
    "preview": "Analyze the objects using manual analysis techniques such as\na local proxy, decompilation or reverse engineering."
  },
  {
    "path": "db/en/fix/17.md",
    "chars": 65,
    "preview": "Configure your web server to include an `X-Frame-Options` header (set to `DENY` or `SAMEORIGIN`) on every response."
  },
  {
    "path": "db/en/fix/18.md",
    "chars": 730,
    "preview": "The `autocomplete` value can be configured in two different locations.\nThe first and most secure location is to disable "
  },
  {
    "path": "db/en/fix/19.md",
    "chars": 502,
    "preview": "It is recommended that untrusted data is never used to form a command\nto be executed by the OS.\n\nTo validate data, the a"
  },
  {
    "path": "db/en/fix/2.md",
    "chars": 690,
    "preview": "It is recommended that untrusted data is never used to form a LDAP\nquery.\n\nTo validate data, the application should ensu"
  },
  {
    "path": "db/en/fix/20.md",
    "chars": 1085,
    "preview": "To remedy XSS vulnerabilities, it is important to never use untrusted\nor unfiltered data within the code of a HTML page."
  },
  {
    "path": "db/en/fix/21.md",
    "chars": 630,
    "preview": "Do not keep obsolete versions of files under the virtual web server\nroot.\n\nWhen updating the site, delete or move the fi"
  },
  {
    "path": "db/en/fix/22.md",
    "chars": 310,
    "preview": "Identifying the context in which the affected page displays a Private\nIP address is necessary.\n\nIf the page is publicly "
  },
  {
    "path": "db/en/fix/23.md",
    "chars": 610,
    "preview": "Where possible the HTTP `PUT` method should be globally disabled. This\ncan typically be done with a simple configuration"
  },
  {
    "path": "db/en/fix/24.md",
    "chars": 470,
    "preview": "The preferred way to protect against XPath injection is to utilise\nparameterized (also known as prepared) XPath queries."
  },
  {
    "path": "db/en/fix/25.md",
    "chars": 400,
    "preview": "The HTTP `TRACE` method is normally not required within production\nsites and should therefore be disabled.\n\nDepending on"
  },
  {
    "path": "db/en/fix/26.md",
    "chars": 336,
    "preview": "The initial steps to remedy this should be determined on whether the\ncookie is sensitive in nature. If the cookie does n"
  },
  {
    "path": "db/en/fix/27.md",
    "chars": 202,
    "preview": "1. Explicitly set the `filename` attribute in the Content-disposition\nHTTP response header.\n\n2. Perform strict whitelist"
  },
  {
    "path": "db/en/fix/28.md",
    "chars": 476,
    "preview": "Initially, the SSN within the response should be checked to ensure its\nvalidity, as it is possible that the regular expr"
  },
  {
    "path": "db/en/fix/29.md",
    "chars": 387,
    "preview": "The application should ensure that the supplied value for a redirect\nis permitted. This can be achieved by performing wh"
  },
  {
    "path": "db/en/fix/3.md",
    "chars": 97,
    "preview": "E-mail addresses should be presented in such a way\nthat it is hard to process them automatically."
  },
  {
    "path": "db/en/fix/30.md",
    "chars": 365,
    "preview": "The initial step to remedy this would be to determine whether any\nclient-side scripts (such as JavaScript) need to acces"
  },
  {
    "path": "db/en/fix/31.md",
    "chars": 144,
    "preview": " 1. Change the permissions on directories and files accessible via IIS\n\n2. Setup authentication and authorization for Fr"
  },
  {
    "path": "db/en/fix/32.md",
    "chars": 402,
    "preview": "If manual confirmation reveals that a web backdoor or web shell does\nexist on the server, then it should be removed. It "
  },
  {
    "path": "db/en/fix/33.md",
    "chars": 40,
    "preview": "Upgrade Bash to version 4.3.025 or newer. Note that this initial patch was incomplete; ensure all subsequent Shellshock follow-up patches (or the distribution's fully patched package) are applied as well."
  },
  {
    "path": "db/en/fix/34.md",
    "chars": 61,
    "preview": "Change the web server configuration in order to disable SSLv2, then re-test to verify that no other insecure protocol version remains enabled."
  },
  {
    "path": "db/en/fix/35.md",
    "chars": 240,
    "preview": " * Review the generated HTML source and ensure that none of its sections\ncan be used in a UI misrepresentation attack.\n"
  },
  {
    "path": "db/en/fix/36.md",
    "chars": 224,
    "preview": "Carefully evaluate which sites will be allowed to make cross-domain\ncalls.\n\nConsider network topology and any authentica"
  },
  {
    "path": "db/en/fix/37.md",
    "chars": 428,
    "preview": "Although no remediation may be required based on this finding alone,\nmanual testing should ensure that:\n\n1. The server k"
  },
  {
    "path": "db/en/fix/38.md",
    "chars": 826,
    "preview": "If the pages being protected are not required for the functionality of\nthe web application they should be removed, other"
  },
  {
    "path": "db/en/fix/39.md",
    "chars": 557,
    "preview": "It is recommended that a whitelisting approach be taken to explicitly\npermit the HTTP methods required by the applicatio"
  },
  {
    "path": "db/en/fix/4.md",
    "chars": 437,
    "preview": "All pages and/or resources on the affected site should be secured\nequally, utilising the latest and most secure encrypti"
  },
  {
    "path": "db/en/fix/40.md",
    "chars": 369,
    "preview": "The first step to remediation is to identify the context in which the\ncookie is being set and determine if it is require"
  },
  {
    "path": "db/en/fix/41.md",
    "chars": 840,
    "preview": "Unless the web server is being utilised to share static and\nnon-sensitive files, enabling directory listing is considere"
  },
  {
    "path": "db/en/fix/42.md",
    "chars": 242,
    "preview": " * Ensure that the application source handles exceptions and errors in\na such a way that no sensitive information is dis"
  },
  {
    "path": "db/en/fix/43.md",
    "chars": 321,
    "preview": "Since the whole XML document is communicated from an untrusted client,\nit's not usually possible to selectively validate"
  },
  {
    "path": "db/en/fix/44.md",
    "chars": 622,
    "preview": "Based on the risk (determined by manual verification) of whether the\nform submission performs a sensitive action, the ad"
  },
  {
    "path": "db/en/fix/45.md",
    "chars": 323,
    "preview": "All CORS requests include the `Origin` header which indicates\nthe source domain name. Create a server-side list of trust"
  },
  {
    "path": "db/en/fix/46.md",
    "chars": 228,
    "preview": "Remediation actions may be vastly different depending on the framework\nbeing used, and how the application has been code"
  },
  {
    "path": "db/en/fix/47.md",
    "chars": 322,
    "preview": "It is recommended that untrusted input is never processed as\nserver-side code.\n\nTo validate input, the application shoul"
  },
  {
    "path": "db/en/fix/48.md",
    "chars": 468,
    "preview": "Depending on the framework being used the implementation methods will\nvary, however it is advised that the `Strict-Trans"
  },
  {
    "path": "db/en/fix/49.md",
    "chars": 273,
    "preview": "CVS and/or SVN information should not be displayed to the end user.\nThis can be achieved by removing this information al"
  },
  {
    "path": "db/en/fix/5.md",
    "chars": 923,
    "preview": "The identified form handler should at a minimum:\n\n1. Whitelist permitted file types and block all others. This should be"
  },
  {
    "path": "db/en/fix/50.md",
    "chars": 134,
    "preview": "Ensure that the `Cache-control` HTTP response header is set to\n`no-cache, no-store` and the `Pragma` header must be set "
  },
  {
    "path": "db/en/fix/51.md",
    "chars": 495,
    "preview": "The preferred configuration is to prevent the use of unauthorised HTTP\nmethods by utilising the `<LimitExcept>` directiv"
  },
  {
    "path": "db/en/fix/52.md",
    "chars": 301,
    "preview": "Identification of the requirement to run a WebDAV server should be\nconsidered. If it is not required then it should be d"
  },
  {
    "path": "db/en/fix/53.md",
    "chars": 275,
    "preview": "'X-Content-Type-Options: nosniff' header should be implemented which\nallows a web server to force the browser into disab"
  },
  {
    "path": "db/en/fix/54.md",
    "chars": 323,
    "preview": "Do not have any default credentials set on the application. Any known usernames\nor passwords associated with the applica"
  },
  {
    "path": "db/en/fix/55.md",
    "chars": 439,
    "preview": "If directories are unreferenced then they should be removed from the\nweb root and/or the application directory.\n\nPrevent"
  },
  {
    "path": "db/en/fix/56.md",
    "chars": 356,
    "preview": "It is important that input sanitisation be conducted to prevent\napplication files (ASP, JSP, PHP or config files) from b"
  },
  {
    "path": "db/en/fix/57.md",
    "chars": 752,
    "preview": "Initially, the credit card number within the response should be\nchecked to ensure its validity, as it is possible that t"
  },
  {
    "path": "db/en/fix/6.md",
    "chars": 239,
    "preview": "The most effective remediation against NoSQL injection attacks is to\nensure that NoSQL API calls are not constructed via"
  },
  {
    "path": "db/en/fix/7.md",
    "chars": 55,
    "preview": "Manually inspect the HTTP response status code and body"
  },
  {
    "path": "db/en/fix/8.md",
    "chars": 397,
    "preview": "The affected site should be secured utilising the latest and most\nsecure encryption protocols. These include SSL version"
  },
  {
    "path": "db/en/fix/9.md",
    "chars": 833,
    "preview": "Client-side document rewriting, redirection, or other sensitive\naction, using untrusted data, should be avoided wherever"
  },
  {
    "path": "schema.json",
    "chars": 3238,
    "preview": "{\n  \"$schema\": \"http://json-schema.org/draft-04/schema#\",\n  \"type\": \"object\",\n  \"title\": \"Vulnerability schema\",\n  \"desc"
  },
  {
    "path": "tests/__init__.py",
    "chars": 1,
    "preview": "\n"
  },
  {
    "path": "tests/requirements.txt",
    "chars": 81,
    "preview": "vulndb>=0.0.8\nrequests\njsonschema\npyopenssl\nndg-httpsclient\npyasn1\nmarkdown\nnose\n"
  }
]
