[
  {
    "path": ".circleci/config.yml",
    "content": "#\n#   This file is used to configure the continuous integration for vulndb/data\n#\n#   As a user you don't need to understand this file.\n#\nversion: 2\n\njobs:\n  build:\n\n    docker:\n      - image: circleci/python:2.7.14\n\n    steps:\n      - checkout\n\n      - run:\n          command: |\n            pip install --upgrade pip\n            pip install --user --upgrade -r tests/requirements.txt\n            pip --version\n            pip freeze\n\n      - run:\n          command: |\n            /home/circleci/.local/bin/nosetests -s -v tests/\n"
  },
  {
    "path": ".gitignore",
    "content": "*.py[cod]\n*.py~\n*~\n*.swp\n\n# C extensions\n*.so\n\n# Packages\n*.egg\n*.egg-info\ndist\nbuild\neggs\nparts\nbin\nvar\nsdist\ndevelop-eggs\n.installed.cfg\nlib\nlib64\n\n# Installer logs\npip-log.txt\n\n# Unit test / coverage reports\n.coverage\n.tox\nnosetests.xml\n.noseids\nnoseids.pickle\nnose.cfg\n\n# Translations\n*.mo\n\n# Mr Developer\n.mr.developer.cfg\n.project\n.pydevproject\n.settings/\n.idea\n\n# w3af stuff\nparser.out\nparsetab.py\noutput-http.txt\noutput.txt\n\n# This is generated by the setup_moth.py script\ndjango-moth\n\n# Debugging circleci high memory usage\nmemory-usage.txt\n\n# Ignore sphinx builds\ndoc/sphinx/_build/\n\n# 404 test stuff\ndata.shelve\ntop-1m.csv\ntop-1m.csv.zip\n\n# docker build temp files\n/.dockerignore\n/Dockerfile\n\n# To make testing easier\ntest.w3af\noutput-w3af.txt\n\n# Ignore some profiling data\n*.dump\n\n# Ignore intermediate XML file\nw3af/plugins/crawl/phishtank/index.xml\n\n# For debian package build\n.pc/\ndebian/files\ndebian/w3af-console.debhelper.log\ndebian/w3af-console.postinst.debhelper\ndebian/w3af-console.prerm.debhelper\ndebian/w3af-console.substvars\ndebian/w3af-console/\ndebian/w3af.debhelper.log\ndebian/w3af.postinst.debhelper\ndebian/w3af.postrm.debhelper\ndebian/w3af.prerm.debhelper\ndebian/w3af.substvars\ndebian/w3af/\ndocker/kali-debootstrap\n*.deb\n"
  },
  {
    "path": "LICENSE.md",
    "content": "Redistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n    (1) Redistributions of source code must retain the above copyright\n    notice, this list of conditions and the following disclaimer.\n\n    (2) Redistributions in binary form must reproduce the above copyright\n    notice, this list of conditions and the following disclaimer in\n    the documentation and/or other materials provided with the\n    distribution.\n\n    (3) The name of the author may not be used to\n    endorse or promote products derived from this software without\n    specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\nIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,\nINDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\nHOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\nSTRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING\nIN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "README.md",
    "content": "User, contributor and developer-friendly vulnerability database. Our goal is to\nprovide a vulnerability database which is:\n\n * Actionable, easy to read and understand for developers and sysadmins who need\n to fix the vulnerability\n\n * Easy for developers to integrate into any vulnerability scanner, report\n generator, penetration testing or related tool.\n\n * Trivial to contribute to, by using JSON and Markdown to store the vulnerabilities\n\n## SDKs\n\nThis repository holds the vulnerability database itself. To make the\ninformation easily accessible from different programming languages, these SDKs\nare available:\n\n * [python-sdk](https://github.com/vulndb/python-sdk)\n * [vulndb-go](https://github.com/vulndb/vulndb-go)\n * [php-sdk](https://github.com/vulndb/php-sdk)\n\n## Projects using this database\n\n * [w3af](http://www.w3af.org/)\n\n## Contributing\n\nWe would love to receive your [pull-requests](https://help.github.com/articles/using-pull-requests/)!\n\nThe easiest way to contribute is:\n * Browse our repository and find the JSON file you would like to edit\n * Click on the top-right icon in the GitHub UI that will open the online text editor\n * Change the file\n * Save/commit\n\n## Translations\nThe vulnerability database [supports translations](https://github.com/vulndb/data/wiki/Translations)\nand we're happy to add your native language to reach more users.\n\n## Credits\n\n * JSON format specification by [Andres Riancho](https://github.com/andresriancho/),\n   [Tasos Laskos](https://github.com/Zapotek) and [Vyacheslav Bakhmutov](https://github.com/m0sth8)\n\n * Initial data provided by the [Arachni scanner](http://www.arachni-scanner.com/) project\n\n## History\n\nThe project founders each maintain one or more vulnerability scanners, and each of those\ntools had a different vulnerability database with different fields, formats,\ntexts and quality. To reduce our documentation efforts we decided to commoditize\nthe vulnerability database and created this repository.\n\nAt the beginning we tried to use the CWE data, but we found several problems with\nit:\n\n * The target audience for our vulnerability information is too busy to read the\n   [long](https://cwe.mitre.org/data/definitions/89.html) descriptions and hundreds\n   of fields provided by CWE. We want to provide enough information for the users\n   to know what's wrong and point them to more detailed references if\n   that's what they need.\n\n * The XML format storing the CWE data is simply too complex for our needs.\n\n * Mitre never answered our questions about derivative work\n\nWe might still use some paragraphs from the CWE data in our database, but manually\nmigrated and reviewed for clarity.\n\nIt all started with these two GitHub issues ([1](https://github.com/andresriancho/w3af/issues/53),\n[2](https://github.com/vulndb/data/issues/5)) and various emails between Slava,\nAndres and Tasos.\n\nThe initial database information was contributed by the [Arachni scanner](http://www.arachni-scanner.com/)\nproject and imported in [this commit](https://github.com/vulndb/data/commit/e27222af21b0569525718f591eaa2c517d4c1da2).\n\n## Build status\n\n[![Circle CI](https://circleci.com/gh/vulndb/data.svg?style=svg)](https://circleci.com/gh/vulndb/data)\n"
  },
  {
    "path": "db/en/1-allowed-http-methods.json",
    "content": "{\n  \"id\": 1, \n  \"title\": \"Allowed HTTP methods\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/1\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/39\"\n    }\n  }, \n  \"cwe\": [\n    \"749\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"http\", \n    \"methods\", \n    \"options\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept\", \n      \"title\": \"Apache.org\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/10-common-sensitive-file.json",
    "content": "{\n  \"id\": 10, \n  \"title\": \"Common sensitive file\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/10\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/10\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"common\", \n    \"path\", \n    \"file\", \n    \"discovery\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://httpd.apache.org/docs/2.0/mod/mod_access.html\", \n      \"title\": \"Apache.org\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/11-cookie-set-for-parent-domain.json",
    "content": "{\n  \"id\": 11, \n  \"title\": \"Cookie set for parent domain\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/11\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/40\"\n    }\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/12-credit-card-number-disclosure.json",
    "content": "{\n  \"id\": 12, \n  \"title\": \"Credit card number disclosure\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/12\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/57\"\n    }\n  }, \n  \"cwe\": [\n    \"200\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://en.wikipedia.org/wiki/Luhn_algorithm\", \n      \"title\": \"Wikipedia - Luhn algorithm\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/Bank_card_number\", \n      \"title\": \"Wikipedia - Bank card number\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/13-cross-site-request-forgery.json",
    "content": "{\n  \"id\": 13, \n  \"title\": \"Cross-Site Request Forgery\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/13\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/44\"\n    }\n  }, \n  \"cwe\": [\n    \"352\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      8\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"csrf\", \n    \"form\", \n    \"token\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.cgisecurity.com/csrf-faq.html\", \n      \"title\": \"CGI Security - CSRF\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/Cross-site_request_forgery\", \n      \"title\": \"Wikipedia - CSRF\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)\", \n      \"title\": \"OWASP - CSRF\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/14-cvs-svn-user-disclosure.json",
    "content": "{\n  \"id\": 14, \n  \"title\": \"CVS/SVN user disclosure\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/14\"\n  }, \n  \"cwe\": [\n    \"200\", \n    \"527\"\n  ], \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/49\"\n    }\n  }\n}"
  },
  {
    "path": "db/en/15-directory-listing.json",
    "content": "{\n  \"id\": 15, \n  \"title\": \"Directory listing\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/15\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/41\"\n    }\n  }, \n  \"cwe\": [\n    \"548\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"directory\", \n    \"listing\", \n    \"index\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246922/Directory%20Indexing\", \n      \"title\": \"WASC\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/16-e-mail-address-disclosure.json",
    "content": "{\n  \"id\": 16, \n  \"title\": \"E-mail address disclosure\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/16\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/3\"\n    }\n  }\n}"
  },
  {
    "path": "db/en/17-file-inclusion.json",
    "content": "{\n  \"id\": 17, \n  \"title\": \"File Inclusion\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/17\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/13\"\n    }\n  }, \n  \"cwe\": [\n    \"98\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"file\", \n    \"inclusion\", \n    \"error\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/PHP_File_Inclusion\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/18-form-based-file-upload.json",
    "content": "{\n  \"id\": 18, \n  \"title\": \"Form-based File Upload\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/18\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/5\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"file\", \n    \"upload\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Unrestricted_File_Upload\", \n      \"title\": \"owasp.org\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/19-missing-strict-transport-security-header.json",
    "content": "{\n  \"id\": 19, \n  \"title\": \"Missing 'Strict-Transport-Security' header\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/19\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/48\"\n    }\n  }, \n  \"references\": [\n    {\n      \"url\": \"http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\", \n      \"title\": \"Wikipedia - HSTS\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/HTTP_Strict_Transport_Security\", \n      \"title\": \"OWASP - HSTS\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/2-a-backdoor-file-exists-on-the-server.json",
    "content": "{\n  \"id\": 2, \n  \"title\": \"A backdoor file exists on the server\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/2\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/32\"\n    }\n  }, \n  \"cwe\": [\n    \"489\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"backdoor\", \n    \"file\", \n    \"discovery\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf\", \n      \"title\": \"Static Detection of Application Backdoors\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/20-misconfiguration-in-limit-directive-of-htaccess-file.json",
    "content": "{\n  \"id\": 20, \n  \"title\": \"Misconfiguration in LIMIT directive of .htaccess file\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/20\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/51\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"htaccess\", \n    \"server\", \n    \"limit\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://httpd.apache.org/docs/2.2/mod/core.html#limit\", \n      \"title\": \"Apache.org\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/21-html-object.json",
    "content": "{\n  \"id\": 21, \n  \"title\": \"HTML object\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/21\"\n  }, \n  \"fix\": {\n    \"effort\": 120, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/16\"\n    }\n  }\n}"
  },
  {
    "path": "db/en/22-httponly-cookie.json",
    "content": "{\n  \"id\": 22, \n  \"title\": \"HttpOnly cookie\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/22\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/30\"\n    }\n  }, \n  \"cwe\": [\n    \"1004\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      2\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/HttpOnly\", \n      \"title\": \"HttpOnly - OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/23-publicly-writable-directory.json",
    "content": "{\n  \"id\": 23, \n  \"title\": \"Publicly writable directory\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/23\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/23\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"http\", \n    \"methods\", \n    \"put\", \n    \"server\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html\", \n      \"title\": \"RFC-2616 document\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/24-insecure-client-access-policy.json",
    "content": "{\n  \"id\": 24, \n  \"title\": \"Insecure client-access policy\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/24\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/36\"\n    }\n  }, \n  \"cwe\": [\n    \"346\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx\", \n      \"title\": \"MSDN\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/25-insecure-cookie.json",
    "content": "{\n  \"id\": 25, \n  \"title\": \"Insecure cookie\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/25\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/26\"\n    }\n  }, \n  \"cwe\": [\n    \"614\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      2\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/SecureFlag\", \n      \"title\": \"SecureFlag - OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/26-access-control-allow-origin-star.json",
    "content": "{\n  \"id\": 26, \n  \"title\": \"Access-Control-Allow-Origin header set to '*'\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/26\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/45\"\n    }\n  }, \n  \"cwe\": [\n    \"346\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny\", \n      \"title\": \"CORS security\"\n    }, \n    {\n      \"url\": \"http://www.w3.org/TR/cors/\", \n      \"title\": \"CORS W3C Specification\"\n    }, \n    {\n      \"url\": \"https://en.wikipedia.org/wiki/Cross-origin_resource_sharing\", \n      \"title\": \"CORS article at Wikipedia\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/27-insecure-cross-domain-policy-allow-access-from.json",
    "content": "{\n  \"id\": 27, \n  \"title\": \"Insecure cross-domain policy\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/27\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/36\"\n    }\n  }, \n  \"cwe\": [\n    \"346\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://blogs.adobe.com/stateofsecurity/2007/07/crossdomain_policy_files_1.html\", \n      \"title\": \"Adobe\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/29-interesting-response.json",
    "content": "{\n  \"id\": 29, \n  \"title\": \"Interesting response\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/29\"\n  }, \n  \"fix\": {\n    \"effort\": 60, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/7\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"interesting\", \n    \"response\", \n    \"server\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html\", \n      \"title\": \"RFC-2616\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/3-backup-directory.json",
    "content": "{\n  \"id\": 3, \n  \"title\": \"Backup directory\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/3\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/21\"\n    }\n  }, \n  \"cwe\": [\n    \"530\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"backup\", \n    \"file\", \n    \"discovery\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.webappsec.org/projects/threat/classes/information_leakage.shtml\", \n      \"title\": \"WebAppSec\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/30-ldap-injection.json",
    "content": "{\n  \"id\": 30, \n  \"title\": \"LDAP Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/30\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/2\"\n    }\n  }, \n  \"cwe\": [\n    \"90\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"ldap\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246947/LDAP-Injection\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/LDAP_injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/31-exposed-localstart-asp-page.json",
    "content": "{\n  \"id\": 31, \n  \"title\": \"Exposed localstart.asp page\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/31\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/38\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"asp\", \n    \"iis\", \n    \"server\"\n  ]\n}"
  },
  {
    "path": "db/en/32-mixed-resource.json",
    "content": "{\n  \"id\": 32, \n  \"title\": \"Mixed Resource\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/32\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/4\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"unencrypted\", \n    \"resource\", \n    \"javascript\", \n    \"stylesheet\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html\", \n      \"title\": \"Google Online Security Blog\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/33-nosql-injection.json",
    "content": "{\n  \"id\": 33, \n  \"title\": \"NoSQL Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/33\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/6\"\n    }\n  }, \n  \"cwe\": [\n    \"943\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"nosql\", \n    \"injection\", \n    \"database\", \n    \"error\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Testing_for_NoSQL_injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/34-blind-nosql-injection-differential-analysis.json",
    "content": "{\n  \"id\": 34, \n  \"title\": \"Blind NoSQL Injection (differential analysis)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/34\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/6\"\n    }\n  }, \n  \"cwe\": [\n    \"943\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"nosql\", \n    \"blind\", \n    \"injection\", \n    \"database\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Testing_for_NoSQL_injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/35-access-restriction-bypass-via-origin-spoof.json",
    "content": "{\n  \"id\": 35, \n  \"title\": \"Access restriction bypass via origin spoof\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/35\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/46\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"access\", \n    \"restriction\", \n    \"server\", \n    \"bypass\"\n  ]\n}"
  },
  {
    "path": "db/en/36-operating-system-command-injection.json",
    "content": "{\n  \"id\": 36, \n  \"title\": \"Operating system command injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/36\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/19\"\n    }\n  }, \n  \"cwe\": [\n    \"78\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"os\", \n    \"command\", \n    \"code\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246950/OS%20Commanding\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/OS_Command_Injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/38-password-field-with-auto-complete.json",
    "content": "{\n  \"id\": 38, \n  \"title\": \"Password field with auto-complete\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/38\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/18\"\n    }\n  }, \n  \"cwe\": [\n    \"522\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      2\n    ]\n  }\n}"
  },
  {
    "path": "db/en/39-path-traversal.json",
    "content": "{\n  \"id\": 39, \n  \"title\": \"Path Traversal\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/39\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/13\"\n    }\n  }, \n  \"cwe\": [\n    \"22\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      4\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"traversal\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/Path-Traversal\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Path_Traversal\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/4-backup-file.json",
    "content": "{\n  \"id\": 4, \n  \"title\": \"Backup file\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/4\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/21\"\n    }\n  }, \n  \"cwe\": [\n    \"530\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"backup\", \n    \"file\", \n    \"discovery\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.webappsec.org/projects/threat/classes/information_leakage.shtml\", \n      \"title\": \"WebAppSec\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/40-private-ip-address-disclosure.json",
    "content": "{\n  \"id\": 40, \n  \"title\": \"Private IP address disclosure\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/40\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/22\"\n    }\n  }, \n  \"cwe\": [\n    \"200\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      6\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246936/Information%20Leakage\", \n      \"title\": \"WebAppSec\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/41-response-splitting.json",
    "content": "{\n  \"id\": 41, \n  \"title\": \"Response Splitting\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/41\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/11\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"response\", \n    \"splitting\", \n    \"injection\", \n    \"header\"\n  ], \n  \"cwe\": [\n    \"113\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"http://www.securiteam.com/securityreviews/5WP0E2KFGK.html\", \n      \"title\": \"SecuriTeam\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/HTTP_Response_Splitting\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/42-remote-file-inclusion.json",
    "content": "{\n  \"id\": 42, \n  \"title\": \"Remote File Inclusion\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/42\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/13\"\n    }\n  }, \n  \"cwe\": [\n    \"98\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"remote\", \n    \"file\", \n    \"inclusion\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/Remote-File-Inclusion\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/Remote_File_Inclusion\", \n      \"title\": \"Wikipedia\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/43-session-fixation.json",
    "content": "{\n  \"id\": 43, \n  \"title\": \"Session fixation\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/43\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/15\"\n    }\n  }, \n  \"cwe\": [\n    \"384\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      2\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"session\", \n    \"cookie\", \n    \"injection\", \n    \"fixation\", \n    \"hijacking\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246960/Session%20Fixation\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Session_fixation\", \n      \"title\": \"OWASP - Session fixation\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/44-source-code-disclosure.json",
    "content": "{\n  \"id\": 44, \n  \"title\": \"Source code disclosure\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/44\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/56\"\n    }\n  }, \n  \"cwe\": [\n    \"200\", \n    \"548\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      6\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"code\", \n    \"source\", \n    \"file\", \n    \"inclusion\", \n    \"disclosure\"\n  ]\n}"
  },
  {
    "path": "db/en/45-sql-injection.json",
    "content": "{\n  \"id\": 45, \n  \"title\": \"SQL Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/45\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/1\"\n    }\n  }, \n  \"cwe\": [\n    \"89\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"sql\", \n    \"injection\", \n    \"database\", \n    \"error\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.securiteam.com/securityreviews/5DP0N1P76E.html\", \n      \"title\": \"SecuriTeam\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/SQL_injection\", \n      \"title\": \"Wikipedia\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/SQL_Injection\", \n      \"title\": \"OWASP\"\n    }, \n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246963/SQL%20Injection\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://www.w3schools.com/sql/sql_injection.asp\", \n      \"title\": \"W3 Schools\"\n    }, \n    {\n      \"url\": \"http://unixwiz.net/techtips/sql-injection.html\", \n      \"title\": \"UnixWiz\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/46-blind-sql-injection.json",
    "content": "{\n  \"id\": 46, \n  \"title\": \"Blind SQL Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/46\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/1\"\n    }\n  }, \n  \"cwe\": [\n    \"89\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"sql\", \n    \"blind\", \n    \"injection\", \n    \"database\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://capec.mitre.org/data/definitions/7.html\", \n      \"title\": \"MITRE - CAPEC\"\n    }, \n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246963/SQL%20Injection\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://www.w3schools.com/sql/sql_injection.asp\", \n      \"title\": \"W3 Schools\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Blind_SQL_Injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/47-blind-sql-injection-timing-attack.json",
    "content": "{\n  \"id\": 47, \n  \"title\": \"Blind SQL Injection (timing attack)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/47\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/1\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"sql\", \n    \"blind\", \n    \"injection\", \n    \"database\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://capec.mitre.org/data/definitions/7.html\", \n      \"title\": \"MITRE - CAPEC\"\n    }, \n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246963/SQL%20Injection\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://www.w3schools.com/sql/sql_injection.asp\", \n      \"title\": \"W3 Schools\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Blind_SQL_Injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/48-disclosed-us-social-security-number-ssn.json",
    "content": "{\n  \"id\": 48, \n  \"title\": \"Disclosed US Social Security Number (SSN)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/48\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/28\"\n    }\n  }, \n  \"cwe\": [\n    \"213\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.ssa.gov/pubs/10064.html\", \n      \"title\": \"ssa.gov\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/49-unencrypted-password-form.json",
    "content": "{\n  \"id\": 49, \n  \"title\": \"Unencrypted password form\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/49\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/8\"\n    }\n  }, \n  \"cwe\": [\n    \"319\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"unencrypted\", \n    \"password\", \n    \"form\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection\", \n      \"title\": \"OWASP Top 10 2010\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/5-captcha-protected-form.json",
    "content": "{\n  \"id\": 5, \n  \"title\": \"CAPTCHA protected form\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/5\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/37\"\n    }\n  }\n}"
  },
  {
    "path": "db/en/50-unvalidated-redirect.json",
    "content": "{\n  \"id\": 50, \n  \"title\": \"Unvalidated redirect\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/50\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/29\"\n    }\n  }, \n  \"cwe\": [\n    \"601\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      10\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"unvalidated\", \n    \"redirect\", \n    \"injection\", \n    \"header\", \n    \"location\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards\", \n      \"title\": \"OWASP Top 10 2010\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/51-unvalidated-dom-redirect.json",
    "content": "{\n  \"id\": 51, \n  \"title\": \"Unvalidated DOM redirect\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/51\"\n  }, \n  \"cwe\": [\n    \"601\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      10\n    ]\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/29\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"unvalidated\", \n    \"redirect\", \n    \"dom\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards\", \n      \"title\": \"OWASP Top 10 2010\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/52-webdav.json",
    "content": "{\n  \"id\": 52, \n  \"title\": \"WebDAV\", \n  \"severity\": \"informational\", \n  \"description\": {\n    \"$ref\": \"#/files/description/52\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/52\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"webdav\", \n    \"options\", \n    \"methods\", \n    \"server\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://tools.ietf.org/html/rfc4918\",\n      \"title\": \"WebDAV.org\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/WebDAV\", \n      \"title\": \"Wikipedia\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/53-missing-x-frame-options-header.json",
    "content": "{\n  \"id\": 53, \n  \"title\": \"Missing 'X-Frame-Options' header\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/53\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/17\"\n    }\n  }, \n  \"references\": [\n    {\n      \"url\": \"http://tools.ietf.org/html/rfc7034\", \n      \"title\": \"RFC-7034\"\n    }, \n    {\n      \"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options\", \n      \"title\": \"Mozilla developer network\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/Clickjacking\", \n      \"title\": \"OWASP Clickjacking document\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/54-xpath-injection.json",
    "content": "{\n  \"id\": 54, \n  \"title\": \"XPath Injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/54\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/24\"\n    }\n  }, \n  \"cwe\": [\n    \"91\", \n    \"643\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"xpath\", \n    \"database\", \n    \"error\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13247005/XPath%20Injection\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/XPATH_Injection\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/55-cross-site-scripting-xss.json",
    "content": "{\n  \"id\": 55, \n  \"title\": \"Reflected Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/55\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/20\"\n    }\n  }, \n  \"cwe\": [\n    \"79\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      3\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"xss\", \n    \"injection\", \n    \"script\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://secunia.com/advisories/9716/\", \n      \"title\": \"Secunia\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/56-dom-based-cross-site-scripting-xss.json",
    "content": "{\n  \"id\": 56, \n  \"title\": \"DOM-based Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/56\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/9\"\n    }\n  }, \n  \"cwe\": [\n    \"79\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      3\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"xss\", \n    \"dom\", \n    \"injection\", \n    \"script\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet\", \n      \"title\": \"OWASP - Prevention\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/DOM_Based_XSS\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/6-code-injection.json",
    "content": "{\n  \"id\": 6, \n  \"title\": \"Code injection\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/6\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/47\"\n    }\n  }, \n  \"cwe\": [\n    \"94\", \n    \"95\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"code\", \n    \"injection\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://docs.python.org/py3k/library/functions.html#eval\", \n      \"title\": \"Python eval documentation\"\n    }, \n    {\n      \"url\": \"http://www.aspdev.org/asp/asp-eval-execute/\", \n      \"title\": \"ASP eval documentation\"\n    }, \n    {\n      \"url\": \"http://php.net/manual/en/function.eval.php\", \n      \"title\": \"PHP eval documentation\"\n    }, \n    {\n      \"url\": \"http://perldoc.perl.org/functions/eval.html\", \n      \"title\": \"Perl eval documentation\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/63-http-trace.json",
    "content": "{\n  \"id\": 63, \n  \"title\": \"HTTP TRACE\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/63\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/25\"\n    }\n  }, \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"xst\", \n    \"methods\", \n    \"trace\", \n    \"server\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://capec.mitre.org/data/definitions/107.html\", \n      \"title\": \"CAPEC\"\n    }, \n    {\n      \"url\": \"http://www.owasp.org/index.php/Cross_Site_Tracing\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/64-xml-external-entity.json",
    "content": "{\n  \"id\": 64, \n  \"title\": \"XML External Entity\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/64\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/43\"\n    }\n  }, \n  \"cwe\": [\n    \"611\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/65-arbitrary-file-upload.json",
    "content": "{\n  \"id\": 65, \n  \"title\": \"Unrestricted file upload\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/65\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/5\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"file\", \n    \"upload\"\n  ], \n  \"cwe\": [\n    \"434\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      4\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Unrestricted_File_Upload\", \n      \"title\": \"owasp.org\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/66-insecure-ssl-version.json",
    "content": "{\n  \"id\": 66, \n  \"title\": \"Insecure SSL version enabled\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/66\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/34\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"ssl\"\n  ], \n  \"cwe\": [\n    \"326\"\n  ], \n  \"owasp_top_10\": {\n    \"2010\": [\n      9\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://support.microsoft.com/en-us/kb/187498\", \n      \"title\": \"How to Disable SSL 2.0 in IIS\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/67-self-signed-ssl-certificate.json",
    "content": "{\n  \"id\": 67, \n  \"title\": \"Self-signed TLS/SSL certificate\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/67\"\n  }, \n  \"fix\": {\n    \"effort\": 60, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/12\"\n    }\n  }, \n  \"cwe\": [\n    \"296\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"unencrypted\", \n    \"tls\", \n    \"ssl\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://en.wikipedia.org/wiki/Self-signed_certificate\", \n      \"title\": \"Wikipedia article on self-signed certificates\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/68-shellshock.json",
    "content": "{\n  \"id\": 68, \n  \"title\": \"ShellShock\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/68\"\n  }, \n  \"fix\": {\n    \"effort\": 60, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/33\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"bash\", \n    \"shellshock\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271\", \n      \"title\": \"CVE-2014-6271\"\n    }, \n    {\n      \"url\": \"https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29\", \n      \"title\": \"Wikipedia article for Shellshock\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/69-insecure-frontpage-configuration.json",
    "content": "{\n  \"id\": 69, \n  \"title\": \"Insecure Frontpage extensions configuration\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/69\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/31\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"windows\", \n    \"frontpage\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"references\": [\n    {\n      \"url\": \"https://msdn.microsoft.com/en-us/library/bb742372.aspx\", \n      \"title\": \"Configuring FrontPage Server Extensions\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/70-persistent-xss.json",
    "content": "{\n  \"id\": 70, \n  \"title\": \"Persistent Cross-Site Scripting (XSS)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/70\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/20\"\n    }\n  }, \n  \"cwe\": [\n    \"79\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      3\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"xss\", \n    \"persistent\", \n    \"script\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting\", \n      \"title\": \"WASC\"\n    }, \n    {\n      \"url\": \"http://secunia.com/advisories/9716/\", \n      \"title\": \"Secunia\"\n    }, \n    {\n      \"url\": \"https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet\", \n      \"title\": \"OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/71-reflected-file-download.json",
    "content": "{\n  \"id\": 71, \n  \"title\": \"Reflected File Download\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/71\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/27\"\n    }\n  }, \n  \"cwe\": [\n    \"79\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"rfd\", \n    \"reflected\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/\", \n      \"title\": \"Reflected File Download - A New Web Attack Vector\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/72-cache-control-headers.json",
    "content": "{\n  \"id\": 72, \n  \"title\": \"Insecure or no Cache-Control header\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/72\"\n  }, \n  \"fix\": {\n    \"effort\": 10, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/50\"\n    }\n  }, \n  \"cwe\": [\n    \"524\", \n    \"525\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"browser\", \n    \"cache\", \n    \"session\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching\", \n      \"title\": \"Session Management Cheat Sheet\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/73-information-leak-stack-trace.json",
    "content": "{\n  \"id\": 73, \n  \"title\": \"Application error message\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/73\"\n  }, \n  \"fix\": {\n    \"effort\": 60, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/42\"\n    }\n  }, \n  \"cwe\": [\n    \"200\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      6\n    ]\n  }, \n  \"tags\": [\n    \"web\", \n    \"error\", \n    \"information leak\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://projects.webappsec.org/w/page/13246936/Information%20Leakage\", \n      \"title\": \"WASC threat classification\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/74-phishing-vector.json",
    "content": "{\n  \"id\": 74, \n  \"title\": \"Phishing vector\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/74\"\n  }, \n  \"fix\": {\n    \"effort\": 30, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/35\"\n    }\n  }, \n  \"cwe\": [\n    \"451\"\n  ], \n  \"tags\": [\n    \"web\", \n    \"phishing\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Phishing\", \n      \"title\": \"Phishing - OWASP\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/75-guessable-credentials.json",
    "content": "{\n  \"id\": 75, \n  \"title\": \"Guessable credentials\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/75\"\n  }, \n  \"fix\": {\n    \"effort\": 40, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/54\"\n    }\n  }, \n  \"cwe\": [\n    \"522\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"tags\": [\n    \"guessable\", \n    \"credentials\", \n    \"weak\", \n    \"predictable\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)\", \n      \"title\": \"OWASP Reference\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/76-x-content-type-options_header_missing.json",
    "content": "{\n  \"id\": 76, \n  \"title\": \"X-Content-Type-Options header missing\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/76\"\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/53\"\n    }\n  }, \n  \"cwe\": [], \n  \"owasp_top_10\": {\n    \"2013\": [\n      7\n    ]\n  }, \n  \"tags\": [\n    \"content\", \n    \"sniffing\", \n    \"missing\", \n    \"header\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx\", \n      \"title\": \"Reducing MIME type security risks\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/77-http-basic-authentication-credentials.json",
    "content": "{\n  \"id\": 77, \n  \"title\": \"HTTP Basic Authentication credentials\", \n  \"severity\": \"low\", \n  \"description\": {\n    \"$ref\": \"#/files/description/77\"\n  }, \n  \"fix\": {\n    \"effort\": 60, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/14\"\n    }\n  }, \n  \"cwe\": [\n    \"311\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      2\n    ]\n  }, \n  \"tags\": [\n    \"basic\", \n    \"authentication\", \n    \"clear-text\", \n    \"base64\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Weak_Authentication_Methods\", \n      \"title\": \"OWASP Weak Authentication Methods\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/8-code-injection.json",
    "content": "{\n  \"id\": 8, \n  \"title\": \"Code injection (timing attack)\", \n  \"severity\": \"high\", \n  \"description\": {\n    \"$ref\": \"#/files/description/8\"\n  }, \n  \"cwe\": [\n    \"95\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      1\n    ]\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/47\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"code\", \n    \"injection\", \n    \"blind\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"http://docs.python.org/py3k/library/functions.html#eval\", \n      \"title\": \"Python eval documentation\"\n    }, \n    {\n      \"url\": \"http://www.aspdev.org/asp/asp-eval-execute/\", \n      \"title\": \"ASP eval documentation\"\n    }, \n    {\n      \"url\": \"http://en.wikipedia.org/wiki/Eval#Ruby\", \n      \"title\": \"Ruby eval documentation\"\n    }, \n    {\n      \"url\": \"http://php.net/manual/en/function.eval.php\", \n      \"title\": \"PHP eval documentation\"\n    }, \n    {\n      \"url\": \"http://perldoc.perl.org/functions/eval.html\", \n      \"title\": \"Perl eval documentation\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/9-common-directory.json",
    "content": "{\n  \"id\": 9, \n  \"title\": \"Common directory\", \n  \"severity\": \"medium\", \n  \"description\": {\n    \"$ref\": \"#/files/description/9\"\n  }, \n  \"cwe\": [\n    \"538\"\n  ], \n  \"owasp_top_10\": {\n    \"2013\": [\n      5\n    ]\n  }, \n  \"fix\": {\n    \"effort\": 50, \n    \"guidance\": {\n      \"$ref\": \"#/files/fix/55\"\n    }\n  }, \n  \"tags\": [\n    \"web\", \n    \"path\", \n    \"directory\", \n    \"common\", \n    \"discovery\"\n  ], \n  \"references\": [\n    {\n      \"url\": \"https://www.owasp.org/index.php/Forced_browsing\", \n      \"title\": \"OWASP - Forced browsing\"\n    }\n  ]\n}"
  },
  {
    "path": "db/en/description/1.md",
    "content": "There are a number of HTTP methods that can be used on a webserver\n(`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE` etc.). Each of\nthese methods performs a different function and each has an associated\nlevel of risk when its use is permitted on the webserver.\n\nA client\ncan use the `OPTIONS` method within a request to query a server to\ndetermine which methods are allowed.\n\nCyber-criminals will almost\nalways perform this simple test as it will give a very quick\nindication of any high-risk methods being permitted by the server.\n\nThe tool discovered that several methods are supported by the server."
  },
  {
    "path": "db/en/description/10.md",
    "content": "Web applications are often made up of multiple files and directories.\nIt is possible that over time some files may become unreferenced\n(unused) by the web application and forgotten about by the\nadministrator/developer. Because web applications are built using\ncommon frameworks, they contain common files that can be discovered\n(independent of server).\n\nDuring the initial recon stages of an\nattack, cyber-criminals will attempt to locate unreferenced files in\nthe hope that the file will assist in further compromise of the web\napplication. To achieve this they will make thousands of requests\nusing word lists containing common filenames. The response headers\nfrom the server will then indicate if the file exists.\n\nThe tool also\ncontains a list of common file names which it will attempt to access."
  },
  {
    "path": "db/en/description/11.md",
    "content": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by which client, and which\nclients are authenticated or unauthenticated.\n\nThe use of HTTP cookies\nwithin the headers allows a web server to identify each individual\nclient and therefore to distinguish the clients that hold valid\nauthentication from those that do not. These are known as session\ncookies.\n\nWhen a cookie is set by the server (sent in the header of an\nHTTP response) there are several flags that can be set to configure\nthe properties of the cookie and how it is to be handled by the\nbrowser.\n\nOne of these flags represents the host, or domain, for which\nthe cookie can be used.\n\nWhen the cookie is set for the parent domain\nrather than the host, this could indicate that the same cookie could\nbe used to access other hosts within that domain. While there are many\nlegitimate reasons for this, it could also be a misconfiguration that\nexpands the possible attack surface."
  },
  {
    "path": "db/en/description/12.md",
    "content": "Credit card numbers are used in applications where a user is able to\npurchase goods and/or services.\n\nA credit card number is a sensitive\npiece of information and should be handled as such. Cyber-criminals\nwill use various methods to attempt to compromise credit card\ninformation that can then be used for fraudulent purposes.\n\nThrough\nthe use of regular expressions and CC number format validation,\nit was possible to discover a credit card number located within the\naffected page."
  },
  {
    "path": "db/en/description/13.md",
    "content": "In the majority of today's web applications, clients are required to\nsubmit forms which can perform sensitive operations.\n\nAn example of\nsuch a form being used would be when an administrator wishes to create\na new user for the application.\n\nIn the simplest version of the form,\nthe administrator would fill in:\n\n* Name\n* Password\n* Role (level of access)\n\nContinuing with this example, Cross Site Request Forgery\n(CSRF) would occur when the administrator is tricked into clicking on\na link which, if they are logged into the application, would automatically\nsubmit the form without any further interaction.\n\nCyber-criminals will\nlook for sites where sensitive functions are performed in this manner\nand then craft malicious requests that will be used against clients\nvia a social engineering attack.\n\nThere are 3 things that are required\nfor a CSRF attack to occur:\n\n1. The form must perform some sort of sensitive action.\n2. The victim (the administrator in the example above) must have an active session.\n3. Most importantly, all parameter values must be **known** or **guessable**.\n\nThe tool discovered that all\nparameters within the form were known or predictable and therefore the\nform could be vulnerable to CSRF.\n\n_Manual verification may be\nrequired to check whether the submission will then perform a sensitive\naction, such as resetting a password, modifying user profiles, posting content\non a forum, etc._"
  },
  {
    "path": "db/en/description/14.md",
    "content": "Concurrent Versions System (CVS) and Subversion (SVN) provide a method\nfor application developers to control different versions of their\ncode.\n\nOccasionally, the developer's version or user information can\nbe stored incorrectly within the code and may be visible to the end\nuser (either in the HTML or code comments). As one of the initial\nsteps in information gathering, cyber-criminals will spider a website\nand, using automated methods, attempt to discover any CVS/SVN\ninformation that may be present in the page.\n\nThis will aid them in\ndeveloping a better understanding of the deployed application\n(potentially through the disclosure of version information), or it may\nassist in further information gathering or social engineering attacks.\n\nUsing the same automated methods, the tool was able to detect CVS or\nSVN details stored within the affected page."
  },
  {
    "path": "db/en/description/15.md",
    "content": "Web servers permitting directory listing are typically used for\nsharing files.\n\nDirectory listing allows the client to view a simple\nlist of all the files and folders hosted on the web server. The client\nis then able to traverse each directory and download the files.\nCyber-criminals will utilise the presence of directory listing to\ndiscover sensitive files, download protected content, or even just\nlearn how the web application is structured.\n\nThe tool discovered that\nthe affected page permits directory listing."
  },
  {
    "path": "db/en/description/16.md",
    "content": "Email addresses are typically found on \"Contact us\" pages, however,\nthey can also be found within scripts or code comments of the\napplication. They are used to provide a legitimate means of contacting\nan organisation.\n\nAs one of the initial steps in information\ngathering, cyber-criminals will spider a website and using automated\nmethods collect as many email addresses as possible, that they may\nthen use in a social engineering attack.\n\nUsing the same automated\nmethods, the tool was able to detect one or more email addresses that\nwere stored within the affected page."
  },
  {
    "path": "db/en/description/17.md",
    "content": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the server.\n\nAn\nexample of this is often seen in error pages, where the actual file\npath for the error page is stored in a parameter value -- for example\n`example.com/error.php?page=404.php`.\n\nA file inclusion occurs when\nthe parameter value (i.e. the path to the file) can be substituted with the\npath of another resource on the same server, effectively allowing the\ndisplay of arbitrary, and possibly restricted/sensitive, files.\n\nThe tool discovered that it was possible to substitute a parameter\nvalue with another resource and have the server return the contents of\nthe resource to the client within the response."
  },
  {
    "path": "db/en/description/18.md",
    "content": "The design of many web applications requires that users be able to\nupload files that will either be stored or processed by the receiving\nweb server.\n\nThe tool has flagged this not as a vulnerability, but as a\nprompt for the penetration tester to conduct further manual testing on\nthe file upload function.\n\nAn insecure form-based file upload could\nallow a cyber-criminal a means to abuse and successfully exploit the\nserver directly, and/or any third party that may later access the\nfile. This can occur through uploading a file containing server-side\ncode (such as PHP) that is then executed when requested by the\nclient."
  },
  {
    "path": "db/en/description/19.md",
    "content": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the contents viewed. To\nkeep data private and prevent it from being intercepted, HTTP is often\ntunnelled through either Secure Sockets Layer (SSL) or Transport Layer\nSecurity (TLS). When either of these encryption standards is used, it\nis referred to as HTTPS.\n\nHTTP Strict Transport Security (HSTS) is an\noptional response header that can be configured on the server to\ninstruct the browser to only communicate via HTTPS. This will be\nenforced by the browser even if the user requests an HTTP resource on\nthe same server.\n\nCyber-criminals will often attempt to compromise\nsensitive information passed from the client to the server using HTTP.\nThis can be conducted via various Man-in-the-Middle (MitM) attacks or\nthrough network packet captures.\n\nThe tool discovered that the affected\napplication is using HTTPS; however, it does not use the HSTS header."
  },
  {
    "path": "db/en/description/2.md",
    "content": "If a server has been previously compromised, there is a high\nprobability that the cyber-criminal has installed a backdoor so that\nthey can easily return to the server if required. One method of\nachieving this is to place a web backdoor or web shell within the web\nroot of the web server. This will then enable the cyber-criminal to\naccess the server through an HTTP or HTTPS session.\n\nAlthough extremely bad\npractice, it is possible that the web backdoor or web shell has been\nplaced there by an administrator so they can perform administrative\nactivities remotely.\n\nDuring the initial recon stages of an attack,\ncyber-criminals will attempt to locate these web backdoors or shells\nby requesting the names of the most common and well known ones.\n\nBy\nanalysing the response, they are able to determine if a web backdoor\nor web shell exists. These web backdoors or web shells can then\nprovide an easy path for further compromise of the server.\n\nBy\nutilising the same methods as the cyber-criminals, the tool was able to\ndiscover a possible web backdoor or web shell."
  },
  {
    "path": "db/en/description/20.md",
    "content": "There are a number of HTTP methods that can be used on a webserver\n(for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE`, etc.).\nEach of these methods performs a different function, and each has an\nassociated level of risk when its use is permitted on the webserver.\nThe `<Limit>` directive within Apache's configuration (including\n`.htaccess` files) allows administrators to define which of the\nmethods they would like to restrict. However, as this is a blacklisting\napproach, it is inevitable that a server administrator may\naccidentally miss adding certain HTTP methods to be blocked (or may not\nanticipate methods the server accepts beyond the standard set), thus\nincreasing the level of risk to the application and/or server. Apache's\n`<LimitExcept>` directive applies the restriction to every method\nexcept those listed, which is the safer, whitelisting form."
  },
  {
    "path": "db/en/description/21.md",
    "content": "Most automated tools are not able to analyze the security of client-side\ntechnologies such as Flash and Java applets. This informational finding\nserves as a heads-up to the information security specialist to review\nthe objects in question using a different method."
  },
  {
    "path": "db/en/description/22.md",
    "content": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by which client, and which\nclients are authenticated or unauthenticated.\n\nThe use of HTTP cookies\nwithin the headers allows a web server to identify each individual\nclient and can therefore determine which clients hold valid\nauthentication from those that do not. These are known as session\ncookies.\n\nWhen a cookie is set by the server (sent in the `Set-Cookie`\nheader of an HTTP response) there are several flags that can be set to\nconfigure the properties of the cookie and how it is to be handled by\nthe browser.\n\nThe `HttpOnly` flag prevents client-side scripts (such as\nJavaScript) from reading the cookie through `document.cookie`. This can\nhelp limit the impact of XSS attacks targeting the cookies holding the\nclient's session token (setting the `HttpOnly` flag does not prevent,\nnor safeguard against, XSS vulnerabilities themselves: injected script\ncan still issue requests that the browser sends with the cookie\nattached)."
  },
  {
    "path": "db/en/description/23.md",
    "content": "There are various methods in which a file (or files) may be uploaded\nto a webserver. One method that can be used is the HTTP `PUT` method.\nThe `PUT` method is mainly used during development of applications and\nallows developers to upload (or put) files on the server within the\nweb root.\n\nBy nature of its design, the `PUT` method typically does\nnot provide any filtering and therefore allows server-side executable\ncode (PHP, ASP, etc.) to be uploaded to the server.\n\nCyber-criminals\nwill search for servers supporting the `PUT` method with the intention\nof modifying existing pages, or uploading web shells to take control\nof the server.\n\nThe tool has discovered that the affected path allows\nclients to use the `PUT` method. During this test, the tool `PUT` a\nfile on the server within the web root, then successfully performed a\n`GET` request to its location and verified the contents."
  },
  {
    "path": "db/en/description/24.md",
    "content": "The browser security model normally prevents web content from one\ndomain from accessing data from another domain. This is commonly known\nas the \"same origin policy\".\n\nURL policy files grant cross-domain\npermissions for reading data. They permit operations that are not\npermitted by default. The URL policy file for Silverlight is located,\nby default, in the root directory of the target server, with the name\n`ClientAccessPolicy.xml` (for example, at\n`www.example.com/ClientAccessPolicy.xml`).\n\nWhen a domain is specified\nin `ClientAccessPolicy.xml`, the site declares that it is willing to\nallow Silverlight applications served from any host in that domain to\nmake requests to, and read responses from, the server where the policy\nfile resides, with the requests carrying the browser's cookies for that\nserver.\n\nThe `ClientAccessPolicy.xml` file deployed on this website\nopens the server to all domains (the file uses a single asterisk \"*\",\nwhich Silverlight accepts as a wildcard matching any domain)."
  },
  {
    "path": "db/en/description/25.md",
    "content": "HTTP by itself is a stateless protocol. Therefore the server is unable\nto determine which requests are performed by which client, and which\nclients are authenticated or unauthenticated.\n\nThe use of HTTP cookies\nwithin the headers allows a web server to identify each individual\nclient and can therefore determine which clients hold valid\nauthentication from those that do not. These are known as session\ncookies.\n\nWhen a cookie is set by the server (sent in the `Set-Cookie`\nheader of an HTTP response) there are several flags that can be set to\nconfigure the properties of the cookie and how it is to be handled by\nthe browser.\n\nOne of these flags is known as the `secure` flag. When the\n`secure` flag is set, the browser will refuse to send the cookie over a\nclear text channel (HTTP) and will only send it when an encrypted\nchannel is used (HTTPS).\n\nThe tool discovered that a cookie was set by\nthe server without the `secure` flag. Although the initial setting of\nthis cookie was via an HTTPS connection, any HTTP link to the same\nserver (or an attacker-induced HTTP request to it) will result in the\ncookie being sent in clear text."
  },
  {
    "path": "db/en/description/26.md",
    "content": "Cross-Origin Resource Sharing (CORS) is a browser mechanism, widely\nused by modern web applications, that allows a script to perform HTTP\nrequests to an origin outside the Same-Origin Policy and read the\nresponse body. This feature is controlled by a set of HTTP response\nheaders, of which `Access-Control-Allow-Origin` is one of the most\nimportant.\n\nIt was possible to identify an HTTP response which contained the\n`Access-Control-Allow-Origin` header value set to '*', which allows any\nthird-party origin to perform requests and read the responses.\nWhile this configuration is not a vulnerability per se, it is only\nrecommended for sites which provide information that is public, such as\nweather or stock prices. Note that browsers refuse to expose a response\nthat combines '*' with `Access-Control-Allow-Credentials: true`, so the\nwildcard on its own only exposes what an unauthenticated client could\nalready fetch; a server that reflects the request's `Origin` value into\n`Access-Control-Allow-Origin` while also allowing credentials is the\nmore serious misconfiguration."
  },
  {
    "path": "db/en/description/27.md",
    "content": "The browser security model normally prevents web content from one\ndomain from accessing data from another domain. This is commonly known\nas the \"same origin policy\".\n\nURL policy files grant cross-domain\npermissions for reading data. They permit operations that are not\npermitted by default. The URL policy file for Adobe Flash (also read by\nSilverlight as a fallback when no `ClientAccessPolicy.xml` exists) is\nlocated, by default, in the root directory of the target server, with\nthe name `crossdomain.xml` (for example, at\n`www.example.com/crossdomain.xml`).\nWhen a domain is specified in `crossdomain.xml`, the site declares\nthat it is willing to allow Flash content served from any host in that\ndomain to make requests to, and read responses from, the server where\nthe policy file resides, with the requests carrying the browser's\ncookies for that server.\n\nThe `crossdomain.xml` file deployed on this\nwebsite opens the server to all domains (the file uses a single\nasterisk \"*\", which is accepted as a wildcard matching any domain)."
  },
  {
    "path": "db/en/description/29.md",
    "content": "The server responded with an unusual HTTP status code. This is not an\nissue in itself; however, exotic HTTP response status codes can provide\nuseful insights into the behavior of the web application and assist with\nthe information security analysis."
  },
  {
    "path": "db/en/description/3.md",
    "content": "A common practice when administering web applications is to create a\ncopy/backup of a particular directory prior to making any\nmodification. Another common practice is to add an extension or change\nthe name of the original directory to signify that it is a backup\n(examples include `.bak`, `.orig`, `.backup`, etc.).\n\nDuring the\ninitial recon stages of an attack, cyber-criminals will attempt to\nlocate backup directories by adding common extensions onto directories\nalready discovered on the webserver. By analysing the response headers\nfrom the server they are able to determine if a backup directory\nexists. These backup directories can then assist in the compromise of\nthe web application.\n\nBy utilising the same method, the tool was able\nto discover a possible backup directory."
  },
  {
    "path": "db/en/description/30.md",
    "content": "Lightweight Directory Access Protocol (LDAP) is used by web\napplications to access and maintain directory information services.\nOne of the most common uses for LDAP is as a central user store (such\nas Active Directory) against which a web site authenticates its users,\noften as part of a Single-Sign-On (SSO) scheme that lets clients sign\nin without further interaction once the SSO provider has validated\ntheir credentials.\n\nLDAP injection occurs when untrusted data is used\nby the web application to build an LDAP query (typically a search\nfilter) without prior sanitisation or escaping of the LDAP filter\nmetacharacters such as `*`, `(`, `)`, `\\\\` and `NUL`.\n\nThis is a\nserious security risk, as it could allow cyber-criminals to alter the\nquery and read entries they should not see, bypass authentication\nchecks built on such queries, and, where the application performs\nwrite operations with the same data, modify or remove entries from the\nLDAP tree. It could also allow other advanced injection techniques\nthat perform other more serious attacks.\n\nThe tool was able to detect\na page that is vulnerable to LDAP injection based on known error\nmessages."
  },
  {
    "path": "db/en/description/31.md",
    "content": "To restrict access to specific pages on a webserver, developers can\nimplement various methods of authentication, therefore only allowing\naccess to clients with valid credentials. There are several forms of\nHTTP authentication that can be used. The simplest is known as 'Basic'\nauthentication (advertised by the server with a `WWW-Authenticate:\nBasic realm=...` header), which sends the credentials Base64-encoded,\nnot encrypted, with every request. This method of authentication has\nseveral known weaknesses, such as disclosing the credentials to anyone\nwho can read the traffic if it is not protected by HTTPS, and being\nsusceptible to brute force attacks.\n\nAdditionally, when utilising the\nNTLM mechanism in a Windows environment, several disclosures of\ninformation exist (the NTLM challenge response reveals the server's\nhost and domain names), and any brute force attack occurs against the\nserver's local users, or domain users if the web server is a domain\nmember.\n\nCyber-criminals will attempt to locate protected pages to gain\naccess to them and also perform brute force attacks to discover valid\ncredentials.\n\nThe tool discovered that the affected page requires NTLM\nauthentication in order to be accessed."
  },
  {
    "path": "db/en/description/32.md",
    "content": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the contents viewed. To\nkeep data private and prevent it from being intercepted, HTTP is often\ntunnelled through either a Secure Sockets Layer (SSL) or Transport\nLayer Security (TLS) connection. When either of these encryption\nstandards is used, it is referred to as HTTPS.\n\nCyber-criminals will\noften attempt to compromise sensitive information passed from the\nclient to the server using HTTP. This can be conducted via various\ndifferent Man-in-The-Middle (MiTM) attacks or through network packet\ncaptures.\n\nThe tool discovered that the affected site is utilising both\nHTTP and HTTPS. While the HTML code is served over HTTPS, the page\nalso loads resources (such as scripts, stylesheets or images) over an\nunencrypted channel. Such mixed content can lead to the compromise of\ndata, and an attacker who can tamper with a script loaded over HTTP\ncan modify the HTTPS page that included it, all while the padlock\nprovides a false sense of security to the user."
  },
  {
    "path": "db/en/description/33.md",
    "content": "A NoSQL injection occurs when a value originating from the client's\nrequest is used within a NoSQL call without prior sanitisation.\n\nThis\ncan allow cyber-criminals to execute arbitrary NoSQL code and thus\nsteal data, or use the additional functionality of the database server\nto take control of further server components.\n\nThe tool discovered that\nthe affected page and parameter are vulnerable. This injection was\ndetected as the tool was able to discover known error messages within\nthe server's response."
  },
  {
    "path": "db/en/description/34.md",
    "content": "A NoSQL injection occurs when a value originating from the client's\nrequest is used within a NoSQL call without prior sanitisation.\n\nThis\ncan allow cyber-criminals to execute arbitrary NoSQL code and thus\nsteal data, or use the additional functionality of the database server\nto take control of further server components.\n\nThe tool discovered that\nthe affected page and parameter are vulnerable. This injection was\ndetected as the tool was able to inject specific NoSQL queries that if\nvulnerable result in the responses for each injection being different.\nThis is known as a blind NoSQL injection vulnerability."
  },
  {
    "path": "db/en/description/35.md",
    "content": "Originating-IP headers (for example `X-Forwarded-For`) are utilised\nby proxies and/or load balancers to track the originating IP address\nof the client.\n\nAs the request progresses through a proxy, the header\nis added to the existing headers, and the value of the client's IP is\nthen set within this header. Occasionally, poorly implemented access\nrestrictions are based off of the originating IP address alone.\n\nFor\nexample, any public IP address may be forced to authenticate, while an\ninternal IP address may not. Because this header can also be set by\nthe client, and the application trusts it without checking that it was\nset by its own proxy, it allows cyber-criminals to spoof their IP\naddress and potentially gain access to restricted pages.\n\nThe tool\ndiscovered a resource that it did not have permission to access, but\nwas granted access after spoofing the address of localhost (127.0.0.1)\nin such a header, thus bypassing any requirement to authenticate."
  },
  {
    "path": "db/en/description/36.md",
    "content": "To perform specific actions from within a web application, it is\noccasionally required to run Operating System commands and have the\noutput of these commands captured by the web application and returned\nto the client.\n\nOS command injection occurs when user supplied input\nis inserted into one of these commands without proper sanitisation and\nis then executed by the server.\n\nCyber-criminals will abuse this\nweakness to perform their own arbitrary commands on the server. This\ncan include everything from simple `ping` commands to map the internal\nnetwork, to obtaining full control of the server.\n\nIt was possible to inject and verify the execution of specific Operating\nSystem commands which indicates that proper input sanitisation is not\noccurring."
  },
  {
    "path": "db/en/description/38.md",
    "content": "In typical form-based web applications, it is common practice for\ndevelopers to allow `autocomplete` within the HTML form to improve the\nusability of the page. With `autocomplete` enabled (the default), the\nbrowser is allowed to cache previously entered form values.\n\nFor\nlegitimate purposes, this allows the user to quickly re-enter the same\ndata when completing the form multiple times.\n\nWhen `autocomplete` is\nenabled on either or both of the username and password fields, this\ncould allow a cyber-criminal with access to the victim's computer the\nability to have the victim's credentials automatically entered as the\ncyber-criminal visits the affected page.\n\nThe tool has discovered that\nthe affected page contains a form containing a password field that has\nnot disabled `autocomplete`. Note that current browsers' built-in\npassword managers generally ignore `autocomplete=\"off\"` on login\nfields, so the practical effect of the attribute is limited."
  },
  {
    "path": "db/en/description/39.md",
    "content": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the server.\n\nAn\nexample of this is often seen in error pages, where the actual file\npath for the error page is stored in a parameter value -- for example\n`example.com/error.php?page=404.php`.\n\nA path traversal occurs when\nthe parameter value (i.e. the path to the file being called by the\nserver) can be substituted with the relative path of another resource\nwhich is located outside of the application's working directory. The\nserver then loads the resource and includes its contents in the\nresponse to the client.\n\nCyber-criminals will abuse this vulnerability\nto view files that should otherwise not be accessible.\n\nA very common\nexample of this, on *nix servers, is gaining access to the\n`/etc/passwd` file in order to retrieve a list of server users. This\nattack would look like:\n`yoursite.com/error.php?page=../../../../etc/passwd`\n\nAs path\ntraversal is based on the relative path, the payload must first\ntraverse to the file system's root directory, hence the string of\n`../../../../`. Because `..` at the root directory simply stays at the\nroot, an attacker who does not know the depth of the working directory\ncan use more `../` segments than needed without harm.\n\nThe tool\ndiscovered that it was possible to substitute a parameter value with a\nrelative path to a common operating system file and have the contents\nof the file included in the response."
  },
  {
    "path": "db/en/description/4.md",
    "content": "A common practice when administering web applications is to create a\ncopy/backup of a particular file or directory prior to making any\nmodification to the file. Another common practice is to add an\nextension or change the name of the original file to signify that it\nis a backup (examples include `.bak`, `.orig`, `.backup`, etc.).\nDuring the initial recon stages of an attack, cyber-criminals will\nattempt to locate backup files by adding common extensions onto files\nalready discovered on the webserver. By analysing the response headers\nfrom the server they are able to determine if the backup file exists.\nThese backup files can then assist in the compromise of the web\napplication.\n\nBy utilising the same method, the tool was able to\ndiscover a possible backup file."
  },
  {
    "path": "db/en/description/40.md",
    "content": "Private, or non-routable, IP addresses are generally used within a\nhome or company network and are typically unknown to anyone outside of\nthat network.\n\nCyber-criminals will attempt to identify the private IP\naddress range being used by their victim, to aid in collecting further\ninformation that could then lead to a possible compromise.\n\nThe tool\ndiscovered that the affected page returned an RFC 1918 private IP\naddress and therefore could be revealing sensitive information.\n\n_This\nfinding typically requires manual verification to ensure the context\nis correct, as any private IP address within the HTML body will\ntrigger it._"
  },
  {
    "path": "db/en/description/41.md",
    "content": "HTTP response splitting occurs when untrusted data is inserted into\nthe response headers without any sanitisation.\n\nIf successful, this\nallows cyber-criminals to essentially split the HTTP response in two.\nThis is abused by cyber-criminals injecting CR (Carriage Return --\n`\\\\r`, `%0d` when URL-encoded) and LF (Line Feed -- `\\\\n`, `%0a`)\ncharacters, which terminate the current header line and form the\nsplit. If the server strips or encodes the CR and LF characters before\nthey reach the response, the issue cannot be exploited.\n\nAlong with\nthese characters, cyber-criminals can then construct their own\narbitrary response headers and body which would then form the second\nresponse. The second response is entirely under their control, allowing\nfor a number of other attacks, such as serving attacker-controlled\ncontent under the site's origin or setting cookies in the victim's\nbrowser."
  },
  {
    "path": "db/en/description/42.md",
    "content": "Web applications occasionally use parameter values to store the\nlocation of a file which will later be required by the server.\n\nAn\nexample of this is often seen in error pages, where the actual file\npath for the error page is stored in a parameter value -- for example\n`example.com/error.php?page=404.php`.\n\nA remote file inclusion occurs\nwhen the parameter value (i.e. the path to the file being called by the\nserver) can be substituted with the address of a remote resource -- for\nexample:\n`yoursite.com/error.asp?page=http://anothersite.com/somethingBad.php`\nIn some cases, the server will process the fetched resource (in PHP,\nfor example, this requires the `allow_url_include` setting to be\nenabled); therefore, if the resource contains server-side code matching\nthat of the framework being used (ASP, PHP, JSP, etc.), the resource\nwill be executed as if it were part of the web application, giving the\ncyber-criminal code execution on the server.\n\nThe tool discovered that\nit was possible to substitute a parameter value with an external\nresource and have the server fetch it and include its contents in the\nresponse."
  },
  {
    "path": "db/en/description/43.md",
    "content": "HTTP by itself is a stateless protocol; therefore, the server is\nunable to determine which requests are performed by which client and\nwhich clients are authenticated or unauthenticated.\n\nThe use of HTTP\ncookies within the headers allows a web server to identify each\nindividual client and can thus determine which clients hold valid\nauthentication from those that do not. These are known as session\ncookies or session tokens.\n\nTo prevent clients from being able to\nguess each other's session token, each assigned session token should\nbe entirely random and be different whenever a session is established\nwith the server.\n\nSession fixation occurs when the client is able to\nspecify their own session token value and the value of the session\ncookie is not changed by the server after successful authentication.\nOccasionally, the session token will also remain unchanged for the\nuser independently of how many times they have authenticated.\nCyber-criminals will abuse this functionality by sending crafted URL\nlinks with a predetermined session token within the link. The\ncyber-criminal will then wait for the victim to login and become\nauthenticated. If successful, the cyber-criminal will know a valid\nsession ID and therefore have access to the victim's session.\n\nThe tool\nhas discovered that it is able to set its own session token."
  },
  {
    "path": "db/en/description/44.md",
    "content": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up into two\nflavours: client-side languages (those that run in the browser, like\nJavaScript) and server-side languages (those executed by the server,\nlike ASP, PHP, JSP, etc.) which generate the dynamic pages (client-side\ncode) that are then sent to the client. Because all server-side code\nshould be executed by the server, it should never be seen by the\nclient. However, in some scenarios it is possible that:\n\n1. The server-side code has syntax errors, or the server is\nmisconfigured (for example the script handler is not registered for\nthat file extension), and therefore the code is not executed by the\nserver but is instead sent to the client.\n\n2. Using crafted requests it is possible to force the server\ninto displaying the source code of the application without executing it.\n\nAs the server-side source code often contains sensitive\ninformation, such as database connection strings or details of the\napplication workflow, this can be extremely risky.\n\nCyber-criminals\nwill attempt to discover pages that either accidentally or forcefully\nallow the server-side source code to be disclosed, to assist in\ndiscovering further vulnerabilities or sensitive information.\n\nThe tool\nhas detected server-side source code within the server's response.\n_(False positives may occur when requesting binary files such as\nimages (.JPG or .PNG) and may require manual verification.)_"
  },
  {
    "path": "db/en/description/45.md",
    "content": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data that will\nbe called upon and processed by the web application (or other\nprograms). Web applications retrieve data from the database by using\nStructured Query Language (SQL) queries.\n\nTo meet demands of many\ndevelopers, database servers (such as MSSQL, MySQL, Oracle etc.) have\nadditional built-in functionality that can allow extensive control of\nthe database and interaction with the host operating system itself.\nAn SQL injection occurs when a value originating from the client's\nrequest is used within a SQL query without prior sanitisation. This\ncould allow cyber-criminals to execute arbitrary SQL code and steal\ndata or use the additional functionality of the database server to\ntake control of more server components.\n\nThe successful exploitation\nof a SQL injection can be devastating to an organisation and is one of\nthe most commonly exploited web application vulnerabilities.\n\nThis\ninjection was detected as the tool was able to cause the server to\nrespond to the request with a database related error."
  },
  {
    "path": "db/en/description/46.md",
    "content": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data that will\nbe called upon and processed by the web application (or other\nprograms). Web applications retrieve data from the database by using\nStructured Query Language (SQL) queries.\n\nTo meet demands of many\ndevelopers, database servers (such as MSSQL, MySQL, Oracle etc.) have\nadditional built-in functionality that can allow extensive control of\nthe database and interaction with the host operating system itself.\nAn SQL injection occurs when a value originating from the client's\nrequest is used within a SQL query without prior sanitisation. This\ncould allow cyber-criminals to execute arbitrary SQL code and steal\ndata or use the additional functionality of the database server to\ntake control of more server components.\n\nThe successful exploitation\nof a SQL injection can be devastating to an organisation and is one of\nthe most commonly exploited web application vulnerabilities.\n\nInjection was detected as it was possible to inject specific SQL\nqueries, that if vulnerable, result in the responses for each\ninjection being different. This is known as a blind SQL injection\nvulnerability."
  },
  {
    "path": "db/en/description/47.md",
    "content": "Due to the requirement for dynamic content of today's web\napplications, many rely on a database backend to store data that will\nbe called upon and processed by the web application (or other\nprograms). Web applications retrieve data from the database by using\nStructured Query Language (SQL) queries.\n\nTo meet demands of many\ndevelopers, database servers (such as MSSQL, MySQL, Oracle etc.) have\nadditional built-in functionality that can allow extensive control of\nthe database and interaction with the host operating system itself.\nAn SQL injection occurs when a value originating from the client's\nrequest is used within a SQL query without prior sanitisation. This\ncould allow cyber-criminals to execute arbitrary SQL code and steal\ndata or use the additional functionality of the database server to\ntake control of more server components.\n\nThe successful exploitation\nof a SQL injection can be devastating to an organisation and is one of\nthe most commonly exploited web application vulnerabilities.\n\nThis\ninjection was detected as the tool was able to inject specific SQL\nqueries, that if vulnerable, result in the responses for each request\nbeing delayed before being sent by the server. This is known as a\ntime-based blind SQL injection vulnerability."
  },
  {
    "path": "db/en/description/48.md",
    "content": "The US Social Security Number (SSN) is a personally identifiable\nnumber that is issued by the US Social Security Administration to\ncitizens and residents.\n\nA stolen or leaked SSN can lead to a\ncompromise, and/or the theft of the affected individual's identity.\n\nThrough the use of regular expressions, the tool has discovered a\nvalue formatted like an SSN within the response of the affected page.\nAs other nine-digit values (order numbers, phone numbers, etc.) can\nmatch the same pattern, this finding requires manual verification."
  },
  {
    "path": "db/en/description/49.md",
    "content": "The HTTP protocol by itself is clear text, meaning that any data that\nis transmitted via HTTP can be captured and the contents viewed.\n\nTo\nkeep data private, and prevent it from being intercepted, HTTP is\noften tunnelled through either Secure Sockets Layer (SSL), or\nTransport Layer Security (TLS). When either of these encryption\nstandards is used it is referred to as HTTPS.\n\nCyber-criminals will\noften attempt to compromise credentials passed from the client to the\nserver using HTTP. This can be conducted via various different\nMan-in-The-Middle (MiTM) attacks or through network packet captures.\n\nThe tool discovered that the affected page contains a `password` input;\nhowever, the form's `action` submits the value of the field to the\nserver without utilising HTTPS. Therefore it is possible that any\nsubmitted credential may become compromised, even if the page\ncontaining the form was itself delivered over HTTPS."
  },
  {
    "path": "db/en/description/5.md",
    "content": "To prevent the automated abuse of a page, applications can implement\nwhat is known as a CAPTCHA.\n\nThese are used to ensure human\ninteraction with the application and are often used on forms where the\napplication conducts sensitive actions. These typically include user\nregistration, or submitting emails via \"Contact Us\" pages etc.\n\nThe tool has flagged this not as a vulnerability, but as a prompt for\nthe penetration tester to conduct further manual testing on the\nCAPTCHA function, as the tool cannot audit CAPTCHA protected forms.\nTesting for insecurely implemented CAPTCHA is a manual process, and an\ninsecurely implemented CAPTCHA could allow a cyber-criminal a means to\nabuse these sensitive actions."
  },
  {
    "path": "db/en/description/50.md",
    "content": "Web applications occasionally use parameter values to store the\naddress of the page to which the client will be redirected -- for\nexample: `yoursite.com/page.asp?redirect=www.yoursite.com/404.asp`\n\nAn\nunvalidated redirect occurs when the client is able to modify the\naffected parameter value in the request and thus control the location\nof the redirection. For example, the following URL\n`yoursite.com/page.asp?redirect=www.anothersite.com` will redirect to\n`www.anothersite.com`.\n\nCyber-criminals will abuse these\nvulnerabilities in social engineering attacks to get users to\nunknowingly visit malicious web sites.\n\nThe tool has discovered that\nthe server does not validate the parameter value prior to redirecting\nthe client to the injected value."
  },
  {
    "path": "db/en/description/51.md",
    "content": "Web applications occasionally use client-side (DOM) values, such as\nthe URL fragment, to store the address of the page to which the client\nwill be redirected -- for example:\n`yoursite.com/#/?redirect=www.yoursite.com/404.asp`\n\nAn\nunvalidated redirect occurs when the client is able to modify the\naffected parameter value and thus control the location of the\nredirection. For example, the following URL\n`yoursite.com/#/?redirect=www.anothersite.com` will redirect to\n`www.anothersite.com`. Because the fragment is never sent to the\nserver, the redirect is performed entirely by JavaScript in the page,\nso the server's logs and any server-side validation never see the\ninjected value.\n\nCyber-criminals will abuse these vulnerabilities in\nsocial engineering attacks to get users to unknowingly visit malicious\nweb sites.\n\nThe tool has discovered that the web page does not validate\nthe parameter value prior to redirecting the client to the injected\nvalue."
  },
  {
    "path": "db/en/description/52.md",
    "content": "Web Distributed Authoring and Versioning (WebDAV) is a facility that\nenables basic file management (reading and writing) on a web server.\nIt essentially allows the webserver to be mounted by the client as a\ntraditional file system, allowing users a very simple means to\naccess it as they would any other medium or network share.\n\nIf\ndiscovered, attackers will attempt to harvest information from the\nWebDAV enabled directories, or even upload malicious files that could\nthen be used to compromise the server.\n\nThe tool discovered that the\naffected page allows WebDAV access. This was discovered as the server\nallowed several methods that are specific to WebDAV (`PROPFIND`,\n`PROPPATCH`, etc.); however, further testing should be conducted on\nthe WebDAV component specifically, as the tool does not support this\nfeature."
  },
  {
    "path": "db/en/description/53.md",
    "content": "Clickjacking (User Interface redress attack, UI redress attack, UI\nredressing) is a malicious technique of tricking a Web user into\nclicking on something different from what the user perceives they are\nclicking on, thus potentially revealing confidential information or\ntaking control of their computer while clicking on seemingly innocuous\nweb pages.\n\nThe server didn't return an `X-Frame-Options` header which\nmeans that this website could be at risk of a clickjacking attack.\nThe `X-Frame-Options` HTTP response header can be used to indicate\nwhether or not a browser should be allowed to render a page inside a\nframe or iframe. Sites can use this to avoid clickjacking attacks, by\nensuring that their content is not embedded into other sites."
  },
  {
    "path": "db/en/description/54.md",
    "content": "XML Path Language (XPath) queries are used by web applications for\nselecting nodes from XML documents. Once selected, the value of these\nnodes can then be used by the application.\n\nA simple example for the\nuse of XML documents is to store user information. As part of the\nauthentication process, the application will perform an XPath query to\nconfirm the login credentials and retrieve that user's information to\nuse in the following request.\n\nXPath injection occurs where untrusted\ndata is used to build XPath queries.\n\nCyber-criminals may abuse this\ninjection vulnerability to bypass authentication, query other users'\ninformation, or, if the XML document contains privileged user\ncredentials, allow the cyber-criminal to escalate their privileges.\n\nThe tool injected special XPath query characters into the page and,\nbased on the responses from the server, has determined that the page\nis vulnerable to XPath injection."
  },
  {
    "path": "db/en/description/55.md",
    "content": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the formatting of text) up\nto full manipulation of client-side data and Operating System\ninteraction.\n\n\n\nCross Site Scripting (XSS) allows clients to inject arbitrary scripting\ncode into a request and have the server return the script to the\nclient in the response. This occurs because the application is taking\nuntrusted data (in this example, from the client) and reusing it\nwithout performing any validation or encoding."
  },
  {
    "path": "db/en/description/56.md",
    "content": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the formatting of text) up\nto full manipulation of client-side data and Operating System\ninteraction.\n\nUnlike traditional Cross-Site Scripting (XSS), where the\nclient is able to inject scripts into a request and have the server\nreturn the script to the client, DOM XSS does not require that a\nrequest be sent to the server and may be abused entirely within the\nloaded page.\n\nThis occurs when elements of the DOM (known as the\nsources) are able to be manipulated to contain untrusted data, which\nthe client-side scripts (known as the sinks) use or execute in an\nunsafe way."
  },
  {
    "path": "db/en/description/6.md",
    "content": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up into two\nflavours. These are client-side languages (such as those that run in\nthe browser -- like JavaScript) and server-side languages (which are\nexecuted by the server -- like ASP, PHP, JSP, etc.) to form the\ndynamic pages (client-side code) that are then sent to the client.\nBecause all server-side code should be executed by the server, it\nshould only ever come from a trusted source.\n\nCode injection occurs\nwhen the server takes untrusted code (i.e. from the client) and\nexecutes it.\n\nCyber-criminals will abuse this weakness to execute\narbitrary code on the server, which could result in complete server\ncompromise.\n\nThe tool was able to inject specific server-side code and\nhave the executed output from the code contained within the server\nresponse. This indicates that proper input sanitisation is not\noccurring."
  },
  {
    "path": "db/en/description/63.md",
    "content": "The `TRACE` HTTP method allows a client to send a request to the\nserver, and have the same request then sent back in the server's\nresponse. This allows the client to determine if the server is\nreceiving the request as expected or if specific parts of the request\nare not arriving as expected, for example because of incorrect encoding\nor because a load balancer has filtered or changed a value. On many\ndefault installations the `TRACE` method is still enabled.\n\nWhile not\nvulnerable by itself, it does provide a method for cyber-criminals to\nbypass the `HTTPOnly` cookie flag, and therefore could allow an XSS\nattack to successfully access a session token.\n\nThe tool has discovered\nthat the affected page permits the HTTP `TRACE` method."
  },
  {
    "path": "db/en/description/64.md",
    "content": "An XML External Entity attack is a type of attack against an\napplication that parses XML input.\n\nThis attack occurs when XML input\ncontaining a reference to an external entity is processed by a weakly\nconfigured XML parser.\n\nThis attack may lead to the disclosure of\nconfidential data, denial of service, port scanning from the\nperspective of the machine where the parser is located, and other\nsystem impacts."
  },
  {
    "path": "db/en/description/65.md",
    "content": "Many web applications allow users to upload files that will either be\nstored or processed by the receiving web server.\n\n\n\nIt was possible to identify a form which allows files with arbitrary\ncontent and extension to be uploaded to the remote server, which then\nstores the uploaded file at a guessable path in the server's web root.\n\n\n\nThis could be used by a cyber-criminal to host content from the vulnerable\nserver for phishing and Cross-Site Scripting attacks. In cases where the\nserver is configured to execute scripts (PHP, Ruby, etc.) this\nvulnerability can be used to gain remote code execution on the server."
  },
  {
    "path": "db/en/description/66.md",
    "content": "The server accepts SSL connections which use the insecure SSLv2\nprotocol. SSLv2 is an old implementation of the Secure Sockets Layer\nprotocol which suffers from a number of security flaws allowing attackers\nto capture and alter information passed between a client and the server.\n\n\n\nSSLv2 has been deprecated and is no longer recommended. Note that\nneither SSLv2 nor SSLv3 meet the U.S. FIPS 140-2 standard, which governs\ncryptographic modules for use in federal information systems. Only the\nnewer TLS (Transport Layer Security) protocol meets FIPS 140-2\nrequirements."
  },
  {
    "path": "db/en/description/67.md",
    "content": "The server's TLS/SSL certificate is self-signed. Self-signed\ncertificates are not trusted by browsers and other HTTP clients,\nespecially because TLS/SSL man-in-the-middle attacks typically use\nself-signed certificates to eavesdrop on TLS/SSL connections."
  },
  {
    "path": "db/en/description/68.md",
    "content": "GNU Bash through 4.3 processes trailing strings after function\ndefinitions in the values of environment variables, which allows remote\nattackers to execute arbitrary code via a crafted environment, as\ndemonstrated by vectors involving the ForceCommand feature in OpenSSH\nsshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts\nexecuted by unspecified DHCP clients, and other situations in which\nsetting the environment occurs across a privilege boundary from Bash\nexecution, aka 'ShellShock'."
  },
  {
    "path": "db/en/description/69.md",
    "content": "Incorrect permissions and/or missing authentication were discovered on\nFrontPage extensions used for publishing content.\n\n\n\nA cyber-criminal might use this vulnerability to deface web sites and\npotentially gain remote code execution on the server."
  },
  {
    "path": "db/en/description/70.md",
    "content": "Client-side scripts are used extensively by modern web applications.\nThey perform from simple functions (such as the formatting of text) up\nto full manipulation of client-side data and Operating System\ninteraction.\n\n\n\nCross Site Scripting (XSS) allows clients to inject arbitrary scripting\ncode into a request and have the server return the script to the\nclient in the response. This occurs because the application is taking\nuntrusted data (in this example, from the client) and reusing it\nwithout performing any validation or encoding.\n\n\n\nPersistent Cross Site Scripting vulnerabilities occur when the application\nstores user controlled information and then uses it to render HTTP\nresponse bodies to other clients.\n\n\n\nThis type of vulnerability can be used by a cyber-criminal to perform\nsession hijacking, phishing or denial of service attacks against other\nweb application users."
  },
  {
    "path": "db/en/description/71.md",
    "content": "The reflected file download vulnerability is an application weakness\nwhich allows a cyber-criminal to perform advanced social engineering\nattacks where an arbitrary executable file is downloaded by the user from\na vulnerable site. The contents of the executable file are controlled by\nthe attacker and are never uploaded to the vulnerable site.\n\n\n\nThis vulnerability, like many other Web attacks, begins by sending a\nmalicious link to a victim. Unlike other attacks, the exploitation finishes\noutside of the browser context:\n\n\n\n1. The user follows a malicious link to a trusted web site\n\n2. An executable file is downloaded and saved on the user's machine.\nAll security indicators show that the file is 'hosted' on the trusted web\nsite\n\n3. The user executes the file which contains shell commands that gain\ncomplete control over the computer."
  },
  {
    "path": "db/en/description/72.md",
    "content": "The `cache-control` and `pragma` HTTP headers have not been set properly,\nallowing the browser and proxies to cache the HTTP response."
  },
  {
    "path": "db/en/description/73.md",
    "content": "Information Leakage is an application weakness where an application\nreveals sensitive data, such as technical details of the web application,\nenvironment, or user-specific data. Sensitive data may be used by an\nattacker to exploit the target web application, its hosting network,\nor its users.\n\n\n\nIn its most common form, information leakage is the result of one or more\nof the following conditions:\n\n* A failure to scrub out HTML/Script comments containing sensitive\ninformation\n\n* Improper application or server configurations\n\n* Improper application error handling\n"
  },
  {
    "path": "db/en/description/74.md",
    "content": "The web user interface (UI) does not properly represent critical\ninformation to the user, allowing the information - or its source -\nto be obscured or spoofed. This is often a component in phishing attacks.\n\n\n\nIf an attacker can cause the UI to display erroneous data, or to otherwise\nconvince the user to display information that appears to come from a\ntrusted source, then the attacker could trick the user into performing the\nwrong action. An example of this vulnerability is the possibility to\ncontrol the `src` attribute of an iframe tag using a query string\nparameter."
  },
  {
    "path": "db/en/description/75.md",
    "content": "Web Applications often have predictable usernames and weak password policies set.\nThis can easily allow an attacker to gain unauthorized access into the application\nby guessing the credentials used for authentication.\n\nIt was possible to guess and\ngain a set of valid credentials for the application in scope."
  },
  {
    "path": "db/en/description/76.md",
    "content": "'X-Content-Type-Options' is a type of HTTP header that can be used to prevent MIME\ncontent-sniffing attacks in Internet Explorer and Google Chrome. MIME content-sniffing\nis a mechanism that allows browsers to inspect and dynamically guess the content\ntype and file type.\n\nThe MIME sniffing algorithm has known problems which\nmight allow users to upload files that might contain malicious code. If an attacker\ncan spoof a file type/content and upload it to the application successfully, it is\npossible to inject malicious code which can be downloaded and viewed by other\nusers of the application. This can lead to attacks such as persistent Cross-Site Scripting."
  },
  {
    "path": "db/en/description/77.md",
    "content": "Basic Access Authentication is an authentication method which uses base64 encoding\nand transmits login credentials in cleartext between a server and client. This is\nconsidered insecure because credentials are transmitted over unencrypted channels\nwhich makes it vulnerable to network eavesdropping attacks. Furthermore, base64\nencoding is considered weak because it can be easily decoded to reveal the original\ncontent.\n\nIf an application requires authentication, it will send a `WWW-Authenticate`\nheader with a `401 Unauthorized` HTTP status code. Then, the client will need to send\nthe server credentials through an `Authorization` header. The credentials are transmitted\nas a 'name:password' string format in the header. A well-positioned attacker can capture\nthe usernames and passwords by sniffing traffic coming to these services."
  },
  {
    "path": "db/en/description/8.md",
    "content": "A modern web application will be reliant on several different\nprogramming languages.\n\nThese languages can be broken up into two\nflavours. These are client-side languages (such as those that run in\nthe browser -- like JavaScript) and server-side languages (which are\nexecuted by the server -- like ASP, PHP, JSP, etc.) to form the\ndynamic pages (client-side code) that are then sent to the client.\nBecause all server-side code should be executed by the server, it\nshould only ever come from a trusted source.\n\nCode injection occurs\nwhen the server takes untrusted code (i.e. from the client) and\nexecutes it.\n\nCyber-criminals will abuse this weakness to execute\narbitrary code on the server, which could result in complete server\ncompromise."
  },
  {
    "path": "db/en/description/9.md",
    "content": "Web applications are often made up of multiple files and directories.\nIt is possible that over time some directories may become unreferenced\n(unused) by the web application and forgotten about by the\nadministrator/developer. Because web applications are built using\ncommon frameworks, they contain common directories that can be\ndiscovered (independent of server).\n\nDuring the initial recon stages\nof an attack, cyber-criminals will attempt to locate unreferenced\ndirectories in the hope that the directory will assist in further\ncompromise of the web application. To achieve this they will make\nthousands of requests using word lists containing common names. The\nresponse headers from the server will then indicate if the directory\nexists.\n\nThe tool also contains a list of common directory names which\nit will attempt to access."
  },
  {
    "path": "db/en/fix/1.md",
    "content": "The only proven method to prevent against SQL injection attacks while\nstill maintaining full application functionality is to use\nparameterized queries (also known as prepared statements). When\nutilising this method of querying the database, any value supplied by\nthe client will be handled as a string value rather than part of the\nSQL query.\n\nAdditionally, when utilising parameterized queries, the\ndatabase engine will automatically check to make sure the string being\nused matches that of the column. For example, the database engine will\ncheck that the user supplied input is an integer if the database\ncolumn is configured to contain integers."
  },
  {
    "path": "db/en/fix/10.md",
    "content": "If files are unreferenced then they should be removed from the web\nroot and/or the application directory.\n\nPreventing access without authentication may also be an option and\ncan stop a client from being able to view the contents of a file,\nhowever it is still likely that the directory structure will be\nable to be discovered.\n\nUsing obscure file names is implementing security through\nobscurity and is not a recommended option."
  },
  {
    "path": "db/en/fix/11.md",
    "content": "It is recommended that untrusted data is never used to form the\ncontents of the response header.\n\nWhere any untrusted source is required to be used in the response\nheaders, it is important to ensure that any hazardous characters\n(`\\r`, `\\n` and potentially others) are sanitised prior to being\nused.\n\nThis is especially important when setting cookie values,\nredirecting, etc."
  },
  {
    "path": "db/en/fix/12.md",
    "content": "Create a new TLS/SSL certificate, request a trusted certificate\nauthority (CA) to sign it and replace the self-signed certificate with\nthe newly generated one."
  },
  {
    "path": "db/en/fix/13.md",
    "content": "It is recommended that untrusted data is never used to form a file\nlocation to be included.\n\nTo validate data, the application should ensure that the supplied\nvalue for a file is permitted. This can be achieved by performing\nwhitelisting on the parameter value, by matching it against a list\nof permitted files. If the supplied value does not match any value\nin the whitelist, then the server should redirect to a standard\nerror page.\n\nIn some scenarios, where dynamic content is being requested, it may\nnot be possible to perform validation against a list of trusted resources,\ntherefore the list must also become dynamic (updated as the files change),\nor perform filtering to remove extraneous user input (such as semicolons,\nperiods etc.) and only permit `a-z0-9`.\n\nIt is also advised that sensitive files are not stored within the\nweb root and that the user permissions enforced by the directory\nare correct."
  },
  {
    "path": "db/en/fix/14.md",
    "content": "Other methods of authentication, like cookie-based authentication, must be\nused as a replacement. This can still be considered insecure if credentials are\nsubmitted in clear text. TLS Encryption must be used when transmitting sensitive\ninformation."
  },
  {
    "path": "db/en/fix/15.md",
    "content": "The most important remediation action is to prevent the server from\naccepting client supplied data as session tokens.\n\nAdditionally, the client's session token should be changed at specific\nkey stages of the application flow, such as during authentication.\nThis will ensure that even if clients are able to set their own cookie,\nit will not persist into an authenticated session."
  },
  {
    "path": "db/en/fix/16.md",
    "content": "Analyze the objects using manual analysis techniques such as\na local proxy, decompilation or reverse engineering."
  },
  {
    "path": "db/en/fix/17.md",
    "content": "Configure your web server to include an `X-Frame-Options` header."
  },
  {
    "path": "db/en/fix/18.md",
    "content": "The `autocomplete` value can be configured in two different locations.\nThe first and most secure location is to disable the `autocomplete`\nattribute on the `<form>` HTML tag. This will disable `autocomplete`\nfor all inputs within that form. An example of disabling\n`autocomplete` within the form tag is `<form autocomplete=off>`.\n\nThe second slightly less desirable option is to disable the `autocomplete`\nattribute for a specific `<input>` HTML tag. While this may be the\nless desired solution from a security perspective, it may be the preferred\nmethod for usability reasons, depending on the size of the form. An\nexample of disabling the `autocomplete` attribute within a password\ninput tag is `<input type=password autocomplete=off>`."
  },
  {
    "path": "db/en/fix/19.md",
    "content": "It is recommended that untrusted data is never used to form a command\nto be executed by the OS.\n\nTo validate data, the application should ensure that the supplied value\ncontains only the characters that are required to perform the\nrequired action.\n\nFor example, where the form field expects an IP address, only numbers\nand periods should be accepted. Additionally, all control operators\n(`&`, `&&`, `|`, `||`, `$`, `\\`, `#`) should be explicitly denied\nand never accepted as valid input by the server."
  },
  {
    "path": "db/en/fix/2.md",
    "content": "It is recommended that untrusted data is never used to form an LDAP\nquery.\n\nTo validate data, the application should ensure that the\nsupplied value contains only the characters that are required to\nperform the required action. For example, where a username is\nrequired, then no non-alphanumeric characters should be accepted.\n\nIf this is not possible, special characters should be escaped so they are\ntreated accordingly. The following characters should be escaped with a\nback-slash:\n\n* `&`\n* `!`\n* `|`\n* `=`\n* `<`\n* `>`\n* `,`\n* `+`\n* `-`\n* `\"`\n* `'`\n* `;`\n\nAdditional character filtering must be applied to:\n\n* `(`\n* `)`\n* `\\`\n* `/`\n* `*`\n* `NULL`\n\nThese characters require ASCII escaping."
  },
  {
    "path": "db/en/fix/20.md",
    "content": "To remedy XSS vulnerabilities, it is important to never use untrusted\nor unfiltered data within the code of an HTML page.\n\nUntrusted data can originate not only from the client but potentially\na third party or previously uploaded file etc. Filtering of untrusted\ndata typically involves converting special characters to their HTML\nentity encoded counterparts (however, other methods do exist, see\nreferences). These special characters include:\n\n\n* `&`\n* `<`\n* `>`\n* `\"`\n* `'`\n* `/`\n\nAn example of HTML entity encoding is converting `<` to `&lt;`. Although\nit is possible to filter untrusted input, there are five locations\nwithin an HTML page where untrusted input (even if it has been\nfiltered) should never be placed:\n\n\n1. Directly in a script.\n2. Inside an HTML comment.\n3. In an attribute name.\n4. In a tag name.\n5. Directly in CSS.\n\nEach of these locations has its own form of escaping and filtering.\n\n_Because many browsers attempt to implement XSS protection, any manual\nverification of this finding should be conducted using multiple different\nbrowsers and browser versions._"
  },
  {
    "path": "db/en/fix/21.md",
    "content": "Do not keep obsolete versions of files under the virtual web server\nroot.\n\nWhen updating the site, delete or move the files to a directory\noutside the virtual root, edit them there, and move (or copy) the\nfiles back to the virtual root. Make sure that only the files that are\nactually in use reside under the virtual root.\n\nPreventing access without authentication may also be an option and\nstop a client from being able to view the contents of a file, however it\nis still likely that the filenames will be able to be discovered.\n\nUsing obscure filenames is only implementing security through\nobscurity and is not a recommended option."
  },
  {
    "path": "db/en/fix/22.md",
    "content": "Identifying the context in which the affected page displays a Private\nIP address is necessary.\n\nIf the page is publicly accessible and displays the Private IP of the\naffected server (or supporting infrastructure), then measures should\nbe put in place to ensure that the IP address is removed from any response."
  },
  {
    "path": "db/en/fix/23.md",
    "content": "Where possible the HTTP `PUT` method should be globally disabled. This\ncan typically be done with a simple configuration change on the\nserver. The steps to disable the `PUT` method will differ depending on\nthe type of server being used (IIS, Apache, etc.).\n\nFor cases where the `PUT` method is required to meet application\nfunctionality, such as REST style web services, strict limitations\nshould be implemented to ensure that only secure (SSL/TLS enabled)\nand authorised clients are permitted to use the `PUT` method.\n\nAdditionally, the server's file system permissions should also\nenforce strict limitations."
  },
  {
    "path": "db/en/fix/24.md",
    "content": "The preferred way to protect against XPath injection is to utilise\nparameterized (also known as prepared) XPath queries. When utilising\nthis method of querying the XML document any value supplied by the\nclient will be handled as a string rather than part of the XPath\nquery.\n\nAn alternative to parameterized queries is to use precompiled\nXPath queries. Precompiled XPath queries are not generated dynamically\nand will therefore never process user supplied input as XPath."
  },
  {
    "path": "db/en/fix/25.md",
    "content": "The HTTP `TRACE` method is normally not required within production\nsites and should therefore be disabled.\n\nDepending on the function being performed by the web application,\nthe risk level can start low and increase as more functionality\nis implemented.\n\nThe remediation is typically a very simple configuration change\nand in most cases will not have any negative impact on the server\nor application."
  },
  {
    "path": "db/en/fix/26.md",
    "content": "The initial steps to remedy this should be determined on whether the\ncookie is sensitive in nature. If the cookie does not contain any\nsensitive information then the risk of this vulnerability is reduced;\nhowever, if the cookie does contain sensitive information, then the\nserver should ensure that the cookie has its `secure` flag set."
  },
  {
    "path": "db/en/fix/27.md",
    "content": "1. Explicitly set the `filename` attribute in the `Content-Disposition`\nHTTP response header.\n\n2. Perform strict whitelist validation on user input before using it\nin the creation of HTTP response bodies.\n"
  },
  {
    "path": "db/en/fix/28.md",
    "content": "Initially, the SSN within the response should be checked to ensure its\nvalidity, as it is possible that the regular expression has matched a\nsimilar number with no relation to a real SSN.\n\nIf the response does contain a valid SSN, then all efforts should be\ntaken to remove or further protect this information. This can be\nachieved by removing the SSN altogether or by masking the number\nso that only the last few digits are present within the response\n(e.g. _**********123_)."
  },
  {
    "path": "db/en/fix/29.md",
    "content": "The application should ensure that the supplied value for a redirect\nis permitted. This can be achieved by performing whitelisting on the\nparameter value.\n\nThe whitelist should contain a list of pages or\nsites that the application is permitted to redirect users to. If the\nsupplied value does not match any value in the whitelist then the\nserver should redirect to a standard error page."
  },
  {
    "path": "db/en/fix/3.md",
    "content": "E-mail addresses should be presented in such a way\nthat it is hard to process them automatically."
  },
  {
    "path": "db/en/fix/30.md",
    "content": "The initial step to remedy this would be to determine whether any\nclient-side scripts (such as JavaScript) need to access the cookie and\nif not, set the `HttpOnly` flag.\n\nAdditionally, it should be noted\nthat some older browsers are not compatible with the `HttpOnly` flag,\nand therefore setting this flag will not protect those clients against\nthis form of attack."
  },
  {
    "path": "db/en/fix/31.md",
    "content": "1. Change the permissions on directories and files accessible via IIS\n\n2. Setup authentication and authorization for FrontPage extension access"
  },
  {
    "path": "db/en/fix/32.md",
    "content": "If manual confirmation reveals that a web backdoor or web shell does\nexist on the server, then it should be removed. It is also recommended\nthat an incident response investigation be conducted on the server to\nestablish how the web backdoor or web shell came to end up on the\nserver.\n\nDepending on the environment, investigation into the\ncompromise of any other services or servers should be conducted."
  },
  {
    "path": "db/en/fix/33.md",
    "content": "Upgrade Bash to version 4.3.025 or newer"
  },
  {
    "path": "db/en/fix/34.md",
    "content": "Change the web server configuration in order to disable SSLv2"
  },
  {
    "path": "db/en/fix/35.md",
    "content": "* Review the generated HTML source and ensure that none of its sections\ncan be used in a UI misrepresentation attack.\n\n* Perform strict data validation (e.g. syntax, length, etc.) before\nusing the user-provided data to render HTML pages.\n"
  },
  {
    "path": "db/en/fix/36.md",
    "content": "Carefully evaluate which sites will be allowed to make cross-domain\ncalls.\n\nConsider network topology and any authentication mechanisms\nthat will be affected by the configuration or implementation of the\ncross-domain policy."
  },
  {
    "path": "db/en/fix/37.md",
    "content": "Although no remediation may be required based on this finding alone,\nmanual testing should ensure that:\n\n1. The server keeps track of CAPTCHA tokens in use and has the token\nterminated after its first use or after a period of time, thereby\npreventing replay attacks.\n\n2. The CAPTCHA answer is not hidden in plain text within the response\nthat is sent to the client.\n\n3. The CAPTCHA image is not weak and easily solved.\n"
  },
  {
    "path": "db/en/fix/38.md",
    "content": "If the pages being protected are not required for the functionality of\nthe web application they should be removed, otherwise, it is\nrecommended that basic and basic realm authentication are not used to\nprotect pages requiring authentication.\n\nIf NTLM based basic\nauthentication must be used, then default server and domain accounts\nsuch as `administrator` and `root` should be disabled, as these will\nundoubtedly be the first accounts to be targeted in any such attack.\nAdditionally, the webserver should not be joined to any corporate\ndomain where usernames are readily available (such as from email\naddresses). If the pages are required, and it is possible to remove\nthe basic authentication, then a stronger and more resilient\nform-based authentication mechanism should be implemented to protect\nthe affected pages."
  },
  {
    "path": "db/en/fix/39.md",
    "content": "It is recommended that a whitelisting approach be taken to explicitly\npermit the HTTP methods required by the application and block all\nothers.\n\nTypically the only HTTP methods required for most\napplications are `GET` and `POST`. All other methods perform actions\nthat are rarely required or perform actions that are inherently risky.\nThese risky methods (such as `PUT`, `DELETE`, etc.) should be protected\nby strict limitations, such as ensuring that the channel is secure\n(SSL/TLS enabled) and only authorised and trusted clients are\npermitted to use them."
  },
  {
    "path": "db/en/fix/4.md",
    "content": "All pages and/or resources on the affected site should be secured\nequally, utilising the latest and most secure encryption protocols.\nThese include SSL version 3.0 and TLS version 1.2.\n\nWhile TLS 1.2 is the latest and the most preferred protocol, not all browsers will\nsupport this encryption method. Therefore, the more common SSL is\nincluded. Older protocols such as SSL version 2, and weak ciphers (<\n128 bit) should also be disabled."
  },
  {
    "path": "db/en/fix/40.md",
    "content": "The first step to remediation is to identify the context in which the\ncookie is being set and determine if it is required by the whole\ndomain, or just the specific host being tested.\n\nIf it is only\nrequired by the host, then the domain flag should be set as such.\nDepending on the framework being used, the configuration of this flag\nwill be modified in different ways."
  },
  {
    "path": "db/en/fix/41.md",
    "content": "Unless the web server is being utilised to share static and\nnon-sensitive files, enabling directory listing is considered a poor\nsecurity practice.\n\nDisabling it can typically be done with a simple\nconfiguration change on the server. The steps to disable the directory\nlisting will differ depending on the type of server being used (IIS,\nApache, etc.). If directory listing is required, and permitted, then\nsteps should be taken to ensure that the risk of such a configuration\nis reduced.\n\nThese can include:\n\n1. Requiring authentication to access affected pages.\n\n2. Adding the affected path to the `robots.txt` file to prevent the\ndirectory contents being searchable via search engines.\n\n3. Ensuring that sensitive files are not stored within the\nweb or document root.\n\n4. Removing any files that are not required for the application to\nfunction.\n"
  },
  {
    "path": "db/en/fix/42.md",
    "content": "* Ensure that the application source handles exceptions and errors in\nsuch a way that no sensitive information is disclosed to the users.\n\n* Configure the application server to handle and log any exceptions\nthat the application might yield.\n"
  },
  {
    "path": "db/en/fix/43.md",
    "content": "Since the whole XML document is communicated from an untrusted client,\nit's not usually possible to selectively validate or escape tainted\ndata within the system identifier in the DTD.\n\nTherefore, the XML\nprocessor should be configured to use a local static DTD and disallow\nany declared DTD included in the XML document."
  },
  {
    "path": "db/en/fix/44.md",
    "content": "Based on the risk (determined by manual verification) of whether the\nform submission performs a sensitive action, the addition of anti-CSRF\ntokens may be required.\n\nThese tokens can be configured in such a way\nthat each session generates a new anti-CSRF token or such that each\nindividual request requires a new token.\n\nIt is important that the\nserver track and maintain the status of each token (in order to reject\nrequests accompanied by invalid ones) and therefore prevent\ncyber-criminals from knowing, guessing or reusing them.\n\n_For examples\nof framework specific remediation options, please refer to the\nreferences._"
  },
  {
    "path": "db/en/fix/45.md",
    "content": "All CORS requests include the `Origin` header which indicates\nthe source domain name. Create a server-side list of trusted\ndomains which can consume the CORS resources and when a request is\nreceived set the `Access-Control-Allow-Origin` response header\nto the right value from the list matching the `Origin` request header."
  },
  {
    "path": "db/en/fix/46.md",
    "content": "Remediation actions may be vastly different depending on the framework\nbeing used, and how the application has been coded. However, the\norigin header should never be used to validate a client's access as it\nis trivial to change."
  },
  {
    "path": "db/en/fix/47.md",
    "content": "It is recommended that untrusted input is never processed as\nserver-side code.\n\nTo validate input, the application should ensure\nthat the supplied value contains only the data that are required to\nperform the relevant action.\n\nFor example, where a username is\nrequired, non-alphabetic characters should not be accepted."
  },
  {
    "path": "db/en/fix/48.md",
    "content": "Depending on the framework being used the implementation methods will\nvary; however, it is advised that the `Strict-Transport-Security`\nheader be configured on the server.\n\nOne of the options for this\nheader is `max-age`, which is a representation (in milliseconds)\ndetermining the time in which the client's browser will adhere to the\nheader policy.\n\nDepending on the environment and the application this\ntime period could be from as low as minutes to as long as days."
  },
  {
    "path": "db/en/fix/49.md",
    "content": "CVS and/or SVN information should not be displayed to the end user.\nThis can be achieved by removing this information altogether prior\nto deployment, or by putting this information into a server-side (PHP,\nASP, JSP, etc) code comment block, as opposed to an HTML comment."
  },
  {
    "path": "db/en/fix/5.md",
    "content": "The identified form handler should at a minimum:\n\n1. Whitelist permitted file types and block all others. This should be\nconducted on the MIME type of the file rather than its extension.\n\n2. As the file is uploaded, and prior to being handled (written to the\ndisk) by the server, the filename should be stripped of all control,\nspecial, or Unicode characters.\n\n3. Ensure that the upload is conducted via the HTTP `POST` method rather\nthan `GET` or `PUT`.\n\n4. Ensure that the file is written to a directory that does not hold\nany execute permission and that all files within that directory inherit\nthe same permissions.\n\n5. Scan (if possible) with an up-to-date virus scanner before being\nstored.\n\n6. Ensure that the application handles files as per the host operating\nsystem. For example, the length of the file name is appropriate, there\nis adequate space to store the file, protection against overwriting\nother files etc."
  },
  {
    "path": "db/en/fix/50.md",
    "content": "Ensure that the `Cache-Control` HTTP response header is set to\n`no-cache, no-store` and that the `Pragma` header is set to `no-cache`."
  },
  {
    "path": "db/en/fix/51.md",
    "content": "The preferred configuration is to prevent the use of unauthorised HTTP\nmethods by utilising the `<LimitExcept>` directive.\n\nThis directive\nuses a whitelisting approach to permit HTTP methods while blocking all\nothers not listed in the directive, and will therefore block any method\ntampering attempts.\n\nMost commonly, the only HTTP methods required\nare `GET` and `POST`. An example of permitting these\nHTTP methods is: `<LimitExcept POST GET> require valid-user\n</LimitExcept>`"
  },
  {
    "path": "db/en/fix/52.md",
    "content": "Whether a WebDAV server is actually required should be\ndetermined. If it is not required then it should be disabled. However,\nif it is required to meet the application functionality, then it\nshould be protected by SSL/TLS as well as the implementation of a\nstrong authentication mechanism."
  },
  {
    "path": "db/en/fix/53.md",
    "content": "The `X-Content-Type-Options: nosniff` header should be implemented; it\nallows a web server to force the browser into disabling MIME sniffing\nfor a served file. With the nosniff option the browser will only load an\nexternal resource if the `Content-Type` matches what is expected of the file type."
  },
  {
    "path": "db/en/fix/54.md",
    "content": "Do not have any default credentials set on the application. Any known usernames\nor passwords associated with the application framework should also be removed.\nFurthermore, web applications should implement a strong password policy consisting\nof a combination of alphanumeric characters and a minimum length of 8 characters."
  },
  {
    "path": "db/en/fix/55.md",
    "content": "If directories are unreferenced then they should be removed from the\nweb root and/or the application directory.\n\nPreventing access without\nauthentication may also be an option and can stop a client from being\nable to view the contents of a file; however, it is still likely that\nthe directory structure can be discovered.\n\nUsing obscure\ndirectory names is security through obscurity and is not\na recommended option."
  },
  {
    "path": "db/en/fix/56.md",
    "content": "It is important that input sanitisation be conducted to prevent\napplication files (ASP, JSP, PHP or config files) from being called.\nIt is also important that the file system permissions are correctly\nconfigured and that all unused files are removed from the web root.\nIf these are not an option, then the vulnerable file should be removed\nfrom the server."
  },
  {
    "path": "db/en/fix/57.md",
    "content": "Initially, the credit card number within the response should be\nchecked to ensure its validity, as it is possible that the regular\nexpression has matched on a similar number with no relation to a real\ncredit card.\n\nIf the response does contain a valid credit card number,\nthen all efforts should be taken to remove or further protect this\ninformation. This can be achieved by removing the credit card number\naltogether, or by masking the number so that only the last few digits\nare present within the response (e.g. _**********123_).\n\nAdditionally,\ncredit card numbers should not be stored by the application, unless\nthe organisation also complies with other security controls as\noutlined in the Payment Card Industry Data Security Standard (PCI-\nDSS)."
  },
  {
    "path": "db/en/fix/6.md",
    "content": "The most effective remediation against NoSQL injection attacks is to\nensure that NoSQL API calls are not constructed via string\nconcatenation that includes unsanitized data.\n\nSanitization is best achieved using existing escaping libraries."
  },
  {
    "path": "db/en/fix/7.md",
    "content": "Manually inspect the HTTP response status code and body"
  },
  {
    "path": "db/en/fix/8.md",
    "content": "The affected site should be secured utilising the latest and most\nsecure encryption protocols. These include SSL version 3.0 and TLS\nversion 1.2. While TLS 1.2 is the latest and the most preferred\nprotocol, not all browsers will support this encryption method.\nTherefore, the more common SSL is included. Older protocols such as\nSSL version 2, and weak ciphers (< 128 bit) should also be disabled."
  },
  {
    "path": "db/en/fix/9.md",
    "content": "Client-side document rewriting, redirection, or other sensitive\naction, using untrusted data, should be avoided wherever possible, as\nthese may not be inspected by server side filtering.\n\nTo remedy DOM XSS vulnerabilities where these sensitive document actions\nmust be used, it is essential to:\n\n1. Ensure any untrusted data is treated as text, as opposed to being\ninterpreted as code or mark-up within the page.\n\n2. Escape untrusted data prior to being used within the page. Escaping\nmethods will vary depending on where the untrusted data is being used.\n(See references for details.)\n\n3. Use `document.createElement`, `element.setAttribute`,\n`element.appendChild`, etc. to build dynamic interfaces as opposed\nto HTML rendering methods such as `document.write`,\n`document.writeln`, `element.innerHTML`, or `element.outerHTML`, etc.\n"
  },
  {
    "path": "schema.json",
    "content": "{\n  \"$schema\": \"http://json-schema.org/draft-04/schema#\",\n  \"type\": \"object\",\n  \"title\": \"Vulnerability schema\",\n  \"description\": \"This schema describes the json format for a vulnerability\",\n  \"definitions\": {\n    \"multiString\": {\n      \"oneof\": [\n        {\n          \"type\": \"string\",\n          \"maxLength\": 90,\n          \"minLength\": 30\n        },\n        {\n          \"type\": \"array\",\n          \"minItems\": 1,\n          \"items\": {\n            \"type\": \"string\",\n            \"maxLength\": 90\n          }\n        }\n      ]\n    }\n  },\n  \"properties\": {\n    \"id\": {\n      \"type\": \"integer\",\n      \"title\": \"Vulnerability unique id\",\n      \"minimum\": 1\n    },\n    \"title\": {\n      \"type\": \"string\",\n      \"title\": \"Vulnerability title\",\n      \"minLength\": 4,\n      \"maxLength\": 255\n    },\n    \"description\": {\n      \"title\": \"A very long description for vulnerability\",\n      \"$ref\": \"#/definitions/multiString\"\n    },\n    \"severity\": {\n      \"type\": \"string\",\n      \"title\": \"Vulnerability severity\",\n      \"enum\": [\n        \"high\",\n        \"medium\",\n        \"low\",\n        \"informational\"\n      ]\n    },\n    \"wasc\": {\n      \"type\": \"array\",\n      \"title\": \"WASC identifiers\",\n      \"description\": \"http://projects.webappsec.org/w/page/13246974/Threat%20Classification%20Reference%20Grid\",\n      \"uniqueItems\": true,\n      \"minItems\": 1,\n      \"items\": {\n        \"type\": \"string\",\n        \"minLength\": 1\n      }\n    },\n    \"tags\": {\n      \"type\": \"array\",\n      \"uniqueItems\": true,\n      \"minItems\": 1,\n      \"items\": {\n        \"type\": \"string\",\n        \"minLength\": 2,\n        \"maxLength\": 255\n      }\n    },\n    \"cwe\": {\n      \"type\": \"array\",\n      \"title\": \"CWE identifiers\",\n      \"description\": \"https://cwe.mitre.org/data/index.html\",\n      
 \"uniqueItems\": true,\n      \"items\": {\n        \"type\": \"string\",\n        \"minLength\": 1\n      }\n    },\n    \"owasp_top_10\": {\n      \"type\": \"object\",\n      \"description\": \"position in the owasp top ten, split by year\",\n      \"patternProperties\": {\n        \"^[12][0-9]{3}$\": {\n          \"type\": \"array\",\n          \"minItems\": 1,\n          \"items\": {\n            \"type\": \"integer\",\n            \"minimum\": 1\n          }\n        }\n      },\n      \"additionalProperties\": false\n    },\n    \"fix\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"guidance\": {\n          \"$ref\": \"#/definitions/multiString\",\n          \"title\": \"A very long text explaining how to fix the vulnerability\"\n        },\n        \"effort\": {\n          \"type\": \"integer\",\n          \"minimum\": 0\n        }\n      },\n      \"additionalProperties\": false,\n      \"required\": [\n        \"guidance\",\n        \"effort\"\n      ]\n    },\n    \"references\": {\n      \"type\": \"array\",\n      \"minItems\": 1,\n      \"items\": {\n        \"type\": \"object\",\n        \"properties\": {\n          \"url\": {\n            \"type\": \"string\",\n            \"format\": \"uri\"\n          },\n          \"title\": {\n            \"type\": \"string\",\n            \"minLength\": 4,\n            \"maxLength\": 255\n          }\n        },\n        \"additionalProperties\": false,\n        \"required\": [\n          \"url\",\n          \"title\"\n        ]\n      }\n    }\n  },\n  \"additionalProperties\": false,\n  \"required\": [\n    \"id\",\n    \"title\",\n    \"description\",\n    \"severity\",\n    \"fix\"\n  ]\n}"
  },
  {
    "path": "tests/__init__.py",
    "content": "\n"
  },
  {
    "path": "tests/requirements.txt",
    "content": "vulndb>=0.0.8\nrequests\njsonschema\npyopenssl\nndg-httpsclient\npyasn1\nmarkdown\nnose\n"
  },
  {
    "path": "tests/test_all_json.py",
    "content": "import unittest\nimport json\nimport os\n\n\nclass TestAllFilesAreJSON(unittest.TestCase):\n    \"\"\"\n    Basic test to make sure that all the files inside the db directory end\n    with the json extension and have valid json content\n    \"\"\"\n    maxDiff = None\n\n    def test_all_files_JSON(self):\n        not_json = []\n\n        for language in os.listdir('db'):\n            for _file in os.listdir('db/%s' % language):\n                # Build the full path: isfile() on the bare name would be\n                # resolved against the current directory and never match\n                path = os.path.join('db', language, _file)\n                if os.path.isfile(path) and not _file.endswith('.json'):\n                    not_json.append(_file)\n\n        self.assertEqual([], not_json)\n\n    def test_all_files_JSON_content(self):\n        not_json = []\n\n        for language in os.listdir('db'):\n            for _file in os.listdir('db/%s' % language):\n                path = os.path.join('db', language, _file)\n                if not os.path.isfile(path):\n                    continue\n\n                try:\n                    with open(path) as fp:\n                        json.loads(fp.read())\n                except ValueError:\n                    not_json.append(_file)\n\n        self.assertEqual([], not_json)\n"
  },
  {
    "path": "tests/test_json_spec.py",
    "content": "import requests\nimport os\n\nfrom tests.vulndb_test import VulnDBTest\nfrom nose.plugins.attrib import attr\nfrom vulndb import DBVuln\nfrom vulndb.constants.owasp import OWASP_TOP10_2010_URL_FMT, OWASP_TOP10_2013_URL_FMT\n\nSEVERITIES = {'high', 'medium', 'low', 'informational'}\n\n\nclass TestAllFilesHaveValidSpec(VulnDBTest):\n\n    def test_severity(self):\n        invalid = []\n\n        for language, _file, db_data in self.get_all_json():\n            if db_data['severity'] not in SEVERITIES:\n                invalid.append((_file, db_data['severity']))\n\n        self.assertEqual(invalid, [])\n\n    def test_lengths(self):\n        invalid = []\n\n        for language, _file, db_data in self.get_all_json():\n            description = self.get_description(language, db_data['description']['$ref'])\n            if len(description) <= 30:\n                invalid.append(_file)\n\n            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])\n            if len(guidance) <= 30:\n                invalid.append(_file)\n\n        self.assertEqual(invalid, [])\n\n    def test_id_match(self):\n        invalid = []\n\n        for language, db_path_file, db_data in self.get_all_json():\n            json_id = db_data['id']\n\n            db_file = os.path.split(db_path_file)[1]\n\n            if not db_file.startswith('%s-' % json_id):\n                invalid.append(db_file)\n\n        self.assertEqual(invalid, [])\n\n    def test_no_multiple_spaces(self):\n        invalid = []\n\n        for language, db_path_file, db_data in self.get_all_json():\n            description = self.get_description(language, db_data['description']['$ref'])\n            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])\n\n            if '  ' in guidance:\n                invalid.append((db_path_file, 'fix_guidance'))\n\n            if '  ' in description:\n                invalid.append((db_path_file, 'description'))\n\n        
 self.assertEqual(invalid, [])\n\n    @attr('slow')\n    def test_url_is_not_404(self):\n        all_urls = set()\n        invalid = []\n\n        for language, db_path_file, db_data in self.get_all_json():\n\n            cwe_list = db_data.get('cwe', [])\n            for cwe_id in cwe_list:\n                all_urls.add(DBVuln.get_cwe_url(cwe_id))\n\n            reference_list = db_data.get('references', [])\n            for reference in reference_list:\n                all_urls.add(reference['url'])\n\n            owasp_top_10 = db_data.get('owasp_top_10', {})\n            for version, risk_id_list in owasp_top_10.iteritems():\n                for risk_id in risk_id_list:\n                    owasp_url = self.get_owasp_url(version, risk_id)\n                    all_urls.add(owasp_url)\n\n        session = requests.Session()\n        for url in all_urls:\n            if self.url_is_404(session, url):\n                invalid.append(url)\n\n        self.assertEqual(invalid, [])\n\n    def get_owasp_url(self, owasp_version, risk_id):\n        owasp_version = int(owasp_version)\n\n        # Just return one of them, 2013 release has priority over 2010\n        if owasp_version == 2013:\n            return OWASP_TOP10_2013_URL_FMT % risk_id\n\n        if owasp_version == 2010:\n            return OWASP_TOP10_2010_URL_FMT % risk_id\n\n        raise NotImplementedError\n\n    def url_is_404(self, session, url):\n        # Network errors (timeouts, DNS failures, etc.) are reported as broken\n        # links; KeyboardInterrupt is not a RequestException and propagates\n        try:\n            response = session.get(url, timeout=30)\n        except requests.RequestException:\n            return True\n        else:\n            return response.status_code == 404\n"
  },
  {
    "path": "tests/test_markdown_refs.py",
    "content": "import os\n\nfrom tests.vulndb_test import VulnDBTest\n\n\nclass TestReferences(VulnDBTest):\n    \"\"\"\n    Ensure that every fix and description field has a corresponding\n    markdown file, and that every markdown file is referenced by at\n    least one vulnerability.\n    \"\"\"\n    def get_references_for_language(self, language):\n        desc_ids = set()\n        referenced_desc_ids = set()\n        fix_ids = set()\n        referenced_fix_ids = set()\n\n        for language_iter, db_path_file, db_data in self.get_all_json():\n\n            if language_iter != language:\n                continue\n\n            desc_id = db_data['description']['$ref'].split('/')[-1]\n            fix_id = db_data['fix']['guidance']['$ref'].split('/')[-1]\n\n            referenced_desc_ids.add(desc_id)\n            referenced_fix_ids.add(fix_id)\n\n        description_path = os.path.join('db', language, 'description')\n        fix_path = os.path.join('db', language, 'fix')\n\n        for f in os.listdir(description_path):\n            fpath = os.path.join(description_path, f)\n\n            if not os.path.isfile(fpath):\n                continue\n\n            d_id = f.replace('.md', '').split('-')[0]\n            desc_ids.add(d_id)\n\n        for f in os.listdir(fix_path):\n            fpath = os.path.join(fix_path, f)\n\n            if not os.path.isfile(fpath):\n                continue\n\n            f_id = f.replace('.md', '').split('-')[0]\n            fix_ids.add(f_id)\n\n        return desc_ids, fix_ids, referenced_desc_ids, referenced_fix_ids\n\n    def test_description_refs(self):\n        for language in self.get_all_languages():\n            desc_ids, _, referenced_desc_ids, _ = self.get_references_for_language(language)\n\n            for desc_id in referenced_desc_ids:\n                self.assertIn(\n                    desc_id, desc_ids,\n                    'description is missing: {}'.format(desc_id)\n                )\n\n            for 
desc_id in desc_ids:\n                self.assertIn(\n                    desc_id, referenced_desc_ids,\n                    'description is not referenced: {}'.format(desc_id)\n                )\n\n    def test_fix_refs(self):\n        for language in self.get_all_languages():\n            _, fix_ids, _, referenced_fix_ids = self.get_references_for_language(language)\n\n            for fix_id in referenced_fix_ids:\n                self.assertIn(\n                    fix_id, fix_ids,\n                    'fix is missing: {}'.format(fix_id)\n                )\n\n            for fix_id in fix_ids:\n                self.assertIn(\n                    fix_id, referenced_fix_ids,\n                    'fix is not referenced: {}'.format(fix_id)\n                )\n"
  },
  {
    "path": "tests/test_references.py",
    "content": "from tests.vulndb_test import VulnDBTest\n\n\nclass TestReferences(VulnDBTest):\n    \"\"\"\n    We don't want redundant references.  Test for the presence of a\n    reference URL that points at cwe.mitre.org.  If such a\n    reference is detected, simply remove the reference and add the\n    CWE-ID to the \"cwe\" section of the vulnerability.\n    \"\"\"\n    def test_no_redundant_cwe_mitre_org_urls(self):\n        invalid = []\n\n        for language, db_path_file, db_data in self.get_all_json():\n            reference_urls = set()\n\n            reference_list = db_data.get('references', [])\n            for reference in reference_list:\n                reference_urls.add(reference['url'])\n\n            # Each entry in the set is a plain URL string, so it is recorded\n            # directly (together with the file it came from)\n            for reference_url in reference_urls:\n                if 'cwe.mitre.org' in reference_url:\n                    invalid.append((db_path_file, reference_url))\n\n        self.assertEqual(invalid, [])\n"
  },
  {
    "path": "tests/test_schema_compatability.py",
    "content": "import json\nimport jsonschema\n\nfrom tests.vulndb_test import VulnDBTest\n\nSCHEMA_FILENAME = \"schema.json\"\n\n\nclass TestAllFilesSchemaCompatability(VulnDBTest):\n    \"\"\"\n    Make sure that schema.json is itself a valid draft-04 schema and that\n    every vulnerability json file inside the db directory validates against it\n    \"\"\"\n    def test_all_files_match_schema(self):\n        try:\n            with open(SCHEMA_FILENAME) as schema_file:\n                schema = json.loads(schema_file.read())\n        except (ValueError, IOError) as e:\n            self.fail(e)\n\n        try:\n            jsonschema.Draft4Validator.check_schema(schema)\n        except jsonschema.SchemaError as e:\n            self.fail(e)\n\n        incompatible = []\n        for language, _file, db_data in self.get_all_json():\n            try:\n                jsonschema.validate(db_data, schema)\n            except jsonschema.ValidationError as e:\n                incompatible.append((_file, e,))\n\n        self.assertEqual(incompatible, [])\n"
  },
  {
    "path": "tests/test_valid_markdown.py",
    "content": "from markdown import markdown\nfrom tests.vulndb_test import VulnDBTest\n\n\nclass TestValidMarkdown(VulnDBTest):\n    def test_valid_markdown(self):\n        invalid = []\n\n        for language, _file, db_data in self.get_all_json():\n            description = self.get_description(language, db_data['description']['$ref'])\n            try:\n                markdown(description)\n            except Exception:\n                invalid.append((_file, 'description'))\n\n            guidance = self.get_fix(language, db_data['fix']['guidance']['$ref'])\n            try:\n                markdown(guidance)\n            except Exception:\n                invalid.append((_file, 'fix_guidance'))\n\n        self.assertEqual(invalid, [])\n"
  },
  {
    "path": "tests/vulndb_test.py",
    "content": "import os\nimport json\nimport unittest\n\n\nclass VulnDBTest(unittest.TestCase):\n    maxDiff = None\n\n    def get_all_json(self):\n        for language in os.listdir('db'):\n            for _file in os.listdir('db/%s' % language):\n                if not _file.endswith('.json'):\n                    continue\n\n                file_name = os.path.join('db', language, _file)\n                with open(file_name) as fp:\n                    data = json.load(fp)\n\n                yield language, file_name, data\n\n    def get_all_languages(self):\n        return os.listdir('db')\n\n    def get_file_from_ref(self, language, file_type, file_ref):\n        # Only the last path component of the $ref is the markdown file id\n        file_id = file_ref.split('/')[-1]\n\n        with open(os.path.join('db', language, file_type, '%s.md' % file_id)) as ifile:\n            data = ifile.read()\n\n        return data\n\n    def get_description(self, language, desc_ref):\n        return self.get_file_from_ref(language, 'description', desc_ref)\n\n    def get_fix(self, language, fix_ref):\n        return self.get_file_from_ref(language, 'fix', fix_ref)\n"
  }
]