test2.json
{
"@version": "2.10.0",
"@generated": "Wed, 24 Mar 2021 07:45:05",
"site": [
{
"@name": "http://testhtml5.vulnweb.com",
"@host": "testhtml5.vulnweb.com",
"@port": "80",
"@ssl": "false",
"alerts": [
{
"pluginid": "10109",
"alertRef": "10109",
"alert": "Modern Web Application",
"name": "Modern Web Application",
"riskcode": "0",
"confidence": "2",
"riskdesc": "Informational (Medium)",
"desc": "<p>The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "<a href=\"#\" class=\"btn\" id=\"loginFormForgot\">Forgot Pwd?<\/a>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "<a href=\"#\" class=\"btn\" id=\"loginFormForgot\">Forgot Pwd?<\/a>"
}
],
"count": "2",
"solution": "<p>This is an informational alert and so no changes are required.<\/p>",
"otherinfo": "<p>Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.<\/p>",
"reference": "<p><\/p>",
"sourceid": "3"
},
{
"pluginid": "10108",
"alertRef": "10108",
"alert": "Reverse Tabnabbing",
"name": "Reverse Tabnabbing",
"riskcode": "2",
"confidence": "2",
"riskdesc": "Medium (Medium)",
"desc": "<p>At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the \"noopener\" and \"noreferrer\" keywords in the \"rel\" attribute, which allows the target page to take control of this page.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "<a target=\"_blank\" href=\"http://www.acunetix.com/\">Website<\/a>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "<a target=\"_blank\" href=\"http://www.acunetix.com/\">Website<\/a>"
}
],
"count": "2",
"solution": "<p>Do not use a target attribute, or if you have to then also add the attribute: rel=\"noopener noreferrer\".<\/p>",
"reference": "<p>https://owasp.org/www-community/attacks/Reverse_Tabnabbing<\/p><p>https://dev.to/ben/the-targetblank-vulnerability-by-example<\/p><p>https://mathiasbynens.github.io/rel-noopener/<\/p><p>https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c<\/p>",
"sourceid": "3"
},
{
"pluginid": "10021",
"alertRef": "10021",
"alert": "X-Content-Type-Options Header Missing",
"name": "X-Content-Type-Options Header Missing",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/static/img/logo2.png",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/app.js",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/controllers/controllers.js",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/css/style.css",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/services/itemsService.js",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/post.js",
"method": "GET",
"param": "X-Content-Type-Options"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/libs/sessvars.js",
"method": "GET",
"param": "X-Content-Type-Options"
}
],
"count": "9",
"solution": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.<\/p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.<\/p>",
"otherinfo": "<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.<\/p><p>At \"High\" threshold this scan rule will not alert on client or server error responses.<\/p>",
"reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx<\/p><p>https://owasp.org/www-community/Security_Headers<\/p>",
"cweid": "16",
"wascid": "15",
"sourceid": "3"
},
{
"pluginid": "10027",
"alertRef": "10027",
"alert": "Information Disclosure - Suspicious Comments",
"name": "Information Disclosure - Suspicious Comments",
"riskcode": "0",
"confidence": "1",
"riskdesc": "Informational (Low)",
"desc": "<p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/static/app/post.js",
"method": "GET",
"evidence": "username"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/post.js",
"method": "GET",
"evidence": "admin"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/post.js",
"method": "GET",
"evidence": "from"
}
],
"count": "3",
"solution": "<p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.<\/p>",
"otherinfo": "<p>The following pattern was used: \\bUSERNAME\\b and was detected 2 times, the first in the element starting with: \" data: \"<forgot><username>\" + $('#username').attr(\"value\") + \"<\/username><\/forgot>\",\n\", see evidence field for the suspicious comment/snippet.<\/p>",
"reference": "<p><\/p>",
"cweid": "200",
"wascid": "13",
"sourceid": "3"
},
{
"pluginid": "10017",
"alertRef": "10017",
"alert": "Cross-Domain JavaScript Source File Inclusion",
"name": "Cross-Domain JavaScript Source File Inclusion",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>The page includes one or more script files from a third-party domain.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "https://ajax.googleapis.com/ajax/libs/angularjs/1.0.6/angular.min.js",
"evidence": "<script src=\"https://ajax.googleapis.com/ajax/libs/angularjs/1.0.6/angular.min.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.1/js/bootstrap.min.js",
"evidence": "<script src=\"http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.1/js/bootstrap.min.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "http://code.jquery.com/jquery-1.9.1.min.js",
"evidence": "<script src=\"http://code.jquery.com/jquery-1.9.1.min.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "http://bxss.s3.amazonaws.com/ad.js",
"evidence": "<script src=\"http://bxss.s3.amazonaws.com/ad.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "http://bxss.s3.amazonaws.com/ad.js",
"evidence": "<script src=\"http://bxss.s3.amazonaws.com/ad.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "http://code.jquery.com/jquery-1.9.1.min.js",
"evidence": "<script src=\"http://code.jquery.com/jquery-1.9.1.min.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.1/js/bootstrap.min.js",
"evidence": "<script src=\"http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.1/js/bootstrap.min.js\"><\/script>"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "https://ajax.googleapis.com/ajax/libs/angularjs/1.0.6/angular.min.js",
"evidence": "<script src=\"https://ajax.googleapis.com/ajax/libs/angularjs/1.0.6/angular.min.js\"><\/script>"
}
],
"count": "8",
"solution": "<p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.<\/p>",
"reference": "<p><\/p>",
"cweid": "829",
"wascid": "15",
"sourceid": "3"
},
{
"pluginid": "10098",
"alertRef": "10098",
"alert": "Cross-Domain Misconfiguration",
"name": "Cross-Domain Misconfiguration",
"riskcode": "2",
"confidence": "2",
"riskdesc": "Medium (Medium)",
"desc": "<p>Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "Access-Control-Allow-Origin: *"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "Access-Control-Allow-Origin: *"
}
],
"count": "2",
"solution": "<p>Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).<\/p><p>Configure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.<\/p>",
"otherinfo": "<p>The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.<\/p>",
"reference": "<p>http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html<\/p>",
"cweid": "264",
"wascid": "14",
"sourceid": "3"
},
{
"pluginid": "10036",
"alertRef": "10036",
"alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
"riskcode": "1",
"confidence": "3",
"riskdesc": "Low (High)",
"desc": "<p>The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/static/img/logo2.png",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/css/style.css",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/controllers/controllers.js",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/libs/sessvars.js",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/app.js",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/post.js",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/sitemap.xml",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/static/app/services/itemsService.js",
"method": "GET",
"evidence": "nginx/1.19.0"
},
{
"uri": "http://testhtml5.vulnweb.com/robots.txt",
"method": "GET",
"evidence": "nginx/1.19.0"
}
],
"count": "11",
"solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.<\/p>",
"reference": "<p>http://httpd.apache.org/docs/current/mod/core.html#servertokens<\/p><p>http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007<\/p><p>http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx<\/p><p>http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html<\/p>",
"cweid": "200",
"wascid": "13",
"sourceid": "3"
},
{
"pluginid": "10038",
"alertRef": "10038",
"alert": "Content Security Policy (CSP) Header Not Set",
"name": "Content Security Policy (CSP) Header Not Set",
"riskcode": "2",
"confidence": "3",
"riskdesc": "Medium (High)",
"desc": "<p>Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/sitemap.xml",
"method": "GET"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET"
},
{
"uri": "http://testhtml5.vulnweb.com/robots.txt",
"method": "GET"
}
],
"count": "4",
"solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: \"Content-Security-Policy\" for Chrome 25+, Firefox 23+ and Safari 7+, \"X-Content-Security-Policy\" for Firefox 4.0+ and Internet Explorer 10+, and \"X-WebKit-CSP\" for Chrome 14+ and Safari 6+.<\/p>",
"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy<\/p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html<\/p><p>http://www.w3.org/TR/CSP/<\/p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html<\/p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/<\/p><p>http://caniuse.com/#feat=contentsecuritypolicy<\/p><p>http://content-security-policy.com/<\/p>",
"cweid": "16",
"wascid": "15",
"sourceid": "3"
},
{
"pluginid": "10027",
"alertRef": "10027",
"alert": "Information Disclosure - Suspicious Comments",
"name": "Information Disclosure - Suspicious Comments",
"riskcode": "0",
"confidence": "2",
"riskdesc": "Informational (Medium)",
"desc": "<p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "Username"
},
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "Username"
}
],
"count": "2",
"solution": "<p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.<\/p>",
"otherinfo": "<p>The following pattern was used: \\bUSERNAME\\b and was detected in the element starting with: \"<!-- Username -->\", see evidence field for the suspicious comment/snippet.<\/p>",
"reference": "<p><\/p>",
"cweid": "200",
"wascid": "13",
"sourceid": "3"
},
{
"pluginid": "10010",
"alertRef": "10010",
"alert": "Cookie No HttpOnly Flag",
"name": "Cookie No HttpOnly Flag",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/login",
"method": "POST",
"param": "username",
"evidence": "Set-Cookie: username"
}
],
"count": "1",
"solution": "<p>Ensure that the HttpOnly flag is set for all cookies.<\/p>",
"reference": "<p>https://owasp.org/www-community/HttpOnly<\/p>",
"cweid": "16",
"wascid": "13",
"sourceid": "3"
},
{
"pluginid": "10054",
"alertRef": "10054",
"alert": "Cookie Without SameSite Attribute",
"name": "Cookie Without SameSite Attribute",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/login",
"method": "POST",
"param": "username",
"evidence": "Set-Cookie: username"
}
],
"count": "1",
"solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.<\/p>",
"reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site<\/p>",
"cweid": "16",
"wascid": "13",
"sourceid": "3"
},
{
"pluginid": "10020",
"alertRef": "10020",
"alert": "X-Frame-Options Header Not Set",
"name": "X-Frame-Options Header Not Set",
"riskcode": "2",
"confidence": "2",
"riskdesc": "Medium (Medium)",
"desc": "<p>X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"param": "X-Frame-Options"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"param": "X-Frame-Options"
}
],
"count": "2",
"solution": "<p>Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive. <\/p>",
"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options<\/p>",
"cweid": "16",
"wascid": "15",
"sourceid": "3"
},
{
"pluginid": "10003",
"alertRef": "10003",
"alert": "Vulnerable JS Library",
"name": "Vulnerable JS Library",
"riskcode": "2",
"confidence": "2",
"riskdesc": "Medium (Medium)",
"desc": "<p>The identified library sessvars, version 1.00 is vulnerable.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/static/app/libs/sessvars.js",
"method": "GET",
"evidence": "sessvars ver 1.00"
}
],
"count": "1",
"solution": "<p>Please upgrade to the latest version of sessvars.<\/p>",
"reference": "<p>http://www.thomasfrank.se/sessionvars.html<\/p><p><\/p>",
"cweid": "829",
"sourceid": "3"
},
{
"pluginid": "10202",
"alertRef": "10202",
"alert": "Absence of Anti-CSRF Tokens",
"name": "Absence of Anti-CSRF Tokens",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>No Anti-CSRF tokens were found in a HTML submission form.<\/p><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.<\/p><p><\/p><p>CSRF attacks are effective in a number of situations, including:<\/p><p> * The victim has an active session on the target site.<\/p><p> * The victim is authenticated via HTTP auth on the target site.<\/p><p> * The victim is on the same local network as the target site.<\/p><p><\/p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/",
"method": "GET",
"evidence": "<form class=\"modal-body\" action=\"/login\" method=\"POST\" id=\"loginForm\">"
},
{
"uri": "http://testhtml5.vulnweb.com",
"method": "GET",
"evidence": "<form class=\"modal-body\" action=\"/login\" method=\"POST\" id=\"loginForm\">"
}
],
"count": "2",
"solution": "<p>Phase: Architecture and Design<\/p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.<\/p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.<\/p><p><\/p><p>Phase: Architecture and Design<\/p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Use the ESAPI Session Management control.<\/p><p>This control includes a component for CSRF.<\/p><p><\/p><p>Do not use the GET method for any request that triggers a state change.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.<\/p>",
"otherinfo": "<p>No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF] was found in the following HTML form: [Form 1: \"username\" \"password\" ].<\/p>",
"reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery<\/p><p>http://cwe.mitre.org/data/definitions/352.html<\/p>",
"cweid": "352",
"wascid": "9",
"sourceid": "3"
},
{
"pluginid": "10029",
"alertRef": "10029",
"alert": "Cookie Poisoning",
"name": "Cookie Poisoning",
"riskcode": "0",
"confidence": "1",
"riskdesc": "Informational (Low)",
"desc": "<p>This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.<\/p>",
"instances": [
{
"uri": "http://testhtml5.vulnweb.com/login",
"method": "POST",
"param": "username"
}
],
"count": "1",
"solution": "<p>Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.<\/p>",
"otherinfo": "<p>An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example: http://nottrusted.com/page?value=maliciousInput.<\/p><p><\/p><p>This was identified at:<\/p><p><\/p><p>http://testhtml5.vulnweb.com/login<\/p><p><\/p><p>User-input was found in the following cookie:<\/p><p>username=admin; Path=/<\/p><p><\/p><p>The user input was:<\/p><p>username=admin<\/p>",
"reference": "<p>http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie<\/p>",
"cweid": "20",
"wascid": "20",
"sourceid": "3"
}
]
}
]
}