TYPO3 Administration Panel has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications. By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers.

When configured with an identity pool ID, Amazon Cognito allows a remote unauthenticated user to retrieve temporary AWS credentials related to the Cognito role to be used against the target application AWS account. Depending on the permissions attached to the role, an attacker could leverage these credentials to gain access to sensitive information, or perform arbitrary modifications on the other cloud assets of the target AWS account.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications. By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers. Under certain conditions, Amazon Cognito allows an unauthenticated attacker to infer the existence of the accounts on the target application by abusing the sign-in and sign-up features.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications.

By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers.

The scanner detected the usage of Amazon Cognito on the target application.

Rails has several gems, including a native one allowing access to a ruby console through the application. Badly configured, this console is accessible without authorization to any user, which allows to execute arbitrary code remotely.

The ViewState is a parameter specific to the ASP.NET framework, it's used as a breadcrumb trail when the user navigates the application preserving values and controls between different web pages. Present on the pages in the __viewstate parameter, all the values are serialized and encoded in base64 in a hidden field. In addition to the base64 encoding, the viewstate can also be signed with a MAC (Message Authentication Code) to guarantee integrity and also encrypted to guarantee confidentiality.

If the viewstate is not signed, depending on the information stored inside, an attacker might be able to modify the information stored inside and therefore possibly achieve a Remote Code Execution.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged.

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

The `Schema` object allows the definition of input and output data types which can be objects or primitives and arrays. When some data types properties are missing on objects specified in the definition file, the API implementation could potentially allow malicious input formats, leaving it open to multiple vulnerabilities like Denial of Service (DoS) or Remote Code Execution (RCE).

The scanner analyzed an OpenAPI definition file and detected the lack of properties on some data types.

This is an informational notice that the scanner was able to detect an application using Google Web Toolkit.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When PHP web applications use the `unserialize()` function to perform user-supplied data deserialization, an attacker could inject a custom serialized PHP object in order to achieve a remote code execution on the system or to generate a Denial of Service attack (DoS).

An HTTP Parameter Pollution (HTTP) exploits the possibility of including several parameters with the same name in an HTTP request or by including a new encoded parameter. Depending on the web server, its parameters will be parsed in a different way (i.e. parsing only the first/last occurrence of the parameter or concatenating all occurrences into a field or array). This can create unexpected behavior on both the client side and the server side of the application by example, tricking the first server or if the parameters are then passed to a second server which will parse it in a different way.

By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or change the values of internal variables. As HTTP Parameter Pollution (abbreviated as HPP) affects a building block of all web technologies, both server-side and client-side attacks exist.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When Python web applications use the `pickle` library to perform user-supplied data deserialization, an attacker could inject a custom serialized Python object in order to achieve a remote code execution on the system or to generate a Denial of Service attack (DoS).

Atlassian Jira is a software application used for issue tracking and project management. An internal only Atlassian Jira Service Desk instance may be misconfigured to be accessible to 3rd parties to sign up, potentially leading to attackers creating accounts and raising ticket requests for privileged internal access, and in some cases expose email addresses and other sensitive information contained inside.

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

The `consumes` field defines the expected data types for `POST`, `PUT` or `PATCH` requests. When missing in the definition, the API implementation could potentially accept any data type, leaving it open to server-side vulnerabilities like SQL or XML External Entities (XXE) injections.

The `produces` field defines the MIME type of the response returned by the API. When missing, the API implementation could potentially respond with any data type, leaving it open to arbitrary data leaks or client-side attacks like Cross-Site Scripting (XSS).

The scanner analyzed an OpenAPI definition file (version 2) and detected the lack of either the `consumes` or the `produces` fields.

HTTP Verb Tampering is an attack that bypasses an authentication or control system that is based on the HTTP Verb. Sometimes, Web Server authentication mechanisms use verb-based authentication with access controls. Such security mechanisms include access control rules for requests with specific HTTP methods. Due to the HTTP specification that includes request methods other than the standard GET and POST requests, a standards compliant web server may respond to these alternative methods in ways not anticipated by developers. So if an application restricts only GET requests it might still be possible to access the page using a POST, PUT, PATCH or other method.

Salesforce Lightning is a component-based framework which is designed to help organizations building data-driven SaaS applications. By assembling those components called `Aura components`, developers can quickly create custom web pages in their Salesforce application and perform specific actions on Salesforce objects and records through an exposed API.

When guest permissions are not properly enforced on Aura components, an unauthenticated attacker could abuse this feature to extract sensitive information stored by the Salesforce application.

Adobe ColdFusion server administration console has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

A PHP OPcache information page has been detected, potentially including server statistics, settings and cached files, software versions and providing real-time updates for the information. This information may then assist in the compromise of the web application.

Rack-Mini-Profiler is a middleware that displays a speed badge for each html page. Designed to work in both production and development but when the 'enable_advanced_debugging_tools' option is selected it is possible to access sensitive information such as environment variables and other secrets stored in memory.

The scanner has detected the presence of a form during the crawling of the target web application. Details about the form are provided in the plugin output.

Microsoft Power Apps is a low-code development platform designed to help users build rich web and mobile applications. Power Apps enables users to publish table data as OData feeds, providing a RESTful web service by default available to any user.

The scanner detected the presence of public data in the OData feed of the target Power Apps application.

Microsoft Power Apps is a low-code development platform designed to help users build rich web and mobile applications. By leveraging the multiple services, data sources and connectors provided by the Power Apps environment, an user with a Microsoft Office 365 subscription including Power Apps can quickly create business-oriented applications and make them publicly available.

It is possible to obtain an overview of the remote Nginx web server's Vhost traffic activity and performance by requesting the URL '/status'. This overview includes information such as current hosts, server version and requests being processed, the number of workers idle and service requests, and CPU utilization.

WordPress Database Repair functionality has been detected on the target web application.

This may present an attacker with information regarding the database schema in use which may be used to mount further attacks.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. Some web applications provide a friendly user interface to help developers building GraphQL queries and get the results.

The scanner detected the presence of one or more GraphQL interfaces.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. By default, GraphQL has a feature which suggests field names to be used in the queries or mutations from the wrong ones provided in the received requests. By leveraging this capability, an attacker could conduct a bruteforce attack to discover the GraphQL schema and potential hidden or private endpoints, and could try accessing sensitive information or performing arbitrary actions on the target server.

The scanner detected that the remote GraphQL server has field suggestions enabled.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. GraphQL introspection allows to query all information related to the supported schema and queries on a GraphQL server instance. By leveraging this misconfiguration, an attacker could retrieve sensitive information or conduct further attacks on the discovered endpoints.

The scanner detected that GraphQL introspection is enabled on one of several endpoints of the target application.

X-Cart Concierge module has been detected on the target X-Cart installation.

This may present an attacker with sensitive information to mount further attacks & may leak the admin account email used to log into the store, official company name, license type of the store and other sensitive data

X-Cart sensitive files have been detected on the target X-Cart installation.

This may present an attacker with sensitive information to mount further attacks.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. It is a popular alternative to traditional REST or SOAP APIs, providing flexibility and an optimized data fetching method.

The scanner detected the usage of GraphQL on the target application.

In a default phpBB installation there are unauthenticated methods to enumerate member usernames. These phpBB users can then be used in brute-force attacks against phpBB login page to guess passwords.

An information disclosure vulnerability is present on the remote server due to exposure of Microsoft FrontPage extensions configuration files in the _vti_pvt directory.

phpBB sensitive directories have been detected on the target phpBB installation.

This may present an attacker with sensitive information to mount further attacks.

Prototype-based programming languages rely on the process of defining objects used as prototypes to be then extended or cloned in order to create new objects. Once instantiated, these objects will inherit from the properties and methods of their prototype.

JavaScript is one of the most common prototype-based language in modern web applications, on both server-side and client-side components. Nearly all the JavaScript objects are instances of Object, making them inherit from the properties and methods of the Object prototype.

A client-side prototype pollution vulnerability exists when an attacker is able to modify the properties of the Object prototype in the context of the web browser, exposing the application users to further issues like Cross-Site Scripting or Denial of Service attacks.

Magento configuation files have been detected on the target web application. These files may contain sensitive information about confidential customer's data.

Magento data files have been detected on the target web application. These files may contain sensitive information about confidential customer's data.

Magento log files have been detected on the target web application.

These files may contain sensitive information about application and server configuration, logins and passwords or confidential customer's data.

The scanner may have been able to detect several versions of the API for one or more endpoints.

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity.

JSON Web Tokens can be configured by an application with the 'none' algorithm and an empty signature, leaving the data unsigned and mutable without any verification. In addition, some libraries used to handle JSON Web Tokens may also have a bad implementation of this algorithm, leading to the tokens set with the 'none' algorithm being verified even when they are originally created with a signature.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.

Using weak keys makes it vulnerable to bruteforce attacks, allowing tokens to be manipulated and signed on behalf of the application. Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a data structure for securely transmitting claims between parties as a JSON object. A JSON Web Token can be instantiated as a JSON Web Signature (JWS) or a JSON Web Encryption (JWE) depending on the application security considerations.

JSON Web Signature based tokens are the most commonly used in API implementations and are built with three base64 URL encoded parts separated by periods :

- JSON Object Signing and Encryption (JOSE) header : describes at least the algorithm used for signing or encryption (alg) and the type (typ) of the content being processed. For JSON Web Tokens, the type will usually be set to 'JWT'.

- Payload : JSON object containing the claims to share. Claims can be of three classes : registered (from the specification), public or private and their names must be unique inside the claims set.

- Signature : computed by using the specific algorithm in header and a secret or a private key. This ensures the integrity of the JSON Web Token.

The scanner detected the presence of a JSON Web Signature based token containing the information provided in the output.

A Adobe Flash file has been detected on this url. Flash will be EOL on December 31, 2020.

A OpenAPI configuration file has been detected and is available as an attachment below. OpenAPI is a specification that helps with documentation and consumption of REST APIs and may also be used to configure API scanning.

The Hypertext Transfer Protocol (HTTP) is the underlying protocol of the World Wide Web. Since its first release, HTTP has evolved to support modern web usages and currently exists in three versions:
 - HTTP/1.0
 - HTTP/1.1
 - HTTP/2

The scanner identified the supported versions of the HTTP protocol on the target web application.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When an application performs untrusted data deserialization, an attacker could inject a custom serialized Java object to trigger malicious code execution on the system or to generate a Denial of Service attack (DoS).

It was determined that the target Java application is vulnerable to this attack as it deserializes an user-supplied object.

In default WordPress installation there are several methods to enumerate authors username. These WordPress users can then be used in brute-force attacks against WordPress login page to guess passwords.

The scanner collected the cookies returned by the application during the scan. The list includes the following information for each cookie:
 - Name: name of the cookie
 - Value: value of the cookie
 - Domain: hosts to which the cookie will be sent
 - Path: URL path which must exist in the requested resource before sending the cookie
 - Expires: maximum lifetime of the cookie as an HTTP-date timestamp
 - Max-Age: number of seconds until the cookie expires
 - HttpOnly: cookie is set to be not accessible via JavaScript, XMLHttpRequest and Request APIs
 - Secure: cookie will be sent to the server only when a request is made using HTTPS
 - SameSite: cookie will be sent along with cross-site request according the defined policy
 - URL: first URL discovered which set the cookie in its response
 - Set-Method: method used by the application to set the cookie (Set-Cookie or JavaScript)
 - Audited: cookie will be audited by plugins during the scan
 - Reason Not Audited: reason given for the cookie not being audited during the scan

Web applications often rely on network requests to query external resources and retrieve data in order to process it.

A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker is able to control these outbound requests and send it to a resource he owns, to the localhost itself, or to a private host in the target application internal network.

By injecting a specific request and using various protocols (like HTTPS or Gopher for example), the attacker can leverage this vulnerability to try gaining access to sensitive data, performing unauthorized modifications or getting remote code execution in the target environment.

Depending on the web application configuration, the vulnerability may be of three types:

 - Blind : the application executes the malicious request but does not return any response to the attacker. The exploitation is difficult as the attacker has to only rely on his own knowledge of the target to conduct his attack.

 - Half-blind : the malicious request is executed and the response is partially returned to the the attacker. For example, the application may return different error messages related to the status of the outbound request. The exploitation remains difficult, however the attacker can gather information to help conducting his attack further.

 - Non-blind : The application returns the full content of the response to the malicious request. The exploitation is easier and generally makes the impact of this vulnerability more critical.

The scanner has been able to detect a Server-Side Request Forgery vulnerability by injecting a crafted request in the target application which performed an external request and returned a partial or full response.

Oracle WebLogic UDDI Explorer allows authorized users to access and modify information about the web services published in the private WebLogic Server UDDI registries.

The scanner has been able to detect that this service is exposed on the target web application and could be leveraged by an attacker to help conduct further attacks.

The scanner has detected publicly accessible directory listings on the Magento web application. This may expose sensitive information to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to sensitive information leakage or a compromise of the target server.

ID	Name	Severity
113392	TYPO3 Administration Panel Login Form Detected	low
113374	Amazon Cognito Insecure Permissions	medium
113371	Amazon Cognito User Enumeration	medium
113370	Amazon Cognito Detected	info
113342	Rails Web Console Detected	critical
113340	ASP.NET ViewState Remote Code Execution	critical
113338	Web Cache Poisoning	medium
113258	OpenAPI Permissive Input Validation	medium
113247	Google Web Toolkit Detected	info
113237	PHP Object Deserialization	critical
113230	HTTP Parameter Pollution	medium
113229	Python Object Deserialization	critical
113218	Jira Service Desk Sign Up Detected	low
113170	OpenAPI Missing MIME Types	medium
113211	HTTP Verb Tampering	medium
113207	Salesforce Lightning Objects Guest Permissions	low
113068	Adobe ColdFusion Server Administration Console Detected	medium
113059	OPcache UI Detected	medium
113043	Rack-Mini-Profiler Information Disclosure	medium
98148	Form Detected	info
112949	Power Apps OData Feeds Detected	info
112925	Power Apps Application Detected	info
112922	Nginx Vhost Traffic Status Information Disclosure	medium
112921	WordPress Database Repair Enabled	low
112907	GraphQL Interface Detected	info
112895	GraphQL Field Suggestions Detected	medium
112894	GraphQL Introspection Enabled	medium
112893	X-Cart Concierge Module Information Disclosure	medium
112811	X-Cart Files Information Disclosure	medium
112809	GraphQL Detected	info
112804	phpBB User Enumeration	medium
112772	Microsoft FrontPage Insecure Extension Configuration	medium
112771	phpBB Directories Information Disclosure	medium
112719	Client-Side Prototype Pollution	high
98988	Magento Configuration Files	high
98987	Magento Data Files	high
98937	Magento Log File Detected	high
112714	API Versions Detected	info
112703	JSON Web Token None Hashing Algorithm	high
112697	JSON Web Token Weak Secret	high
112686	JSON Web Token Detected	info
112630	Flash File Detected	info
112615	OpenAPI File Detected	info
112613	Allowed HTTP Versions	info
98780	Java Object Deserialization	critical
98203	WordPress User Enumeration	medium
98061	Cookies Collected	info
112439	Server-Side Request Forgery	high
112421	Oracle WebLogic UDDI Explorer Detected	low
98986	Magento Directory Listing	medium

Detections

Analytics

Web Applications Family for Web App Scanning

low

medium

medium

info

critical

critical

medium

medium

info

critical

medium

critical

low

medium

medium

low

medium

medium

medium

info

info

info

medium

low

info

medium

medium

medium

medium

info

medium

medium

medium

high

high

high

high

info

high

high

info

info

info

info

critical

medium

info

high

low

medium