Node.js Express installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Express, Node.js.

This is an informational notice that the scanner was able to detect custom HTTP headers in the target application's responses.

Netdisco is a web-based network management tool. When accessible without authentication, an attacker can gain unauthorized access to the Netdisco interface, potentially leading to information disclosure or further exploitation of the system.

Apache Airflow is a platform to programmatically author, schedule and monitor workflows. When authentication is not enabled, an attacker can access the Airflow web interface without any credentials. This may allow an attacker to view and modify workflows, access sensitive information, and potentially execute arbitrary code on the server hosting Airflow.

pyLoad is an open-source download manager written in Python. By default, pyLoad is configured with a default username and password allowing any attacker to log in to the application and have full access to its functionality. An attacker can leverage this vulnerability to perform further attacks against the application.

GoCD is an open-source continuous delivery server. When accessible without authentication, an attacker can gain unauthorized access to the GoCD interface, potentially leading to information disclosure or further exploitation of the system.

Anteon is an eBPF-based Kubernetes Monitoring and Performance Testing Platform. When accessible without authentication, an attacker can gain unauthorized access to the Anteon interface, potentially leading to information disclosure or further exploitation of the system.

Clickhouse is an open-source columnar database management system for online analytical processing. The Clickhouse HTTP interface allows users to interact with the database using HTTP requests.

When no authentication is configured, the Clickhouse API can be accessed without any credentials. This can lead to unauthorized access to sensitive data and potential data breaches.

Tiny File Manager is a web-based file manager that allows users to manage files on a server through a web interface. By default, Tiny File Manager comes with a default username and password combination. If these default credentials are not changed, a remote and unauthenticated attacker could gain unauthorized access to the application and perform arbitrary actions on it.

Tiny File Manager is a web-based file manager written in PHP. It allows users to manage files on a web server through a simple and user-friendly interface. When authentication is not enforced, an attacker can access the File Browser interface without any credentials. This can lead to unauthorized access to files and directories on the server, potentially exposing sensitive information or allowing for further exploitation of the system.

File Browser is an open-source web-based file manager that allows users to manage files on a server through a web interface. If the File Browser instance is accessible without authentication, it can lead to unauthorized access to sensitive files and directories on the server.

cAdvisor (short for container Advisor) is an open-source tool developed by Google that provides real-time monitoring and performance analysis of running containers. By default, cAdvisor does not require authentication to access the application. This allows an attacker to access sensitive data.

Jenkins is an open-source automation server used to automate various aspects of software development, including building, testing, and deploying application. If authentication is not enforced, an attacker can gain administrative access to Jenkins, potentially allowing for the execution of arbitrary code, theft of sensitive information, and full control over the CI/CD pipeline.

Jenkins is an open-source automation server used to automate various aspects of software development, including building, testing, and deploying applications. An internal only Jenkins instance may be misconfigured to allow user registration, potentially leading to attackers creating accounts and gaining unauthorized access to the Jenkins instance and its resources.

OAuth Dynamic Client Registration allows for various metadata fields such as 'client_name', 'website_uri' during the registration process. When the OAuth server accepts permissive values for such fields, such as ones starting with javascript://, an attacker could exploit this to perform Cross-Site Scripting (XSS) attacks. OAuth Dynamic Client Registration is very common in the context of Model Context Protocol (MCP) servers, allowing attackers to target AI developers

OAuth Dynamic Client Registration requires specifying redirect URIs during the registration process. When the OAuth server accepts permissive redirect URIs, such as those allowing arbitrary hosts or ones starting with javascript://, an attacker could exploit this to perform Open Redirect or Cross-Site Scripting (XSS) attacks. OAuth Dynamic Client Registration is very common in the context of Model Context Protocol (MCP) servers, allowing attackers to target AI developers.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible OAuth Dynamic Client Registration endpoint on the target application. OAuth Dynamic Client Registration allows clients to register dynamically with an authorization server and is very common in the context of Model Context Protocol (MCP) servers used for AI development.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Microsoft Exchange Admin Center instance on the target application.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When an application using the FastJSON library performs untrusted data deserialization, an attacker could inject a custom serialized JSON object to trigger malicious code execution on the system or to generate a Denial of Service attack (DoS).

It was determined that the target Java application using FastJSON is vulnerable to this attack as it deserializes a user-supplied object.

GraphQL is an open-source query and manipulation language for APIs. Unlike regular queries that only read data, mutations are operations designed to modify data on the server. When GraphQL APIs allow mutation operations without requiring proper authentication, attackers can manipulate, insert, update, or delete data without authorization.

GraphQL is an open-source query and manipulation language for APIs. GraphQL alias overloading is a vulnerability where an attacker sends queries with numerous aliased fields to cause server performance degradation. The server must process each alias separately, which can lead to excessive CPU usage, memory consumption, and potentially denial of service.

GraphQL is an open-source query and manipulation language for APIs. When a GraphQL API does not enforce limits on query length or complexity, attackers can submit extremely large and complex queries that consume excessive server resources, potentially causing denial of service conditions.

GraphQL is an open-source query and manipulation language for APIs. When GraphQL is run in a 'debug mode' it can leak information about the underlying web applications.

This is an informational notice that the scanner was able to detect a public Docker registry instance.

This is an informational notice that the scanner was able to detect public snippets on the target GitLab instance.

This is an informational notice that the scanner was able to detect public projects on the target GitLab instance.

This is an informational notice that the scanner was able to detect a GitLab public sign-up page on the target instance.

This is an informational notice that the scanner was able to detect an application using Auth0 Identity Provider.

This is an informational notice that the scanner was able to detect an application using Azure Entra ID.

.NET Framework offers an alternative to cookie based session management named 'cookieless' by allowing developers to store the session ID directly in URLs rather than in cookies. When enabled, this feature can be abused to make session hijacking attacks easier to exploit or to craft valid URLs in order to bypass security mechanisms such as Web Application Firewalls (WAFs) or path based restrictions.

This is an informational notice that the scanner was able to detect a REST API.

On-Premise installation of Microsoft Exchange is prone to a user enumeration through the ActiveSync protocol using the AutodiscoverV2 endpoint.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Microsoft Remote Desktop Web Access instance on the target application.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management. DNS dangling records exist because they target external services which do not exist anymore. When this is directly exploitable, a remote and unauthenticated attacker can perform a DNS takeover.

The plugin currently supports the following services: - Gitbook - Hubspot - Intercom - JazzHR - Kinsta - Lemlist - Netlify - Smugsmug - Teamwork - Tilda - UserVoice

The Envoy Admin interface is an optional Envoy component that lets you view configuration and statistics, modify server behavior and filter traffic according to specific filter rules.

But this unauthenticated interface can expose private information about the running service, allows modification of runtime settings and can also be used to shut the server down.

When the 'x-envoy-peer-metadata' and/or 'x-envoy-peer-metadata-id' headers are present, they may include data deemed sensitive about the Kubernetes environment.

PhpSysInfo is a customizable PHP script that displays information about the system.

The scanner detected the usage of PhpSysInfo on the target application.

This is an informational plugin to inform the user that the scanner detected that the target application handles specific HTTP headers as hop-by-hop headers.

This is an informational plugin to inform the user that the scanner detected the presence of one or multiple virtual hosts on the target server.

HTML5 WebSockets allow developers to create bi-directionnal communication channels between clients (usually web browsers) and servers. To initialize the communication, the WebSocket protocol requires a handshake performed with the HTTP protocol to ugprade the communication. When a web application only leverage on the client cookies to authenticate its users, a remote and unauthenticated could initiate a WebSocket handhsake from a malicious page to force the victim to authenticate against the target, therefore gaining access to the WebSocket traffic exchanged between the victim user and the target web application.

Express.js applications with Cookie-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Express.js applications with Express-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Pyramid applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Flask applications use an application key to encrypt and sign various data, including session cookies and other sensitive information.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

This is an informational plugin to inform the user that the scanner has detected the usage of Service Worker on the target web application.

This is an informational plugin to inform the user that the scanner has detected the usage of WebSockets on the target web application.

Web applications heavily rely on external resources such as JavaScript files, Cascading Style Sheets (CSS) or images. When an application uses links which targets external resources which do not exist, an attacker could try gaining control over this resource to inject code in the target web application or get application users traffic on their malicious servers.

ID	Name	Severity
115007	Node.js Express DevMode Enabled	medium
115006	Custom HTTP Header Detected	info
115002	Netdisco Unauthenticated Access	medium
114986	Apache Airflow Unauthenticated Access	medium
114979	pyLoad Default Credentials	critical
114976	GoCD Unauthenticated Access	medium
114975	Anteon Unauthenticated Access	medium
114974	Clickhouse API Unauthenticated Access	medium
114973	Tiny File Manager Default Credentials	critical
114972	Tiny File Manager Unauthenticated Access	medium
114971	File Browser Unauthenticated Access	medium
114970	cAdvisor Unauthenticated Access	medium
114968	Jenkins Unauthenticated Access	critical
114967	Jenkins User Registration Form Detected	medium
114920	OAuth Dynamic Client Registration Permissive Metadata Field	low
114919	OAuth Dynamic Client Registration Permissive Redirect URI	low
114918	OAuth Dynamic Client Registration Detected	info
114903	Microsoft Exchange Admin Center Detected	info
114884	FastJSON Object Deserialization	critical
114882	GraphQL Unauthenticated Mutation Detected	medium
114868	GraphQL Alias Overloading Enabled	medium
114867	GraphQL Query Length Not Limited	medium
114866	GraphQL Debug Mode Enabled	medium
114621	Docker Public Registry Detected	info
114619	GitLab Public Snippets Detected	info
114617	GitLab Public Projects Detected	info
114616	GitLab Public Sign-Up Detected	info
114613	Auth0 Identity Provider Detected	info
114611	Azure Entra ID Identity Provider Detected	info
114610	ASP.NET Cookieless Session State Enabled	low
114608	REST API Detected	info
114590	Microsoft Exchange Autodiscover V2 User Enumeration	medium
114573	Microsoft Remote Desktop Web Access Detected	info
114572	DNS Dangling Record	medium
114570	Envoy Admin Interface Exposed	medium
114571	Istio Sensitive Information Disclosure	high
114528	PhpSysInfo Detected	medium
114505	HTTP Hop-By-Hop Headers Detected	info
114503	Virtual Hosts Detected	info
114502	Cross-Site WebSocket Hijacking	high
114439	Express.js Cookie-Session Weak Secret Key	high
114438	Express.js Express-Session Weak Secret Key	high
114437	Pyramid Weak Secret Key	high
114436	Ruby On Rails Weak Secret Key	high
114435	Django Weak Secret Key	high
114434	Flask Weak Secret Key	high
114432	Laravel Weak Secret Key	high
114429	Service Worker Detected	info
114395	WebSocket Detected	info
114386	External Broken Resources Detected	low

Detections

Analytics

Web Applications Family for Web App Scanning

medium

info

medium

medium

critical

medium

medium

medium

critical

medium

medium

medium

critical

medium

low

low

info

info

critical

medium

medium

medium

medium

info

info

info

info

info

info

low

info

medium

info

medium

medium

high

medium

info

info

high

high

high

high

high

high

high

high

info

info

low