JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.

Using weak keys makes it vulnerable to bruteforce attacks, allowing tokens to be manipulated and signed on behalf of the application. Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a data structure for securely transmitting claims between parties as a JSON object. A JSON Web Token can be instantiated as a JSON Web Signature (JWS) or a JSON Web Encryption (JWE) depending on the application security considerations.

JSON Web Signature based tokens are the most commonly used in API implementations and are built with three base64 URL encoded parts separated by periods :

- JSON Object Signing and Encryption (JOSE) header : describes at least the algorithm used for signing or encryption (alg) and the type (typ) of the content being processed. For JSON Web Tokens, the type will usually be set to 'JWT'.

- Payload : JSON object containing the claims to share. Claims can be of three classes : registered (from the specification), public or private and their names must be unique inside the claims set.

- Signature : computed by using the specific algorithm in header and a secret or a private key. This ensures the integrity of the JSON Web Token.

The scanner detected the presence of a JSON Web Signature based token containing the information provided in the output.

A Adobe Flash file has been detected on this url. Flash will be EOL on December 31, 2020.

A OpenAPI configuration file has been detected and is available as an attachment below. OpenAPI is a specification that helps with documentation and consumption of REST APIs and may also be used to configure API scanning.

The Hypertext Transfer Protocol (HTTP) is the underlying protocol of the World Wide Web. Since its first release, HTTP has evolved to support modern web usages and currently exists in three versions:
 - HTTP/1.0
 - HTTP/1.1
 - HTTP/2

The scanner identified the supported versions of the HTTP protocol on the target web application.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When an application performs untrusted data deserialization, an attacker could inject a custom serialized Java object to trigger malicious code execution on the system or to generate a Denial of Service attack (DoS).

It was determined that the target Java application is vulnerable to this attack as it deserializes an user-supplied object.

In default WordPress installation there are several methods to enumerate authors username. These WordPress users can then be used in brute-force attacks against WordPress login page to guess passwords.

The scanner collected the cookies returned by the application during the scan. The list includes the following information for each cookie:
 - Name: name of the cookie
 - Value: value of the cookie
 - Domain: hosts to which the cookie will be sent
 - Path: URL path which must exist in the requested resource before sending the cookie
 - Expires: maximum lifetime of the cookie as an HTTP-date timestamp
 - Max-Age: number of seconds until the cookie expires
 - HttpOnly: cookie is set to be not accessible via JavaScript, XMLHttpRequest and Request APIs
 - Secure: cookie will be sent to the server only when a request is made using HTTPS
 - SameSite: cookie will be sent along with cross-site request according the defined policy
 - URL: first URL discovered which set the cookie in its response
 - Set-Method: method used by the application to set the cookie (Set-Cookie or JavaScript)
 - Audited: cookie will be audited by plugins during the scan
 - Reason Not Audited: reason given for the cookie not being audited during the scan

Web applications often rely on network requests to query external resources and retrieve data in order to process it.

A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker is able to control these outbound requests and send it to a resource he owns, to the localhost itself, or to a private host in the target application internal network.

By injecting a specific request and using various protocols (like HTTPS or Gopher for example), the attacker can leverage this vulnerability to try gaining access to sensitive data, performing unauthorized modifications or getting remote code execution in the target environment.

Depending on the web application configuration, the vulnerability may be of three types:

 - Blind : the application executes the malicious request but does not return any response to the attacker. The exploitation is difficult as the attacker has to only rely on his own knowledge of the target to conduct his attack.

 - Half-blind : the malicious request is executed and the response is partially returned to the the attacker. For example, the application may return different error messages related to the status of the outbound request. The exploitation remains difficult, however the attacker can gather information to help conducting his attack further.

 - Non-blind : The application returns the full content of the response to the malicious request. The exploitation is easier and generally makes the impact of this vulnerability more critical.

The scanner has been able to detect a Server-Side Request Forgery vulnerability by injecting a crafted request in the target application which performed an external request and returned a partial or full response.

Oracle WebLogic UDDI Explorer allows authorized users to access and modify information about the web services published in the private WebLogic Server UDDI registries.

The scanner has been able to detect that this service is exposed on the target web application and could be leveraged by an attacker to help conduct further attacks.

The scanner has detected publicly accessible directory listings on the Magento web application. This may expose sensitive information to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to sensitive information leakage or a compromise of the target server.

Laravel log file /storage/logs/laravel.log has been detected on the target web application.

This file may contain sensitive information about application and server configuration (debug and stack trace) and could help an attacker conduct further attacks.

Magento 1 cache files are stored in the public directory of Magento installation. Misconfigured authorisation for /var directory has been detected. As cache filenames can be predicted they could be accessed and then exposed critical information like database login/password for example.

Sensitive Magento 2 API can be accessed by anonymous users. Therefore, confidential merchant information can be exposed like offline products, stock information or store configuration for example.

Magento authenticated RSS Feed has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

A JetBrains .idea Directory has been detected. This directory contains project specific settings in xml format. These configuration files may include sensitive information such as server configuration settings, component module information, compiler information, credentials, project history and stack fingerprinting data.

These files should not be publicly accessible and thus should be removed immediately.

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag (like script or link) used to fetch the resource and the calculated hash value of this resource.

A mismatch between integrity attribute hash and calculated hash has been detected for one or more resources.

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag (like script or link) used to fetch the resource and the calculated hash value of this resource.

No SRI have been detected for one or more resources.

Magento Connect Manager has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Magento Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

An information disclosure vulnerability exists in the remote web server due to the disclosure of the error_log file. An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose potentially sensitive information.

An environment configuration file (.env) has been detected on the web application by the scanner. It may be possible for an attacker to view sensitive information (database login and password or API keys for example) and then conduct further attacks.

Apache Tomcat Manager has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

The web server on the remote host allows read access to WordPress debug file /wp-content/debug.log which contains debugging information such as PHP notices, warnings and errors. That means WordPress debug mode is enabled or if disabled log file has not been deleted.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

It is possible to obtain an overview of the remote Apache Tomcat Connectors configuration.

By accessing this overview page; a remote, unauthenticated attacker can discover a large amount of information about the remote web server, including :
 - The IP address of the host.
 - The version of the operating system.
 - The web server version.
 - URI Mappings.
 - AJP workers configuration.

Apache Struts 2 Config Browser Plugin is a module to help view Struts application's configuration at runtime.

This plugin has been detected on the web application by the scanner. It may be possible for an attacker to view Apache Struts version, loaded configuration or accessible action URLs for example and then conduct further attacks.

Sitefinity Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Oracle WebLogic Server administration console has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

When a file is uploaded to WordPress Media Library it becomes an attachment. Then theses files can be attached to a post or not. If files are confidential until they are published it will be easy to enumerate WordPress attachments and access these files.

Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes, and various PHP applications may also include such a file by default. By accessing it, a remote attacker can discover a large amount of information about the remote web server configuration to help conduct further attacks, including :
 - Versions of the web server, operating system and PHP components
 - Details of the PHP configuration
 - Loaded PHP extensions with their configurations
 - Server environment variables.

It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.

It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.

The instance of lighttpd running on the remote host allows unauthenticated access to URLs associated with the Status module (mod_status), at least from the WAS server. Mod_status reports information about how the web server is configured and its usage, and it may prove useful to an attacker seeking to attack the server or host.

The scanner has detected publicly accessible Joomla! directory index on the target web application. This may expose information relating to the web server to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to a compromise of the target server

The scanner has detected publicly accessible Drupal directory index on the target web application. This may expose information relating to the web server to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to a compromise of the target server

The scanner has detected publicly accessible WordPress directory listing on the target web application. This may expose information relating to the web server to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to a compromise of the target server

The scanner has detected publicly accessible Joomla! configuration file(s) on the target web application.

These files likely contain extremely sensitive server information including administrative database credentials.

This may present an attacker with an exploit vector which could be leveraged using other techniques, possibly leading to a full compromise of the target server

The scanner has detected publicly accessible Drupal configuration file(s) on the target web application.

These files likely contains extremely sensitive server information including administrative database credentials.

This may present an attacker with an exploit vector which could be leveraged using other techniques, possibly leading to a full compromise of the target server

The scanner has detected publicly accessible WordPress configuration file(s) on the target web application.

These files likely contains extremely sensitive server information including administrative database credentials.

This may present an attacker with an exploit vector which could be leveraged using other techniques, possibly leading to a full compromise of the target server

In some default Drupal installations there are methods which may allow attackers to enumerate a authors username. This information may then be used in brute-force or dictionary attacks against the login form in order to guess passwords.

In default Joomla! installation there is available methodology to enumerate user information. These Joomla! users may then be used in brute-force attacks against Joomla! login page to guess passwords.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Joomla User Registration Form on the target application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack

This is an informational plugin to inform the user that the scanner has detected a publicly accessible WordPress User Registration Form on the target application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Drupal User Registration Form on the target application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack

Drupal Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

WordPress Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Joomla! Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

This is an informational plugin to inform the user what technologies the framework has detected on the target application, which can then be examined and checked for known vulnerable software versions

Web applications occasionally use DOM input values to store the address of the page to which the client will be redirected -- for example: `yoursite.com/#/?redirect=www.yoursite.com/404.asp`

An unvalidated redirect occurs when the client is able to modify the affected parameter value and thus control the location of the redirection. For example, the following URL `yoursite.com/#/?redirect=www.anothersite.com` will redirect to `www.anothersite.com`.

Cyber-criminals will abuse these vulnerabilities in social engineering attacks to get users to unknowingly visit malicious web sites.

Scanner has discovered that the web page does not validate the parameter value prior to redirecting the client to the injected value.

ID	Name	Severity
112697	JSON Web Token Weak Secret	high
112686	JSON Web Token Detected	info
112630	Flash File Detected	info
112615	OpenAPI File Detected	info
112613	Allowed HTTP Versions	info
98780	Java Object Deserialization	critical
98203	WordPress User Enumeration	medium
98061	Cookies Collected	info
112439	Server-Side Request Forgery	high
112421	Oracle WebLogic UDDI Explorer Detected	medium
98986	Magento Directory Listing	medium
98943	Laravel Log File Detected	medium
98765	Magento Cacheleak	high
98703	Magento API Anonymous Access	medium
98702	Magento RSS Feed Brute Force	medium
98701	JetBrains .idea Directory Detected	medium
98649	Invalid Subresource Integrity	medium
98647	Missing Subresource Integrity	info
98644	Magento Connect Manager Detected	medium
98642	Magento Administration Panel Login Form Detected	medium
98593	PHP error_log File Detected	medium
98538	Environment Configuration File Detected	high
98525	Apache Tomcat Manager Detected	medium
98524	Apache Tomcat Default Files	medium
98407	WordPress Debug Mode	medium
98398	JK Status Manager Information Disclosure	medium
112547	Apache Struts 2 Config Browser Detected	medium
112528	Sitefinity Administration Panel Login Form Detected	medium
112545	Oracle WebLogic Server Administration Console Detected	medium
98224	WordPress Media Attachment Enumeration	info
98223	PHPinfo Information Disclosure	medium
98226	Apache mod_info Information Disclosure	medium
98225	Apache mod_status Information Disclosure	medium
112361	Lighttpd Status Module Information Disclosure	medium
98214	Joomla! Directory Listing	medium
98213	Drupal Directory Listing	medium
98212	WordPress Directory Listing	medium
98211	Joomla! Configuration Backup Files Detected	medium
98210	Drupal Configuration Backup Files Detected	medium
98204	WordPress Configuration Backup Files Detected	medium
98209	Drupal User Enumeration	medium
98208	Joomla! User Enumeration	medium
98205	Joomla! User Registration Form Detected	info
98202	WordPress User Registration Form Detected	info
98201	Drupal User Registration Form Detected	info
98200	Drupal Administration Panel Login Form Detected	medium
98207	WordPress Administration Panel Login Form Detected	medium
98206	Joomla! Administration Panel Login Form Detected	medium
98059	Technologies Detected	info
98103	Unvalidated DOM redirect	medium

Detections

Analytics

Web Applications Family for Web App Scanning

high

info

info

info

info

critical

medium

info

high

medium

medium

medium

high

medium

medium

medium

medium

info

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

info

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

info

info

info

medium

medium

medium

info

medium