- SSL/TLS Mis-configuration [1 issue]
Description: An SSL/TLS mis-configuration exists on the target's web server. The configuration cannot adequately secure the communication between browser and server.
Issues:
1. Target URL does not appear to support SSL.
Advice:
1. Enable SSL for your site, or at least make sure the URLs which transmit sensitive data are only accessible through secure HTTPS connections.
Reference:
OWASP - https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)
- Frame busting [26 urls]
Description: Multiple transparent or opaque layers are used to trick users into clicking on another page when they were intending to click on the top-level page.
Affected URLs:
http://10.66.81.133/login.php
http://10.66.81.133/index.php
http://10.66.81.133/
http://10.66.81.133/instructions.php
http://10.66.81.133/setup.php
http://10.66.81.133/security.php
http://10.66.81.133/phpinfo.php
http://10.66.81.133/about.php
http://10.66.81.133/vulnerabilities/exec/
http://10.66.81.133/vulnerabilities/brute/
http://10.66.81.133/vulnerabilities/csrf/
http://10.66.81.133/vulnerabilities/captcha/
http://10.66.81.133/vulnerabilities/sqli_blind/
http://10.66.81.133/vulnerabilities/fi/?page=include.php
http://10.66.81.133/instructions.php?doc=6804231b-7041-4efd-87e1-add89c17ac54
http://10.66.81.133/vulnerabilities/upload/
http://10.66.81.133/vulnerabilities/xss_r/
http://10.66.81.133/vulnerabilities/sqli/
http://10.66.81.133/vulnerabilities/xss_s/
http://10.66.81.133/vulnerabilities/brute/?username=&password=&Login=Login
http://10.66.81.133/vulnerabilities/csrf/?password_new=&password_conf=&Change=Change
http://10.66.81.133/vulnerabilities/sqli_blind/?id=&Submit=Submit
http://10.66.81.133/security.php?test=f8497e55-0eff-4590-a48e-4bbdf9981326
http://10.66.81.133/ids_log.php
http://10.66.81.133/vulnerabilities/xss_r/?name=
http://10.66.81.133/vulnerabilities/sqli/?id=&Submit=Submit
Advice: Send the X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN response header to prevent framing from other domains.
Reference:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- Cookie Attributes - Secure flag [all cookies]
Description: Cookies without the Secure flag are allowed to be transmitted over an unencrypted channel, which makes them susceptible to sniffing.
Affected cookies:
All of the cookies.
Advice: Use the Secure flag when generating a cookie.
References:
CWE-614 - http://cwe.mitre.org/data/definitions/614.html
- Method Check [16 urls]
Description: Some HTTP methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured.
Affected URLs:
TRACE enabled on http://10.66.81.133/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/css/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/images/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/js/
OPTIONS, TRACE enabled on http://10.66.81.133/vulnerabilities/
TRACE enabled on http://10.66.81.133/vulnerabilities/brute/
TRACE enabled on http://10.66.81.133/vulnerabilities/exec/
TRACE enabled on http://10.66.81.133/vulnerabilities/csrf/
TRACE enabled on http://10.66.81.133/vulnerabilities/captcha/
TRACE enabled on http://10.66.81.133/vulnerabilities/fi/
TRACE enabled on http://10.66.81.133/vulnerabilities/sqli/
TRACE enabled on http://10.66.81.133/vulnerabilities/sqli_blind/
TRACE enabled on http://10.66.81.133/vulnerabilities/upload/
TRACE enabled on http://10.66.81.133/vulnerabilities/xss_r/
TRACE enabled on http://10.66.81.133/vulnerabilities/xss_s/
Advice: Disable the HTTP methods that are listed.
References:
OWASP - https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)
Apache - http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
Nginx - http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except
- Cookie Attributes - Session expiration [1 cookie]
Description: Session cookies without an expires attribute will stay active until the user manually ends the browser process. It is a failure in secure session management when an application does not have a defined session expiration time-out set.
Affected cookies:
PHPSESSID=8qdm1o5cnb0vdh9cclbunu1n73; path=/ (response of GET http://10.66.81.133/login.php )
Advice: Set an expiration time for session cookies.
References:
OWASP - https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
- Brute-force [1 url]
Description: It appears that your site does not have any mitigation in place to prevent brute-force attacks on login pages.
Affected URLs:
POST request for http://10.66.81.133
Advice: Implement mitigations such as locking out accounts after unsuccessful login attempts or introducing time delays between successive login attempts.
References:
OWASP - https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Prevent_Brute-Force_Attacks
- Cookie Attributes - HttpOnly flag [all cookies]
Description: Cookies without the HttpOnly flag are susceptible to being accessed by client-side code.
Affected cookies:
All of the cookies.
Advice: Use the HttpOnly flag when generating a cookie.
References:
OWASP - https://www.owasp.org/index.php/HttpOnly
- Anti-reflection(XSS) [all urls]
Description: It appears that your site does not use the X-XSS-PROTECTION header to mitigate reflected XSS attacks.
Affected URLs: All URLs in the sitemap.
Advice: Implement the X-XSS-PROTECTION header.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- Strict MIME Type [66 urls]
Description: A MIME type mismatch was found or the nosniff header is missing. Some browsers will automatically switch to using an interpreter for the real content type. This increases exposure to XSS attacks.
Affected URLs:
URLs without nosniff response header. Number of pages: 65
GET request for http://10.66.81.133/
GET request for http://10.66.81.133/about.php
GET request for http://10.66.81.133/dvwa/css/login.css
GET request for http://10.66.81.133/dvwa/css/main.css
GET request for http://10.66.81.133/dvwa/images/lock.png
GET request for http://10.66.81.133/dvwa/images/login_logo.png
GET request for http://10.66.81.133/dvwa/images/logo.png
GET request for http://10.66.81.133/dvwa/images/spanner.png
GET request for http://10.66.81.133/dvwa/js/dvwaPage.js
GET request for http://10.66.81.133/ids_log.php
GET request for http://10.66.81.133/ids_log.php?clear_log=param
GET request for http://10.66.81.133/index.php
GET request for http://10.66.81.133/instructions.php
GET request for http://10.66.81.133/instructions.php?doc=param
GET request for http://10.66.81.133/login.php
GET request for http://10.66.81.133/phpinfo.php
GET request for http://10.66.81.133/phpinfo.php?=param
GET request for http://10.66.81.133/security.php
GET request for http://10.66.81.133/security.php?phpids=param
GET request for http://10.66.81.133/security.php?test=param
GET request for http://10.66.81.133/setup.php
GET request for http://10.66.81.133/vulnerabilities/brute
GET request for http://10.66.81.133/vulnerabilities/brute/
GET request for http://10.66.81.133/vulnerabilities/brute/?Login=param&password=param&username=param
GET request for http://10.66.81.133/vulnerabilities/brute/?username=param&password=param&Login=param
GET request for http://10.66.81.133/vulnerabilities/brute?Login=param&password=param&username=param
GET request for http://10.66.81.133/vulnerabilities/brute?username=param&password=param&Login=param
GET request for http://10.66.81.133/vulnerabilities/captcha
GET request for http://10.66.81.133/vulnerabilities/captcha/
GET request for http://10.66.81.133/vulnerabilities/csrf
GET request for http://10.66.81.133/vulnerabilities/csrf/
GET request for http://10.66.81.133/vulnerabilities/csrf/?Change=param&password_conf=param&password_new=param
GET request for http://10.66.81.133/vulnerabilities/csrf/?password_new=param&password_conf=param&Change=param
GET request for http://10.66.81.133/vulnerabilities/csrf?Change=param&password_conf=param&password_new=param
GET request for http://10.66.81.133/vulnerabilities/csrf?password_new=param&password_conf=param&Change=param
GET request for http://10.66.81.133/vulnerabilities/exec
GET request for http://10.66.81.133/vulnerabilities/exec/
GET request for http://10.66.81.133/vulnerabilities/fi/?page=param
GET request for http://10.66.81.133/vulnerabilities/fi?page=param
GET request for http://10.66.81.133/vulnerabilities/sqli
GET request for http://10.66.81.133/vulnerabilities/sqli/
GET request for http://10.66.81.133/vulnerabilities/sqli/?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli/?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/upload
GET request for http://10.66.81.133/vulnerabilities/upload/
GET request for http://10.66.81.133/vulnerabilities/xss_r
GET request for http://10.66.81.133/vulnerabilities/xss_r/
GET request for http://10.66.81.133/vulnerabilities/xss_r/?name=param
GET request for http://10.66.81.133/vulnerabilities/xss_r?name=param
GET request for http://10.66.81.133/vulnerabilities/xss_s
GET request for http://10.66.81.133/vulnerabilities/xss_s/
POST request for http://10.66.81.133/login.php
POST request for http://10.66.81.133/security.php
POST request for http://10.66.81.133/security.php?test=param
POST request for http://10.66.81.133/setup.php
POST request for http://10.66.81.133/vulnerabilities/upload/
POST request for http://10.66.81.133/vulnerabilities/xss_s/
Actual content type is mismatched with Content-Type header. Number of pages: 1
POST request for http://10.66.81.133/security.php?test=param
Advice: Use the response header X-Content-Type-Options: nosniff to prevent MIME sniffing, or make sure no MIME type mismatch exists.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
CAPEC-209 - http://capec.mitre.org/data/definitions/209.html