unittests/scans/hcl_appscan/issue_9279.xml

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

<xml-report name="AppScan Report" technology="DAST" xmlExportVersion="2.7">
  <content>
    <executive-summary>1</executive-summary>
    <issues>1</issues>
    <table-of-content>1</table-of-content>
    <introduction>1</introduction>
    <by-url>0</by-url>
    <fix-recommendations>1</fix-recommendations>
    <variants>1</variants>
    <request-response>1</request-response>
    <differences>1</differences>
    <advisories>1</advisories>
    <advisories-dot-net>1</advisories-dot-net>
    <advisories-j2ee>1</advisories-j2ee>
    <advisories-php>1</advisories-php>
    <application-data>1</application-data>
    <visited-urls>1</visited-urls>
    <filtered-urls>1</filtered-urls>
    <script-parameters>1</script-parameters>
    <broken-links>1</broken-links>
    <comments>1</comments>
    <java-scripts>1</java-scripts>
    <cookies>1</cookies>
    <components>1</components>
    <issue-information>1</issue-information>
    <page-break-after-each-issue-url>0</page-break-after-each-issue-url>
    <cover-page>1</cover-page>
    <regulations>0</regulations>
    <delta-analysis>0</delta-analysis>
    <is-rtf-report>0</is-rtf-report>
  </content>
  <dictionary>
    <item id="secure">Secure</item>
    <item id="scheme">Scheme</item>
    <item id="SameSite">Same Site</item>
    <item id="comments">Comments</item>
    <item id="scanDateColon">Scan started:</item>
    <item id="issueTypesDiscovered">Issue Types</item>
    <item id="threatClassificationColon">Threat Classification:</item>
    <item id="reportTagLine">AppScan Web Application Security Report</item>
    <item id="FilteredUrl.Untrusted">Untested Web Server</item>
    <item id="urlColon">URL:</item>
    <item id="originalResponseLabel">Original Response</item>
    <item id="threatClassification">WASC Threat Classification</item>
    <item id="unwantedLabel">Unwanted</item>
    <item id="testOptimizationColon">Test optimization level:</item>
    <item id="affectedProductsColon">Affected Products:</item>
    <item id="urlsStatus">URLs Status</item>
    <item id="issuesByURL">Issues Sorted by URL</item>
    <item id="allowConcurrentLogins">Concurrent logins:</item>
    <item id="responseLabel">Response</item>
    <item id="xssBlurb">Simulation of the pop-up that appears when this page is opened in a browser</item>
    <item id="ApplicationData.HttpParamType.NoneOrUnknown">None or Unknown</item>
    <item id="documentMap">Document Map</item>
    <item id="components">Components</item>
    <item id="fixRecommendationsColon">Fix Recommendation:</item>
    <item id="BinaryDataNotIncluded">This request/response contains binary content, which is not included in generated reports.</item>
    <item id="executiveSummary">Summary</item>
    <item id="entityColon">Entity:</item>
    <item id="general">General</item>
    <item id="detectedCookies">Tracked or session ID cookies:</item>
    <item id="trialVersionMessage">This summary report was created with the Application Security Analyzer Free Plan. Once you purchase the full service you will have access to a complete report with detailed descriptions of the issues found and how to remediate them.</item>
    <item id="cvssScoreColon">CVSS Score:</item>
    <item id="ApplicationData.HttpParamType.TextArea">TextArea</item>
    <item id="informational">Informational</item>
    <item id="sessionVerifierPattern">In-session pattern:</item>
    <item id="ApplicationData.HttpParamType.Image">Image</item>
    <item id="differenceColon">Difference:</item>
    <item id="ApplicationData.HttpParamType.Radio">Radio</item>
    <item id="detailedSummaryContent">This section includes a detailed listing of the scan results, including all issue types found, all recommended remediation tasks, all vulnerable URLs, etc., and is intended to provide a detailed understanding of the security status of the application, as well as to assist in scoping and prioritizing the work required to remedy the issues found.</item>
    <item id="fixedIssues">Fixed Issues</item>
    <item id="testDescriptionColon">Test Description:</item>
    <item id="sessionManagementMode">Login method:</item>
    <item id="totalIssuesInScanColon">Total security issues discovered in the scan:</item>
    <item id="referencesColon">External References:</item>
    <item id="cvssVersionColon">CVSS version:</item>
    <item id="ScanSummary">Scan Summary</item>
    <item id="brokenLinks">Failed Requests</item>
    <item id="testPolicyColon">Test policy:</item>
    <item id="parameters">Parameters</item>
    <item id="introductionAndObjectivesContent">General information about the scan, including the project name, purpose of the scan, etc.</item>
    <item id="ApplicationData.HttpParamType.Simple_Link">Simple Link</item>
    <item id="FilteredUrl.PathLimit">Path Limit</item>
    <item id="rulesColon">Rules:</item>
    <item id="newUrls">New URLs</item>
    <item id="ApplicationData.HttpParamType.Post_Data">Body</item>
    <item id="openIssues">Open Issues</item>
    <item id="filteredLinks">Filtered URLs</item>
    <item id="operatingSystemColon">Operating system:</item>
    <item id="documentMapContent">This report consists of the following sections:</item>
    <item id="scanBaseStartedColon">Base Scan Started:</item>
    <item id="securityIssuesBySections">Detailed Security Issues by Sections</item>
    <item id="testLoginLabel">Test Login</item>
    <item id="InformationalSeverityIssues">Informational severity issues:</item>
    <item id="javaScripts">JavaScripts</item>
    <item id="dictionarySessionManagementModeUnknown">Unknown</item>
    <item id="FilteredUrl.Path">Path</item>
    <item id="vulnerableURLs">Vulnerable URLs</item>
    <item id="sniqueIssuesDetectedAcrossRegulation">{0} Unique issues detected across {1} sections of the regulation:</item>
    <item id="highSeverityIssues">High severity issues:</item>
    <item id="FilteredUrl.PredictableUrl">Likely Similar DOM</item>
    <item id="fixColon">Fix:</item>
    <item id="dictionaryTrue">True</item>
    <item id="dictionaryNone">None</item>
    <item id="comment">Comment</item>
    <item id="cookies">Cookies</item>
    <item id="firstSet">First Set</item>
    <item id="hostColon">Host</item>
    <item id="objectivesContent">AppScan performs real-time security assessments of web applications. These assessments aim to uncover any security issues in the application, explain the impact and risks associated with these issues, and provide guidance in planning and prioritizing the remediation, The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the application.</item>
    <item id="ApplicationData.HttpParamType.Checkbox">Checkbox</item>
    <item id="bodyparameter">Body Parameter</item>
    <item id="benignLabel">Harmless</item>
    <item id="cipherSuiteId">Id</item>
    <item id="attackNotSupported">This attack is not supported by AppScan.</item>
    <item id="ApplicationData.HttpParamType.Button">Button</item>
    <item id="rawTestResponseLabel">Raw Test Response:</item>
    <item id="loginSettings">Login Settings</item>
    <item id="createdByAppScan">This report was created by HCL AppScan Standard</item>
    <item id="nodePathColon">Report Produced on Tree node:</item>
    <item id="additionalDataColon">Additional Data:</item>
    <item id="issuesStatus">Issues Status</item>
    <item id="testResponseNextToLastLabel">Test Response (next-to-last)</item>
    <item id="applicationServerColon">Application server:</item>
    <item id="generalInformation">General Information</item>
    <item id="testTypeColon">Test Type:</item>
    <item id="executiveSummaryContent">This section is a high-level "overview" of the information gathered during the scan, using graphs or comparative numbers, and is intended to provide a general understanding of the security status of the application.</item>
    <item id="ApplicationData.HttpParamType.XML">XML</item>
    <item id="deltaAnalysis">Delta Analysis</item>
    <item id="testResponseLastLabel">Test Response (last)</item>
    <item id="ApplicationData.HttpParamType.Hidden">Hidden</item>
    <item id="cweColon">CWE:</item>
    <item id="cveColon">CVE:</item>
    <item id="of">of</item>
    <item id="addedToRequestColon">added to request:</item>
    <item id="numberOfIssues">Number of Issues</item>
    <item id="FilteredUrl.DomSimilarity">Similar DOM</item>
    <item id="exploitExampleColon">Exploit Example:</item>
    <item id="trialVersionWatermark">Free Plan</item>
    <item id="scanNumComplianceIssuesFoundColon">Compliance issues found:</item>
    <item id="malwareLabel">Malicious</item>
    <item id="dictionarySessionManagementModeAutomatic">Automatic</item>
    <item id="ApplicationData.HttpParamType.Submit">Submit</item>
    <item id="added">added</item>
    <item id="fixed">Fixed</item>
    <item id="cause">Cause</item>
    <item id="index">Index</item>
    <item id="issue">Issue</item>
    <item id="query">Query</item>
    <item id="ApplicationData.HttpParamType.Select">Select</item>
    <item id="value">Value</item>
    <item id="cipherSuitesTitle">The following weak cipher suites are supported by the server:</item>
    <item id="fix">Fix</item>
    <item id="low">Low</item>
    <item id="new">New</item>
    <item id="toc">TOC</item>
    <item id="url">URL</item>
    <item id="php">PHP</item>
    <item id="lowSeverityIssues">Low severity issues:</item>
    <item id="visitedLinks">Visited URLs</item>
    <item id="sampleReportWatermark">Sample Report</item>
    <item id="remaining">Remaining</item>
    <item id="expires">Expires</item>
    <item id="removedUrls">Removed URLs</item>
    <item id="targetScan">Target Scan</item>
    <item id="ApplicationData.HttpParamType.Custom_Parameter">Custom</item>
    <item id="howToFix">How to Fix</item>
    <item id="mediumSeverityIssues">Medium severity issues:</item>
    <item id="FilteredUrl.FileExtension">File Extension</item>
    <item id="issueType">Issue Type</item>
    <item id="FilteredUrl.LogoutFilter">Logout Filter</item>
    <item id="ApplicationData.HttpParamType.Password">Password</item>
    <item id="scanFileNameColon">Scan file name:</item>
    <item id="enableJsxInLoginReplay">JavaScript execution:</item>
    <item id="JsStackStrace">JS Stack Trace</item>
    <item id="dictionarySessionManagementModePrompt">Prompt</item>
    <item id="webServerColon">Web server:</item>
    <item id="dictionaryEnabled">Enabled</item>
    <item id="objectives">Objectives</item>
    <item id="xfidColon">X-Force:</item>
    <item id="introductionContent">This report contains the results of a web application security scan performed by HCL AppScan Standard.</item>
    <item id="testTechnicalDescriptionColon">Technical Description:</item>
    <item id="variant">Variant</item>
    <item id="appScanSeverity">AppScan Severity</item>
    <item id="FilteredUrl.RequestMethod">HTTP Request Method</item>
    <item id="issuesDetectedAcrossRegulation">Issues detected across {0} sections of the regulation:</item>
    <item id="totalIssuesInReportColon">Total security issues included in the report:</item>
    <item id="tableOfContents">Table of Contents</item>
    <item id="introductionAndObjectives">Introduction and Objectives</item>
    <item id="FilteredUrl.DepthLimit">Depth Limit</item>
    <item id="version">Version</item>
    <item id="detectedParameters">Tracked or session ID parameters:</item>
    <item id="originalRequestsAndResponsesColon">Original Requests and Responses:</item>
    <item id="sessionVerifierEnabled">In-session detection:</item>
    <item id="FilteredUrl.TotVisitedLinksLimit">Total Visited Links Limit</item>
    <item id="newIssues">New Issues</item>
    <item id="HttpOnly">HTTP Only</item>
    <item id="TotalSecurityIssues">total security issues</item>
    <item id="introduction">Introduction</item>
    <item id="dictionarySessionManagementModeRecorded">Recorded login</item>
    <item id="scanTargetStartedColon">Target Scan Started:</item>
    <item id="baseScan">Base Scan</item>
    <item id="testResponseFirstLabel">Test Response (first)</item>
    <item id="causesColon">Cause:</item>
    <item id="sectionViolation">Violated Section</item>
    <item id="critical">Critical</item>
    <item id="portColon">Port</item>
    <item id="testOptimizationFast">Fast</item>
    <item id="validLoginLabel">Valid Login</item>
    <item id="severityColon">Severity:</item>
    <item id="parameter">Parameter</item>
    <item id="severity">Severity</item>
    <item id="applicationData">Application Data</item>
    <item id="testRequestLabel">Test Request:</item>
    <item id="fixRecommendations">Fix Recommendations</item>
    <item id="reasoningColon">Reasoning:</item>
    <item id="domain">Domain</item>
    <item id="dotNet">.Net</item>
    <item id="advisories">Advisories</item>
    <item id="entity">Entity</item>
    <item id="riskColon">Risk:</item>
    <item id="createdBySaaS">This report was created by IBM Application Security Analyzer - Dynamic, Security rules version:</item>
    <item id="criticalSeverityIssues">Critical severity issues:</item>
    <item id="sectionViolationGdprArticles">GDPR Articles</item>
    <item id="ApplicationData.HttpParamType.File">File</item>
    <item id="ApplicationData.HttpParamType.JSON">JSON</item>
    <item id="ApplicationData.HttpParamType.Text">Text</item>
    <item id="reportName">Comprehensive Security Report</item>
    <item id="issueTypes">Issue Types</item>
    <item id="scanNumSecurityEntitiesTestedColon">Security entities tested:</item>
    <item id="regulations">Regulations</item>
    <item id="removed">removed</item>
    <item id="queryparameter">Query Parameter</item>
    <item id="FilteredUrl.ImageContext">Image Context</item>
    <item id="removedLabel">Removed</item>
    <item id="medium">Medium</item>
    <item id="method">Method</item>
    <item id="FilteredUrl.MaxLengthExceeded">URL Length Limit</item>
    <item id="sslVersion">SSL Version</item>
    <item id="testOptimizationFaster">Faster</item>
    <item id="dictionaryTestPolicyModified">(Modified)</item>
    <item id="sections">Sections</item>
    <item id="causes">Causes</item>
    <item id="cookie">Cookie</item>
    <item id="scanNumPagesScannedColon">Scanned pages:</item>
    <item id="header">Header</item>
    <item id="GeneralInformation.Unknown">Unknown</item>
    <item id="FilteredUrl.RegExp">General Regular Expression</item>
    <item id="testOptimizationFastest">Fastest</item>
    <item id="dictionaryDisabled">Disabled</item>
    <item id="affectedURLs">Vulnerable URLs</item>
    <item id="manipulatedFromColon">manipulated from:</item>
    <item id="issueDistributionByScan">Issue Distribution by Scan</item>
    <item id="threat">Threat</item>
    <item id="testOptimizationNormal">Normal</item>
    <item id="securityRisks">Security Risks</item>
    <item id="securityRisksColon">Risk:</item>
    <item id="requestedURL">Requested URL</item>
    <item id="testRequestsResponsesColon">Test Requests and Responses:</item>
    <item id="numberOfAffectedIssues">this is now the same as the one below - should be removed</item>
    <item id="requestLabel">Request</item>
    <item id="trialVersionHeader">Please Note:</item>
    <item id="remediationTask">Remediation Task</item>
    <item id="detailedSummary">Detailed Summary</item>
    <item id="issuesByIssueType">Issues Sorted by Issue Type</item>
    <item id="remainingUrls">Remaining URLs</item>
    <item id="cipherSuiteName">Name</item>
    <item id="toColon">to:</item>
    <item id="FilteredUrl.NestingLimit">Nesting Limit</item>
    <item id="testResponseLabel">Test Response</item>
    <item id="removedFromRequestColon">removed from request:</item>
    <item id="FilteredUrl.BodySimilar">Similar Body</item>
    <item id="originalRequestLabel">Original Request</item>
    <item id="body">Body</item>
    <item id="code">Code</item>
    <item id="high">High</item>
    <item id="name">Name</item>
    <item id="open">Open</item>
    <item id="type">Type</item>
    <item id="j2ee">J2EE</item>
    <item id="path">Path</item>
    <item id="port">Port</item>
    <item id="risk">Risk</item>
    <item id="sectionViolationByIssue">Section Violation By Issue</item>
    <item id="dictionaryFalse">False</item>
    <item id="GeneralInformation.Any">Any</item>
    <item id="recordedRequestSequence">Login sequence:</item>
    <item id="willFix">Issue Types that this task fixes</item>
    <item id="reason">Reason</item>
  </dictionary>
  <layout>
    <rules-number>0</rules-number>
    <title />
    <report-type />
    <description />
    <header />
    <footer />
    <include-date>1</include-date>
    <report-date-and-time>1/4/2024 12:22:44 PM</report-date-and-time>
    <company-logo-path />
    <additional-logo-path />
    <margins>1</margins>
    <node-path />
    <coverage>StandardFullReport</coverage>
  </layout>
  <scan-information>
    <scan-name>demo.testfire.net</scan-name>
    <scan-file-name>demo.testfire.net.scan</scan-file-name>
    <scan-date-and-time>11/2/2023 10:39:49 AM</scan-date-and-time>
    <scan-date-and-time-iso>2023-11-02T10:39:49Z</scan-date-and-time-iso>
    <product-name>HCL AppScan Standard</product-name>
    <product-version>10.4.0</product-version>
    <cvss-version>3.1</cvss-version>
  </scan-information>
  <scan-configuration>
    <login-settings-group>
      <allow-concurrent-logins>dictionaryEnabled</allow-concurrent-logins>
      <enable-Jsx-In-login-replay>dictionaryDisabled</enable-Jsx-In-login-replay>
      <session-management-mode>dictionarySessionManagementModeRecorded</session-management-mode>
      <session-verifier-enabled>dictionaryEnabled</session-verifier-enabled>
      <session-verifier-pattern>&gt;Sign Off&lt;</session-verifier-pattern>
      <tracked-cookies>
        <cookie>JSESSIONID</cookie>
        <cookie>AltoroAccounts</cookie>
      </tracked-cookies>
      <tracked-parameters />
      <recorded-urls-sequence>
        <url>https://demo.testfire.net/</url>
        <url>https://demo.testfire.net/login.jsp</url>
        <url>https://demo.testfire.net/doLogin</url>
        <url>https://demo.testfire.net/bank/main.jsp</url>
      </recorded-urls-sequence>
    </login-settings-group>
    <test-policy-name>Default</test-policy-name>
    <test-optimization-level>testOptimizationFast</test-optimization-level>
    <starting-url>https://demo.testfire.net</starting-url>
    <link-limit-state>dictionaryDisabled</link-limit-state>
    <link-limit>500</link-limit>
    <depth-limit-state>dictionaryEnabled</depth-limit-state>
    <depth-limit>20</depth-limit>
    <path-limit-state>dictionaryDisabled</path-limit-state>
    <path-limit>5</path-limit>
    <form-filler-state>dictionaryEnabled</form-filler-state>
    <java-script-links-execution>dictionaryDisabled</java-script-links-execution>
    <java-script-links-extraction>dictionaryEnabled</java-script-links-extraction>
    <flash-execution-state>dictionaryDisabled</flash-execution-state>
    <flash-links-extraction-state>dictionaryDisabled</flash-links-extraction-state>
    <additional-servers-and-domains />
    <multi-phase-operation-names>
      <multi-phase-operation-name>Sequence 1</multi-phase-operation-name>
    </multi-phase-operation-names>
    <path-filters>
      <path-filter>
        <path>.*/deleteweb.aspx</path>
        <type>Exclude</type>
        <matching>True</matching>
      </path-filter>
    </path-filters>
    <custom-proxy-settings>dictionaryDisabled</custom-proxy-settings>
    <use-ie-proxy-settings>dictionaryEnabled</use-ie-proxy-settings>
    <proxy-settings-ip-address />
    <proxy-settings-port>8080</proxy-settings-port>
    <scanned-hosts>
      <item>
        <host>demo.testfire.net</host>
        <port>443</port>
        <operating-system>GeneralInformation.Unknown</operating-system>
        <web-server>Apache</web-server>
        <application-server>Tomcat</application-server>
      </item>
    </scanned-hosts>
  </scan-configuration>
  <scan-summary>
    <scan-Duration>00:47:16.6591694</scan-Duration>
    <num-pages-scanned>61</num-pages-scanned>
    <total-num-pages>61</total-num-pages>
    <num-security-entities-tested>264</num-security-entities-tested>
    <total-num-security-entities>264</total-num-security-entities>
    <num-issues-found>113</num-issues-found>
    <total-issues-severity-critical>5</total-issues-severity-critical>
    <total-issues-severity-high>11</total-issues-severity-high>
    <total-issues-severity-medium>34</total-issues-severity-medium>
    <total-issues-severity-low>46</total-issues-severity-low>
    <total-issues-severity-informational>17</total-issues-severity-informational>
    <test-policy>Default</test-policy>
  </scan-summary>
  <issue-type-group>
    <item id="attBlindSqlInjectionStrings" count="1" maxIssueSeverity="6">
      <name>Blind SQL Injection</name>
      <cve />
      <cwe>89</cwe>
      <xfid>8783</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>attBlindSqlInjectionStrings</ref>
      </advisory>
      <threat-class>
        <ref>catSQLInjection</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attBlindSqlInjectionStrings</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_0</ref>
      </causes>
      <security-risks>
        <ref>databaseManipulations</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attSqlInjectionChecks" count="4" maxIssueSeverity="6">
      <name>SQL Injection</name>
      <cve />
      <cwe>89</cwe>
      <xfid>8783</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>attSqlInjectionChecks</ref>
      </advisory>
      <threat-class>
        <ref>catSQLInjection</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attSqlInjectionChecks</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_1</ref>
        <ref>Cause_2</ref>
        <ref>Cause_3</ref>
        <ref>Cause_4</ref>
      </causes>
      <security-risks>
        <ref>databaseManipulations</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attIntegerOverflow" count="2" maxIssueSeverity="3">
      <name>Integer Overflow</name>
      <cve />
      <cwe>190</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_50300</ref>
      </remediation>
      <advisory>
        <ref>attIntegerOverflow</ref>
      </advisory>
      <threat-class>
        <ref>catIntegerOverflow</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attIntegerOverflow</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_5</ref>
      </causes>
      <security-risks>
        <ref>debugErrorInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attRedirectInURL" count="1" maxIssueSeverity="3">
      <name>Phishing Through URL Redirection</name>
      <cve />
      <cwe>601</cwe>
      <xfid>52830</xfid>
      <remediation>
        <ref>fix_53140</ref>
      </remediation>
      <advisory>
        <ref>attRedirectInURL</ref>
      </advisory>
      <threat-class>
        <ref>catURLRedirectoryAbuse</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attRedirectInURL</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_6</ref>
        <ref>Cause_7</ref>
        <ref>Cause_8</ref>
      </causes>
      <security-risks>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attCrossSiteScripting" count="8" maxIssueSeverity="3">
      <name>Reflected Cross Site Scripting</name>
      <cve />
      <cwe>79</cwe>
      <xfid>6784</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>attCrossSiteScripting</ref>
      </advisory>
      <threat-class>
        <ref>catCrossSiteScripting</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attCrossSiteScripting</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_9</ref>
        <ref>Cause_10</ref>
        <ref>Cause_11</ref>
        <ref>Cause_12</ref>
      </causes>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attSameSiteCookie" count="2" maxIssueSeverity="2">
      <name>Cookie with Insecure or Improper or Missing SameSite attribute</name>
      <cve />
      <cwe>1275</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61797</ref>
      </remediation>
      <advisory>
        <ref>attSameSiteCookie</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attSameSiteCookie</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_13</ref>
      </causes>
      <security-risks>
        <ref>risk_attSameSiteCookie</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attCrossSiteRequestForgery" count="5" maxIssueSeverity="2">
      <name>Cross-Site Request Forgery</name>
      <cve />
      <cwe>352</cwe>
      <xfid>6784</xfid>
      <remediation>
        <ref>fix_60130</ref>
      </remediation>
      <advisory>
        <ref>attCrossSiteRequestForgery</ref>
      </advisory>
      <threat-class>
        <ref>catCrossSiteRequestForgery</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attCrossSiteRequestForgery</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_14</ref>
        <ref>Cause_15</ref>
        <ref>Cause_16</ref>
        <ref>Cause_17</ref>
      </causes>
      <security-risks>
        <ref>CSRF_risk</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GV_SQLErr" count="6" maxIssueSeverity="2">
      <name>Database Error Pattern Found</name>
      <cve />
      <cwe>209</cwe>
      <xfid>52577</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>GV_SQLErr</ref>
      </advisory>
      <threat-class>
        <ref>catSQLInjection</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GV_SQLErr</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_0</ref>
      </causes>
      <security-risks>
        <ref>databaseManipulations</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="DirectAccesstoAdministrationPages" count="2" maxIssueSeverity="2">
      <name>Direct Access to Administration Pages</name>
      <cve />
      <cwe>306</cwe>
      <xfid>52579</xfid>
      <remediation>
        <ref>fix_54860</ref>
      </remediation>
      <advisory>
        <ref>DirectAccesstoAdministrationPages</ref>
      </advisory>
      <threat-class>
        <ref>catPredictableResourceLocation</ref>
      </threat-class>
      <fix-recommendation>
        <ref>DirectAccesstoAdministrationPages</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_18</ref>
      </causes>
      <security-risks>
        <ref>privilegeEscalation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attHostHeaderInjection" count="1" maxIssueSeverity="2">
      <name>Host Header Injection</name>
      <cve />
      <cwe>644</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61481</ref>
      </remediation>
      <advisory>
        <ref>attHostHeaderInjection</ref>
      </advisory>
      <threat-class>
        <ref>catAbuseOfFunctionality</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attHostHeaderInjection</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_19</ref>
      </causes>
      <security-risks>
        <ref>cachePoisoning</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attAccountLockout" count="1" maxIssueSeverity="2">
      <name>Inadequate Account Lockout</name>
      <cve />
      <cwe>307</cwe>
      <xfid>52623</xfid>
      <remediation>
        <ref>fix_59220</ref>
      </remediation>
      <advisory>
        <ref>attAccountLockout</ref>
      </advisory>
      <threat-class>
        <ref>catBruteForce</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attAccountLockout</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>privilegeEscalation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attLinkInjection" count="6" maxIssueSeverity="2">
      <name>Link Injection (facilitates Cross-Site Request Forgery)</name>
      <cve />
      <cwe>74</cwe>
      <xfid>6784</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>attLinkInjection</ref>
      </advisory>
      <threat-class>
        <ref>catContentSpoofing</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attLinkInjection</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_0</ref>
      </causes>
      <security-risks>
        <ref>phishing</ref>
        <ref>userImpersonation</ref>
        <ref>siteDefacement</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attRespCookieNotSecureSSL" count="1" maxIssueSeverity="2">
      <name>Missing Secure Attribute in Encrypted Session (SSL) Cookie</name>
      <cve />
      <cwe>614</cwe>
      <xfid>52696</xfid>
      <remediation>
        <ref>fix_52740</ref>
      </remediation>
      <advisory>
        <ref>attRespCookieNotSecureSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attRespCookieNotSecureSSL</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_21</ref>
      </causes>
      <security-risks>
        <ref>unsecureCookieInSSL</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="OldTLS" count="1" maxIssueSeverity="2">
      <name>Older TLS Version is Supported</name>
      <cve />
      <cwe>327</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61030</ref>
      </remediation>
      <advisory>
        <ref>OldTLS</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <fix-recommendation>
        <ref>OldTLS</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_18</ref>
      </causes>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="phishingInFrames" count="7" maxIssueSeverity="2">
      <name>Phishing Through Frames</name>
      <cve />
      <cwe>79</cwe>
      <xfid>52829</xfid>
      <remediation>
        <ref>fix_52000</ref>
      </remediation>
      <advisory>
        <ref>phishingInFrames</ref>
      </advisory>
      <threat-class>
        <ref>catContentSpoofing</ref>
      </threat-class>
      <fix-recommendation>
        <ref>phishingInFrames</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_0</ref>
      </causes>
      <security-risks>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="SHA1CipherSuites" count="1" maxIssueSeverity="2">
      <name>SHA-1 cipher suites were detected</name>
      <cve />
      <cwe>327</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61754</ref>
      </remediation>
      <advisory>
        <ref>SHA1CipherSuites</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <fix-recommendation>
        <ref>SHA1CipherSuites</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_18</ref>
      </causes>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="constTransient" count="1" maxIssueSeverity="2">
      <name>Session Identifier Not Updated</name>
      <cve />
      <cwe>304</cwe>
      <xfid>52863</xfid>
      <remediation>
        <ref>fix_60310</ref>
      </remediation>
      <advisory>
        <ref>constTransient</ref>
      </advisory>
      <threat-class>
        <ref>catSessionFixation</ref>
      </threat-class>
      <fix-recommendation>
        <ref>constTransient</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GD_autocompleteInForm" count="4" maxIssueSeverity="1">
      <name>Autocomplete HTML Attribute Not Disabled for Password Field</name>
      <cve />
      <cwe>522</cwe>
      <xfid>85989</xfid>
      <remediation>
        <ref>fix_61640</ref>
      </remediation>
      <advisory>
        <ref>GD_autocompleteInForm</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GD_autocompleteInForm</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>authBypass</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="bodyParamsInQuery" count="3" maxIssueSeverity="1">
      <name>Body Parameters Accepted in Query</name>
      <cve />
      <cwe>200</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61757</ref>
      </remediation>
      <advisory>
        <ref>bodyParamsInQuery</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>bodyParamsInQuery</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attCachedSSL" count="17" maxIssueSeverity="1">
      <name>Cacheable SSL Page Found</name>
      <cve />
      <cwe>525</cwe>
      <xfid>52512</xfid>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attCachedSSL</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_22</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GD_CreditCardVisa" count="4" maxIssueSeverity="1">
      <name>Credit Card Number Pattern Found (Visa)</name>
      <cve />
      <cwe>200</cwe>
      <xfid>51894</xfid>
      <remediation>
        <ref>fix_59161</ref>
      </remediation>
      <advisory>
        <ref>GD_CreditCardVisa</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GD_CreditCardVisa</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attHttpsToHttp" count="1" maxIssueSeverity="1">
      <name>Encryption Not Enforced</name>
      <cve />
      <cwe>311</cwe>
      <xfid>52586</xfid>
      <remediation>
        <ref>fix_52721</ref>
      </remediation>
      <advisory>
        <ref>attHttpsToHttp</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attHttpsToHttp</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_23</ref>
        <ref>Cause_24</ref>
      </causes>
      <security-risks>
        <ref>sensitiveNotOverSSL</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attContentSecurityPolicy" count="1" maxIssueSeverity="1">
      <name>Missing "Content-Security-Policy" header</name>
      <cve />
      <cwe>1032</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61770</ref>
      </remediation>
      <advisory>
        <ref>attContentSecurityPolicy</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attContentSecurityPolicy</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attRespCookieNotHttpOnlySessionCookie" count="1" maxIssueSeverity="1">
      <name>Missing HttpOnly Attribute in Session Cookie</name>
      <cve />
      <cwe>653</cwe>
      <xfid>85873</xfid>
      <remediation>
        <ref>fix_52741</ref>
      </remediation>
      <advisory>
        <ref>attRespCookieNotHttpOnlySessionCookie</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attRespCookieNotHttpOnlySessionCookie</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_25</ref>
      </causes>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="ContentTypeOptions" count="1" maxIssueSeverity="1">
      <name>Missing or insecure "X-Content-Type-Options" header</name>
      <cve />
      <cwe>200</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61767</ref>
      </remediation>
      <advisory>
        <ref>ContentTypeOptions</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>ContentTypeOptions</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="XFS" count="1" maxIssueSeverity="1">
      <name>Missing or insecure Cross-Frame Scripting Defence</name>
      <cve />
      <cwe>1021</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61763</ref>
      </remediation>
      <advisory>
        <ref>XFS</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>XFS</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="HSTS" count="1" maxIssueSeverity="1">
      <name>Missing or insecure HTTP Strict-Transport-Security Header</name>
      <cve />
      <cwe>200</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61750</ref>
      </remediation>
      <advisory>
        <ref>HSTS</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>HSTS</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GETParamOverSSL" count="11" maxIssueSeverity="1">
      <name>Query Parameter in SSL Request</name>
      <cve />
      <cwe>598</cwe>
      <xfid>52845</xfid>
      <remediation>
        <ref>fix_52720</ref>
      </remediation>
      <advisory>
        <ref>GETParamOverSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GETParamOverSSL</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_26</ref>
      </causes>
      <security-risks>
        <ref>sensitiveNotOverSSL</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attUnnecessaryResponseHeaders" count="1" maxIssueSeverity="1">
      <name>Unnecessary Http Response Headers found in the Application</name>
      <cve />
      <cwe>200</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_MA_attInformationLeakage</ref>
      </remediation>
      <advisory>
        <ref>attUnnecessaryResponseHeaders</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attUnnecessaryResponseHeaders</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attUndefinedState" count="7" maxIssueSeverity="0">
      <name>Application Error</name>
      <cve />
      <cwe>550</cwe>
      <xfid>52502</xfid>
      <remediation>
        <ref>fix_50300</ref>
      </remediation>
      <advisory>
        <ref>attUndefinedState</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attUndefinedState</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_27</ref>
        <ref>Cause_28</ref>
      </causes>
      <security-risks>
        <ref>debugErrorInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GD_EmailAddress" count="4" maxIssueSeverity="0">
      <name>Email Address Pattern Found</name>
      <cve />
      <cwe>359</cwe>
      <xfid>52584</xfid>
      <remediation>
        <ref>fix_60260</ref>
      </remediation>
      <advisory>
        <ref>GD_EmailAddress</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GD_EmailAddress</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attSensitiveInHtmlComments" count="4" maxIssueSeverity="0">
      <name>HTML Comments Sensitive Information Disclosure</name>
      <cve />
      <cwe>615</cwe>
      <xfid>52601</xfid>
      <remediation>
        <ref>fix_50750</ref>
      </remediation>
      <advisory>
        <ref>attSensitiveInHtmlComments</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attSensitiveInHtmlComments</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_29</ref>
        <ref>Cause_30</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="attReferrerPolicyHeaderExist" count="1" maxIssueSeverity="0">
      <name>Missing "Referrer policy" Security Header</name>
      <cve />
      <cwe>200</cwe>
      <xfid>0</xfid>
      <remediation>
        <ref>fix_61771</ref>
      </remediation>
      <advisory>
        <ref>attReferrerPolicyHeaderExist</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>attReferrerPolicyHeaderExist</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_20</ref>
      </causes>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <affected-products />
    </item>
    <item id="GD_PathDisclosure" count="1" maxIssueSeverity="0">
      <name>Possible Server Path Disclosure Pattern Found</name>
      <cve />
      <cwe>200</cwe>
      <xfid>52839</xfid>
      <remediation>
        <ref>fix_60510</ref>
      </remediation>
      <advisory>
        <ref>GD_PathDisclosure</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <fix-recommendation>
        <ref>GD_PathDisclosure</ref>
      </fix-recommendation>
      <causes>
        <ref>Cause_31</ref>
      </causes>
      <security-risks>
        <ref>pathDisclosure</ref>
      </security-risks>
      <affected-products />
    </item>
  </issue-type-group>
  <fix-recommendation-group>
    <item id="attBlindSqlInjectionStrings">
      <general>
        <fixRecommendation type="General">
          <text>There are several mitigation techniques:</text>
          <text>[1] Strategy: Libraries or Frameworks</text>
          <text>Use a vetted library or framework that does not allow this weakness or provides constructs that make it easier to avoid.</text>
          <text />
          <text>[2] Strategy: Parameterization</text>
          <text>If available, use structured mechanisms that automatically enforce separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this at every point where output is generated.</text>
          <text />
          <text>[3] Strategy: Environment Hardening</text>
          <text>Run your code using the lowest privileges that are required to accomplish the necessary tasks.</text>
          <text />
          <text>[4] Strategy: Output Encoding</text>
          <text>If you need to use dynamically-generated query strings or commands in spite of the risk, properly quote arguments, and escape any special characters within those arguments.</text>
          <text />
          <text>[5] Strategy: Input Validation</text>
          <text>Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on detecting for malicious or malformed inputs with a blacklist. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.</text>
          <text>Here are two possible ways to protect your web application against SQL injection attacks:</text>
          <text />
          <text>[1] Use a stored procedure rather than dynamically built SQL query string. The way parameters are passed to SQL Server stored procedures, prevents the use of apostrophes and hyphens.</text>
          <text />
          <text>Here is a simple example of how to use stored procedures in ASP.NET:</text>
          <text />
          <text>  ' Visual Basic example
  Dim DS As DataSet
  Dim MyConnection As SqlConnection
  Dim MyCommand As SqlDataAdapter
  
  Dim SelectCommand As String = "select * from users where username = @username"
  ...
  MyCommand.SelectCommand.Parameters.Add(New SqlParameter("@username", SqlDbType.NVarChar, 20))
  MyCommand.SelectCommand.Parameters("@username").Value = UserNameField.Value
  
  
  // C# example
  String selectCmd = "select * from Authors where state = @username";
  SqlConnection myConnection = new SqlConnection("server=...");
  SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);
  
  myCommand.SelectCommand.Parameters.Add(new SqlParameter("@username", SqlDbType.NVarChar, 20));
  myCommand.SelectCommand.Parameters["@username"].Value = UserNameField.Value;
</text>
          <text />
          <text>[2] You can add input validation to Web Forms pages by using validation controls. Validation controls provide an easy-to-use mechanism for all common types of standard validation - for example, testing for valid dates or values within a range - plus ways to provide custom-written validation. In addition, validation controls allow you to completely customize how error information is displayed to the user. Validation controls can be used with any controls that are processed in a Web Forms page's class file, including both HTML and Web server controls.</text>
          <text />
          <text>In order to make sure user input contains only valid values, you can use one of the following validation controls:</text>
          <text />
          <text>a. "RangeValidator": checks that a user's entry (value) is between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.</text>
          <text />
          <text>b. "RegularExpressionValidator": checks that the entry matches a pattern defined by a regular expression. This type of validation allows you to check for predictable sequences of characters, such as those in social security numbers, e-mail addresses, telephone numbers, postal codes, and so on.</text>
          <text />
          <text>Important note: validation controls do not block user input or change the flow of page processing; they only set an error state, and produce error messages. It is the programmer's responsibility to test the state of the controls in the code before performing further application-specific actions.</text>
          <text />
          <text>There are two ways to check for user input validity: </text>
          <text />
          <text>1. Testing for a general error state: </text>
          <text />
          <text>In your code, test the page's IsValid property. This property rolls up the values of the IsValid properties of all the validation controls on the page (using a logical AND). If one of the validation controls is set to invalid, the page's property will return false.</text>
          <text />
          <text>2. Testing for the error state of individual controls:</text>
          <text />
          <text>Loop through the page's Validators collection, which contains references to all the validation controls. You can then examine the IsValid property of each validation control.</text>
          <text>** Prepared Statements:</text>
          <text />
          <text>There are 3 possible ways to protect your application against SQL injection, i.e. malicious tampering of SQL parameters.  Instead of dynamically building SQL statements, use:</text>
          <text />
          <text>[1] PreparedStatement, which is precompiled and stored in a pool of PreparedStatement objects.  PreparedStatement defines setters to register input parameters that are compatible with the supported JDBC SQL data types.  For example, setString should be used for input parameters of type VARCHAR or LONGVARCHAR (refer to the Java API for further details).  This way of setting input parameters prevents an attacker from manipulating the SQL statement through injection of bad characters, such as apostrophe.</text>
          <text />
          <text>Example of how to use a PreparedStatement in J2EE:</text>
          <text />
          <text>  // J2EE PreparedStatemenet Example
  // Get a connection to the database
  Connection myConnection;
  if (isDataSourceEnabled()) {
      // using the DataSource to get a managed connection
      Context ctx = new InitialContext();
      myConnection = ((DataSource)ctx.lookup(datasourceName)).getConnection(dbUserName, dbPassword);
  } else {
      try {
          // using the DriverManager to get a JDBC connection
          Class.forName(jdbcDriverClassPath);
          myConnection = DriverManager.getConnection(jdbcURL, dbUserName, dbPassword);
      } catch (ClassNotFoundException e) {
          ...
      }
  }
  ...
  try {
      PreparedStatement myStatement = myConnection.prepareStatement("select * from users where username = ?");
      myStatement.setString(1, userNameField);
      ResultSet rs = myStatement.executeQuery();
      ...
      rs.close();
  } catch (SQLException sqlException) {
      ...
  } finally {
      myStatement.close();
      myConnection.close();
  }
</text>
          <text />
          <text>[2] CallableStatement, which extends PreparedStatement to execute database SQL stored procedures.  This class inherits input setters from PreparedStatement (see [1] above).</text>
          <text />
          <text>The following example assumes that this database stored procedure has been created:</text>
          <text />
          <text>CREATE PROCEDURE select_user (@username varchar(20))</text>
          <text>AS SELECT * FROM USERS WHERE USERNAME = @username;</text>
          <text />
          <text>Example of how to use a CallableStatement in J2EE to execute the above stored procedure:</text>
          <text />
          <text>  // J2EE PreparedStatemenet Example
  // Get a connection to the database
  Connection myConnection;
  if (isDataSourceEnabled()) {
      // using the DataSource to get a managed connection
      Context ctx = new InitialContext();
      myConnection = ((DataSource)ctx.lookup(datasourceName)).getConnection(dbUserName, dbPassword);
  } else {
      try {
          // using the DriverManager to get a JDBC connection
          Class.forName(jdbcDriverClassPath);
          myConnection = DriverManager.getConnection(jdbcURL, dbUserName, dbPassword);
      } catch (ClassNotFoundException e) {
          ...
      }
  }
  ...
  try {
      PreparedStatement myStatement = myConnection.prepareCall("{?= call select_user ?,?}");
      myStatement.setString(1, userNameField);
      myStatement.registerOutParameter(1, Types.VARCHAR);
      ResultSet rs = myStatement.executeQuery();
      ...
      rs.close();
  } catch (SQLException sqlException) {
      ...
  } finally {
      myStatement.close();
      myConnection.close();
  }
</text>
          <text />
          <text>[3] Entity Bean, which represents an EJB business object in a persistent storage mechanism.  There are two types of entity beans: bean-managed and container-managed.  With bean-managed persistence, the developer is responsible of writing the SQL code to access the database (refer to sections [1] and [2] above).  With container-managed persistence, the EJB container automatically generates the SQL code.  As a result, the container is responsible of preventing malicious attempts to tamper with the generated SQL code.</text>
          <text />
          <text>Example of how to use an Entity Bean in J2EE:</text>
          <text />
          <text>  // J2EE EJB Example
  try {
      // lookup the User home interface
      UserHome userHome = (UserHome)context.lookup(User.class);    
      // find the User remote interface
      User = userHome.findByPrimaryKey(new UserKey(userNameField));    
      ...    
  } catch (Exception e) {
      ...
  }
</text>
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>N/A</text>
          <text />
          <text>REFERENCES</text>
          <link target="https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html">https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html</link>
          <link target="https://docs.oracle.com/javase/7/docs/api/java/sql/CallableStatement.html">https://docs.oracle.com/javase/7/docs/api/java/sql/CallableStatement.html</link>
          <text />
          <text />
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must be performed on the server-tier using Servlets.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement the above routine as static methods in a "Validator" utility class.  The following sections describe an example validator class.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.  </text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // Java example to validate required fields
  public Class Validator {
      ...
      public static boolean validateRequired(String value) {
          boolean isFieldValid = false;
          if (value != null &amp;&amp; value.trim().length() &gt; 0) {
              isFieldValid = true;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateRequired(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.  Use the Java primitive wrapper classes to check if the field value can be safely converted to the desired primitive data type.</text>
          <text />
          <text>Example of how to validate a numeric field (type int):</text>
          <text />
          <text>  // Java example to validate that a field is an int number
  public Class Validator {
      ...
      public static boolean validateInt(String value) {
          boolean isFieldValid = false;
          try {
              Integer.parseInt(value);
              isFieldValid = true;
          } catch (Exception e) {
              isFieldValid = false;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  // check if the HTTP request parameter is of type int
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>A good practice is to convert all HTTP request parameters to their respective data types.  For example, the developer should store the "integerValue" of a request parameter in a request attribute and use it as shown in the following example:</text>
          <text />
          <text>  // Example to convert the HTTP request parameter to a primitive wrapper data type
  // and store this value in a request attribute for further processing
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // convert fieldValue to an Integer
      Integer integerValue = Integer.getInteger(fieldValue);
      // store integerValue in a request attribute
      request.setAttribute("fieldName", integerValue);
  }
  ...
  // Use the request attribute for further processing
  Integer integerValue = (Integer)request.getAttribute("fieldName");
  ...
</text>
          <text />
          <text>The primary Java data types that the application should handle:</text>
          <text>- Byte</text>
          <text>- Short</text>
          <text>- Integer</text>
          <text>- Long</text>
          <text>- Float</text>
          <text>- Double</text>
          <text>- Date</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>Example to validate that the length of the userName field is between 8 and 20 characters:</text>
          <text />
          <text>  // Example to validate the field length
  public Class Validator {
      ...
      public static boolean validateLength(String value, int minLength, int maxLength) {
          String validatedValue = value;
          if (!validateRequired(value)) {
              validatedValue = "";
          }
          return (validatedValue.length() &gt;= minLength &amp;&amp;
                      validatedValue.length() &lt;= maxLength);
      }
      ...
  }
  ...
  String userName = request.getParameter("userName");
  if (Validator.validateRequired(userName)) {
      if (Validator.validateLength(userName, 8, 20)) {
          // userName is valid, continue further processing
          ...
      }
  }
</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>Example to validate that the input numberOfChoices is between 10 and 20:</text>
          <text />
          <text>  // Example to validate the field range
  public Class Validator {
      ...
      public static boolean validateRange(int value, int min, int max) {
          return (value &gt;= min &amp;&amp; value &lt;= max);
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("numberOfChoices");
  if (Validator.validateRequired(fieldValue)) {
      if (Validator.validateInt(fieldValue)) {
          int numberOfChoices = Integer.parseInt(fieldValue);
          if (Validator.validateRange(numberOfChoices, 10, 20)) {
              // numberOfChoices is valid, continue processing request
              ...
          }
      }
  }
</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>Example to validate the user selection against a list of allowed options:</text>
          <text />
          <text>  // Example to validate user selection against a list of options
  public Class Validator {
      ...
      public static boolean validateOption(Object[] options, Object value) {
          boolean isValidValue = false;
          try {
              List list = Arrays.asList(options);
              if (list != null) {
                  isValidValue = list.contains(value);
              }
          } catch (Exception e) {
          }
          return isValidValue;
      }
      ...
  }
  ...
  // Allowed options
  String[] options = {"option1", "option2", "option3");
  // Verify that the user selection is one of the allowed options
  String userSelection = request.getParameter("userSelection");
  if (Validator.validateOption(options, userSelection)) {
      // valid user selection, continue processing request
      ...
  }
</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that the user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]*$</text>
          <text />
          <text>Java 1.3 or earlier versions do not include any regular expression packages.  Apache Regular Expression Package (see Resources below) is recommended for use with Java 1.3 to resolve this lack of support.  Example to perform regular expression validation:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Apache regular expression package
  import org.apache.regexp.RE;
  import org.apache.regexp.RESyntaxException;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
               RE r = new RE(expression);
               match = r.match(value);             
          }
          return match;
      }
      ...
  }
  ...
  // Verify that the userName request parameter is alpha-numeric
  String userName = request.getParameter("userName");
  if (Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      // userName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>Java 1.4 introduced a new regular expression package (java.util.regex).  Here is a modified version of Validator.matchPattern using the new Java 1.4 regular expression package:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Java 1.4 regular expression package
  import java.util.regex.Pattern;
  import java.util.regexe.Matcher;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
              match = Pattern.matches(expression, value);
          }
          return match;
      }
      ...
  }
</text>
          <text />
          <text>[7] Cookie value</text>
          <text>Use the javax.servlet.http.Cookie object to validate the cookie value.  The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>Example to validate a required cookie value:</text>
          <text />
          <text>  // Example to validate a required cookie value
  // First retrieve all available cookies submitted in the HTTP request
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
      // find the "user" cookie
      for (int i=0; i&lt;cookies.length; ++i) {
          if (cookies[i].getName().equals("user")) {
              // validate the cookie value
              if (Validator.validateRequired(cookies[i].getValue()) {
                  // valid cookie value, continue processing request
                  ...
              }
          }    
      }
  }
</text>
          <text />
          <text>[8] HTTP Response</text>
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>Example to filter a specified string by converting sensitive characters to their corresponding character entities:</text>
          <text />
          <text>  // Example to filter sensitive data to prevent cross-site scripting
  public Class Validator {
      ...
      public static String filter(String value) {
          if (value == null) {
              return null;
          }        
          StringBuffer result = new StringBuffer(value.length());
          for (int i=0; i&lt;value.length(); ++i) {
              switch (value.charAt(i)) {
              case '&lt;':
                  result.append("&lt;");
                  break;
              case '&gt;': 
                  result.append("&gt;");
                  break;
              case '"': 
                  result.append(""");
                  break;
              case '\'': 
                  result.append("'");
                  break;
              case '%': 
                  result.append("%");
                  break;
              case ';': 
                  result.append(";");
                  break;
              case '(': 
                  result.append("(");
                  break;
              case ')': 
                  result.append(")");
                  break;
              case '&amp;': 
                  result.append("&amp;");
                  break;
              case '+':
                  result.append("+");
                  break;
              default:
                  result.append(value.charAt(i));
                  break;
          }        
          return result;
      }
      ...
  }
  ...
  // Filter the HTTP response using Validator.filter
  PrintWriter out = response.getWriter();
  // set output response
  out.write(Validator.filter(response));
  out.close();
</text>
          <text />
          <text>The Java Servlet API 2.3 introduced Filters, which supports the interception and transformation of HTTP requests or responses.</text>
          <text />
          <text>Example of using a Servlet Filter to sanitize the response using Validator.filter:</text>
          <text />
          <text>  // Example to filter all sensitive characters in the HTTP response using a Java Filter.
  // This example is for illustration purposes since it will filter all content in the response, including HTML tags!
  public class SensitiveCharsFilter implements Filter {
      ...
      public void doFilter(ServletRequest request,
                      ServletResponse response,
                      FilterChain chain)
              throws IOException, ServletException {
  
          PrintWriter out = response.getWriter();
          ResponseWrapper wrapper = new ResponseWrapper((HttpServletResponse)response);
          chain.doFilter(request, wrapper);
  
          CharArrayWriter caw = new CharArrayWriter();
          caw.write(Validator.filter(wrapper.toString()));
          
          response.setContentType("text/html");
          response.setContentLength(caw.toString().length());
          out.write(caw.toString());
          out.close();
      }
      ...
      public class CharResponseWrapper extends HttpServletResponseWrapper {
          private CharArrayWriter output;
  
          public String toString() {
              return output.toString();
          }
      
          public CharResponseWrapper(HttpServletResponse response){
              super(response);
              output = new CharArrayWriter();
          }
          
          public PrintWriter getWriter(){
              return new PrintWriter(output);
          }
      }
  } 
  
  }
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text>When storing sensitive data in a cookie, make sure to set the secure flag of the cookie in the HTTP response, using Cookie.setSecure(boolean flag) to instruct the browser to send the cookie  using  a secure protocol, such as HTTPS or SSL.</text>
          <text />
          <text>Example to secure the "user" cookie:</text>
          <text />
          <text>  // Example to secure a cookie, i.e. instruct the browser to
  // send the cookie using a secure protocol
  Cookie cookie = new Cookie("user", "sensitive");
  cookie.setSecure(true);
  response.addCookie(cookie);
</text>
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a powerful framework that implements all the above data validation requirements.  These rules are configured in an XML file that defines input validation rules for form fields.  Struts supports output filtering of dangerous characters in the [8] HTTP Response by default on all data written using the Struts 'bean:write' tag.  This filtering may be disabled by setting the 'filter=false' flag.</text>
          <text />
          <text>Struts defines the following basic input validators, but custom validators may also be defined:</text>
          <text>required: succeeds if the field contains any characters other than white space.</text>
          <text>mask: succeeds if the value matches the regular expression given by the mask attribute.</text>
          <text>range: succeeds if the value is within the values given by the min and max attributes ((value &gt;= min) &amp; (value &lt;= max)).</text>
          <text>maxLength: succeeds if the field is length is less than or equal to the max attribute.</text>
          <text>minLength: succeeds if the field is length is greater than or equal to the min attribute.</text>
          <text>byte, short, integer, long, float, double: succeeds if the value can be converted to the corresponding primitive.</text>
          <text>date: succeeds if the value represents a valid date. A date pattern may be provided.</text>
          <text>creditCard: succeeds if the value could be a valid credit card number.</text>
          <text>e-mail: succeeds if the value could be a valid e-mail address.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events and input validation.</text>
          <text />
          <text>The JavaServer Faces API implements the following basic validators, but custom validators may be defined:</text>
          <text>validate_doublerange: registers a DoubleRangeValidator on a component</text>
          <text>validate_length: registers a LengthValidator on a component</text>
          <text>validate_longrange: registers a LongRangeValidator on a component</text>
          <text>validate_required: registers a RequiredValidator on a component</text>
          <text>validate_stringrange: registers a StringRangeValidator on a component</text>
          <text>validator: registers a custom Validator on a component</text>
          <text />
          <text>The JavaServer Faces API defines the following UIInput and UIOutput Renderers (Tags):</text>
          <text>input_date: accepts a java.util.Date formatted with a java.text.Date instance</text>
          <text>output_date: displays a java.util.Date formatted with a java.text.Date instance</text>
          <text>input_datetime: accepts a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>output_datetime: displays a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>input_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>output_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>input_text: accepts a text string of one line.</text>
          <text>output_text: displays a text string of one line.</text>
          <text>input_time: accepts a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>output_time: displays a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>input_hidden: allows a page author to include a hidden variable in a page</text>
          <text>input_secret: accepts one line of text with no spaces and displays it as a set of asterisks as it is typed</text>
          <text>input_textarea: accepts multiple lines of text</text>
          <text>output_errors: displays error messages for an entire page or error messages associated with a specified client identifier</text>
          <text>output_label: displays a nested component as a label for a specified input field</text>
          <text>output_message: displays a localized message</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text />
          <text>** Error Handling:</text>
          <text />
          <text>Many J2EE web application architectures follow the Model View Controller (MVC) pattern.  In this pattern a Servlet acts as a Controller.  A Servlet delegates the application processing to a JavaBean such as an EJB Session Bean (the Model).  The Servlet then forwards the request to a JSP (View) to render the processing results.  Servlets should check all input, output, return codes, error codes and known exceptions to ensure that the expected processing actually occurred.</text>
          <text />
          <text>While data validation protects applications against malicious data tampering, a sound error handling strategy is necessary to prevent the application from inadvertently disclosing internal error messages such as exception stack traces.  A good error handling strategy addresses the following items:</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>[2] Reporting Errors</text>
          <text>[3] Rendering Errors</text>
          <text>[4] Error Mapping</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>Hard-coded error messages in the application layer (e.g. Servlets) should be avoided.  Instead, the application should use error keys that map to known application failures.  A good practice is to define error keys that map to validation rules for HTML form fields or other bean properties.  For example, if the "user_name" field is required, is alphanumeric, and must be unique in the database, then the following error keys should be defined:</text>
          <text />
          <text>(a) ERROR_USERNAME_REQUIRED: this error key is used to display a message notifying the user that the "user_name" field is required;</text>
          <text>(b) ERROR_USERNAME_ALPHANUMERIC: this error key is used to display a message notifying the user that the "user_name" field should be alphanumeric;</text>
          <text>(c) ERROR_USERNAME_DUPLICATE: this error key is used to display a message notifying the user that the "user_name" value is a duplicate in the database;</text>
          <text>(d) ERROR_USERNAME_INVALID: this error key is used to display a generic message notifying the user that the "user_name" value is invalid;</text>
          <text />
          <text>A good practice is to define the following framework Java classes which are used to store and report application errors:</text>
          <text />
          <text>- ErrorKeys: defines all error keys</text>
          <text />
          <text>      // Example: ErrorKeys defining the following error keys:    
      //    - ERROR_USERNAME_REQUIRED
      //    - ERROR_USERNAME_ALPHANUMERIC
      //    - ERROR_USERNAME_DUPLICATE
      //    - ERROR_USERNAME_INVALID
      //    ...
      public Class ErrorKeys {
          public static final String ERROR_USERNAME_REQUIRED = "error.username.required";
          public static final String ERROR_USERNAME_ALPHANUMERIC = "error.username.alphanumeric";
          public static final String ERROR_USERNAME_DUPLICATE = "error.username.duplicate";
          public static final String ERROR_USERNAME_INVALID = "error.username.invalid";
          ...
      }
</text>
          <text>- Error: encapsulates an individual error</text>
          <text />
          <text>      // Example: Error encapsulates an error key.
      // Error is serializable to support code executing in multiple JVMs.
      public Class Error implements Serializable {
          
          // Constructor given a specified error key
          public Error(String key) {
              this(key, null);
          }
          
          // Constructor given a specified error key and array of placeholder objects
          public Error(String key, Object[] values) {
              this.key = key;
              this.values = values;
          }
          
          // Returns the error key
          public String getKey() {
              return this.key;
          }
          
          // Returns the placeholder values
          public Object[] getValues() {
              return this.values;
          }
          
          private String key = null;
          private Object[] values = null;
      }    
</text>
          <text />
          <text>- Errors: encapsulates a Collection of errors</text>
          <text />
          <text>      // Example: Errors encapsulates the Error objects being reported to the presentation layer.
      // Errors are stored in a HashMap where the key is the bean property name and value is an
      // ArrayList of Error objects.
      public Class Errors implements Serializable {
      
          // Adds an Error object to the Collection of errors for the specified bean property.
          public void addError(String property, Error error) {
              ArrayList propertyErrors = (ArrayList)errors.get(property);
              if (propertyErrors == null) {
                  propertyErrors = new ArrayList();
                  errors.put(property, propertyErrors);
              }
              propertyErrors.put(error);            
          }
          
          // Returns true if there are any errors
          public boolean hasErrors() {
              return (errors.size &gt; 0);
          }
          
          // Returns the Errors for the specified property
          public ArrayList getErrors(String property) {
              return (ArrayList)errors.get(property);
          }
  
          private HashMap errors = new HashMap();
      }
</text>
          <text />
          <text>Using the above framework classes, here is an example to process validation errors of the "user_name" field:</text>
          <text />
          <text>  // Example to process validation errors of the "user_name" field.
  Errors errors = new Errors();
  String userName = request.getParameter("user_name");
  // (a) Required validation rule
  if (!Validator.validateRequired(userName)) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_REQUIRED));
  } // (b) Alpha-numeric validation rule
  else if (!Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_ALPHANUMERIC));
  }
  else
  {
      // (c) Duplicate check validation rule
      // We assume that there is an existing UserValidationEJB session bean that implements
      // a checkIfDuplicate() method to verify if the user already exists in the database.
      try {
          ...        
          if (UserValidationEJB.checkIfDuplicate(userName)) {
              errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE));
          }
      } catch (RemoteException e) {
          // log the error
          logger.error("Could not validate user for specified userName: " + userName);
          errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE);
      }
  }
  // set the errors object in a request attribute called "errors"
  request.setAttribute("errors", errors);
  ...
</text>
          <text />
          <text>[2] Reporting Errors</text>
          <text>There are two ways to report web-tier application errors:</text>
          <text>(a) Servlet Error Mechanism</text>
          <text>(b) JSP Error Mechanism</text>
          <text />
          <text>[2-a] Servlet Error Mechanism</text>
          <text>A Servlet may report errors by:</text>
          <text>- forwarding to the input JSP (having already stored the errors in a request attribute), OR</text>
          <text>- calling response.sendError with an HTTP error code argument, OR</text>
          <text>- throwing an exception</text>
          <text />
          <text>It is good practice to process all known application errors (as described in section [1]), store them in a request attribute, and forward to the input JSP. The input JSP should display the error messages and prompt the user to re-enter the data.  The following example illustrates how to forward to an input JSP (userInput.jsp):</text>
          <text />
          <text>  // Example to forward to the userInput.jsp following user validation errors
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd != null) {
      rd.forward(request, response);
  }
</text>
          <text />
          <text>If the Servlet cannot forward to a known JSP page, the second option is to report an error using the response.sendError method with HttpServletResponse.SC_INTERNAL_SERVER_ERROR (status code 500) as argument.  Refer to the javadoc of javax.servlet.http.HttpServletResponse for more details on the various HTTP status codes.  Example to return a HTTP error:</text>
          <text />
          <text>  // Example to return a HTTP error code
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd == null) {
      // messages is a resource bundle with all message keys and values
      response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                              messages.getMessage(ErrorKeys.ERROR_USERNAME_INVALID));
  }
</text>
          <text />
          <text>As a last resort, Servlets can throw an exception, which must be a subclass of one of the following classes:</text>
          <text>- RuntimeException</text>
          <text>- ServletException</text>
          <text>- IOException</text>
          <text />
          <text>[2-b] JSP Error Mechanism</text>
          <text>JSP pages provide a mechanism to handle runtime exceptions by defining an errorPage directive as shown in the following example:</text>
          <text />
          <text>      &lt;%@ page errorPage="/errors/userValidation.jsp" %&gt;
</text>
          <text />
          <text>Uncaught JSP exceptions are forwarded to the specified errorPage, and the original exception is set in a request parameter called javax.servlet.jsp.jspException.  The error page must include a isErrorPage directive as shown below:</text>
          <text />
          <text>      &lt;%@ page isErrorPage="true" %&gt;
</text>
          <text />
          <text>The isErrorPage directive causes the "exception" variable to be initialized to the exception object being thrown.</text>
          <text />
          <text>[3] Rendering Errors</text>
          <text>The J2SE Internationalization APIs provide utility classes for externalizing application resources and formatting messages including:</text>
          <text />
          <text>(a) Resource Bundles</text>
          <text>(b) Message Formatting</text>
          <text />
          <text>[3-a] Resource Bundles</text>
          <text>Resource bundles support internationalization by separating localized data from the source code that uses it.  Each resource bundle stores a map of key/value pairs for a specific locale.</text>
          <text />
          <text>It is common to use or extend java.util.PropertyResourceBundle, which stores the content in an external properties file as shown in the following example:</text>
          <text />
          <text>  ################################################
  # ErrorMessages.properties
  ################################################
  # required user name error message
  error.username.required=User name field is required
  
  # invalid user name format
  error.username.alphanumeric=User name must be alphanumeric
  
  # duplicate user name error message
  error.username.duplicate=User name {0} already exists, please choose another one
  
  ...
</text>
          <text />
          <text>Multiple resources can be defined to support different locales (hence the name resource bundle).  For example, ErrorMessages_fr.properties can be defined to support the French member of the bundle family.  If the resource member of the requested locale does not exist, the default member is used.  In the above example, the default resource is ErrorMessages.properties.  Depending on the user's locale, the application (JSP or Servlet) retrieves content from the appropriate resource.</text>
          <text />
          <text>[3-b] Message Formatting</text>
          <text>The J2SE standard class java.util.MessageFormat provides a generic way to create messages with replacement placeholders.  A MessageFormat object contains a pattern string with embedded format specifiers as shown below:</text>
          <text />
          <text>  // Example to show how to format a message using placeholder parameters
  String pattern = "User name {0} already exists, please choose another one";
  String userName = request.getParameter("user_name");
  Object[] args = new Object[1];
  args[0] = userName;
  String message = MessageFormat.format(pattern, args);
</text>
          <text />
          <text>Here is a more comprehensive example to render error messages using ResourceBundle and MessageFormat:</text>
          <text />
          <text>  // Example to render an error message from a localized ErrorMessages resource (properties file)
  // Utility class to retrieve locale-specific error messages
  public Class ErrorMessageResource {
      
      // Returns the error message for the specified error key in the environment locale
      public String getErrorMessage(String errorKey) {
          return getErrorMessage(errorKey, defaultLocale);
      }
      
      // Returns the error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Locale locale) {
          return getErrorMessage(errorKey, null, locale);
      }
      
      // Returns a formatted error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Object[] args, Locale locale) {    
          // Get localized ErrorMessageResource
          ResourceBundle errorMessageResource = ResourceBundle.getBundle("ErrorMessages", locale);
          // Get localized error message
          String errorMessage = errorMessageResource.getString(errorKey);
          if (args != null) {
              // Format the message using the specified placeholders args
              return MessageFormat.format(errorMessage, args);
          } else {
              return errorMessage;
          }
      }
      
      // default environment locale
      private Locale defaultLocale = Locale.getDefaultLocale();
  }
  ...
  // Get the user's locale
  Locale userLocale = request.getLocale();
  // Check if there were any validation errors
  Errors errors = (Errors)request.getAttribute("errors");
  if (errors != null &amp;&amp; errors.hasErrors()) {
      // iterate through errors and output error messages corresponding to the "user_name" property
      ArrayList userNameErrors = errors.getErrors("user_name");
      ListIterator iterator = userNameErrors.iterator();
      while (iterator.hasNext()) {
          // Get the next error object
          Error error = (Error)iterator.next();
          String errorMessage = ErrorMessageResource.getErrorMessage(error.getKey(), userLocale);
          output.write(errorMessage + "\r\n");
      }
  }
</text>
          <text />
          <text>It is recommended to define a custom JSP tag, e.g. displayErrors, to iterate through and render error messages as shown in the above example.</text>
          <text />
          <text>[4] Error Mapping</text>
          <text>Normally, the Servlet Container will return a default error page corresponding to either the response status code or the exception.  A mapping between the status code or the exception and a web resource may be specified using custom error pages.  It is a good practice to develop static error pages that do not disclose internal error states (by default, most Servlet containers will report internal error messages).  This mapping is configured in the Web Deployment Descriptor (web.xml) as specified in the following example:</text>
          <text />
          <text>  &lt;!-- Mapping of HTTP error codes and application exceptions to error pages --&gt;
  &lt;error-page&gt;
    &lt;exception-type&gt;UserValidationException&lt;/exception-type&gt;
    &lt;location&gt;/errors/validationError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
    &lt;error-code&gt;500&lt;/exception-type&gt;
    &lt;location&gt;/errors/internalError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
  ...
  &lt;/error-page&gt;
  ...
</text>
          <text />
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a Java framework that defines the error handling mechanism as described above.  Validation rules are configured in an XML file that defines input validation rules for form fields and the corresponding validation error keys.  Struts provides internationalization support to build localized applications using resource bundles and message formatting.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>The Struts JSP tag library defines the "errors" tag that conditionally displays a set of accumulated error messages as shown in the following example:</text>
          <text />
          <text>  &lt;%@ page language="java" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %&gt;
  &lt;html:html&gt;
  &lt;head&gt;
  &lt;body&gt;
      &lt;html:form action="/logon.do"&gt;    
      &lt;table border="0" width="100%"&gt;
      &lt;tr&gt;
          &lt;th align="right"&gt;
              &lt;html:errors property="username"/&gt;
              &lt;bean:message key="prompt.username"/&gt;
          &lt;/th&gt;
          &lt;td align="left"&gt;
              &lt;html:text property="username" size="16"/&gt;
          &lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
      &lt;td align="right"&gt;
          &lt;html:submit&gt;&lt;bean:message key="button.submit"/&gt;&lt;/html:submit&gt;
      &lt;/td&gt;
      &lt;td align="right"&gt;
          &lt;html:reset&gt;&lt;bean:message key="button.reset"/&gt;&lt;/html:reset&gt;
      &lt;/td&gt;
      &lt;/tr&gt;
      &lt;/table&gt;
      &lt;/html:form&gt;
  &lt;/body&gt;
  &lt;/html:html&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events, validate input, and support internationalization.</text>
          <text />
          <text>The JavaServer Faces API defines the "output_errors" UIOutput Renderer, which displays error messages for an entire page or error messages associated with a specified client identifier.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text>** Filter User Input</text>
          <text />
          <text>Before passing any data to a SQL query, it should always be properly filtered with whitelisting techniques.  This cannot be over-emphasized.  Filtering user input will correct many injection flaws before they arrive at the database.</text>
          <text />
          <text>** Quote User Input</text>
          <text />
          <text>Regardless of data type, it is always a good idea to place single quotes around all user data if this is permitted by the database.  MySQL allows this formatting technique.</text>
          <text />
          <text>** Escape the Data Values</text>
          <text />
          <text>If you're using MySQL 4.3.0 or newer, you should escape all strings with mysql_real_escape_string().  If you are using an older version of MySQL, you should use the mysql_escape_string() function.  If you are not using MySQL, you might choose to use the specific escaping function for your particular database.  If you are not aware of an escaping function, you might choose to utilize a more generic escaping function such as addslashes().</text>
          <text />
          <text>If you're using the PEAR DB database abstraction layer, you can use the DB::quote() method or use a query placeholder like ?, which automatically escapes the value that replaces the placeholder.</text>
          <text />
          <text>REFERENCES</text>
          <link target="http://ca3.php.net/mysql_real_escape_string">http://ca3.php.net/mysql_real_escape_string</link>
          <link target="http://ca.php.net/mysql_escape_string">http://ca.php.net/mysql_escape_string</link>
          <link target="http://ca.php.net/addslashes">http://ca.php.net/addslashes</link>
          <link target="http://pear.php.net/package-info.php?package=DB">http://pear.php.net/package-info.php?package=DB</link>
          <text />
          <text />
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must always be performed on the server-tier.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement a function or functions that validates each application parameter.  The following sections describe some example checking.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.</text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // PHP example to validate required fields
  function validateRequired($input) {
      ...
      $pass = false;
      if (strlen(trim($input))&gt;0){
          $pass = true;
      }
      return $pass;
      ...
  }
  ...
  if (validateRequired($fieldName)) {
      // fieldName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]+$</text>
          <text />
          <text>[7] Cookie value</text>
          <text>The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>[8] HTTP Response</text>
          <text />
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, the developer should sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>PHP includes some automatic sanitization utility functions, such as htmlentities():</text>
          <text />
          <text>  $input = htmlentities($input, ENT_QUOTES, 'UTF-8');
</text>
          <text />
          <text>In addition, in order to avoid UTF-7 variants of Cross-site Scripting, you should explicitly define the Content-Type header of the response, for example:</text>
          <text />
          <text>  &lt;?php
  
  header('Content-Type: text/html; charset=UTF-8');
  
  ?&gt;
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text />
          <text>When storing sensitive data in a cookie and transporting it over SSL, make sure that you first set the secure flag of the cookie in the HTTP response. This will instruct the browser to only use that cookie over SSL connections.</text>
          <text />
          <text>You can use the following code example, for securing the cookie:</text>
          <text />
          <text>  &lt;$php
  
      $value = "some_value";
      $time = time()+3600;
      $path = "/application/";
      $domain = ".example.com";
      $secure = 1;
  
      setcookie("CookieName", $value, $time, $path, $domain, $secure, TRUE);
  ?&gt;
  
</text>
          <text />
          <text>In addition, we recommend that you use the HttpOnly flag. When the HttpOnly flag is set to TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).</text>
          <text />
          <text>The HttpOnly flag was Added in PHP 5.2.0.</text>
          <text />
          <text>REFERENCES</text>
          <text />
          <text>[1] Mitigating Cross-site Scripting With HTTP-only Cookies: </text>
          <link target="http://msdn2.microsoft.com/en-us/library/ms533046.aspx">http://msdn2.microsoft.com/en-us/library/ms533046.aspx</link>
          <text>[2] PHP Security Consortium: </text>
          <link target="http://phpsec.org/">http://phpsec.org/</link>
          <text>[3] PHP &amp; Web Application Security Blog (Chris Shiflett): </text>
          <link target="http://shiflett.org/">http://shiflett.org/</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="attSqlInjectionChecks">
      <general>
        <fixRecommendation type="General">
          <text>Use stored procedures with parameters to prevent injection of SQL commands in data, or at least parameterized database calls that do not allow the injection of code. Do not include any dynamic SQL execution in the stored procedures.</text>
          <text>An even better solution is to use an ORM (object-relational mapping) framework such as Hibernate or EntityFramework, if you have one available on your platform.</text>
          <text>Ensure that all user input is validated and filtered on the server side, not just to disallow bad characters such as a single quote ( ' ) and double quotes ("), but rather to only allow safe characters. Narrowly define the set of safe characters based on the expected value of the parameter in the request.</text>
          <text>Use escaping functions on all user input.</text>
          <text>Configure the application identity for the least database privileges that are required to accomplish the necessary tasks. Harden the database server to disable any unneeded functionality, such as shell commands.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attIntegerOverflow">
      <general>
        <fixRecommendation type="General">
          <text>Validate all inputs are within an expected range and the sign before relying on their values or using them in arithmetic calculations.</text>
          <text>Be sure to check both upper bounds and lower bounds, including negative lower bounds for signed integers (integer overflow is also possible with very large negative numbers).</text>
          <text>Use unsigned integers where possible.</text>
          <text>Consider using a safe integer-handling library (such as C/C++ SafeInt or IntegerLib).</text>
          <text>Consider enabling compiler extensions that prevent some classes of buffer overflows.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attRedirectInURL">
      <general>
        <fixRecommendation type="General">
          <text>Avoid redirecting requests based on untrusted data if possible.</text>
          <text>If relying on user input cannot be avoided, the URL should first be validated before redirection. Data that a user can modify must be treated as untrusted data.</text>
          <text>A unique token, linked to the current user session, should be sent along with the redirect field value. This unique token should then be verified by the server before the actual redirect takes place. This ensures that attackers would have a harder time using the redirect field to propagate their malicious activities, since they cannot guess the user's session token.</text>
          <text>Sanitize input by comparing to a predefined list of trusted URLs, based on an allow-list.</text>
          <text>Force all redirects to first go through a page notifying users that they are about to leave your site, with the destination clearly displayed, and have them click a link to confirm.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attCrossSiteScripting">
      <general>
        <fixRecommendation type="General">
          <text>Fully encode all dynamic data from an untrusted source that is inserted into the webpage, to ensure it is treated as literal text and not as a script that could be executed or markup that could be rendered.</text>
          <text>Consider the context in which your data will be used, and contextually encode the data as close as possible to the actual output: e.g. HTML encoding for HTML content; HTML Attribute encoding for data output to attribute values; JavaScript encoding for dynamically generated JavaScript. For example, when HTML encoding non-alphanumeric characters into HTML entities, `&lt;` and `&gt;` would become `&amp;lt;` and `&amp;gt;`.</text>
          <text>As an extra defensive measure, validate all external input on the server, regardless of source. Carefully check each input parameter against a rigorous positive specification (allowlist) defining data type; size; range; format; and acceptable values. Regular expressions or framework controls may be useful in some cases, though this is not a replacement for output encoding.</text>
          <text>Output encoding and data validation must be done on all untrusted data, wherever it comes from: e.g. form fields, URL parameters, web service arguments, cookies, any data from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files and filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.</text>
          <text>For every web page that is returned by the server, explicitly set the `Content-Type` HTTP response header. This header value should define a specific character encoding (charset), such as `ISO-8859-1` or `UTF-8`. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page, which would allow a potential attacker to bypass XSS protections.</text>
          <text>Additionally, set the `httpOnly` flag on the session cookie, to prevent any XSS exploits from stealing a user's cookie.</text>
          <text>Prefer using a framework or standard library that prevents this vulnerability by automatically encoding all dynamic output based on context, or at least that provides constructs that make it easier to avoid.</text>
          <text>For every web page that is returned by the server, explicitly set the `Content-Security-Policy` HTTP response header, In order to make it significantly more difficult for the attacker to actually exploit the XSS attack.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attSameSiteCookie">
      <general>
        <fixRecommendation type="General">
          <text>[1] Review possible solutions for configuring SameSite Cookie attribute to recommended values.</text>
          <text>[2] Restrict Cookies to a first-party or same-site context.</text>
          <text>[3] Verify and set the SameSite attribute of your cookie to Strict, to ensure that the cookie will only be sent in a first-party context.</text>
          <text>[4] Or, if you want to relax the restrictions of first-party context, then verify and set the SameSite attribute of the cookie to Lax with Secure Flag enabled and transferred over HTTPS.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attCrossSiteRequestForgery">
      <general>
        <fixRecommendation type="General">
          <text>Set all session and authentication cookies to include the `SameSite` attribute, setting it to `Strict` or `Lax`. When setting this attribute to `Lax` ensure that no sensitive action can be performed via a `GET` request, as per the HTTP standard.</text>
          <text>Use built-in CSRF protection provided by the platform or framework, and ensure to activate it appropriately whether in configuration or code.</text>
          <text>If your platform does not provide a built-in anti-CSRF mechanism, consider integrating a well-vetted library to implement the protection, such as OWASP CSRFGuard.</text>
          <text>Avoid building a custom anti-CSRF implementation, as this can be complicated to achieve correctly without allowing trivial bypass. If you absolutely must do so due to lack of standard library support, you should generate a secure, random and non-predictable token (e.g. GUID v4) on the server and embed it in each HTML form, while binding it to the user's session. Upon receiving the submitted form, verify that the included form token matches the token previously bound to the user. It is also feasible to embed the CSRF token in a designated cookie ('double-submitted cookie'), or even better use a custom request header - when the server receives these together with the submitted form token, it is simple to validate that they match (instead of storing in the user's session).</text>
          <text>An alternative approach would be to require user reauthentication for specific actions, to ensure the user's active confirmation. Note that this would substantially impact user experience, so this should be used sparingly and only for especially sensitive actions.</text>
          <text>Verify the source of the request by validating the `Origin` header if present, or at least the `Referer` header. Discard sensitive requests that originate from a different site.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="GV_SQLErr">
      <general>
        <fixRecommendation type="General">
          <text>There are several mitigation techniques:</text>
          <text>[1] Strategy: Libraries or Frameworks</text>
          <text>Use a vetted library or framework that does not allow this weakness to occur, or provides constructs that make it easier to avoid.</text>
          <text />
          <text>[2] Strategy: Parameterization</text>
          <text>If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.</text>
          <text />
          <text>[3] Strategy: Environment Hardening</text>
          <text>Run your code using the lowest privileges that are required to accomplish the necessary tasks.</text>
          <text />
          <text>[4] Strategy: Output Encoding</text>
          <text>If you need to use dynamically-generated query strings or commands in spite of the risk, properly quote arguments and escape any special characters within those arguments.</text>
          <text />
          <text>[5] Strategy: Input Validation</text>
          <text>Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on blacklisting malicious or malformed inputs. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.</text>
          <text>Here are two possible ways to protect your web application against SQL injection attacks:</text>
          <text />
          <text>[1] Use a stored procedure rather than dynamically built SQL query string. The way parameters are passed to SQL Server stored procedures, prevents the use of apostrophes and hyphens.</text>
          <text />
          <text>Here is a simple example of how to use stored procedures in ASP.NET:</text>
          <text />
          <text>  ' Visual Basic example
  Dim DS As DataSet
  Dim MyConnection As SqlConnection
  Dim MyCommand As SqlDataAdapter
  
  Dim SelectCommand As String = "select * from users where username = @username"
  ...
  MyCommand.SelectCommand.Parameters.Add(New SqlParameter("@username", SqlDbType.NVarChar, 20))
  MyCommand.SelectCommand.Parameters("@username").Value = UserNameField.Value
  
  
  // C# example
  String selectCmd = "select * from Authors where state = @username";
  SqlConnection myConnection = new SqlConnection("server=...");
  SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);
  
  myCommand.SelectCommand.Parameters.Add(new SqlParameter("@username", SqlDbType.NVarChar, 20));
  myCommand.SelectCommand.Parameters["@username"].Value = UserNameField.Value;
</text>
          <text />
          <text>[2] You can add input validation to Web Forms pages by using validation controls. Validation controls provide an easy-to-use mechanism for all common types of standard validation - for example, testing for valid dates or values within a range - plus ways to provide custom-written validation. In addition, validation controls allow you to completely customize how error information is displayed to the user. Validation controls can be used with any controls that are processed in a Web Forms page's class file, including both HTML and Web server controls.</text>
          <text />
          <text>In order to make sure user input contains only valid values, you can use one of the following validation controls:</text>
          <text />
          <text>a. "RangeValidator": checks that a user's entry (value) is between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.</text>
          <text />
          <text>b. "RegularExpressionValidator": checks that the entry matches a pattern defined by a regular expression. This type of validation allows you to check for predictable sequences of characters, such as those in social security numbers, e-mail addresses, telephone numbers, postal codes, and so on.</text>
          <text />
          <text>Important note: validation controls do not block user input or change the flow of page processing; they only set an error state, and produce error messages. It is the programmer's responsibility to test the state of the controls in the code before performing further application-specific actions.</text>
          <text />
          <text>There are two ways to check for user input validity: </text>
          <text />
          <text>1. Testing for a general error state: </text>
          <text />
          <text>In your code, test the page's IsValid property. This property rolls up the values of the IsValid properties of all the validation controls on the page (using a logical AND). If one of the validation controls is set to invalid, the page's property will return false.</text>
          <text />
          <text>2. Testing for the error state of individual controls:</text>
          <text />
          <text>Loop through the page's Validators collection, which contains references to all the validation controls. You can then examine the IsValid property of each validation control.</text>
          <text>** Prepared Statements:</text>
          <text />
          <text>There are 3 possible ways to protect your application against SQL injection, i.e. malicious tampering of SQL parameters.  Instead of dynamically building SQL statements, use:</text>
          <text />
          <text>[1] PreparedStatement, which is precompiled and stored in a pool of PreparedStatement objects.  PreparedStatement defines setters to register input parameters that are compatible with the supported JDBC SQL data types.  For example, setString should be used for input parameters of type VARCHAR or LONGVARCHAR (refer to the Java API for further details).  This way of setting input parameters prevents an attacker from manipulating the SQL statement through injection of bad characters, such as apostrophe.</text>
          <text />
          <text>Example of how to use a PreparedStatement in J2EE:</text>
          <text />
          <text>  // J2EE PreparedStatemenet Example
  // Get a connection to the database
  Connection myConnection;
  if (isDataSourceEnabled()) {
      // using the DataSource to get a managed connection
      Context ctx = new InitialContext();
      myConnection = ((DataSource)ctx.lookup(datasourceName)).getConnection(dbUserName, dbPassword);
  } else {
      try {
          // using the DriverManager to get a JDBC connection
          Class.forName(jdbcDriverClassPath);
          myConnection = DriverManager.getConnection(jdbcURL, dbUserName, dbPassword);
      } catch (ClassNotFoundException e) {
          ...
      }
  }
  ...
  try {
      PreparedStatement myStatement = myConnection.prepareStatement("select * from users where username = ?");
      myStatement.setString(1, userNameField);
      ResultSet rs = myStatement.executeQuery();
      ...
      rs.close();
  } catch (SQLException sqlException) {
      ...
  } finally {
      myStatement.close();
      myConnection.close();
  }
</text>
          <text />
          <text>[2] CallableStatement, which extends PreparedStatement to execute database SQL stored procedures.  This class inherits input setters from PreparedStatement (see [1] above).</text>
          <text />
          <text>The following example assumes that this database stored procedure has been created:</text>
          <text />
          <text>CREATE PROCEDURE select_user (@username varchar(20))</text>
          <text>AS SELECT * FROM USERS WHERE USERNAME = @username;</text>
          <text />
          <text>Example of how to use a CallableStatement in J2EE to execute the above stored procedure:</text>
          <text />
          <text>  // J2EE PreparedStatemenet Example
  // Get a connection to the database
  Connection myConnection;
  if (isDataSourceEnabled()) {
      // using the DataSource to get a managed connection
      Context ctx = new InitialContext();
      myConnection = ((DataSource)ctx.lookup(datasourceName)).getConnection(dbUserName, dbPassword);
  } else {
      try {
          // using the DriverManager to get a JDBC connection
          Class.forName(jdbcDriverClassPath);
          myConnection = DriverManager.getConnection(jdbcURL, dbUserName, dbPassword);
      } catch (ClassNotFoundException e) {
          ...
      }
  }
  ...
  try {
      PreparedStatement myStatement = myConnection.prepareCall("{?= call select_user ?,?}");
      myStatement.setString(1, userNameField);
      myStatement.registerOutParameter(1, Types.VARCHAR);
      ResultSet rs = myStatement.executeQuery();
      ...
      rs.close();
  } catch (SQLException sqlException) {
      ...
  } finally {
      myStatement.close();
      myConnection.close();
  }
</text>
          <text />
          <text>[3] Entity Bean, which represents an EJB business object in a persistent storage mechanism.  There are two types of entity beans: bean-managed and container-managed.  With bean-managed persistence, the developer is responsible of writing the SQL code to access the database (refer to sections [1] and [2] above).  With container-managed persistence, the EJB container automatically generates the SQL code.  As a result, the container is responsible of preventing malicious attempts to tamper with the generated SQL code.</text>
          <text />
          <text>Example of how to use an Entity Bean in J2EE:</text>
          <text />
          <text>  // J2EE EJB Example
  try {
      // lookup the User home interface
      UserHome userHome = (UserHome)context.lookup(User.class);    
      // find the User remote interface
      User = userHome.findByPrimaryKey(new UserKey(userNameField));    
      ...    
  } catch (Exception e) {
      ...
  }
</text>
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>N/A</text>
          <text />
          <text>REFERENCES</text>
          <link target="https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html">https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html</link>
          <link target="https://docs.oracle.com/javase/7/docs/api/java/sql/CallableStatement.html">https://docs.oracle.com/javase/7/docs/api/java/sql/CallableStatement.html</link>
          <text />
          <text />
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must be performed on the server-tier using Servlets.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement the above routine as static methods in a "Validator" utility class.  The following sections describe an example validator class.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.  </text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // Java example to validate required fields
  public Class Validator {
      ...
      public static boolean validateRequired(String value) {
          boolean isFieldValid = false;
          if (value != null &amp;&amp; value.trim().length() &gt; 0) {
              isFieldValid = true;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateRequired(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.  Use the Java primitive wrapper classes to check if the field value can be safely converted to the desired primitive data type.</text>
          <text />
          <text>Example of how to validate a numeric field (type int):</text>
          <text />
          <text>  // Java example to validate that a field is an int number
  public Class Validator {
      ...
      public static boolean validateInt(String value) {
          boolean isFieldValid = false;
          try {
              Integer.parseInt(value);
              isFieldValid = true;
          } catch (Exception e) {
              isFieldValid = false;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  // check if the HTTP request parameter is of type int
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>A good practice is to convert all HTTP request parameters to their respective data types.  For example, the developer should store the "integerValue" of a request parameter in a request attribute and use it as shown in the following example:</text>
          <text />
          <text>  // Example to convert the HTTP request parameter to a primitive wrapper data type
  // and store this value in a request attribute for further processing
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // convert fieldValue to an Integer
      Integer integerValue = Integer.getInteger(fieldValue);
      // store integerValue in a request attribute
      request.setAttribute("fieldName", integerValue);
  }
  ...
  // Use the request attribute for further processing
  Integer integerValue = (Integer)request.getAttribute("fieldName");
  ...
</text>
          <text />
          <text>The primary Java data types that the application should handle:</text>
          <text>- Byte</text>
          <text>- Short</text>
          <text>- Integer</text>
          <text>- Long</text>
          <text>- Float</text>
          <text>- Double</text>
          <text>- Date</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>Example to validate that the length of the userName field is between 8 and 20 characters:</text>
          <text />
          <text>  // Example to validate the field length
  public Class Validator {
      ...
      public static boolean validateLength(String value, int minLength, int maxLength) {
          String validatedValue = value;
          if (!validateRequired(value)) {
              validatedValue = "";
          }
          return (validatedValue.length() &gt;= minLength &amp;&amp;
                      validatedValue.length() &lt;= maxLength);
      }
      ...
  }
  ...
  String userName = request.getParameter("userName");
  if (Validator.validateRequired(userName)) {
      if (Validator.validateLength(userName, 8, 20)) {
          // userName is valid, continue further processing
          ...
      }
  }
</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>Example to validate that the input numberOfChoices is between 10 and 20:</text>
          <text />
          <text>  // Example to validate the field range
  public Class Validator {
      ...
      public static boolean validateRange(int value, int min, int max) {
          return (value &gt;= min &amp;&amp; value &lt;= max);
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("numberOfChoices");
  if (Validator.validateRequired(fieldValue)) {
      if (Validator.validateInt(fieldValue)) {
          int numberOfChoices = Integer.parseInt(fieldValue);
          if (Validator.validateRange(numberOfChoices, 10, 20)) {
              // numberOfChoices is valid, continue processing request
              ...
          }
      }
  }
</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>Example to validate the user selection against a list of allowed options:</text>
          <text />
          <text>  // Example to validate user selection against a list of options
  public Class Validator {
      ...
      public static boolean validateOption(Object[] options, Object value) {
          boolean isValidValue = false;
          try {
              List list = Arrays.asList(options);
              if (list != null) {
                  isValidValue = list.contains(value);
              }
          } catch (Exception e) {
          }
          return isValidValue;
      }
      ...
  }
  ...
  // Allowed options
  String[] options = {"option1", "option2", "option3");
  // Verify that the user selection is one of the allowed options
  String userSelection = request.getParameter("userSelection");
  if (Validator.validateOption(options, userSelection)) {
      // valid user selection, continue processing request
      ...
  }
</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that the user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]*$</text>
          <text />
          <text>Java 1.3 or earlier versions do not include any regular expression packages.  Apache Regular Expression Package (see Resources below) is recommended for use with Java 1.3 to resolve this lack of support.  Example to perform regular expression validation:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Apache regular expression package
  import org.apache.regexp.RE;
  import org.apache.regexp.RESyntaxException;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
               RE r = new RE(expression);
               match = r.match(value);             
          }
          return match;
      }
      ...
  }
  ...
  // Verify that the userName request parameter is alpha-numeric
  String userName = request.getParameter("userName");
  if (Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      // userName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>Java 1.4 introduced a new regular expression package (java.util.regex).  Here is a modified version of Validator.matchPattern using the new Java 1.4 regular expression package:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Java 1.4 regular expression package
  import java.util.regex.Pattern;
  import java.util.regexe.Matcher;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
              match = Pattern.matches(expression, value);
          }
          return match;
      }
      ...
  }
</text>
          <text />
          <text>[7] Cookie value</text>
          <text>Use the javax.servlet.http.Cookie object to validate the cookie value.  The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>Example to validate a required cookie value:</text>
          <text />
          <text>  // Example to validate a required cookie value
  // First retrieve all available cookies submitted in the HTTP request
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
      // find the "user" cookie
      for (int i=0; i&lt;cookies.length; ++i) {
          if (cookies[i].getName().equals("user")) {
              // validate the cookie value
              if (Validator.validateRequired(cookies[i].getValue()) {
                  // valid cookie value, continue processing request
                  ...
              }
          }    
      }
  }
</text>
          <text />
          <text>[8] HTTP Response</text>
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>Example to filter a specified string by converting sensitive characters to their corresponding character entities:</text>
          <text />
          <text>  // Example to filter sensitive data to prevent cross-site scripting
  public Class Validator {
      ...
      public static String filter(String value) {
          if (value == null) {
              return null;
          }        
          StringBuffer result = new StringBuffer(value.length());
          for (int i=0; i&lt;value.length(); ++i) {
              switch (value.charAt(i)) {
              case '&lt;':
                  result.append("&lt;");
                  break;
              case '&gt;': 
                  result.append("&gt;");
                  break;
              case '"': 
                  result.append(""");
                  break;
              case '\'': 
                  result.append("'");
                  break;
              case '%': 
                  result.append("%");
                  break;
              case ';': 
                  result.append(";");
                  break;
              case '(': 
                  result.append("(");
                  break;
              case ')': 
                  result.append(")");
                  break;
              case '&amp;': 
                  result.append("&amp;");
                  break;
              case '+':
                  result.append("+");
                  break;
              default:
                  result.append(value.charAt(i));
                  break;
          }        
          return result;
      }
      ...
  }
  ...
  // Filter the HTTP response using Validator.filter
  PrintWriter out = response.getWriter();
  // set output response
  out.write(Validator.filter(response));
  out.close();
</text>
          <text />
          <text>The Java Servlet API 2.3 introduced Filters, which supports the interception and transformation of HTTP requests or responses.</text>
          <text />
          <text>Example of using a Servlet Filter to sanitize the response using Validator.filter:</text>
          <text />
          <text>  // Example to filter all sensitive characters in the HTTP response using a Java Filter.
  // This example is for illustration purposes since it will filter all content in the response, including HTML tags!
  public class SensitiveCharsFilter implements Filter {
      ...
      public void doFilter(ServletRequest request,
                      ServletResponse response,
                      FilterChain chain)
              throws IOException, ServletException {
  
          PrintWriter out = response.getWriter();
          ResponseWrapper wrapper = new ResponseWrapper((HttpServletResponse)response);
          chain.doFilter(request, wrapper);
  
          CharArrayWriter caw = new CharArrayWriter();
          caw.write(Validator.filter(wrapper.toString()));
          
          response.setContentType("text/html");
          response.setContentLength(caw.toString().length());
          out.write(caw.toString());
          out.close();
      }
      ...
      public class CharResponseWrapper extends HttpServletResponseWrapper {
          private CharArrayWriter output;
  
          public String toString() {
              return output.toString();
          }
      
          public CharResponseWrapper(HttpServletResponse response){
              super(response);
              output = new CharArrayWriter();
          }
          
          public PrintWriter getWriter(){
              return new PrintWriter(output);
          }
      }
  } 
  
  }
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text>When storing sensitive data in a cookie, make sure to set the secure flag of the cookie in the HTTP response, using Cookie.setSecure(boolean flag) to instruct the browser to send the cookie  using  a secure protocol, such as HTTPS or SSL.</text>
          <text />
          <text>Example to secure the "user" cookie:</text>
          <text />
          <text>  // Example to secure a cookie, i.e. instruct the browser to
  // send the cookie using a secure protocol
  Cookie cookie = new Cookie("user", "sensitive");
  cookie.setSecure(true);
  response.addCookie(cookie);
</text>
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a powerful framework that implements all the above data validation requirements.  These rules are configured in an XML file that defines input validation rules for form fields.  Struts supports output filtering of dangerous characters in the [8] HTTP Response by default on all data written using the Struts 'bean:write' tag.  This filtering may be disabled by setting the 'filter=false' flag.</text>
          <text />
          <text>Struts defines the following basic input validators, but custom validators may also be defined:</text>
          <text>required: succeeds if the field contains any characters other than white space.</text>
          <text>mask: succeeds if the value matches the regular expression given by the mask attribute.</text>
          <text>range: succeeds if the value is within the values given by the min and max attributes ((value &gt;= min) &amp; (value &lt;= max)).</text>
          <text>maxLength: succeeds if the field is length is less than or equal to the max attribute.</text>
          <text>minLength: succeeds if the field is length is greater than or equal to the min attribute.</text>
          <text>byte, short, integer, long, float, double: succeeds if the value can be converted to the corresponding primitive.</text>
          <text>date: succeeds if the value represents a valid date. A date pattern may be provided.</text>
          <text>creditCard: succeeds if the value could be a valid credit card number.</text>
          <text>e-mail: succeeds if the value could be a valid e-mail address.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events and input validation.</text>
          <text />
          <text>The JavaServer Faces API implements the following basic validators, but custom validators may be defined:</text>
          <text>validate_doublerange: registers a DoubleRangeValidator on a component</text>
          <text>validate_length: registers a LengthValidator on a component</text>
          <text>validate_longrange: registers a LongRangeValidator on a component</text>
          <text>validate_required: registers a RequiredValidator on a component</text>
          <text>validate_stringrange: registers a StringRangeValidator on a component</text>
          <text>validator: registers a custom Validator on a component</text>
          <text />
          <text>The JavaServer Faces API defines the following UIInput and UIOutput Renderers (Tags):</text>
          <text>input_date: accepts a java.util.Date formatted with a java.text.Date instance</text>
          <text>output_date: displays a java.util.Date formatted with a java.text.Date instance</text>
          <text>input_datetime: accepts a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>output_datetime: displays a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>input_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>output_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>input_text: accepts a text string of one line.</text>
          <text>output_text: displays a text string of one line.</text>
          <text>input_time: accepts a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>output_time: displays a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>input_hidden: allows a page author to include a hidden variable in a page</text>
          <text>input_secret: accepts one line of text with no spaces and displays it as a set of asterisks as it is typed</text>
          <text>input_textarea: accepts multiple lines of text</text>
          <text>output_errors: displays error messages for an entire page or error messages associated with a specified client identifier</text>
          <text>output_label: displays a nested component as a label for a specified input field</text>
          <text>output_message: displays a localized message</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text />
          <text>** Error Handling:</text>
          <text />
          <text>Many J2EE web application architectures follow the Model View Controller (MVC) pattern.  In this pattern a Servlet acts as a Controller.  A Servlet delegates the application processing to a JavaBean such as an EJB Session Bean (the Model).  The Servlet then forwards the request to a JSP (View) to render the processing results.  Servlets should check all input, output, return codes, error codes and known exceptions to ensure that the expected processing actually occurred.</text>
          <text />
          <text>While data validation protects applications against malicious data tampering, a sound error handling strategy is necessary to prevent the application from inadvertently disclosing internal error messages such as exception stack traces.  A good error handling strategy addresses the following items:</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>[2] Reporting Errors</text>
          <text>[3] Rendering Errors</text>
          <text>[4] Error Mapping</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>Hard-coded error messages in the application layer (e.g. Servlets) should be avoided.  Instead, the application should use error keys that map to known application failures.  A good practice is to define error keys that map to validation rules for HTML form fields or other bean properties.  For example, if the "user_name" field is required, is alphanumeric, and must be unique in the database, then the following error keys should be defined:</text>
          <text />
          <text>(a) ERROR_USERNAME_REQUIRED: this error key is used to display a message notifying the user that the "user_name" field is required;</text>
          <text>(b) ERROR_USERNAME_ALPHANUMERIC: this error key is used to display a message notifying the user that the "user_name" field should be alphanumeric;</text>
          <text>(c) ERROR_USERNAME_DUPLICATE: this error key is used to display a message notifying the user that the "user_name" value is a duplicate in the database;</text>
          <text>(d) ERROR_USERNAME_INVALID: this error key is used to display a generic message notifying the user that the "user_name" value is invalid;</text>
          <text />
          <text>A good practice is to define the following framework Java classes which are used to store and report application errors:</text>
          <text />
          <text>- ErrorKeys: defines all error keys</text>
          <text />
          <text>      // Example: ErrorKeys defining the following error keys:    
      //    - ERROR_USERNAME_REQUIRED
      //    - ERROR_USERNAME_ALPHANUMERIC
      //    - ERROR_USERNAME_DUPLICATE
      //    - ERROR_USERNAME_INVALID
      //    ...
      public Class ErrorKeys {
          public static final String ERROR_USERNAME_REQUIRED = "error.username.required";
          public static final String ERROR_USERNAME_ALPHANUMERIC = "error.username.alphanumeric";
          public static final String ERROR_USERNAME_DUPLICATE = "error.username.duplicate";
          public static final String ERROR_USERNAME_INVALID = "error.username.invalid";
          ...
      }
</text>
          <text>- Error: encapsulates an individual error</text>
          <text />
          <text>      // Example: Error encapsulates an error key.
      // Error is serializable to support code executing in multiple JVMs.
      public Class Error implements Serializable {
          
          // Constructor given a specified error key
          public Error(String key) {
              this(key, null);
          }
          
          // Constructor given a specified error key and array of placeholder objects
          public Error(String key, Object[] values) {
              this.key = key;
              this.values = values;
          }
          
          // Returns the error key
          public String getKey() {
              return this.key;
          }
          
          // Returns the placeholder values
          public Object[] getValues() {
              return this.values;
          }
          
          private String key = null;
          private Object[] values = null;
      }    
</text>
          <text />
          <text>- Errors: encapsulates a Collection of errors</text>
          <text />
          <text>      // Example: Errors encapsulates the Error objects being reported to the presentation layer.
      // Errors are stored in a HashMap where the key is the bean property name and value is an
      // ArrayList of Error objects.
      public Class Errors implements Serializable {
      
          // Adds an Error object to the Collection of errors for the specified bean property.
          public void addError(String property, Error error) {
              ArrayList propertyErrors = (ArrayList)errors.get(property);
              if (propertyErrors == null) {
                  propertyErrors = new ArrayList();
                  errors.put(property, propertyErrors);
              }
              propertyErrors.put(error);            
          }
          
          // Returns true if there are any errors
          public boolean hasErrors() {
              return (errors.size &gt; 0);
          }
          
          // Returns the Errors for the specified property
          public ArrayList getErrors(String property) {
              return (ArrayList)errors.get(property);
          }
  
          private HashMap errors = new HashMap();
      }
</text>
          <text />
          <text>Using the above framework classes, here is an example to process validation errors of the "user_name" field:</text>
          <text />
          <text>  // Example to process validation errors of the "user_name" field.
  Errors errors = new Errors();
  String userName = request.getParameter("user_name");
  // (a) Required validation rule
  if (!Validator.validateRequired(userName)) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_REQUIRED));
  } // (b) Alpha-numeric validation rule
  else if (!Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_ALPHANUMERIC));
  }
  else
  {
      // (c) Duplicate check validation rule
      // We assume that there is an existing UserValidationEJB session bean that implements
      // a checkIfDuplicate() method to verify if the user already exists in the database.
      try {
          ...        
          if (UserValidationEJB.checkIfDuplicate(userName)) {
              errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE));
          }
      } catch (RemoteException e) {
          // log the error
          logger.error("Could not validate user for specified userName: " + userName);
          errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE);
      }
  }
  // set the errors object in a request attribute called "errors"
  request.setAttribute("errors", errors);
  ...
</text>
          <text />
          <text>[2] Reporting Errors</text>
          <text>There are two ways to report web-tier application errors:</text>
          <text>(a) Servlet Error Mechanism</text>
          <text>(b) JSP Error Mechanism</text>
          <text />
          <text>[2-a] Servlet Error Mechanism</text>
          <text>A Servlet may report errors by:</text>
          <text>- forwarding to the input JSP (having already stored the errors in a request attribute), OR</text>
          <text>- calling response.sendError with an HTTP error code argument, OR</text>
          <text>- throwing an exception</text>
          <text />
          <text>It is good practice to process all known application errors (as described in section [1]), store them in a request attribute, and forward to the input JSP. The input JSP should display the error messages and prompt the user to re-enter the data.  The following example illustrates how to forward to an input JSP (userInput.jsp):</text>
          <text />
          <text>  // Example to forward to the userInput.jsp following user validation errors
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd != null) {
      rd.forward(request, response);
  }
</text>
          <text />
          <text>If the Servlet cannot forward to a known JSP page, the second option is to report an error using the response.sendError method with HttpServletResponse.SC_INTERNAL_SERVER_ERROR (status code 500) as argument.  Refer to the javadoc of javax.servlet.http.HttpServletResponse for more details on the various HTTP status codes.  Example to return a HTTP error:</text>
          <text />
          <text>  // Example to return a HTTP error code
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd == null) {
      // messages is a resource bundle with all message keys and values
      response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                              messages.getMessage(ErrorKeys.ERROR_USERNAME_INVALID));
  }
</text>
          <text />
          <text>As a last resort, Servlets can throw an exception, which must be a subclass of one of the following classes:</text>
          <text>- RuntimeException</text>
          <text>- ServletException</text>
          <text>- IOException</text>
          <text />
          <text>[2-b] JSP Error Mechanism</text>
          <text>JSP pages provide a mechanism to handle runtime exceptions by defining an errorPage directive as shown in the following example:</text>
          <text />
          <text>      &lt;%@ page errorPage="/errors/userValidation.jsp" %&gt;
</text>
          <text />
          <text>Uncaught JSP exceptions are forwarded to the specified errorPage, and the original exception is set in a request parameter called javax.servlet.jsp.jspException.  The error page must include a isErrorPage directive as shown below:</text>
          <text />
          <text>      &lt;%@ page isErrorPage="true" %&gt;
</text>
          <text />
          <text>The isErrorPage directive causes the "exception" variable to be initialized to the exception object being thrown.</text>
          <text />
          <text>[3] Rendering Errors</text>
          <text>The J2SE Internationalization APIs provide utility classes for externalizing application resources and formatting messages including:</text>
          <text />
          <text>(a) Resource Bundles</text>
          <text>(b) Message Formatting</text>
          <text />
          <text>[3-a] Resource Bundles</text>
          <text>Resource bundles support internationalization by separating localized data from the source code that uses it.  Each resource bundle stores a map of key/value pairs for a specific locale.</text>
          <text />
          <text>It is common to use or extend java.util.PropertyResourceBundle, which stores the content in an external properties file as shown in the following example:</text>
          <text />
          <text>  ################################################
  # ErrorMessages.properties
  ################################################
  # required user name error message
  error.username.required=User name field is required
  
  # invalid user name format
  error.username.alphanumeric=User name must be alphanumeric
  
  # duplicate user name error message
  error.username.duplicate=User name {0} already exists, please choose another one
  
  ...
</text>
          <text />
          <text>Multiple resources can be defined to support different locales (hence the name resource bundle).  For example, ErrorMessages_fr.properties can be defined to support the French member of the bundle family.  If the resource member of the requested locale does not exist, the default member is used.  In the above example, the default resource is ErrorMessages.properties.  Depending on the user's locale, the application (JSP or Servlet) retrieves content from the appropriate resource.</text>
          <text />
          <text>[3-b] Message Formatting</text>
          <text>The J2SE standard class java.util.MessageFormat provides a generic way to create messages with replacement placeholders.  A MessageFormat object contains a pattern string with embedded format specifiers as shown below:</text>
          <text />
          <text>  // Example to show how to format a message using placeholder parameters
  String pattern = "User name {0} already exists, please choose another one";
  String userName = request.getParameter("user_name");
  Object[] args = new Object[1];
  args[0] = userName;
  String message = MessageFormat.format(pattern, args);
</text>
          <text />
          <text>Here is a more comprehensive example to render error messages using ResourceBundle and MessageFormat:</text>
          <text />
          <text>  // Example to render an error message from a localized ErrorMessages resource (properties file)
  // Utility class to retrieve locale-specific error messages
  public Class ErrorMessageResource {
      
      // Returns the error message for the specified error key in the environment locale
      public String getErrorMessage(String errorKey) {
          return getErrorMessage(errorKey, defaultLocale);
      }
      
      // Returns the error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Locale locale) {
          return getErrorMessage(errorKey, null, locale);
      }
      
      // Returns a formatted error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Object[] args, Locale locale) {    
          // Get localized ErrorMessageResource
          ResourceBundle errorMessageResource = ResourceBundle.getBundle("ErrorMessages", locale);
          // Get localized error message
          String errorMessage = errorMessageResource.getString(errorKey);
          if (args != null) {
              // Format the message using the specified placeholders args
              return MessageFormat.format(errorMessage, args);
          } else {
              return errorMessage;
          }
      }
      
      // default environment locale
      private Locale defaultLocale = Locale.getDefaultLocale();
  }
  ...
  // Get the user's locale
  Locale userLocale = request.getLocale();
  // Check if there were any validation errors
  Errors errors = (Errors)request.getAttribute("errors");
  if (errors != null &amp;&amp; errors.hasErrors()) {
      // iterate through errors and output error messages corresponding to the "user_name" property
      ArrayList userNameErrors = errors.getErrors("user_name");
      ListIterator iterator = userNameErrors.iterator();
      while (iterator.hasNext()) {
          // Get the next error object
          Error error = (Error)iterator.next();
          String errorMessage = ErrorMessageResource.getErrorMessage(error.getKey(), userLocale);
          output.write(errorMessage + "\r\n");
      }
  }
</text>
          <text />
          <text>It is recommended to define a custom JSP tag, e.g. displayErrors, to iterate through and render error messages as shown in the above example.</text>
          <text />
          <text>[4] Error Mapping</text>
          <text>Normally, the Servlet Container will return a default error page corresponding to either the response status code or the exception.  A mapping between the status code or the exception and a web resource may be specified using custom error pages.  It is a good practice to develop static error pages that do not disclose internal error states (by default, most Servlet containers will report internal error messages).  This mapping is configured in the Web Deployment Descriptor (web.xml) as specified in the following example:</text>
          <text />
          <text>  &lt;!-- Mapping of HTTP error codes and application exceptions to error pages --&gt;
  &lt;error-page&gt;
    &lt;exception-type&gt;UserValidationException&lt;/exception-type&gt;
    &lt;location&gt;/errors/validationError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
    &lt;error-code&gt;500&lt;/exception-type&gt;
    &lt;location&gt;/errors/internalError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
  ...
  &lt;/error-page&gt;
  ...
</text>
          <text />
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a Java framework that defines the error handling mechanism as described above.  Validation rules are configured in an XML file that defines input validation rules for form fields and the corresponding validation error keys.  Struts provides internationalization support to build localized applications using resource bundles and message formatting.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>The Struts JSP tag library defines the "errors" tag that conditionally displays a set of accumulated error messages as shown in the following example:</text>
          <text />
          <text>  &lt;%@ page language="java" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %&gt;
  &lt;html:html&gt;
  &lt;head&gt;
  &lt;body&gt;
      &lt;html:form action="/logon.do"&gt;    
      &lt;table border="0" width="100%"&gt;
      &lt;tr&gt;
          &lt;th align="right"&gt;
              &lt;html:errors property="username"/&gt;
              &lt;bean:message key="prompt.username"/&gt;
          &lt;/th&gt;
          &lt;td align="left"&gt;
              &lt;html:text property="username" size="16"/&gt;
          &lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
      &lt;td align="right"&gt;
          &lt;html:submit&gt;&lt;bean:message key="button.submit"/&gt;&lt;/html:submit&gt;
      &lt;/td&gt;
      &lt;td align="right"&gt;
          &lt;html:reset&gt;&lt;bean:message key="button.reset"/&gt;&lt;/html:reset&gt;
      &lt;/td&gt;
      &lt;/tr&gt;
      &lt;/table&gt;
      &lt;/html:form&gt;
  &lt;/body&gt;
  &lt;/html:html&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events, validate input, and support internationalization.</text>
          <text />
          <text>The JavaServer Faces API defines the "output_errors" UIOutput Renderer, which displays error messages for an entire page or error messages associated with a specified client identifier.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text>** Filter User Input</text>
          <text />
          <text>Before passing any data to a SQL query, it should always be properly filtered with whitelisting techniques.  This cannot be over-emphasized.  Filtering user input will correct many injection flaws before they arrive at the database.</text>
          <text />
          <text>** Quote User Input</text>
          <text />
          <text>Regardless of data type, it is always a good idea to place single quotes around all user data if this is permitted by the database.  MySQL allows this formatting technique.</text>
          <text />
          <text>** Escape the Data Values</text>
          <text />
          <text>If you're using MySQL 4.3.0 or newer, you should escape all strings with mysql_real_escape_string().  If you are using an older version of MySQL, you should use the mysql_escape_string() function.  If you are not using MySQL, you might choose to use the specific escaping function for your particular database.  If you are not aware of an escaping function, you might choose to utilize a more generic escaping function such as addslashes().</text>
          <text />
          <text>If you're using the PEAR DB database abstraction layer, you can use the DB::quote() method or use a query placeholder like ?, which automatically escapes the value that replaces the placeholder.</text>
          <text />
          <text>REFERENCES</text>
          <link target="http://ca3.php.net/mysql_real_escape_string">http://ca3.php.net/mysql_real_escape_string</link>
          <link target="http://ca.php.net/mysql_escape_string">http://ca.php.net/mysql_escape_string</link>
          <link target="http://ca.php.net/addslashes">http://ca.php.net/addslashes</link>
          <link target="http://pear.php.net/package-info.php?package=DB">http://pear.php.net/package-info.php?package=DB</link>
          <text />
          <text />
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must always be performed on the server-tier.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement a function or functions that validates each application parameter.  The following sections describe some example checking.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.</text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // PHP example to validate required fields
  function validateRequired($input) {
      ...
      $pass = false;
      if (strlen(trim($input))&gt;0){
          $pass = true;
      }
      return $pass;
      ...
  }
  ...
  if (validateRequired($fieldName)) {
      // fieldName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]+$</text>
          <text />
          <text>[7] Cookie value</text>
          <text>The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>[8] HTTP Response</text>
          <text />
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, the developer should sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>PHP includes some automatic sanitization utility functions, such as htmlentities():</text>
          <text />
          <text>  $input = htmlentities($input, ENT_QUOTES, 'UTF-8');
</text>
          <text />
          <text>In addition, in order to avoid UTF-7 variants of Cross-site Scripting, you should explicitly define the Content-Type header of the response, for example:</text>
          <text />
          <text>  &lt;?php
  
  header('Content-Type: text/html; charset=UTF-8');
  
  ?&gt;
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text />
          <text>When storing sensitive data in a cookie and transporting it over SSL, make sure that you first set the secure flag of the cookie in the HTTP response. This will instruct the browser to only use that cookie over SSL connections.</text>
          <text />
          <text>You can use the following code example, for securing the cookie:</text>
          <text />
          <text>  &lt;$php
  
      $value = "some_value";
      $time = time()+3600;
      $path = "/application/";
      $domain = ".example.com";
      $secure = 1;
  
      setcookie("CookieName", $value, $time, $path, $domain, $secure, TRUE);
  ?&gt;
  
</text>
          <text />
          <text>In addition, we recommend that you use the HttpOnly flag. When the HttpOnly flag is set to TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).</text>
          <text />
          <text>The HttpOnly flag was Added in PHP 5.2.0.</text>
          <text />
          <text>REFERENCES</text>
          <text />
          <text>[1] Mitigating Cross-site Scripting With HTTP-only Cookies: </text>
          <link target="http://msdn2.microsoft.com/en-us/library/ms533046.aspx">http://msdn2.microsoft.com/en-us/library/ms533046.aspx</link>
          <text>[2] PHP Security Consortium: </text>
          <link target="http://phpsec.org/">http://phpsec.org/</link>
          <text>[3] PHP &amp; Web Application Security Blog (Chris Shiflett): </text>
          <link target="http://shiflett.org/">http://shiflett.org/</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="DirectAccesstoAdministrationPages">
      <general>
        <fixRecommendation type="General">
          <text>Do not allow access to administration scripts without proper authorization, as it may allow an attacker to gain privileged rights.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attHostHeaderInjection">
      <general>
        <fixRecommendation type="General">
          <text>Validate and sanitize the user supplied inputs properly</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attAccountLockout">
      <general>
        <fixRecommendation type="General">
          <text>Decide upon the number of login attempts to be allowed (usually from 3 to 5), and make sure that the account will be locked once the permitted number of attempts is exceeded. </text>
          <text>To avoid unnecessary support calls from genuine users who were locked out of their account and require enabling, it is possible to suspend account activity only temporarily, and enable it after a specific period of time. Locking the account for a period of ten minutes or so is usually sufficient to block brute force attacks.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attLinkInjection">
      <general>
        <fixRecommendation type="General">
          <text>There are several mitigation techniques:</text>
          <text>[1] Strategy: Libraries or Frameworks</text>
          <text>Use a vetted library or framework that does not allow this weakness to occur, or provides constructs that make it easier to avoid.</text>
          <text>Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.</text>
          <text />
          <text>[2] Understand the context in which your data will be used, and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.</text>
          <text>For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.</text>
          <text>Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:</text>
          <text>[-] HTML body</text>
          <text>[-] Element attributes (such as src="XYZ")</text>
          <text>[-] URIs</text>
          <text>[-] JavaScript sections</text>
          <text>[-] Cascading Style Sheets and style property</text>
          <text>Note that HTML Entity Encoding is only appropriate for the HTML body.</text>
          <text>Consult the XSS Prevention Cheat Sheet </text>
          <link target="http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</link>
          <text>for more details on the types of encoding and escaping that are needed.</text>
          <text />
          <text>[3] Strategy: Identify and Reduce Attack Surface</text>
          <text>Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.</text>
          <text />
          <text>[4] Strategy: Output Encoding</text>
          <text>For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing the web page encoding. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.</text>
          <text />
          <text>[5] Strategy: Identify and Reduce Attack Surface</text>
          <text>To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.</text>
          <text />
          <text>[6] Strategy: Input Validation</text>
          <text>Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on a blacklist of malicious or malformed inputs. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.</text>
          <text>When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."</text>
          <text>When dynamically constructing web pages, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed: not only parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so on. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.</text>
          <text>Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("&lt;3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "&lt;" character, which would need to be escaped or otherwise handled. In this case, stripping the "&lt;" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.</text>
          <text>Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.</text>
          <text>Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attRespCookieNotSecureSSL">
      <general>
        <fixRecommendation type="General">
          <text>Basically the only required attribute for the cookie is the "name" field. Common optional attributes are: "comment", "domain", "path", etc.</text>
          <text>The "secure" attribute must be set accordingly in order to prevent to cookie from being sent unencrypted.</text>
          <text>For more information on how to set the secure flag, see OWASP "Secure Attribute" cheatsheet at </text>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#secure-attribute">https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#secure-attribute</link>
          <text />
          <text />
          <text>RFC 2965 states:</text>
          <text>"The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie, to protect the confidentially and authenticity of the information in the cookie."</text>
          <text>For further reference please see the HTTP State Management Mechanism RFC 2965 at: </text>
          <link target="http://www.ietf.org/rfc/rfc2965.txt">http://www.ietf.org/rfc/rfc2965.txt</link>
          <text>and for "Best current practice" for use of HTTP State Management please see </text>
          <link target="http://tools.ietf.org/html/rfc2964">http://tools.ietf.org/html/rfc2964</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="OldTLS">
      <general>
        <fixRecommendation type="General">
          <text>Reconfigure the server to avoid the use of weak cipher suites. The configuration changes are server-specific.</text>
          <text>For Microsoft Windows XP and Microsoft Windows Server 2003, follow these instructions: </text>
          <text>http://support.microsoft.com/kb/245030</text>
          <text>For Microsoft Windows Vista, Microsoft Windows 7, and Microsoft Windows Server 2008, remove the cipher suites that were identified as weak from the Supported Cipher Suite list by following these instructions:</text>
          <text>http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx</text>
          <text>For Apache TomCat server, follow these instructions: </text>
          <text>https://www.owasp.org/index.php/Talk:Securing_tomcat#Disabling_weak_ciphers_in_Tomcat</text>
          <text>For Apache server, follow these instructions:</text>
          <text>https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="phishingInFrames">
      <general>
        <fixRecommendation type="General">
          <text>There are several mitigation techniques:</text>
          <text>[1] Strategy: Libraries or Frameworks</text>
          <text>Use a vetted library or framework that does not allow this weakness to occur, or provides constructs that make it easier to avoid.</text>
          <text>Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.</text>
          <text />
          <text>[2] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.</text>
          <text>For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.</text>
          <text>Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:</text>
          <text>[-] HTML body</text>
          <text>[-] Element attributes (such as src="XYZ")</text>
          <text>[-] URIs</text>
          <text>[-] JavaScript sections</text>
          <text>[-] Cascading Style Sheets and style property</text>
          <text>Note that HTML Entity Encoding is only appropriate for the HTML body.</text>
          <text>Consult the XSS Prevention Cheat Sheet </text>
          <link target="http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</link>
          <text>for more details on the types of encoding and escaping that are needed.</text>
          <text />
          <text>[3] Strategy: Identify and Reduce Attack Surface</text>
          <text>Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.</text>
          <text />
          <text>[4] Strategy: Output Encoding</text>
          <text>For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.</text>
          <text />
          <text>[5] Strategy: Identify and Reduce Attack Surface</text>
          <text>To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.</text>
          <text />
          <text>[6] Strategy: Input Validation</text>
          <text>Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on a blacklist of malicious or malformed inputs. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.</text>
          <text>When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."</text>
          <text>When dynamically constructing web pages, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.</text>
          <text>Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("&lt;3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "&lt;" character, which would need to be escaped or otherwise handled. In this case, stripping the "&lt;" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.</text>
          <text>Even if you make a mistake in your validation (such as forgetting one of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.</text>
          <text>Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="SHA1CipherSuites">
      <general>
        <fixRecommendation type="General">
          <text>Secure Cipher-Suites best practices:</text>
          <text />
          <text>[1]</text>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-strong-cryptographic-hashing-algorithms"> Use strong cryptographic hashing algorithms</link>
          <text />
          <text>[2]</text>
          <link target="https://docs.microsoft.com/en-us/power-platform/admin/server-cipher-tls-requirements"> Server cipher TLS requirements</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="constTransient">
      <general>
        <fixRecommendation type="General">
          <text>Prevent user ability to manipulate session ID. Do not accept session IDs provided by the user's browser at login; always generate a new session to which the user will log in if successfully authenticated. </text>
          <text>Invalidate any existing session identifiers prior to authorizing a new user session.</text>
          <text>For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="GD_autocompleteInForm">
      <general>
        <fixRecommendation type="General">
          <text>If the "autocomplete" attribute is missing in the "password" field of the "input" element, add it and set it to "off".</text>
          <text>If the "autocomplete" attribute is set to "on", change it to "off".</text>
          <text />
          <text>For example:</text>
          <text />
          <text>Vulnerable site:</text>
          <text>  &lt;form action="AppScan.html" method="get"&gt;
      Username: &lt;input type="text" name="firstname" /&gt;&lt;br /&gt;
      Password: &lt;input type="password" name="lastname" /&gt;
      &lt;input type="submit" value="Submit" /&gt;
  &lt;form&gt;
</text>
          <text />
          <text>Non-vulnerable site:</text>
          <text>  &lt;form action="AppScan.html" method="get"&gt;
      Username: &lt;input type="text" name="firstname" /&gt;&lt;br /&gt;
      Password: &lt;input type="password" name="lastname" autocomplete="off"/&gt;
      &lt;input type="submit" value="Submit" /&gt;
  &lt;form&gt;
</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="bodyParamsInQuery">
      <general>
        <fixRecommendation type="General">
          <text>Re-program the application to disallow handling of POST parameters that were listed in the Query</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attCachedSSL">
      <general>
        <fixRecommendation type="General">
          <text>Disable caching on all SSL pages or all pages that contain sensitive data.</text>
          <text>This can be achieved by using "Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache" response directives in your SSL page headers.</text>
          <text />
          <text>Cache-Control: private - This directive instructs proxies that the page contains private information, and therefore should not be cached by a shared cache. However, it does not instruct browsers to refrain from caching the pages.</text>
          <text />
          <text>Cache-Control: no-cache - This directive also instructs proxies that the page contains private information, and therefore should not be cached. It also instructs the browser to revalidate with the server to check if a new version is available. This means that the browser may store sensitive pages or information to be used in the revalidation. Certain browsers do not necessarily follow the RFC and may treat no-cache as no-store.</text>
          <text />
          <text>Cache-Control: no-store - This is the most secure directive. It instructs both the proxy and the browser not to cache the page or store it in its cache folders.</text>
          <text />
          <text>Pragma: no-cache - This directive is required for older browsers, that do not support the Cache-Control header.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="GD_CreditCardVisa">
      <general>
        <fixRecommendation type="General">
          <text>Refrain from including credit card numbers in your website.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attHttpsToHttp">
      <general>
        <fixRecommendation type="General">
          <text>You should always transmit all data over a TLS/SSL connection only. This includes all external communications, including browsers, backend connections such as databases, third party APIs, and other services.</text>
          <text>In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site.</text>
          <text>Always enforce the use of an encrypted connection (e.g. TLS/SSL), and do not allow any access to sensitive information using unencrypted HTTP.</text>
          <text>Use TLS 1.2 or TLS 1.3 and use strong cryptographic hashing algorithms and cipher suites.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attContentSecurityPolicy">
      <general>
        <fixRecommendation type="General">
          <text>Configure your server to send the "Content-Security-Policy" header.</text>
          <text>It is recommended to configure Content-Security-Policy header with secure values for its directives as below:</text>
          <text>For 'default-src', and 'script-src' secure values such as 'none', or https://any.example.com.</text>
          <text>For 'frame-ancestors', and 'object-src' secure values such  as 'self', 'none' or https://any.example.com are expected.</text>
          <text>"unsafe-inline" and "unsafe-eval" must not be used in any circumstance. Using nonce / hash would be only considered for short-term workaround.</text>
          <text>For Apache, see: </text>
          <text>http://httpd.apache.org/docs/2.2/mod/mod_headers.html</text>
          <text>For IIS, see: </text>
          <text>https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx</text>
          <text>For nginx, see: </text>
          <text>http://nginx.org/en/docs/http/ngx_http_headers_module.html</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attRespCookieNotHttpOnlySessionCookie">
      <general>
        <fixRecommendation type="General">
          <text>Basically the only required attribute for the cookie is the "name" field.</text>
          <text>Common optional attributes are: "comment", "domain", "path", etc.</text>
          <text>The "HttpOnly" attribute must be set accordingly in order to prevent session cookies from being accessed by scripts.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="ContentTypeOptions">
      <general>
        <fixRecommendation type="General">
          <text>Configure your server to send the "X-Content-Type-Options" header with value "nosniff" on all outgoing requests.</text>
          <text />
          <text>For Apache, see: </text>
          <link target="http://httpd.apache.org/docs/2.2/mod/mod_headers.html">http://httpd.apache.org/docs/2.2/mod/mod_headers.html</link>
          <text>For IIS, see: </text>
          <link target="https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx">https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx</link>
          <text>For nginx, see: </text>
          <link target="http://nginx.org/en/docs/http/ngx_http_headers_module.html">http://nginx.org/en/docs/http/ngx_http_headers_module.html</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="XFS">
      <general>
        <fixRecommendation type="General">
          <text>Use the X-Frame-Options to prevent (or limit) pages from being embedded in iFrames. For older browser, include a "frame-breaker" script in each page that should not be framed.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="HSTS">
      <general>
        <fixRecommendation type="General">
          <text>Implement the The HTTP Strict Transport Security policy by adding the "Strict-Transport-Security" response header to the web application responses.</text>
          <text>For more information please see </text>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="GETParamOverSSL">
      <general>
        <fixRecommendation type="General">
          <text>Make sure that sensitive information such as:</text>
          <text>- Username</text>
          <text>- Password</text>
          <text>- Social Security number</text>
          <text>- Credit Card number</text>
          <text>- Driver's License number</text>
          <text>- e-mail address</text>
          <text>- Phone number</text>
          <text>- Zip code</text>
          <text />
          <text>is always sent in the body part of an HTTP POST request.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attUnnecessaryResponseHeaders">
      <general>
        <fixRecommendation type="General">
          <text>Configure your server to remove the default "Server" header from being sent to all outgoing requests.</text>
          <text>For IIS, see:</text>
          <text>https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710</text>
          <text>For nginx, see: </text>
          <text>https://www.getpagespeed.com/server-setup/nginx/how-to-remove-the-server-header-in-nginx</text>
          <text>For Weblogic, see: </text>
          <text>https://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/web_server.html</text>
          <text>For Apache, see: </text>
          <text>https://techglimpse.com/set-modify-response-headers-http-tip/</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attUndefinedState">
      <general>
        <fixRecommendation type="General">
          <text>[1] Check incoming requests for the presence of all expected parameters and values. When a parameter is missing, issue a proper error message or use default values.</text>
          <text>[2] The application should verify that its input consists of valid characters (after decoding). For example, an input value containing the null byte (encoded as %00), apostrophe, quotes, etc. should be rejected.</text>
          <text>[3] Enforce values in their expected ranges and types. If your application expects a certain parameter to have a value from a certain set, then the application should ensure that the value it receives indeed belongs to the set. For example, if your application expects a value in the range 10..99, then it should make sure that the value is indeed numeric, and that its value is in 10..99.</text>
          <text>[4] Verify that the data belongs to the set offered to the client.</text>
          <text>[5] Do not output debugging error messages and exceptions in a production environment.</text>
          <text>In order to disable debugging in ASP.NET, edit your web.config file to contain the following:</text>
          <text>&lt;compilation </text>
          <text>debug="false"</text>
          <text>/&gt;</text>
          <text />
          <text>For more information, see "HOW TO: Disable Debugging for ASP.NET Applications" in: </text>
          <link target="http://support.microsoft.com/default.aspx?scid=kb;en-us;815157">http://support.microsoft.com/default.aspx?scid=kb;en-us;815157</link>
          <text />
          <text>You can add input validation to Web Forms pages by using validation controls. Validation controls provide an easy-to-use mechanism for all common types of standard validation (for example, testing for valid dates or values within a range), plus ways to provide custom-written validation. In addition, validation controls allow you to completely customize how error information is displayed to the user. Validation controls can be used with any controls that are processed in a Web Forms page's class file, including both HTML and Web server controls.</text>
          <text />
          <text>To make sure that all the required parameters exist in a request, use the "RequiredFieldValidator" validation control. This control ensures that the user does not skip an entry in the web form.</text>
          <text />
          <text>To make sure user input contains only valid values, you can use one of the following validation controls:</text>
          <text />
          <text>[1] "RangeValidator": checks that a user's entry (value) is between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.</text>
          <text />
          <text>[2] "RegularExpressionValidator": checks that the entry matches a pattern defined by a regular expression. This type of validation allows you to check for predictable sequences of characters, such as those in social security numbers, e-mail addresses, telephone numbers, postal codes, and so on.</text>
          <text />
          <text>Important note: validation controls do not block user input or change the flow of page processing; they only set an error state, and produce error messages. It is the programmer's responsibility to test the state of the controls in the code before performing further application-specific actions.</text>
          <text />
          <text>There are two ways to check for user input validity: </text>
          <text />
          <text>1. Test for a general error state: </text>
          <text />
          <text>In your code, test the page's IsValid property. This property rolls up the values of the IsValid properties of all the validation controls on the page (using a logical AND). If one of the validation controls is set to invalid, the page's property will return false.</text>
          <text />
          <text>2. Test for the error state of individual controls:</text>
          <text />
          <text>Loop through the page's Validators collection, which contains references to all the validation controls. You can then examine the IsValid property of each validation control.</text>
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must be performed on the server-tier using Servlets.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement the above routine as static methods in a "Validator" utility class.  The following sections describe an example validator class.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.  </text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // Java example to validate required fields
  public Class Validator {
      ...
      public static boolean validateRequired(String value) {
          boolean isFieldValid = false;
          if (value != null &amp;&amp; value.trim().length() &gt; 0) {
              isFieldValid = true;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateRequired(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.  Use the Java primitive wrapper classes to check if the field value can be safely converted to the desired primitive data type.</text>
          <text />
          <text>Example of how to validate a numeric field (type int):</text>
          <text />
          <text>  // Java example to validate that a field is an int number
  public Class Validator {
      ...
      public static boolean validateInt(String value) {
          boolean isFieldValid = false;
          try {
              Integer.parseInt(value);
              isFieldValid = true;
          } catch (Exception e) {
              isFieldValid = false;
          }
          return isFieldValid;
      }
      ...
  }
  ...
  // check if the HTTP request parameter is of type int
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // fieldValue is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>A good practice is to convert all HTTP request parameters to their respective data types.  For example, store the "integerValue" of a request parameter in a request attribute and use it as shown in the following example:</text>
          <text />
          <text>  // Example to convert the HTTP request parameter to a primitive wrapper data type
  // and store this value in a request attribute for further processing
  String fieldValue = request.getParameter("fieldName");
  if (Validator.validateInt(fieldValue)) {
      // convert fieldValue to an Integer
      Integer integerValue = Integer.getInteger(fieldValue);
      // store integerValue in a request attribute
      request.setAttribute("fieldName", integerValue);
  }
  ...
  // Use the request attribute for further processing
  Integer integerValue = (Integer)request.getAttribute("fieldName");
  ...
</text>
          <text />
          <text>The primary Java data types that the application should handle:</text>
          <text>- Byte</text>
          <text>- Short</text>
          <text>- Integer</text>
          <text>- Long</text>
          <text>- Float</text>
          <text>- Double</text>
          <text>- Date</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>Example to validate that the length of the userName field is between 8 and 20 characters:</text>
          <text />
          <text>  // Example to validate the field length
  public Class Validator {
      ...
      public static boolean validateLength(String value, int minLength, int maxLength) {
          String validatedValue = value;
          if (!validateRequired(value)) {
              validatedValue = "";
          }
          return (validatedValue.length() &gt;= minLength &amp;&amp;
                      validatedValue.length() &lt;= maxLength);
      }
      ...
  }
  ...
  String userName = request.getParameter("userName");
  if (Validator.validateRequired(userName)) {
      if (Validator.validateLength(userName, 8, 20)) {
          // userName is valid, continue further processing
          ...
      }
  }
</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>Example to validate that the input numberOfChoices is between 10 and 20:</text>
          <text />
          <text>  // Example to validate the field range
  public Class Validator {
      ...
      public static boolean validateRange(int value, int min, int max) {
          return (value &gt;= min &amp;&amp; value &lt;= max);
      }
      ...
  }
  ...
  String fieldValue = request.getParameter("numberOfChoices");
  if (Validator.validateRequired(fieldValue)) {
      if (Validator.validateInt(fieldValue)) {
          int numberOfChoices = Integer.parseInt(fieldValue);
          if (Validator.validateRange(numberOfChoices, 10, 20)) {
              // numberOfChoices is valid, continue processing request
              ...
          }
      }
  }
</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>Example to validate the user selection against a list of allowed options:</text>
          <text />
          <text>  // Example to validate user selection against a list of options
  public Class Validator {
      ...
      public static boolean validateOption(Object[] options, Object value) {
          boolean isValidValue = false;
          try {
              List list = Arrays.asList(options);
              if (list != null) {
                  isValidValue = list.contains(value);
              }
          } catch (Exception e) {
          }
          return isValidValue;
      }
      ...
  }
  ...
  // Allowed options
  String[] options = {"option1", "option2", "option3");
  // Verify that the user selection is one of the allowed options
  String userSelection = request.getParameter("userSelection");
  if (Validator.validateOption(options, userSelection)) {
      // valid user selection, continue processing request
      ...
  }
</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that the user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]*$</text>
          <text />
          <text>Java 1.3 or earlier versions do not include any regular expression packages.  Apache Regular Expression Package (see Resources below) is recommended for use with Java 1.3 to resolve this lack of support.  </text>
          <text>Example to perform regular expression validation:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Apache regular expression package
  import org.apache.regexp.RE;
  import org.apache.regexp.RESyntaxException;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
               RE r = new RE(expression);
               match = r.match(value);             
          }
          return match;
      }
      ...
  }
  ...
  // Verify that the userName request parameter is alpha-numeric
  String userName = request.getParameter("userName");
  if (Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      // userName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text>Java 1.4 introduced a new regular expression package (java.util.regex).  Here is a modified version of Validator.matchPattern using the new Java 1.4 regular expression package:</text>
          <text />
          <text>  // Example to validate that a given value matches a specified pattern
  // using the Java 1.4 regular expression package
  import java.util.regex.Pattern;
  import java.util.regexe.Matcher;
  public Class Validator {
      ...
      public static boolean matchPattern(String value, String expression) {
          boolean match = false;
          if (validateRequired(expression)) {
              match = Pattern.matches(expression, value);
          }
          return match;
      }
      ...
  }
</text>
          <text />
          <text>[7] Cookie value</text>
          <text>Use the javax.servlet.http.Cookie object to validate the cookie value.  The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>Example to validate a required cookie value:</text>
          <text />
          <text>  // Example to validate a required cookie value
  // First retrieve all available cookies submitted in the HTTP request
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
      // find the "user" cookie
      for (int i=0; i&lt;cookies.length; ++i) {
          if (cookies[i].getName().equals("user")) {
              // validate the cookie value
              if (Validator.validateRequired(cookies[i].getValue()) {
                  // valid cookie value, continue processing request
                  ...
              }
          }    
      }
  }
</text>
          <text />
          <text>[8] HTTP Response</text>
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>Example to filter a specified string by converting sensitive characters to their corresponding character entities:</text>
          <text />
          <text>  // Example to filter sensitive data to prevent cross-site scripting
  public Class Validator {
      ...
      public static String filter(String value) {
          if (value == null) {
              return null;
          }        
          StringBuffer result = new StringBuffer(value.length());
          for (int i=0; i&lt;value.length(); ++i) {
              switch (value.charAt(i)) {
              case '&lt;':
                  result.append("&lt;");
                  break;
              case '&gt;': 
                  result.append("&gt;");
                  break;
              case '"': 
                  result.append(""");
                  break;
              case '\'': 
                  result.append("'");
                  break;
              case '%': 
                  result.append("%");
                  break;
              case ';': 
                  result.append(";");
                  break;
              case '(': 
                  result.append("(");
                  break;
              case ')': 
                  result.append(")");
                  break;
              case '&amp;': 
                  result.append("&amp;");
                  break;
              case '+':
                  result.append("+");
                  break;
              default:
                  result.append(value.charAt(i));
                  break;
          }        
          return result;
      }
      ...
  }
  ...
  // Filter the HTTP response using Validator.filter
  PrintWriter out = response.getWriter();
  // set output response
  out.write(Validator.filter(response));
  out.close();
</text>
          <text />
          <text>The Java Servlet API 2.3 introduced Filters, which supports the interception and transformation of HTTP requests or responses.</text>
          <text />
          <text>Example of using a Servlet Filter to sanitize the response using Validator.filter:</text>
          <text />
          <text>  // Example to filter all sensitive characters in the HTTP response using a Java Filter.
  // This example is for illustration purposes since it will filter all content in the response, including HTML tags!
  public class SensitiveCharsFilter implements Filter {
      ...
      public void doFilter(ServletRequest request,
                      ServletResponse response,
                      FilterChain chain)
              throws IOException, ServletException {
  
          PrintWriter out = response.getWriter();
          ResponseWrapper wrapper = new ResponseWrapper((HttpServletResponse)response);
          chain.doFilter(request, wrapper);
  
          CharArrayWriter caw = new CharArrayWriter();
          caw.write(Validator.filter(wrapper.toString()));
          
          response.setContentType("text/html");
          response.setContentLength(caw.toString().length());
          out.write(caw.toString());
          out.close();
      }
      ...
      public class CharResponseWrapper extends HttpServletResponseWrapper {
          private CharArrayWriter output;
  
          public String toString() {
              return output.toString();
          }
      
          public CharResponseWrapper(HttpServletResponse response){
              super(response);
              output = new CharArrayWriter();
          }
          
          public PrintWriter getWriter(){
              return new PrintWriter(output);
          }
      }
  } 
  
  }
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text>When storing sensitive data in a cookie, make sure to set the secure flag of the cookie in the HTTP response, using Cookie.setSecure(boolean flag) to instruct the browser to send the cookie  using  a secure protocol, such as HTTPS or SSL.</text>
          <text />
          <text>Example to secure the "user" cookie:</text>
          <text />
          <text>  // Example to secure a cookie, i.e. instruct the browser to
  // send the cookie using a secure protocol
  Cookie cookie = new Cookie("user", "sensitive");
  cookie.setSecure(true);
  response.addCookie(cookie);
</text>
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a powerful framework that implements all the above data validation requirements.  These rules are configured in an XML file that defines input validation rules for form fields.  Struts supports output filtering of dangerous characters in the [8] HTTP Response by default on all data written using the Struts 'bean:write' tag.  This filtering may be disabled by setting the 'filter=false' flag.</text>
          <text />
          <text>Struts defines the following basic input validators, but custom validators may also be defined:</text>
          <text>required: succeeds if the field contains any characters other than white space.</text>
          <text>mask: succeeds if the value matches the regular expression given by the mask attribute.</text>
          <text>range: succeeds if the value is within the values given by the min and max attributes ((value &gt;= min) &amp; (value &lt;= max)).</text>
          <text>maxLength: succeeds if the field is length is less than or equal to the max attribute.</text>
          <text>minLength: succeeds if the field is length is greater than or equal to the min attribute.</text>
          <text>byte, short, integer, long, float, double: succeeds if the value can be converted to the corresponding primitive.</text>
          <text>date: succeeds if the value represents a valid date. A date pattern may be provided.</text>
          <text>creditCard: succeeds if the value could be a valid credit card number.</text>
          <text>e-mail: succeeds if the value could be a valid e-mail address.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events and input validation.</text>
          <text />
          <text>The JavaServer Faces API implements the following basic validators, but custom validators may be defined:</text>
          <text>validate_doublerange: registers a DoubleRangeValidator on a component</text>
          <text>validate_length: registers a LengthValidator on a component</text>
          <text>validate_longrange: registers a LongRangeValidator on a component</text>
          <text>validate_required: registers a RequiredValidator on a component</text>
          <text>validate_stringrange: registers a StringRangeValidator on a component</text>
          <text>validator: registers a custom Validator on a component</text>
          <text />
          <text>The JavaServer Faces API defines the following UIInput and UIOutput Renderers (Tags):</text>
          <text>input_date: accepts a java.util.Date formatted with a java.text.Date instance</text>
          <text>output_date: displays a java.util.Date formatted with a java.text.Date instance</text>
          <text>input_datetime: accepts a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>output_datetime: displays a java.util.Date formatted with a java.text.DateTime instance</text>
          <text>input_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>output_number: displays a numeric data type (java.lang.Number or primitive), formatted with a java.text.NumberFormat</text>
          <text>input_text: accepts a text string of one line.</text>
          <text>output_text: displays a text string of one line.</text>
          <text>input_time: accepts a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>output_time: displays a java.util.Date, formatted with a java.text.DateFormat time instance</text>
          <text>input_hidden: allows a page author to include a hidden variable in a page</text>
          <text>input_secret: accepts one line of text with no spaces and displays it as a set of asterisks as it is typed</text>
          <text>input_textarea: accepts multiple lines of text</text>
          <text>output_errors: displays error messages for an entire page or error messages associated with a specified client identifier</text>
          <text>output_label: displays a nested component as a label for a specified input field</text>
          <text>output_message: displays a localized message</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text />
          <text>** Error Handling:</text>
          <text />
          <text>Many J2EE web application architectures follow the Model View Controller (MVC) pattern.  In this pattern a Servlet acts as a Controller.  A Servlet delegates the application processing to a JavaBean such as an EJB Session Bean (the Model).  The Servlet then forwards the request to a JSP (View) to render the processing results.  Servlets should check all input, output, return codes, error codes and known exceptions to ensure that the expected processing actually occurred.</text>
          <text />
          <text>While data validation protects applications against malicious data tampering, a sound error handling strategy is necessary to prevent the application from inadvertently disclosing internal error messages such as exception stack traces.  A good error handling strategy addresses the following items:</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>[2] Reporting Errors</text>
          <text>[3] Rendering Errors</text>
          <text>[4] Error Mapping</text>
          <text />
          <text>[1] Defining Errors</text>
          <text>Hard-coded error messages in the application layer (e.g. Servlets) should be avoided.  Instead, the application should use error keys that map to known application failures.  A good practice is to define error keys that map to validation rules for HTML form fields or other bean properties.  For example, if the "user_name" field is required, is alphanumeric, and must be unique in the database, then the following error keys should be defined:</text>
          <text />
          <text>(a) ERROR_USERNAME_REQUIRED: this error key is used to display a message notifying the user that the "user_name" field is required;</text>
          <text>(b) ERROR_USERNAME_ALPHANUMERIC: this error key is used to display a message notifying the user that the "user_name" field should be alphanumeric;</text>
          <text>(c) ERROR_USERNAME_DUPLICATE: this error key is used to display a message notifying the user that the "user_name" value is a duplicate in the database;</text>
          <text>(d) ERROR_USERNAME_INVALID: this error key is used to display a generic message notifying the user that the "user_name" value is invalid;</text>
          <text />
          <text>A good practice is to define the following framework Java classes which are used to store and report application errors:</text>
          <text />
          <text>- ErrorKeys: defines all error keys</text>
          <text />
          <text>      // Example: ErrorKeys defining the following error keys:    
      //    - ERROR_USERNAME_REQUIRED
      //    - ERROR_USERNAME_ALPHANUMERIC
      //    - ERROR_USERNAME_DUPLICATE
      //    - ERROR_USERNAME_INVALID
      //    ...
      public Class ErrorKeys {
          public static final String ERROR_USERNAME_REQUIRED = "error.username.required";
          public static final String ERROR_USERNAME_ALPHANUMERIC = "error.username.alphanumeric";
          public static final String ERROR_USERNAME_DUPLICATE = "error.username.duplicate";
          public static final String ERROR_USERNAME_INVALID = "error.username.invalid";
          ...
      }
</text>
          <text>- Error: encapsulates an individual error</text>
          <text />
          <text>      // Example: Error encapsulates an error key.
      // Error is serializable to support code executing in multiple JVMs.
      public Class Error implements Serializable {
          
          // Constructor given a specified error key
          public Error(String key) {
              this(key, null);
          }
          
          // Constructor given a specified error key and array of placeholder objects
          public Error(String key, Object[] values) {
              this.key = key;
              this.values = values;
          }
          
          // Returns the error key
          public String getKey() {
              return this.key;
          }
          
          // Returns the placeholder values
          public Object[] getValues() {
              return this.values;
          }
          
          private String key = null;
          private Object[] values = null;
      }    
</text>
          <text />
          <text>- Errors: encapsulates a Collection of errors</text>
          <text />
          <text>      // Example: Errors encapsulates the Error objects being reported to the presentation layer.
      // Errors are stored in a HashMap where the key is the bean property name and value is an
      // ArrayList of Error objects.
      public Class Errors implements Serializable {
      
          // Adds an Error object to the Collection of errors for the specified bean property.
          public void addError(String property, Error error) {
              ArrayList propertyErrors = (ArrayList)errors.get(property);
              if (propertyErrors == null) {
                  propertyErrors = new ArrayList();
                  errors.put(property, propertyErrors);
              }
              propertyErrors.put(error);            
          }
          
          // Returns true if there are any errors
          public boolean hasErrors() {
              return (errors.size &gt; 0);
          }
          
          // Returns the Errors for the specified property
          public ArrayList getErrors(String property) {
              return (ArrayList)errors.get(property);
          }
  
          private HashMap errors = new HashMap();
      }
</text>
          <text />
          <text>Using the above framework classes, here is an example to process validation errors of the "user_name" field:</text>
          <text />
          <text>  // Example to process validation errors of the "user_name" field.
  Errors errors = new Errors();
  String userName = request.getParameter("user_name");
  // (a) Required validation rule
  if (!Validator.validateRequired(userName)) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_REQUIRED));
  } // (b) Alpha-numeric validation rule
  else if (!Validator.matchPattern(userName, "^[a-zA-Z0-9]*$")) {
      errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_ALPHANUMERIC));
  }
  else
  {
      // (c) Duplicate check validation rule
      // We assume that there is an existing UserValidationEJB session bean that implements
      // a checkIfDuplicate() method to verify if the user already exists in the database.
      try {
          ...        
          if (UserValidationEJB.checkIfDuplicate(userName)) {
              errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE));
          }
      } catch (RemoteException e) {
          // log the error
          logger.error("Could not validate user for specified userName: " + userName);
          errors.addError("user_name", new Error(ErrorKeys.ERROR_USERNAME_DUPLICATE);
      }
  }
  // set the errors object in a request attribute called "errors"
  request.setAttribute("errors", errors);
  ...
</text>
          <text />
          <text>[2] Reporting Errors</text>
          <text>There are two ways to report web-tier application errors:</text>
          <text>(a) Servlet Error Mechanism</text>
          <text>(b) JSP Error Mechanism</text>
          <text />
          <text>[2-a] Servlet Error Mechanism</text>
          <text>A Servlet may report errors by:</text>
          <text>- forwarding to the input JSP (having already stored the errors in a request attribute), OR</text>
          <text>- calling response.sendError with an HTTP error code argument, OR</text>
          <text>- throwing an exception</text>
          <text />
          <text>It is good practice to process all known application errors (as described in section [1]), store them in a request attribute, and forward to the input JSP. The input JSP should display the error messages and prompt the user to re-enter the data.  The following example illustrates how to forward to an input JSP (userInput.jsp):</text>
          <text />
          <text>  // Example to forward to the userInput.jsp following user validation errors
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd != null) {
      rd.forward(request, response);
  }
</text>
          <text />
          <text>If the Servlet cannot forward to a known JSP page, the second option is to report an error using the response.sendError method with HttpServletResponse.SC_INTERNAL_SERVER_ERROR (status code 500) as argument.  Refer to the javadoc of javax.servlet.http.HttpServletResponse for more details on the various HTTP status codes.  </text>
          <text />
          <text>Example to return a HTTP error:</text>
          <text>  // Example to return a HTTP error code
  RequestDispatcher rd = getServletContext().getRequestDispatcher("/user/userInput.jsp");
  if (rd == null) {
      // messages is a resource bundle with all message keys and values
      response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                              messages.getMessage(ErrorKeys.ERROR_USERNAME_INVALID));
  }
</text>
          <text />
          <text>As a last resort, Servlets can throw an exception, which must be a subclass of one of the following classes:</text>
          <text>- RuntimeException</text>
          <text>- ServletException</text>
          <text>- IOException</text>
          <text />
          <text>[2-b] JSP Error Mechanism</text>
          <text>JSP pages provide a mechanism to handle runtime exceptions by defining an errorPage directive as shown in the following example:</text>
          <text />
          <text>      &lt;%@ page errorPage="/errors/userValidation.jsp" %&gt;
</text>
          <text />
          <text>Uncaught JSP exceptions are forwarded to the specified errorPage, and the original exception is set in a request parameter called javax.servlet.jsp.jspException.  The error page must include a isErrorPage directive as shown below:</text>
          <text />
          <text>      &lt;%@ page isErrorPage="true" %&gt;
</text>
          <text />
          <text>The isErrorPage directive causes the "exception" variable to be initialized to the exception object being thrown.</text>
          <text />
          <text>[3] Rendering Errors</text>
          <text>The J2SE Internationalization APIs provide utility classes for externalizing application resources and formatting messages including:</text>
          <text />
          <text>(a) Resource Bundles</text>
          <text>(b) Message Formatting</text>
          <text />
          <text>[3-a] Resource Bundles</text>
          <text>Resource bundles support internationalization by separating localized data from the source code that uses it.  Each resource bundle stores a map of key/value pairs for a specific locale.</text>
          <text />
          <text>It is common to use or extend java.util.PropertyResourceBundle, which stores the content in an external properties file as shown in the following example:</text>
          <text />
          <text>  ################################################
  # ErrorMessages.properties
  ################################################
  # required user name error message
  error.username.required=User name field is required
  
  # invalid user name format
  error.username.alphanumeric=User name must be alphanumeric
  
  # duplicate user name error message
  error.username.duplicate=User name {0} already exists, please choose another one
  
  ...
</text>
          <text />
          <text>Multiple resources can be defined to support different locales (hence the name resource bundle).  For example, ErrorMessages_fr.properties can be defined to support the French member of the bundle family.  If the resource member of the requested locale does not exist, the default member is used.  In the above example, the default resource is ErrorMessages.properties.  Depending on the user's locale, the application (JSP or Servlet) retrieves content from the appropriate resource.</text>
          <text />
          <text>[3-b] Message Formatting</text>
          <text>The J2SE standard class java.util.MessageFormat provides a generic way to create messages with replacement placeholders.  A MessageFormat object contains a pattern string with embedded format specifiers as shown below:</text>
          <text />
          <text>  // Example to show how to format a message using placeholder parameters
  String pattern = "User name {0} already exists, please choose another one";
  String userName = request.getParameter("user_name");
  Object[] args = new Object[1];
  args[0] = userName;
  String message = MessageFormat.format(pattern, args);
</text>
          <text />
          <text>Here is a more comprehensive example to render error messages using ResourceBundle and MessageFormat:</text>
          <text />
          <text>  // Example to render an error message from a localized ErrorMessages resource (properties file)
  // Utility class to retrieve locale-specific error messages
  public Class ErrorMessageResource {
      
      // Returns the error message for the specified error key in the environment locale
      public String getErrorMessage(String errorKey) {
          return getErrorMessage(errorKey, defaultLocale);
      }
      
      // Returns the error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Locale locale) {
          return getErrorMessage(errorKey, null, locale);
      }
      
      // Returns a formatted error message for the specified error key in the specified locale
      public String getErrorMessage(String errorKey, Object[] args, Locale locale) {    
          // Get localized ErrorMessageResource
          ResourceBundle errorMessageResource = ResourceBundle.getBundle("ErrorMessages", locale);
          // Get localized error message
          String errorMessage = errorMessageResource.getString(errorKey);
          if (args != null) {
              // Format the message using the specified placeholders args
              return MessageFormat.format(errorMessage, args);
          } else {
              return errorMessage;
          }
      }
      
      // default environment locale
      private Locale defaultLocale = Locale.getDefaultLocale();
  }
  ...
  // Get the user's locale
  Locale userLocale = request.getLocale();
  // Check if there were any validation errors
  Errors errors = (Errors)request.getAttribute("errors");
  if (errors != null &amp;&amp; errors.hasErrors()) {
      // iterate through errors and output error messages corresponding to the "user_name" property
      ArrayList userNameErrors = errors.getErrors("user_name");
      ListIterator iterator = userNameErrors.iterator();
      while (iterator.hasNext()) {
          // Get the next error object
          Error error = (Error)iterator.next();
          String errorMessage = ErrorMessageResource.getErrorMessage(error.getKey(), userLocale);
          output.write(errorMessage + "\r\n");
      }
  }
</text>
          <text />
          <text>It is recommended to define a custom JSP tag, e.g. displayErrors, to iterate through and render error messages as shown in the above example.</text>
          <text />
          <text>[4] Error Mapping</text>
          <text>Normally, the Servlet Container will return a default error page corresponding to either the response status code or the exception.  A mapping between the status code or the exception and a web resource may be specified using custom error pages.  It is a good practice to develop static error pages that do not disclose internal error states (by default, most Servlet containers will report internal error messages).  This mapping is configured in the Web Deployment Descriptor (web.xml) as specified in the following example:</text>
          <text />
          <text>  &lt;!-- Mapping of HTTP error codes and application exceptions to error pages --&gt;
  &lt;error-page&gt;
    &lt;exception-type&gt;UserValidationException&lt;/exception-type&gt;
    &lt;location&gt;/errors/validationError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
    &lt;error-code&gt;500&lt;/exception-type&gt;
    &lt;location&gt;/errors/internalError.html&lt;/error-page&gt;
  &lt;/error-page&gt;
  &lt;error-page&gt;
  ...
  &lt;/error-page&gt;
  ...
</text>
          <text />
          <text />
          <text>RECOMMENDED JAVA TOOLS</text>
          <text>The two main Java frameworks for server-side validation are:</text>
          <text>[1] Jakarta Commons Validator (integrated with Struts 1.1)</text>
          <text>The Jakarta Commons Validator is a Java framework that defines the error handling mechanism as described above.  Validation rules are configured in an XML file that defines input validation rules for form fields and the corresponding validation error keys.  Struts provides internationalization support to build localized applications using resource bundles and message formatting.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using Struts Validator:</text>
          <text>  &lt;form-validation&gt;
      &lt;global&gt;
          ...
          &lt;validator name="required"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateRequired"
              msg="errors.required"&gt;
          &lt;/validator&gt;
          &lt;validator name="mask"
              classname="org.apache.struts.validator.FieldChecks"
              method="validateMask"
              msg="errors.invalid"&gt;
          &lt;/validator&gt;
          ...
      &lt;/global&gt;
      &lt;formset&gt;
          &lt;form name="loginForm"&gt;
              &lt;!-- userName is required and is alpha-numeric case insensitive --&gt;
              &lt;field property="userName" depends="required,mask"&gt;
                  &lt;!-- message resource key to display if validation fails --&gt;
                  &lt;msg name="mask" key="login.userName.maskmsg"/&gt;
                  &lt;arg0 key="login.userName.displayname"/&gt;
                  &lt;var&gt;
                      &lt;var-name&gt;mask&lt;/var-name&gt;
                      &lt;var-value&gt;^[a-zA-Z0-9]*$&lt;/var-value&gt;
                  &lt;/var&gt;
              &lt;/field&gt;
          ...
          &lt;/form&gt;
          ...
      &lt;/formset&gt;
  &lt;/form-validation&gt;
</text>
          <text />
          <text>The Struts JSP tag library defines the "errors" tag that conditionally displays a set of accumulated error messages as shown in the following example:</text>
          <text />
          <text>  &lt;%@ page language="java" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %&gt;
  &lt;%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %&gt;
  &lt;html:html&gt;
  &lt;head&gt;
  &lt;body&gt;
      &lt;html:form action="/logon.do"&gt;    
      &lt;table border="0" width="100%"&gt;
      &lt;tr&gt;
          &lt;th align="right"&gt;
              &lt;html:errors property="username"/&gt;
              &lt;bean:message key="prompt.username"/&gt;
          &lt;/th&gt;
          &lt;td align="left"&gt;
              &lt;html:text property="username" size="16"/&gt;
          &lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
      &lt;td align="right"&gt;
          &lt;html:submit&gt;&lt;bean:message key="button.submit"/&gt;&lt;/html:submit&gt;
      &lt;/td&gt;
      &lt;td align="right"&gt;
          &lt;html:reset&gt;&lt;bean:message key="button.reset"/&gt;&lt;/html:reset&gt;
      &lt;/td&gt;
      &lt;/tr&gt;
      &lt;/table&gt;
      &lt;/html:form&gt;
  &lt;/body&gt;
  &lt;/html:html&gt;
</text>
          <text />
          <text>[2] JavaServer Faces Technology</text>
          <text>JavaServer Faces Technology is a set of Java APIs (JSR 127) to represent UI components, manage their state, handle events, validate input, and support internationalization.</text>
          <text />
          <text>The JavaServer Faces API defines the "output_errors" UIOutput Renderer, which displays error messages for an entire page or error messages associated with a specified client identifier.</text>
          <text />
          <text>Example to validate the userName field of a loginForm using JavaServer Faces:</text>
          <text>  &lt;%@ taglib uri="https://docs.oracle.com/javaee/6/tutorial/doc/glxce.html" prefix="h" %&gt;
  &lt;%@ taglib uri="http://mrbool.com/how-to-create-a-login-validation-with-jsf-java-server-faces/27046" prefix="f" %&gt;
  ...
  &lt;jsp:useBean id="UserBean"
      class="myApplication.UserBean" scope="session" /&gt;
  &lt;f:use_faces&gt;
    &lt;h:form formName="loginForm" &gt;
      &lt;h:input_text id="userName" size="20" modelReference="UserBean.userName"&gt;
          &lt;f:validate_required/&gt;
          &lt;f:validate_length minimum="8" maximum="20"/&gt;    
      &lt;/h:input_text&gt;
      &lt;!-- display errors if present --&gt;
      &lt;h:output_errors id="loginErrors" clientId="userName"/&gt;
      &lt;h:command_button id="submit" label="Submit" commandName="submit" /&gt;&lt;p&gt;
    &lt;/h:form&gt;
  &lt;/f:use_faces&gt;
</text>
          <text />
          <text>REFERENCES</text>
          <text>Java API 1.3 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-13docs-downloads.html</link>
          <text>Java API 1.4 - </text>
          <link target="https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html">https://www.oracle.com/java/technologies/java-archive-142docs-downloads.html</link>
          <text>Java Servlet API 2.3 - </text>
          <link target="https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api">https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api</link>
          <text>Java Regular Expression Package - </text>
          <link target="http://jakarta.apache.org/regexp/">http://jakarta.apache.org/regexp/</link>
          <text>Jakarta Validator - </text>
          <link target="http://jakarta.apache.org/commons/validator/">http://jakarta.apache.org/commons/validator/</link>
          <text>JavaServer Faces Technology - </text>
          <link target="http://www.javaserverfaces.org/">http://www.javaserverfaces.org/</link>
          <text>** Input Data Validation:</text>
          <text />
          <text>While data validations may be provided as a user convenience on the client-tier, data validation must always be performed on the server-tier.  Client-side validations are inherently insecure because they can be easily bypassed, e.g. by disabling Javascript.</text>
          <text />
          <text>A good design usually requires the web application framework to provide server-side utility routines to validate the following:</text>
          <text>[1] Required field</text>
          <text>[2] Field data type (all HTTP request parameters are Strings by default)</text>
          <text>[3] Field length</text>
          <text>[4] Field range</text>
          <text>[5] Field options</text>
          <text>[6] Field pattern</text>
          <text>[7] Cookie values</text>
          <text>[8] HTTP Response</text>
          <text />
          <text>A good practice is to implement a function or functions that validates each application parameter.  The following sections describe some example checking.</text>
          <text />
          <text>[1] Required field</text>
          <text>Always check that the field is not null and its length is greater than zero, excluding leading and trailing white spaces.</text>
          <text />
          <text>Example of how to validate required fields:</text>
          <text />
          <text>  // PHP example to validate required fields
  function validateRequired($input) {
      ...
      $pass = false;
      if (strlen(trim($input))&gt;0){
          $pass = true;
      }
      return $pass;
      ...
  }
  ...
  if (validateRequired($fieldName)) {
      // fieldName is valid, continue processing request
      ...
  }
</text>
          <text />
          <text />
          <text>[2] Field data type</text>
          <text>In web applications, input parameters are poorly typed.  For example, all HTTP request parameters or cookie values are of type String.  The developer is responsible for verifying the input is of the correct data type.</text>
          <text />
          <text>[3] Field length</text>
          <text>Always ensure that the input parameter (whether HTTP request parameter or cookie value) is bounded by a minimum length and/or a maximum length.</text>
          <text />
          <text>[4] Field range</text>
          <text>Always ensure that the input parameter is within a range as defined by the functional requirements.</text>
          <text />
          <text>[5] Field options</text>
          <text>Often, the web application presents the user with a set of options to choose from, e.g. using the SELECT HTML tag, but fails to perform server-side validation to ensure that the selected value is one of the allowed options.  Remember that a malicious user can easily modify any option value.  Always validate the selected user value against the allowed options as defined by the functional requirements.</text>
          <text />
          <text>[6] Field pattern</text>
          <text>Always check that user input matches a pattern as defined by the functionality requirements.  For example, if the userName field should only allow alpha-numeric characters, case insensitive, then use the following regular expression:</text>
          <text>^[a-zA-Z0-9]+$</text>
          <text />
          <text>[7] Cookie value</text>
          <text>The same validation rules (described above) apply to cookie values depending on the application requirements, e.g. validate a required value, validate length, etc.</text>
          <text />
          <text>[8] HTTP Response</text>
          <text />
          <text>[8-1] Filter user input</text>
          <text>To guard the application against cross-site scripting, the developer should sanitize HTML by converting sensitive characters to their corresponding character entities.  These are the HTML sensitive characters:</text>
          <text>&lt; &gt; " ' % ; ) ( &amp; +</text>
          <text />
          <text>PHP includes some automatic sanitization utility functions, such as htmlentities():</text>
          <text />
          <text>  $input = htmlentities($input, ENT_QUOTES, 'UTF-8');
</text>
          <text />
          <text>In addition, in order to avoid UTF-7 variants of Cross-site Scripting, you should explicitly define the Content-Type header of the response, for example:</text>
          <text />
          <text>  &lt;?php
  
  header('Content-Type: text/html; charset=UTF-8');
  
  ?&gt;
</text>
          <text />
          <text>[8-2] Secure the cookie</text>
          <text />
          <text>When storing sensitive data in a cookie and transporting it over SSL, make sure that you first set the secure flag of the cookie in the HTTP response. This will instruct the browser to only use that cookie over SSL connections.</text>
          <text />
          <text>You can use the following code example, for securing the cookie:</text>
          <text />
          <text>  &lt;$php
  
      $value = "some_value";
      $time = time()+3600;
      $path = "/application/";
      $domain = ".example.com";
      $secure = 1;
  
      setcookie("CookieName", $value, $time, $path, $domain, $secure, TRUE);
  ?&gt;
  
</text>
          <text />
          <text>In addition, we recommend that you use the HttpOnly flag. When the HttpOnly flag is set to TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).</text>
          <text />
          <text>The HttpOnly flag was Added in PHP 5.2.0.</text>
          <text />
          <text>REFERENCES</text>
          <text />
          <text>[1] Mitigating Cross-site Scripting With HTTP-only Cookies: </text>
          <link target="http://msdn2.microsoft.com/en-us/library/ms533046.aspx">http://msdn2.microsoft.com/en-us/library/ms533046.aspx</link>
          <text>[2] PHP Security Consortium: </text>
          <link target="http://phpsec.org/">http://phpsec.org/</link>
          <text>[3] PHP &amp; Web Application Security Blog (Chris Shiflett): </text>
          <link target="http://shiflett.org/">http://shiflett.org/</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="GD_EmailAddress">
      <general>
        <fixRecommendation type="General">
          <text>Remove any e-mail addresses from the website so that they won't be exploited by malicious users.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attSensitiveInHtmlComments">
      <general>
        <fixRecommendation type="General">
          <text>Remove client-side comments that could reveal internal information for development time. Consider processing files before deployment to automatically remove all comments. This allows comments to be visible to internal developers but not to external users.</text>
          <text>Do not leave any sensitive information, such as filenames, file paths, passwords, or SQL queries, in HTML or JavaScript comments.</text>
          <text>Remove traces of previous (or future) site links in the production site comments.</text>
        </fixRecommendation>
      </general>
    </item>
    <item id="attReferrerPolicyHeaderExist">
      <general>
        <fixRecommendation type="General">
          <text>Configure your server to send the "Referrer Policy" header.</text>
          <text>It is recommended to configure Referrer Policy header with secure values for its directives as below:</text>
          <text>"strict-origin-when-cross-origin" offers more privacy. With this policy, only the origin is sent in the Referer header of cross-origin requests.</text>
          <text />
          <text>For Google Chrome, see: </text>
          <link target="https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default">https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default</link>
          <text>For Firefox , see: </text>
          <link target="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy.">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy.</link>
        </fixRecommendation>
      </general>
    </item>
    <item id="GD_PathDisclosure">
      <general>
        <fixRecommendation type="General">
          <text>There are several mitigation techniques:</text>
          <text>[1] In case the vulnerability is in the application itself, fix the server code so it doesn’t include file locations in any output.</text>
          <text>[2] Otherwise, if the application is in a 3rd party product, download the relevant security patch depending on the 3rd party product you are using on your web server or web application.</text>
        </fixRecommendation>
      </general>
    </item>
  </fix-recommendation-group>
  <threat-class-group>
    <item id="catSQLInjection" href="http://projects.webappsec.org/SQL-Injection">SQL Injection</item>
    <item id="catIntegerOverflow" href="http://projects.webappsec.org/Integer-Overflows">Integer Overflows</item>
    <item id="catURLRedirectoryAbuse" href="http://projects.webappsec.org/URL-Redirector-Abuse">URL Redirector Abuse</item>
    <item id="catCrossSiteScripting" href="http://projects.webappsec.org/Cross-Site+Scripting">Cross-site Scripting</item>
    <item id="catServerMisconfiguration" href="http://projects.webappsec.org/Server-Misconfiguration">Server Misconfiguration</item>
    <item id="catCrossSiteRequestForgery" href="http://projects.webappsec.org/Cross-Site-Request-Forgery">Cross-site Request Forgery</item>
    <item id="catPredictableResourceLocation" href="http://projects.webappsec.org/Predictable-Resource-Location">Predictable Resource Location</item>
    <item id="catAbuseOfFunctionality" href="http://projects.webappsec.org/Abuse-of-Functionality">Abuse of Functionality</item>
    <item id="catBruteForce" href="http://projects.webappsec.org/Brute-Force">Brute Force</item>
    <item id="catContentSpoofing" href="http://projects.webappsec.org/Content-Spoofing">Content Spoofing</item>
    <item id="catInformationLeakage" href="http://projects.webappsec.org/Information-Leakage">Information Leakage</item>
    <item id="catSessionFixation" href="http://projects.webappsec.org/Session-Fixation">Session Fixation</item>
  </threat-class-group>
  <url-group>
    <item id="775863246">
      <name>https://demo.testfire.net/bank/ccApply</name>
      <issue-type>attBlindSqlInjectionStrings</issue-type>
      <issues-count informational="1" low="1" medium="1" critical="1" total="4" />
      <max-severity>6</max-severity>
    </item>
    <item id="651044833">
      <name>https://demo.testfire.net/bank/showTransactions</name>
      <issue-type>attSqlInjectionChecks</issue-type>
      <issues-count informational="2" low="1" medium="4" critical="2" total="9" />
      <max-severity>6</max-severity>
    </item>
    <item id="1948842127">
      <name>https://demo.testfire.net/doLogin</name>
      <issue-type>attSqlInjectionChecks</issue-type>
      <issues-count medium="5" critical="2" total="7" />
      <max-severity>6</max-severity>
    </item>
    <item id="1271360813">
      <name>https://demo.testfire.net/bank/doTransfer</name>
      <issue-type>attIntegerOverflow</issue-type>
      <issues-count informational="3" low="2" medium="1" high="1" total="7" />
      <max-severity>3</max-severity>
    </item>
    <item id="-629986450">
      <name>https://demo.testfire.net/bank/showAccount</name>
      <issue-type>attIntegerOverflow</issue-type>
      <issues-count informational="2" low="3" high="1" total="6" />
      <max-severity>3</max-severity>
    </item>
    <item id="1339814455">
      <name>https://demo.testfire.net/bank/customize.jsp</name>
      <issue-type>attRedirectInURL</issue-type>
      <issues-count low="3" medium="3" high="3" total="9" />
      <max-severity>3</max-severity>
    </item>
    <item id="-1996295944">
      <name>https://demo.testfire.net/bank/queryxpath.jsp</name>
      <issue-type>attCrossSiteScripting</issue-type>
      <issues-count low="3" medium="3" high="1" total="7" />
      <max-severity>3</max-severity>
    </item>
    <item id="-536121314">
      <name>https://demo.testfire.net/index.jsp</name>
      <issue-type>attCrossSiteScripting</issue-type>
      <issues-count low="3" medium="2" high="1" total="6" />
      <max-severity>3</max-severity>
    </item>
    <item id="1165086597">
      <name>https://demo.testfire.net/search.jsp</name>
      <issue-type>attCrossSiteScripting</issue-type>
      <issues-count low="2" medium="2" high="1" total="5" />
      <max-severity>3</max-severity>
    </item>
    <item id="1592530293">
      <name>https://demo.testfire.net/sendFeedback</name>
      <issue-type>attCrossSiteScripting</issue-type>
      <issues-count medium="3" high="2" total="5" />
      <max-severity>3</max-severity>
    </item>
    <item id="1134871332">
      <name>https://demo.testfire.net/util/serverStatusCheckService.jsp</name>
      <issue-type>attCrossSiteScripting</issue-type>
      <issues-count low="2" medium="2" high="1" total="5" />
      <max-severity>3</max-severity>
    </item>
    <item id="1792737604">
      <name>https://demo.testfire.net/</name>
      <issue-type>attSameSiteCookie</issue-type>
      <issues-count informational="1" low="6" medium="4" total="11" />
      <max-severity>2</max-severity>
    </item>
    <item id="-154706909">
      <name>https://demo.testfire.net/admin/admin.jsp</name>
      <issue-type>attCrossSiteRequestForgery</issue-type>
      <issues-count informational="2" low="3" medium="1" total="6" />
      <max-severity>2</max-severity>
    </item>
    <item id="-1929661216">
      <name>https://demo.testfire.net/admin/</name>
      <issue-type>DirectAccesstoAdministrationPages</issue-type>
      <issues-count medium="1" total="1" />
      <max-severity>2</max-severity>
    </item>
    <item id="-299437858">
      <name>https://demo.testfire.net/login.jsp</name>
      <issue-type>OldTLS</issue-type>
      <issues-count informational="1" low="3" medium="2" total="6" />
      <max-severity>2</max-severity>
    </item>
    <item id="812105649">
      <name>https://demo.testfire.net/bank/apply.jsp</name>
      <issue-type>GD_autocompleteInForm</issue-type>
      <issues-count low="2" total="2" />
      <max-severity>1</max-severity>
    </item>
    <item id="1469354828">
      <name>https://demo.testfire.net/bank/main.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="2" total="2" />
      <max-severity>1</max-severity>
    </item>
    <item id="-1261426540">
      <name>https://demo.testfire.net/bank/transaction.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="1" total="1" />
      <max-severity>1</max-severity>
    </item>
    <item id="325438362">
      <name>https://demo.testfire.net/bank/transfer.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="2" total="2" />
      <max-severity>1</max-severity>
    </item>
    <item id="-38179879">
      <name>https://demo.testfire.net/feedback.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count informational="1" low="1" total="2" />
      <max-severity>1</max-severity>
    </item>
    <item id="1761041858">
      <name>https://demo.testfire.net/status_check.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="1" total="1" />
      <max-severity>1</max-severity>
    </item>
    <item id="2028812105">
      <name>https://demo.testfire.net/subscribe.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="1" total="1" />
      <max-severity>1</max-severity>
    </item>
    <item id="-959239324">
      <name>https://demo.testfire.net/survey_questions.jsp</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count low="3" total="3" />
      <max-severity>1</max-severity>
    </item>
    <item id="-2065932717">
      <name>https://demo.testfire.net/swagger/properties.json</name>
      <issue-type>attCachedSSL</issue-type>
      <issues-count informational="1" low="1" total="2" />
      <max-severity>1</max-severity>
    </item>
    <item id="345404385">
      <name>https://demo.testfire.net/doSubscribe</name>
      <issue-type>GD_EmailAddress</issue-type>
      <issues-count informational="1" total="1" />
      <max-severity>0</max-severity>
    </item>
    <item id="-1112684816">
      <name>https://demo.testfire.net/swagger/swagger-ui-bundle.js</name>
      <issue-type>GD_EmailAddress</issue-type>
      <issues-count informational="1" total="1" />
      <max-severity>0</max-severity>
    </item>
    <item id="-1625474485">
      <name>https://demo.testfire.net/swagger/swagger-ui-standalone-preset.js</name>
      <issue-type>GD_EmailAddress</issue-type>
      <issues-count informational="1" total="1" />
      <max-severity>0</max-severity>
    </item>
  </url-group>
  <entity-group>
    <item id="7089695691196187648">
      <name>demo.testfire.net</name>
      <url-name>https://demo.testfire.net/login.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-3539107900041520384">
      <name>login.jsp</name>
      <url-name>https://demo.testfire.net/login.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="2309187148794231040">
      <name>index.jsp</name>
      <url-name>https://demo.testfire.net/index.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="7372740714070585856">
      <name>JSESSIONID</name>
      <url-name>https://demo.testfire.net/</url-name>
      <entity-type>Cookie</entity-type>
    </item>
    <item id="1010167929559218944">
      <name>feedback.jsp</name>
      <url-name>https://demo.testfire.net/feedback.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-5939543974179105024">
      <name>properties.json</name>
      <url-name>https://demo.testfire.net/swagger/properties.json</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-3517474992796452096">
      <name>queryxpath.jsp</name>
      <url-name>https://demo.testfire.net/bank/queryxpath.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="2822766115314697472">
      <name>transaction.jsp</name>
      <url-name>https://demo.testfire.net/bank/transaction.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="1834802225548946688">
      <name>apply.jsp</name>
      <url-name>https://demo.testfire.net/bank/apply.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="3855082450745769216">
      <name>customize.jsp</name>
      <url-name>https://demo.testfire.net/bank/customize.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="4927821206135434240">
      <name>main.jsp</name>
      <url-name>https://demo.testfire.net/bank/main.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-2166482836966180864">
      <name>transfer.jsp</name>
      <url-name>https://demo.testfire.net/bank/transfer.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="4232534407132182784">
      <name>showTransactions</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-3873382253807372032">
      <name>search.jsp</name>
      <url-name>https://demo.testfire.net/search.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-4873707097942489088">
      <name>showAccount</name>
      <url-name>https://demo.testfire.net/bank/showAccount</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="6449140091464153600">
      <name>subscribe.jsp</name>
      <url-name>https://demo.testfire.net/subscribe.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-1452623662241870080">
      <name>showTransactions</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="6473554968846338816">
      <name>status_check.jsp</name>
      <url-name>https://demo.testfire.net/status_check.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="7463535076884699136">
      <name>sendFeedback</name>
      <url-name>https://demo.testfire.net/sendFeedback</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-3961925784633657600">
      <name>doTransfer</name>
      <url-name>https://demo.testfire.net/bank/doTransfer</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="4989988208601256960">
      <name>doSubscribe</name>
      <url-name>https://demo.testfire.net/doSubscribe</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-8100816465074548224">
      <name>serverStatusCheckService.jsp</name>
      <url-name>https://demo.testfire.net/util/serverStatusCheckService.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-2761707092542850560">
      <name>swagger-ui-standalone-preset.js</name>
      <url-name>https://demo.testfire.net/swagger/swagger-ui-standalone-preset.js</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="4214307616682893568">
      <name>startDate</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="4035308366481687552">
      <name>swagger-ui-bundle.js</name>
      <url-name>https://demo.testfire.net/swagger/swagger-ui-bundle.js</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="8787226202325719296">
      <name>query</name>
      <url-name>https://demo.testfire.net/search.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-13292272741911040">
      <name>ccApply</name>
      <url-name>https://demo.testfire.net/bank/ccApply</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-2605020402746782464">
      <name>survey_questions.jsp</name>
      <url-name>https://demo.testfire.net/survey_questions.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-4831459913268758016">
      <name>HostName</name>
      <url-name>https://demo.testfire.net/util/serverStatusCheckService.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-6284830949157645056">
      <name>endDate</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-2105342084864231680">
      <name>content</name>
      <url-name>https://demo.testfire.net/index.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-4784596934833808640">
      <name>name</name>
      <url-name>https://demo.testfire.net/sendFeedback</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-4344886403399488000">
      <name>listAccounts</name>
      <url-name>https://demo.testfire.net/bank/showAccount</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="6856104062088173056">
      <name>transferAmount</name>
      <url-name>https://demo.testfire.net/bank/doTransfer</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-6983105739602322944">
      <name>email_addr</name>
      <url-name>https://demo.testfire.net/sendFeedback</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="4395093134614225152">
      <name>startDate</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="-2578790552666065408">
      <name>endDate</name>
      <url-name>https://demo.testfire.net/bank/showTransactions</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="4751107591038376192">
      <name>toAccount</name>
      <url-name>https://demo.testfire.net/bank/doTransfer</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-2094775300248269312">
      <name>passwd</name>
      <url-name>https://demo.testfire.net/bank/ccApply</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-8616786764826749184">
      <name>admin.jsp</name>
      <url-name>https://demo.testfire.net/admin/</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="5415789320716974080">
      <name>step</name>
      <url-name>https://demo.testfire.net/survey_questions.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-228016076698823936">
      <name>transfer</name>
      <url-name>https://demo.testfire.net/bank/doTransfer</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="2495632636453037824">
      <name>job</name>
      <url-name>https://demo.testfire.net/index.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-7168640119326840064">
      <name>lang</name>
      <url-name>https://demo.testfire.net/bank/customize.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="4795255983614942464">
      <name>To modify account information do not connect to SQL source directly.  Make all changes</name>
      <url-name>https://demo.testfire.net/bank/showAccount</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="559640856319848448">
      <name>txtEmail</name>
      <url-name>https://demo.testfire.net/survey_questions.jsp</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-9201148799232170496">
      <name>To get the latest admin login, please contact SiteOps at 415-555-6159</name>
      <url-name>https://demo.testfire.net/login.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="997280275077376256">
      <name>doLogin</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="-1062602607834918144">
      <name>AltoroAccounts</name>
      <url-name>https://demo.testfire.net/</url-name>
      <entity-type>Cookie</entity-type>
    </item>
    <item id="6419376628788214784">
      <name>uid</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="7017457843490478080">
      <name>uid</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="7553320665850814720">
      <name>passw</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Parameter</entity-type>
    </item>
    <item id="-2879177742401463040">
      <name>passw</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="-8192025389945628672">
      <name>doLogin</name>
      <url-name>https://demo.testfire.net/doLogin</url-name>
      <entity-type>Global</entity-type>
    </item>
    <item id="3665851486236943616">
      <name>Be careful what you change.  All changes are made directly to AltoroJ database.</name>
      <url-name>https://demo.testfire.net/admin/admin.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
    <item id="2537967696232628224">
      <name>action="changePassword"</name>
      <url-name>https://demo.testfire.net/admin/admin.jsp</url-name>
      <entity-type>Page</entity-type>
    </item>
  </entity-group>
  <issue-group total="113">
    <item id="4817056231027443712" id-v2="-8937896718345817344">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>200</cwe>
      <issue-type>
        <ref>attUnnecessaryResponseHeaders</ref>
      </issue-type>
      <remediation>
        <ref>fix_MA_attInformationLeakage</ref>
      </remediation>
      <advisory>
        <ref>attUnnecessaryResponseHeaders</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-299437858</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebAppConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="1">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>1</variant-id>
            <issue-tip>Inspect the test response headers, to verify if it exposes sensitive information, which may help attackers in planning further attacks.</issue-tip>
            <issue-tips>
              <issue-tip>Inspect the test response headers, to verify if it exposes sensitive information, which may help attackers in planning further attacks.</issue-tip>
            </issue-tips>
            <variantID>1</variantID>
            <testResponseChunk>...

Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8
Content-Length: 0


HTTP/1.1 200 OK
--begin_highlight_tag--Server--end_highlight_tag--: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:01:47 GMT


...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3527">The response contains unnecessary headers, which may help attackers in planning further attacks.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /login.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8
Content-Length: 0


HTTP/1.1 200 OK
--begin_highlight_tag--Server--end_highlight_tag--: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:16:07 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" 
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="4402203607203598336" id-v2="-7861571020548500736">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>311</cwe>
      <issue-type>
        <ref>attHttpsToHttp</ref>
      </issue-type>
      <remediation>
        <ref>fix_52721</ref>
      </remediation>
      <advisory>
        <ref>attHttpsToHttp</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>1792737604</ref>
      </url>
      <security-risks>
        <ref>sensitiveNotOverSSL</ref>
      </security-risks>
      <cause-id>
        <ref>sensitiveDataNotSSL</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="12">
          <issue-information>
            <template>RendOrigTestResp_Template</template>
            <variant-id>12</variant-id>
            <issue-tip>Compare the test response with the original response, and make sure that they are the same, even though the test response did not use HTTPS.</issue-tip>
            <issue-tips>
              <issue-tip>Compare the test response with the original response, and make sure that they are the same, even though the test response did not use HTTPS.</issue-tip>
            </issue-tips>
            <variantID>12</variantID>
            <originalResponseImageValue>Images/12_2.jpg</originalResponseImageValue>
            <testResponseImageValue>Images/12_1.jpg</testResponseImageValue>
            <originalResponseChunk />
            <testResponseChunk />
          </issue-information>
          <comments />
          <reasoning id="3210">The test response is very similar to the original response. This indicates that the the resource was successfully accessed using HTTP instead of HTTPS.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences>
            <item altered="http" original="https" difference-type="changed" difference-element="scheme" />
            <item altered="80" original="443" difference-type="changed" difference-element="port" />
            <item altered="demo.testfire.net:80" original="demo.testfire.net" name="Host" difference-type="changed" difference-element="header" />
          </differences>
          <iast-info />
          <test-http-traffic>GET / HTTP/1.1
Host: --begin_mark_tag--demo.testfire.net:80--end_mark_tag--
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:18 GMT
Set-Cookie: JSESSIONID=4869F050B8D631EF652E1E073F3CBF2C; Path=/; HttpOnly


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "--begin_mark_tag--http--end_mark_tag--://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="Ca
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="-4922263171817193216" id-v2="7766105197396905216">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>200</cwe>
      <issue-type>
        <ref>ContentTypeOptions</ref>
      </issue-type>
      <remediation>
        <ref>fix_61767</ref>
      </remediation>
      <advisory>
        <ref>ContentTypeOptions</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>1792737604</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebAppConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="13">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>13</variant-id>
            <issue-tip>Open the test response, and verify that the "X-Content-Type-Options" header is indeed missing or has an insecure value</issue-tip>
            <issue-tips>
              <issue-tip>Open the test response, and verify that the "X-Content-Type-Options" header is indeed missing or has an insecure value</issue-tip>
            </issue-tips>
            <variantID>13</variantID>
            <testResponseChunk>...

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US
Content-Length: 0


HTTP/1.1 --begin_highlight_tag--200--end_highlight_tag-- OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:20 GMT
Set-Cookie: JSESSIONID=6E9208129C77FD658F688F6A07E27501; Path=/; Secure; HttpOnly

--begin_highlight_tag----end_highlight_tag--


...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3430">AppScan detected that the "X-Content-Type-Options" response header is missing or has an insecure value, which increases exposure to drive-by download attacks</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET / HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US
Content-Length: 0


HTTP/1.1 --begin_highlight_tag--200--end_highlight_tag-- OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:20 GMT
Set-Cookie: JSESSIONID=6E9208129C77FD658F688F6A07E27501; Path=/; Secure; HttpOnly


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subh
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="3214224542828837120" id-v2="-8732287359059888896">
      <severity>medium</severity>
      <severity-id>2</severity-id>
      <cvss-score>5.3</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>327</cwe>
      <issue-type>
        <ref>OldTLS</ref>
      </issue-type>
      <remediation>
        <ref>fix_61030</ref>
      </remediation>
      <advisory>
        <ref>OldTLS</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-299437858</ref>
      </url>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebServerConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="3">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>3</variant-id>
            <issue-tip>Manually connect to the server, specifying TLS version 1.0 or 1.1, and verify that the connection was successful</issue-tip>
            <issue-tips>
              <issue-tip>Manually connect to the server, specifying TLS version 1.0 or 1.1, and verify that the connection was successful</issue-tip>
            </issue-tips>
            <variantID>3</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 02 Nov 2023 09:00:33 GMT
Content-Length: 8519


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3447">AppScan discovered that the server supports an older TLS version (either TLSv1.0 or TLSv1.1)</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /login.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=3ACA6BE6E0307851EB7E08C4128D7298
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 02 Nov 2023 09:25:21 GMT
Content-Length: 8519


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subheader" href="index.jsp?content=insi
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="8855262540970660864" id-v2="-7823638085273590784">
      <severity>medium</severity>
      <severity-id>2</severity-id>
      <cvss-score>5.3</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>327</cwe>
      <issue-type>
        <ref>SHA1CipherSuites</ref>
      </issue-type>
      <remediation>
        <ref>fix_61754</ref>
      </remediation>
      <advisory>
        <ref>SHA1CipherSuites</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-299437858</ref>
      </url>
      <security-risks>
        <ref>userImpersonation</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebServerConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="6">
          <issue-information>
            <template>CipherSuites_Template</template>
            <variant-id>6</variant-id>
            <issue-tip>Verify that the site uses the cryptographically weak cipher suites listed here.</issue-tip>
            <issue-tips>
              <issue-tip>Verify that the site uses the cryptographically weak cipher suites listed here.</issue-tip>
            </issue-tips>
            <Id>51</Id>
            <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.0</SslVersion>
            <CipherSuite>
              <Id>51</Id>
              <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.0</SslVersion>
            </CipherSuite>
            <Id>57</Id>
            <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.0</SslVersion>
            <CipherSuite>
              <Id>57</Id>
              <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.0</SslVersion>
            </CipherSuite>
            <Id>49171</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.0</SslVersion>
            <CipherSuite>
              <Id>49171</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.0</SslVersion>
            </CipherSuite>
            <Id>49172</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.0</SslVersion>
            <CipherSuite>
              <Id>49172</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.0</SslVersion>
            </CipherSuite>
            <Id>51</Id>
            <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.1</SslVersion>
            <CipherSuite>
              <Id>51</Id>
              <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.1</SslVersion>
            </CipherSuite>
            <Id>57</Id>
            <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.1</SslVersion>
            <CipherSuite>
              <Id>57</Id>
              <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.1</SslVersion>
            </CipherSuite>
            <Id>49171</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.1</SslVersion>
            <CipherSuite>
              <Id>49171</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.1</SslVersion>
            </CipherSuite>
            <Id>49172</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.1</SslVersion>
            <CipherSuite>
              <Id>49172</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.1</SslVersion>
            </CipherSuite>
            <Id>51</Id>
            <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.2</SslVersion>
            <CipherSuite>
              <Id>51</Id>
              <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.2</SslVersion>
            </CipherSuite>
            <Id>57</Id>
            <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.2</SslVersion>
            <CipherSuite>
              <Id>57</Id>
              <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.2</SslVersion>
            </CipherSuite>
            <Id>49171</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
            <SslVersion>TLS 1.2</SslVersion>
            <CipherSuite>
              <Id>49171</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
              <SslVersion>TLS 1.2</SslVersion>
            </CipherSuite>
            <Id>49172</Id>
            <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
            <SslVersion>TLS 1.2</SslVersion>
            <CipherSuite>
              <Id>49172</Id>
              <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
              <SslVersion>TLS 1.2</SslVersion>
            </CipherSuite>
            <CipherSuites>
              <CipherSuite>
                <Id>51</Id>
                <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.0</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>57</Id>
                <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.0</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49171</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.0</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49172</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.0</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>51</Id>
                <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.1</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>57</Id>
                <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.1</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49171</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.1</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49172</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.1</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>51</Id>
                <Name>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.2</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>57</Id>
                <Name>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.2</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49171</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Name>
                <SslVersion>TLS 1.2</SslVersion>
              </CipherSuite>
              <CipherSuite>
                <Id>49172</Id>
                <Name>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Name>
                <SslVersion>TLS 1.2</SslVersion>
              </CipherSuite>
            </CipherSuites>
            <variantID>6</variantID>
          </issue-information>
          <comments />
          <reasoning id="3358">AppScan determined that the site uses weak cipher suites by successfully creating SSL connections using each of the weak cipher suites listed here.</reasoning>
          <additional-data>&lt;CipherSuites&gt;&lt;CipherSuite&gt;&lt;Id&gt;51&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.0&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;57&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.0&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49171&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.0&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49172&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.0&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;51&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.1&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;57&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.1&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49171&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.1&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49172&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.1&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;51&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.2&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;57&lt;/Id&gt;&lt;Name&gt;TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.2&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49171&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.2&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;CipherSuite&gt;&lt;Id&gt;49172&lt;/Id&gt;&lt;Name&gt;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;/Name&gt;&lt;SslVersion&gt;TLS 1.2&lt;/SslVersion&gt;&lt;/CipherSuite&gt;&lt;/CipherSuites&gt;</additional-data>
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /login.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=3ACA6BE6E0307851EB7E08C4128D7298
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 02 Nov 2023 09:25:21 GMT
Content-Length: 8519


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subheader" href="index.jsp?content=insi
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="-4267717693997616128" id-v2="-4057357914707973632">
      <severity>informational</severity>
      <severity-id>0</severity-id>
      <cvss-score>0.0</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>200</cwe>
      <issue-type>
        <ref>attReferrerPolicyHeaderExist</ref>
      </issue-type>
      <remediation>
        <ref>fix_61771</ref>
      </remediation>
      <advisory>
        <ref>attReferrerPolicyHeaderExist</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="HEAD">
        <ref>1792737604</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebAppConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="17">
          <comments />
          <reasoning id="3530">AppScan detected that the Referrer Policy Response header is missing or with an insecure policy, which increases exposure to various cross-site injection attacks</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>This request/response contains binary content, which is not included in generated reports.</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="8310705748913625600" id-v2="8541228502175636480">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>-3539107900041520384</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-299437858</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="19">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>19</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>19</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:50 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /login.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:16:07 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subheader" href="index.jsp?content=in
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="8063836920509851904" id-v2="-3985381215337334784">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>200</cwe>
      <issue-type>
        <ref>HSTS</ref>
      </issue-type>
      <remediation>
        <ref>fix_61750</ref>
      </remediation>
      <advisory>
        <ref>HSTS</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>7089695691196187648</ref>
      </entity>
      <url original_request_method="GET">
        <ref>1792737604</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
        <ref>phishing</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebAppConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="14">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>14</variant-id>
            <issue-tip>Open the test response, and look for the HTTP Strict-Transport-Security header. It is either missing or with insufficient "max-age"</issue-tip>
            <issue-tips>
              <issue-tip>Open the test response, and look for the HTTP Strict-Transport-Security header. It is either missing or with insufficient "max-age"</issue-tip>
            </issue-tips>
            <variantID>14</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:20 GMT
Set-Cookie: JSESSIONID=6E9208129C77FD658F688F6A07E27501; Path=/; Secure; HttpOnly


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3403">AppScan detected that the HTTP Strict-Transport-Security response header is missing or with insufficient "max-age"</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET / HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:20 GMT
Set-Cookie: JSESSIONID=6E9208129C77FD658F688F6A07E27501; Path=/; Secure; HttpOnly


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subheader" href="index.jsp?content=inside.htm"&gt;I
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="-1392238194277092608" id-v2="5590681010321058560">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>522</cwe>
      <issue-type>
        <ref>GD_autocompleteInForm</ref>
      </issue-type>
      <remediation>
        <ref>fix_61640</ref>
      </remediation>
      <advisory>
        <ref>GD_autocompleteInForm</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>-3539107900041520384</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-299437858</ref>
      </url>
      <security-risks>
        <ref>authBypass</ref>
      </security-risks>
      <cause-id>
        <ref>insecureWebAppConfiguration</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="22">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>22</variant-id>
            <issue-tip>Verify that the password field of the form either is missing the autocomplete attribute or that the autocomplete attribute is set to "on".</issue-tip>
            <issue-tips>
              <issue-tip>Verify that the password field of the form either is missing the autocomplete attribute or that the autocomplete attribute is set to "on".</issue-tip>
            </issue-tips>
            <variantID>22</variantID>
            <testResponseChunk>...

        &lt;/td&gt;
        &lt;td&gt;
        &lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;td&gt;
          Password:
        &lt;/td&gt;
        &lt;td&gt;
          --begin_highlight_tag--&lt;input type="password" id="passw" name="passw" style="width: 150px;"&gt;--end_highlight_tag--
          &lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;&lt;/td&gt;
          &lt;td&gt;
            &lt;input type="submit" name="btnSubmit" value="Login"&gt;
          &lt;/td&gt;
        &lt;/tr&gt;
    &lt;/table&gt;

...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3302">AppScan has found that a password field does not enforce the disabling of the autocomplete feature.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /login.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:16:07 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.j
...
...
...

		      &lt;td&gt;
		        Password:
		      &lt;/td&gt;
		      &lt;td&gt;
		        --begin_highlight_tag--&lt;input type="password" id="passw" name="passw" style="width: 150px;"&gt;--end_highlight_tag--
		        &lt;/td&gt;
		    &lt;/tr&gt;
		    &lt;tr&gt;
		        &lt;td&gt;&lt;/td&gt;
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="6027976286845670912" id-v2="-1474745306123455232">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>2309187148794231040</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-536121314</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="15">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>15</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>15</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:21 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /index.jsp HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://demo.testfire.net/logout.jsp
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:21 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subheader" href="index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink13" href="index.jsp?conten
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="7983147879895373824" id-v2="-1735976782401668864">
      <severity>medium</severity>
      <severity-id>2</severity-id>
      <cvss-score>4.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>1275</cwe>
      <issue-type>
        <ref>attSameSiteCookie</ref>
      </issue-type>
      <remediation>
        <ref>fix_61797</ref>
      </remediation>
      <advisory>
        <ref>attSameSiteCookie</ref>
      </advisory>
      <threat-class>
        <ref>catServerMisconfiguration</ref>
      </threat-class>
      <entity>
        <ref>7372740714070585856</ref>
      </entity>
      <url original_request_method="GET">
        <ref>1792737604</ref>
      </url>
      <security-risks>
        <ref>risk_attSameSiteCookie</ref>
      </security-risks>
      <cause-id>
        <ref>cause_attSameSiteCookie</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="9">
          <issue-information>
            <template>RawOrigResp_Template</template>
            <variant-id>9</variant-id>
            <issue-tip>View the Set-Cookie header, and verify that the SameSite attribute is set to either 'Lax' or 'Strict' to ensure that the cookie is restricted to first-party or same-site context.</issue-tip>
            <issue-tips>
              <issue-tip>View the Set-Cookie header, and verify that the SameSite attribute is set to either 'Lax' or 'Strict' to ensure that the cookie is restricted to first-party or same-site context.</issue-tip>
            </issue-tips>
            <variantID>9</variantID>
            <testResponseChunk>...

Accept-Language: en-US
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:19 GMT
--begin_highlight_tag--Set-Cookie: JSESSIONID=992EEE657118C508CE46528D92B33F19; Path=/; Secure; HttpOnly--end_highlight_tag--


...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3528">The response contains Sensitive Cookie with Insecure or Improper or Missing SameSite attribute, which may lead to Cookie information leakage, which may extend to Cross-Site-Request-Forgery(CSRF) attacks if there are no additional protections in place.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET / HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:19 GMT
--begin_highlight_tag--Set-Cookie: JSESSIONID=992EEE657118C508CE46528D92B33F19; Path=/; Secure; HttpOnly--end_highlight_tag--


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/login.jsp" class="focus" &gt;ONLINE BANKING LOGIN&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_retirement.htm"&gt;Retirement&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink12" href="index.jsp?content=business_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink3" class="subh
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="5038612902394148864" id-v2="-4190384546636583680">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>1010167929559218944</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-38179879</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="26">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>26</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>26</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:53 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /feedback.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/index.jsp?content=inside_contact.htm
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:13:54 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink8" href="index.jsp?content=business_lending.htm"&gt;Lending Services&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink9" href="index.jsp?content=business_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink10" href="index.jsp?content=business_insurance.htm"&gt;Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink11" href="index.jsp?content=business_
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="2088265890053804032" id-v2="1639607924908779520">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>-5939543974179105024</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-2065932717</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="143">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>143</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>143</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"9400-1553517609517"
Last-Modified: Mon, 25 Mar 2019 12:40:09 GMT
Content-Type: application/json
Content-Length: 9400
Date: Thu, 02 Nov 2023 09:04:58 GMT

{
	"basePath": "/api",
	"paths": {
		"/login": {
			"get": {
				"tags": [
					"1. Login"
				],
				"summary": "Check if any user is logged in",
				"description": "If a user is loggedin the username will be returned",
				"operationId": "checkLogin",
...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /swagger/properties.json HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
Accept: application/json,*/*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.testfire.net/swagger/index.html
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"9400-1553517609517"
Last-Modified: Mon, 25 Mar 2019 12:40:09 GMT
Content-Type: application/json
Content-Length: 9400
Date: Thu, 02 Nov 2023 09:16:00 GMT

{
	"basePath": "/api",
	"paths": {
		"/login": {
			"get": {
				"tags": [
					"1. Login"
				],
				"summary": "Check if any user is logged in",
				"description": "If a user is loggedin the username will be returned",
				"operationId": "checkLogin",
				"produces": [
					"application/json"
				],
				"parameters": [
					{
						"name": "Authorization",
						"in": "header",
						"required": true,
						"description": "Authorization token (provided upon successful login)",
						"type": "string"
					}
				],
				"responses": {
					"401": {
						"description": "Logged out"
					},
					"200": {
						"description": "Logged in"
					}
				}
			},
			"post": {
				"tags": [
					"1. Login"
				],
				"summary": "Login method",
				"description": "After a successful login a token is returned. This is a Bearer token. To authenticate with it use the Authorization header and set value to Bearer empty space and the token value.",
				"operationId": "login",
				"consumes": [
					"application/json"
				],
				"produces": [
					"application/json"
				],
				"parameters": [
					{
						"in": "body",
						"name": "body",
						"description": "Username and password combination to allow users to log-in",
						"required": true,
						"schema": {
							"$ref": "#/definitions/login"
						}
					}
				],
				"responses": {
					"200": {
						"description": "Success message when login is complete"
					},
					"400": {
						"description": "Bad parameters: Please check provided values"
					},
					"500": {
						"description": "Internal server error: Please see error message or logs for details"
					}
				}
			}
		},
		"/account": {
			"get": {
				"tags": [
					"2. Account"
				],
				"operationId": "getAccount",
				"produces": [
					"application/json"
				],
				"description": "Returns a list of all the accounts owned by the user",
				"parameters": [
					{
						"name": "Authorization",
						"in": "header",
						"required": true,
						"description": "Authorization token (provided upon successful login)",
						"type": "string"
					}
				],
				"responses": {
					"200": {
						"description": "Successful operation"
					},
					"401": {
						"description": "Unauthorized request"
					},
					"500": {
						"description": "Internal server error"
					}
				}
			}
		},
		"/account/{accountNo}": {
			"get": {
				"tags": [
					"2. Account"
				],
				"operationId": "getAccountBalance",
				"produces": [
					"application/json"
				],
				"description": "Returns details about a specific account",
				"parameters": [
					{
						"name": "Authorization",
						"in": "header",
						"required": true,
						"description": "Authorization token (provided upon successful login)",
						"type": "string"
					},
					{
						"name": "accountNo",
						"in": "path",
						"required": true,
						"description": "Account id",
						"type": "string"
					}
				],
				"responses": {
					"200": {
						"description": "Successful operation"
					},
					"401": {
						"description": "Unauthorized request"
					},
					"500": {
						"description": "Internal server error"
					}
				}
			}
		},
		"/account/{accountNo}/transactions": {
			"get": {
				"tags": [
					"2. Account"
				],
				"operationId": "showLastTenTransactions",
				"description": "Returns the last 10 transactions attached to an account",
				"produces": [
					"application/json"
				],
				"parameters": [
					{
						"name": "Authorization",
						"in": "header",
						"required": true,
						"description": "Authorization token (provided upon successful login)",
						"type": "string"
					},
					{
						"name": "accountNo",
						"in": "path",
						"required": true,
						"description": "Account id",
						"type": "string"
					}
				],
				"responses": {
					"200": {
						"description": "Suc
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="-6741875111884696832" id-v2="3619546670498382592">
      <severity>medium</severity>
      <severity-id>2</severity-id>
      <cvss-score>5.3</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>644</cwe>
      <issue-type>
        <ref>attHostHeaderInjection</ref>
      </issue-type>
      <remediation>
        <ref>fix_61481</ref>
      </remediation>
      <advisory>
        <ref>attHostHeaderInjection</ref>
      </advisory>
      <threat-class>
        <ref>catAbuseOfFunctionality</ref>
      </threat-class>
      <entity>
        <ref>-3517474992796452096</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-1996295944</ref>
      </url>
      <security-risks>
        <ref>cachePoisoning</ref>
        <ref>phishing</ref>
      </security-risks>
      <cause-id>
        <ref>redirectionFromWithinSite</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="30">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>30</variant-id>
            <issue-tip>N/A</issue-tip>
            <issue-tips>
              <issue-tip>N/A</issue-tip>
            </issue-tips>
            <variantID>30</variantID>
            <testResponseChunk>...

            &lt;li&gt;&lt;a id="MenuHyperLink5" href="/bank/customize.jsp"&gt;Customize Site Language&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
  
    &lt;/td&gt;
&lt;!-- MEMBER TOC END --&gt;
    &lt;td valign="top" colspan="3" class="bb"&gt;
  
  &lt;div class="fl" style="width: 99%;"&gt;
   &lt;h1&gt;Search News Articles&lt;/h1&gt;
   --begin_highlight_tag--&lt;form id="QueryXpath" method="get" action="https://appscanheaderinjection.com--end_highlight_tag--/bank/queryxpath.jsp"&gt;
     Search our news articles database
     &lt;br /&gt;&lt;br /&gt;
    &lt;input type="hidden" id=content" name="content" value="queryxpath.jsp"/&gt;
    &lt;input type="text" id="query" name="query" width=450 value="Enter title (e.g. Watchfire)"/&gt;
    &lt;input type="submit" width=75 id="Button1" value="Query"&gt;
     &lt;br /&gt;&lt;br /&gt;
   
   
   &lt;/form&gt;

...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3536">The value AppScan injected seems to be included in the response.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences>
            <item altered="appscanheaderinjection.com" original="demo.testfire.net" name="Host" difference-type="changed" difference-element="header" />
          </differences>
          <iast-info />
          <test-http-traffic>GET /bank/queryxpath.jsp HTTP/1.1
Host: --begin_mark_tag--appscanheaderinjection.com--end_mark_tag--
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/bank/transaction.jsp
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5607
Date: Thu, 02 Nov 2023 09:02:54 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	&lt;!-- MEMBER TOC BEGIN --&gt;

 
&lt;table cellspacing="0" width="100%"&gt;


    &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        &lt;b&gt;I WANT TO ...&lt;/b&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="/bank/main.jsp"&gt;View Account Summary&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="/bank/transaction.jsp"&gt;View Recent Transactions&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/transfer.jsp"&gt;Transfer Funds&lt;/a&gt;&lt;/li&gt;
	 		&lt;!-- &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/stocks.jsp"&gt;Trade Stocks&lt;/a&gt;&lt;/li&gt;--&gt;
	 		 
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="/bank/queryxpath.jsp"&gt;Search News Articles&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="/bank/customize.jsp"&gt;Customize Site Language&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
		
    &lt;/td&gt;
&lt;!-- MEMBER TOC END --&gt;
    &lt;td valign="top" colspan="3" class="bb"&gt;
		
		&lt;div class="fl" style="width: 99%;"&gt;
			&lt;h1&gt;Search News Articles&lt;/h1&gt;
			--begin_highlight_tag--&lt;form id="QueryXpath" method="get" action="https://appscanheaderinjection.com--end_highlight_tag--/bank/queryxpath.jsp"&gt;
			  Search our news articles database
			  &lt;br /&gt;&lt;br /&gt;
				&lt;input type="hidden" id=content" name="content" value="queryxpath.jsp"/&gt;
				&lt;input type="text" id="query" name="query" width=450 value="Enter title (e.g. Watchfire)"/&gt;
				&lt;input type="submit" width=75 id="Button1" value="Query"&gt;
			  &lt;br /&gt;&lt;br /&gt;
			
			
			&lt;/form&gt;
		&lt;/div&gt;    
    &lt;/td&gt;	
&lt;/div&gt;

 
&lt;!-- BEGIN FOOTER --&gt;


&lt;/
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="1848862540169527296" id-v2="-4823402215344196096">
      <severity>informational</severity>
      <severity-id>0</severity-id>
      <cvss-score>0.0</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>200</cwe>
      <issue-type>
        <ref>GD_PathDisclosure</ref>
      </issue-type>
      <remediation>
        <ref>fix_60510</ref>
      </remediation>
      <advisory>
        <ref>GD_PathDisclosure</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>1010167929559218944</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-38179879</ref>
      </url>
      <security-risks>
        <ref>pathDisclosure</ref>
      </security-risks>
      <cause-id>
        <ref>missingPatchesForThirdPartyProds</ref>
        <ref>errorMessagesReturned</ref>
        <ref>debugInfoInHtmlSource</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="34">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>34</variant-id>
            <issue-tip>Verify that absolute paths to files on the server appear in the response.</issue-tip>
            <issue-tips>
              <issue-tip>Verify that absolute paths to files on the server appear in the response.</issue-tip>
            </issue-tips>
            <variantID>34</variantID>
            <testResponseChunk>...

  &lt;p&gt;Our Frequently Asked Questions area will help you with many of your inquiries.&lt;br /&gt;
  If you can't find your question, return to this page and use the e-mail form below.&lt;/p&gt;
  
  &lt;p&gt;&lt;b&gt;IMPORTANT!&lt;/b&gt; This feedback facility is not secure.  Please do not send any &lt;br /&gt;
  account information in a message sent from here.&lt;/p&gt;
  
  &lt;form name="cmt" method="post" action="sendFeedback"&gt;
  
  &lt;!--- Dave- Hard code this into the final script - Possible security problem.
    Re-generated every Tuesday and old files are saved to .bak format at--begin_highlight_tag-- L:\--end_highlight_tag--backup\website\oldfiles    ---&gt;
  &lt;input type="hidden" name="cfile" value="comments.txt"&gt;
  
  &lt;table border=0&gt;
    &lt;tr&gt;
      &lt;td align=right&gt;To:&lt;/td&gt;
      &lt;td valign=top&gt;&lt;b&gt;Online Banking&lt;/b&gt; &lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td align=right&gt;Your Name:&lt;/td&gt;

...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3048">The response contains the absolute paths and/or filenames of files on the server.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /feedback.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/index.jsp?content=inside_contact.htm
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:13:54 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	 

&lt;!-- TOC BEGIN --&gt;     
     &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        
        &lt;a id="CatLink1" class="subheader" href="index.jsp?content=personal.htm"&gt;PERSONAL&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="index.jsp?content=personal_deposit.htm"&gt;Deposit Product&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="index.jsp?content=personal_checking.htm"&gt;Checking&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="index.jsp?content=personal_loans.htm"&gt;Loan Products&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="index.jsp?content=personal_cards.htm"&gt;Cards&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="index.jsp?content=personal_investments.htm"&gt;Investments &amp;amp; Insurance&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink6" href="index.jsp?content=personal_other.htm"&gt;Other Services&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;

        &lt;a id="CatLink2" class="subheader" href="index.jsp?content=business.htm"&gt;SMALL BUSINESS&lt;/a&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink7" href="index.jsp?content=business_deposit.htm"&gt;Deposit Products&lt;/a&gt;&lt;/li&gt;

...
...
...

		
		&lt;form name="cmt" method="post" action="sendFeedback"&gt;
		
		&lt;!--- Dave- Hard code this into the final script - Possible security problem.
		  Re-generated every Tuesday and old files are saved to .bak format at--begin_highlight_tag-- L:\--end_highlight_tag--backup\website\oldfiles    ---&gt;
		&lt;input type="hidden" name="cfile" value="comments.txt"&gt;
		
		&lt;table border=0&gt;
		  &lt;tr&gt;
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="4361256704605503744" id-v2="-4381261870390529792">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>-3517474992796452096</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-1996295944</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="37">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>37</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>37</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5598
Date: Thu, 02 Nov 2023 09:02:55 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /bank/queryxpath.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/bank/transaction.jsp
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5598
Date: Thu, 02 Nov 2023 09:02:55 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	&lt;!-- MEMBER TOC BEGIN --&gt;

 
&lt;table cellspacing="0" width="100%"&gt;


    &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        &lt;b&gt;I WANT TO ...&lt;/b&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="/bank/main.jsp"&gt;View Account Summary&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="/bank/transaction.jsp"&gt;View Recent Transactions&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/transfer.jsp"&gt;Transfer Funds&lt;/a&gt;&lt;/li&gt;
	 		&lt;!-- &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/stocks.jsp"&gt;Trade Stocks&lt;/a&gt;&lt;/li&gt;--&gt;
	 		 
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="/bank/queryxpath.jsp"&gt;Search News Articles&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="/bank/customize.jsp"&gt;Customize Site Language&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
		
    &lt;/td&gt;
&lt;!-- MEMBER TOC END --&gt;
    &lt;td valign="top" colspan="3" class="bb"&gt;
		
		&lt;div class="fl" style="width: 99%;"&gt;
			&lt;h1&gt;Search News Articles&lt;/h1&gt;
			&lt;form id="QueryXpath" method="get" action="https://demo.testfire.net/bank/queryxpath.jsp"&gt;
			  Search our news articles database
			  &lt;br /&gt;&lt;br /&gt;
				&lt;input type="hidden" id=content" name="content" value="queryxpath.jsp"/&gt;
				&lt;input type="text" id="query" name="query" width=450 value="Enter title (e.g. Watchfire)"/&gt;
				&lt;input type="submit" width=75 id="Button1" value="Query"&gt;
			  &lt;br /&gt;&lt;br /&gt;
			
			
			&lt;/form&gt;
		&lt;/div&gt;    
    &lt;/td&gt;	
&lt;/div&gt;

 
&lt;!-- BEGIN FOOTER --&gt;


&lt;/tr&gt;
&lt;/table&gt;
&lt;div id="footer" style="width: 99%;"&gt;
    &lt;a id="HyperLink5" href="/index.jsp?co
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="5589970947926074368" id-v2="6313051952010436864">
      <severity>low</severity>
      <severity-id>1</severity-id>
      <cvss-score>3.7</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>525</cwe>
      <issue-type>
        <ref>attCachedSSL</ref>
      </issue-type>
      <remediation>
        <ref>fix_60210</ref>
      </remediation>
      <advisory>
        <ref>attCachedSSL</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>2822766115314697472</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-1261426540</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>SensitiveCache</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="40">
          <issue-information>
            <template>RawTestResp_Template</template>
            <variant-id>40</variant-id>
            <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            <issue-tips>
              <issue-tip>Examine the response, and verify that it doesn't contain both cache control headers or meta tags ("Cache-Control: no-store" and either "Pragma: no-cache" or "Cache-Control: no-cache").</issue-tip>
            </issue-tips>
            <variantID>40</variantID>
            <testResponseChunk>HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:55 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;
...</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3204">The application has responded with a response that indicates the page should be cached, but cache controls aren't set (you can set "Cache-Control: no-store" or "Cache-Control: no-cache" or "Pragma: no-cache" to prevent caching).</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /bank/transaction.jsp HTTP/1.1
Host: demo.testfire.net
Connection: keep-alive
sec-ch-ua: "Not)A;Brand";v="24", "Chromium";v="116"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.testfire.net/bank/main.jsp
Accept-Language: en-US
Cookie: JSESSIONID=6354734A2B825ABCB2DC812C04629BE8; AltoroAccounts=ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:02:55 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	&lt;!-- MEMBER TOC BEGIN --&gt;

 
&lt;table cellspacing="0" width="100%"&gt;


    &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        &lt;b&gt;I WANT TO ...&lt;/b&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="/bank/main.jsp"&gt;View Account Summary&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="/bank/transaction.jsp"&gt;View Recent Transactions&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/transfer.jsp"&gt;Transfer Funds&lt;/a&gt;&lt;/li&gt;
	 		&lt;!-- &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/stocks.jsp"&gt;Trade Stocks&lt;/a&gt;&lt;/li&gt;--&gt;
	 		 
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="/bank/queryxpath.jsp"&gt;Search News Articles&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="/bank/customize.jsp"&gt;Customize Site Language&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
		
    &lt;/td&gt;
&lt;!-- MEMBER TOC END --&gt;
    &lt;td valign="top" colspan="3" class="bb"&gt;
    
		
		&lt;div class="fl" style="width: 99%;"&gt;
		
	 	
		&lt;h1&gt;Recent Transactions&lt;/h1&gt;
		
		&lt;script type="text/javascript"&gt;
			function confirminput(myform) {
			
				if (myform.startDate.value != ""){
					var valid = false;
					var splitStrings = myform.startDate.value.split("-");
					if (splitStrings.length == 3) {
						var year = parseInt(splitStrings[0]);
						var month = parseInt((splitStrings[1].charAt(0)==0 &amp;&amp; splitStrings[1].length == 2)?splitStrings[1].charAt(1):splitStrings[1]);
						var day = parseInt((splitStrings[2].charAt(0)==0 &amp;&amp; splitStrings[2].length == 2)?splitStrings[2].charAt(1):splitStrings[2]);

						var va
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
    <item id="-3019653408243740928" id-v2="696389365463240704">
      <severity>informational</severity>
      <severity-id>0</severity-id>
      <cvss-score>0.0</cvss-score>
      <cvss-vector>
        <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X</vector>
      </cvss-vector>
      <cwe>615</cwe>
      <issue-type>
        <ref>attSensitiveInHtmlComments</ref>
      </issue-type>
      <remediation>
        <ref>fix_50750</ref>
      </remediation>
      <advisory>
        <ref>attSensitiveInHtmlComments</ref>
      </advisory>
      <threat-class>
        <ref>catInformationLeakage</ref>
      </threat-class>
      <entity>
        <ref>2537967696232628224</ref>
      </entity>
      <url original_request_method="GET">
        <ref>-154706909</ref>
      </url>
      <security-risks>
        <ref>sensitiveInformation</ref>
      </security-risks>
      <cause-id>
        <ref>debugInfoInHtmlSource</ref>
      </cause-id>
      <user-image-group />
      <variant-group>
        <item id="2876">
          <issue-information>
            <template>RawOrigResp_Template</template>
            <variant-id>2876</variant-id>
            <issue-tip>Examine the HTML comments for sensitive information.</issue-tip>
            <issue-tips>
              <issue-tip>Examine the HTML comments for sensitive information.</issue-tip>
            </issue-tips>
            <variantID>2876</variantID>
            <testResponseChunk>...

          &lt;option Value="Checking"&gt;Checking&lt;/option&gt;
          &lt;option Value="Savings" Selected&gt;Savings&lt;/option&gt;
          &lt;option Value="IRA"&gt;IRA&lt;/option&gt;
        &lt;/Select&gt;&lt;/td&gt;
      &lt;td&gt;&lt;/td&gt;
      &lt;td&gt;&lt;input type="submit" value="Add Account"&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;/form&gt;
 
   &lt;!-- action="change--begin_highlight_tag--Password--end_highlight_tag--" --&gt;
    &lt;form id="changePass" name="changePass" action="" method="post" onsubmit="return confirmpass(this);"&gt;
    &lt;tr&gt;
      &lt;td colspan="4"&gt;&lt;h2&gt;&lt;br&gt;&lt;br&gt;Change user's password&lt;/h2&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;th&gt;
        Users:
      &lt;/th&gt;
      &lt;th&gt;

...

</testResponseChunk>
          </issue-information>
          <comments />
          <reasoning id="3252">AppScan discovered HTML comments containing what appears to be sensitive information.</reasoning>
          <additional-data />
          <cwe />
          <image-comment />
          <differences />
          <iast-info />
          <test-http-traffic>GET /admin/admin.jsp HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://demo.testfire.net/index.jsp?content=personal_other.htm
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Cookie: JSESSIONID=3D7E6256EC7DF679DA0F61CC8A0F1205; AltoroAccounts="ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjguMjkxMjcyMDg1NTE3OTNFMjB8NDUzOTA4MjAzOTM5NjI4OH5DcmVkaXQgQ2FyZH4tMS45OTk1NDM0MDEyNzg3MTIzMkUxOHw="
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2023 09:25:06 GMT


&lt;!-- BEGIN HEADER --&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

&lt;html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" &gt;


&lt;head&gt;
	&lt;title&gt;Altoro Mutual&lt;/title&gt;
  &lt;meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /&gt;
  &lt;link href="/style.css" rel="stylesheet" type="text/css" /&gt;
&lt;/head&gt;
&lt;body style="margin-top:5px;"&gt;

&lt;div id="header" style="margin-bottom:5px; width: 99%;"&gt;
  &lt;form id="frmSearch" method="get" action="/search.jsp"&gt;
	  &lt;table width="100%" border="0" cellpadding="0" cellspacing="0"&gt;
		  &lt;tr&gt;
		      &lt;td rowspan="2"&gt;&lt;a id="HyperLink1" href="/index.jsp"&gt;&lt;img src="/images/logo.gif" width=283 height=80/&gt;&lt;/a&gt;&lt;/td&gt;
			  &lt;td align="right" valign="top"&gt;
  			  &lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt; | &lt;a id="HyperLink3" href="/index.jsp?content=inside_contact.htm"&gt;Contact Us&lt;/a&gt; | &lt;a id="HyperLink4" href="/feedback.jsp"&gt;Feedback&lt;/a&gt; | &lt;label for="txtSearch"&gt;Search&lt;/label&gt;
          &lt;input type="text" name="query" id="query" accesskey="S" /&gt;
          &lt;input type="submit" value="Go" /&gt;
			  &lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;tr&gt;
			  &lt;td align="right" style="background-image:url('/images/gradient.jpg');padding:0px;margin:0px;"&gt;&lt;img src="/images/header_pic.jpg" alt="" width=354 height=60/&gt;&lt;/td&gt;
		  &lt;/tr&gt;
	  &lt;/table&gt;
	&lt;/form&gt;
&lt;/div&gt;

&lt;table cellspacing="0" width="100%"&gt;
  &lt;tr&gt;
    &lt;td width="25%" class="bt br bb"&gt;&lt;div id="Header1"&gt;&lt;img id="Image1" src="/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/&gt; &amp;nbsp; &lt;a id="AccountLink" href="/bank/main.jsp" class="focus" &gt;MY ACCOUNT&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header2"&gt;&lt;a id="LinkHeader2" class="focus" href="/index.jsp?content=personal.htm" &gt;PERSONAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt br bb"&gt;&lt;div id="Header3"&gt;&lt;a id="LinkHeader3" class="focus" href="/index.jsp?content=business.htm" &gt;SMALL BUSINESS&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
    &lt;td width="25%" class="cc bt bb"&gt;&lt;div id="Header4"&gt;&lt;a id="LinkHeader4" class="focus" href="/index.jsp?content=inside.htm"&gt;INSIDE ALTORO MUTUAL&lt;/a&gt;&lt;/div&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
  
  &lt;!-- END HEADER --&gt;


&lt;div id="wrapper" style="width: 99%;"&gt;
	&lt;!-- MEMBER TOC BEGIN --&gt;

 
&lt;table cellspacing="0" width="100%"&gt;


    &lt;td valign="top" class="cc br bb"&gt;
        &lt;br style="line-height: 10px;"/&gt;
        &lt;b&gt;I WANT TO ...&lt;/b&gt;
        &lt;ul class="sidebar"&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink1" href="/bank/main.jsp"&gt;View Account Summary&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink2" href="/bank/transaction.jsp"&gt;View Recent Transactions&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/transfer.jsp"&gt;Transfer Funds&lt;/a&gt;&lt;/li&gt;
	 		&lt;!-- &lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/stocks.jsp"&gt;Trade Stocks&lt;/a&gt;&lt;/li&gt;--&gt;
	 		 
            &lt;li&gt;&lt;a id="MenuHyperLink4" href="/bank/queryxpath.jsp"&gt;Search News Articles&lt;/a&gt;&lt;/li&gt;
            &lt;li&gt;&lt;a id="MenuHyperLink5" href="/bank/customize.jsp"&gt;Customize Site Language&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
		
    &lt;/td&gt;
&lt;!-- MEMBER TOC END --&gt;
	&lt;td valign="top" colspan="3" class="bb"&gt;
		
		
		&lt;script language="javascript"&gt;
		
		function confirmpass(myform)
		{
		  if (myform.password1.value.length &amp;&amp; (myform.password1.value==myform.password2.value))
		  {
		    return true;
		  }
		  else
		  {
		    myform.password1.value="";
		    myform.password2.value="";
		    myform.password1.focus();
		    alert ("Passwords do not match");
		    return false;
		  }
		
		}
		&lt;/script&gt;
		
		&lt;!-- Be careful what you change.  All changes are made directly to AltoroJ database. --&gt;
		&lt;div class="fl" style="width: 99%;"&gt;
		&lt;p&gt;&lt;span style="color:#FF0066;font-size:12pt;font-weight:bold;"&gt;
		
		&lt;/s
...
...
...

		    &lt;td&gt;&lt;input type="submit" value="Add Account"&gt;&lt;/td&gt;
		  &lt;/tr&gt;
		  &lt;/form&gt;
 
 		&lt;!-- action="change--begin_highlight_tag--Password--end_highlight_tag--" --&gt;
		  &lt;form id="changePass" name="changePass" action="" method="post" onsubmit="return confirmpass(this);"&gt;
		  &lt;tr&gt;
		    &lt;td colspan="4"&gt;&lt;h2&gt;&lt;br&gt;&lt;br&gt;Change user's password&lt;/h2&gt;&lt;/td&gt;
		  &lt;/tr&gt;
...
...
...
</test-http-traffic>
        </item>
      </variant-group>
    </item>
  </issue-group>
  <cause-group>
    <item id="Cause_0">Sanitation of hazardous characters was not performed correctly on user input</item>
    <item id="Cause_1">Sanitization of hazardous characters was not performed correctly on user input.</item>
    <item id="Cause_2">Dynamically generating queries that include unvalidated user input can lead to SQL injection attacks. An attacker can insert SQL commands or modifiers in the user input that can cause the query to behave in an unsafe manner.</item>
    <item id="Cause_3">Without sufficient validation and encapsulation of user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.</item>
    <item id="Cause_4">SQL payloads can enter the system through any untrusted data, including user input, data previously stored in the database, files, 3rd party APIs, and more.</item>
    <item id="Cause_5">An Integer Overflow (or wraparound) occurs when a value that is too large is stored (larger than the maximum value the variable can hold) in an integer data type (including byte, short, long, and other types). The most significant bits of the integer are lost, and the remaining value is relative to the minimum value (either 0 or very negative value for signed types).</item>
    <item id="Cause_6">The web application redirects users to an external site based on untrusted data.</item>
    <item id="Cause_7">In particular, the submitted request was found to include a URL as a parameter. The web application uses this value to redirect the user's browser to the specified URL.</item>
    <item id="Cause_8">An attacker can modify this URL value to an arbitrary address. The attacker would then cause the victim to submit the altered request, thus being redirected to a site of the attacker's choosing.</item>
    <item id="Cause_9">Cross-site scripting (XSS) vulnerabilities arise when an attacker sends malicious code to the victim's browser, mostly using JavaScript. A vulnerable web application might embed untrusted data in the output, without filtering or encoding it. In this way, an attacker can inject a malicious script to the application, and the script will be returned in the response. This will then run on the victim's browser.</item>
    <item id="Cause_10">In particular, sanitization of hazardous characters was not performed correctly on user input or untrusted data.</item>
    <item id="Cause_11">In reflected attacks, an attacker tricks an end user into sending request containing malicious code to a vulnerable Web server, which then reflects the attack back to the end user's browser.</item>
    <item id="Cause_12">The server receives the malicious data directly from the HTTP request and reflects it back in the HTTP response. The most common method of sending malicious content is adding it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs that contain the malicious script constitute the core of many phishing schemes, whereby the convinced victim visits a URL that refers to a vulnerable site. The site then reflects the malicious content back to the victim, and then the content is executed by the victim's browser.</item>
    <item id="Cause_13">Sensitive Cookie with Improper or Insecure or Missing SameSite Attribute</item>
    <item id="Cause_14">This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally.</item>
    <item id="Cause_15">An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application. When this request is sent from an authenticated victim's browser, it will include the victim's session cookie or authentication header. The application will accept this as a valid request from an authenticated user. </item>
    <item id="Cause_16">When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, an attacker may be able to trick a client into making an unintentional request from a different site, which will be treated as an authentic request by the application. This can be done by submitting a form, loading an image, sending an XMLHttpRequest in JavaScript, and more.</item>
    <item id="Cause_17">For example, this IMG tag can be embedded in an attacker's webpage, and the victim's browser will submit a request to retrieve the image. This valid request will be processed by the application, and the browser will not display a broken image. `&lt;img src="https://myapp.com/transfer?acct=VICTIM&amp;amount=10000" width=0 height=0 border=0&gt;`. As a result, money is transferred from the victim's account to the attacker, using the victim’s session.</item>
    <item id="Cause_18">The web server or application server are configured in an insecure way</item>
    <item id="Cause_19">Lack of input validation and sanitization</item>
    <item id="Cause_20">Insecure web application programming or configuration</item>
    <item id="Cause_21">The web application sends non-secure cookies over SSL</item>
    <item id="Cause_22">Sensitive information might have been cached by your browser</item>
    <item id="Cause_23">The application does not use a secure channel, such as TLS/SSL, to exchange sensitive information.</item>
    <item id="Cause_24">An attacker with access to the network traffic can eavesdrop on packets over the connection. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels.</item>
    <item id="Cause_25">The web application sets session cookies without the HttpOnly attribute</item>
    <item id="Cause_26">Query parameters were passed over SSL, and may contain sensitive information</item>
    <item id="Cause_27">Proper bounds checking were not performed on incoming parameter values</item>
    <item id="Cause_28">No validation was done in order to make sure that user input matches the data type expected</item>
    <item id="Cause_29">Many web application programmers use HTML comments to help debug the application when needed. While adding general comments is very useful, some programmers tend to leave important data in client-side comments, such as filenames related to the web application, links which were not meant to be browsed by users, old code fragments including passwords, etc.</item>
    <item id="Cause_30">Comments such as BUG, FIXME, and TODO may be an indication of missing security functionality and checking. Others indicate code problems that you should fix, such as hard-coded variables, error handling, not using stored procedures, and performance issues. Comments in HTML and JavaScript are usually easily viewable by end users.</item>
    <item id="Cause_31">Latest patches or hotfixes for 3rd. party products were not installed</item>
  </cause-group>
  <security-risk-group maxIssuesByRisk="38">
    <item id="databaseManipulations">It is possible to view, modify or delete database entries and tables</item>
    <item id="debugErrorInformation">It is possible to gather sensitive debugging information</item>
    <item id="phishing">It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</item>
    <item id="userImpersonation">It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</item>
    <item id="risk_attSameSiteCookie">Prevent cookie information leakage by restricting cookies to first-party or same-site context, Attacks can extend to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).</item>
    <item id="CSRF_risk">It may be possible to force an end-user to execute unwanted actions on a web application in which they're currently authenticated.</item>
    <item id="privilegeEscalation">It might be possible to escalate user privileges and gain administrative permissions over the web application</item>
    <item id="cachePoisoning">It is possible to deface the site content through web-cache poisoning</item>
    <item id="siteDefacement">It is possible to upload, modify or delete web pages, scripts and files on the web server</item>
    <item id="unsecureCookieInSSL">It may be possible to steal user and session information (cookies) that was sent during an encrypted session</item>
    <item id="authBypass">It may be possible to bypass the web application's authentication mechanism</item>
    <item id="sensitiveInformation">It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</item>
    <item id="sensitiveNotOverSSL">It may be possible to steal sensitive data such as credit card numbers, social security numbers etc. that are sent unencrypted</item>
    <item id="pathDisclosure">It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application</item>
  </security-risk-group>
  <advisory-group>
    <item id="attBlindSqlInjectionStrings">
      <advisory>
        <id>attBlindSqlInjectionStrings</id>
        <name>Blind SQL Injection</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>SQL Injection</name>
          <reference>http://projects.webappsec.org/SQL-Injection</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_0</cause>
        </causes>
        <securityRisks>
          <text>It is possible to view, modify or delete database entries and tables</text>
          <text>The software constructs all or part of an SQL command using externally-influenced input, but fails to neutralize elements that could modify the SQL command when it is sent to the database.</text>
          <text />
          <text>Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.</text>
          <text />
          <text>For example, let's say we have an HTML page with a login form, which eventually runs the following SQL query on the database using the user input:</text>
          <text>  SELECT * FROM accounts WHERE username='$user' AND password='$pass'
</text>
          <text>The two variables, $user and $pass, contain the user credentials entered by the user in the login form.</text>
          <text>If the user has input "jsmith" as the username, and "Demo1234" as the password, the SQL query will look like this:</text>
          <text>  SELECT * FROM accounts WHERE username='jsmith' AND password='Demo1234'
</text>
          <text>But if the user input "'" (a single apostrophe) as the username, and "'" (a single apostrophe) as the password, the SQL query will look like this:</text>
          <text>  SELECT * FROM accounts WHERE username=''' AND password='''
</text>
          <text>This, of course, is a malformed SQL query, and will invoke an error message, which may be returned in the HTTP response.</text>
          <text>An error such as this informs the attacker that an SQL Injection has succeeded, which will lead the attacker to attempt further attack vectors.</text>
          <text />
          <text>Blind SQL Injection is similar of SQL Injection. The difference lies in the fact that to leverage it, the attacker does not need to look for SQL errors in the response. Therefore, the method AppScan uses to identify it is also different.</text>
          <text>Instead of attempting to invoke an SQL error, AppScan locates scripts that are susceptible to SQL injection, by manipulating the logic of the application through multiple requests.</text>
          <text />
          <text>The technique calls for sending requests whose vulnerable parameter (the parameter that gets embedded in the SQL query) is modified so that the response indicates whether the data is used in SQL query context or not. The modification involves the use of an AND Boolean expression with the original string, which evaluates once as True and once as False. In one case, the net result should be identical to the original result (a successful login), and in the other case, the result should be significantly different (a failed login). An OR expression which evaluates as True may also be useful for some rare cases.</text>
          <text />
          <text>If the original data is numeric, a simpler trick can be played. Let's consider original data 123. This can be replaced with 0+123 in one request, and with 456+123 in another. The result of the first request should be identical to the original result, whereas the result of the second request should be different (as the number is evaluated as 579). For some cases, we still need a version of the attack described above (using AND and OR), but without escaping from string context.</text>
          <text />
          <text>The concept behind Blind SQL Injection is that it is possible, even without receiving direct data from the database (in the form of an error message, or leaked information), to extract data from the database, one bit at a time, or to modify the query in a malicious way. The idea is that the application's behavior (returning responses that are identical or different to the original response) can provide a single bit of information about the evaluated (modified) query, meaning, it's possible for the attacker to formulate an SQL Boolean expression whose evaluation (single bit) is compromised in the form of the application behavior (identical/un-identical to the original behavior).</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/89.html" id="CWE-89">89</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.cgisecurity.com/lib/webappdis.doc">"Web Application Disassembly with ODBC Error Messages" (By David Litchfield)</link>
          <link target="http://shh.thathost.com/text/binary-search-sql-injection.txt">"Using Binary Search with SQL Injection" (By Sverre H. Huseby)</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attBlindSqlInjectionStrings</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attSqlInjectionChecks">
      <advisory>
        <id>Injection.SQL</id>
        <name>SQL Injection</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>SQL Injection</name>
          <reference>http://projects.webappsec.org/SQL-Injection</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_1</cause>
          <cause>Cause_2</cause>
          <cause>Cause_3</cause>
          <cause>Cause_4</cause>
        </causes>
        <securityRisks>
          <text>Potential consequences include the loss of:</text>
          <text>Confidentiality - Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.</text>
          <text>Authentication - If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.</text>
          <text>Authorization - If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.</text>
          <text>Integrity - Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/89.html" id="CWE-89">89</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">OWASP - SQL Injection Prevention Cheat Sheet</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attSqlInjectionChecks</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attIntegerOverflow">
      <advisory>
        <id>IntegerOverflow</id>
        <name>Integer Overflow</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Integer Overflows</name>
          <reference>http://projects.webappsec.org/Integer-Overflows</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_5</cause>
        </causes>
        <securityRisks>
          <text>When an integer overflow occurs, the interpreted value will appear to have 'wrapped around' past the maximum value and reset back to the minimum value.</text>
          <text>The value can unexpectedly become zero or negative. This can have security implications if the value is used to control looping, manage resources (such as memory allocation), or make business logic decisions.</text>
          <text>For example, an integer overflow can give money to the customer in addition to their purchases, when the transaction is completed.</text>
          <text>In particular, if a mathematical operation results in a number larger than the maximum possible for the integer type, the value wraps around and the variable is set to zero, or negative.</text>
          <text>i=UINT_MAX+1; // Maximum value for a variable of type unsigned int - 4294967295 (0xffffffff). The result is: i=0</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/190.html" id="CWE-190">190</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://docs.microsoft.com/en-us/cpp/safeint/safeint-library?view=msvc-160">SafeInt Library</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attIntegerOverflow</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attRedirectInURL">
      <advisory>
        <id>UnvalidatedRedirect</id>
        <name>Phishing Through URL Redirection</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>URL Redirector Abuse</name>
          <reference>http://projects.webappsec.org/URL-Redirector-Abuse</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample>
          <text>The following example shows a URL redirection to untrusted site.</text>
          <text>The redir parameter is used to redirect the user to a different page automatically.</text>
          <code>[REQUEST]
GET /MyPage.php?redir=/AnotherPage.php HTTP/1.1
</code>
          <br />
          <code>[RESPONSE]
</code>
          <br />
          <text>An attacker might trick the GET parameter used to redirect the user to an external site</text>
          <code>[REQUEST]
GET /MyPage.php?redir=https://www.malware.com HTTP/1.1
</code>
          <br />
          <code>[RESPONSE]
</code>
          <br />
        </exploitExample>
        <causes>
          <cause>Cause_6</cause>
          <cause>Cause_7</cause>
          <cause>Cause_8</cause>
        </causes>
        <securityRisks>
          <text>This vulnerability can allow an attacker to take advantage of the trust the user holds for the application, causing them to trust an arbitrary site under control of the attacker as well. This would often be leveraged through the use of phishing techniques.</text>
          <text>Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.</text>
          <text>An attacker may successfully launch a phishing scam and steal user credentials or other sensitive information such as credit card number, social security number, and more.</text>
          <text>It can also be possible to redirect the user to install malware that could infect the user's computer.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/601.html" id="CWE-601">601</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">Unvalidated Redirects and Forwards Cheat Sheet</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attRedirectInURL</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attCrossSiteScripting">
      <advisory>
        <id>CrossSiteScripting.Reflected</id>
        <name>Reflected Cross Site Scripting</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Cross-site Scripting</name>
          <reference>http://projects.webappsec.org/Cross-Site+Scripting</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample>
          <text>The following example shows a script that returns a parameter value in the response.</text>
          <text>The parameter value is sent to the script using a GET request, and then returned in the response embedded in the HTML.</text>
          <code>[REQUEST]
GET /index.aspx?name=JSmith HTTP/1.1
</code>
          <br />
          <code>[RESPONSE]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 27

&lt;HTML&gt;
Hello JSmith
&lt;/HTML&gt;
</code>
          <br />
          <text>An attacker might leverage the attack like this. In this case, the JavaScript code will be executed by the browser.</text>
          <code>[REQUEST]
GET /index.aspx?name=&gt;"'&gt;&lt;script&gt;alert('XSS')&lt;/script&gt; HTTP/1.1
</code>
          <br />
          <code>[RESPONSE]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 83

&lt;HTML&gt;
Hello &gt;"'&gt;&lt;script&gt;alert('XSS')&lt;/script&gt;
&lt;/HTML&gt;
</code>
          <br />
        </exploitExample>
        <causes>
          <cause>Cause_9</cause>
          <cause>Cause_10</cause>
          <cause>Cause_11</cause>
          <cause>Cause_12</cause>
        </causes>
        <securityRisks>
          <text>XSS attacks can expose the user's session cookie, allowing the attacker to hijack the user's session and gain access to the user's account, which could lead to impersonation of users.</text>
          <text>An attacker could modify and view the users' records and perform transactions as those users. The attacker may be able to perform privileged operations on behalf of the user, or gain access to any sensitive data belonging to the user. This would be especially dangerous if the user has administrator permissions.</text>
          <text>The attacker could even run a malicious script on the victim's browser which would redirect the user to other pages or sites, modify content presentation, or even make it possible to run malicious software or a crypto miner.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/79.html" id="CWE-79">79</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://owasp.org/www-community/attacks/xss/">Cross-site Scripting (XSS)</link>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">OWASP XSS Cheat Sheet</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attCrossSiteScripting</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attSameSiteCookie">
      <advisory>
        <id>attSameSiteCookie</id>
        <name>Cookie with Insecure or Improper or Missing SameSite attribute</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Server Misconfiguration</name>
          <reference>http://projects.webappsec.org/Server-Misconfiguration</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_13</cause>
        </causes>
        <securityRisks>
          <text>Prevent Cookie information leakage by restricting cookies to first-party or same-site context</text>
          <text>Attacks can extend to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).</text>
          <text>The SameSite attribute controls how cookies are sent for cross-domain requests.</text>
          <text />
          <text>The attribute may have three values: 'Lax', 'Strict', or 'None'. If 'None' is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request.</text>
          <text />
          <text>This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).</text>
          <text />
          <text>Modes and their uses:</text>
          <text>'Lax' mode: the cookie will only be sent with a top-level get request.</text>
          <text>'Strict' mode; the cookie will not be sent with any cross-site usage even if the user follows a link to another website.</text>
          <text>'None' mode: the cookie will be sent with the cross-site requests.</text>
          <text />
          <text>The attribute having: 'Lax' or 'None' must have 'Secure' Flag set and must be transferred over https.</text>
          <text>Example - Set-Cookie: key=value; SameSite=Lax;Secure</text>
          <text />
          <text>Setting attribute to 'Strict' is the recommended option.</text>
          <text>Example - Set-Cookie: key=value; SameSite=Strict</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/1275.html" id="CWE-1275">1275</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.webappsec.org/projects/threat/classes/information_leakage.shtml">WASC Threat Classification: Information Leakage</link>
          <link target="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">SameSite Cookies</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attSameSiteCookie</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attCrossSiteRequestForgery">
      <advisory>
        <id>CrossSiteRequestForgery</id>
        <name>Cross-Site Request Forgery</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Cross-site Request Forgery</name>
          <reference>http://projects.webappsec.org/Cross-Site-Request-Forgery</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_14</cause>
          <cause>Cause_15</cause>
          <cause>Cause_16</cause>
          <cause>Cause_17</cause>
        </causes>
        <securityRisks>
          <text>An attacker can exploit this vulnerability to perform sensitive actions in another user's account, or using their privileges.</text>
          <text>It may be possible to force an end-user to execute unwanted actions on a web application in which they're currently authenticated. This would allow the attacker to alter user records and to perform transactions as that user. </text>
          <text>If the user is currently logged-in to the victim site, the request will automatically use the user's credentials such as session cookies, IP address, and other browser authentication methods. Using this method, the attacker forges the victim's identity and submits actions on their behalf.</text>
          <text>The severity of this vulnerability depends on the affected functionality in context of the application. For example, a CSRF attack on a search page is less severe than a CSRF attack on a money-transfer or profile-update page.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/352.html" id="CWE-352">352</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html">OWASP CSRF Cheat Sheet</link>
          <link target="https://owasp.org/www-project-csrfguard/">OWASP CSRFGuard</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attCrossSiteRequestForgery</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GV_SQLErr">
      <advisory>
        <id>GVSQLErr</id>
        <name>Database Error Pattern Found</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>SQL Injection</name>
          <reference>http://projects.webappsec.org/SQL-Injection</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_0</cause>
        </causes>
        <securityRisks>
          <text>It is possible to view, modify or delete database entries and tables</text>
          <text>AppScan discovered Database Errors in the test response, that may have been triggered by an attack other than SQL Injection.</text>
          <text>It is possible, though not certain, that this error indicates a possible SQL Injection vulnerability in the application.</text>
          <text>If it does, please read the following SQL Injection advisory carefully.</text>
          <text />
          <text>The software constructs all or part of an SQL command using externally-influenced input, but it incorrectly neutralizes special elements that could modify the intended SQL command when sent to the database.</text>
          <text />
          <text>Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, and possibly including execution of system commands.</text>
          <text />
          <text>For example, let's say we have an HTML page with a login form, which eventually runs the following SQL query on the database using the user input:</text>
          <text>  SELECT * FROM accounts WHERE username='$user' AND password='$pass'
</text>
          <text>The two variables, $user and $pass, contain the user credentials entered by the user in the login form.</text>
          <text>Therefore, if the user has input "jsmith" as the username, and "Demo1234" as the password, the SQL query will look like this:</text>
          <text>  SELECT * FROM accounts WHERE username='jsmith' AND password='Demo1234'
</text>
          <text>But if the user input "'" (a single apostrophe) as the username, and "'" (a single apostrophe) as the password, the SQL query will look like this:</text>
          <text>  SELECT * FROM accounts WHERE username=''' AND password='''
</text>
          <text>This, of course, is a malformed SQL query, and will invoke an error message, which may be returned in the HTTP response.</text>
          <text>An error such as this informs the attacker that an SQL Injection has succeeded, which will lead the attacker to attempt further attack vectors.</text>
          <text />
          <text>Sample Exploit:</text>
          <text>The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.</text>
          <text>  ...
  string userName = ctx.getAuthenticatedUserName();
  string query = "SELECT * FROM items WHERE owner = "'" 
  				+ userName + "' AND itemname = '"  
  				+ ItemName.Text + "'";
  sda = new SqlDataAdapter(query, conn);
  DataTable dt = new DataTable();
  sda.Fill(dt);
  ...
</text>
          <text>The query that this code intends to execute follows:</text>
          <text>  SELECT * FROM items WHERE owner =  AND itemname = ;
</text>
          <text>However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:</text>
          <text>  SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a';
</text>
          <text>The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:</text>
          <text>  SELECT * FROM items;
</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/209.html" id="CWE-209">209</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.cgisecurity.com/lib/webappdis.doc">"Web Application Disassembly with ODBC Error Messages" (By David Litchfield)</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">GV_SQLErr</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="DirectAccesstoAdministrationPages">
      <advisory>
        <id>DirectAccesstoAdministrationPages</id>
        <name>Direct Access to Administration Pages</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Predictable Resource Location</name>
          <reference>http://projects.webappsec.org/Predictable-Resource-Location</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_18</cause>
        </causes>
        <securityRisks>
          <text>It might be possible to escalate user privileges and gain administrative permissions over the web application</text>
          <text>A common user can access certain pages on a site through simple surfing (i.e. following web links). However, there might be pages and scripts that are not accessible through simple surfing, (i.e. pages and scripts that are not linked).</text>
          <text>An attacker may be able to access these pages by guessing their name, e.g. admin.php, admin.asp, admin.cgi, admin.html, etc.</text>
          <text />
          <text>Example request for a script named "admin.php": </text>
          <text>http://[SERVER]/admin.php</text>
          <text />
          <text>Access to administration scripts should not be allowed without proper authorization, as it may allow an attacker to gain privileged rights.</text>
          <text />
          <text>Sample Exploit:</text>
          <text>http://[SERVER]/admin.php</text>
          <text>http://[SERVER]/admin.asp</text>
          <text>http://[SERVER]/admin.aspx</text>
          <text>http://[SERVER]/admin.html</text>
          <text>http://[SERVER]/admin.cfm</text>
          <text>http://[SERVER]/admin.cgi</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/306.html" id="CWE-306">306</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">DirectAccesstoAdministrationPages</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attHostHeaderInjection">
      <advisory>
        <id>attHostHeaderInjection</id>
        <name>Host Header Injection</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Abuse of Functionality</name>
          <reference>http://projects.webappsec.org/Abuse-of-Functionality</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_19</cause>
        </causes>
        <securityRisks>
          <text>
  - Dispatch requests to the first virtual host on the list
  - Cause a redirect to an attacker-controlled domain
  - Perform web cache poisoning
  - Manipulate password reset functionality
</text>
          <text>A web server commonly hosts several web applications on the same IP address, referring to each application via the virtual host. </text>
          <text>In an incoming HTTP request, web servers often dispatch the request to the target virtual host based on the value supplied in the Host or X-Forwarded-Host header.</text>
          <text />
          <text>Sample Exploit:</text>
          <text>GET /login.html HTTP/1.1</text>
          <text>Host: evilhost.com</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/644.html" id="CWE-644">644</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection">OWASP - WSTG Latest</link>
          <link target="https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html">Practical Host header attacks</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attHostHeaderInjection</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attAccountLockout">
      <advisory>
        <id>attAccountLockout</id>
        <name>Inadequate Account Lockout</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Brute Force</name>
          <reference>http://projects.webappsec.org/Brute-Force</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It might be possible to escalate user privileges and gain administrative permissions over the web application</text>
          <text>AppScan Detected that the application does not limit the number of false login attempts.</text>
          <text>It did so by sending 10 requests with a bad password, and then successfully logged in using the correct credentials.</text>
          <text>Not limiting the number of false login attempts exposes the application to a brute force attack.</text>
          <text>A brute force attack is an attempt by a malicious user to gain access to the application by sending a large number of possible passwords and/or usernames.</text>
          <text>Since this technique involves a large amount of login attempts, an application that does not limit the number of false login requests allowed is vulnerable to these attacks.</text>
          <text>It is therefore highly recommended to restrict the number of false login attempts allowed on an account before it is locked.</text>
          <text />
          <text>Sample Exploit:</text>
          <text>The following request illustrates a password-guessing request:</text>
          <text />
          <text>http://site/login.asp?username=EXISTING_USERNAME&amp;password=GUESSED_PASSWORD</text>
          <text />
          <text>If the site does not lock the tested account after several false attempts, the attacker may eventually discover the account password and use it to impersonate the account's legitimate user.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue affects several applications</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/307.html" id="CWE-307">307</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.codeguru.com/csharp/csharp/cs_webservices/security/article.php/c7907/">"Blocking Brute-Force Attacks" by Mark Burnett</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attAccountLockout</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attLinkInjection">
      <advisory>
        <id>attLinkInjection</id>
        <name>Link Injection (facilitates Cross-Site Request Forgery)</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Content Spoofing</name>
          <reference>http://projects.webappsec.org/Content-Spoofing</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_0</cause>
        </causes>
        <securityRisks>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</text>
          <text>It is possible to upload, modify or delete web pages, scripts and files on the web server</text>
          <text>The software constructs all or part of a command, data structure, or record using externally-influenced input, but fails to neutralize elements that could modify how it is parsed or interpreted.</text>
          <text />
          <text>Link Injection is the modifying of the content of a site by embedding in it a URL to an external site, or to a script in the vulnerable site. After embedding the URL in the vulnerable site, an attacker is able to use it as a platform to launch attacks against other sites, as well as against the vulnerable site itself.</text>
          <text />
          <text>Some of these possible attacks require the user to be logged in to the site during the attack. By launching these attacks from the vulnerable site itself, the attacker increases the chances of success, because the user is more likely to be logged in.</text>
          <text />
          <text>The Link Injection vulnerability is a result of insufficient user input sanitization, the input being later returned to the user in the site response. The resulting ability to inject hazardous characters into the response makes it possible for attackers to embed URLs, among other possible content modifications.</text>
          <text />
          <text>Below is an example for a Link Injection (We will assume that site "www.vulnerable.com" has a parameter called "name", which is used to greet users).</text>
          <text />
          <text>The following request:</text>
          <text>HTTP://www.vulnerable.com/greet.asp?name=John Smith</text>
          <text />
          <text>Will yield the following response:</text>
          <text>  &lt;HTML&gt;
  &lt;BODY&gt;
          Hello, John Smith.
  &lt;/BODY&gt;
  &lt;/HTML&gt;
</text>
          <text>However, a malicious user may send the following request:</text>
          <text>HTTP://www.vulnerable.com/greet.asp?name=&lt;IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp"&gt;</text>
          <text />
          <text>This will return the following response:</text>
          <text>  &lt;HTML&gt;
  &lt;BODY&gt;
          Hello, &lt;IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp"&gt;.
  &lt;/BODY&gt;
  &lt;/HTML&gt;
</text>
          <text>As this example shows, it is possible to cause a user's browser to issue automatic requests to virtually any site the attacker desires. As a result, Link Injection vulnerability can be used to launch several types of attack:</text>
          <text>[-] Cross-Site Request Forgery</text>
          <text>[-] Cross-Site Scripting</text>
          <text>[-] Phishing</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/74.html" id="CWE-74">74</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://owasp.org/www-community/attacks/csrf">OWASP Article</link>
          <link target="http://www.cgisecurity.com/csrf-faq.html">The Cross-Site Request Forgery FAQ</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attLinkInjection</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attRespCookieNotSecureSSL">
      <advisory>
        <id>attRespCookieNotSecureSSL</id>
        <name>Missing Secure Attribute in Encrypted Session (SSL) Cookie</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_21</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal user and session information (cookies) that was sent during an encrypted session</text>
          <text>During the application test, it was detected that the tested web application set a cookie without the "secure" attribute, during an encrypted session. Since this cookie does not contain the "secure" attribute, it might also be sent to the site during an unencrypted session. Any information such as cookies, session tokens or user credentials that are sent to the server as clear text, may be stolen and used later for identity theft or user impersonation.</text>
          <text />
          <text>In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/614.html" id="CWE-614">614</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act/">Financial Privacy: The Gramm-Leach Bliley Act</link>
          <link target="http://www.hhs.gov/ocr/hipaa/">Health Insurance Portability and Accountability Act (HIPAA)</link>
          <link target="http://www.sec.gov/spotlight/sarbanes-oxley.htm">Sarbanes-Oxley Act</link>
          <link target="http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html">California SB1386</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attRespCookieNotSecureSSL</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="OldTLS">
      <advisory>
        <id>OldTLS</id>
        <name>Older TLS Version is Supported</name>
        <testDescription>Infrastructure</testDescription>
        <threatClassification>
          <name>Server Misconfiguration</name>
          <reference>http://projects.webappsec.org/Server-Misconfiguration</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_18</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</text>
          <text>The server supports TLS cipher suites that either do not offer encryption or use weak encryption algorithms. An attacker may therefore be able to </text>
          <text>decrypt the secure communication between the client and the server, or successfully execute a "man-in-the-middle" attack on the client, enabling them to view sensitive information and perform actions on behalf of the client.</text>
          <text>Current most secure TLS version is 1.3</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/327.html" id="CWE-327">327</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1/">Deprecating TLS 1.0 and 1.1</link>
          <link target="https://kinsta.com/blog/tls-1-3/">Overview of TLS 1.3</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">OldTLS</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="phishingInFrames">
      <advisory>
        <id>phishingInFrames</id>
        <name>Phishing Through Frames</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Content Spoofing</name>
          <reference>http://projects.webappsec.org/Content-Spoofing</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_0</cause>
        </causes>
        <securityRisks>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.</text>
          <text />
          <text>It is possible for an attacker to inject a frame or an iframe tag with malicious content. An incautious user may browse it and not realize that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to login again, thus acquiring his login credentials.</text>
          <text>The fact that the fake site is embedded in the original site helps the attacker by giving his phishing attempts a more reliable appearance.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/79.html" id="CWE-79">79</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm">FTC Consumer Alert - "How Not to Get Hooked by a 'Phishing' Scam"</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">phishingInFrames</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="SHA1CipherSuites">
      <advisory>
        <id>SHA1CipherSuites</id>
        <name>SHA-1 cipher suites were detected</name>
        <testDescription>Infrastructure</testDescription>
        <threatClassification>
          <name>Server Misconfiguration</name>
          <reference>http://projects.webappsec.org/Server-Misconfiguration</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_18</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</text>
          <text>The server supports SHA-1 ciphersuites.</text>
          <text />
          <text>SHA-1 was officially deprecated by NIST in 2011, but many applications still rely on it.</text>
          <text>Up until now (2021), only theoretical attacks have been known agsinst SHA-1, which is why many applications still rely on it.</text>
          <text>Recently, a practical attack was introduced by CWI Amsterdam and Google Research teams ( [1] and [2] ).</text>
          <text />
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/327.html" id="CWE-327">327</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://shattered.io/">[1] SHATTERED</link>
          <link target="http://shattered.io/static/shattered.pdf">[2] The first collision for full SHA-1</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">SHA1CipherSuites</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="constTransient">
      <advisory>
        <id>constTransient</id>
        <name>Session Identifier Not Updated</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Session Fixation</name>
          <reference>http://projects.webappsec.org/Session-Fixation</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</text>
          <text>Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, gives an attacker the opportunity to steal authenticated sessions.</text>
          <text />
          <text>Such a scenario is commonly observed when:</text>
          <text>[1] A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user</text>
          <text>[2] An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session</text>
          <text>[3] The application or container uses predictable session identifiers.</text>
          <text />
          <text>In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.</text>
          <text />
          <text>AppScan has found that the session identifiers before and after the login process were not updated, which means that user impersonation may be possible. Preliminary knowledge of the session identifier value may enable a remote attacker to pose as a logged-in legitimate user.</text>
          <text>The flow of attack:</text>
          <text>a) An attacker uses the victim's browser to open the login form of the vulnerable site.</text>
          <text>b) Once the form is open, the attacker writes down the session identifier value, and waits.</text>
          <text>c) When the victim logs into the vulnerable site, his session identifier is not updated.</text>
          <text>d) The attacker can then use the session identifier value to impersonate the victim user, and operate on his behalf.</text>
          <text />
          <text>The session identifier value can be obtained by utilizing a Cross-Site Scripting vulnerability, causing the victim's browser to use a predefined session identifier when contacting the vulnerable site, or by launching a Session Fixation attack that will cause the site to present a predefined session identifier to the victim's browser.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/304.html" id="CWE-304">304</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://www.acrossecurity.com/papers/session_fixation.pdf">"Session Fixation Vulnerability in Web-based Applications", By Mitja Kolsek - Acros Security</link>
          <link target="http://il2.php.net/session#session.security">PHP Manual, Session Handling Functions, Sessions and security</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">constTransient</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GD_autocompleteInForm">
      <advisory>
        <id>GDautocompleteInForm</id>
        <name>Autocomplete HTML Attribute Not Disabled for Password Field</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to bypass the web application's authentication mechanism</text>
          <text>The "autocomplete" attribute has been standardized in the HTML5 standard. W3C's site states that the attribute has two states, "on" and "off", and that omitting it altogether is equivalent to setting it to "on".</text>
          <text />
          <text>This page is vulnerable since it does not set the "autocomplete" attribute to "off" for the "password" field in the "input" element.</text>
          <text>This may enable an unauthorized user (with local access to an authorized client) to autofill the username and password fields, and thus log in to the site.</text>
        </securityRisks>
        <affectedProducts>
          <text>N/A</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/522.html" id="CWE-522">522</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">GD_autocompleteInForm</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="bodyParamsInQuery">
      <advisory>
        <id>bodyParamsInQuery</id>
        <name>Body Parameters Accepted in Query</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>GET requests are designed to query the server, while POST requests are for submitting data.</text>
          <text>However, aside from the technical purpose, attacking query parameters is easier than body parameters, because sending a link to the original site, or posting it in a blog or comment, is easier and has better results than the alternative - in order to attack a request with body parameters, an attacker would need to create a page containing a form that will be submitted when visited by the victim.</text>
          <text>It is a lot harder to convince the victim to visit a page that he doesn't know, than letting him visit the original site. It it therefore not recommended to support body parameters that arrive in the query string.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://tools.ietf.org/html/rfc7231#section-4.3.1">GET</link>
          <link target="http://tools.ietf.org/html/rfc7231#section-4.3.3">POST</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">bodyParamsInQuery</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attCachedSSL">
      <advisory>
        <id>attCachedSSL</id>
        <name>Cacheable SSL Page Found</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_22</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>Most web browsers are configured by default to cache the user's pages during use. This means that SSL pages are cached as well. </text>
          <text />
          <text>It is not recommended to enable the web browser to save any SSL information, since this information might be compromised when a vulnerability exists.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/525.html" id="CWE-525">525</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">attCachedSSL</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GD_CreditCardVisa">
      <advisory>
        <id>GDCreditCardVisa</id>
        <name>Credit Card Number Pattern Found (Visa)</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>AppScan detected a response containing a complete Visa credit card number.</text>
          <text>For reasons of security and privacy, credit card numbers should not appear in web pages.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">GD_CreditCardVisa</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attHttpsToHttp">
      <advisory>
        <id>Communications.Unencrypted</id>
        <name>Encryption Not Enforced</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_23</cause>
          <cause>Cause_24</cause>
        </causes>
        <securityRisks>
          <text>Any information sent to the server as clear text may be stolen over the network and used later for identity theft or user impersonation.</text>
          <text>It may be possible to intercept sensitive data such as user login information (usernames and passwords), credit card numbers, social security numbers etc. that are sent unencrypted.</text>
          <text>It may be possible to perform man in the middle (MitM) attacks, which would give an attacker full control of the communication, including changing content, stealing data, or impersonating the user to the server.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/319.html" id="CWE-319">319</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html">OWASP - TLS Cipher String Cheat Sheet</link>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html">OWASP - Transport Layer Protection Cheat Sheet</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attHttpsToHttp</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attContentSecurityPolicy">
      <advisory>
        <id>attContentSecurityPolicy</id>
        <name>Missing "Content-Security-Policy" header</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>The absence or improper values of CSP can cause the web application being vulnerable to XSS, clickjacking, etc.</text>
          <text>The "Content-Security-Policy" header is designed to modify the way browsers render pages, and thus to protect from various cross-site injections, including Cross-Site Scripting. It is important to set the header value correctly, in a way that will not prevent proper operation of the web site. For example, if the header is set to prevent execution of inline JavaScript, the web site must not use inline JavaScript in its pages.</text>
          <text>To protect against Cross-Site Scripting, Cross-Frame Scripting and clickjacking, it is important to set the following policies with proper values:</text>
          <text>Both of 'default-src' and 'frame-ancestors' policies, *OR* all of 'script-src', 'object-src' and 'frame-ancestors’ policies.</text>
          <text>For 'default-src', 'script-src' and 'object-src', insecure values such as '*', 'data:', 'unsafe-inline' or 'unsafe-eval' should be avoided.</text>
          <text>For 'frame-ancestors', insecure values such  as '*' or 'data:' should be avoided.</text>
          <text>Additionally for 'script-src', and 'default-src' (fallback directive for 'script-src') 'self' is considered insecure and should be avoided.</text>
          <text>Please refer the following links for more information.</text>
          <text>Please note that “Content-Security-Policy” includes four different tests. A general test that verifies if the "Content-Security-Policy" header is being used and three additional tests that check if "Frame-Ancestors", "Object-Src" and "Script-Src" were configured correctly.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/1032.html" id="CWE-1032">1032</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://owasp.org/www-project-secure-headers/">List of some secure Headers</link>
          <link target="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">An Introduction to Content Security Policy</link>
          <link target="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy">MDN web docs - Content-Security-Policy</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attContentSecurityPolicy</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attRespCookieNotHttpOnlySessionCookie">
      <advisory>
        <id>attRespCookieNotHttpOnlySessionCookie</id>
        <name>Missing HttpOnly Attribute in Session Cookie</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_25</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</text>
          <text>During the application test, it was detected that the tested web application set a session cookie without the "HttpOnly" attribute. Since this session cookie does not contain the "HttpOnly" attribute, it might be accessed by a malicous script injected to the site, and its value can be stolen. Any information stored in session tokens may be stolen and used later for identity theft or user impersonation.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/653.html" id="CWE-653">653</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">attRespCookieNotHttpOnlySessionCookie</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="ContentTypeOptions">
      <advisory>
        <id>ContentTypeOptions</id>
        <name>Missing or insecure "X-Content-Type-Options" header</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>The "X-Content-Type-Options" header (with "nosniff" value) prevents IE and Chrome from ignoring the content-type of a response.</text>
          <text>This action may prevent untrusted content (e.g. user uploaded content) from being executed on the user browser (after a malicious naming, for example).</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://www.owasp.org/index.php/List_of_useful_HTTP_headers">List of useful HTTP headers</link>
          <link target="https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx">Reducing MIME type security risks</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">ContentTypeOptions</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="XFS">
      <advisory>
        <id>XFS</id>
        <name>Missing or insecure Cross-Frame Scripting Defence</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>Cross-Frame Scripting is an attack technique where an attacker loads a vulnerable application in an iFrame on his malicious site.</text>
          <text>The attacker can then launch a Clickjacking attack, which may lead to Phishing, Cross-Site Request Forgery, sensitive information leakage, and more.</text>
          <text>For best protection, it is advised to set the header value to DENY or SAMEORIGIN.</text>
          <text />
          <text>Sample Exploit:</text>
          <text>Within a malicious site, it is possible to embed the vulnerable page:</text>
          <text>&lt;frame src="http://vulnerable.com/login.html"&gt;</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/1021.html" id="CWE-1021">1021</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://owasp.org/www-community/attacks/Cross_Frame_Scripting">Cross-Frame Scripting</link>
          <link target="https://owasp.org/www-community/attacks/Clickjacking">Clickjacking</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">XFS</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="HSTS">
      <advisory>
        <id>HSTS</id>
        <name>Missing or insecure HTTP Strict-Transport-Security Header</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>HTTP Strict Transport Security (HSTS) is a mechanism which protects secure (HTTPS) websites from being downgraded to non-secure HTTP. This mechanism enables web servers to instruct their clients (web browsers or other user agents) to use secure HTTPS connections when interacting with the server, and never use the insecure HTTP protocol.</text>
          <text>It is important to set the 'max-age' to a high enough value to prevent falling back to an insecure connection prematurely.</text>
          <text />
          <text>The HTTP Strict Transport Security policy is communicated by the server to its clients using a response header named "Strict-Transport-Security". The value of this header is a period of time during which the client should access the server in HTTPS only. Other header attributes include "includeSubDomains" and "preload".</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html">OWASP "HTTP Strict Transport Security"</link>
          <link target="http://tools.ietf.org/html/rfc6797">HSTS Spec</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">HSTS</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GETParamOverSSL">
      <advisory>
        <id>GETParamOverSSL</id>
        <name>Query Parameter in SSL Request</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_26</cause>
        </causes>
        <securityRisks>
          <text>It may be possible to steal sensitive data such as credit card numbers, social security numbers etc. that are sent unencrypted</text>
          <text>During the application test, it was detected that a request, which was sent over SSL, contained parameters that were transmitted in the Query part of an HTTP request.</text>
          <text>When sending requests, the browser's history can be used to reveal the URLs, which contain the query parameter names and values.</text>
          <text />
          <text>Due to the sensitivity of encrypted requests, it is suggested to use HTTP POST (without parameters in the URL string) when possible, in order to avoid the disclosure of URLs and parameter values to others.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/598.html" id="CWE-598">598</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act/">Financial Privacy: The Gramm-Leach Bliley Act</link>
          <link target="http://www.hhs.gov/ocr/hipaa/">Health Insurance Portability and Accountability Act (HIPAA)</link>
          <link target="http://www.sec.gov/spotlight/sarbanes-oxley.htm">Sarbanes-Oxley Act</link>
          <link target="http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html">California SB1386</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">GETParamOverSSL</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attUnnecessaryResponseHeaders">
      <advisory>
        <id>attUnnecessaryResponseHeaders</id>
        <name>Unnecessary Http Response Headers found in the Application</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web server type, version, OS and more.</text>
          <text>AppScan detected a Http response header that is unnecessary.</text>
          <text>For reasons of security and privacy, The Http response headers like  "Server", "X-Powered-By", "X-AspNetMvc-Version" and "X-AspNet-Version" should not appear in web pages.</text>
          <text>The "Server" header is a header that is added usually by default whenever a response is sent to the client by the server.</text>
          <text>The "X-Powered-By" header is a header that might be added by default whenever a response is sent to the client by the server.</text>
          <text>These added header(s) may reveal sensitive information about the internal server software version and type, thus enabling attackers to fingerprint it and attack it with targeted exploits. Moreover, when a new exploit becomes known to the public, the server will most likely get attacked with it.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://projects.webappsec.org/w/page/13246925/Fingerprinting">Fingerprinting</link>
          <link target="https://www.hacksplaining.com/prevention/information-leakage">Preventing Information Leakage</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attUnnecessaryResponseHeaders</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attUndefinedState">
      <advisory>
        <id>attUndefinedState</id>
        <name>Application Error</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_27</cause>
          <cause>Cause_28</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive debugging information</text>
          <text>If an attacker probes the application by forging a request that contains parameters or parameter values other than the ones expected by the application (examples are listed below), the application may enter an undefined state that makes it vulnerable to attack. The attacker can gain useful information from the application's response to this request, which information may be exploited to locate application weaknesses.</text>
          <text>For example, if the parameter field should be an apostrophe-quoted string (e.g. in an ASP script or SQL query), the injected apostrophe symbol will prematurely terminate the string stream, thus changing the normal flow/syntax of the script.</text>
          <text>Another cause of vital information being revealed in error messages, is when the scripting engine, web server, or database are misconfigured.</text>
          <text />
          <text>Here are some different variants:</text>
          <text>[1] Remove parameter</text>
          <text>[2] Remove parameter value</text>
          <text>[3] Set parameter value to null</text>
          <text>[4] Set parameter value to a numeric overflow (+/- 99999999)</text>
          <text>[5] Set parameter value to hazardous characters, such as ' " \' \" ) ;</text>
          <text>[6] Append some string to a numeric parameter value</text>
          <text>[7] Append "." (dot) or "[]" (angle brackets) to the parameter name</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/550.html" id="CWE-550">550</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://packetstormsecurity.com/files/10631/rfp2k01.txt.html">An example for using apostrophe to hack a site can be found in "How I hacked PacketStorm (by Rain Forest Puppy), RFP's site"</link>
          <link target="http://www.cgisecurity.com/lib/webappdis.doc">"Web Application Disassembly with ODBC Error Messages" (By David Litchfield)</link>
          <link target="http://www.cert.org/advisories/CA-1997-25.html">CERT Advisory (CA-1997-25): Sanitizing user-supplied data in CGI scripts</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attUndefinedState</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GD_EmailAddress">
      <advisory>
        <id>GDEmailAddress</id>
        <name>Email Address Pattern Found</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>Spambots crawl internet sites, set out to find e-mail addresses in order to build mailing lists for sending unsolicited e-mail (spam).</text>
          <text />
          <text>AppScan detected a response containing one or more e-mail addresses, which may be exploited to send spam mail</text>
          <text />
          <text>Furthermore, the e-mail addresses found may be private and thus should not be accessible to the general public.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/359.html" id="CWE-359">359</link>
        </cwe>
        <xfid />
        <references>
          <link target="http://en.wikipedia.org/wiki/Spambot">Definition of Spambot (Wikipedia)</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">GD_EmailAddress</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attSensitiveInHtmlComments">
      <advisory>
        <id>Quality.Comments</id>
        <name>HTML Comments Sensitive Information Disclosure</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_29</cause>
          <cause>Cause_30</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.</text>
          <text>An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.</text>
        </securityRisks>
        <affectedProducts />
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/615.html" id="CWE-615">615</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">attSensitiveInHtmlComments</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="attReferrerPolicyHeaderExist">
      <advisory>
        <id>attReferrerPolicyHeaderExist</id>
        <name>Missing "Referrer policy" Security Header</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_20</cause>
        </causes>
        <securityRisks>
          <text>It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations</text>
          <text>It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.</text>
          <text>The absence or improper values of Referrer Policy can cause URL leak itself, and even sensitive information contained in the URL will be leaked to the cross-site.</text>
          <text>This is a part of ruleset to check if Referrer Policy is present and if so to test its configuration. The "Referer Policy" header defines what data is made available in the Referer header, and for navigation and iframes in the destination's (document.referrer). This header is designed to modify the way browsers render pages, and thus to prevent cross-domain Referer leakage. It is important to set the header value correctly, in a way that will not prevent proper operation of the web site.</text>
          <text>Referer header is a request header that indicates the site which the traffic originated from. If there is no adequate prevention in place, the  URL itself, and even sensitive information contained in the URL will be leaked to the cross-site.</text>
          <text />
          <text>"no-referrer-when-downgrade" and "unsafe-url" are the policies which leaks the Full Url for the ThirdParty Sites. The remaining policies are"no-referrer", "origin", "origin-when-cross-origin","same-origin", "strict-origin", "strict-origin-when-cross-origin.</text>
          <text />
          <text>Please refer the following links for more information.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references>
          <link target="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy">MDN web docs - Referrer-Policy</link>
        </references>
        <fixRecommendations>
          <fixRecommendation type="General">attReferrerPolicyHeaderExist</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
    <item id="GD_PathDisclosure">
      <advisory>
        <id>GDPathDisclosure</id>
        <name>Possible Server Path Disclosure Pattern Found</name>
        <testDescription>Application</testDescription>
        <threatClassification>
          <name>Information Leakage</name>
          <reference>http://projects.webappsec.org/Information-Leakage</reference>
        </threatClassification>
        <testTechnicalDescription />
        <exploitExample />
        <causes>
          <cause>Cause_31</cause>
        </causes>
        <securityRisks>
          <text>It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application</text>
          <text>AppScan detected a response containing a file's absolute path (e.g. c:\dir\file in Windows, or /dir/file in Unix).</text>
          <text />
          <text>An attacker may be able to exploit this information to access sensitive information on the directory structure of the server machine which could be used for further attacks against the site.</text>
        </securityRisks>
        <affectedProducts>
          <text>This issue may affect different types of products.</text>
        </affectedProducts>
        <cwe>
          <link target="http://cwe.mitre.org/data/definitions/200.html" id="CWE-200">200</link>
        </cwe>
        <xfid />
        <references />
        <fixRecommendations>
          <fixRecommendation type="General">GD_PathDisclosure</fixRecommendation>
        </fixRecommendations>
      </advisory>
    </item>
  </advisory-group>
  <affected-product-group />
  <remediation-group>
    <item id="fix_53140">
      <name>Disable redirection to external sites based on parameter values</name>
      <priority>High</priority>
      <priority-id>2</priority-id>
    </item>
    <item id="fix_52000">
      <name>Review possible solutions for hazardous character injection</name>
      <priority>High</priority>
      <priority-id>2</priority-id>
    </item>
    <item id="fix_50300">
      <name>Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions</name>
      <priority>High</priority>
      <priority-id>2</priority-id>
    </item>
    <item id="fix_52740">
      <name>Add the 'Secure' attribute to all sensitive cookies</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_54860">
      <name>Apply proper authorization to administration scripts</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_61754">
      <name>Change server's supported ciphersuites</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_60310">
      <name>Change session identifier values after login</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_61481">
      <name>Construct HTTP headers very carefully, avoiding the use of non-validated/unsanitized input data</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_59220">
      <name>Enforce account lockout after several failed login attempts</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_61797">
      <name>Review possible solutions for configuring SameSite Cookie attribute to recommended values</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_61030">
      <name>Use a different signature algorithm for the certificate. See "Fix Recommentation" for specific server instructions</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_60130">
      <name>Validate the value of the "Referer" header, and use a one-time-nonce for each submitted form</name>
      <priority>Medium</priority>
      <priority-id>1</priority-id>
    </item>
    <item id="fix_52741">
      <name>Add the 'HttpOnly' attribute to all session cookies</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_52720">
      <name>Always use SSL and POST (body) parameters when sending sensitive information.</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61770">
      <name>Config your server to use the "Content-Security-Policy" header with secure policies</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61771">
      <name>Config your server to use the "Referrer Policy" header with secure policies</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61767">
      <name>Config your server to use the "X-Content-Type-Options" header with "nosniff" value</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61763">
      <name>Config your server to use the "X-Frame-Options" header with DENY or SAMEORIGIN value</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61640">
      <name>Correctly set the "autocomplete" attribute to "off"</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61757">
      <name>Do not accept body parameters that are sent in the query string</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_MA_attInformationLeakage">
      <name>Do not allow sensitive information to leak.</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_60510">
      <name>Download the relevant security patch for your web server or web application.</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_52721">
      <name>Enforce the use of HTTPS when sending sensitive information</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_61750">
      <name>Implement the HTTP Strict-Transport-Security policy with a long "max-age"</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_60210">
      <name>Prevent caching of SSL pages by adding "Cache-Control: no-store" and "Pragma: no-cache" headers to their responses.</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_59161">
      <name>Remove credit card numbers from your website</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_60260">
      <name>Remove e-mail addresses from the website</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
    <item id="fix_50750">
      <name>Remove sensitive information from HTML comments</name>
      <priority>Low</priority>
      <priority-id>0</priority-id>
    </item>
  </remediation-group>
  <cookie-group>
    <total>2</total>
    <item>
      <name>AltoroAccounts</name>
      <value>ODAwMDAyflNhdmluZ3N+LTEuOTk5NTQzNDA3MDM5MTU2MjJFMTh8ODAwMDAzfkNoZWNraW5nfjcuMTA2ODA0NjQ0NzM3ODg1RTIwfDQ1MzkwODIwMzkzOTYyODh+Q3JlZGl0IENhcmR+LTEuOTk5NTQzNDAxMjc4NzEyMzJFMTh8</value>
      <first-set-in-url>https://demo.testfire.net/doLogin</first-set-in-url>
      <first-requested-in-url>https://demo.testfire.net/bank/main.jsp</first-requested-in-url>
      <domain>demo.testfire.net</domain>
      <expires />
      <secure>dictionaryFalse</secure>
      <http-only>dictionaryFalse</http-only>
      <same-site />
      <js-stack-trace />
    </item>
    <item>
      <name>JSESSIONID</name>
      <value>A496F85EFEC2D4852626C21B50001A3A</value>
      <first-set-in-url>https://demo.testfire.net/</first-set-in-url>
      <first-requested-in-url>https://demo.testfire.net/login.jsp</first-requested-in-url>
      <domain>demo.testfire.net</domain>
      <expires />
      <secure>dictionaryTrue</secure>
      <http-only>dictionaryTrue</http-only>
      <same-site />
      <js-stack-trace />
    </item>
  </cookie-group>
  <component-group>
    <total>0</total>
  </component-group>
  <java-script-group>
    <total>22</total>
    <item>
      <text>
			function setfocus() {
			    if (document.login.uid.value=="") {
			      	document.login.uid.focus();
			    } else {
			      	document.login.passw.focus();
			    }
			}
			
			function confirminput(myform) {
			    if (myform.uid.value.length &amp;&amp; myform.passw.value.length) {
			      return (true);
			    } else if (!(myform.uid.value.length)) {
			      myform.reset();
			      myform.uid.focus();
			      alert ("You must enter a valid username");
			      return (false);
			    } else {
			      myform.passw.focus();
			      alert ("You must enter a valid password");
			      return (false);
			    }
			}
			window.onload = setfocus;
		</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>return (confirminput(login));</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>window.open('disclaimer.htm?url=http://www.netscape.com', '_blank', 'status=no,location=no,menubar=no,resizable=no,scrollbars=no,toolbar=no,width=450,height=200'); return false;</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>window.open('disclaimer.htm?url=http://www.microsoft.com', '_blank', 'status=no,location=no,menubar=no,resizable=no,scrollbars=no,toolbar=no,width=450,height=200'); return false;</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>
		_uacct = "1234abc";
		urchinTracker();
		</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>
			function confirmEmail(sEmail) {
			  var msg = null;
			  if (sEmail != "") {
			    var emailFilter=/^[\w\d\.\%-]+@[\w\d\.\%-]+\.\w{2,4}$/;
			    if (!(emailFilter.test(sEmail))) {
			      var illegalChars= /[^\w\d\.\%\-@]/;
			      if (sEmail.match(illegalChars)) {
			          msg = "Your email can only contain alphanumeric\ncharacters and the following:  @.%-\n\n";
			      } else {
			        msg = "Your email address does not appear to be valid. Please try again.\n\n";
			      }
			    }
			  } else {
			    msg = "Please enter an email address.\n\n";
			  }
			  if (msg != null) {
			      alert(msg);
			      return false;
			  } else {
			      return true;
			  }
			}
			</text>
      <url>https://demo.testfire.net/subscribe.jsp</url>
    </item>
    <item>
      <text>return confirmEmail(txtEmail.value);</text>
      <url>https://demo.testfire.net/subscribe.jsp</url>
    </item>
    <item>
      <text>
var xmlHttp = false;

	//http://www.ibm.com/developerworks/web/library/wa-ajaxintro1/index.html
	/* Create a new XMLHttpRequest object to talk to the Web server */
	xmlHttp = false;
	/*@cc_on @*/
	/*@if (@_jscript_version &gt;= 5)
	try {
	  xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
	} catch (e) {
	  try {
	    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
	  } catch (e2) {
 	   xmlHttp = false;
 	 }
	}
	@end @*/

	
	if (!xmlHttp &amp;&amp; typeof XMLHttpRequest != 'undefined') {
	  xmlHttp = new XMLHttpRequest();
	}

var sLastHostName='';
function checkSiteStatus(sHostName)
{
	sLastHostName = sHostName;
	//Make JSON request
	xmlHttp.open("GET","util/serverStatusCheckService.jsp?HostName=" + sHostName);
	xmlHttp.onreadystatechange = StateChangeForJSON;
	xmlHttp.send(null);
}
function StateChangeForJSON()
{
	if(xmlHttp.readyState == 4 &amp;&amp; xmlHttp.status == 200)
	{
		var jsonObj = eval('('+ xmlHttp.responseText + ')');
		var jsonFetchHostStatus = jsonObj["HostStatus"];
		var jsonFetchHostName=jsonObj["HostName"];
		//get JSON values and output
		x=document.getElementById('FetchHostName');
		x.innerHTML=jsonFetchHostName;
		x=document.getElementById('FetchHostStatus');
		x.innerHTML=jsonFetchHostStatus;
	}
	else if(xmlHttp.readyState == 4 &amp;&amp; xmlHttp.status == 500)
	{
		x=document.getElementById('FetchHostName');
		x.innerHTML=sLastHostName;
		x=document.getElementById('FetchHostStatus');
		x.innerHTML='The service returned an error. Please be patient while our administrators fix the issue.';
	}
	else if(xmlHttp.readyState == 4 &amp;&amp; xmlHttp.status == 404)
	{
		x=document.getElementById('FetchHostName');
		x.innerHTML=sLastHostName;
		x=document.getElementById('FetchHostStatus');
		x.innerHTML='The service returned an error. The status service appears to not be available';
	}
	else if(xmlHttp.readyState == 4 &amp;&amp; xmlHttp.status == 401)
	{
		x=document.getElementById('FetchHostName');
		x.innerHTML=sLastHostName;
		x=document.getElementById('FetchHostStatus');
		x.innerHTML='The service returned a 401 unauthorized error, indicating it was implemented incorrectly';
	}
	else if(xmlHttp.readyState == 4 &amp;&amp; xmlHttp.status == 302)
	{
		x=document.getElementById('FetchHostName');
		x.innerHTML=sLastHostName;
		x=document.getElementById('FetchHostStatus');
		x.innerHTML='The service returned a 302 redirect, indicating it was implemented incorrectly';
	}
}


</text>
      <url>https://demo.testfire.net/status_check.jsp</url>
    </item>
    <item>
      <text>
    window.onload = function() {

      // Build a system
      const ui = SwaggerUIBundle({
        url: window.location.href.substr(0, window.location.href.lastIndexOf("\/") + 1) + "properties.json",
        dom_id: '#swagger-ui',
        deepLinking: true,
        presets: [
          SwaggerUIBundle.presets.apis,
          SwaggerUIStandalonePreset
        ],
        plugins: [
          SwaggerUIBundle.plugins.DownloadUrl
        ],
        layout: "StandaloneLayout"
      })

      window.ui = ui
    }
  </text>
      <url>https://demo.testfire.net/swagger/index.html</url>
    </item>
    <item>
      <text>!function(t,e){"object"==typeof exports&amp;&amp;"object"==typeof module?module.exports=e():"function"==typeof define&amp;&amp;define.amd?define([],e):"object"==typeof exports?exports.SwaggerUIStandalonePreset=e():t.SwaggerUIStandalonePreset=e()}(this,function(){return function(t){var e={};function n(r){if(e[r])return e[r].exports;var i=e[r]={i:r,l:!1,exports:{}};return t[r].call(i.exports,i,i.exports,n),i.l=!0,i.exports}return n.m=t,n.c=e,n.d=function(t,e,r){n.o(t,e)||Object.defineProperty(t,e,{configurable:!1,enumerable:!0,get:r})},n.n=function(t){var e=t&amp;&amp;t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="/dist",n(n.s=206)}([function(t,e,n){"use strict";var r=n(52),i=["kind","resolve","construct","instanceOf","predicate","represent","defaultStyle","styleAliases"],o=["scalar","sequence","mapping"];t.exports=function(t,e){var n,u;if(e=e||{},Object.keys(e).forEach(function(e){if(-1===i.indexOf(e))throw new r('Unknown option "'+e+'" is met in definition of "'+t+'" YAML type.')}),this.tag=t,this.kind=e.kind||null,this.resolve=e.resolve||function(){return!0},this.construct=e.construct||function(t){return t},this.instanceOf=e.instanceOf||null,this.predicate=e.predicate||null,this.represent=e.represent||null,this.defaultStyle=e.defaultStyle||null,this.styleAliases=(n=e.styleAliases||null,u={},null!==n&amp;&amp;Object.keys(n).forEach(function(t){n[t].forEach(function(e){u[String(e)]=t})}),u),-1===o.indexOf(this.kind))throw new r('Unknown kind "'+this.kind+'" is specified for "'+t+'" YAML type.')}},function(t,e,n){var r=n(133)("wks"),i=n(98),o=n(5).Symbol,u="function"==typeof o;(t.exports=function(t){return r[t]||(r[t]=u&amp;&amp;o[t]||(u?o:i)("Symbol."+t))}).store=r},function(t,e){var n=t.exports={version:"2.5.5"};"number"==typeof __e&amp;&amp;(__e=n)},function(t,e,n){var r=n(5),i=n(19),o=n(17),u=n(30),a=n(60),s=function(t,e,n){var c,f,l,p,h=t&amp;s.F,d=t&amp;s.G,v=t&amp;s.S,y=t&amp;s.P,g=t&amp;s.B,m=d?r:v?r[e]||(r[e]={}):(r[e]||{}).prototype,_=d?i:i[e]||(i[e]={}),b=_.prototype||(_.prototype={});for(c in d&amp;&amp;(n=e),n)l=((f=!h&amp;&amp;m&amp;&amp;void 0!==m[c])?m:n)[c],p=g&amp;&amp;f?a(l,r):y&amp;&amp;"function"==typeof l?a(Function.call,l):l,m&amp;&amp;u(m,c,l,t&amp;s.U),_[c]!=l&amp;&amp;o(_,c,p),y&amp;&amp;b[c]!=l&amp;&amp;(b[c]=l)};r.core=i,s.F=1,s.G=2,s.S=4,s.P=8,s.B=16,s.W=32,s.U=64,s.R=128,t.exports=s},function(t,e,n){var r=n(3),i=n(43),o=n(10),u=/"/g,a=function(t,e,n,r){var i=String(o(t)),a="&lt;"+e;return""!==n&amp;&amp;(a+=" "+n+'="'+String(r).replace(u,"&amp;quot;")+'"'),a+"&gt;"+i+"&lt;/"+e+"&gt;"};t.exports=function(t,e){var n={};n[t]=e(a),r(r.P+r.F*i(function(){var e=""[t]('"');return e!==e.toLowerCase()||e.split('"').length&gt;3}),"String",n)}},function(t,e){var n=t.exports="undefined"!=typeof window&amp;&amp;window.Math==Math?window:"undefined"!=typeof self&amp;&amp;self.Math==Math?self:Function("return this")();"number"==typeof __g&amp;&amp;(__g=n)},function(t,e,n){var r=n(93)("wks"),i=n(55),o=n(9).Symbol,u="function"==typeof o;(t.exports=function(t){return r[t]||(r[t]=u&amp;&amp;o[t]||(u?o:i)("Symbol."+t))}).store=r},function(t,e,n){var r=n(169),i="object"==typeof self&amp;&amp;self&amp;&amp;self.Object===Object&amp;&amp;self,o=r||i||Function("return this")();t.exports=o},function(t,e){var n=Array.isArray;t.exports=n},function(t,e){var n=t.exports="undefined"!=typeof window&amp;&amp;window.Math==Math?window:"undefined"!=typeof self&amp;&amp;self.Math==Math?self:Function("return this")();"number"==typeof __g&amp;&amp;(__g=n)},function(t,e){t.exports=function(t){if(void 0==t)throw TypeError("Can't call method on  "+t);return t}},function(t,e){var n;n=function(){return this}();try{n=n||Function("return this")()||(0,eval)("this")}catch(t){"object"==typeof window&amp;&amp;(n=window)}t.exports=n},function(t,e,n){"use strict";t.exports=function(t){if("function"!=typeof t)throw new TypeError(t+" is not a function");return t}},function(t,e,n){var r=n(9),i=n(2),o=n(126),u=n(26),a=n(16),s=function(t,e,n){var c,f,l,p=t&amp;s.F,h=t&amp;s.G,d=t&amp;s.S,v=t&amp;s.P,y=t&amp;s.B,g=t&amp;s.W,m=h?i:i[e]||(i[e]={}),_=m.prototype,b=h?r:d?r[e]:(r[e]||{}).prototype;for(c in h&amp;&amp;(n=e),n)(f=!p&amp;&amp;b&amp;&amp;void 0!==b[c])&amp;&amp;a(m,c)||(l=f?b[c]:n[c],m[c]=h&amp;&amp;"function"!=typeof b[c]?n[c]:y&amp;&amp;f?o(l,r):g&amp;&amp;b[c]==l?function(t){var e=function(e,n,r){if(this instanceof t){switch(arguments.length){case 0:return new t;case 1:return new t(e);case 2:return new t(e,n)}return new t(e,n,r)}return t.apply(this,arguments)};return e.prototype=t.prototype,e}(l):v&amp;&amp;"function"==typeof l?o(Function.call,l):l,v&amp;&amp;((m.virtual||(m.virtual={}))[c]=l,t&amp;s.R&amp;&amp;_&amp;&amp;!_[c]&amp;&amp;u(_,c,l)))};s.F=1,s.G=2,s.S=4,s.P=8,s.B=16,s.W=32,s.U=64,s.R=128,t.exports=s},function(t,e,n){var r=n(27),i=n(127),o=n(89),u=Object.defineProperty;e.f=n(15)?Object.defineProperty:function(t,e,n){if(r(t),e=o(e,!0),r(n),i)try{return u(t,e,n)}catch(t){}if("get"in n||"set"in n)throw TypeError("Accessors not supported!");return"value"in n&amp;&amp;(t[e]=n.value),t}},function(t,e,n){t.exports=!n(29)(function(){return 7!=Object.defineProperty({},"a",{get:function(){return 7}}).a})},function(t,e){var n={}.hasOwnProperty;t.exports=function(t,e){return n.call(t,e)}},function(t,...</text>
      <url>https://demo.testfire.net/swagger/swagger-ui-standalone-preset.js</url>
    </item>
    <item>
      <text>!function(e,t){"object"==typeof exports&amp;&amp;"object"==typeof module?module.exports=t():"function"==typeof define&amp;&amp;define.amd?define([],t):"object"==typeof exports?exports.SwaggerUIBundle=t():e.SwaggerUIBundle=t()}(this,function(){return function(e){var t={};function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}return n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)||Object.defineProperty(e,t,{configurable:!1,enumerable:!0,get:r})},n.n=function(e){var t=e&amp;&amp;e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="/dist",n(n.s=446)}([function(e,t,n){"use strict";e.exports=n(75)},function(e,t,n){e.exports=n(854)()},function(e,t,n){"use strict";t.__esModule=!0,t.default=function(e,t){if(!(e instanceof t))throw new TypeError("Cannot call a class as a function")}},function(e,t,n){"use strict";t.__esModule=!0;var r,o=n(262),i=(r=o)&amp;&amp;r.__esModule?r:{default:r};t.default=function(){function e(e,t){for(var n=0;n&lt;t.length;n++){var r=t[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&amp;&amp;(r.writable=!0),(0,i.default)(e,r.key,r)}}return function(t,n,r){return n&amp;&amp;e(t.prototype,n),r&amp;&amp;e(t,r),t}}()},function(e,t,n){e.exports={default:n(767),__esModule:!0}},function(e,t,n){"use strict";t.__esModule=!0;var r,o=n(45),i=(r=o)&amp;&amp;r.__esModule?r:{default:r};t.default=function(e,t){if(!e)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return!t||"object"!==(void 0===t?"undefined":(0,i.default)(t))&amp;&amp;"function"!=typeof t?e:t}},function(e,t,n){"use strict";t.__esModule=!0;var r=a(n(769)),o=a(n(350)),i=a(n(45));function a(e){return e&amp;&amp;e.__esModule?e:{default:e}}t.default=function(e,t){if("function"!=typeof t&amp;&amp;null!==t)throw new TypeError("Super expression must either be null or a function, not "+(void 0===t?"undefined":(0,i.default)(t)));e.prototype=(0,o.default)(t&amp;&amp;t.prototype,{constructor:{value:e,enumerable:!1,writable:!0,configurable:!0}}),t&amp;&amp;(r.default?(0,r.default)(e,t):e.__proto__=t)}},function(e,t,n){var r;r=function(){"use strict";var e=Array.prototype.slice;function t(e,t){t&amp;&amp;(e.prototype=Object.create(t.prototype)),e.prototype.constructor=e}function n(e){return a(e)?e:J(e)}function r(e){return u(e)?e:Y(e)}function o(e){return s(e)?e:K(e)}function i(e){return a(e)&amp;&amp;!l(e)?e:G(e)}function a(e){return!(!e||!e[f])}function u(e){return!(!e||!e[p])}function s(e){return!(!e||!e[d])}function l(e){return u(e)||s(e)}function c(e){return!(!e||!e[h])}t(r,n),t(o,n),t(i,n),n.isIterable=a,n.isKeyed=u,n.isIndexed=s,n.isAssociative=l,n.isOrdered=c,n.Keyed=r,n.Indexed=o,n.Set=i;var f="@@__IMMUTABLE_ITERABLE__@@",p="@@__IMMUTABLE_KEYED__@@",d="@@__IMMUTABLE_INDEXED__@@",h="@@__IMMUTABLE_ORDERED__@@",v=5,m=1&lt;&lt;v,y=m-1,g={},b={value:!1},_={value:!1};function w(e){return e.value=!1,e}function E(e){e&amp;&amp;(e.value=!0)}function x(){}function S(e,t){t=t||0;for(var n=Math.max(0,e.length-t),r=new Array(n),o=0;o&lt;n;o++)r[o]=e[o+t];return r}function C(e){return void 0===e.size&amp;&amp;(e.size=e.__iterate(A)),e.size}function k(e,t){if("number"!=typeof t){var n=t&gt;&gt;&gt;0;if(""+n!==t||4294967295===n)return NaN;t=n}return t&lt;0?C(e)+t:t}function A(){return!0}function O(e,t,n){return(0===e||void 0!==n&amp;&amp;e&lt;=-n)&amp;&amp;(void 0===t||void 0!==n&amp;&amp;t&gt;=n)}function P(e,t){return M(e,t,0)}function T(e,t){return M(e,t,t)}function M(e,t,n){return void 0===e?n:e&lt;0?Math.max(0,t+e):void 0===t?e:Math.min(t,e)}var I=0,j=1,N=2,R="function"==typeof Symbol&amp;&amp;Symbol.iterator,D="@@iterator",L=R||D;function U(e){this.next=e}function q(e,t,n,r){var o=0===e?t:1===e?n:[t,n];return r?r.value=o:r={value:o,done:!1},r}function F(){return{value:void 0,done:!0}}function z(e){return!!H(e)}function B(e){return e&amp;&amp;"function"==typeof e.next}function V(e){var t=H(e);return t&amp;&amp;t.call(e)}function H(e){var t=e&amp;&amp;(R&amp;&amp;e[R]||e[D]);if("function"==typeof t)return t}function W(e){return e&amp;&amp;"number"==typeof e.length}function J(e){return null===e||void 0===e?ie():a(e)?e.toSeq():function(e){var t=se(e)||"object"==typeof e&amp;&amp;new te(e);if(!t)throw new TypeError("Expected Array or iterable object of values, or keyed object: "+e);return t}(e)}function Y(e){return null===e||void 0===e?ie().toKeyedSeq():a(e)?u(e)?e.toSeq():e.fromEntrySeq():ae(e)}function K(e){return null===e||void 0===e?ie():a(e)?u(e)?e.entrySeq():e.toIndexedSeq():ue(e)}function G(e){return(null===e||void 0===e?ie():a(e)?u(e)?e.entrySeq():e:ue(e)).toSetSeq()}U.prototype.toString=function(){return"[Iterator]"},U.KEYS=I,U.VALUES=j,U.ENTRIES=N,U.prototype.inspect=U.prototype.toSource=function(){return this.toString()},U.prototype[L]=function(){return this},t(J,n),J.of=function(){return J(arguments)},J.prototype.toSeq=function(){return this},J.prototype.toString=function(){return this.__toString("Seq {","}")},J.prototype.cacheResult=function(){return!this._cache&amp;&amp;this.__iterateUncached&amp;&amp;(this._cache=this.entrySeq().toArray(),this.size=this._cache.length),this},J.pro...</text>
      <url>https://demo.testfire.net/swagger/swagger-ui-bundle.js</url>
    </item>
    <item>
      <text>
			function confirminput(myform) {
			
				if (myform.startDate.value != ""){
					var valid = false;
					var splitStrings = myform.startDate.value.split("-");
					if (splitStrings.length == 3) {
						var year = parseInt(splitStrings[0]);
						var month = parseInt((splitStrings[1].charAt(0)==0 &amp;&amp; splitStrings[1].length == 2)?splitStrings[1].charAt(1):splitStrings[1]);
						var day = parseInt((splitStrings[2].charAt(0)==0 &amp;&amp; splitStrings[2].length == 2)?splitStrings[2].charAt(1):splitStrings[2]);

						var validNums = !(isNaN(year) || isNaN(month) || isNaN(day));
						
						if (validNums)
							valid = validateDate(month, day, year);
					}
			
					if (!valid){
						alert ("'After' date of " + myform.startDate.value + " is not valid.");
						return false;
					}
				}
			
				if (myform.endDate.value != ""){
					var valid2 = false;
					var splitStrings2 = myform.endDate.value.split("-");
					if (splitStrings2.length == 3) {
						var year2 = parseInt(splitStrings2[0]);
						var month2 = parseInt((splitStrings2[1].charAt(0)==0 &amp;&amp; splitStrings2[1].length == 2)?splitStrings2[1].charAt(1):splitStrings2[1]);
						var day2 = parseInt((splitStrings2[2].charAt(0)==0 &amp;&amp; splitStrings2[2].length == 2)?splitStrings2[2].charAt(1):splitStrings2[2]);
			
						var validNums2 = !(isNaN(year2) || isNaN(month2) || isNaN(day2));
						
						if (validNums2)
							valid2 = validateDate(month2, day2, year2);
					}
					
					if (!valid2){
						alert ("'Before' date of " + myform.endDate.value + " is not valid.");
						return false;
					}
				}
				return true;
			}
			
			function validateDate(month, day, year){
				try {
					var thisDate = new Date();
					var wrongMonth = month&lt;1 || month&gt;12;
					var wrongDay = (day&lt;1) || (day&gt;31) || (day&gt;30 &amp;&amp; ((month==4)||(month==6)||(month==9)||(month==11))) || (day&gt;29 &amp;&amp; month==2 &amp;&amp; (year%4==0) &amp;&amp; (year%100!=0 || year%400==0)) || (day&gt;28 &amp;&amp; month==2 &amp;&amp; ((year%4!=0) || (year%100==0 &amp;&amp; year%400!=0))); 
					var wrongYear = year &lt; 1990 || year &gt; parseInt(thisDate.getFullYear());
			
					var thisYear = parseInt(thisDate.getFullYear());
					var thisMonth = parseInt(thisDate.getMonth())+1;
					var thisDay = parseInt(thisDate.getDate());
					var wrongDate = year==thisYear &amp;&amp; ((thisMonth&lt;month) || (thisMonth==month &amp;&amp; thisDay&lt;(day-1)));
			
					if (wrongMonth ||wrongDay || wrongYear || wrongDate)
						return false;
					
					} catch (error){
						return false;
					}
					
					return true;
			}
		</text>
      <url>https://demo.testfire.net/bank/transaction.jsp</url>
    </item>
    <item>
      <text>return (confirminput(Form1));</text>
      <url>https://demo.testfire.net/bank/transaction.jsp</url>
    </item>
    <item>
      <text>
		
			function confirminput(myform) {
				var dbt=document.getElementById("fromAccount").value;
				var cdt=document.getElementById("toAccount").value;
				var amt=document.getElementById("transferAmount").value;
				
				if (dbt == cdt) {
					alert("From Account and To Account fields cannot be the same.");
					return false;
				}
				else if (!(amt &gt; 0)){
					alert("Transfer Amount must be a number greater than 0.");
					return false;
				}
		
				return true;
			}

		</text>
      <url>https://demo.testfire.net/bank/transfer.jsp</url>
    </item>
    <item>
      <text>return (confirminput(tForm));</text>
      <url>https://demo.testfire.net/bank/transfer.jsp</url>
    </item>
    <item>
      <text>

    function go() {
	    var iPos = document.URL.indexOf("url=")+4;
    	var sDst = document.URL.substring(iPos,document.URL.length); 
        if (window.opener) {
      		window.opener.location.href = sDst;
      		cl();
        } else {
        	window.location.href = sDst;
        }
    }

    function cl() {
      window.close();
    }

    var iPos = document.URL.indexOf("url=")+4;
  	var sDst = document.URL.substring(iPos,document.URL.length);
    // if redirection is in the application's domain, don't ask for authorization
	if ( sDst.indexOf("http") == 0 &amp;&amp; sDst.indexOf(document.location.hostname) != -1 ) {
		if (window.opener) {
      		window.opener.location.href = "http" + sDst.substring(4);
      		cl();
        } else {
        	window.location.href = "http" + sDst.substring(4);
        }
	}

	</text>
      <url>https://demo.testfire.net/disclaimer.htm</url>
    </item>
    <item>
      <text>document.write(encodeURI(sDst));</text>
      <url>https://demo.testfire.net/disclaimer.htm</url>
    </item>
    <item>
      <text>go();return false;</text>
      <url>https://demo.testfire.net/disclaimer.htm</url>
    </item>
    <item>
      <text>cl();return false;</text>
      <url>https://demo.testfire.net/disclaimer.htm</url>
    </item>
    <item>
      <text>

var jobs = {
		"Administration":{"ExecutiveAssistant":"jobs/20061023.htm"}, 
		"ConsumaerBanking":{"Teller":"jobs/20061019.htm"},
		"CustomerService":{"CustomerServiceRepresentative":"jobs/20061026.htm"},
		"Marketing":{"LoyaltyMarketingProgramManager":"jobs/20061025.htm"},
		"RiskManagement":{"OperationalRiskManager":"jobs/20061027.htm"},
		"Sales":{"MortgageLendingAccountExecutive":"jobs/20061024.htm"}
};

function loadPage() {
	if (document.location.hash == "#alljobs") {
		document.location.hash = "";
		return;
	}
	/* check if job parameter exists */
	var job = getParameter("job");
	if (job &amp;&amp; job.length &gt; 0) {
		var sp = job.split(':');
		if (sp.length == 2 &amp;&amp; jobs[sp[1]] &amp;&amp; jobs[sp[1]] != "") {
			/* check if job exists */
			if (jobs[sp[1]][sp[0]] &amp;&amp; jobs[sp[1]][sp[0]] != "") {
				document.location.href = "index.jsp?content="+jobs[sp[1]][sp[0]];
			} else {
				/* tell the user the job isn't open anymore */
				document.write("&lt;h2 style='color:#ff0000'&gt;We're sorry, but it appears the position for " + sp[0] + " in group " + sp[1] + " is not open anymore&lt;/h2&gt;");
			}
		}
	}
}

function getParameter(name) {
	var searchStr = document.location.search.substring(1);
	var params = searchStr.split('&amp;');
	for (var i=0; i &lt; params.length; i++) {
		nv = params[i].split('=');
		if (nv.length == 2 &amp;&amp; nv[0] == name) {
			return nv[1];
		}
	}
	return "";
}

function sethash() {
	document.location.hash = "alljobs";
}

/* set IE to go back to orig page when pressing the back command in teh next page */
if (navigator.appName == 'Microsoft Internet Explorer') {
	window.onbeforeunload=sethash;
}

window.onload = loadPage;

</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>
		
		function confirmpass(myform)
		{
		  if (myform.password1.value.length &amp;&amp; (myform.password1.value==myform.password2.value))
		  {
		    return true;
		  }
		  else
		  {
		    myform.password1.value="";
		    myform.password2.value="";
		    myform.password1.focus();
		    alert ("Passwords do not match");
		    return false;
		  }
		
		}
		</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <text>return confirmpass(this);</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
  </java-script-group>
  <comment-group>
    <total>40</total>
    <item>
      <text>BEGIN HEADER</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>END HEADER</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>TOC BEGIN</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>TOC END</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>To get the latest admin login, please contact SiteOps at 415-555-6159</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>BEGIN FOOTER</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>END FOOTER</text>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, online banking, banking, checking, savings, accounts</text>
      <url>https://demo.testfire.net/</url>
    </item>
    <item>
      <text>MEMBER TOC BEGIN</text>
      <url>https://demo.testfire.net/bank/main.jsp</url>
    </item>
    <item>
      <text>&lt;li&gt;&lt;a id="MenuHyperLink3" href="/bank/stocks.jsp"&gt;Trade Stocks&lt;/a&gt;&lt;/li&gt;</text>
      <url>https://demo.testfire.net/bank/main.jsp</url>
    </item>
    <item>
      <text>MEMBER TOC END</text>
      <url>https://demo.testfire.net/bank/main.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, online banking, contact information, subscriptions</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>- Dave- Hard code this into the final script - Possible security problem.
		  Re-generated every Tuesday and old files are saved to .bak format at L:\backup\website\oldfiles    -</text>
      <url>https://demo.testfire.net/feedback.jsp</url>
    </item>
    <item>
      <text>To modify account information do not connect to SQL source directly.  Make all changes
		through the admin page.</text>
      <url>https://demo.testfire.net/bank/showAccount</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, personal deposit, personal checking, personal loans, personal cards, personal investments</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, deposit products, personal deposits</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, personal checking, checking platinum, checking gold, checking silver, checking bronze</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, auto loans, boat loans, lines of credit, home equity, mortgage loans, student loans</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, brokerage services, retirement, insurance, private banking, wealth and tax services</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, Altoro Private Bank, Altoro Wealth and Tax</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, real estate loans, small business loands, small business loands, equipment leasing, credit line</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, credit cards, platinum cards, premium credit</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, press releases, media, news, events, public relations</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, job openings, benefits, student internships, management trainee programs</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, privacy, information collection, safeguards, data usage</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, security, security, security, we provide security, secure online banking</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>HTML for static distribution bundle build</text>
      <url>https://demo.testfire.net/swagger/index.html</url>
    </item>
    <item>
      <text>&lt;!DOCTYPE html&gt;</text>
      <url>https://demo.testfire.net/swagger/index.html</url>
    </item>
    <item>
      <text>TODO PAGES: &lt;td colspan="4"&gt;&lt;span&gt;1&lt;/span&gt;&amp;nbsp;&lt;a href="javascript:__doPostBack('_ctl0$_ctl0$Content$Main$MyTransactions$_ctl54$_ctl1','')"&gt;2&lt;/a&gt;&lt;/td&gt;</text>
      <url>https://demo.testfire.net/bank/transaction.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual Press Release</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, benefits, child-care, flexible time, health club, company discounts, paid vacations</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, careers, opportunities, jobs, management</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, management trainess, Careers, advancement</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Keywords:Altoro Mutual, executives, board of directors</text>
      <url>https://demo.testfire.net/index.jsp</url>
    </item>
    <item>
      <text>Be careful what you change.  All changes are made directly to AltoroJ database.</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <text>action="addAccount"</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <text>action="changePassword"</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <text>action="addUser"</text>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
  </comment-group>
  <script-parameter-group>
    <total>33</total>
    <item>
      <name>content</name>
      <values>
        <value>customize.jsp</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=international</url>
    </item>
    <item>
      <name>content</name>
      <values>
        <value>queryxpath.jsp</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Hidden</parameter-type>
      <url>https://demo.testfire.net/bank/queryxpath.jsp?content=queryxpath.jsp&amp;query=Enter+title+(e.g.+Watchfire)</url>
    </item>
    <item>
      <name>passwd</name>
      <values>
        <value>**CONFIDENTIAL 0**</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Password</parameter-type>
      <url>https://demo.testfire.net/bank/ccApply</url>
    </item>
    <item>
      <name>step</name>
      <values>
        <value>a</value>
        <value>b</value>
        <value>done</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/survey_questions.jsp?step=a</url>
    </item>
    <item>
      <name>txtEmail</name>
      <values>
        <value>jsmith@mail.com</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/survey_questions.jsp?step=done&amp;txtEmail=jsmith@mail.com</url>
    </item>
    <item>
      <name>uid</name>
      <values>
        <value>jsmith</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/doLogin</url>
    </item>
    <item>
      <name>passw</name>
      <values>
        <value>**CONFIDENTIAL 0**</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Password</parameter-type>
      <url>https://demo.testfire.net/doLogin</url>
    </item>
    <item>
      <name>listAccounts</name>
      <values>
        <value>800003</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Select</parameter-type>
      <url>https://demo.testfire.net/bank/showAccount?listAccounts=800003</url>
    </item>
    <item>
      <name>url</name>
      <values>
        <value>http://www.netscape.com</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/disclaimer.htm?url=http://www.netscape.com</url>
    </item>
    <item>
      <name>btnSubmit</name>
      <values>
        <value>Subscribe</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Submit</parameter-type>
      <url>https://demo.testfire.net/doSubscribe</url>
    </item>
    <item>
      <name>content</name>
      <values>
        <value>inside_contact.htm</value>
        <value>personal.htm</value>
        <value>inside.htm</value>
        <value>personal_deposit.htm</value>
        <value>personal_checking.htm</value>
        <value>personal_loans.htm</value>
        <value>personal_investments.htm</value>
        <value>personal_other.htm</value>
        <value>business_lending.htm</value>
        <value>business_cards.htm</value>
        <value>business_retirement.htm</value>
        <value>inside_about.htm</value>
        <value>inside_press.htm</value>
        <value>inside_careers.htm</value>
        <value>privacy.htm</value>
        <value>security.htm</value>
        <value>pr/20061109.htm</value>
        <value>inside_executives.htm</value>
        <value>inside_jobs.htm</value>
        <value>inside_benefits.htm</value>
        <value>inside_trainee.htm</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
    </item>
    <item>
      <name>btnSubmit</name>
      <values>
        <value>Login</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Submit</parameter-type>
      <url>https://demo.testfire.net/doLogin</url>
    </item>
    <item>
      <name>query</name>
      <values>
        <value>Enter title (e.g. Watchfire)</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/bank/queryxpath.jsp?content=queryxpath.jsp&amp;query=Enter+title+(e.g.+Watchfire)</url>
    </item>
    <item>
      <name>query</name>
      <values>
        <value>1234</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
    </item>
    <item>
      <name>Submit</name>
      <values>
        <value>Submit</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Submit</parameter-type>
      <url>https://demo.testfire.net/bank/ccApply</url>
    </item>
    <item>
      <name>endDate</name>
      <values>
        <value>2019-01-01</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/bank/showTransactions</url>
    </item>
    <item>
      <name>submit</name>
      <values>
        <value>+Submit+</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Submit</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>transferAmount</name>
      <values>
        <value>1234</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <name>txtEmail</name>
      <values>
        <value>test@altoromutual.com</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/doSubscribe</url>
    </item>
    <item>
      <name>cfile</name>
      <values>
        <value>comments.txt</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Hidden</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>startDate</name>
      <values>
        <value>2019-01-01</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/bank/showTransactions</url>
    </item>
    <item>
      <name>name</name>
      <values>
        <value>John+Smith</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>accttypes</name>
      <values>
        <value>Savings</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Select</parameter-type>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <name>transfer</name>
      <values>
        <value>Transfer Money</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Submit</parameter-type>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <name>HostName</name>
      <values>
        <value>AltoroMutual</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/util/serverStatusCheckService.jsp?HostName=AltoroMutual</url>
    </item>
    <item>
      <name>email_addr</name>
      <values>
        <value>753+Main+Street</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Text</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>toAccount</name>
      <values>
        <value>800003</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Select</parameter-type>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <name>comments</name>
      <values>
        <value>1234</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.TextArea</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>username</name>
      <values>
        <value>sspeed</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Select</parameter-type>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <name>fromAccount</name>
      <values>
        <value>800003</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Select</parameter-type>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <name>subject</name>
      <values>
        <value>1234</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Post_Data</parameter-type>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <name>job</name>
      <values>
        <value>OperationalRiskManager:RiskManagement</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=OperationalRiskManager:RiskManagement</url>
    </item>
    <item>
      <name>lang</name>
      <values>
        <value>international</value>
      </values>
      <parameter-type>ApplicationData.HttpParamType.Simple_Link</parameter-type>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=international</url>
    </item>
  </script-parameter-group>
  <header-group>
    <total>0</total>
  </header-group>
  <visited-link-group>
    <total>60</total>
    <item>
      <url>https://demo.testfire.net/</url>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/doLogin</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/main.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/feedback.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/showAccount?listAccounts=800003</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_deposit.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_checking.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_loans.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_investments.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_other.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_lending.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_cards.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_retirement.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/retirement.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_about.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_press.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_careers.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/doSubscribe</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=privacy.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=security.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/status_check.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/util/serverStatusCheckService.jsp?HostName=AltoroMutual</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/index.html</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/swagger-ui-standalone-preset.js</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/properties.json</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/swagger-ui-bundle.js</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/transaction.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/showTransactions</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/transfer.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/queryxpath.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/queryxpath.jsp?content=queryxpath.jsp&amp;query=Enter+title+(e.g.+Watchfire)</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=international</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/apply.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/ccApply</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=a</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=b</url>
    </item>
    <item>
      <url>https://demo.testfire.net/disclaimer.htm?url=http://www.netscape.com</url>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.swf</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_executives.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20061109.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_benefits.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_trainee.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=international</url>
    </item>
    <item>
      <url>https://demo.testfire.net/logout.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=OperationalRiskManager:RiskManagement</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=done&amp;txtEmail=jsmith@mail.com</url>
    </item>
    <item>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
  </visited-link-group>
  <unique-visited-link-group>
    <max-issues-in-url>11</max-issues-in-url>
    <item>
      <url>https://demo.testfire.net/</url>
    </item>
    <item>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/apply.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/ccApply</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=international</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/doTransfer</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/main.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/queryxpath.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/queryxpath.jsp?content=queryxpath.jsp&amp;query=Enter+title+(e.g.+Watchfire)</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/showAccount?listAccounts=800003</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/showTransactions</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/transaction.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/transfer.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/disclaimer.htm?url=http://www.netscape.com</url>
    </item>
    <item>
      <url>https://demo.testfire.net/doLogin</url>
    </item>
    <item>
      <url>https://demo.testfire.net/doSubscribe</url>
    </item>
    <item>
      <url>https://demo.testfire.net/feedback.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_cards.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_lending.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_retirement.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_about.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_benefits.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_careers.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_executives.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=OperationalRiskManager:RiskManagement</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_press.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_trainee.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_checking.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_deposit.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_investments.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_loans.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_other.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20061109.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=privacy.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=security.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/logout.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/retirement.htm</url>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
    </item>
    <item>
      <url>https://demo.testfire.net/sendFeedback</url>
    </item>
    <item>
      <url>https://demo.testfire.net/status_check.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.swf</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=a</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=b</url>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=done&amp;txtEmail=jsmith@mail.com</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/index.html</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/properties.json</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/swagger-ui-bundle.js</url>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/swagger-ui-standalone-preset.js</url>
    </item>
    <item>
      <url>https://demo.testfire.net/util/serverStatusCheckService.jsp?HostName=AltoroMutual</url>
    </item>
  </unique-visited-link-group>
  <broken-link-group>
    <total>6</total>
    <item>
      <url>https://demo.testfire.net/default.jsp?content=security.htm</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/inside_points_of_interest.htm</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/default.jsp?content=security.htm</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/Privacypolicy.jsp?sec=Careers&amp;template=US</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/default.jsp?content=security.htm</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/default.jsp?content=security.htm</url>
      <reason>Response Status '404' - Not Found</reason>
    </item>
  </broken-link-group>
  <filtered-link-group>
    <total>242</total>
    <item>
      <url>https://demo.testfire.net/style.css</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/logo.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/header_pic.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/pf_lock.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/cgi.exe</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/home1.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/home2.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/home3.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://github.com/AppSecDev/AltoroJ/</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>http://www-142.ibm.com/software/products/us/en/subcategory/SWI10</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/inside6.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_main.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/pr/communityannualreport.pdf</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/inside1.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_deposit.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_checking.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_loans.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_investments.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>http://demo-analytics.testfire.net/urchin.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/admin/clients.xls</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/p_other.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/b_lending.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/b_cards.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/b_retirement.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>http://www.newspapersyndications.tv/</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/inside5.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/inside7.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/inside4.jpg</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>http://www.cert.org/</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/icon_top.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/swagger-ui.css</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/favicon-32x32.png</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/favicon-16x16.png</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://online.swagger.io/validator?url=https://demo.testfire.net/swagger/properties.json</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_savings.htm</url>
      <reason>FilteredUrl.BodySimilar</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/ok.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/cancel.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>http://www.netscape.com/</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://www.aol.com/</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/benji/benji-1.0.83.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/nn/lib/metro/g/myy/advertisement_0.0.19.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-dl-1.6.2.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/wafer-core.d8a2bbe83acf7922.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/polyfills.e0be59dc1da96626.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/vendor-glide.a8bd1773c27f716d.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/utils.783372195eb15b3c.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-rapid-1.10.7.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-scrollview-2.21.0.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-tabs-1.12.6.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-toggle-1.15.4.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-video-2.22.15.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/video_player_wafer.08e7f13466871cff.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/dispatcher.e1ad6900814fab04.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/gam.ded987fb43ca4cac.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-autocomplete-1.31.7.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/readmo.8c9dae6c4d72bf7e.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-module-2.0.0.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-text-1.2.0.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-beacon-1.3.4.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-fetch-1.19.1.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-bind-1.1.3.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/notification_banner.021ba5ca8466c0b7.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/ad_blocker.66ca66172460f2e8.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/wf/wf-image-1.4.0.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/dl.3f04b2accc977d6a.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/notification_bell.c68f40de3779e9a4.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/weather.35ca22e5bc4d12c5.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/ss/rapid3.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/aol_header.da6597b18c191447.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/os/yaft/yaft-0.3.29.min.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/oa/consent.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/news.ec578b81c96c3c35.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/choose_news.db3547969a1b837c.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://consent.cmp.oath.com/cmp.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/caas-assets-production/assets/v1/y_finance_markets.c976d9537fe5aaf8.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-12/27ab1e70-68e8-11ec-9f8f-130668cce848&amp;client=76f99bdb8f78cd44cc0b&amp;signature=12d46bf50c61cc738244b48afd58278f22fa2d41</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-06/77d38700-d9ed-11eb-be27-f7edbce29062&amp;client=76f99bdb8f78cd44cc0b&amp;signature=f681a4e420fd5eb2c85085401f6fad97b8f5c7d1</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2023-06/1504f900-095d-11ee-af59-036f8ef2680e&amp;client=76f99bdb8f78cd44cc0b&amp;signature=f96c8983d15c2cd551b47caf27cd710ec77e61ad</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/cx/vzm/cs.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-12/575bc790-355f-11eb-ad7b-2304a1f8730f&amp;client=76f99bdb8f78cd44cc0b&amp;signature=9ff3de001884e92d939ae40d08e9b7109e31ec24</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2023-04/761cfe70-deb2-11ed-8fff-6672c0d730ce&amp;client=76f99bdb8f78cd44cc0b&amp;signature=3e88644a0b664a16743aee5bc603aabc2307f5c2</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-11/24ea2060-2fbd-11eb-b6fd-a6e16217c6e6&amp;client=76f99bdb8f78cd44cc0b&amp;signature=2a26e46583bfd12678b081b69fb7cca425c39052</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2022-04/024bb600-bc29-11ec-be3f-c8aa85a55bda&amp;client=76f99bdb8f78cd44cc0b&amp;signature=b9513e72c8af6f42b1e2f462026b9e7c280d5a3a</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.yimg.com/aaq/pv/perf-vitals_2.1.1.js</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2023-07/b1f2c370-2fe4-11ee-af3f-3bc97f9dc4f0&amp;client=76f99bdb8f78cd44cc0b&amp;signature=307667e96789b86d53a0f4bbdb5707cd1bea98a9</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-12/515ef980-3432-11eb-b5ef-2a7f8e085664&amp;client=76f99bdb8f78cd44cc0b&amp;signature=2219f359ed98a4e53a5fcf45b7e15fd870daf112</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-12/d50a9120-3411-11eb-97bb-1084c5a79300&amp;client=76f99bdb8f78cd44cc0b&amp;signature=2e380cbe938a1f4b6b57c6cdf936e0516050112f</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-09/7bc91ad0-1009-11ec-bfea-2182b7e056ce&amp;client=76f99bdb8f78cd44cc0b&amp;signature=0ce860f1e66ab33504feea849bdc56f9987a9c41</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2022-08/16659720-22f2-11ed-bbf8-7ef4b7911c60&amp;client=76f99bdb8f78cd44cc0b&amp;signature=38d2911d75273d418cf1c35d0c430a84d5a2ca66</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-07/3c019bd0-ee43-11eb-bced-b4b62d80677d&amp;client=76f99bdb8f78cd44cc0b&amp;signature=3aa198e79469e4081181851b7817f9aefe8b4866</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2022-07/b6b52f10-0dc1-11ed-9af1-3e6ae68289be&amp;client=76f99bdb8f78cd44cc0b&amp;signature=a707ab932a73b8a9fb47d3fc3b9ee0c75e5ebc25</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-12/64340b00-6982-11ec-a6ee-d01e5d0b5861&amp;client=76f99bdb8f78cd44cc0b&amp;signature=ac1c86f1c864869accf8544da530e03be9b801e8</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-11/aacb3290-4bb5-11ec-9dff-c91b8179f931&amp;client=76f99bdb8f78cd44cc0b&amp;signature=177ac960ba64a8abb0f463dbe9e209b3d20d649d</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-12/e8f349d0-6993-11ec-beb7-1653c87f6a88&amp;client=76f99bdb8f78cd44cc0b&amp;signature=7675a6e9b61e2052c273db9b79d7c1cb5cc4496c</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_savings.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-07/443d5c40-dfec-11eb-bbff-7da4a64d072d&amp;client=76f99bdb8f78cd44cc0b&amp;signature=2bbcf94c8cff5820cd47b0b2766b30c5416c86c9</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-11/a2258160-2b7f-11eb-bbe3-c5a6dfd56406&amp;client=76f99bdb8f78cd44cc0b&amp;signature=ae507cb078909cbed31627771fd05c3f42bd428b</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-08/1f7aca00-0ab2-11ec-9ef8-03b4eef83866&amp;client=76f99bdb8f78cd44cc0b&amp;signature=c2f031ad3ac41d2282251c921aa9e4634e674019</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=a</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-09/291fe6d0-1246-11ec-9eb7-5392da65195b&amp;client=76f99bdb8f78cd44cc0b&amp;signature=a55197107cb3e922d2624bc588f9c497bb452282</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-11/ee6a7240-244c-11eb-bd1f-e1f6ad08dba9&amp;client=76f99bdb8f78cd44cc0b&amp;signature=c95b1e7a4d9513cf73f9897cf1beea2ef60ef716</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=b</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2021-12/e9cc2d60-6982-11ec-b3df-9bd0426ec2ec&amp;client=76f99bdb8f78cd44cc0b&amp;signature=2e98d8405d99584183fc278e449e64974d353e94</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2023-09/c1ee04e0-4dcd-11ee-97bf-83c5420da580&amp;client=76f99bdb8f78cd44cc0b&amp;signature=914d0608eb4f953292a2fc317324e981b551aa42</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-11/ad68a030-2ae3-11eb-b7df-2219b2546d62&amp;client=76f99bdb8f78cd44cc0b&amp;signature=50e22a394a6cf858e64b2613c09da8a9a4cdfc51</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2020-12/be863210-34b6-11eb-9fb7-2187cff1c470&amp;client=76f99bdb8f78cd44cc0b&amp;signature=cd7d9f6e5bc98fb19e3761f13bce648092a434ce</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2022-12/88a54880-7c98-11ed-bf53-d549d04eb5fa&amp;client=76f99bdb8f78cd44cc0b&amp;signature=02b60b757010b68fe7003f78bda5ac1c3a9988fa</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://s.aolcdn.com/images/dims?format=jpg&amp;quality=80&amp;thumbnail=32,32&amp;image_uri=https://s.yimg.com/os/creatr-uploaded-images/2023-08/5696bdd0-3541-11ee-9d77-e98ff6d47746&amp;client=76f99bdb8f78cd44cc0b&amp;signature=aac44e401f7cb4c4a646ca784a3a43da1693a625</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=privacy.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_insurance.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_investor.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/disclaimer.htm?url=http://www.microsoft.com</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/showAccount?listAccounts=800002</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20061005.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060928.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/customize.jsp?content=customize.jsp&amp;lang=english</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/ccApply</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/images/spacer.gif</url>
      <reason>FilteredUrl.FileExtension</reason>
    </item>
    <item>
      <url>http://www.exampledomainnotinuse.org/mybeacon.gif</url>
      <reason>FilteredUrl.Untrusted</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/feedback.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_checking.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_loans.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_investments.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_lending.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_insurance.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_retirement.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_about.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_investor.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_press.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_careers.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=security.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/status_check.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/index.html</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/sendFeedback</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_community.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060921.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060817.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060720.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060518.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=pr/20060413.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_internships.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp?step=c</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=ExecutiveAssistant:Administration</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=Teller:ConsumaerBanking</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=CustomerServiceRepresentative:CustomerService</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=LoyaltyMarketingProgramManager:Marketing</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_jobs.htm&amp;job=MortgageLendingAccountExecutive:Sales</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/feedback.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_checking.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_loans.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_investments.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_lending.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_insurance.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_retirement.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_about.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_investor.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_press.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_careers.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_savings.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=privacy.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=security.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/status_check.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/index.html</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_contact.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/feedback.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_checking.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_loans.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_investments.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_deposit.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_lending.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_cards.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_insurance.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_retirement.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=business_other.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_about.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_investor.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_press.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=inside_careers.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/subscribe.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=personal_savings.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=privacy.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/survey_questions.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/index.jsp?content=security.htm</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/status_check.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/swagger/index.html</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/search.jsp?query=1234</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/</url>
      <reason>FilteredUrl.BodySimilar</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/doLogin</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
      <reason>FilteredUrl.BodySimilar</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/main.jsp</url>
      <reason>FilteredUrl.BodySimilar</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/admin/admin.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/login.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/doLogin</url>
      <reason>FilteredUrl.PredictableUrl</reason>
    </item>
    <item>
      <url>https://demo.testfire.net/bank/main.jsp</url>
      <reason>FilteredUrl.DomSimilarity</reason>
    </item>
  </filtered-link-group>
</xml-report>