-
Notifications
You must be signed in to change notification settings - Fork 2
/
kb_autogenerated.go
849 lines (846 loc) · 72.9 KB
/
kb_autogenerated.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
package db
// NOTE: This file is automatically generated. Do not edit manually.
var (
ApacheStrutsDevModeCode IssueCode = "apache_struts_dev_mode"
ApacheTapestryExceptionCode IssueCode = "apache_tapestry_exception"
AspNetMvcHeaderCode IssueCode = "asp_net_mvc_header"
Base32EncodedDataInParameterCode IssueCode = "base32_encoded_data_in_parameter"
Base36EncodedDataInParameterCode IssueCode = "base36_encoded_data_in_parameter"
Base64EncodedDataInParameterCode IssueCode = "base64_encoded_data_in_parameter"
BlindSqlInjectionCode IssueCode = "blind_sql_injection"
CacheControlHeaderCode IssueCode = "cache_control_header"
CacheStorageUsageDetectedCode IssueCode = "cache_storage_usage_detected"
CdnDetectedCode IssueCode = "cdn_detected"
CertificateErrorsCode IssueCode = "certificate_errors"
ClientSidePrototypePollutionCode IssueCode = "client_side_prototype_pollution"
CloudDetectedCode IssueCode = "cloud_detected"
ConsoleUsageDetectedCode IssueCode = "console_usage_detected"
CorsCode IssueCode = "cors"
CrlfInjectionCode IssueCode = "crlf_injection"
CsrfCode IssueCode = "csrf"
CstiCode IssueCode = "csti"
DatabaseErrorsCode IssueCode = "database_errors"
DbConnectionStringsCode IssueCode = "db_connection_strings"
DirectoryListingCode IssueCode = "directory_listing"
DjangoDebugExceptionCode IssueCode = "django_debug_exception"
DomStorageEventsDetectedCode IssueCode = "dom_storage_events_detected"
EmailAddressesCode IssueCode = "email_addresses"
EsiDetectedCode IssueCode = "esi_detected"
EsiInjectionCode IssueCode = "esi_injection"
ExposedApiCredentialsCode IssueCode = "exposed_api_credentials"
FileUploadDetectedCode IssueCode = "file_upload_detected"
ForbiddenBypassCode IssueCode = "forbidden_bypass"
GrailsExceptionCode IssueCode = "grails_exception"
HeaderInsightsReportCode IssueCode = "header_insights_report"
HostHeaderInjectionCode IssueCode = "host_header_injection"
Http2DetectedCode IssueCode = "http2_detected"
Http3DetectedCode IssueCode = "http3_detected"
HttpMethodsCode IssueCode = "http_methods"
IdorCode IssueCode = "idor"
IncorrectContentTypeHeaderCode IssueCode = "incorrect_content_type_header"
IndexeddbUsageDetectedCode IssueCode = "indexeddb_usage_detected"
JavaDeserializationCode IssueCode = "java_deserialization"
JavaSerializedObjectDetectedCode IssueCode = "java_serialized_object_detected"
JavaServerHeaderCode IssueCode = "java_server_header"
JettyServerHeaderCode IssueCode = "jetty_server_header"
JwtDetectedCode IssueCode = "jwt_detected"
Log4shellCode IssueCode = "log4shell"
MissingContentTypeHeaderCode IssueCode = "missing_content_type_header"
MixedContentCode IssueCode = "mixed_content"
NetworkAuthChallengeDetectedCode IssueCode = "network_auth_challenge_detected"
NosqlInjectionCode IssueCode = "nosql_injection"
OobCommunicationsCode IssueCode = "oob_communications"
OpenRedirectCode IssueCode = "open_redirect"
OsCmdInjectionCode IssueCode = "os_cmd_injection"
ParameterPollutionCode IssueCode = "parameter_pollution"
PasswordFieldAutocompleteEnabledCode IssueCode = "password_field_autocomplete_enabled"
PasswordInGetRequestCode IssueCode = "password_in_get_request"
PrivateIpsCode IssueCode = "private_ips"
PrivateKeysCode IssueCode = "private_keys"
ReflectedInputCode IssueCode = "reflected_input"
RemoteFileInclusionCode IssueCode = "remote_file_inclusion"
SecretsInJsCode IssueCode = "secrets_in_js"
ServerHeaderCode IssueCode = "server_header"
ServerSidePrototypePollutionCode IssueCode = "server_side_prototype_pollution"
SessionTokenInUrlCode IssueCode = "session_token_in_url"
SniInjectionCode IssueCode = "sni_injection"
SqlInjectionCode IssueCode = "sql_injection"
SsiDetectedCode IssueCode = "ssi_detected"
SsiInjectionCode IssueCode = "ssi_injection"
SsrfCode IssueCode = "ssrf"
SstiCode IssueCode = "ssti"
StorageBucketDetectedCode IssueCode = "storage_bucket_detected"
StrictTransportSecurityHeaderCode IssueCode = "strict_transport_security_header"
TechStackFingerprintCode IssueCode = "tech_stack_fingerprint"
Text4shellCode IssueCode = "text4shell"
UnencryptedPasswordSubmissionCode IssueCode = "unencrypted_password_submission"
VulnerableJavascriptDependencyCode IssueCode = "vulnerable_javascript_dependency"
WafDetectedCode IssueCode = "waf_detected"
WebsocketDetectedCode IssueCode = "websocket_detected"
XAspVersionHeaderCode IssueCode = "x_asp_version_header"
XFrameOptionsHeaderCode IssueCode = "x_frame_options_header"
XPoweredByHeaderCode IssueCode = "x_powered_by_header"
XXssProtectionHeaderCode IssueCode = "x_xss_protection_header"
XpathInjectionCode IssueCode = "xpath_injection"
XsltInjectionCode IssueCode = "xslt_injection"
XssReflectedCode IssueCode = "xss_reflected"
XxeCode IssueCode = "xxe"
)
var issueTemplates = []IssueTemplate{
{
Code: ApacheStrutsDevModeCode,
Title: "Apache Struts Dev Mode Detected",
Description: "The application is running in Apache Struts development mode, which could expose sensitive information or debugging data.",
Remediation: "Ensure the application is running in production mode to prevent the exposure of sensitive information.",
Cwe: 215,
Severity: "Medium",
References: []string{"https://struts.apache.org/core-developers/development-mode"},
},
{
Code: ApacheTapestryExceptionCode,
Title: "Apache Tapestry Exception Detected",
Description: "The application exposes Apache Tapestry exceptions, potentially revealing sensitive information or system details.",
Remediation: "Configure the application to not expose detailed error messages to end users.",
Cwe: 209,
Severity: "Medium",
References: []string{},
},
{
Code: AspNetMvcHeaderCode,
Title: "ASP.NET MVC Header Disclosure",
Description: "The application discloses the use of ASP.NET MVC. This could aid an attacker in crafting ASP.NET MVC-specific exploits.",
Remediation: "Configure ASP.NET MVC to stop disclosing this information through headers.",
Cwe: 200,
Severity: "Low",
References: []string{},
},
{
Code: Base32EncodedDataInParameterCode,
Title: "Base32 Encoded Data Detected in Parameter",
Description: "The application has detected Base32 encoded data in a parameter. While this is not inherently a security vulnerability, it is informational and could be indicative of other issues, such as encoding sensitive information.",
Remediation: "Review the reason for using Base32 encoding in a parameter. If it is used to obfuscate sensitive data, consider more secure methods of data protection, such as encryption.",
Cwe: 310,
Severity: "Info",
References: []string{"https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url", "https://auth0.com/blog/encoding-encryption-hashing/"},
},
{
Code: Base36EncodedDataInParameterCode,
Title: "Base36 Encoded Data Detected in Parameter",
Description: "The application has detected Base36 encoded data in a parameter. While this is not inherently a security vulnerability, it is informational and could be indicative of other issues, such as encoding sensitive information.",
Remediation: "Review the reason for using Base36 encoding in a parameter. If it is used to obfuscate sensitive data, consider more secure methods of data protection, such as encryption.",
Cwe: 310,
Severity: "Info",
References: []string{"https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url", "https://auth0.com/blog/encoding-encryption-hashing/"},
},
{
Code: Base64EncodedDataInParameterCode,
Title: "Base64 Encoded Data Detected in Parameter",
Description: "The application has detected Base64 encoded data in a parameter. While this is not inherently a security vulnerability, it is informational and could be indicative of other issues, such as encoding sensitive information.",
Remediation: "Review the reason for using Base64 encoding in a parameter. If it is used to obfuscate sensitive data, consider more secure methods of data protection, such as encryption.",
Cwe: 310,
Severity: "Info",
References: []string{"https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url", "https://base64.guru/blog/base64-encryption-is-a-lie", "https://auth0.com/blog/encoding-encryption-hashing/"},
},
{
Code: BlindSqlInjectionCode,
Title: "Blind SQL Injection",
Description: "The application does not properly sanitize user input, potentially allowing for SQL injection attacks.",
Remediation: "Ensure all user-supplied input is properly sanitized before being used in SQL queries.",
Cwe: 89,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/Blind_SQL_Injection"},
},
{
Code: CacheControlHeaderCode,
Title: "Cache Control Header Misconfiguration",
Description: "The application's response can be cached, potentially leading to information disclosure or stale content.",
Remediation: "Configure your application's headers to prevent sensitive information from being cached. You can set 'Cache-Control: no-store' or 'Cache-Control: private' as needed.",
Cwe: 524,
Severity: "Low",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control"},
},
{
Code: CacheStorageUsageDetectedCode,
Title: "Cache Storage Usage Detection Report",
Description: "This report documents the detection of Cache Storage usage on specific pages of the application. Cache Storage is part of the Service Worker API and allows web applications to store and manage resources, such as files and data, in an efficient, versioned cache. Utilizing Cache Storage can significantly enhance performance by reducing load times and providing offline content access. However, improper management of cache storage can lead to security vulnerabilities, such as stale or sensitive data being inadvertently cached.",
Remediation: "While this report is primarily for informational purposes, it is recommended to periodically review the contents and management strategies of cache storage to ensure data integrity and security. Developers should implement and enforce policies for cache expiration and data sanitation to prevent leakage of sensitive information. Regular security audits should be performed to ensure that cached data does not expose the application to additional attack vectors.",
Cwe: 0,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage"},
},
{
Code: CdnDetectedCode,
Title: "CDN Detection Report",
Description: "A Content Delivery Network (CDN) has been detected for the target application. This could indicate enhanced performance and additional security layers.",
Remediation: "No remediation steps are required, as this report is intended for informational purposes only.",
Cwe: 0,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Glossary/CDN", "https://www.cloudflare.com/learning/cdn/what-is-a-cdn/"},
},
{
Code: CertificateErrorsCode,
Title: "Certificate Errors",
Description: "This report aggregates and highlights events related to security certificate errors within the applicationificate. These events are reported automatically by the browser and typically indicate problems with SSL/TLS certificates, such as expiration, misconfiguration, or untrusted issuers, which can undermine the security of communications and erode user trust.",
Remediation: "Address certificate-related issues promptly to maintain secure, encrypted channels for user communications. Verify that all certificates are up-to-date, properly configured, and issued by a trusted Certificate Authority (CA). Implement automated alerts and renewals for certificates to avoid expirations. Consider using tools for continuous monitoring and validation of certificate status across your digital assets.",
Cwe: 295,
Severity: "Medium",
References: []string{"https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning", "https://letsencrypt.org/docs/certificate-errors/"},
},
{
Code: ClientSidePrototypePollutionCode,
Title: "Client-Side Prototype Pollution Detected",
Description: "The application appears to be vulnerable to Client-Side Prototype Pollution (CSPP) attacks. This vulnerability occurs when the application processes user-supplied input with the JavaScript function `Object.assign()`, or uses it to clone an object. An attacker can inject properties into object prototypes, potentially leading to a variety of impacts, including denial-of-service, alteration of script behavior, or cross-site scripting (XSS) if the polluted properties are used in a DOM context.",
Remediation: "To mitigate this vulnerability, avoid using the `Object.assign()` function with user-supplied input. If user input must be used, ensure it is thoroughly validated and sanitized first. Implement proper input validation and sanitization procedures. Also, be aware of how your client-side code handles object properties and ensure that all code which reads from object properties handles unexpected values correctly.",
Cwe: 20,
Severity: "Low",
References: []string{"https://portswigger.net/web-security/prototype-pollution/client-side", "https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution"},
},
{
Code: CloudDetectedCode,
Title: "Cloud Service Detection Report",
Description: "The target application is hosted on a cloud service, which could be indicative of specific security configurations or vulnerabilities.",
Remediation: "No remediation steps are required, as this report is intended for informational purposes only.",
Cwe: 0,
Severity: "Info",
References: []string{"https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"},
},
{
Code: ConsoleUsageDetectedCode,
Title: "Console Usage Detection Report",
Description: "This report identifies instances of console usage within the application. Console logs are often used for debugging purposes and can inadvertently expose sensitive information in the JavaScript code that is accessible to end users through the browser's developer tools. This exposure can pose security risks if logs contain data like user tokens, passwords, or other sensitive details.",
Remediation: "To mitigate the risks associated with console log usage, developers should remove or mask console logs before deploying applications to production. Implement a logging strategy that directs sensitive or debug-level information to secure, server-side logs instead of client-facing consoles. Use environment-based conditional logging to ensure that detailed logs are only available during development or testing phases and not in production.",
Cwe: 532,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/API/console/log_static", "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"},
},
{
Code: CorsCode,
Title: "Cross Origin Resource Sharing (CORS)",
Description: "The application has misconfigured Cross-Origin Resource Sharing (CORS) policies, potentially allowing unauthorized domains access to sensitive data.",
Remediation: "Ensure that the CORS policies are properly configured to only allow trusted domains to access resources. In many cases, it is advisable to use a whitelist approach where only specifically allowed domains are permitted access.",
Cwe: 942,
Severity: "Medium",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS", "https://book.hacktricks.xyz/pentesting-web/cors-bypass"},
},
{
Code: CrlfInjectionCode,
Title: "CRLF Injection Detected",
Description: "The application appears to be vulnerable to CRLF (Carriage Return Line Feed) injection attacks. This vulnerability occurs when the application does not properly sanitize user-supplied input that is then used in HTTP headers. An attacker can exploit this vulnerability to manipulate HTTP headers and control the HTTP response body, potentially leading to HTTP response splitting, session hijacking, cross-site scripting (XSS) attacks, or other injection attacks.",
Remediation: "To mitigate this vulnerability, sanitize and validate all user-supplied inputs that are incorporated into HTTP headers. Remove or escape CRLF sequences and other control characters. Use allowlists of acceptable inputs, rather than denylists of bad inputs. In addition, configure your web server to ignore or reject HTTP headers that contain CR or LF characters. Regular code reviews and penetration testing can help to identify and mitigate such issues.",
Cwe: 93,
Severity: "Medium",
References: []string{"https://owasp.org/www-community/vulnerabilities/CRLF_Injection"},
},
{
Code: CsrfCode,
Title: "Cross-Site Request Forgery Detected",
Description: "The application appears to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability occurs when the application allows an attacker to trick an authenticated user into performing an unwanted action without their consent. An attacker can exploit this vulnerability to carry out actions with the same permissions as the victim, potentially leading to unauthorized data access, data loss, or account compromise.",
Remediation: "To mitigate this vulnerability, ensure that the application uses anti-CSRF tokens in every form or state changing request. These tokens should be tied to a user's session and included in every form or AJAX request that might result in a change of state for the user's data or settings. Also, make sure the application checks for the presence and correctness of this token before processing any such requests.",
Cwe: 352,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/csrf", "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"},
},
{
Code: CstiCode,
Title: "Client-Side Template Injection",
Description: "The application appears to be vulnerable to Client-Side Template Injection (CSTI). This vulnerability occurs when an attacker manipulates client-side templating engines by injecting malicious content into templates. Such actions can lead to Cross-Site Scripting (XSS) and other client-side vulnerabilities. This typically arises from the application dynamically inserting untrusted data into templates without adequate sanitization or validation.",
Remediation: "To mitigate CSTI vulnerabilities, ensure all user input is thoroughly sanitized before being processed by client-side templating engines. Employ Content Security Policy (CSP) headers to lessen the impact of any successful injections. Opt for templating libraries that automatically handle encoding and escaping of user-supplied data. Regularly perform code audits to identify and secure potential injection points.",
Cwe: 116,
Severity: "High",
References: []string{"https://book.hacktricks.xyz/pentesting-web/client-side-template-injection-csti", "https://ryhanson.com/angular-expression-injection-walkthrough/", "https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs"},
},
{
Code: DatabaseErrorsCode,
Title: "Database Errors Detected",
Description: "The application exposes database errors, which can leak sensitive information about the database setup and potentially the structure of the underlying data model. This could be valuable information for an attacker looking to exploit the application.",
Remediation: "Avoid exposing database errors publicly. Consider implementing a global exception handler that can catch any unhandled exceptions and return a generic error message to the user. Detailed error information should be logged for debugging, but should not be exposed to the user or over insecure channels. Regular code reviews and penetration testing can help to identify and mitigate such issues.",
Cwe: 209,
Severity: "Medium",
References: []string{},
},
{
Code: DbConnectionStringsCode,
Title: "Database Connection Strings Detected",
Description: "The application exposes database connection strings, which can provide sensitive information about the database setup, including credentials.",
Remediation: "Avoid exposing database connection strings publicly to mitigate potential information leakage.",
Cwe: 200,
Severity: "High",
References: []string{"https://en.wikipedia.org/wiki/Connection_string", "https://www.connectionstrings.com/"},
},
{
Code: DirectoryListingCode,
Title: "Directory Listing Enabled",
Description: "The application allows directory listings, which could expose sensitive files or information to attackers.",
Remediation: "Disable directory listings to prevent unauthorized access to file listings.",
Cwe: 548,
Severity: "Low",
References: []string{"https://wiki.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing"},
},
{
Code: DjangoDebugExceptionCode,
Title: "Django Debug Page Exception Detected",
Description: "The application is running in Django's debug mode, which could expose sensitive information or debugging data.",
Remediation: "Ensure the application is running in production mode to prevent the exposure of sensitive information.",
Cwe: 215,
Severity: "Medium",
References: []string{"https://docs.djangoproject.com/en/stable/ref/settings/#debug"},
},
{
Code: DomStorageEventsDetectedCode,
Title: "DOM Storage Events Detection Report",
Description: "This report identifies the detection of DOM Storage events on a specific page of the application. DOM Storage, including LocalStorage and SessionStorage, allows websites to store data in the user's browser. Monitoring these storage events can provide insights into how data is stored and managed by the application, which may indicate potential security concerns or privacy issues if sensitive data is handled improperly.",
Remediation: "No specific remediation steps are required as this report serves purely informational purposes. However, it is recommended to review the usage of DOM Storage to ensure that sensitive information is not being stored insecurely or without proper encryption. Regular audits and compliance checks should be conducted to ensure that data storage practices adhere to relevant data protection standards and regulations.",
Cwe: 0,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/API/Window/DOMStorage", "https://portswigger.net/web-security/dom-based/html5-storage-manipulation"},
},
{
Code: EmailAddressesCode,
Title: "Email Addresses Detected",
Description: "The application exposes email addresses, potentially making users or administrators targets for spam or phishing attacks.",
Remediation: "Avoid displaying email addresses publicly, or use techniques to obfuscate them to make it harder for automated tools to collect them.",
Cwe: 200,
Severity: "Low",
References: []string{},
},
{
Code: EsiDetectedCode,
Title: "Edge Side Includes (ESI) Detection",
Description: "The application appears to support Edge Side Includes (ESI), although this does not necessarily indicate a vulnerability. ESI can, however, be leveraged in certain scenarios if not properly secured.",
Remediation: "Monitor and review the usage of ESI within the application. Ensure that its implementation does not expose sensitive data or functionalities.",
Cwe: 918,
Severity: "Info",
References: []string{"https://en.wikipedia.org/wiki/Edge_Side_Includes", "https://www.w3.org/TR/esi-lang/"},
},
{
Code: EsiInjectionCode,
Title: "Edge Side Includes (ESI) Injection",
Description: "The application does not properly sanitize user input, potentially allowing for Edge Side Includes (ESI) injection attacks. This can be exploited to perform actions such as Server Side Request Forgeries (SSRF) or disclose sensitive information.",
Remediation: "Ensure all user-supplied input is properly sanitized before being processed by the application. Avoid dynamically constructing ESI tags based on user input.",
Cwe: 74,
Severity: "High",
References: []string{"https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/", "https://en.wikipedia.org/wiki/Edge_Side_Includes", "https://www.w3.org/TR/esi-lang/"},
},
{
Code: ExposedApiCredentialsCode,
Title: "Exposed API Credentials Detected",
Description: "The application appears to have API credentials exposed. This vulnerability occurs when API keys, tokens or other forms of credentials are unintentionally exposed within the application, which could allow an attacker to misuse these credentials to gain unauthorized access or perform actions on behalf of the application.",
Remediation: "To mitigate this vulnerability, ensure that API credentials are securely stored and not embedded in the code directly. Environment variables or secure credential storage should be used. Make sure to not commit these credentials in the version control system. If these exposed credentials have been used, consider them compromised and replace them immediately.",
Cwe: 798,
Severity: "High",
References: []string{"https://support.google.com/googleapi/answer/6310037?hl=en"},
},
{
Code: FileUploadDetectedCode,
Title: "File Upload Detected",
Description: "The application allows file uploads, which can expose it to various security vulnerabilities if not properly managed.",
Remediation: "Ensure that file upload functionality is secured, including validating/sanitizing uploaded files, setting proper file permissions, and storing files in a secure location.",
Cwe: 434,
Severity: "Info",
References: []string{"https://book.hacktricks.xyz/pentesting-web/file-upload", "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html"},
},
{
Code: ForbiddenBypassCode,
Title: "Forbidden Bypass (401/403)",
Description: "The application fails to properly enforce access restrictions, allowing attackers to bypass 401 Unauthorized or 403 Forbidden responses. This vulnerability can lead to unauthorized access to protected resources.",
Remediation: "Ensure strict access controls are in place and effectively enforced. Audit and review all endpoints that return 401 or 403 responses to validate their security against bypass attempts.",
Cwe: 285,
Severity: "High",
References: []string{"https://owasp.org/Top10/A01_2021-Broken_Access_Control/", "https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses", "https://blog.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right"},
},
{
Code: GrailsExceptionCode,
Title: "Grails Runtime Exception Detected",
Description: "The application exposes Grails runtime exceptions, which could provide an attacker with valuable system information.",
Remediation: "Configure the application to not expose detailed error messages to end users.",
Cwe: 209,
Severity: "Medium",
References: []string{},
},
{
Code: HeaderInsightsReportCode,
Title: "Header Insights Report",
Description: "This report offers a comprehensive overview of the HTTP headers used by the application. While HTTP headers can provide important information about security controls, technology stacks, and other aspects, this report is intended for informational purposes and is not indicative of security vulnerabilities.",
Remediation: "No remediation steps are required, as this report is intended for informational purposes. However, the insights can be valuable for understanding the application's behavior, debugging issues, or for future security assessments.",
Cwe: 0,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers", "https://owasp.org/www-project-secure-headers/"},
},
{
Code: HostHeaderInjectionCode,
Title: "Host Header Injection",
Description: "The application appears to be vulnerable to Host Header Injection. This vulnerability occurs when a user is able to manipulate the Host header and the application trusts the header without proper validation. This can lead to vulnerabilities such as web cache poisoning, password reset poisoning, and malicious redirections.",
Remediation: "To mitigate this vulnerability, validate and sanitize incoming Host headers. Use a whitelist of allowed domains and hostnames. Ensure that the application generates absolute URLs using a known good base URL, rather than relying on the incoming Host header. Additionally, implement proper logging of incorrect Host header attempts and regularly review for suspicious activities.",
Cwe: 601,
Severity: "Medium",
References: []string{"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection", "https://portswigger.net/web-security/host-header"},
},
{
Code: Http2DetectedCode,
Title: "HTTP/2 Protocol in Use",
Description: "The application has been detected using the HTTP/2 protocol. While HTTP/2 provides significant benefits in performance and features, like header compression, multiplexing, and prioritization, it's not without some HTTP/2 specific vulnerabilities such as certain request smuggling techniques.",
Remediation: "Ensure that the server appropriately announces its support for HTTP/2 and that the HTTP/2 implementation adheres to best practices. Keep server software or supporting libraries updated to receive the latest security patches.",
Cwe: 0,
Severity: "Info",
References: []string{"https://portswigger.net/research/http2", "https://tools.ietf.org/html/rfc7540", "https://developers.google.com/web/fundamentals/performance/http2"},
},
{
Code: Http3DetectedCode,
Title: "HTTP/3 Protocol in Use",
Description: "The application is utilizing the HTTP/3 protocol. HTTP/3, the successor to HTTP/2, offers performance enhancements and operates over the QUIC transport protocol, which aims to improve upon the shortcomings of TCP. This includes benefits like reduced latency and better congestion control. However, as with any protocol, incorrect implementations or configurations can introduce vulnerabilities specific to HTTP/3 and QUIC.",
Remediation: "Ensure the server signals its support for HTTP/3 correctly and that the HTTP/3 and QUIC implementations align with best practices. Regularly update server software or libraries that handle HTTP/3 to incorporate the latest security improvements.",
Cwe: 0,
Severity: "Info",
References: []string{"https://www.cloudflare.com/learning/performance/what-is-http3/", "https://www.rfc-editor.org/rfc/rfc9114.html", "https://portswigger.net/research/http-3-connection-contamination"},
},
{
Code: HttpMethodsCode,
Title: "HTTP Methods",
Description: "The application allows the use of potentially dangerous HTTP methods.",
Remediation: "Make sure the HTTP Methods are properly configured and only the necessary ones are allowed.",
Cwe: 20,
Severity: "Low",
References: []string{},
},
{
Code: IdorCode,
Title: "Insecure Direct Object Reference (IDOR) Detected",
Description: "The application appears to be vulnerable to Insecure Direct Object References (IDOR). This vulnerability occurs when an attacker can access or modify objects (e.g., database records, files) directly by manipulating input parameters, such as URLs or form fields, without proper authorization checks. IDOR can lead to unauthorized data disclosure, data tampering, or other unintended actions.",
Remediation: "To mitigate this vulnerability, implement proper access controls for all application objects. Ensure that each request for a specific object is accompanied by an authorization check to determine if the user has the necessary permissions to access or modify the object. Use indirect references, like session-based mappings, instead of direct object references in URLs or form fields. Regularly review application logs for suspicious activity and conduct thorough testing to identify potential IDOR vulnerabilities.",
Cwe: 639,
Severity: "High",
References: []string{"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References", "https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html", "https://en.wikipedia.org/wiki/Insecure_direct_object_reference"},
},
{
Code: IncorrectContentTypeHeaderCode,
Title: "Incorrect Content Type Header",
Description: "The application does not correctly specify the content type of the response, potentially leading to security vulnerabilities such as MIME sniffing attacks.",
Remediation: "Always specify a correct 'Content-Type' header in the response. Use 'X-Content-Type-Options: nosniff' to prevent the browser from MIME-sniffing a response away from the declared content-type.",
Cwe: 16,
Severity: "Medium",
References: []string{},
},
{
Code: IndexeddbUsageDetectedCode,
Title: "IndexedDB Usage Detection Report",
Description: "This report highlights the usage of IndexedDB on specific pages of the application. IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs. This allows web applications to store data persistently in a user's browser, and to function efficiently without an internet connection. Monitoring IndexedDB usage can provide insights into the application's data storage capabilities and potential areas where sensitive data might be stored or exposed.",
Remediation: "No specific remediation steps are required as this report is intended for informational purposes only. It is advisable for developers and security teams to ensure that IndexedDB is used securely and in compliance with data protection standards. Data stored using IndexedDB should be encrypted if it contains sensitive or personal information. Regular security reviews and audits should be performed to validate data handling practices and to mitigate potential exposure risks.",
Cwe: 0,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API", "https://www.researchgate.net/publication/259081595_An_Investigation_into_Possible_Attacks_on_HTML5_IndexedDB_and_their_Prevention"},
},
{
Code: JavaDeserializationCode,
Title: "Insecure Java Deserialization Detected",
Description: "The application appears to be vulnerable to insecure Java deserialization attacks. This vulnerability arises when an application deserializes untrusted data without proper validation. An attacker can exploit this vulnerability to execute arbitrary code, bypass authentication, or perform other malicious activities.",
Remediation: "To mitigate this vulnerability, avoid deserializing untrusted data. Use safe serialization libraries or frameworks that do not allow the execution of arbitrary code. Implement strong type-checking during deserialization and apply the principle of least privilege. Regularly update and patch Java libraries to protect against known deserialization exploits.",
Cwe: 502,
Severity: "Critical",
References: []string{"https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization", "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://snyk.io/blog/serialization-and-deserialization-in-java/", "https://github.com/frohoff/ysoserial"},
},
{
Code: JavaSerializedObjectDetectedCode,
Title: "Java serialized object resonse detected",
Description: "A java serialized object response has been detected, this would require further manual investigation to check for possible deserialization vulnerabilities",
Remediation: "N/A",
Cwe: 0,
Severity: "Info",
References: []string{"https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html", "https://maxchadwick.xyz/blog/java-serialized-object-detection", "https://portswigger.net/web-security/deserialization/exploiting"},
},
{
Code: JavaServerHeaderCode,
Title: "Java Version Detected",
Description: "The application's server response header discloses the version of Java in use. This could potentially provide valuable information to an attacker seeking to exploit a known vulnerability in the disclosed Java version.",
Remediation: "Configure your server to not disclose software version information in its response headers. Alternatively, ensure your software versions are regularly updated to the latest versions, mitigating the risk of known vulnerabilities.",
Cwe: 200,
Severity: "Low",
References: []string{},
},
{
Code: JettyServerHeaderCode,
Title: "Jetty Version Detected",
Description: "The application's server response header discloses the version of Jetty in use. An attacker can exploit this information to target known vulnerabilities in the disclosed Jetty version.",
Remediation: "Configure your server to not disclose software version information in its response headers. Alternatively, regularly update your Jetty version to the latest one to reduce the risk of known vulnerabilities.",
Cwe: 200,
Severity: "Low",
References: []string{},
},
{
Code: JwtDetectedCode,
Title: "JSON Web Token (JWT) Detected",
Description: "The application appears to use JSON Web Tokens (JWT). If not properly secured, JWTs can lead to various security issues, including token-based authentication vulnerabilities and identity spoofing.",
Remediation: "Ensure that JWTs are used securely. Implement proper validation and handling mechanisms. Consider using additional safeguards such as Token Binding, and never expose sensitive information in the payload of the JWT. Always verify the signature of incoming JWTs to confirm they were issued by your system.",
Cwe: 347,
Severity: "Info",
References: []string{"https://jwt.io/", "https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens", "https://github.com/ticarpi/jwt_tool"},
},
{
Code: Log4shellCode,
Title: "Log4Shell (Log4j Remote Code Execution)",
Description: "The application uses a vulnerable version of Log4j that allows remote code execution.",
Remediation: "Update Log4j to a patched version (2.15.0 or later).",
Cwe: 502,
Severity: "Critical",
References: []string{"https://logging.apache.org/log4j/2.x/security.html", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},
},
{
Code: MissingContentTypeHeaderCode,
Title: "Missing Content Type Header",
Description: "The application does not appear to be setting a content type in the response headers. This can lead to security vulnerabilities if the browser attempts to 'sniff' the MIME type, potentially leading to situations where content is interpreted and executed as a different type than intended. For example, an attacker might be able to trick a user's browser into interpreting a response body as HTML or JavaScript, leading to cross-site scripting vulnerabilities.",
Remediation: "To mitigate this vulnerability, ensure that all responses include a Content-Type header that accurately reflects the type of content being returned. If the content type is not known in advance, 'application/octet-stream' can be used as a general fallback. Avoid using 'text/plain' as this can still be sniffed in some situations. In addition, setting the 'X-Content-Type-Options: nosniff' header will instruct the browser not to attempt to sniff the MIME type.",
Cwe: 16,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"},
},
{
Code: MixedContentCode,
Title: "Mixed Content",
Description: "The application serves both secure (HTTPS) and insecure (HTTP) content, which may lead to some content being vulnerable to man-in-the-middle attacks.",
Remediation: "Ensure all content is served over a secure connection. Use HTTPS for all resources and avoid linking to insecure (HTTP) resources.",
Cwe: 16,
Severity: "Medium",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content", "https://web.dev/articles/what-is-mixed-content"},
},
{
Code: NetworkAuthChallengeDetectedCode,
Title: "Network Authentication Challenge Detection",
Description: "This report details instances where network authentication challenges (e.g., HTTP Basic Authentication, Digest Authentication) have been detected within the application. These authentication mechanisms prompt users to provide credentials to access certain network resources. While effective for simple authentication needs, these methods can expose credentials to risks if not used over secure connections or if implemented without additional security measures.",
Remediation: "To address potential security concerns associated with basic or digest authentication challenges, ensure all authentication processes occur over HTTPS to protect credentials in transit. Consider upgrading to more secure authentication methods, such as OAuth or JWTs, which provide enhanced security features and better user experience. Regularly review and update authentication protocols to adhere to current security best practices and mitigate potential vulnerabilities.",
Cwe: 303,
Severity: "Info",
References: []string{"https://datatracker.ietf.org/doc/html/rfc2617", "https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication"},
},
{
Code: NosqlInjectionCode,
Title: "NoSQL Injection Detected",
Description: "The application appears to be vulnerable to NoSQL injection attacks. This vulnerability occurs when the application uses user-supplied input to construct NoSQL queries without properly sanitizing or validating the input first. An attacker can exploit this vulnerability to manipulate queries, potentially leading to unauthorized data access, data loss, or data corruption.",
Remediation: "To mitigate this vulnerability, avoid constructing queries with user-supplied input whenever possible. Instead, use parameterized queries, which can help ensure that user input is not interpreted as part of the query. Implement proper input validation and sanitization procedures. Also, ensure that the least privilege principle is followed, and each function of the application has only the necessary access rights it needs to perform its tasks.",
Cwe: 943,
Severity: "High",
References: []string{"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection", "https://book.hacktricks.xyz/pentesting-web/nosql-injection"},
},
{
Code: OobCommunicationsCode,
Title: "Out of Band Communications",
Description: "The application sends sensitive information to an external server.",
Remediation: "Ensure all sensitive information is kept within the application and not sent to external servers.",
Cwe: 201,
Severity: "Medium",
References: []string{},
},
{
Code: OpenRedirectCode,
Title: "Open Redirect Detected",
Description: "The application appears to be vulnerable to open redirect attacks. This vulnerability occurs when an application accepts untrusted input that can cause the web application to redirect the request to a URL contained within untrusted input. This can be used in phishing attacks to redirect users to malicious sites.",
Remediation: "Ensure that all redirection URLs are validated against a white-list of trusted URLs. Avoid using user-supplied input to determine the destination of redirection without validation. If user input is utilized, ensure it is properly sanitized and validated against expected inputs.",
Cwe: 601,
Severity: "Medium",
References: []string{"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect", "https://learn.snyk.io/lesson/open-redirect/"},
},
{
Code: OsCmdInjectionCode,
Title: "OS Command Injection",
Description: "The application allows the execution of arbitrary operating system commands.",
Remediation: "Avoid using shell commands in application code. If unavoidable, use strongly typed parameter APIs to prevent injection.",
Cwe: 78,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/Command_Injection", "https://book.hacktricks.xyz/pentesting-web/command-injection"},
},
{
Code: ParameterPollutionCode,
Title: "Parameter Pollution Detected",
Description: "The application appears to be vulnerable to Parameter Pollution. This vulnerability occurs when the application does not properly validate or handle multiple instances of the same parameter. An attacker can exploit this by injecting additional parameters or by manipulating existing ones, potentially leading to a variety of impacts such as bypassing input validation, manipulating application logic, or accessing unauthorized data.",
Remediation: "Ensure that the application properly handles, validates, and sanitizes all parameters. Implement strict rules for processing incoming parameters and reject any requests with unexpected or repeated parameters. Regularly review application logic to ensure consistent handling of parameters throughout the application.",
Cwe: 235,
Severity: "Medium",
References: []string{"https://en.wikipedia.org/wiki/HTTP_parameter_pollution", "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution", "https://book.hacktricks.xyz/pentesting-web/parameter-pollution", "https://securityintelligence.com/posts/how-to-prevent-http-parameter-pollution/"},
},
{
Code: PasswordFieldAutocompleteEnabledCode,
Title: "Password Field Autocomplete Enabled",
Description: "The application's password fields have autocomplete enabled, which may pose a security risk by allowing password autofill on shared or public devices.",
Remediation: "Disable autocomplete on password fields to prevent passwords from being stored and auto-filled by the browser.",
Cwe: 200,
Severity: "Low",
References: []string{"https://wiki.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)"},
},
{
Code: PasswordInGetRequestCode,
Title: "Password Submitted in GET Request",
Description: "The application allows users to submit passwords using the GET method in URLs, which poses a significant security risk. Passwords transmitted in URLs are easily exposed in browser history, server logs, and can be intercepted by attackers. This vulnerability could lead to unauthorized access to user accounts and compromise sensitive information.",
Remediation: "To mitigate this vulnerability, never use the GET method to transmit sensitive data, including passwords. Use the POST method with HTTPS to ensure that data is not exposed in URLs and is encrypted during transmission. Additionally, review and sanitize server logs to prevent storing sensitive information and enforce strict guidelines for handling sensitive data transmission securely.",
Cwe: 598,
Severity: "Low",
References: []string{"https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url", "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html"},
},
{
Code: PrivateIpsCode,
Title: "Private IPs Detected",
Description: "The application exposes private IP addresses, which can provide useful information for potential attackers and expose the internal network structure.",
Remediation: "Avoid exposing private IP addresses publicly to mitigate potential information leakage.",
Cwe: 200,
Severity: "Low",
References: []string{"https://en.wikipedia.org/wiki/Private_network", "https://datatracker.ietf.org/doc/html/rfc1918"},
},
{
Code: PrivateKeysCode,
Title: "Private Keys Detected",
Description: "The application exposes private keys, which can provide crucial information for potential attackers and expose the system to unauthorized access.",
Remediation: "Private keys must be kept confidential and should never be exposed or sent over insecure channels. If a private key has been exposed, it should be considered compromised and a new key pair should be generated.",
Cwe: 522,
Severity: "High",
References: []string{"https://en.wikipedia.org/wiki/Public-key_cryptography", "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html"},
},
{
Code: ReflectedInputCode,
Title: "Input reflected in response",
Description: "Input reflection arises when data originating from a user request is directly echoed back in the application's immediate response. While not inherently a vulnerability, it serves as a crucial step for several client-side vulnerabilities abd certain server-side vulnerabilities like SQL injection become more discernible and exploitable when input is echoed back in responses.",
Remediation: "To avoid vulnerabilities raised due to input returned in response, implement robust input validation and output encoding mechanisms. Ensure that user-supplied data is thoroughly sanitized and validated before being echoed back in application responses. Employ context-aware encoding techniques to prevent various types of injection attacks and security misconfigurations.",
Cwe: 20,
Severity: "Info",
References: []string{"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"},
},
{
Code: RemoteFileInclusionCode,
Title: "Remote File Inclusion Detected",
Description: "The application appears to be vulnerable to Remote File Inclusion (RFI) attacks. This vulnerability occurs when the application uses user-supplied input to include remote files without properly sanitizing or validating the input first. An attacker can exploit this vulnerability to inject malicious scripts, potentially leading to unauthorized data access, data corruption, or even server takeover.",
Remediation: "To mitigate this vulnerability, avoid including files from remote servers whenever possible. When it is necessary to do so, ensure that the remote file's location is hard-coded or otherwise not influenced by user input. Also, implement proper input validation and sanitization procedures. Regular code reviews and penetration testing can help to identify and mitigate such issues.",
Cwe: 98,
Severity: "High",
References: []string{"https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion"},
},
{
Code: SecretsInJsCode,
Title: "Exposed Secrets in Javascript",
Description: "The application appears to contain sensitive data, such as API keys, passwords or cryptographic keys, directly within the JavaScript code. This exposure can lead to critical vulnerabilities as it provides potential attackers with sensitive details that can be used to exploit the application or other related systems.",
Remediation: "To mitigate this issue, never hard-code secrets into your JavaScript or any other client-side code. Instead, store secrets server-side and ensure they are securely transmitted and only to authenticated and authorized entities. Implement strict access controls and consider using secret management solutions. Regular code reviews can help to identify and remove any accidentally committed secrets.",
Cwe: 615,
Severity: "Medium",
References: []string{},
},
{
Code: ServerHeaderCode,
Title: "Server Header Disclosure",
Description: "The application discloses the server it's using through the Server header, potentially aiding attackers in crafting specific exploits.",
Remediation: "Remove the 'Server' header or configure your server to stop disclosing this information.",
Cwe: 200,
Severity: "Info",
References: []string{},
},
{
Code: ServerSidePrototypePollutionCode,
Title: "Server-Side Prototype Pollution Detected",
Description: "The application appears to be vulnerable to Server-Side Prototype Pollution (SSPP) attacks. This vulnerability occurs when the application allows modification of a JavaScript object prototype. When a function traverses the entire prototype chain, an attacker can inject properties into this chain, potentially leading to various impacts, such as denial-of-service, property overwrite, or even remote code execution if the polluted properties are used unsafely.",
Remediation: "To mitigate this vulnerability, avoid using user-supplied input in the object manipulation functions without proper validation. Validate and sanitize the inputs that are used for configuration. Be aware of the libraries or dependencies that your application uses and keep them updated. Regular code reviews and penetration testing can also help to identify and mitigate such issues.",
Cwe: 400,
Severity: "High",
References: []string{"https://portswigger.net/web-security/prototype-pollution/server-side", "https://portswigger.net/research/server-side-prototype-pollution", "https://arxiv.org/pdf/2207.11171.pdf"},
},
{
Code: SessionTokenInUrlCode,
Title: "Session Token In URL",
Description: "The application includes session tokens in URLs, potentially exposing sensitive data and enabling session hijacking.",
Remediation: "Do not include session tokens in URLs. Instead, use secure cookies to manage sessions.",
Cwe: 200,
Severity: "Medium",
References: []string{"https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"},
},
{
Code: SniInjectionCode,
Title: "Server Name Indication (SNI) Injection",
Description: "The application is vulnerable to Server Name Indication (SNI) Injection. This vulnerability occurs when the application does not validate or incorrectly processes the SNI during the TLS handshake process. An attacker can exploit this to inject arbitrary data, induce abnormal behavior in applications, or conduct Server-Side Request Forgery (SSRF) attacks.",
Remediation: "Properly validate and sanitize the SNI during the TLS handshake process. Consider implementing additional security measures such as input validation, parameterized queries, or appropriate encoding to prevent injection attacks. Be wary of how your application handles SNI, especially if you are using a Web Application Server (WAS) or Ingress.",
Cwe: 91,
Severity: "Medium",
References: []string{"https://www.cloudflare.com/learning/ssl/what-is-sni/", "https://www.hahwul.com/cullinan/sni-injection"},
},
{
Code: SqlInjectionCode,
Title: "SQL Injection Detected",
Description: "The application appears to be vulnerable to SQL injection attacks. This vulnerability occurs when the application uses user-supplied input to construct SQL queries without properly sanitizing or validating the input first. An attacker can exploit this vulnerability to manipulate queries, potentially leading to unauthorized data access, data loss, or data corruption.",
Remediation: "To mitigate this vulnerability, avoid constructing SQL queries with user-supplied input whenever possible. Instead, use parameterized queries or prepared statements, which can help ensure that user input is not interpreted as part of the SQL command. Implement proper input validation and sanitization procedures. Also, ensure that the least privilege principle is followed, and each function of the application has only the necessary access rights it needs to perform its tasks.",
Cwe: 89,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/SQL_Injection", "https://book.hacktricks.xyz/pentesting-web/sql-injection", "https://sqlmap.org/"},
},
{
Code: SsiDetectedCode,
Title: "Server Side Includes (SSI) Detection",
Description: "The application appears to support Server Side Includes (SSI), although this does not necessarily indicate a vulnerability. Improper implementation or usage of SSI can lead to vulnerabilities if not properly secured.",
Remediation: "Monitor and review the usage of SSI within the application. Ensure that its implementation does not expose sensitive data or functionalities.",
Cwe: 96,
Severity: "Info",
References: []string{"https://en.wikipedia.org/wiki/Server_Side_Includes"},
},
{
Code: SsiInjectionCode,
Title: "Server Side Includes (SSI) Injection",
Description: "The application does not properly sanitize user input, potentially allowing for Server Side Includes (SSI) injection attacks. This can be exploited to execute server-side commands or disclose sensitive information.",
Remediation: "Ensure all user-supplied input is properly sanitized before being processed by the application. Avoid dynamically constructing SSI directives based on user input.",
Cwe: 96,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection"},
},
{
Code: SsrfCode,
Title: "Server Side Request Forgery",
Description: "The application can be tricked into making arbitrary HTTP requests to internal services.",
Remediation: "Ensure the application does not make requests based on user-supplied data. If necessary, use a whitelist of approved domains.",
Cwe: 918,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery", "https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery"},
},
{
Code: SstiCode,
Title: "Server-Side Template Injection (SSTI) Detected",
Description: "The application appears to be vulnerable to Server-Side Template Injection (SSTI). This vulnerability occurs when an attacker can inject arbitrary template code into a template engine, resulting in unintended code execution on the server. Exploiting this vulnerability could allow attackers to execute arbitrary commands, read sensitive server-side files, or perform other malicious actions.",
Remediation: "To mitigate this vulnerability, ensure that user inputs are strictly sanitized before being passed to a template engine. Avoid using raw user input within templates without validation or sanitization. Implement strict input validation mechanisms and consider using safer template systems or configurations that restrict the capabilities of templates.",
Cwe: 94,
Severity: "High",
References: []string{"https://portswigger.net/research/server-side-template-injection", "https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection", "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection"},
},
{
Code: StorageBucketDetectedCode,
Title: "Storage Bucket Detected",
Description: "The application exposes storage bucket URLs or errors in the response. This can provide sensitive information about the storage setup.",
Remediation: "Avoid exposing storage bucket URLs or error messages publicly to mitigate potential information leakage. Make sure to handle errors gracefully and avoid revealing any sensitive information in error messages. It's recommended to manually review any detected storage buckets to verify if they are exposing sensitive information.",
Cwe: 200,
Severity: "Info",
References: []string{},
},
{
Code: StrictTransportSecurityHeaderCode,
Title: "Strict-Transport-Security Header Misconfiguration",
Description: "The application's HTTP Strict Transport Security (HSTS) policy is misconfigured, potentially leading to man-in-the-middle attacks.",
Remediation: "Configure your application's headers to properly set the HSTS policy, including 'max-age' and optionally 'includeSubDomains' and 'preload'.",
Cwe: 523,
Severity: "Low",
References: []string{},
},
{
Code: TechStackFingerprintCode,
Title: "Technology Stack Fingerprint Report",
Description: "This report provides a detailed fingerprint of the technology stack used by the target application. It identifies various technologies such as CMS platforms, JavaScript libraries, server software, and more. Knowing the technologies in use can offer insights into potential vulnerabilities and areas for further investigation.",
Remediation: "No remediation steps are required, as this report is intended for informational purposes. However, understanding the technologies in use can be valuable for identifying potential vulnerabilities specific to those technologies.",
Cwe: 0,
Severity: "Info",
References: []string{"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server", "https://www.wappalyzer.com/"},
},
{
Code: Text4shellCode,
Title: "Text4Shell Vulnerability Detected",
Description: "The application appears to be vulnerable to Text4Shell, a remote code execution vulnerability identified as CVE-2022-42889. This vulnerability affects Apache Commons Text versions 1.5 through 1.9 and occurs due to unsafe string interpolation methods that can execute arbitrary code if manipulated. Key interpolators involved are 'script', 'dns', and 'url' which, if exploited, could allow attackers to execute commands or access data remotely.",
Remediation: "Immediately update to Apache Commons Text version 1.10 or newer, which removes dangerous default interpolators. Ensure that all data entering string interpolation functions is sanitized and validate inputs to mitigate any potential exploitation. Review and restrict the use of interpolators in your environment to trusted functionality only.",
Cwe: 502,
Severity: "High",
References: []string{"https://security.apache.org/blog/cve-2022-42889/", "https://nvd.nist.gov/vuln/detail/cve-2022-42889"},
},
{
Code: UnencryptedPasswordSubmissionCode,
Title: "Unencrypted Password Submission Detected",
Description: "The application allows users to submit passwords over an unencrypted connection (HTTP), which poses a significant security risk. Passwords transmitted over HTTP are sent in plain text and can be intercepted by attackers monitoring network traffic. This vulnerability could lead to unauthorized access to user accounts and compromise sensitive information.",
Remediation: "To mitigate this vulnerability, ensure that all sensitive data, including passwords, is transmitted over a secure connection (HTTPS). Implement SSL/TLS encryption to protect data in transit and prevent eavesdropping. Additionally, enforce HTTPS redirection to automatically redirect users from HTTP to HTTPS to ensure secure communication. Regularly audit network configurations and monitor for any insecure communication channels.",
Cwe: 319,
Severity: "High",
References: []string{"https://owasp.org/www-community/vulnerabilities/Insecure_Transport", "https://letsencrypt.org/", "https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/"},
},
{
Code: VulnerableJavascriptDependencyCode,
Title: "Vulnerable JavaScript Dependency",
Description: "The application appears to be using a version of a JavaScript library which is known to be vulnerable. Using out-of-date libraries can expose the application to security risks, as vulnerabilities in the code may be exploited by an attacker.",
Remediation: "Upgrade the vulnerable library to the latest version or to the minimum secure version. Ensure all other libraries and dependencies are also up-to-date to prevent similar issues. Regular dependency checks and vulnerability scanning can help keep your application secure.",
Cwe: 937,
Severity: "Medium",
References: []string{"https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities"},
},
{
Code: WafDetectedCode,
Title: "Web Application Firewall (WAF) Detection Report",
Description: "A Web Application Firewall (WAF) has been detected for the target application, suggesting an additional layer of security.",
Remediation: "No remediation steps are required, as this report is intended for informational purposes only.",
Cwe: 0,
Severity: "Info",
References: []string{"https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/", "https://owasp.org/www-community/Web_Application_Firewall"},
},
{
Code: WebsocketDetectedCode,
Title: "WebSockets in Use",
Description: "The application appears to be using WebSockets. This could potentially lead to real-time interaction, data streaming, or possibly real-time vulnerability exploitation if not properly secured.",
Remediation: "Ensure that the WebSocket connection is secure (wss://) and that appropriate authentication, authorization, and validation measures are in place for any data transmitted over the WebSocket.",
Cwe: 749,
Severity: "Info",
References: []string{},
},
{
Code: XAspVersionHeaderCode,
Title: "X-AspNet-Version Header Disclosure",
Description: "The application discloses the ASP.NET version it's using through the X-AspNet-Version header, potentially aiding attackers in crafting specific exploits.",
Remediation: "Remove the 'X-AspNet-Version' header or configure your ASP.NET application to stop disclosing this information.",
Cwe: 200,
Severity: "Info",
References: []string{},
},
{
Code: XFrameOptionsHeaderCode,
Title: "X-Frame-Options Header Missing or Incorrect",
Description: "The application does not correctly specify the X-Frame-Options header, potentially leading to clickjacking attacks.",
Remediation: "Always specify a correct 'X-Frame-Options' header in the response. Recommended values are 'DENY' or 'SAMEORIGIN'.",
Cwe: 346,
Severity: "Low",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"},
},
{
Code: XPoweredByHeaderCode,
Title: "X-Powered-By Header Disclosure",
Description: "The application discloses the technology it's using through the X-Powered-By header, potentially aiding attackers in crafting specific exploits.",
Remediation: "Remove the 'X-Powered-By' header or configure your technology to stop disclosing this information.",
Cwe: 200,
Severity: "Info",
References: []string{},
},
{
Code: XXssProtectionHeaderCode,
Title: "X-XSS-Protection Header Missing or Incorrect",
Description: "The application does not correctly specify the X-XSS-Protection header, potentially leading to cross-site scripting attacks.",
Remediation: "Always specify 'X-XSS-Protection: 1; mode=block' in the response header to enable XSS filtering on the client side.",
Cwe: 79,
Severity: "Info",
References: []string{"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"},
},
{
Code: XpathInjectionCode,
Title: "XPath Injection Detected",
Description: "The application appears to be vulnerable to XPath injection attacks. This vulnerability occurs when the application uses user-supplied input to construct XPath queries without properly sanitizing or validating the input first. An attacker can exploit this vulnerability to manipulate queries, potentially leading to unauthorized data access, data loss, or data corruption.",
Remediation: "To mitigate this vulnerability, avoid constructing XPath queries with user-supplied input whenever possible. Instead, use parameterized queries or prepared statements, which can help ensure that user input is not interpreted as part of the XPath command. Implement proper input validation and sanitization procedures. Also, ensure that the least privilege principle is followed, and each function of the application has only the necessary access rights it needs to perform its tasks.",
Cwe: 643,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/XPATH_Injection", "https://book.hacktricks.xyz/pentesting-web/xpath-injection"},
},
{
Code: XsltInjectionCode,
Title: "XSLT Injection",
Description: "The application does not properly sanitize user input before processing it with XSLT. This can lead to arbitrary code execution, data extraction, or other unintended behaviors when malicious XSLT content is processed.",
Remediation: "Ensure all user-supplied input is thoroughly sanitized and validated before being used in XSLT processing. Avoid dynamically constructing XSLT based on user input. If dynamic construction is required, use a safe method for combining XSLT, such as parameterized templates.",
Cwe: 91,
Severity: "High",
References: []string{"https://en.wikipedia.org/wiki/XSLT", "https://owasp.org/www-pdf-archive/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf", "https://www.youtube.com/watch?v=j4vCGtF3a64", "https://book.hacktricks.xyz/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations"},
},
{
Code: XssReflectedCode,
Title: "Reflected XSS",
Description: "The application appears to be vulnerable to Reflected Cross-Site Scripting (XSS) attacks. This vulnerability occurs when user-supplied input is incorporated into web pages without proper sanitization and is then returned to the user in the web page. An attacker can exploit this by crafting malicious links containing script code which executes in the victim's browser when clicked, potentially leading to unauthorized access, data theft, or malicious actions on behalf of the user.",
Remediation: "To mitigate this vulnerability, ensure all user-supplied input is encoded or escaped before being included in output. Implement content security policies that restrict the sources of executable scripts. Use frameworks that automatically handle these encodings. Validate and sanitize all user input to remove or encode potentially dangerous characters. Regularly update and review web applications for XSS vulnerabilities.",
Cwe: 79,
Severity: "High",
References: []string{"https://owasp.org/www-community/attacks/xss/", "https://en.wikipedia.org/wiki/Cross-site_scripting", "https://portswigger.net/web-security/cross-site-scripting/reflected"},
},
{
Code: XxeCode,
Title: "XML External Entity (XXE) Detected",
Description: "The application appears to be vulnerable to XML External Entity (XXE) attacks. This vulnerability occurs when an application processes XML input containing a reference to an external entity. It can lead to disclosure of internal files, internal port scanning, remote code execution, and denial of service attacks.",
Remediation: "Disable the processing of external entities in your XML parser. Ensure that any XML parsing libraries or frameworks used by the application are configured securely. Regularly update and patch XML libraries to protect against known XXE exploits. If possible, use JSON or other data formats instead of XML.",
Cwe: 611,
Severity: "High",
References: []string{"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)"},
},
}