•       Cross-Site Scripting (XSS) [2 urls]
Description: Client-side malicious script can be injected into the web application which is then returned to the user's browser. This law can be exploited to access cookies and other sensitive information retained by your browser and rewrite the content of the HTML page.
Affected URLs:
POST request for http://10.66.81.133/vulnerabilities/xss_s/; Details: param=>txtName, unfiltered dangers=>["'", "\"", "<", ">"];param=>mtxMessage, unfiltered dangers=>["'", "\"", "<", ">"];
GET request for http://10.66.81.133/vulnerabilities/xss_r/?name=param; Details: param=>name, unfiltered dangers=>["'", "\"", "<", ">"];
Remediation: User inputs must be validated, filtered or encoded before being returned as part of the HTML code of a page.
References:
CWE-931 - http://cwe.mitre.org/data/definitions/931.html

•       SQL Injection [3 urls]
Description: Client-side sql code can be injected into the web application. This law can be exploited to read, modify sensitive data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and issue commands to the operating system.
Affected URLs:
GET request for http://10.66.81.133/vulnerabilities/brute/?Login=2'%20AND%20user_id%20IN%20(SELECT%20user%20FROM%20users%20u1,users%20u2)%20AND%20'a'='a&password=2'%20AND%20user_id%20IN%20(SELECT%20user%20FROM%20users%20u1,users%20u2)%20AND%20'a'='a&username=2'%20AND%20user_id%20IN%20(SELECT%20user%20FROM%20users%20u1,users%20u2)%20AND%20'a'='a
GET request for http://10.66.81.133/vulnerabilities/sqli/?Submit=2'%20AND%20user_id%20IN%20(SELECT%20user%20FROM%20users%20u1,users%20u2)%20AND%20'a'='a&id=2'%20AND%20user_id%20IN%20(SELECT%20user%20FROM%20users%20u1,users%20u2)%20AND%20'a'='a
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/?Submit=1'%20HAVING%20MAX(CASE%20WHEN%201=1%20THEN%20BENCHMARK(50000000,ENCODE('foobar','barbaz'))%20ELSE%200%20END)%20AND%20'1'='1&id=1'%20HAVING%20MAX(CASE%20WHEN%201=1%20THEN%20BENCHMARK(50000000,ENCODE('foobar','barbaz'))%20ELSE%200%20END)%20AND%20'1'='1
Remediation: User inputs must be validated, filtered or or encoded before being included in database queries.
References:
OWASP - https://www.owasp.org/index.php/SQL_Injection

•       Path Traversal [1 url]
Description: Path traversal vulnerabilities exist in this web server, which may enable an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.
Affected URLs:
GET request for http://10.66.81.133/vulnerabilities/fi?page=include.php
Remediation: Avoid passing user-submitted data to any file system API.
References:
OWASP - https://www.owasp.org/index.php/Path_traversal

•       Session Fixation [1 url]
Description: Session fixation attack is a class of session hijacking. The flaw is exploited by fixing an existent session ID on the victim's browser, and then hijacking the validated session ID after victim is authenticated.
Affected URLs:
POST request for http://10.66.81.133/login.php
Remediation: Always generate and assign a new session ID after user is authenticated.
References:
CWE-384 - http://cwe.mitre.org/data/definitions/384.html

•       SSL/TLS Mis-configuration [1 issue]
Description: SSL/TLS mis-configuration exists on the target's web server. The configuration can not secure the communication between browser and server well.
Issues:
1.  Target URL does not appear to support SSL.
Advice:
1.  Enable SSL for your site, or at least make sure the urls which transmit sensitive data are only accessible through secure HTTPS connections.
Reference:
OWASP - https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)


•       Frame busting [26 urls]
Description: Use multiple transparent or opaque layers to trick users into clicking on another page when they were intending to click on the the top level page.
Affected URLs:
http://10.66.81.133/login.php
http://10.66.81.133/index.php
http://10.66.81.133/
http://10.66.81.133/instructions.php
http://10.66.81.133/setup.php
http://10.66.81.133/security.php
http://10.66.81.133/phpinfo.php
http://10.66.81.133/about.php
http://10.66.81.133/vulnerabilities/exec/
http://10.66.81.133/vulnerabilities/brute/
http://10.66.81.133/vulnerabilities/csrf/
http://10.66.81.133/vulnerabilities/captcha/
http://10.66.81.133/vulnerabilities/sqli_blind/
http://10.66.81.133/vulnerabilities/fi/?page=include.php
http://10.66.81.133/instructions.php?doc=6804231b-7041-4efd-87e1-add89c17ac54
http://10.66.81.133/vulnerabilities/upload/
http://10.66.81.133/vulnerabilities/xss_r/
http://10.66.81.133/vulnerabilities/sqli/
http://10.66.81.133/vulnerabilities/xss_s/
http://10.66.81.133/vulnerabilities/brute/?username=&password=&Login=Login
http://10.66.81.133/vulnerabilities/csrf/?password_new=&password_conf=&Change=Change
http://10.66.81.133/vulnerabilities/sqli_blind/?id=&Submit=Submit
http://10.66.81.133/security.php?test=f8497e55-0eff-4590-a48e-4bbdf9981326
http://10.66.81.133/ids_log.php
http://10.66.81.133/vulnerabilities/xss_r/?name=
http://10.66.81.133/vulnerabilities/sqli/?id=&Submit=Submit
Advice: Send the x-frame-options: deny/sameorigin response header to prevent framing from other domains.
Reference:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

•       Cookie Attributes - Secure flag [all cookies]
Description: Cookies without Secure flag is allowed to be transmitted through an unencrypted channel which makes it susceptible to sniffing.
Affected cookies:
All of the cookies.
Advice: Use the Secure flag when generating a cookie.
References:
CWE-614 - http://cwe.mitre.org/data/definitions/614.html

•       Method Check [16 urls]
Description: Some HTTP methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured.
Affected URLs:
TRACE enabled on http://10.66.81.133/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/css/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/images/
OPTIONS, TRACE enabled on http://10.66.81.133/dvwa/js/
OPTIONS, TRACE enabled on http://10.66.81.133/vulnerabilities/
TRACE enabled on http://10.66.81.133/vulnerabilities/brute/
TRACE enabled on http://10.66.81.133/vulnerabilities/exec/
TRACE enabled on http://10.66.81.133/vulnerabilities/csrf/
TRACE enabled on http://10.66.81.133/vulnerabilities/captcha/
TRACE enabled on http://10.66.81.133/vulnerabilities/fi/
TRACE enabled on http://10.66.81.133/vulnerabilities/sqli/
TRACE enabled on http://10.66.81.133/vulnerabilities/sqli_blind/
TRACE enabled on http://10.66.81.133/vulnerabilities/upload/
TRACE enabled on http://10.66.81.133/vulnerabilities/xss_r/
TRACE enabled on http://10.66.81.133/vulnerabilities/xss_s/
Advice: Disable the HTTP methods that are listed.
References:
OWASP - https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)
Apache - http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
Nginx - http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except

•       Cookie Attributes - Session expiration [1 cookie]
Description: Session cookies without expires attribute will stay active until user manually ends the browser process. It is a failure in secure session management when an application does not have a defined session expiration time-out set.
Affected cookies:
PHPSESSID=8qdm1o5cnb0vdh9cclbunu1n73; path=/ (response of GET http://10.66.81.133/login.php )
Advice: Set expiration time for session cookies.
References:
OWASP - https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

•       Brute-force [1 url]
Description: It appears that your site does not have any mitigation method to prevent from brute-force attacks on login pages.
Affected URLs:
POST request for http://10.66.81.133
Advice: Implement mitigations such as locking out accounts after unsuccessful login trials or introducing time delays between successive attempts to login.
References:
OWASP - https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Prevent_Brute-Force_Attacks

•       Cookie Attributes - HttpOnly flag [all cookies]
Description: Cookies without HttpOnly flag is susceptible to be accessed by client-side code.
Affected cookies:
All of the cookies.
Advice: Use the HttpOnly flag when generating a cookie.
References:
OWASP - https://www.owasp.org/index.php/HttpOnly

•       Anti-reflection(XSS) [all urls]
Description: It appears that your site does not use the X-XSS-PROTECTION header to mitigate reflected XSS attacks.
Affected URLs:
All URLs in the sitemap.
Advice: Implement X-XSS-PROTECTION header.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

•       Strict MIME Type [66 urls]
Description: MIME type mismatch found or nosniff header missed. Some browsers will automatically switch to using an interpreter for the real content type. This increases exposure to XSS attack.
Affected URLs:
URLs without nosniff response header. Number of pages: 65
GET request for http://10.66.81.133/
GET request for http://10.66.81.133/about.php
GET request for http://10.66.81.133/dvwa/css/login.css
GET request for http://10.66.81.133/dvwa/css/main.css
GET request for http://10.66.81.133/dvwa/images/lock.png
GET request for http://10.66.81.133/dvwa/images/login_logo.png
GET request for http://10.66.81.133/dvwa/images/logo.png
GET request for http://10.66.81.133/dvwa/images/spanner.png
GET request for http://10.66.81.133/dvwa/js/dvwaPage.js
GET request for http://10.66.81.133/ids_log.php
GET request for http://10.66.81.133/ids_log.php?clear_log=param
GET request for http://10.66.81.133/index.php
GET request for http://10.66.81.133/instructions.php
GET request for http://10.66.81.133/instructions.php?doc=param
GET request for http://10.66.81.133/login.php
GET request for http://10.66.81.133/phpinfo.php
GET request for http://10.66.81.133/phpinfo.php?=param
GET request for http://10.66.81.133/security.php
GET request for http://10.66.81.133/security.php?phpids=param
GET request for http://10.66.81.133/security.php?test=param
GET request for http://10.66.81.133/setup.php
GET request for http://10.66.81.133/vulnerabilities/brute
GET request for http://10.66.81.133/vulnerabilities/brute/
GET request for http://10.66.81.133/vulnerabilities/brute/?Login=param&password=param&username=param
GET request for http://10.66.81.133/vulnerabilities/brute/?username=param&password=param&Login=param
GET request for http://10.66.81.133/vulnerabilities/brute?Login=param&password=param&username=param
GET request for http://10.66.81.133/vulnerabilities/brute?username=param&password=param&Login=param
GET request for http://10.66.81.133/vulnerabilities/captcha
GET request for http://10.66.81.133/vulnerabilities/captcha/
GET request for http://10.66.81.133/vulnerabilities/csrf
GET request for http://10.66.81.133/vulnerabilities/csrf/
GET request for http://10.66.81.133/vulnerabilities/csrf/?Change=param&password_conf=param&password_new=param
GET request for http://10.66.81.133/vulnerabilities/csrf/?password_new=param&password_conf=param&Change=param
GET request for http://10.66.81.133/vulnerabilities/csrf?Change=param&password_conf=param&password_new=param
GET request for http://10.66.81.133/vulnerabilities/csrf?password_new=param&password_conf=param&Change=param
GET request for http://10.66.81.133/vulnerabilities/exec
GET request for http://10.66.81.133/vulnerabilities/exec/
GET request for http://10.66.81.133/vulnerabilities/fi/?page=param
GET request for http://10.66.81.133/vulnerabilities/fi?page=param
GET request for http://10.66.81.133/vulnerabilities/sqli
GET request for http://10.66.81.133/vulnerabilities/sqli/
GET request for http://10.66.81.133/vulnerabilities/sqli/?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli/?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind/?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind?Submit=param&id=param
GET request for http://10.66.81.133/vulnerabilities/sqli_blind?id=param&Submit=param
GET request for http://10.66.81.133/vulnerabilities/upload
GET request for http://10.66.81.133/vulnerabilities/upload/
GET request for http://10.66.81.133/vulnerabilities/xss_r
GET request for http://10.66.81.133/vulnerabilities/xss_r/
GET request for http://10.66.81.133/vulnerabilities/xss_r/?name=param
GET request for http://10.66.81.133/vulnerabilities/xss_r?name=param
GET request for http://10.66.81.133/vulnerabilities/xss_s
GET request for http://10.66.81.133/vulnerabilities/xss_s/
POST request for http://10.66.81.133/login.php
POST request for http://10.66.81.133/security.php
POST request for http://10.66.81.133/security.php?test=param
POST request for http://10.66.81.133/setup.php
POST request for http://10.66.81.133/vulnerabilities/upload/
POST request for http://10.66.81.133/vulnerabilities/xss_s/
Actual content type is mismatched with Content-Type header. Number of pages: 1
POST request for http://10.66.81.133/security.php?test=param
Advice: Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing or make sure MIME type mismatch not exist.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
CAPEC-209 - http://capec.mitre.org/data/definitions/209.html

A whole url list of the scanned target. Number of pages:31

• http://10.66.81.133/
  
• http://10.66.81.133/login.php
  
• http://10.66.81.133/dvwa/
  
• http://10.66.81.133/dvwa/css/
  
• http://10.66.81.133/dvwa/css/login.css
  

• http://10.66.81.133/dvwa/css/main.css
• http://10.66.81.133/dvwa/images/
  
• http://10.66.81.133/dvwa/images/login_logo.png
  
• http://10.66.81.133/dvwa/images/logo.png
  
• http://10.66.81.133/dvwa/images/spanner.png
  
• http://10.66.81.133/dvwa/images/lock.png
  
• http://10.66.81.133/dvwa/js/
  
• http://10.66.81.133/dvwa/js/dvwaPage.js
  
• http://10.66.81.133/index.php
  
• http://10.66.81.133/instructions.php
  
• http://10.66.81.133/setup.php
  
• http://10.66.81.133/vulnerabilities/
  
• http://10.66.81.133/vulnerabilities/brute/
  
• http://10.66.81.133/vulnerabilities/exec/
  
• http://10.66.81.133/vulnerabilities/csrf/
  
• http://10.66.81.133/vulnerabilities/captcha/
  
• http://10.66.81.133/vulnerabilities/fi/
  
• http://10.66.81.133/vulnerabilities/sqli/
  
• http://10.66.81.133/vulnerabilities/sqli_blind/
  
• http://10.66.81.133/vulnerabilities/upload/
  
• http://10.66.81.133/vulnerabilities/xss_r/
  
• http://10.66.81.133/vulnerabilities/xss_s/
  
• http://10.66.81.133/security.php
  
• http://10.66.81.133/phpinfo.php
  
• http://10.66.81.133/about.php
  
• http://10.66.81.133/ids_log.php