Supply chain attacks occur when one or more dependencies of an application are compromised, making the malicious code being shipped to the web application and, allowing threat actors to perform various operations depending on the logic of the code being altered like credentials stealing or application backdooring.

By default, PHP accepts a maximum of 1000 variables in a request. If there are more input variables than specified, an E_WARNING is issued, and further input variables are truncated from the request depending on server configuration and application code, this can have various impacts such as bypassing function call.

PHP versions 5.0.0 < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 is affected by a vulnerability allowing an unauthenticated attacker to execute remote code via a specially forged request only when PHP is installed with Apache2 and PHP-CGI on Windows with certain languages (code pages).

Concrete CMS installed on the remote host is configured to operate in debug mode. While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

Concrete CMS Login Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Unrestricted file upload vulnerability occurs when the application suffers from a lack of validation of files being uploaded to its filesystem. When an attacker is able to upload files not matching the application expectations in terms of names, type, content or size, it could lead to various issues such as arbitrary files overwrite, denial of service or even remote code execution.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

Vercel is a popular Cloud provider helping developers hosting their javascript and typescript codebases. Vercel publishes the '/_src' endpoint which allows project team members to view application source code. When the 'Logs and Source Protection' option is disabled, the default protection is disabled and allow any unauthorized actor to access the source code.

Web application components can sometimes rely on request HTTP headers like 'X-Original-URL' or 'X-Rewrite-URL' to override the original path of this request. Attackers can leverage this vulnerability to conduct further attacks in order to bypass restrictions or conduct cache poisonning attacks.

Quarkus installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

The scanner has detected the presence of a payment form during the crawling of the target web application. Details about the form are provided in the plugin output.

Web applications often rely on proxy server to route requests to the right web service. An Open Proxy vulnerabilities occurs when a web server is configured to act as forward proxy, allowing anyone to use it to relay web traffic. This setup can may allow an attacker to use the proxy server to make requests to an external or internal server.\n\nThe corse issue arises because the proxy does not authenticate its users, thereby offering no control over who users the server's resources or for what purpose.

In PHP versions pior to 7.4.22, when the integrated web server is used, an attacker can with a specially forged request, obtain the source code due to an improper handling of multiple requests in quick succession, leading to the server treating requested files as static files instead of executing scripts.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

Web applications often use serialized data transmitted from the client which, depending on how it is implemented, can be abused by a malicious actor to conduct his attacks on the target application.

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to one or more back-end servers.

HTTP request smuggling occurs when the front-end server and the back-end server show discrepancies in the way they process HTTP requests `content-length` and `transfer-encoding` headers. A remote and unauthenticated attacker can leverage this class of vulnerability to bypass access controls or gain access to sensitive data, or to compromise offer users traffic without interaction.

The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the `Upgrade` header with the `h2c` value to specify a cleartext communication. The scanner detected that the target is supporting this H2C connection upgrade. If the target application is deployed on a reverse-proxy architecture, attackers could potentially abuse this feature to bypass reverse-proxy access controls or authentication enforcement.

GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application rate limits or conduct Denial of Service (DoS) attacks.

This is an informational notice that the scanner was able to detect that the target application is using Microsoft Entra ID.

This is an informational notice that the scanner was able to detect that the target application is using a Microsoft Azure service.

This is an informational notice that the scanner was able to detect that the target application is using an Google Cloud cloud service.

This is an informational notice that the scanner was able to detect that the target application is using an Amazon Web Services cloud service.

This is an informational notice that the scanner was able to detect a gRPC request/response.

This is an informational notice that the scanner was able to detect a SOAP API.

A Web Services Description Language (WSDL) file has been detected on this url.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can enumeration the SharePoint user accounts.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint web services page.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint interface page.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management.

A subdomain takeover vulnerability exists when an attacker can gain control over a subdomain or even an entire zone of the target domain depending on the configuration. By exploiting this vulnerability, the attacker can then provide content which could looks legit to any customer or user of the target domain name and conduct further attacks.

The plugin currently supports the following services: - Agile CRM - Aha! - Anima - AnnounceKit - Atlassian BitBucket - AWS S3 Bucket - CampaignMonitor - Canny - Clever Cloud - Digital Ocean - Frontify - Gemfury - Getresponse - Ghost - GitHub Pages - Hatena Blog - Help Juice - Help Scout - Helprace - JetBrains - LaunchRock - Meteor - Ngrok - Pantheon - Pingdom - Proposify - Readme.io - Readthedocs - Shopify - Short.io - Smartjobboard - Strikingly - Surge - SurveySparrow - Uberflip - Uptimerobot - WordPress - Wix - Worksites - Zendesk

Developers often combine and minify their application JavaScript sources to help the server delivering it more efficiently to the client browsers. Sometimes, web applications JavaScript code may also be transpiled from another language like CoffeeScript of TypeScript.

A source map is a file that maps from the transformed source code to the original source, allowing the browser to reconstruct the original source code and present it to the debugger.

ServiceNow is a popular cloud platform enabling developers to build custom applications around automation for their organizations. ServiceNow widgets are JavaScript based components used to define content of the portal pages and can be either builtin or customized by developers. Widgets access control does not rely on ServiceNow ACLs but on fields set on the widget record itself.

When the widgets permissions are not properly configured, a remote and unauthenticated attacker could leverage this misconfiguration to retrieve sensitive information from the remote ServiceNow instance.

Pimcore versions before 10.1.3 suffer from an user enumeration vulnerability through the administration panel lost password feature. By submitting multiple usernames, a remote and unauthenticated attacker can infer the valid administrative accounts on the target Pimcore instance.

Pimcore Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The instance of MediaWiki running on the remote host allows access to API URLs associated with the SiteInfo module. The SiteInfo api endpoint reports information about the server components, how the web server is configured and its usage, and it may prove useful to an attacker seeking to attack the server or host.

Well-known URIs are used to store site-wide metadata and to make it available for some web-based protocols which require the discovery of a policy or retrieve specific information about a given host. These URIs use the `/.well-known` path prefix and are standardized to avoid collisions.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. In this case, the affected resource will be unreachable, which, depending on the resource, can cause a DoS (Denial Of Service).

Note that the scanner performs a safe check that does not affect website visitors but only the scanner itself.

In certain ActivityPub WebFinger implementations it is possible to enumerate usernames (known as actors) on the API webfinger service using wildcard searches. This information may potentially expose personal profile addresses, identity service, telephone numbers, avatar selection or other informations via the api endpoint even if user listings and directories are disabled in the ActivityPub server application itself.

The web application on the remote server has a PHP debug bar which is accessible without protection.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

Web Application Description Language (WADL) file has been detected on this url.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol which aims to determine the provider URL for an end user. By leveraging the `/.well-known/webfinger` endpoint, it is sometimes possible to determine if an anonymous account exists on the target server. By leveraging this information, a remote and unauthenticated attacker could logon using the anonymous account and try conducting further attacks being authenticated.

Chrome Logger is a Google Chrome extension used to debug server side applications in the Chrome console. By installing the extension in their Chrome browser and a server-side library on their application, developers can retrieve the configured debug information directly in Chrome.

As Chrome Logger works by transmitting server data to the client through response HTTP headers `X-ChromePhp-Data` or `X-ChromeLogger-Data` using base64 encoding, an attacker could retrieve any sensitive data logged with Chrome Logger and leverage it to conduct further attacks.

Sitecore CMS version 9.x / 10.x may be vulnerable to user enumeration by unauthenticated users through a specific endpoint.

A ActivityPub json endpoint has been detected and is available as an attachment below. ActivityPub is a W3C recomended standard that provides a client to server API for creating, updating and deleting content, as well as a federated server to server API for delivering notifications and subscribing to content via REST api endpoints.

This is an informational notice that the scanner was able to detect one or more installed Joomla plugins.

This is an informational notice that the scanner was able to detect one or more installed Drupal plugins.

CraftCMS installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

In default CraftCMS installation there is available methodology to enumerate user information. These CraftCMS users may then be used in brute-force attacks against CraftCMS login page to guess passwords.

CraftCMS Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

In a DotNetNuke CMS installation it may be possible to enumerate user information. These DotNetNuke usernames may then be used in brute-force attacks against the login page to guess password credentials and gain access to perform further attacks. Only the first 5 usernames have been analysed during the test.

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.
 Depending on the application needs, messages event listeners could be added to use received messages in part of its logic. However, if the data received in these messages are used, for example, to build the page DOM, an attacker could leverage this issue to inject malicious data and conduct client-side attacks like Cross-Site Scripting (XSS) or Prototype Pollution.

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.
 Depending on the application needs, the messages can be sent to the wildcard origin `*`, allowing any other object to read it. However, if the data sent through postMessage() are not intended to be public, an attacker could leverage this issue to capture sensitive data from a target web application.

A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.

ID	Name	Severity
114358	Malicious Third Party Domain Detected	medium
114322	PHP Input Variables Exceeded	medium
114300	PHP CGI Argument Injection Remote Code Execution	critical
114293	Concrete CMS Debug Mode Enabled	medium
114292	Concrete CMS Login Panel Detected	medium
114283	Unrestricted File Upload	high
114278	Vercel Source Code Exposure	high
114262	Request URL Override	medium
114257	Quarkus DevMode Enabled	medium
114244	Payment Form Detected	info
114237	Open Proxy	high
114232	PHP Development Server < 7.4.22 Source Disclosure	medium
114224	Serialized Data Detected	info
114223	HTTP Request Smuggling	high
114219	HTTP/2 Cleartext Upgrade Support Detected	info
114211	GraphQL Batching	info
114202	Microsoft Entra ID Detected	info
114201	Microsoft Azure Detected	info
114200	Google Cloud Platform Detected	info
114199	Amazon Web Services Detected	info
114167	gRPC Detected	info
114166	SOAP API Detected	info
113973	Web Services Description Language (WSDL) File Detected	info
114149	Microsoft SharePoint User Enumeration	medium
114148	Microsoft SharePoint Exposed Web Services	medium
114147	Microsoft SharePoint Exposed Interfaces	medium
114146	Subdomain Takeover	medium
114132	JavaScript Source Map Detected	info
114106	ServiceNow Widgets Data Exposure	medium
114089	Pimcore User Enumeration	medium
114065	Pimcore Administration Panel Login Form Detected	medium
114064	MediaWiki Status Module Information Disclosure	medium
114029	Well-Known URIs Detected	info
114006	Web Cache Poisoning Denial of Service	high
113978	ActivityPub Username Enumeration	medium
113975	PHP Debug Bar Enabled	medium
113974	Web Application Description Language (WADL) File Detected	info
113972	OpenID Connect Anonymous Account	info
113951	Chrome Logger Information Disclosure	medium
113904	Sitecore Unauthenticated User Enumeration	medium
113901	ActivityPub Protocol Detected	info
113899	Joomla Plugins Detected	info
113898	Drupal Plugins Detected	info
113895	CraftCMS DevMode Enabled	medium
113894	CraftCMS User Enumeration	medium
113893	CraftCMS Administration Panel Login Form Detected	medium
113871	DotNetNuke User Enumeration	medium
113851	PostMessage Wildcard Event Listener Detected	info
113837	PostMessage Wildcard Target Origin Detected	info
113580	Web Cache Deception	high

Detections

Analytics

Web Applications Family for Web App Scanning

medium

medium

critical

medium

medium

high

high

medium

medium

info

high

medium

info

high

info

info

info

info

info

info

info

info

info

medium

medium

medium

medium

info

medium

medium

medium

medium

info

high

medium

medium

info

info

medium

medium

info

info

info

medium

medium

medium

medium

info

info

high