0% found this document useful (0 votes)

47 views64 pages

Kelompok 1 - Laporan Tugas Burpsuite Dan Zap Proxy

The document discusses ZAP scanning reports on a website called testphp.vulnweb.com. The scan found issues like absence of anti-CSRF tokens, missing security headers, and information disclosure. It provided details on the vulnerabilities found and their potential impacts.

Uploaded by

Maria Susanti Watu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

47 views64 pages

Kelompok 1 - Laporan Tugas Burpsuite Dan Zap Proxy

Uploaded by

Maria Susanti Watu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 64

TUGAS BURPSUITE DAN ZAP PROXY

KEAMANAN SISTEM INFORMASI

Disusun Oleh :

Adika Caesar Prijatna (4112210018)

Agung Aulia Muhamad (4112210046)
Muhamad Surya Al Ghifari (41122100003)

PROGRAM STUDI SISTEM INFORMASI

S1 REGULER A
UNIVERSITAS WIDYATAMA
2023
 ZAP PROXY

ZAP Scanning Report

Site: http://testphp.vulnweb.com
Generated on Thu, 7 Dec 2023 13:14:45

ZAP Version: 2.14.0

Summary of Alerts

Risk Level Number of

Alerts
High 0
Medium 3
Low 3
Informational 5

Alerts

Number of
Name Risk Level
Instances
Absence of Anti-CSRF Tokens Medium 40
Content Security Policy (CSP) Header Not Set Medium 48
Missing Anti-clickjacking Header Medium 44
Server Leaks Information via "X-Powered-By"
Low 62
HTTP Response Header Field(s)
Server Leaks Version Information via "Server"
Low 74
HTTP Response Header Field
X-Content-Type-Options Header Missing Low 68
Authentication Request Identified Informational 1
Charset Mismatch (Header Versus Meta Content-
Informational 31
Type Charset)
Information Disclosure - Suspicious Comments Informational 1
Modern Web Application Informational 9
User Controllable HTML Element Attribute
Informational 3
(Potential XSS)
Alert Detail

Medium Absence of Anti-CSRF Tokens

No Anti-CSRF tokens were found in a HTML submission form.

A cross-site request forgery is an attack that involves forcing a victim to send

an HTTP request to a target destination without their knowledge or intent in
order to perform an action as the victim. The underlying cause is application
functionality using predictable URL
/form actions in a repeatable way. The nature of the attack is that CSRF
exploits the trust that a web site has for a user. By contrast, cross-site
scripting (XSS) exploits the trust that auser has for a web site. Like XSS, CSRF
Description CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's
privileges, but recent techniques have been discovered to disclose information by gaining
access to the response. The risk of information disclosure is dramatically increased when
the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF,
allowing the attack to operate within the bounds of the same-origin policy.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence <form action="" method="post" name="faddentry">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "name" "submit" ].
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Other csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Info _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence <form name="loginform" method="post" action="userinfo.php">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "pass" "uname" ].
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence <form name='f_addcart' method='POST' action='cart.php'>
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "addcart" "price" ].
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence <form name="form1" method="post" action="/secured/newuser.php">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
Othe
_csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
rInfo
HTML form: [Form 1: "signup" "ucc" "uemail" "upass" "upass2" "uphone" "urname"
"uuname" ].
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence <form action="" method="post" name="faddentry">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "name" "submit" ].
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 2: "goButton" "searchFor" ].
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence <form action="search.php?test=query" method="post">
No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken,
Othe csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
rInfo _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following
HTML form: [Form 1: "goButton" "searchFor" ].
Instances 40
Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Phase: Implementation

Ensure that your application is free of cross-site scripting issues, because most CSRF
defenses can be bypassed using attacker-controlled script.
Phase: Architecture and Design

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce
upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

Solution Note that this can be bypassed using XSS.

Identify especially dangerous operations. When the user performs a dangerous operation,
send a separate confirmation request to ensure that the user intended to perform that
operation.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Check the HTTP Referer header to see if the request originated from an expected page.
This could break legitimate functionality, because users or proxies may have disabled
sending the Referer for privacy reasons.
http://projects.webappsec.org/Cross-Site-Request-Forgery
Reference
https://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Plugin Id 10202

Medium Content Security Policy (CSP) Header Not Set

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
These attacks are used for everything from data theft to site defacement or distribution of
Description malware. CSP provides a set of standard HTTP headers that allow website owners to
declare approved sources of content that browsers should be allowed to load on that page
— covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable
objects such as Java applets, ActiveX, audio and video files.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/high
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/?pp=12
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/privacy.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/robots.txt
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/sitemap.xml
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence
Other
Info
Instances 48
Ensure that your web server, application server, load balancer, etc. is configured to set the
Solution
Content-Security-Policy header.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP
/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

Reference http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038

Medium Missing Anti-clickjacking Header

The response does not include either Content-Security-Policy with 'frame-ancestors'
Description
directive or X-Frame-Options to protect against 'ClickJacking' attacks.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/?pp=12
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence
Othe
rInfo
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
Other
Info
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence
Other
Info
Instances 44
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP
headers. Ensure one of them is set on all web pages returned by your site/app.

Solution If you expect the page to be framed only by pages on your server (e.g. it's part of a
FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page
to be framed, you should use DENY. Alternatively consider implementing Content Security
Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020

Low Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
The web/application server is leaking information via one or more "X-Powered-By" HTTP
response headers. Access to such information may facilitate attackers identifying other
Description
frameworks/components your web application is reliant upon and the vulnerabilities such
components may be subject to.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/?pp=12
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/privacy.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Other
Info
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo

URL http://testphp.vulnweb.com/showimage.php?file='%20+%20pict.item(0).firstChild.
nodeValue%20+%20'
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg&size=160
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/userinfo.php
Method GET
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Other
Info
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Other
Info
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Other
Info
URL http://testphp.vulnweb.com/userinfo.php
Method POST
Attack
Evidence X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Other
Info
Instances 62
Ensure that your web server, application server, load balancer, etc. is configured to
Solution
suppress "X-Powered-By" headers.
http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-
Reference headers.aspx
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10037

Low Server Leaks Version Information via "Server" HTTP Response Header Field
The web/application server is leaking version information via the "Server" HTTP response
Description header. Access to such information may facilitate attackers identifying other vulnerabilities
your web/application server is subject to.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence nginx/1.19.0
Other
Info
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence nginx/1.19.0
Other
Info
URL http://testphp.vulnweb.com/AJAX/styles.css
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Flash/add.swf
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/high
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/?pp=12
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/images/logo.gif
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/images/remark.gif
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/1.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/2.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/3.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/privacy.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/robots.txt
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/secured/style.css
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo

URL http://testphp.vulnweb.com/showimage.php?file='%20+%20pict.item(0).firstChild.
nodeValue%20+%20'
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg&size=160
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/sitemap.xml
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/style.css
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/userinfo.php
Method GET
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence nginx/1.19.0
Othe
rInfo
URL http://testphp.vulnweb.com/userinfo.php
Method POST
Attack
Evidence nginx/1.19.0
Othe
rInfo
Instances 74
Ensure that your web server, application server, load balancer, etc. is configured to
Solution
suppress the "Server" header or provide generic details.
http://httpd.apache.org/docs/current/mod/core.html#servertokens
http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007
Reference
http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-
headers.aspx
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10036

Low X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows
older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response
body, potentially causing the response body to be interpreted and displayed as a content
Description
type other than the declared content type. Current (early 2014) and legacy versions of
Firefox will use the declared content type (if one is set), rather than performing MIME-
sniffing.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/AJAX/styles.css
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Flash/add.swf
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/hpp/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/hpp/?pp=12
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/hpp/params.php?p=valid&pp=12
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/images/logo.gif
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/images/remark.gif
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe
stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo
pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Othe affected by injection issues, in which case there is still concern for browsers sniffing pages
rInfo away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-1/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-2/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/BuyProduct-3/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/color-printer/3/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/network-attached-storage-dlink/1/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/Details/web-camera-a4tech/2/
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/1.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/2.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Othe affected by injection issues, in which case there is still concern for browsers sniffing pages
rInfo away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/images/3.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-1.html
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-2.html
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/Mod_Rewrite_Shop/RateProduct-3.html
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/secured/style.css
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file='%20+%20pict.item(0).firstChild.
nodeValue%20+%20'
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/1.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/2.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/3.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/4.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/5.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/6.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg&size=160
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/style.css
Method GET
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often
Othe stillaffected by injection issues, in which case there is still concern for browsers sniffing
rInfo pages away from their actual content type. At "High" threshold this scan rule will not alert
on client or server error responses.
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still
Other affected by injection issues, in which case there is still concern for browsers sniffing pages
Info away from their actual content type. At "High" threshold this scan rule will not alert on client
or server error responses.
Instances 68
Ensure that the application/web server sets the Content-Type header appropriately, and
that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser
that does not perform MIME-sniffing at all, or that can be directed by the web application
/web server to not perform MIME-sniffing.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021

Informational Authentication Request Identified

The given request has been identified as an authentication request. The 'Other Info' field
contains a set of key=value lines which identify any relevant fields. If the request is in a
Description
context which has an Authentication Method set to "Auto-Detect" then this rule will change
the authentication to match the request identified.

URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence upass
Other userParam=uemail userValue=ZAP passwordParam=upass referer=http://testphp.vulnweb.
Info com/signup.php
Instances 1
Solution This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/
CWE Id
WASC Id
Plugin Id 10111

Informational Charset Mismatch (Header Versus Meta Content-Type Charset)

This check identifies responses where the HTTP Content-Type header declares a charset
different from the charset defined by the body of the HTML or XML. When there's a charset
mismatch between the HTTP header and content body Web browsers can be forced into an
undesirable content-sniffing mode to determine the content's correct character set.
Description
An attacker could manipulate content on the page to be interpreted in an encoding of their
choice. For example, if an attacker can control content at the beginning of the page, they
could inject script using UTF-7 encoded text and manipulate some browsers into
interpreting that text.

URL http://testphp.vulnweb.com
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-1] do not match.
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/cart.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/categories.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/disclaimer.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/guestbook.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/index.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?artist=3
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?cat=3
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/listproducts.php?cat=4
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/login.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=1
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=2
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=3
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=4
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=5
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=6
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/product.php?pic=7
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/signup.php
Method GET
Attack
Evidence
Othe There was a charset mismatch between the HTTP Header and the META content-type
rInfo encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/cart.php
Method POST
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-2] do not match.
URL http://testphp.vulnweb.com/secured/newuser.php
Method POST
Attack
Evidence
Other There was a charset mismatch between the HTTP Header and the META content-type
Info encoding declarations: [UTF-8] and [iso-8859-1] do not match.
Instances 31
Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or
Solution
encoding declarations in XML.
Reference http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
CWE Id 436
WASC Id 15
Plugin Id 90011

Informational Information Disclosure - Suspicious Comments

The response appears to contain suspicious comments which may help an attacker. Note:
Description
Matches made within script blocks or files are against the entire content not only comments.

URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence where
The following pattern was used: \bWHERE\b and was detected in the element starting with:
Other
"<script type="text/javascript"> var httpreq = null; function SetContent(XML) { var items =
Info
XML.getElementsByTagName('i", see evidence field for the suspicious comment/snippet.
Instances 1
Remove all comments that return information that may help an attacker and fix any
Solution
underlying problems they refer to.
Reference
CWE Id 200
WASC Id 13
Plugin Id 10027

Informational Modern Web Application

The application appears to be a modern web application. If you need to explore it
Description
automatically then the Ajax Spider may well be more effective than the standard one.

URL http://testphp.vulnweb.com/AJAX/index.php
Method GET
Attack
Evidence <a href="#" onclick="loadSomething('titles.php')">titles</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/artists.php
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?aid=1','comment','width=500,
Evidence
height=400')">comment on this artist</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/artists.php?artist=1
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?aid=1','comment','width=500,
Evidence
height=400')">comment on this artist</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/artists.php?artist=2
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?aid=2','comment','width=500,
Evidence
height=400')">comment on this artist</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/artists.php?artist=3
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?aid=3','comment','width=500,
Evidence
height=400')">comment on this artist</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/listproducts.php?artist=1
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,
Evidence
height=400')">comment on this picture</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/listproducts.php?artist=2
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?pid=7','comment','width=500,
Evidence
height=400')">comment on this picture</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/listproducts.php?cat=1
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,
Evidence
height=400')">comment on this picture</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
URL http://testphp.vulnweb.com/listproducts.php?cat=2
Method GET
Attack
<a href='#' onClick="window.open('./comment.php?pid=6','comment','width=500,
Evidence
height=400')">comment on this picture</a>
Other Links have been found that do not have traditional href attributes, which is an indication that
Info this is a modern web application.
Instances 9
Solution This is an informational alert and so no changes are required.
Reference
CWE Id
WASC Id
Plugin Id 10109

Informational User Controllable HTML Element Attribute (Potential XSS)

This check looks at user-supplied input in query string parameters and POST data to
identify where certain HTML attribute values might be controlled. This provides hot-spot
Description
detection for XSS (cross-site scripting) that will require further review by a security analyst
to determine exploitability.

URL http://testphp.vulnweb.com/guestbook.php
Method POST
Attack
Evidence
User-controlled HTML attribute values were found. Try injecting special characters to see if
Other XSS might be possible. The page at the following URL: http://testphp.vulnweb.com
Info /guestbook.php appears to include user input in: a(n) [input] tag [value] attribute The user
input found was: submit=add message The user-controlled value was: add message
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
User-controlled HTML attribute values were found. Try injecting special characters to see if
Other XSS might be possible. The page at the following URL: http://testphp.vulnweb.com/search.
Info php?test=query appears to include user input in: a(n) [input] tag [name] attribute The user
input found was: goButton=go The user-controlled value was: gobutton
URL http://testphp.vulnweb.com/search.php?test=query
Method POST
Attack
Evidence
User-controlled HTML attribute values were found. Try injecting special characters to see if
Othe XSS might be possible. The page at the following URL: http://testphp.vulnweb.com/search.
rInfo php?test=query appears to include user input in: a(n) [input] tag [value] attribute The user
input found was: goButton=go The user-controlled value was: go
Instances 3
Solution Validate all input and sanitize output it before writing to any HTML attributes.
Reference http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-html-attribute
CWE Id 20
WASC Id 20
Plugin Id 10031
Burp Scanner Report

Summary
The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low, Information or
False Positive. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative.
This reflects the inherent reliability of the technique that was used to identify the issue.

Confidence

Certain Firm Tentative Total

High 0 0 0 0

Medium 0 0 0 0

Severity Low 1 0 0 1

Information 0 0 0 0

False Positive 0 0 0 0

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the
bars fade as the confidence level falls.

Number of issues

0 1 2 3 4

High

Severity Medium

Low

Contents
1. Unencrypted communications

1. Unencrypted communications

Summary
Severity: Low

Confidence: Certain

Host: http://testhtml5.vulnweb.com

Path: /

Issue description
The application allows users to connect to it over unencrypted connections. An attacker suitably positioned to view a legitimate user's network traffic could record
and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the
application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track
users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as
hazardous.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client
communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer.
Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could
also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove
references to encrypted resources when these references are transmitted over an unencrypted connection.

Issue remediation
Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security
HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.

References
Marking HTTP as non-secure
Configuring Server-Side SSL/TLS
HTTP Strict Transport Security

Vulnerability classifications
CWE-326: Inadequate Encryption Strength
CAPEC-94: Man in the Middle Attack
CAPEC-157: Sniffing Attacks

Report generated by Burp Suite web vulnerability scanner v2023.10.3.7, at Thu Dec 07 16:29:39 WIB 2023.

Vulnerability Assessment and Attack Plan Report (Rohit Roy) PDF
No ratings yet
Vulnerability Assessment and Attack Plan Report (Rohit Roy) PDF
31 pages
Web Security Audit Summary
No ratings yet
Web Security Audit Summary
188 pages
Supply Chain Management: Nahdlah Nurul Juli Adi Prasetyo Haris Muhammad
No ratings yet
Supply Chain Management: Nahdlah Nurul Juli Adi Prasetyo Haris Muhammad
14 pages
Espíritu Del Koala
No ratings yet
Espíritu Del Koala
2 pages
Developer Example
No ratings yet
Developer Example
87 pages
These Have Made A Strong Foundation For Realizing The Association Between Producer and Retail Trade
No ratings yet
These Have Made A Strong Foundation For Realizing The Association Between Producer and Retail Trade
1 page
Zara's Tech-Driven Fashion Success
No ratings yet
Zara's Tech-Driven Fashion Success
7 pages
SQL Injection Testing Guide
No ratings yet
SQL Injection Testing Guide
1 page
SF Bota Newsletter November 2022
No ratings yet
SF Bota Newsletter November 2022
6 pages
2024-10-21-ZAP-Report-SMART OFFICE
No ratings yet
2024-10-21-ZAP-Report-SMART OFFICE
49 pages
Vapt Report
No ratings yet
Vapt Report
2 pages
Smart Scan Practise Vulweb1
No ratings yet
Smart Scan Practise Vulweb1
163 pages
Understanding The Cross Site Request Forgery (CSRF) Attack - by Grzegorz Piechnik - Medium
No ratings yet
Understanding The Cross Site Request Forgery (CSRF) Attack - by Grzegorz Piechnik - Medium
15 pages
Laboratory4-ITT557-2020878252-SITI FARHANA
No ratings yet
Laboratory4-ITT557-2020878252-SITI FARHANA
10 pages
Cross-Site Request Forgery
No ratings yet
Cross-Site Request Forgery
6 pages
CSRF Attack Lab: ITT557 Solutions
No ratings yet
CSRF Attack Lab: ITT557 Solutions
7 pages
What Is Cros1
No ratings yet
What Is Cros1
21 pages
CSRF Notes
No ratings yet
CSRF Notes
7 pages
Introduction To SSRF
No ratings yet
Introduction To SSRF
9 pages
Machine Learning For Web Vulnerability Detection: The Case of Cross-Site Request Forgery
No ratings yet
Machine Learning For Web Vulnerability Detection: The Case of Cross-Site Request Forgery
9 pages
Affected Items Report
No ratings yet
Affected Items Report
336 pages
CSRF 1704535172
No ratings yet
CSRF 1704535172
6 pages
Week 5 Cross Site Request Forgery
No ratings yet
Week 5 Cross Site Request Forgery
7 pages
Web Security Audit for Koota Koperasi
No ratings yet
Web Security Audit for Koota Koperasi
26 pages
Cross-Site Request Forgery
No ratings yet
Cross-Site Request Forgery
3 pages
Lab 1
No ratings yet
Lab 1
14 pages
CSRF 1730684378
No ratings yet
CSRF 1730684378
12 pages
An Automated Detection System of Cross Site Request Forgery (CSRF) Vulnerability in Web Applications
100% (1)
An Automated Detection System of Cross Site Request Forgery (CSRF) Vulnerability in Web Applications
5 pages
4 - XSS - CSRF
No ratings yet
4 - XSS - CSRF
21 pages
Web Security Testing
No ratings yet
Web Security Testing
11 pages
CSRF Attack Prevention Guide
No ratings yet
CSRF Attack Prevention Guide
8 pages
Wa0033.
No ratings yet
Wa0033.
9 pages
Vulnerability Scan: Hostedscan Security
No ratings yet
Vulnerability Scan: Hostedscan Security
17 pages
CSRF Presentation
No ratings yet
CSRF Presentation
10 pages
WebSecurity 2/3
No ratings yet
WebSecurity 2/3
91 pages
Cross Site Forgery
No ratings yet
Cross Site Forgery
3 pages
Understanding CSRF 1707389934
No ratings yet
Understanding CSRF 1707389934
11 pages
Vulnerability Scan: Hostedscan Security
No ratings yet
Vulnerability Scan: Hostedscan Security
26 pages
Webapps
No ratings yet
Webapps
112 pages
(CyberSec'24) Lab07 - Student Version
No ratings yet
(CyberSec'24) Lab07 - Student Version
45 pages
Cross-Site Request Forgery: Collin Jackson
No ratings yet
Cross-Site Request Forgery: Collin Jackson
31 pages
Advanced XSS and CSRF Exploitation - @CyberFreeCourses
No ratings yet
Advanced XSS and CSRF Exploitation - @CyberFreeCourses
62 pages
9thADV SSRF1
No ratings yet
9thADV SSRF1
13 pages
W02 Web CSRF
No ratings yet
W02 Web CSRF
26 pages
Result
No ratings yet
Result
49 pages
Server-Side Attacks
No ratings yet
Server-Side Attacks
41 pages
BSCP Tracker
No ratings yet
BSCP Tracker
207 pages
Cross Site Request Forgery
No ratings yet
Cross Site Request Forgery
5 pages
CS445 Lab5
No ratings yet
CS445 Lab5
10 pages
Club Hack Magazine 04 PDF
No ratings yet
Club Hack Magazine 04 PDF
26 pages
CSRF
No ratings yet
CSRF
11 pages
Security Penetration Test Report of VULNWEB PDF
44% (9)
Security Penetration Test Report of VULNWEB PDF
12 pages
CSRF Attck
No ratings yet
CSRF Attck
21 pages
Web Pentesting Sample Report
No ratings yet
Web Pentesting Sample Report
25 pages
WebHacking All Bugs
No ratings yet
WebHacking All Bugs
84 pages
CSRF Task 9
No ratings yet
CSRF Task 9
11 pages
Vulnerability Scan Report 1/2023
No ratings yet
Vulnerability Scan Report 1/2023
30 pages
Headless
No ratings yet
Headless
15 pages
PENTEST-Introduction To Web Pentest
No ratings yet
PENTEST-Introduction To Web Pentest
10 pages
Report For Foophones: by Utkarsh Munra
No ratings yet
Report For Foophones: by Utkarsh Munra
37 pages

Kelompok 1 - Laporan Tugas Burpsuite Dan Zap Proxy

Uploaded by

Kelompok 1 - Laporan Tugas Burpsuite Dan Zap Proxy

Uploaded by

TUGAS BURPSUITE DAN ZAP PROXY

KEAMANAN SISTEM INFORMASI

Adika Caesar Prijatna (4112210018)

PROGRAM STUDI SISTEM INFORMASI

ZAP Scanning Report

ZAP Version: 2.14.0

Risk Level Number of

Medium Absence of Anti-CSRF Tokens

A cross-site request forgery is an attack that involves forcing a victim to send

* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Solution Note that this can be bypassed using XSS.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Medium Content Security Policy (CSP) Header Not Set

Medium Missing Anti-clickjacking Header

Low X-Content-Type-Options Header Missing

Informational Authentication Request Identified

Informational Charset Mismatch (Header Versus Meta Content-Type Charset)

Informational Information Disclosure - Suspicious Comments

Informational Modern Web Application

Informational User Controllable HTML Element Attribute (Potential XSS)

Certain Firm Tentative Total

You might also like