This is an informational plugin to inform the user that the scanner has detected a publicly accessible H2O Flow instance on the target application. H2O Flow is an open-source user interface for H2O, an open-source, distributed and scalable machine learning and predictive analytics platform.

This is an informational plugin to inform the user that the scanner has detected the presence of a manifest used by ChatGPT plugins on the target application.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Ray instance on the target application. Ray is an open-source framework to build and scale Machine Learning (ML) and Python applications.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible ZenML instance on the target application. ZenML is an open-source framework dedicated to MLOps abstracting the underlying infrastructure.

Supply chain attacks occur when one or more dependencies of an application are compromised, making the malicious code being shipped to the web application and, allowing threat actors to perform various operations depending on the logic of the code being altered like credentials stealing or application backdooring.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Ollama instance on the target application. Ollama is an open-source application to quickly set up various LLMs

By default, PHP accepts a maximum of 1000 variables in a request. If there are more input variables than specified, an E_WARNING is issued, and further input variables are truncated from the request depending on server configuration and application code, this can have various impacts such as bypassing function call.

This is an informational plugin to inform the user that the scanner has detected the usage of the ChatGPT.JS client-side library on the target application.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Langflow instance on the target application. Langflow is an open-source visual framework for building multi-agent and RAG.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible MLflow instance on the target application. MLflow is a platform to streamline machine learning development and simplify model operations.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Flowise instance on the target application. Flowise is a builder for LLM applications.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible LibreChat instance on the target application. LibreChat is an enhanced open-source ChatGPT clone.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible NextChat (formerly ChatGPT-Next-Web) instance on the target application. NextChat is a collection of tools to help developers build their own AI service around most popular LLMs.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Quivr instance on the target application. Quivr is RAG Framework specialized for building GenAI Second Brains and allows discussion with a variety of documents using different LLM models.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Open WebUI instance on the target application. Open WebUI offer an extensible web application designed for various LLM while offering a feature-rich environment.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible AnythingLLM instance on the target application. AnythingLLM let you choose beetween differents LLM or vector database to use and allow to convert any document or content into references that the selected language model can use while chatting.

PHP versions 5.0.0 < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 is affected by a vulnerability allowing an unauthenticated attacker to execute remote code via a specially forged request only when PHP is installed with Apache2 and PHP-CGI on Windows with certain languages (code pages).

Concrete CMS installed on the remote host is configured to operate in debug mode. While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

Concrete CMS Login Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Unrestricted file upload vulnerability occurs when the application suffers from a lack of validation of files being uploaded to its filesystem. When an attacker is able to upload files not matching the application expectations in terms of names, type, content or size, it could lead to various issues such as arbitrary files overwrite, denial of service or even remote code execution.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

Vercel is a popular Cloud provider helping developers hosting their javascript and typescript codebases. Vercel publishes the '/_src' endpoint which allows project team members to view application source code. When the 'Logs and Source Protection' option is disabled, the default protection is disabled and allow any unauthorized actor to access the source code.

Web application components can sometimes rely on request HTTP headers like 'X-Original-URL' or 'X-Rewrite-URL' to override the original path of this request. Attackers can leverage this vulnerability to conduct further attacks in order to bypass restrictions or conduct cache poisonning attacks.

Quarkus installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

The scanner has detected the presence of a payment form during the crawling of the target web application. Details about the form are provided in the plugin output.

Web applications often rely on proxy server to route requests to the right web service. An Open Proxy vulnerabilities occurs when a web server is configured to act as forward proxy, allowing anyone to use it to relay web traffic. This setup can may allow an attacker to use the proxy server to make requests to an external or internal server.\n\nThe corse issue arises because the proxy does not authenticate its users, thereby offering no control over who users the server's resources or for what purpose.

In PHP versions pior to 7.4.22, when the integrated web server is used, an attacker can with a specially forged request, obtain the source code due to an improper handling of multiple requests in quick succession, leading to the server treating requested files as static files instead of executing scripts.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

Web applications often use serialized data transmitted from the client which, depending on how it is implemented, can be abused by a malicious actor to conduct his attacks on the target application.

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to one or more back-end servers.

HTTP request smuggling occurs when the front-end server and the back-end server show discrepancies in the way they process HTTP requests `content-length` and `transfer-encoding` headers. A remote and unauthenticated attacker can leverage this class of vulnerability to bypass access controls or gain access to sensitive data, or to compromise offer users traffic without interaction.

The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the `Upgrade` header with the `h2c` value to specify a cleartext communication. The scanner detected that the target is supporting this H2C connection upgrade. If the target application is deployed on a reverse-proxy architecture, attackers could potentially abuse this feature to bypass reverse-proxy access controls or authentication enforcement.

GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application rate limits or conduct Denial of Service (DoS) attacks.

This is an informational notice that the scanner was able to detect that the target application is using Microsoft Entra ID.

This is an informational notice that the scanner was able to detect that the target application is using a Microsoft Azure service.

This is an informational notice that the scanner was able to detect that the target application is using an Google Cloud cloud service.

This is an informational notice that the scanner was able to detect that the target application is using an Amazon Web Services cloud service.

This is an informational notice that the scanner was able to detect a gRPC request/response.

This is an informational notice that the scanner was able to detect a SOAP API.

A Web Services Description Language (WSDL) file has been detected on this url.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can enumeration the SharePoint user accounts.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint web services page.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint interface page.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management.

A subdomain takeover vulnerability exists when an attacker can gain control over a subdomain or even an entire zone of the target domain depending on the configuration. By exploiting this vulnerability, the attacker can then provide content which could looks legit to any customer or user of the target domain name and conduct further attacks.

Developers often combine and minify their application JavaScript sources to help the server delivering it more efficiently to the client browsers. Sometimes, web applications JavaScript code may also be transpiled from another language like CoffeeScript of TypeScript.

A source map is a file that maps from the transformed source code to the original source, allowing the browser to reconstruct the original source code and present it to the debugger.

ServiceNow is a popular cloud platform enabling developers to build custom applications around automation for their organizations. ServiceNow widgets are JavaScript based components used to define content of the portal pages and can be either builtin or customized by developers. Widgets access control does not rely on ServiceNow ACLs but on fields set on the widget record itself.

When the widgets permissions are not properly configured, a remote and unauthenticated attacker could leverage this misconfiguration to retrieve sensitive information from the remote ServiceNow instance.

Pimcore versions before 10.1.3 suffer from an user enumeration vulnerability through the administration panel lost password feature. By submitting multiple usernames, a remote and unauthenticated attacker can infer the valid administrative accounts on the target Pimcore instance.

Pimcore Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The instance of MediaWiki running on the remote host allows access to API URLs associated with the SiteInfo module. The SiteInfo api endpoint reports information about the server components, how the web server is configured and its usage, and it may prove useful to an attacker seeking to attack the server or host.

Well-known URIs are used to store site-wide metadata and to make it available for some web-based protocols which require the discovery of a policy or retrieve specific information about a given host. These URIs use the `/.well-known` path prefix and are standardized to avoid collisions.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. In this case, the affected resource will be unreachable, which, depending on the resource, can cause a DoS (Denial Of Service).

Note that the scanner performs a safe check that does not affect website visitors but only the scanner itself.

In certain ActivityPub WebFinger implementations it is possible to enumerate usernames (known as actors) on the API webfinger service using wildcard searches. This information may potentially expose personal profile addresses, identity service, telephone numbers, avatar selection or other informations via the api endpoint even if user listings and directories are disabled in the ActivityPub server application itself.

The web application on the remote server has a PHP debug bar which is accessible without protection.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

ID	Name	Severity
114367	H2O Flow Detected	info
114362	ChatGPT Plugin Manifest Detected	info
114361	Ray Detected	info
114359	ZenML Detected	info
114358	Malicious Third Party Domain Detected	high
114327	Ollama Detected	info
114322	PHP Input Variables Exceeded	medium
114321	Chatgpt.js Detected	info
114319	Langflow Detected	info
114317	MLflow Detected	info
114309	Flowise Detected	info
114308	LibreChat Detected	info
114307	NextChat Detected	info
114305	Quivr Detected	info
114304	Open WebUI Detected	info
114303	AnythingLLM Detected	info
114300	PHP CGI Argument Injection Remote Code Execution	critical
114293	Concrete CMS Debug Mode Enabled	medium
114292	Concrete CMS Login Panel Detected	low
114283	Unrestricted File Upload	high
114278	Vercel Source Code Exposure	high
114262	Request URL Override	medium
114257	Quarkus DevMode Enabled	medium
114244	Payment Form Detected	info
114237	Open Proxy	high
114232	PHP Development Server < 7.4.22 Source Disclosure	high
114224	Serialized Data Detected	info
114223	HTTP Request Smuggling	high
114219	HTTP/2 Cleartext Upgrade Support Detected	info
114211	GraphQL Batching	info
114202	Microsoft Entra ID Detected	info
114201	Microsoft Azure Detected	info
114200	Google Cloud Platform Detected	info
114199	Amazon Web Services Detected	info
114167	gRPC Detected	info
114166	SOAP API Detected	info
113973	Web Services Description Language (WSDL) File Detected	info
114149	Microsoft SharePoint User Enumeration	medium
114148	Microsoft SharePoint Exposed Web Services	medium
114147	Microsoft SharePoint Exposed Interfaces	medium
114146	Subdomain Takeover	high
114132	JavaScript Source Map Detected	info
114106	ServiceNow Widgets Data Exposure	low
114089	Pimcore User Enumeration	medium
114065	Pimcore Administration Panel Login Form Detected	low
114064	MediaWiki Status Module Information Disclosure	medium
114029	Well-Known URIs Detected	info
114006	Web Cache Poisoning Denial of Service	high
113978	ActivityPub Username Enumeration	medium
113975	PHP Debug Bar Enabled	medium

Detections

Analytics

Web Applications Family for Web App Scanning

info

info

info

info

high

info

medium

info

info

info

info

info

info

info

info

info

critical

medium

low

high

high

medium

medium

info

high

high

info

high

info

info

info

info

info

info

info

info

info

medium

medium

medium

high

info

low

medium

low

medium

info

high

medium

medium