This is an informational notice that the scanner was able to detect public projects on the target GitLab instance.

This is an informational notice that the scanner was able to detect a GitLab public sign-up page on the target instance.

This is an informational notice that the scanner was able to detect an application using Auth0 Identity Provider.

This is an informational notice that the scanner was able to detect an application using Azure Entra ID.

.NET Framework offers an alternative to cookie based session management named 'cookieless' by allowing developers to store the session ID directly in URLs rather than in cookies. When enabled, this feature can be abused to make session hijacking attacks easier to exploit or to craft valid URLs in order to bypass security mechanisms such as Web Application Firewalls (WAFs) or path based restrictions.

This is an informational notice that the scanner was able to detect a REST API.

On-Premise installation of Microsoft Exchange is prone to a user enumeration through the ActiveSync protocol using the AutodiscoverV2 endpoint.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Microsoft Remote Desktop Web Access instance on the target application.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management. DNS dangling records exist because they target external services which do not exist anymore. When this is directly exploitable, a remote and unauthenticated attacker can perform a DNS takeover.

The plugin currently supports the following services: - Gitbook - Hubspot - Intercom - JazzHR - Kinsta - Lemlist - Netlify - Smugsmug - Teamwork - Tilda - UserVoice

The Envoy Admin interface is an optional Envoy component that lets you view configuration and statistics, modify server behavior and filter traffic according to specific filter rules.

But this unauthenticated interface can expose private information about the running service, allows modification of runtime settings and can also be used to shut the server down.

When the 'x-envoy-peer-metadata' and/or 'x-envoy-peer-metadata-id' headers are present, they may include data deemed sensitive about the Kubernetes environment.

PhpSysInfo is a customizable PHP script that displays information about the system.

The scanner detected the usage of PhpSysInfo on the target application.

This is an informational plugin to inform the user that the scanner detected that the target application handles specific HTTP headers as hop-by-hop headers.

This is an informational plugin to inform the user that the scanner detected the presence of one or multiple virtual hosts on the target server.

HTML5 WebSockets allow developers to create bi-directionnal communication channels between clients (usually web browsers) and servers. To initialize the communication, the WebSocket protocol requires a handshake performed with the HTTP protocol to ugprade the communication. When a web application only leverage on the client cookies to authenticate its users, a remote and unauthenticated could initiate a WebSocket handhsake from a malicious page to force the victim to authenticate against the target, therefore gaining access to the WebSocket traffic exchanged between the victim user and the target web application.

Express.js applications with Cookie-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Express.js applications with Express-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Pyramid applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Flask applications use an application key to encrypt and sign various data, including session cookies and other sensitive information.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

This is an informational plugin to inform the user that the scanner has detected the usage of Service Worker on the target web application.

This is an informational plugin to inform the user that the scanner has detected the usage of WebSockets on the target web application.

Web applications heavily rely on external resources such as JavaScript files, Cascading Style Sheets (CSS) or images. When an application uses links which targets external resources which do not exist, an attacker could try gaining control over this resource to inject code in the target web application or get application users traffic on their malicious servers.

Supply chain attacks occur when one or more dependencies of an application are compromised, making the malicious code being shipped to the web application and, allowing threat actors to perform various operations depending on the logic of the code being altered like credentials stealing or application backdooring.

By default, PHP accepts a maximum of 1000 variables in a request. If there are more input variables than specified, an E_WARNING is issued, and further input variables are truncated from the request depending on server configuration and application code, this can have various impacts such as bypassing function call.

PHP versions 5.0.0 < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 is affected by a vulnerability allowing an unauthenticated attacker to execute remote code via a specially forged request only when PHP is installed with Apache2 and PHP-CGI on Windows with certain languages (code pages).

Concrete CMS installed on the remote host is configured to operate in debug mode. While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

Concrete CMS Login Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Unrestricted file upload vulnerability occurs when the application suffers from a lack of validation of files being uploaded to its filesystem. When an attacker is able to upload files not matching the application expectations in terms of names, type, content or size, it could lead to various issues such as arbitrary files overwrite, denial of service or even remote code execution.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

Vercel is a popular Cloud provider helping developers hosting their javascript and typescript codebases. Vercel publishes the '/_src' endpoint which allows project team members to view application source code. When the 'Logs and Source Protection' option is disabled, the default protection is disabled and allow any unauthorized actor to access the source code.

Web application components can sometimes rely on request HTTP headers like 'X-Original-URL' or 'X-Rewrite-URL' to override the original path of this request. Attackers can leverage this vulnerability to conduct further attacks in order to bypass restrictions or conduct cache poisonning attacks.

Quarkus installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

The scanner has detected the presence of a payment form during the crawling of the target web application. Details about the form are provided in the plugin output.

Web applications often rely on proxy server to route requests to the right web service. An Open Proxy vulnerabilities occurs when a web server is configured to act as forward proxy, allowing anyone to use it to relay web traffic. This setup can may allow an attacker to use the proxy server to make requests to an external or internal server.\n\nThe corse issue arises because the proxy does not authenticate its users, thereby offering no control over who users the server's resources or for what purpose.

In PHP versions pior to 7.4.22, when the integrated web server is used, an attacker can with a specially forged request, obtain the source code due to an improper handling of multiple requests in quick succession, leading to the server treating requested files as static files instead of executing scripts.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

Web applications often use serialized data transmitted from the client which, depending on how it is implemented, can be abused by a malicious actor to conduct his attacks on the target application.

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to one or more back-end servers.

HTTP request smuggling occurs when the front-end server and the back-end server show discrepancies in the way they process HTTP requests `content-length` and `transfer-encoding` headers. A remote and unauthenticated attacker can leverage this class of vulnerability to bypass access controls or gain access to sensitive data, or to compromise offer users traffic without interaction.

The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the `Upgrade` header with the `h2c` value to specify a cleartext communication. The scanner detected that the target is supporting this H2C connection upgrade. If the target application is deployed on a reverse-proxy architecture, attackers could potentially abuse this feature to bypass reverse-proxy access controls or authentication enforcement.

GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application rate limits or conduct Denial of Service (DoS) attacks.

This is an informational notice that the scanner was able to detect that the target application is using Microsoft Entra ID.

This is an informational notice that the scanner was able to detect that the target application is using a Microsoft Azure service.

This is an informational notice that the scanner was able to detect that the target application is using an Google Cloud cloud service.

This is an informational notice that the scanner was able to detect that the target application is using an Amazon Web Services cloud service.

This is an informational notice that the scanner was able to detect a gRPC request/response.

This is an informational notice that the scanner was able to detect a SOAP API.

A Web Services Description Language (WSDL) file has been detected on this url.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can enumeration the SharePoint user accounts.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint web services page.

ID	Name	Severity
114617	GitLab Public Projects Detected	info
114616	GitLab Public Sign-Up Detected	info
114613	Auth0 Identity Provider Detected	info
114611	Azure Entra ID Identity Provider Detected	info
114610	ASP.NET Cookieless Session State Enabled	low
114608	REST API Detected	info
114590	Microsoft Exchange Autodiscover V2 User Enumeration	medium
114573	Microsoft Remote Desktop Web Access Detected	info
114572	DNS Dangling Record	medium
114570	Envoy Admin Interface Exposed	medium
114571	Istio Sensitive Information Disclosure	high
114528	PhpSysInfo Detected	medium
114505	HTTP Hop-By-Hop Headers Detected	info
114503	Virtual Hosts Detected	info
114502	Cross-Site WebSocket Hijacking	high
114439	Express.js Cookie-Session Weak Secret Key	high
114438	Express.js Express-Session Weak Secret Key	high
114437	Pyramid Weak Secret Key	high
114436	Ruby On Rails Weak Secret Key	high
114435	Django Weak Secret Key	high
114434	Flask Weak Secret Key	high
114432	Laravel Weak Secret Key	high
114429	Service Worker Detected	info
114395	WebSocket Detected	info
114386	External Broken Resources Detected	low
114358	Malicious Third Party Domain Detected	medium
114322	PHP Input Variables Exceeded	medium
114300	PHP CGI Argument Injection Remote Code Execution	critical
114293	Concrete CMS Debug Mode Enabled	medium
114292	Concrete CMS Login Panel Detected	medium
114283	Unrestricted File Upload	high
114278	Vercel Source Code Exposure	high
114262	Request URL Override	medium
114257	Quarkus DevMode Enabled	medium
114244	Payment Form Detected	info
114237	Open Proxy	high
114232	PHP Development Server < 7.4.22 Source Disclosure	medium
114224	Serialized Data Detected	info
114223	HTTP Request Smuggling	high
114219	HTTP/2 Cleartext Upgrade Support Detected	info
114211	GraphQL Batching	info
114202	Microsoft Entra ID Detected	info
114201	Microsoft Azure Detected	info
114200	Google Cloud Platform Detected	info
114199	Amazon Web Services Detected	info
114167	gRPC Detected	info
114166	SOAP API Detected	info
113973	Web Services Description Language (WSDL) File Detected	info
114149	Microsoft SharePoint User Enumeration	medium
114148	Microsoft SharePoint Exposed Web Services	medium

Detections

Analytics

Web Applications Family for Web App Scanning

info

info

info

info

low

info

medium

info

medium

medium

high

medium

info

info

high

high

high

high

high

high

high

high

info

info

low

medium

medium

critical

medium

medium

high

high

medium

medium

info

high

medium

info

high

info

info

info

info

info

info

info

info

info

medium

medium