OWASP Top 10 2013 Compliance Report

Compliance Report OWSAP Top 10 2013 - E-SPIN Group...OWASP TOP 10 2013 compliance report Description The primary aim of the OWASP Top 10 is to educate developers, designers, architects,



Description

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas - and also provides guidance on where to go from here.

Disclaimer

This document or any of its content cannot account for, or be included in, any form of legal advice. The outcome of a vulnerability scan (or security evaluation) should be utilized to ensure that diligent measures are taken to lower the risk of potential exploits carried out to compromise data. Legal advice must be supplied according to its legal context. All laws, and the environments in which they are applied, are constantly changed and revised. Therefore no information provided in this document may ever be used as an alternative to a qualified legal body or representative. A portion of this report is taken from OWASP's Top Ten 2013 Project document, which can be found at http://www.owasp.org.

Scan

URL: http://testhtml5.vulnweb.com:80/
Scan date: 25/03/2016 7:28:40
Duration: 29 minutes, 55 seconds
Profile: Default

Compliance at a Glance

This section of the report is a summary and lists the number of alerts found according to individual compliance categories.

Injection (A1) - No alerts in this category
Broken Authentication and Session Management (A2) - Total number of alerts in this category: 1
Cross Site Scripting (XSS) (A3) - Total number of alerts in this category: 11
Insecure Direct Object Reference (A4) - No alerts in this category
Security Misconfiguration (A5) - Total number of alerts in this category: 7
Sensitive Data Exposure (A6) - Total number of alerts in this category: 16
Missing Function Level Access Control (A7) - Total number of alerts in this category: 3
Cross Site Request Forgery (CSRF) (A8) - No alerts in this category
Using Components with Known Vulnerabilities (A9) - Total number of alerts in this category: 7

Unvalidated Redirects and Forwards (A10) - No alerts in this category


Compliance According to Categories: A Detailed Report

This section is a detailed report that explains each vulnerability found according to individual compliance categories.

(A1) Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

No alerts in this category.

(A2) Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

Total number of alerts in this category: 1

Alerts in this category

Basic authentication over HTTP

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. This directory is protected using Basic Authentication over an HTTP connection. With Basic Authentication the user credentials are sent as cleartext and, because HTTPS is not used, they are vulnerable to packet sniffing.

CVSS Base Score: 5.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

CWE: CWE-16

Affected item    Affected parameter    Variants
/admin/          -                     1

(A3) Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Total number of alerts in this category: 11

Alerts in this category

Cross site scripting (verified)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.


CVSS Base Score: 6.4 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None)

CVSS3 Base Score: 5.3 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None)

CWE: CWE-79

Affected item    Affected parameter    Variants
/comment         -                     1
/comment         id                    1
/like            -                     1
/like            id                    1
/report          -                     1
/report          id                    1

DOM-based cross site scripting

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser. While a traditional cross-site scripting vulnerability occurs in the server-side code, Document Object Model (DOM) based cross-site scripting is a type of vulnerability which affects the script code in the client's browser.

CVSS Base Score: 4.4 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: None)

CVSS3 Base Score: 5.3 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None)

CWE: CWE-79

Affected item    Affected parameter    Variants
/                -                     5

(A4) Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

No alerts in this category.

(A5) Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Total number of alerts in this category: 7

Alerts in this category

nginx SPDY heap buffer overflow

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.

CVSS Base Score: 5.1 (Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CWE: CWE-122
CVE: CVE-2014-0133

Affected item    Affected parameter    Variants
Web Server       -                     1

Weak password

This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute-force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes.


CVSS Base Score: 7.5 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item    Affected parameter    Variants
/admin/          -                     2

XML external entity injection

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, or HTTP transfer, or whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
    <xxx>&acunetixent;</xxx>

CVSS Base Score: 6.8 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CVSS3 Base Score: 10 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High)

CWE: CWE-611

Affected item    Affected parameter    Variants
/forgotpw        text/xml              1


Cookie without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

CVSS Base Score: 0.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: None)

CWE: CWE-16

Affected item    Affected parameter    Variants
/                -                     1

Insecure response with wildcard '*' in Access-Control-Allow-Origin

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. Therefore, any website can make XHR (XMLHttpRequest) requests to your site and access the responses. It is not recommended to use the Access-Control-Allow-Origin: * header.

CVSS Base Score: 0.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: None)

CWE: CWE-16

Affected item    Affected parameter    Variants
/                -                     1

OPTIONS method is enabled

The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

CVSS Base Score: 5.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item    Affected parameter    Variants
Web Server       -                     1

(A6) Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Total number of alerts in this category: 16

Alerts in this category

nginx SPDY heap buffer overflow

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.

CVSS Base Score: 5.1 (Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CWE: CWE-122
CVE: CVE-2014-0133

Affected item    Affected parameter    Variants
Web Server       -                     1

Weak password

This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute-force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes.

CVSS Base Score: 7.5 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item    Affected parameter    Variants
/admin/          -                     3

XML external entity injection

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, or HTTP transfer, or whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
    <xxx>&acunetixent;</xxx>

CVSS Base Score: 6.8 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CVSS3 Base Score: 10 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High)

CWE: CWE-611

Affected item    Affected parameter    Variants
/forgotpw        text/xml              3

Host header attack

In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

CVSS Base Score: 2.6 (Access Vector: Local; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None)

CVSS3 Base Score: 5.3 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None)

CWE: CWE-20

Affected item    Affected parameter    Variants
/like            -                     1

Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

CVSS Base Score: 6.8 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CWE: CWE-693

Affected item    Affected parameter    Variants
Web Server       -                     1

Cookie without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

CVSS Base Score: 0.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: None)

CWE: CWE-16

Affected item    Affected parameter    Variants
/                -                     1


Insecure response with wildcard '*' in Access-Control-Allow-Origin

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. Therefore, any website can make XHR (XMLHttpRequest) requests to your site and access the responses. It is not recommended to use the Access-Control-Allow-Origin: * header.

CVSS Base Score: 0.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: None)

CWE: CWE-16

Affected item    Affected parameter    Variants
/                -                     1

OPTIONS method is enabled

The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

CVSS Base Score: 5.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item    Affected parameter    Variants
Web Server       -                     1

Possible sensitive directories

A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, and temporary directories. Each one of these directories could help an attacker to learn more about his target.


CVSS Base Score: 5.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item            Affected parameter    Variants
/admin                   -                     1
/static/app/services     -                     1

Possible virtual host found

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. This web server is responding differently when the Host header is manipulated and various common virtual hosts are tested. This could indicate there is a Virtual Host present.

CVSS Base Score: 5.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item    Affected parameter    Variants
localhost        -                     1

Password type input with auto-complete enabled

When a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.


CVSS Base Score: 0.0 (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: None)

CVSS3 Base Score: 7.5 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CWE: CWE-200

Affected item                            Affected parameter    Variants
/ (64adbddee16dbd3ed58373c9670b7daa)     -                     1

(A7) Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

Total number of alerts in this category: 3

Alerts in this category

XML external entity injection

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, or HTTP transfer, or whatever system IDs the XML processor knows how to access. Below is a sample XML document that uses this functionality to include the contents of a local file (/etc/passwd):

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
    <xxx>&acunetixent;</xxx>

CVSS Base Score: 6.8 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CVSS3 Base Score: 10 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High)

CWE: CWE-611

Affected item    Affected parameter    Variants
/forgotpw        text/xml              1

Host header attack

In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

CVSS Base Score: 2.6 (Access Vector: Local; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None)

CVSS3 Base Score: 5.3 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None)

CWE: CWE-20

Affected item    Affected parameter    Variants
/like            -                     1

Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

CVSS Base Score: 6.8 (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CWE: CWE-693

Affected item    Affected parameter    Variants
Web Server       -                     1


(A8) Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

No alerts in this category.

(A9) Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Total number of alerts in this category: 7

Alerts in this category

nginx SPDY heap buffer overflow

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.

CVSS Base Score: 5.1 (Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial)

CWE: CWE-122
CVE: CVE-2014-0133

Affected item    Affected parameter    Variants
Web Server       -                     1

Weak password

This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.

CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Affected item: /admin/

Affected parameter: (none)

Variants: 1

XML external entity injection

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, or HTTP transfer, or whatever system IDs the XML processor knows how to access. Below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
<xxx>&acunetixent;</xxx>

CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CVSS3 Base Score: 10 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

CWE: CWE-611

Affected item: /forgotpw

Affected parameter: text/xml

Variants: 1

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CVSS3 Base Score: 6.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

CWE: CWE-16

Affected item: /static/app/libs/sessvars.js

Affected parameter: (none)

Variants: 1

Cookie without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None

CWE: CWE-16

Affected item: /

Affected parameter: (none)

Variants: 1

Insecure response with wildcard '*' in Access-Control-Allow-Origin

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. Therefore, any website can make XHR (XMLHttpRequest) requests to your site and access the responses. It is not recommended to use the Access-Control-Allow-Origin: * header.

CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None

CWE: CWE-16

Affected item: /

Affected parameter: (none)

Variants: 1

OPTIONS method is enabled

The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CVSS3 Base Score: 7.5 - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Affected item: Web Server

Affected parameter: (none)

Variants: 1

(A10) Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

No alerts in this category.


Affected Items: A Detailed Report

This section provides full details of the types of vulnerabilities found according to individual affected items.

/

DOM-based cross site scripting

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser. While a traditional cross-site scripting vulnerability occurs in the server-side code, document object model based cross-site scripting is a type of vulnerability which affects the script code in the client's browser.

This alert belongs to the following categories: A3

CVSS Base Score: 4.4 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: None - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-79

Parameter Variations

5

Cookie without HttpOnly flag set

This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

This alert belongs to the following categories: A5, A6, A9

CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None

CWE: CWE-16

Parameter Variations

1

Insecure response with wildcard '*' in Access-Control-Allow-Origin

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response. If a website responds with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. Therefore, any website can make XHR (XMLHttpRequest) requests to your site and access the responses. It is not recommended to use the Access-Control-Allow-Origin: * header.

This alert belongs to the following categories: A5, A6, A9

CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None

CWE: CWE-16

Parameter Variations

1

/ (64adbddee16dbd3ed58373c9670b7daa)

Password type input with auto-complete enabled

When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

This alert belongs to the following categories: A6

CVSS Base Score: 0.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Parameter Variations

1

/admin

Possible sensitive directories

A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.

This alert belongs to the following categories: A6

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Parameter Variations

1


/admin/

Weak password

This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default, or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.

This alert belongs to the following categories: A5, A5, A6, A6, A6, A9

CVSS Base Score: 7.5 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CWE: CWE-200

Parameter Variations

1

Basic authentication over HTTP

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. This directory is protected using Basic Authentication over an HTTP connection. With Basic Authentication the user credentials are sent as cleartext and, because HTTPS is not used, they are vulnerable to packet sniffing.

This alert belongs to the following categories: A2

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CWE: CWE-16

Parameter Variations

1


/comment

Cross site scripting (verified)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.

This alert belongs to the following categories: A3

CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-79

Parameter Variations

1

id 1

/forgotpw

XML external entity injection

XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text, thus initiating an unexpected file open operation, or HTTP transfer, or whatever system IDs the XML processor knows how to access. Below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "file:///etc/passwd"> ]>
<xxx>&acunetixent;</xxx>

This alert belongs to the following categories: A5, A6, A6, A6, A7, A9

CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CWE: CWE-611

Parameter Variations

text/xml 1


/like

Cross site scripting (verified)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.

This alert belongs to the following categories: A3

CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-79

Parameter Variations

1

id 1

Host header attack

In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links with its value. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails.

This alert belongs to the following categories: A6, A7

CVSS Base Score: 2.6 - Access Vector: Local - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-20

Parameter Variations

1


/report

Cross site scripting (verified)

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.

This alert belongs to the following categories: A3

CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-79

Parameter Variations

1

id 1

/static/app/libs/sessvars.js

Vulnerable Javascript library

You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

This alert belongs to the following categories: A9

CVSS Base Score: 6.4 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: None

CWE: CWE-16

Parameter Variations

1


/static/app/services

Possible sensitive directories

A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.

This alert belongs to the following categories: A6

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Parameter Variations

1

localhost

Possible virtual host found

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same host name. This web server is responding differently when the Host header is manipulated and various common virtual hosts are tested. This could indicate there is a Virtual Host present.

This alert belongs to the following categories: A6

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Parameter Variations

1


Web Server

nginx SPDY heap buffer overflow

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without the --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.

This alert belongs to the following categories: A5, A6, A9

CVSS Base Score: 5.1 - Access Vector: Network - Access Complexity: High - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CWE: CWE-122

CVE: CVE-2014-0133

Parameter Variations

1

Clickjacking: X-Frame-Options header missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

This alert belongs to the following categories: A6, A7

CVSS Base Score: 6.8 - Access Vector: Network - Access Complexity: Medium - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: Partial - Availability Impact: Partial

CWE: CWE-693

Parameter Variations

1

OPTIONS method is enabled

The HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

This alert belongs to the following categories: A5, A6, A9

CVSS Base Score: 5.0 - Access Vector: Network - Access Complexity: Low - Authentication: None - Confidentiality Impact: Partial - Integrity Impact: None - Availability Impact: None

CWE: CWE-200

Parameter Variations

1


Scanned items (coverage report)

http://testhtml5.vulnweb.com/

Vulnerabilities have been identified for this URL

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

/ Path Fragment

Input scheme 2

Input name Input type

Host HTTP Header

http://testhtml5.vulnweb.com:80/login

No vulnerabilities have been identified for this URL

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

password URL encoded POST

username URL encoded POST

http://testhtml5.vulnweb.com/static

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/img/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/css/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/css/style.css

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/

Vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/app.js

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/libs/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/libs/sessvars.js

Vulnerabilities have been identified for this URL

No input(s) found for this URL


http://testhtml5.vulnweb.com/static/app/post.js

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/controllers/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/controllers/controllers.js

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/services/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/services/itemsService.js

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/popular.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/itemsList.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/latest.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/carousel.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/archive.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/about.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/contact.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/static/app/partials/redir.html

No vulnerabilities have been identified for this URL

No input(s) found for this URL


http://testhtml5.vulnweb.com/static/scr/

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/logout

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/ajax

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/ajax/popular

No vulnerabilities have been identified for this URL

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

offset URL encoded GET

http://testhtml5.vulnweb.com/ajax/latest

No vulnerabilities have been identified for this URL

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

offset URL encoded GET

http://testhtml5.vulnweb.com/ajax/archive

No vulnerabilities have been identified for this URL

No input(s) found for this URL

http://testhtml5.vulnweb.com/forgotpw

Vulnerabilities have been identified for this URL

2 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

text/xml Custom POST

forgot.username#text XML

http://testhtml5.vulnweb.com/like

Vulnerabilities have been identified for this URL

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

id URL encoded GET

http://testhtml5.vulnweb.com/comment

Vulnerabilities have been identified for this URL

1 input(s) found for this URL

Inputs


Input scheme 1

Input name Input type

id URL encoded GET

http://testhtml5.vulnweb.com/report

Vulnerabilities have been identified for this URL

1 input(s) found for this URL

Inputs

Input scheme 1

Input name Input type

id URL encoded GET

http://testhtml5.vulnweb.com/admin/

Vulnerabilities have been identified for this URL

No input(s) found for this URL
