
Web Application Report

This report includes important security information about your web application.

Security Report
This report was created by IBM Security AppScan Standard 9.0.3.2, Rules: 3488
Scan started: 3/9/2015 10:59:00 AM

Table of Contents
Introduction
General Information
Login Settings

Summary
Issue Types
Vulnerable URLs
Fix Recommendations
Security Risks
Causes
WASC Threat Classification

Issues Sorted by Issue Type
SQL Injection (3 issues)
Database Error Pattern Found (3 issues)
Application Error (6 issues)

11/05/2016

Introduction
This report contains the results of a web application security scan performed by IBM Security AppScan Standard.

High severity issues: 3
Low severity issues: 3
Informational severity issues: 6

Total security issues included in the report: 12
Total security issues discovered in the scan: 12

General Information
Scan file name: GSC_demo.testfire
Scan started: 3/9/2015 10:59:00 AM
Test policy: Web Services (Modified)
Host: demo.testfire.net
Operating system: Win32
Web server: IIS
Application server: Any

Login Settings
Login method: Recorded login
Concurrent logins: Enabled
JavaScript execution: Disabled
In-session detection: Enabled
In-session pattern:
Tracked or session ID cookies:
Tracked or session ID parameters:
Login sequence:


Summary
(Severity key: H = High, L = Low, I = Informational)

Issue Types

Severity   Issue Type                      Number of Issues
H          SQL Injection                   3
L          Database Error Pattern Found    3
I          Application Error               6

Vulnerable URLs

Severity   URL                                                Number of Issues
H          https://demo.testfire.net/transfer/transfer.asmx   12

Fix Recommendations

Severity   Remediation Task                                                              Number of Issues
H          Review possible solutions for hazardous character injection                   6
L          Verify that parameter values are in their expected ranges and types.          6
           Do not output debugging error messages and exceptions.

Security Risks

Severity   Risk                                                                   Number of Issues
H          It is possible to view, modify or delete database entries and tables   6
I          It is possible to gather sensitive debugging information               6

Causes

Severity   Cause                                                                          Number of Issues
H          Sanitation of hazardous characters was not performed correctly on user input   6
I          Proper bounds checking was not performed on incoming parameter values          6
I          No validation was done in order to make sure that user input matches the       6
           data type expected

WASC Threat Classification

Threat
Information Leakage
SQL Injection


Issues Sorted by Issue Type

SQL Injection

Issue 1 of 3: SQL Injection
Severity: High
CVSS Score: 9.7
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Issue 2 of 3: SQL Injection
Severity: High
CVSS Score: 9.7
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->debitAccount (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.

Issue 3 of 3: SQL Injection
Severity: High
CVSS Score: 9.7
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->creditAccount (Parameter)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.


Database Error Pattern Found

Issue 1 of 3: Database Error Pattern Found
Severity: Low
CVSS Score: 5.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails (Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.

Issue 2 of 3: Database Error Pattern Found
Severity: Low
CVSS Score: 5.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->debitAccount (Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.


Issue 3 of 3: Database Error Pattern Found
Severity: Low
CVSS Score: 5.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->creditAccount (Global)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Sanitation of hazardous characters was not performed correctly on user input
Fix: Review possible solutions for hazardous character injection
Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
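The reasoning given for both the SQL Injection and the Database Error Pattern Found findings is the same: a hazardous character placed in one child of transDetails reaches the SQL statement, and the SOAP response carries SQL Server error text. The Python example below is added here to show that test logic end to end; it is not part of the AppScan report and does not contact demo.testfire.net. It builds the TransferBalance envelope along the entity paths the report lists (transDetails->debitAccount, creditAccount, transferAmount, transferDate), appends a single-quote probe to one child at a time, and classifies each response as a SQL Server error, some other application error, or clean. The service namespace, the field values, the stand-in service and its fault strings are all constructed for the example; the two SQL Server messages matched are real server messages, but the pattern list is deliberately short.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Optional
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://demo.testfire.net/transfer/"   # assumed target namespace; not stated in the report

# Illustrative SQL Server / ADO.NET error fragments. A scanner ships a far longer list.
SQL_SERVER_ERROR_RE = re.compile(
    r"System\.Data\.SqlClient\.SqlException"
    r"|Unclosed quotation mark after the character string"
    r"|Incorrect syntax near",
    re.IGNORECASE,
)

def build_transfer_request(fields: Dict[str, str], probe_field: Optional[str] = None,
                           probe: str = "'") -> str:
    """Serialise a TransferBalance request; optionally append `probe` to one transDetails child."""
    children = []
    for name, value in fields.items():
        if name == probe_field:
            value = value + probe          # survives escape(): only & < > are escaped
        children.append(f"<{name}>{escape(value)}</{name}>")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<TransferBalance xmlns="{SVC_NS}"><transDetails>{"".join(children)}</transDetails>'
            f'</TransferBalance></soap:Body></soap:Envelope>')

def classify_response(response_xml: str) -> str:
    """'sql_error' if a SOAP Fault carries SQL Server text, 'app_error' for any other Fault, else 'clean'."""
    root = ET.fromstring(response_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return "clean"
    if SQL_SERVER_ERROR_RE.search("".join(fault.itertext())):
        return "sql_error"
    return "app_error"

def probe_parameters(fields: Dict[str, str], send: Callable[[str], str],
                     probe: str = "'") -> Dict[str, str]:
    """One probed request per transDetails child; returns {child: verdict}."""
    return {name: classify_response(send(build_transfer_request(fields, name, probe)))
            for name in fields}

# ---- Constructed stand-in for the remote service (the real host is never contacted) ----
def _fault(message: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
            f'<faultcode>soap:Server</faultcode><faultstring>{escape(message)}</faultstring>'
            f'</soap:Fault></soap:Body></soap:Envelope>')

def simulated_service(request_xml: str) -> str:
    """Mimics the behaviour the report describes: account fields reach a SQL string unescaped,
    amount/date fields are parsed without validation and the .NET exception text is returned."""
    root = ET.fromstring(request_xml)
    details = {child.tag.split("}")[-1]: (child.text or "")
               for child in root.find(f".//{{{SVC_NS}}}transDetails")}
    for acct in ("debitAccount", "creditAccount"):
        if "'" in details.get(acct, ""):
            return _fault("System.Data.SqlClient.SqlException: "
                          "Unclosed quotation mark after the character string ''.")
    try:
        Decimal(details.get("transferAmount", "0"))
    except InvalidOperation:
        return _fault("System.FormatException: Input string was not in a correct format.")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", details.get("transferDate", "")):
        return _fault("System.FormatException: String was not recognized as a valid DateTime.")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<TransferBalanceResponse xmlns="{SVC_NS}"><TransferBalanceResult>OK'
            f'</TransferBalanceResult></TransferBalanceResponse></soap:Body></soap:Envelope>')

SAMPLE_FIELDS = {"debitAccount": "800000", "creditAccount": "800001",
                 "transferAmount": "10.00", "transferDate": "2015-03-09"}   # constructed values

if __name__ == "__main__":
    for field, verdict in probe_parameters(SAMPLE_FIELDS, simulated_service).items():
        print(f"{field:15s} {verdict}")
```

The split between `sql_error` and `app_error` is the distinction the report draws between the two finding types: a Fault is only evidence of injection when its text matches a database error pattern; any other Fault is an Application Error, which is why the amount and date fields appear under that heading and not under SQL Injection.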


Application Error

Issue 1 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->creditAccount (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.

Issue 2 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.


Issue 3 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.

Issue 4 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->transferDate (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.

Issue 5 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->transferAmount (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.

Issue 6 of 6: Application Error
Severity: Informational
CVSS Score: 0.0
URL: https://demo.testfire.net/transfer/transfer.asmx
Entity: ->Envelope->Body->TransferBalance->transDetails->debitAccount (Parameter)
Risk: It is possible to gather sensitive debugging information
Causes: Proper bounds checking was not performed on incoming parameter values; no validation was done in order to make sure that user input matches the data type expected
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.
Reasoning: The application has responded with an error message, indicating an undefined state that may expose sensitive information.
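The report prescribes two remediation tasks for this endpoint: hazardous-character handling for the SQL Injection and Database Error Pattern Found findings, and range/type checks plus suppressed error output for the Application Error findings. The Python example below, added here and not taken from the scanned service (which is an ASP.NET .asmx endpoint whose code the report does not show), puts a handler with both defects next to one that applies both fixes. SQLite stands in for the SQL Server backend, the account table and its rows are constructed, and the account-number format and the transfer limit are assumptions chosen for the example.

```python
import logging
import re
import sqlite3
from datetime import datetime
from decimal import Decimal, InvalidOperation

log = logging.getLogger("transfer")
GENERIC_FAULT = "The transfer could not be processed."   # all the client is allowed to see

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the account table behind TransferBalance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance REAL NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("800000", 1000.0), ("800001", 500.0), ("800002", 250.0)])
    conn.commit()
    return conn

def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))

# The pattern the findings point at: transDetails values spliced into the SQL text
# (SQL Injection) and the raw database exception echoed to the caller
# (Database Error Pattern Found / Application Error).
def vulnerable_transfer(conn, debit: str, credit: str, amount: str, date: str) -> dict:
    try:
        conn.execute(f"UPDATE accounts SET balance = balance - {amount} WHERE id = '{debit}'")
        conn.execute(f"UPDATE accounts SET balance = balance + {amount} WHERE id = '{credit}'")
        conn.commit()
        return {"ok": True, "message": "transfer complete"}
    except Exception as exc:
        conn.rollback()
        return {"ok": False, "message": f"{type(exc).__name__}: {exc}"}   # leaks DB error text

# Hardened version: typed and ranged validation, bound parameters, generic fault to the client.
ACCOUNT_RE = re.compile(r"\d{6,12}")          # assumed account-number format
MAX_AMOUNT = Decimal("100000.00")             # assumed business limit

def validate(debit: str, credit: str, amount: str, date: str) -> float:
    """Raise ValueError unless every field has the expected type and range."""
    if not (ACCOUNT_RE.fullmatch(debit) and ACCOUNT_RE.fullmatch(credit)) or debit == credit:
        raise ValueError("account")
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        raise ValueError("amount")
    if (not amt.is_finite() or not Decimal("0.01") <= amt <= MAX_AMOUNT
            or amt.as_tuple().exponent < -2):
        raise ValueError("amount")
    datetime.strptime(date, "%Y-%m-%d")       # ValueError on anything but a real date
    return float(amt)

def hardened_transfer(conn, debit: str, credit: str, amount: str, date: str) -> dict:
    try:
        amt = validate(debit, credit, amount, date)
        with conn:   # one transaction: both updates commit, or neither does
            debited = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
                (amt, debit, amt)).rowcount
            credited = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amt, credit)).rowcount
            if debited != 1 or credited != 1:
                raise LookupError("unknown account or insufficient funds")
        return {"ok": True, "message": "transfer complete"}
    except Exception as exc:
        log.warning("transfer rejected: %s", exc)   # detail stays in the server log
        return {"ok": False, "message": GENERIC_FAULT}

if __name__ == "__main__":
    payload = "800000' OR '1'='1"            # tautology used as test input for debitAccount
    db = make_db()
    print(vulnerable_transfer(db, payload, "800001", "10.00", "2015-03-09"), balances(db))
    db = make_db()
    print(hardened_transfer(db, payload, "800001", "10.00", "2015-03-09"), balances(db))
```

Two details matter beyond the parameter binding. The `balance >= ?` guard and the rowcount check turn an unknown account or an overdraft into a rollback rather than a half-applied transfer, and the single `except` branch means every failure, whether validation, lookup or a database exception, reaches the client as the same generic message, which removes the error text the scanner was matching on.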
