Rack-Mini-Profiler is a middleware that displays a speed badge for each html page. Designed to work in both production and development but when the 'enable_advanced_debugging_tools' option is selected it is possible to access sensitive information such as environment variables and other secrets stored in memory.

The scanner has detected the presence of a form during the crawling of the target web application. Details about the form are provided in the plugin output.

Microsoft Power Apps is a low-code development platform designed to help users build rich web and mobile applications. Power Apps enables users to publish table data as OData feeds, providing a RESTful web service by default available to any user.

The scanner detected the presence of public data in the OData feed of the target Power Apps application.

Microsoft Power Apps is a low-code development platform designed to help users build rich web and mobile applications. By leveraging the multiple services, data sources and connectors provided by the Power Apps environment, an user with a Microsoft Office 365 subscription including Power Apps can quickly create business-oriented applications and make them publicly available.

It is possible to obtain an overview of the remote Nginx web server's Vhost traffic activity and performance by requesting the URL '/status'. This overview includes information such as current hosts, server version and requests being processed, the number of workers idle and service requests, and CPU utilization.

WordPress Database Repair functionality has been detected on the target web application.

This may present an attacker with information regarding the database schema in use which may be used to mount further attacks.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. Some web applications provide a friendly user interface to help developers building GraphQL queries and get the results.

The scanner detected the presence of one or more GraphQL interfaces.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. By default, GraphQL has a feature which suggests field names to be used in the queries or mutations from the wrong ones provided in the received requests. By leveraging this capability, an attacker could conduct a bruteforce attack to discover the GraphQL schema and potential hidden or private endpoints, and could try accessing sensitive information or performing arbitrary actions on the target server.

The scanner detected that the remote GraphQL server has field suggestions enabled.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. GraphQL introspection allows to query all information related to the supported schema and queries on a GraphQL server instance. By leveraging this misconfiguration, an attacker could retrieve sensitive information or conduct further attacks on the discovered endpoints.

The scanner detected that GraphQL introspection is enabled on one of several endpoints of the target application. The SDL schema generated from the introspection is available as an attachment.

X-Cart Concierge module has been detected on the target X-Cart installation.

This may present an attacker with sensitive information to mount further attacks & may leak the admin account email used to log into the store, official company name, license type of the store and other sensitive data

X-Cart sensitive files have been detected on the target X-Cart installation.

This may present an attacker with sensitive information to mount further attacks.

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. It is a popular alternative to traditional REST or SOAP APIs, providing flexibility and an optimized data fetching method.

The scanner detected the usage of GraphQL on the target application.

In a default phpBB installation there are unauthenticated methods to enumerate member usernames. These phpBB users can then be used in brute-force attacks against phpBB login page to guess passwords.

An information disclosure vulnerability is present on the remote server due to exposure of Microsoft FrontPage extensions configuration files in the _vti_pvt directory.

phpBB sensitive directories have been detected on the target phpBB installation.

This may present an attacker with sensitive information to mount further attacks.

Prototype-based programming languages rely on the process of defining objects used as prototypes to be then extended or cloned in order to create new objects. Once instantiated, these objects will inherit from the properties and methods of their prototype.

JavaScript is one of the most common prototype-based language in modern web applications, on both server-side and client-side components. Nearly all the JavaScript objects are instances of Object, making them inherit from the properties and methods of the Object prototype.

A client-side prototype pollution vulnerability exists when an attacker is able to modify the properties of the Object prototype in the context of the web browser, exposing the application users to further issues like Cross-Site Scripting or Denial of Service attacks.

Magento configuation files have been detected on the target web application. These files may contain sensitive information about confidential customer's data.

Magento data files have been detected on the target web application. These files may contain sensitive information about confidential customer's data.

Magento log files have been detected on the target web application.

These files may contain sensitive information about application and server configuration, logins and passwords or confidential customer's data.

The scanner may have been able to detect several versions of the API for one or more endpoints.

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity.

JSON Web Tokens can be configured by an application with the 'none' algorithm and an empty signature, leaving the data unsigned and mutable without any verification. In addition, some libraries used to handle JSON Web Tokens may also have a bad implementation of this algorithm, leading to the tokens set with the 'none' algorithm being verified even when they are originally created with a signature.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.

Using weak keys makes it vulnerable to bruteforce attacks, allowing tokens to be manipulated and signed on behalf of the application. Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a data structure for securely transmitting claims between parties as a JSON object. A JSON Web Token can be instantiated as a JSON Web Signature (JWS) or a JSON Web Encryption (JWE) depending on the application security considerations.

JSON Web Signature based tokens are the most commonly used in API implementations and are built with three base64 URL encoded parts separated by periods :

- JSON Object Signing and Encryption (JOSE) header : describes at least the algorithm used for signing or encryption (alg) and the type (typ) of the content being processed. For JSON Web Tokens, the type will usually be set to 'JWT'.

- Payload : JSON object containing the claims to share. Claims can be of three classes : registered (from the specification), public or private and their names must be unique inside the claims set.

- Signature : computed by using the specific algorithm in header and a secret or a private key. This ensures the integrity of the JSON Web Token.

The scanner detected the presence of a JSON Web Signature based token containing the information provided in the output.

A Adobe Flash file has been detected on this url. Flash will be EOL on December 31, 2020.

A OpenAPI configuration file has been detected and is available as an attachment below. OpenAPI is a specification that helps with documentation and consumption of REST APIs and may also be used to configure API scanning.

The Hypertext Transfer Protocol (HTTP) is the underlying protocol of the World Wide Web. Since its first release, HTTP has evolved to support modern web usages and currently exists in three versions:
 - HTTP/1.0
 - HTTP/1.1
 - HTTP/2

The scanner identified the supported versions of the HTTP protocol on the target web application.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

When an application performs untrusted data deserialization, an attacker could inject a custom serialized Java object to trigger malicious code execution on the system or to generate a Denial of Service attack (DoS).

It was determined that the target Java application is vulnerable to this attack as it deserializes an user-supplied object.

In default WordPress installation there are several methods to enumerate authors username. These WordPress users can then be used in brute-force attacks against WordPress login page to guess passwords.

The scanner collected the cookies returned by the application during the scan. The list includes the following information for each cookie:
 - Name: name of the cookie
 - Value: value of the cookie
 - Domain: hosts to which the cookie will be sent
 - Path: URL path which must exist in the requested resource before sending the cookie
 - Expires: maximum lifetime of the cookie as an HTTP-date timestamp
 - Max-Age: number of seconds until the cookie expires
 - HttpOnly: cookie is set to be not accessible via JavaScript, XMLHttpRequest and Request APIs
 - Secure: cookie will be sent to the server only when a request is made using HTTPS
 - SameSite: cookie will be sent along with cross-site request according the defined policy
 - URL: first URL discovered which set the cookie in its response
 - Set-Method: method used by the application to set the cookie (Set-Cookie or JavaScript)
 - Audited: cookie will be audited by plugins during the scan
 - Reason Not Audited: reason given for the cookie not being audited during the scan

Web applications often rely on network requests to query external resources and retrieve data in order to process it.

A Server-Side Request Forgery (SSRF) vulnerability exists when an attacker is able to control these outbound requests and send it to a resource he owns, to the localhost itself, or to a private host in the target application internal network.

By injecting a specific request and using various protocols (like HTTPS or Gopher for example), the attacker can leverage this vulnerability to try gaining access to sensitive data, performing unauthorized modifications or getting remote code execution in the target environment.

Depending on the web application configuration, the vulnerability may be of three types:

 - Blind : the application executes the malicious request but does not return any response to the attacker. The exploitation is difficult as the attacker has to only rely on his own knowledge of the target to conduct his attack.

 - Half-blind : the malicious request is executed and the response is partially returned to the the attacker. For example, the application may return different error messages related to the status of the outbound request. The exploitation remains difficult, however the attacker can gather information to help conducting his attack further.

 - Non-blind : The application returns the full content of the response to the malicious request. The exploitation is easier and generally makes the impact of this vulnerability more critical.

The scanner has been able to detect a Server-Side Request Forgery vulnerability by injecting a crafted request in the target application which performed an external request and returned a partial or full response.

Oracle WebLogic UDDI Explorer allows authorized users to access and modify information about the web services published in the private WebLogic Server UDDI registries.

The scanner has been able to detect that this service is exposed on the target web application and could be leveraged by an attacker to help conduct further attacks.

The scanner has detected publicly accessible directory listings on the Magento web application. This may expose sensitive information to an attacker which may allow for further exploitation techniques to be leveraged, possibly leading to sensitive information leakage or a compromise of the target server.

Laravel log file /storage/logs/laravel.log has been detected on the target web application.

This file may contain sensitive information about application and server configuration (debug and stack trace) and could help an attacker conduct further attacks.

Magento 1 cache files are stored in the public directory of Magento installation. Misconfigured authorisation for /var directory has been detected. As cache filenames can be predicted they could be accessed and then exposed critical information like database login/password for example.

Sensitive Magento 2 API can be accessed by anonymous users. Therefore, confidential merchant information can be exposed like offline products, stock information or store configuration for example.

Magento authenticated RSS Feed has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

A JetBrains .idea Directory has been detected. This directory contains project specific settings in xml format. These configuration files may include sensitive information such as server configuration settings, component module information, compiler information, credentials, project history and stack fingerprinting data.

These files should not be publicly accessible and thus should be removed immediately.

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag (like script or link) used to fetch the resource and the calculated hash value of this resource.

A mismatch between integrity attribute hash and calculated hash has been detected for one or more resources.

Subresource Integrity (SRI) is a web security standard that enables browsers to verify that resources hosted by third parties (CDN for example) are delivered without unexpected manipulation.

SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag (like script or link) used to fetch the resource and the calculated hash value of this resource.

No SRI have been detected for one or more resources.

Magento Connect Manager has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Magento Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

An information disclosure vulnerability exists in the remote web server due to the disclosure of the error_log file. An unauthenticated, remote attacker can exploit this, via a simple GET request, to disclose potentially sensitive information.

An environment configuration file (.env) has been detected on the web application by the scanner. It may be possible for an attacker to view sensitive information (database login and password or API keys for example) and then conduct further attacks.

Apache Tomcat Manager has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

The web server on the remote host allows read access to WordPress debug file /wp-content/debug.log which contains debugging information such as PHP notices, warnings and errors. That means WordPress debug mode is enabled or if disabled log file has not been deleted.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

It is possible to obtain an overview of the remote Apache Tomcat Connectors configuration.

By accessing this overview page; a remote, unauthenticated attacker can discover a large amount of information about the remote web server, including :
 - The IP address of the host.
 - The version of the operating system.
 - The web server version.
 - URI Mappings.
 - AJP workers configuration.

Apache Struts 2 Config Browser Plugin is a module to help view Struts application's configuration at runtime.

This plugin has been detected on the web application by the scanner. It may be possible for an attacker to view Apache Struts version, loaded configuration or accessible action URLs for example and then conduct further attacks.

Sitefinity Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Oracle WebLogic Server administration console has been detected on the target web application. This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

ID	Name	Severity
113043	Rack-Mini-Profiler Information Disclosure	medium
98148	Form Detected	info
112949	Power Apps OData Feeds Detected	info
112925	Power Apps Application Detected	info
112922	Nginx Vhost Traffic Status Information Disclosure	medium
112921	WordPress Database Repair Enabled	medium
112907	GraphQL Interface Detected	info
112895	GraphQL Field Suggestions Detected	medium
112894	GraphQL Introspection Enabled	medium
112893	X-Cart Concierge Module Information Disclosure	medium
112811	X-Cart Files Information Disclosure	medium
112809	GraphQL API Detected	info
112804	phpBB User Enumeration	medium
112772	Microsoft FrontPage Insecure Extension Configuration	medium
112771	phpBB Directories Information Disclosure	medium
112719	Client-Side Prototype Pollution	high
98988	Magento Configuration Files	high
98987	Magento Data Files	high
98937	Magento Log File Detected	high
112714	API Versions Detected	info
112703	JSON Web Token None Hashing Algorithm	high
112697	JSON Web Token Weak Secret	high
112686	JSON Web Token Detected	info
112630	Flash File Detected	info
112615	OpenAPI File Detected	info
112613	Allowed HTTP Versions	info
98780	Java Object Deserialization	critical
98203	WordPress User Enumeration	medium
98061	Cookies Collected	info
112439	Server-Side Request Forgery	high
112421	Oracle WebLogic UDDI Explorer Detected	medium
98986	Magento Directory Listing	medium
98943	Laravel Log File Detected	medium
98765	Magento Cacheleak	high
98703	Magento API Anonymous Access	medium
98702	Magento RSS Feed Brute Force	medium
98701	JetBrains .idea Directory Detected	medium
98649	Invalid Subresource Integrity	medium
98647	Missing Subresource Integrity	info
98644	Magento Connect Manager Detected	medium
98642	Magento Administration Panel Login Form Detected	medium
98593	PHP error_log File Detected	medium
98538	Environment Configuration File Detected	high
98525	Apache Tomcat Manager Detected	medium
98524	Apache Tomcat Default Files	medium
98407	WordPress Debug Mode	medium
98398	JK Status Manager Information Disclosure	medium
112547	Apache Struts 2 Config Browser Detected	medium
112528	Sitefinity Administration Panel Login Form Detected	medium
112545	Oracle WebLogic Server Administration Console Detected	medium

Detections

Analytics

Web Applications Family for Web App Scanning

medium

info

info

info

medium

medium

info

medium

medium

medium

medium

info

medium

medium

medium

high

high

high

high

info

high

high

info

info

info

info

critical

medium

info

high

medium

medium

medium

high

medium

medium

medium

medium

info

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium