/
vulnerabilities.xml
265 lines (265 loc) · 17.7 KB
/
vulnerabilities.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
<?xml version="1.0" encoding="UTF-8"?>
<report type="security">
<generatedBy id="Wapiti 2.2.1"/>
<bugTypeList>
<bugType name="SQL Injection">
<bugList>
<bug level="1">
<url>http://testphp.vulnweb.com/listproducts.php?artist=%BF%27%22%28</url>
<parameter>artist=%BF%27%22%28</parameter>
<info>MySQL Injection (artist)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/listproducts.php?cat=%BF%27%22%28</url>
<parameter>cat=%BF%27%22%28</parameter>
<info>MySQL Injection (cat)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/secured/newuser.php</url>
<parameter>uphone=on&urname=on&uemail=on&upass=on&ucc=on&upass2=on&uaddress=on&uuname=%BF%27%22%28&signup=signup</parameter>
<info>MySQL Injection coming from http://testphp.vulnweb.com/signup.php</info>
</bug>
</bugList>
<description>
<![CDATA[SQL injection is a technique that exploits a vulnerability occurring in the database of an application.]]> </description>
<solution>
<![CDATA[To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered or parameterized statements must be used.]]> </solution>
<references>
<reference>
<title>http://www.owasp.org/index.php/SQL_Injection</title>
<url>http://www.owasp.org/index.php/SQL_Injection</url>
</reference>
<reference>
<title>http://en.wikipedia.org/wiki/SQL_injection</title>
<url>http://en.wikipedia.org/wiki/SQL_injection</url>
</reference>
</references>
</bugType>
<bugType name="Blind SQL Injection">
<bugList>
<bug level="1">
<url>http://testphp.vulnweb.com/product.php?pic=sleep%287%29%23</url>
<parameter>pic=sleep%287%29%23</parameter>
<info>Blind SQL Injection (pic)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/artists.php?artist=sleep%287%29%23</url>
<parameter>artist=sleep%287%29%23</parameter>
<info>Blind SQL Injection (artist)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/search.php?test=query</url>
<parameter>searchFor=%27+or+sleep%287%29%3D%27&goButton=682djy3wte</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/search.php?test=query</url>
<parameter>searchFor=%27+or+sleep%287%29%3D%27&goButton=njyxs2x9f7</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/index.php</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/search.php?test=query</url>
<parameter>searchFor=%27+or+sleep%287%29%3D%27&goButton=go</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/categories.php</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/userinfo.php</url>
<parameter>uname=%27+or+sleep%287%29%23&pass=vy3r70cwmr</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/login.php</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/userinfo.php</url>
<parameter>uname=ppwy1j0kib&pass=%27+or+sleep%287%29%23</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/login.php</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/secured/newuser.php</url>
<parameter>uphone=a9b7r85ixa&urname=h6m243r3mf&uemail=tliu2jv45x&upass=3vj4p5af5s&ucc=7l7jhpunxn&upass2=1cmptdsb1g&uaddress=rsdjkg32hh&uuname=%27+or+sleep%287%29%23&signup=x9s4mdx3rj</parameter>
<info>Blind SQL Injection coming from http://testphp.vulnweb.com/signup.php</info>
</bug>
</bugList>
<description>
<![CDATA[Blind SQL injection is a technique that exploits a vulnerability occurring in the database of an application. This kind of vulnerability is harder to detect than basic SQL injections because no error message will be displayed on the webpage.]]> </description>
<solution>
<![CDATA[To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered or parameterized statements must be used.]]> </solution>
<references>
<reference>
<title>http://www.imperva.com/resources/adc/blind_sql_server_injection.html</title>
<url>http://www.imperva.com/resources/adc/blind_sql_server_injection.html</url>
</reference>
<reference>
<title>http://www.owasp.org/index.php/Blind_SQL_Injection</title>
<url>http://www.owasp.org/index.php/Blind_SQL_Injection</url>
</reference>
</references>
</bugType>
<bugType name="File Handling">
<bugList>
<bug level="1">
<url>http://testphp.vulnweb.com/showimage.php?file=http%3A%2F%2Fwww.google.fr%2F</url>
<parameter>file=http%3A%2F%2Fwww.google.fr%2F</parameter>
<info>Remote include (file)</info>
</bug>
</bugList>
<description>
<![CDATA[This attack is also known as Path Transversal or Directory Transversal, its aim is the access to files and directories that are stored outside the web root folder. The attacker tries to explore the directories stored in the web server. The attacker uses some techniques, for instance, the manipulation of variables that reference files with 'dot-dot-slash (../)' sequences and its variations to move up to root directory to navigate through the file system.]]> </description>
<solution>
<![CDATA[Prefer working without user input when using file system calls<br>Use indexes rather than actual portions of file names when templating or using language files (ie value 5 from the user submission = Czechoslovakian, rather than expecting the user to return 'Czechoslovakian').<br>Ensure the user cannot supply all parts of the path – surround it with your path code.<br>Validate the user’s input by only accepting known good – do not sanitize the data.<br>Use chrooted jails and code access policies to restrict where the files can be obtained or saved to.]]> </solution>
<references>
<reference>
<title>http://www.owasp.org/index.php/Path_Traversal</title>
<url>http://www.owasp.org/index.php/Path_Traversal</url>
</reference>
<reference>
<title>http://www.acunetix.com/websitesecurity/directory-traversal.htm</title>
<url>http://www.acunetix.com/websitesecurity/directory-traversal.htm</url>
</reference>
</references>
</bugType>
<bugType name="Cross Site Scripting">
<bugList>
<bug level="1">
<url>http://testphp.vulnweb.com/hpp/?pp=%22%3E%3C%2Fa%3E%3Cscript%3Ealert%28%27s6jxugci4f%27%29%3C%2Fscript%3E</url>
<parameter>pp=%22%3E%3C%2Fa%3E%3Cscript%3Ealert%28%27s6jxugci4f%27%29%3C%2Fscript%3E</parameter>
<info>XSS (pp)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/showimage.php?file=%3Cscript%3Ealert%28%276k6613jay7%27%29%3C%2Fscript%3E</url>
<parameter>file=%3Cscript%3Ealert%28%276k6613jay7%27%29%3C%2Fscript%3E</parameter>
<info>XSS (file)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/hpp/params.php?p=%3Cscript%3Ealert%28%27jcjmr3y1we%27%29%3C%2Fscript%3E&pp=12</url>
<parameter>p=%3Cscript%3Ealert%28%27jcjmr3y1we%27%29%3C%2Fscript%3E&pp=12</parameter>
<info>XSS (p)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=%3Cscript%3Ealert%28%27xwu93dj9jy%27%29%3C%2Fscript%3E</url>
<parameter>p=valid&pp=%3Cscript%3Ealert%28%27xwu93dj9jy%27%29%3C%2Fscript%3E</parameter>
<info>XSS (pp)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/listproducts.php?artist=%3Cscript%3Ealert%28%27jkwrq2bpdp%27%29%3C%2Fscript%3E</url>
<parameter>artist=%3Cscript%3Ealert%28%27jkwrq2bpdp%27%29%3C%2Fscript%3E</parameter>
<info>XSS (artist)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/listproducts.php?cat=%3Cscript%3Ealert%28%273lelf1k3ln%27%29%3C%2Fscript%3E</url>
<parameter>cat=%3Cscript%3Ealert%28%273lelf1k3ln%27%29%3C%2Fscript%3E</parameter>
<info>XSS (cat)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/search.php?test=query</url>
<parameter>searchFor=%3Cscript%3Ealert%28%27od43t7495m%27%29%3C%2Fscript%3E&goButton=go</parameter>
<info>XSS (searchFor)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/guestbook.php</url>
<parameter>text=%3Cscript%3Ealert%28%279llvmtjnbe%27%29%3C%2Fscript%3E&name=anonymous+user&submit=add+message</parameter>
<info>XSS (text)</info>
</bug>
<bug level="1">
<url>http://testphp.vulnweb.com/guestbook.php</url>
<parameter>text=9llvmtjnbe&name=%3Cscript%3Ealert%28%27w9yvwf61ba%27%29%3C%2Fscript%3E&submit=add+message</parameter>
<info>XSS (name)</info>
</bug>
</bugList>
<description>
<![CDATA[Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.]]> </description>
<solution>
<![CDATA[The best way to protect a web application from XSS attacks is ensure that the application performs validation of all headers, cookies, query strings, form fields, and hidden fields. Encoding user supplied output in the server side can also defeat XSS vulnerabilities by preventing inserted scripts from being transmitted to users in an executable form. Applications can gain significant protection from javascript based attacks by converting the following characters in all generated output to the appropriate HTML entity encoding: <, >, &, ", ', (, ), #, %, ; , +, -.]]> </solution>
<references>
<reference>
<title>http://en.wikipedia.org/wiki/Cross-site_scripting</title>
<url>http://en.wikipedia.org/wiki/Cross-site_scripting</url>
</reference>
<reference>
<title>http://www.owasp.org/index.php/Cross_Site_Scripting</title>
<url>http://www.owasp.org/index.php/Cross_Site_Scripting</url>
</reference>
</references>
</bugType>
<bugType name="CRLF">
<bugList/>
<description>
<![CDATA[The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. This combination of CR and LR is used for example when pressing 'Enter' on the keyboard. Depending on the application being used, pressing 'Enter' generally instructs the application to start a new line, or to send a command.]]> </description>
<solution>
<![CDATA[Check the submitted parameters and do not allow CRLF to be injected by filtering CRLF]]> </solution>
<references>
<reference>
<title>http://www.owasp.org/index.php/CRLF_Injection</title>
<url>http://www.owasp.org/index.php/CRLF_Injection</url>
</reference>
<reference>
<title>http://www.acunetix.com/websitesecurity/crlf-injection.htm</title>
<url>http://www.acunetix.com/websitesecurity/crlf-injection.htm</url>
</reference>
</references>
</bugType>
<bugType name="Commands execution">
<bugList/>
<description>
<![CDATA[This attack consists in executing system commands on the server. The attacker tries to inject this commands in the request parameters]]> </description>
<solution>
<![CDATA[Prefer working without user input when using file system calls]]> </solution>
<references>
<reference>
<title>http://www.owasp.org/index.php/Command_Injection</title>
<url>http://www.owasp.org/index.php/Command_Injection</url>
</reference>
</references>
</bugType>
<bugType name="Resource consumption">
<bugList/>
<description>
<![CDATA[An attacker can force a victim to consume more resources than should be allowed for the attacker's level of access. The program can potentially fail to release or incorrectly release a system resource. A resource is not properly cleared and made available for re-use. It can also be a false-positive due to a too short timeout used for the scan.]]> </description>
<solution>
<![CDATA[Configure properly the software giving the ressource to avoid memory consumption or system load.]]> </solution>
<references>
<reference>
<title>http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)</title>
<url>http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)</url>
</reference>
</references>
</bugType>
<bugType name="Htaccess Bypass">
<bugList/>
<description>
<![CDATA[htaccess files are used to restrict access to some files or HTTP method. In some case it may be possible to bypass this restriction and access the files.]]> </description>
<solution>
<![CDATA[Make sure every HTTP method is forbidden if the credentials are bad.]]> </solution>
<references>
<reference>
<title>http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html</title>
<url>http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html</url>
</reference>
</references>
</bugType>
<bugType name="Backup file">
<bugList/>
<description>
<![CDATA[It may be possible to find backup files of scripts on the webserver that thewebadmin put here to save a previous version or backup files that are automaticallygenerated by the software editor used (like for example Emacs). These copies may revealinteresting informations like source code or credentials]]> </description>
<solution>
<![CDATA[The webadmin must manually delete the backup files or remove it from the web root. He shouldalso reconfigure its editor to deactivate automatic backups]]> </solution>
<references>
<reference>
<title>Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)</title>
<url>http://www.owasp.org/index.php/Testing_for_Old,_Backup_and_Unreferenced_Files_(OWASP-CM-006)</url>
</reference>
</references>
</bugType>
<bugType name="Potentially dangerous file">
<bugList/>
<description>
<![CDATA[Some scripts are known to be vulnerable or dangerous. Databases of such files exists and attackers often scan websites to find such vulnerabilities and exploit them. ]]> </description>
<solution>
<![CDATA[The administrator should frequently check for new version of the scripts used on his server and keep informed of vulnerabilities in the software programs he uses by reading security-list or specialised RSS.]]> </solution>
<references>
<reference>
<title>The Open Source Vulnerability Database</title>
<url>http://osvdb.org/</url>
</reference>
</references>
</bugType>
</bugTypeList>
</report>