Scan Report
03 Jun 2024
Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.
Takashi Moriyama
Moriyama
mryam3tm
17203 NE 33rd St
Redmond, Washington 98052 United States of America
Target and Filters
Scans (1)
Web Application Vulnerability Scan - Redmunch - May 30, 2024
Web Applications (1)
Redmunch
Summary
Security Risk        Vulnerabilities    Sensitive Contents    Information Gathered
                     2                  0                     18
Findings by Severity
Vulnerabilities by Group
OWASP Top 10 2021 Vulnerabilities

Scan: Web Application Vulnerability Scan - Redmunch - May 30, 2024
Date: 30 May 2024 14:01 GMT-0800
Level 5: 0
Level 4: 0
Level 3: 1
Level 2: 0
Level 1: 1
Sensitive Contents: 0
Information Gathered: 18
Vulnerability (2)

Path Disclosure (1)

150246 Path-relative stylesheet import (PRSSI) vulnerability (1)

150246 Path-relative stylesheet import (PRSSI) vulnerability
URL: https://www.redmunch.com/
Finding #: 26575898 (295486694)
Severity: Confirmed Vulnerability - Level 1
Unique #: cf494cfe-cb22-4858-9eac-f5726483b969
Group: Path Disclosure
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC: -
CVSS V3 Base: 3.1
CVSS V3 Temporal: 2.9
CVSS V3 Attack Vector: Network

Details
Threat
Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.
Solution
It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag to the document, which defines the base URL or target location for all relative URLs. The vulnerability can also be mitigated by using the following best practices to harden the web pages:
- Set a DOCTYPE which does not allow Quirks mode, as explained at https://hsivonen.fi/doctype/
- Set response header X-Frame-Options: deny
- Set response header X-Content-Type-Options: nosniff.

Detection Information
Parameter: No parameter has been required for detecting the information.
Authentication: In order to detect this vulnerability, no authentication has been required.
Access Path: Here is the path followed by the scanner to reach the exploitable URL:
http://www.redmunch.com/

Payloads
#1 Request
GET https://www.redmunch.com/
Referer: http://www.redmunch.com/
Host: www.redmunch.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.177 Safari/537.36
Accept: */*
Click this link to try to reproduce the vulnerability using the above payload. Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response
Relative Path CSS Links found: <link rel="stylesheet" href="styles.css">
Information Disclosure (1)

150124 Clickjacking - Framable Page (1)

150124 Clickjacking - Framable Page
URL: https://www.redmunch.com/
Finding #: 26552922 (295486693)
Severity: Confirmed Vulnerability - Level 3
Unique #: 873649f2-b263-4d5e-933c-81cffd2edcd4
Group: Information Disclosure
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:
CVSS V3 Base: 5.8
CVSS V3 Temporal: 5.2
CVSS V3 Attack Vector: Network

Details
Threat
The web page can be framed. This means that clickjacking attacks against users are possible. Note: for both 150245 and 150124, only 10 pages are reported, and only responses with status code 200 OK are tested and reported.
Impact
With clickjacking, an attacker can trick a victim user into clicking an invisible frame on the web page, thereby causing the victim to take an action they did not intend to take.
Solution

Detection Information
Parameter: No parameter has been required for detecting the information.
Authentication: In order to detect this vulnerability, no authentication has been required.
Access Path: Here is the path followed by the scanner to reach the exploitable URL:
http://www.redmunch.com/

Payloads
#1 Request
GET https://www.redmunch.com/
Host: www.redmunch.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.177 Safari/537.36
Accept: */*
Click this link to try to reproduce the vulnerability using the above payload. Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response
The URI was framed.
Information Gathered (18)

Scan Diagnostics (11)

6 DNS Host Name (1)

6 DNS Host Name
Finding #: 12223504 (295486691)
Severity: Information Gathered - Level 1
Unique #: f8e603f4-a946-429d-b777-60de8a52a3bf
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact
N/A
Solution
N/A

SSL Data
Flags: -
Protocol: -
Virtual Host: 20.69.151.16
IP: 20.69.151.16
Port: -
Result:
IP address      Host name
20.69.151.16    No registered hostname
45038 Host Scan Time - Scanner (1)

45038 Host Scan Time - Scanner
Finding #: 12223505 (295486692)
Severity: Information Gathered - Level 1
Unique #: 1f386f83-5d26-47a6-874f-04218b32d0b7
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
Impact
N/A
Solution
N/A

SSL Data
Flags: -
Protocol: -
Virtual Host: www.redmunch.com
IP: 20.69.151.16
Port: -
Result:
Scan duration: 1152 seconds
Start time: Thu May 30 21:00:58 UTC 2024
End time: Thu May 30 21:20:10 UTC 2024
150009 Links Crawled (1)

150009 Links Crawled
Finding #: 12223500 (295486688)
Severity: Information Gathered - Level 1
Unique #: 1722cff8-9b9a-49dd-b4f0-e652a816525e
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
The list of unique links crawled and HTML forms submitted by the scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined. NOTE: This list also includes:
- All the unique links that are reported in QID 150140 (Redundant links/URL paths crawled and not crawled)
- All the forms reported in QID 150152 (Forms Crawled)
- All the forms in QID 150115 (Authentication Form Found)
- Certain requests from QID 150172 (Requests Crawled)
Impact
N/A
Solution
N/A

Results
Duration of crawl phase (seconds): 176.00
Number of links: 4 (This number excludes form requests and links re-requested during authentication.)
https://www.redmunch.com/
https://www.redmunch.com/favicon.ico
http://www.redmunch.com/
http://www.redmunch.com/favicon.ico
150010 External Links Discovered (1)

150010 External Links Discovered
Finding #: 12230050 (295486686)
Severity: Information Gathered - Level 1
Unique #: 6834fca2-b351-4eb8-85e4-cec1bec130db
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
External links discovered during the scan are listed in the Results section. These links were out of scope for the scan and were not crawled.
Impact
N/A
Solution
N/A

Results
Number of links: 6
https://appservice.azureedge.net/css/static-apps/v3/main.css
https://appservice.azureedge.net/images/static-apps/v3/favicon.svg
https://appservice.azureedge.net/scripts/static-apps/v3/loc.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js
150020 Links Rejected By Crawl Scope or Exclusion List (1)

150020 Links Rejected By Crawl Scope or Exclusion List
Finding #: 12223495 (295486678)
Severity: Information Gathered - Level 1
Unique #: 948eaedf-9881-471b-a49a-78a70838b359
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
One or more links were not crawled because of an explicit rule to exclude them. This also occurs if a link is malformed. Exclude list and Include list entries can cause links to be rejected. If a scan is limited to a specific starting directory, then links outside that directory will be neither crawled nor tested. Links that contain a host name or IP address different from the target application are considered external links and are not crawled by default; those types of links are not listed here. This often happens when the scope of a scan is limited to the directory of the starting URL. The scope can be changed in the Web Application Record. During the test phase, some path-based tests may be rejected if the scan is limited to the directory of the starting URL and the test would fall outside that directory. In these cases, the number of rejected links may be too high to list in the Results section.
Impact
Links listed here were neither crawled nor tested by the Web application scanning engine.
Solution
A link might have been intentionally matched by an exclude or include list entry. Verify that no links in this list were unintentionally rejected.

Results
Links not permitted: (This list includes links from QIDs: 150010, 150041, 150143, 150170)
External links discovered:
https://appservice.azureedge.net/css/static-apps/v3/main.css
https://appservice.azureedge.net/images/static-apps/v3/favicon.svg
https://appservice.azureedge.net/scripts/static-apps/v3/loc.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js
IP based excluded links:
150021 Scan Diagnostics (1)

150021 Scan Diagnostics
Finding #: 12223496 (295486679)
Severity: Information Gathered - Level 1
Unique #: dee15ef4-ec81-4838-befa-e1587bb78a6b
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact
The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution
No action is required.

Results
Loaded 0 exclude list entries. Loaded 0 allow list entries. HTML form authentication unavailable, no WEBAPP entry found Target web application page http://www.redmunch.com/ fetched. Status code:307, Content-Type:text/html, load time:1 milliseconds. Batch #0 VirtualHostDiscovery: estimated time < 10 minutes (70 tests, 0 inputs) VirtualHostDiscovery: 70 vulnsigs tests, completed 69 requests, 6 seconds. Completed 69 requests of 70 estimated requests (98.5714%). All tests completed. Batch #0 CMSDetection: estimated time < 1 minute (1 tests, 1 inputs) [CMSDetection phase] : No potential CMS found using Blind Elephant algorithm. Aborting the CMS Detection phase CMSDetection: 1 vulnsigs tests, completed 56 requests, 2 seconds. Completed 56 requests of 56 estimated requests (100%). All tests completed. Collected 5 links overall in 0 hours 2 minutes duration. Batch #0 BannersVersionReporting: estimated time < 1 minute (1 tests, 1 inputs) BannersVersionReporting: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 1 estimated requests (0%). All tests completed. Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(9 x 2) + paths:(0 x 4) = total (18) Batch #0 WS Directory Path manipulation: estimated time < 1 minute (9 tests, 4 inputs) WS Directory Path manipulation: 9 vulnsigs tests, completed 18 requests, 0 seconds. Completed 18 requests of 18 estimated requests (100%). All tests completed. Batch #0 WS enumeration: estimated time < 1 minute (11 tests, 4 inputs) WS enumeration: 11 vulnsigs tests, completed 24 requests, 1 seconds. Completed 24 requests of 44 estimated requests (54.5455%). All tests completed. Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (113 tests, 0 inputs) Batch #1 URI parameter manipulation (no auth): 113 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. 
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (8 tests, 0 inputs) Batch #1 URI blind SQL manipulation (no auth): 8 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (16 tests, 0 inputs) Batch #1 URI parameter time-based tests (no auth): 16 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 URI parameter time-based tests for Apache Struts Vulnerabilities (no auth): estimated time < 1 minute (1 tests, 0 inputs) Batch #1 URI parameter time-based tests for Apache Struts Vulnerabilities (no auth): 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #4 WebCgiOob: estimated time < 1 minute (135 tests, 1 inputs) Batch #4 WebCgiOob: 135 vulnsigs tests, completed 360 requests, 8 seconds. Completed 360 requests of 632 estimated requests (56.962%). All tests completed. Potential LDAP Login Bypass no tests enabled. No XML requests found. Skipping XXE tests. Batch #4 DOM XSS exploitation: estimated time < 1 minute (4 tests, 0 inputs) Batch #4 DOM XSS exploitation: 4 vulnsigs tests, completed 0 requests, 1 seconds. No tests to execute. Batch #4 HTTP call manipulation: estimated time < 1 minute (38 tests, 0 inputs) Batch #4 HTTP call manipulation: 38 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #4 Open Redirect analysis: estimated time < 1 minute (2 tests, 0 inputs) Batch #4 Open Redirect analysis: 2 vulnsigs tests, completed 0 requests, 2 seconds. No tests to execute. CSRF tests will not be launched because the scan is not successfully authenticated. Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 5 inputs) Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 5 estimated requests (0%). All tests completed. 
Batch #4 Cookie manipulation: estimated time < 1 minute (47 tests, 0 inputs) Batch #4 Cookie manipulation: 47 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #4 Header manipulation: estimated time < 1 minute (47 tests, 4 inputs) Batch #4 Header manipulation: 47 vulnsigs tests, completed 726 requests, 11 seconds. Completed 726 requests of 520 estimated requests (139.615%). XSS optimization removed 232 links. All tests completed. Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 4 inputs) Batch #4 shell shock detector: 1 vulnsigs tests, completed 6 requests, 0 seconds. Completed 6 requests of 4 estimated requests (150%). All tests completed. Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 0 inputs) Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Cookies Without Consent no tests enabled. Batch #5 HTTP Time Bandit: estimated time < 1 minute (1 tests, 10 inputs) Batch #5 HTTP Time Bandit: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(4 x 2) + paths:(11 x 4) = total (52) Batch #5 Path XSS manipulation: estimated time < 1 minute (15 tests, 4 inputs) Batch #5 Path XSS manipulation: 15 vulnsigs tests, completed 50 requests, 1 seconds. Completed 50 requests of 52 estimated requests (96.1538%). All tests completed. Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(1 x 2) + paths:(0 x 4) = total (2) Batch #5 Tomcat Vuln manipulation: estimated time < 1 minute (1 tests, 4 inputs) Batch #5 Tomcat Vuln manipulation: 1 vulnsigs tests, completed 2 requests, 0 seconds. Completed 2 requests of 2 estimated requests (100%). All tests completed. 
Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(16 x 2) + paths:(0 x 4) = total (32) Batch #5 Time based path manipulation: estimated time < 1 minute (16 tests, 5 inputs) Batch #5 Time based path manipulation: 16 vulnsigs tests, completed 64 requests, 660 seconds. Completed 64 requests of 32 estimated requests (200%). All tests completed. Path manipulation: Estimated requests (payloads x links): files with extension:(1 x 2) + files:(12 x 2) + directories:(145 x 2) + paths:(14 x 4) = total (372) Batch #5 Path manipulation: estimated time < 1 minute (172 tests, 4 inputs) Batch #5 Path manipulation: 172 vulnsigs tests, completed 346 requests, 5 seconds. Completed 346 requests of 372 estimated requests (93.0108%). All tests completed. WebCgiHrsTests: no test enabled Batch #5 WebCgiGeneric: estimated time < 10 minutes (543 tests, 1 inputs) Batch #5 WebCgiGeneric: 543 vulnsigs tests, completed 821 requests, 13 seconds. Completed 821 requests of 3008 estimated requests (27.2939%). All tests completed. Batch #5 Open Redirect analysis: estimated time < 1 minute (2 tests, 0 inputs) Batch #5 Open Redirect analysis: 2 vulnsigs tests, completed 0 requests, 5 seconds. No tests to execute. Duration of Crawl Time: 176.00 (seconds) Duration of Test Phase: 876.00 (seconds) Total Scan Time: 1052.00 (seconds)
Total requests made: 2752 Average server response time: 0.06 seconds
Average browser load time: 0.06 seconds
150152 Forms Crawled (1)

150152 Forms Crawled
Finding #: 12223498 (295486681)
Severity: Information Gathered - Level 1
Unique #: 29944a3a-c359-4308-98b5-14ec82604e6b
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
The Results section lists the unique forms that were identified and submitted by the scanner. The forms listed in this QID do not include authentication forms (i.e. login forms), which are reported separately under QID 150115. The scanner does a redundancy check on forms by inspecting the form fields. Forms determined to be redundant based on identical form fields will not be tested. If desired, you can enable 'Include form action URI in form uniqueness calculation' in the WAS option profile to have the scanner also consider the form's action attribute in the redundancy check. NOTE: Any regular expression specified under 'Redundant Links' is not applied to forms. Forms (unique or redundant) are not reported under QID 150140.
Impact
N/A
Solution
N/A

Results
Total internal forms seen (this count includes duplicate forms): 0
Crawled forms (Total: 0) NOTE: This does not include authentication forms. Authentication forms are reported separately in QID 150115.
150247 Web Server and Technologies Detected (1)

150247 Web Server and Technologies Detected
Finding #: 12230048 (295486677)
Severity: Information Gathered - Level 1
Unique #: c90cd845-c851-4555-9b6c-badf4ed92005
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP: -
WASC: -

Details
Threat
Information disclosure is an application weakness in revealing sensitive data, such as technical details of the system or environment. This check reports the various technologies used by the web application based on the information available in different components of the Request-Response.
Impact
An attacker may use sensitive data to exploit the target web application, its hosting network, or its users.
Solution
Ensure that your web servers do not reveal any sensitive information about your technology stack and system details. Please review the issues reported below:

Results
Number of technologies detected: 1
Technology name: Bootstrap
Technology version: Bootstrap 5.2.3
Matched Components:
html response match: tible" content="IE=edge"> <title>Azure Static Web Apps - 404: Not found</title> <link rel="shortcut icon" href="https://appservice.azureedge.net/images/static-apps/v3/favicon.svg" type="image/x-icon"> <link rel="stylesheet" href="https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css" crossorigin="anonymous"> <link rel="stylesheet" type="text/css" href="https://appservice.azureedge.net/css/static-apps/v3/main.css"> <script src="https://appservice.azureedge.net/scripts/static-apps/
script tag match: <script src="https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js" crossorigin="anonymous"></script>
Matched links: reporting only first 3 links
https://www.redmunch.com/favicon.ico
150528 Server Returns HTTP 4XX Error Code During Scanning (1)

150528 Server Returns HTTP 4XX Error Code During Scanning
Finding #: 12230047 (295486676)
Severity: Information Gathered - Level 1
Unique #: 311bcbc3-d8d2-426d-8876-42d362ff354d
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
During the WAS scan, links with an HTTP 4xx response code were observed, and these are listed in the Results section. An HTTP 4xx message indicates a client error. The supported 4xx response codes are:
400 - Bad Request
401 - Unauthorized
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
407 - Proxy Authentication Required
408 - Request Timeout
413 - Payload Too Large
414 - URI Too Long
Impact
The presence of an HTTP 4xx error during the crawl phase indicates that some problem exists on the website that will be encountered during normal usage of the Web application. Note: WAS depends on responses to detect many vulnerabilities; if a link does not respond with an expected response, then any vulnerabilities present on that link may not be detected.
Solution
Review each link to determine why the client encountered an error while requesting the link. Additionally, review and investigate the results of QID 150042, which lists 5xx errors, QID 150019, which lists unexpected response codes, and QID 150097, which lists potentially blocked requests.

Results
Number of links with 4xx response code: 1 (Only first 50 such links are listed)
404 https://www.redmunch.com/favicon.ico
150545 JavaScript Library Loaded via External Server (1)

150545 JavaScript Library Loaded via External Server
Finding #: 12230049 (295486685)
Severity: Information Gathered - Level 1
Unique #: 5f2bf708-f3b9-4a42-a0be-18f5bb3341ff
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP: -
WASC: -

Details
Threat
WAS reports out-of-scope JavaScript libraries discovered by the scanner during crawling; they are listed in the Results section. Out-of-scope means the link was not "in scope" per the Web Application configuration. The discovered libraries are reported only once, based on the page on which they were first detected. Each library is reported along with other information such as the URL of the page on which it was first found, the version, and the URL of the .js file. Check the results of QID 150176, if present, for the in-scope JavaScript libraries detected.
Impact
When including third-party functionality, such as a JavaScript library, the application trusts the libraries it adds. Without sufficient protection mechanisms, the functionality could be malicious in nature (i.e. either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source).
Solution
Use digital signatures or similar mechanisms to verify that the software or data is from the expected source and has not been altered. Ensure libraries and dependencies are consumed from trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that has been vetted.

Results
Number of unique external facing JS libraries: 2
Javascript library: Bootstrap
Version: 5.2.3
Script uri: https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
Found on the following page (only first page is reported): https://www.redmunch.com/favicon.ico

Javascript library: jQuery
Version: 3.7.1
Script uri: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js
Found on the following page (only first page is reported): https://www.redmunch.com/favicon.ico
150546 First Link Crawled Response Code Information (1)

150546 First Link Crawled Response Code Information
Finding #: 12223493 (295486684)
Severity: Information Gathered - Level 1
Unique #: 57253852-1721-4aaa-b1dc-b3276f114f2c
Group: Scan Diagnostics
Detection Date: 30 May 2024 14:01 GMT-0800
CWE: -
OWASP: -
WASC: -

Details
Threat
The Web server returned the following information for the URL from which the Web application scanning engine initiated the scan. Information reported includes First Link Crawled, Response Code, Response Header, and Response Body (first 500 characters). The first link crawled is the "Web Application URL (or Swagger file URL)" set in the Web Application profile.
Impact
An erroneous response might be indicative of a problem in the Web server or the scan configuration.
Solution
Review the information to check that it is in line with the expected scan configuration. Refer to the output of QIDs 150009, 150019, 150021, 150042 and 150528 (if present) for additional details.

Results
Base URI: http://www.redmunch.com/
Response Code: 307
Response Header:
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://www.redmunch.com/
Non-Authoritative-Reason: HSTS
Response Body: <html><head></head><body></body></html>
Security Weaknesses (7)

150202 Missing header: X-Content-Type-Options (1)

150202 Missing header: X-Content-Type-Options
Finding #: 12230051 (295486687)
Severity: Information Gathered - Level 2
Unique #: e002eb87-f069-4807-9f5e-dea09f8dc97a
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:

Details
Threat
The X-Content-Type-Options response header is not present. WAS reports a missing X-Content-Type-Options header on each crawled link, for both static and dynamic responses. The scanner performs the check not only on 200 responses but on 4xx and 5xx responses as well. It is also possible for this QID to be reported on directory-level links.
Impact
All web browsers employ a content-sniffing algorithm that inspects the contents of HTTP responses and occasionally overrides the MIME type provided by the server. If the X-Content-Type-Options header is not present, browsers can potentially be tricked into treating a non-HTML response as HTML. An attacker can then potentially leverage this behaviour to perform a cross-site scripting (XSS) attack. This specific case is known as a Content-Sniffing XSS (CS-XSS) attack.
Solution
It is recommended to disable browser content sniffing by adding the X-Content-Type-Options header to the HTTP response with a value of 'nosniff'. Also, ensure that the 'Content-Type' header is set correctly on responses.

Results
X-Content-Type-Options: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico
response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://www.redmunch.com/favicon.ico response code: 404
150206 Content-Security-Policy Not Implemented (1)

150206 Content-Security-Policy Not Implemented
Finding #: 12223502 (295486689)
Severity: Information Gathered - Level 2
Unique #: 67a2ebdb-b8ad-481a-85b5-9deaab8aca19
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:

Details
Threat
No Content-Security-Policy (CSP) is specified for the page. WAS checks for a missing CSP on all static and dynamic pages. It checks for CSP in the response headers (Content-Security-Policy, X-Content-Security-Policy or X-Webkit-CSP) and in the response body (http-equiv="Content-Security-Policy" meta tag). HTTP 4xx and 5xx responses can also be susceptible to attacks such as XSS. For better security it is important to set appropriate CSP policies on 4xx and 5xx responses as well.
Impact
Content Security Policy is a defense mechanism that can significantly reduce the risk and impact of XSS attacks in modern browsers. The CSP specification provides a set of content restrictions for web resources and a mechanism for transmitting the policy from a server to a client, where the policy is enforced. When a Content Security Policy is specified, a number of default behaviors in user agents are changed; specifically, inline content and JavaScript eval constructs are not interpreted without additional directives. In short, CSP allows you to create a whitelist of trusted content sources. The CSP policy instructs the browser to render resources only from those whitelisted sources. Even if an attacker finds a security vulnerability in the application through which to inject script, the script will not match the whitelisted sources defined in the CSP policy and therefore will not be executed. The absence of a Content Security Policy in the response allows an attacker to exploit vulnerabilities, as the protection provided by the browser is not leveraged by the Web application at all. If a secure CSP configuration is not implemented, browsers will not be able to block content-injection attacks such as Cross-Site Scripting and Clickjacking.
Solution

Results
Content-Security-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/
response code: 200
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://www.redmunch.com/ response code: 200
GET https://www.redmunch.com/favicon.ico response code: 404
GET https://www.redmunch.com/styles.css response code: 200
150208 Missing header: Referrer-Policy (1)

150208 Missing header: Referrer-Policy

Finding #: 12230046 (295486675)
Severity: Information Gathered - Level 2
Unique #: cfc2bd79-2266-41ff-b008-abb2af443070
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:

Details
Threat
No Referrer Policy is specified for the link. WAS checks for a missing Referrer Policy on all static and dynamic pages. It checks for one of the following Referrer Policy values in the response headers: 1) no-referrer 2) no-referrer-when-downgrade 3) same-origin 4) origin 5) origin-when-cross-origin 6) strict-origin 7) strict-origin-when-cross-origin
If the Referrer-Policy header is not found, WAS checks the response body for a meta tag named "referrer" carrying one of the above Referrer Policy values.
Impact
The Referrer-Policy header controls how much referrer information is sent to a site when navigating to it. Absence of the Referrer-Policy header can lead to leakage of sensitive information via the Referer request header.
Solution

Results
Referrer-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://www.redmunch.com/favicon.ico response code: 404
150248 Missing header: Permissions-Policy (1)

150248 Missing header: Permissions-Policy

Finding #: 12223499 (295486682)
Severity: Information Gathered - Level 2
Unique #: 5707d9e0-f9ee-40d4-804f-05057a57b0b9
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC: -

Details
Threat
The Permissions-Policy response header is not present.
Impact
Permissions-Policy allows web developers to selectively enable, disable, or modify the behavior of some browser features and APIs within their application. A user agent has a set of supported features (policy-controlled features), which is the set of features it allows to be controlled through policies. Not defining a policy for unused and risky policy-controlled features may leave the application vulnerable.
Solution

Results
Permissions-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/ response code: 200
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://www.redmunch.com/ response code: 200
GET https://www.redmunch.com/favicon.ico response code: 404
GET https://www.redmunch.com/styles.css response code: 200
150249 Misconfigured Header: Cache-Control (1)

150249 Misconfigured Header: Cache-Control

Finding #: 12223501 (295486683)
Severity: Information Gathered - Level 2
Unique #: 6f429b6d-6f9c-4694-9e11-eee768f233d3
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC: -

Details
Threat
The Cache-Control header is present, but its directives may not be configured to adequately safeguard sensitive information. For example: the Cache-Control directive is set to public, or the max-age value is greater than 86400.
Impact
If the directive is set to public, the resource can be stored by any cache. A max-age value greater than 86400 on sensitive information may lead to information leakage.
Solution
Please check that resources containing sensitive information are not configured with the Cache-Control public directive. Also make sure the max-age directive value is set appropriately so that sensitive information is not cached for longer than needed. References: Mozilla Documentation Cache-Control

Results
Cache-Control: Header misconfigured. Cache-Control public directive found. Cache-Control:public, must-revalidate, max-age=30 on the link: GET https://www.redmunch.com/ response code: 200
Cache-Control: Header misconfigured. Cache-Control public directive found. Cache-Control:public, must-revalidate, max-age=30 on the link: GET https://www.redmunch.com/styles.css response code: 200
150204 Missing header: X-XSS-Protection (1)

150204 Missing header: X-XSS-Protection

Finding #: 12230052 (295486690)
Severity: Information Gathered - Level 1
Unique #: 2b5e1c4a-c695-443b-a664-a6364e7abda4
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:

Details
Threat
The X-XSS-Protection response header is not present.
Impact
The X-XSS-Protection response header provides a layer of protection against reflected cross-site scripting (XSS) attacks by instructing browsers to abort rendering a page in which a reflected XSS attack has been detected. This is a best-effort second line of defense which helps prevent an attacker from using evasion techniques to avoid the neutralization mechanisms that the filters use by default. When configured appropriately, browser-level XSS filters can provide additional layers of defense against web application attacks. Note that HTTP 4xx and 5xx responses can also be susceptible to attacks such as XSS. For better security the X-XSS-Protection header should be set on 4xx and 5xx responses as well.
Solution

Results
X-Xss-Protection: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://www.redmunch.com/favicon.ico response code: 404
150245 Missing header: X-Frame-Options (1)

150245 Missing header: X-Frame-Options

Finding #: 12223497 (295486680)
Severity: Information Gathered - Level 1
Unique #: 17acaed9-91b6-4f9f-883c-b3a53a10f040
Group: Security Weaknesses
Detection Date: 30 May 2024 14:01 GMT-0800
CWE:
OWASP:
WASC:

Details
Threat
The X-Frame-Options header is not set in the HTTP response, meaning the page can potentially be loaded into an attacker-controlled frame. This could lead to clickjacking, where an attacker adds an invisible layer on top of the legitimate page to trick users into clicking on a malicious link or taking a harmful action. Note: Only responses with status code 200 OK are tested and reported for 150245 and 150124
Impact
Without an X-Frame-Options response header, clickjacking may be possible. However, if the application properly uses the Content-Security-Policy "frame-ancestors" directive, then modern web browsers would stop the page from being framed and prevent clickjacking.
Solution

Results
X-Frame-Options header is missing or not set to DENY or SAMEORIGIN for the following pages: (Only first 10 such pages are reported)
GET https://www.redmunch.com/ Response code: 200
Response headers:
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block

Appendix
Scan Details
Web Application Vulnerability Scan - Redmunch - May 30, 2024
Reference: was/1717102810014.17294573
Date: 30 May 2024 14:01 GMT-0800
Mode: On-Demand
Progressive Scanning: Disabled
Type: Vulnerability
Authentication: None
Scanner Appliance: External (IP: 139.87.104.123, Scanner: 0.6.680b2-1, WAS: 10.1.0-3, Signatures: 2.6.34-2)
Profile: Initial WAS Options
DNS Override: -
Duration: 00:19:15
Status: Finished
Authentication Status: None

Option Profile Details
Form Submission: BOTH
Form Crawl Scope: Do not include form action URI in uniqueness calculation
Maximum links to test in scope: 300
User Agent: -
Request Parameter Set: Initial Parameters
Document Type: Ignore common binary files
Enhanced Crawling: Disabled
SmartScan: Disabled
Timeout Error Threshold: 100
Unexpected Error Threshold: 300
Performance Settings: Pre-defined
Scan Intensity: Low
Bruteforce Option: Minimal
Detection Scope: Core
Include additional XSS payloads: No
Credit Card Numbers Search: Off
Social Security Numbers (US) Search: Off

Web Application Details: Redmunch
Name: Redmunch
ID: 648243115
URL: http://www.redmunch.com
Owner: Takashi Moriyama (mryam3tm)
Scope: Limit to URL hostname
Tags: -
Custom Attributes: -

Severity Levels
Confirmed Vulnerabilities
Vulnerabilities (QIDs) are design flaws, programming errors, or misconfigurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.

Minimal
Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.

Medium
Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.

Serious
Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.

Critical
Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.

Urgent
Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.

Potential Vulnerabilities
Potential Vulnerabilities indicate that the scanner observed a weakness or error that is commonly used to attack a web application, but the scanner was unable to confirm whether the weakness or error could be exploited. Where possible, the QID's description and results section include information and hints for following up with manual analysis. For example, the exploitability of a QID may be influenced by characteristics that the scanner cannot confirm, such as the web application's network architecture, or the test to confirm exploitability may require more intrusive testing than the scanner is designed to conduct.

Minimal
Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example, in this scenario information such as web server type, programming language, passwords or file path references can be disclosed.

Medium
Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example, the version of software or session data can be disclosed, which could be used in an exploit.

Serious
Presence of this vulnerability might give intruders access to security-related information that they are bound to misuse or exploit. Examples of what could happen if this vulnerability were exploited include bringing down the server or disrupting the regular service.

Critical
Presence of this vulnerability might give intruders the ability to gain highly sensitive content or affect other users of the web application.

Urgent
Presence of this vulnerability might enable intruders to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture. For example, in this scenario the web application's users can potentially be targeted if the application is exploited.

Sensitive Content
Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.

Minimal
Sensitive content was found in the web server response. During our scan of the site, form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.

Medium
Sensitive content was found in the web server response. Specifically, our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.

Serious
Sensitive content was found in the web server response: a valid social security number or credit card information. This information disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.

Information Gathered
Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include information about users of the web application.

Minimal
Intruders may be able to retrieve sensitive information related to the web application platform.

Medium
Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.

Serious
Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.