Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint interface page.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management.

A subdomain takeover vulnerability exists when an attacker can gain control over a subdomain or even an entire zone of the target domain depending on the configuration. By exploiting this vulnerability, the attacker can then provide content which could looks legit to any customer or user of the target domain name and conduct further attacks.

The plugin currently supports the following services: - Agile CRM - Aha! - Anima - AnnounceKit - Atlassian BitBucket - AWS S3 Bucket - CampaignMonitor - Canny - Clever Cloud - Digital Ocean - Frontify - Gemfury - Getresponse - Ghost - GitHub Pages - Hatena Blog - Help Juice - Help Scout - Helprace - JetBrains - LaunchRock - Meteor - Ngrok - Pantheon - Pingdom - Proposify - Readme.io - Readthedocs - Shopify - Short.io - Smartjobboard - Strikingly - Surge - SurveySparrow - Uberflip - Uptimerobot - WordPress - Wix - Worksites - Zendesk

Developers often combine and minify their application JavaScript sources to help the server delivering it more efficiently to the client browsers. Sometimes, web applications JavaScript code may also be transpiled from another language like CoffeeScript of TypeScript.

A source map is a file that maps from the transformed source code to the original source, allowing the browser to reconstruct the original source code and present it to the debugger.

ServiceNow is a popular cloud platform enabling developers to build custom applications around automation for their organizations. ServiceNow widgets are JavaScript based components used to define content of the portal pages and can be either builtin or customized by developers. Widgets access control does not rely on ServiceNow ACLs but on fields set on the widget record itself.

When the widgets permissions are not properly configured, a remote and unauthenticated attacker could leverage this misconfiguration to retrieve sensitive information from the remote ServiceNow instance.

Pimcore versions before 10.1.3 suffer from an user enumeration vulnerability through the administration panel lost password feature. By submitting multiple usernames, a remote and unauthenticated attacker can infer the valid administrative accounts on the target Pimcore instance.

Pimcore Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The instance of MediaWiki running on the remote host allows access to API URLs associated with the SiteInfo module. The SiteInfo api endpoint reports information about the server components, how the web server is configured and its usage, and it may prove useful to an attacker seeking to attack the server or host.

Well-known URIs are used to store site-wide metadata and to make it available for some web-based protocols which require the discovery of a policy or retrieve specific information about a given host. These URIs use the `/.well-known` path prefix and are standardized to avoid collisions.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. In this case, the affected resource will be unreachable, which, depending on the resource, can cause a DoS (Denial Of Service).

Note that the scanner performs a safe check that does not affect website visitors but only the scanner itself.

In certain ActivityPub WebFinger implementations it is possible to enumerate usernames (known as actors) on the API webfinger service using wildcard searches. This information may potentially expose personal profile addresses, identity service, telephone numbers, avatar selection or other informations via the api endpoint even if user listings and directories are disabled in the ActivityPub server application itself.

The web application on the remote server has a PHP debug bar which is accessible without protection.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

Web Application Description Language (WADL) file has been detected on this url.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol which aims to determine the provider URL for an end user. By leveraging the `/.well-known/webfinger` endpoint, it is sometimes possible to determine if an anonymous account exists on the target server. By leveraging this information, a remote and unauthenticated attacker could logon using the anonymous account and try conducting further attacks being authenticated.

Chrome Logger is a Google Chrome extension used to debug server side applications in the Chrome console. By installing the extension in their Chrome browser and a server-side library on their application, developers can retrieve the configured debug information directly in Chrome.

As Chrome Logger works by transmitting server data to the client through response HTTP headers `X-ChromePhp-Data` or `X-ChromeLogger-Data` using base64 encoding, an attacker could retrieve any sensitive data logged with Chrome Logger and leverage it to conduct further attacks.

Sitecore CMS version 9.x / 10.x may be vulnerable to user enumeration by unauthenticated users through a specific endpoint.

A ActivityPub json endpoint has been detected and is available as an attachment below. ActivityPub is a W3C recomended standard that provides a client to server API for creating, updating and deleting content, as well as a federated server to server API for delivering notifications and subscribing to content via REST api endpoints.

This is an informational notice that the scanner was able to detect one or more installed Joomla plugins.

This is an informational notice that the scanner was able to detect one or more installed Drupal plugins.

CraftCMS installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

In default CraftCMS installation there is available methodology to enumerate user information. These CraftCMS users may then be used in brute-force attacks against CraftCMS login page to guess passwords.

CraftCMS Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

In a DotNetNuke CMS installation it may be possible to enumerate user information. These DotNetNuke usernames may then be used in brute-force attacks against the login page to guess password credentials and gain access to perform further attacks. Only the first 5 usernames have been analysed during the test.

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.
 Depending on the application needs, messages event listeners could be added to use received messages in part of its logic. However, if the data received in these messages are used, for example, to build the page DOM, an attacker could leverage this issue to inject malicious data and conduct client-side attacks like Cross-Site Scripting (XSS) or Prototype Pollution.

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.
 Depending on the application needs, the messages can be sent to the wildcard origin `*`, allowing any other object to read it. However, if the data sent through postMessage() are not intended to be public, an attacker could leverage this issue to capture sensitive data from a target web application.

A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.

This is an informational notice that the scanner identified a potential form with a password.

The scanner was able to detect that the application uses the HTTP GET method to transmit a password, the information of a URL can be stored in various places (web server, proxy, ...) and can be transmitted to a third party via the Referer header which also increases the chances of interception by an attacker.

This is an informational notice that the scanner identified a potential signup form.

This is an informational notice that the scanner identified a potential password change form.

This is an informational notice that the scanner was able to detect the current WordPress installed theme.

This is an informational notice that the scanner was able to detect one or more installed WordPress plugins.

DotNetNuke Administration Panel login has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

TYPO3 Administration Panel has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications. By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers.

When configured with an identity pool ID, Amazon Cognito allows a remote unauthenticated user to retrieve temporary AWS credentials related to the Cognito role to be used against the target application AWS account. Depending on the permissions attached to the role, an attacker could leverage these credentials to gain access to sensitive information, or perform arbitrary modifications on the other cloud assets of the target AWS account.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications. By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers. Under certain conditions, Amazon Cognito allows an unauthenticated attacker to infer the existence of the accounts on the target application by abusing the sign-in and sign-up features.

Amazon Cognito is a cloud product from Amazon Web Services (AWS) which provides user authentication, authorization and management services for web and mobile applications.

By using Amazon Cognito, developers can quickly add a user management feature to their applications, control and enforce permissions on these users by defining roles, or federate identities from external identity providers.

The scanner detected the usage of Amazon Cognito on the target application.

Rails has several gems, including a native one allowing access to a ruby console through the application. Badly configured, this console is accessible without authorization to any user, which allows to execute arbitrary code remotely.

The ViewState is a parameter specific to the ASP.NET framework, it's used as a breadcrumb trail when the user navigates the application preserving values and controls between different web pages. Present on the pages in the __viewstate parameter, all the values are serialized and encoded in base64 in a hidden field. In addition to the base64 encoding, the viewstate can also be signed with a MAC (Message Authentication Code) to guarantee integrity and also encrypted to guarantee confidentiality.

If the viewstate is not signed, depending on the information stored inside, an attacker might be able to modify the information stored inside and therefore possibly achieve a Remote Code Execution.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged.

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

The `Schema` object allows the definition of input and output data types which can be objects or primitives and arrays. When some data types properties are missing on objects specified in the definition file, the API implementation could potentially allow malicious input formats, leaving it open to multiple vulnerabilities like Denial of Service (DoS) or Remote Code Execution (RCE).

The scanner analyzed an OpenAPI definition file and detected the lack of properties on some data types.

This is an informational notice that the scanner was able to detect an application using Google Web Toolkit.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When PHP web applications use the `unserialize()` function to perform user-supplied data deserialization, an attacker could inject a custom serialized PHP object in order to achieve a remote code execution on the system or to generate a Denial of Service attack (DoS).

An HTTP Parameter Pollution (HTTP) exploits the possibility of including several parameters with the same name in an HTTP request or by including a new encoded parameter. Depending on the web server, its parameters will be parsed in a different way (i.e. parsing only the first/last occurrence of the parameter or concatenating all occurrences into a field or array). This can create unexpected behavior on both the client side and the server side of the application by example, tricking the first server or if the parameters are then passed to a second server which will parse it in a different way.

By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or change the values of internal variables. As HTTP Parameter Pollution (abbreviated as HPP) affects a building block of all web technologies, both server-side and client-side attacks exist.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When Python web applications use the `pickle` library to perform user-supplied data deserialization, an attacker could inject a custom serialized Python object in order to achieve a remote code execution on the system or to generate a Denial of Service attack (DoS).

Atlassian Jira is a software application used for issue tracking and project management. An internal only Atlassian Jira Service Desk instance may be misconfigured to be accessible to 3rd parties to sign up, potentially leading to attackers creating accounts and raising ticket requests for privileged internal access, and in some cases expose email addresses and other sensitive information contained inside.

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

The `consumes` field defines the expected data types for `POST`, `PUT` or `PATCH` requests. When missing in the definition, the API implementation could potentially accept any data type, leaving it open to server-side vulnerabilities like SQL or XML External Entities (XXE) injections.

The `produces` field defines the MIME type of the response returned by the API. When missing, the API implementation could potentially respond with any data type, leaving it open to arbitrary data leaks or client-side attacks like Cross-Site Scripting (XSS).

The scanner analyzed an OpenAPI definition file (version 2) and detected the lack of either the `consumes` or the `produces` fields.

HTTP Verb Tampering is an attack that bypasses an authentication or control system that is based on the HTTP Verb. Sometimes, Web Server authentication mechanisms use verb-based authentication with access controls. Such security mechanisms include access control rules for requests with specific HTTP methods. Due to the HTTP specification that includes request methods other than the standard GET and POST requests, a standards compliant web server may respond to these alternative methods in ways not anticipated by developers. So if an application restricts only GET requests it might still be possible to access the page using a POST, PUT, PATCH or other method.

Salesforce Lightning is a component-based framework which is designed to help organizations building data-driven SaaS applications. By assembling those components called `Aura components`, developers can quickly create custom web pages in their Salesforce application and perform specific actions on Salesforce objects and records through an exposed API.

When guest permissions are not properly enforced on Aura components, an unauthenticated attacker could abuse this feature to extract sensitive information stored by the Salesforce application.

Adobe ColdFusion server administration console has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

A PHP OPcache information page has been detected, potentially including server statistics, settings and cached files, software versions and providing real-time updates for the information. This information may then assist in the compromise of the web application.

ID	Name	Severity
114147	Microsoft SharePoint Exposed Interfaces	medium
114146	Subdomain Takeover	medium
114132	JavaScript Source Map Detected	info
114106	ServiceNow Widgets Data Exposure	medium
114089	Pimcore User Enumeration	medium
114065	Pimcore Administration Panel Login Form Detected	medium
114064	MediaWiki Status Module Information Disclosure	medium
114029	Well-Known URIs Detected	info
114006	Web Cache Poisoning Denial of Service	high
113978	ActivityPub Username Enumeration	medium
113975	PHP Debug Bar Enabled	medium
113974	Web Application Description Language (WADL) File Detected	info
113972	OpenID Connect Anonymous Account	info
113951	Chrome Logger Information Disclosure	medium
113904	Sitecore Unauthenticated User Enumeration	medium
113901	ActivityPub Protocol Detected	info
113899	Joomla Plugins Detected	info
113898	Drupal Plugins Detected	info
113895	CraftCMS DevMode Enabled	medium
113894	CraftCMS User Enumeration	medium
113893	CraftCMS Administration Panel Login Form Detected	medium
113871	DotNetNuke User Enumeration	medium
113851	PostMessage Wildcard Event Listener Detected	info
113837	PostMessage Wildcard Target Origin Detected	info
113580	Web Cache Deception	high
113579	Form With Password Detected	info
98146	Password Submitted Using GET Method	medium
113554	Signup Form Detected	info
113553	Password Reset Form Detected	info
113455	WordPress Current Theme Detected	info
113452	WordPress Plugins Detected	info
113422	DotNetNuke Administration Panel Login Form Detected	medium
113392	TYPO3 Administration Panel Login Form Detected	medium
113374	Amazon Cognito Insecure Permissions	medium
113371	Amazon Cognito User Enumeration	medium
113370	Amazon Cognito Detected	info
113342	Rails Web Console Detected	critical
113340	ASP.NET ViewState Remote Code Execution	critical
113338	Web Cache Poisoning	high
113258	OpenAPI Permissive Input Validation	medium
113247	Google Web Toolkit Detected	info
113237	PHP Object Deserialization	critical
113230	HTTP Parameter Pollution	medium
113229	Python Object Deserialization	critical
113218	Jira Service Desk Sign Up Detected	medium
113170	OpenAPI Missing MIME Types	medium
113211	HTTP Verb Tampering	medium
113207	Salesforce Lightning Objects Guest Permissions	medium
113068	Adobe ColdFusion Server Administration Console Detected	medium
113059	OPcache UI Detected	medium

Detections

Analytics

Web Applications Family for Web App Scanning

medium

medium

info

medium

medium

medium

medium

info

high

medium

medium

info

info

medium

medium

info

info

info

medium

medium

medium

medium

info

info

high

info

medium

info

info

info

info

medium

medium

medium

medium

info

critical

critical

high

medium

info

critical

medium

critical

medium

medium

medium

medium

medium

medium