Advanced Information Security Mid Exam

Acunetix Website Audit
7 June, 2016
Web Application Security Consortium:

Threat Classification
~ compliance report ~
Generated by Acunetix WVS Reporter (v10.0 Build 20150707)
Web Application Security Consortium: Threat Classification
Scan
URL
Scan date
Duration
Profile
http://192.168.1.3:80/
6/6/2016 5:59:47 PM
15 hours, 7 minutes
Default
Compliance at a Glance
This section of the report is a summary and lists the number of alerts found according to individual compliance categories.
- Authentication: Brute Force (1.1)

No alerts in this category
- Insufficient Authentication (1.2)
- Weak Password Recovery Validation (1.3)
- Credential/Session Prediction (2.1)
- Insufficient Authorization (2.2)
- Insufficient Session Expiration (2.3)
- Session Fixation (2.4)
- Content Spoofing (3.1)
- Cross-site Scripting (3.2)

- Buffer Overflow (4.1)
- Format String Attack (4.2)
- LDAP Injection (4.3)
- OS Commanding (4.4)
- SQL Injection (4.5)
- SSI Injection (4.6)
- XPath Injection (4.7)
- Directory Indexing (5.1)
- Information Leakage (5.2)
Total number of alerts in this category: 176
- Path Traversal (5.3)
- Predictable Resource Location (5.4)
- Abuse of Functionality (6.1)
- Denial of Service (6.2)
- Insufficient Anti-automation (6.3)
- Insufficient Process Validation (6.4)
Compliance According to Categories: A Detailed Report

This section is a detailed report that explains each vulnerability found according to individual compliance categories.
(1.1) Authentication: Brute Force

A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card
number or cryptographic key.
Acunetix authentication tester can be used to bruteforce authentication schemes based either on HTTP protocol NTLM or
Basic authentication or HTML form based authentication.
No alerts in this category.
(1.2) Insufficient Authentication

Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without
having to properly authenticate. Web-based administration tools are a good example of web sites providing access to
sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible
without the user required to properly verify their identity.
To get around setting up authentication, some resources are protected by "hiding" the specific location and not linking the
location into the main web site or other public places. However, this approach is nothing more than "Security Through
Obscurity". Its important to understand that simply because a resource is unknown to an attacker, it still remains
accessible directly through a specific URL. The specific URL could be discovered through a Brute Force probing for
common file and directory locations (/admin for example), error messages, referrer logs, or perhaps documented in help
files. These resources, whether they are content or functionality driven, should be adequately protected.
(1.3) Weak Password Recovery Validation

Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another
user's password. Conventional web site authentication methods require users to select and remember a password or
passphrase. The user should be the only person that knows the password and it must be remembered precisely. As time
passes, a user's ability to remember a password fades. The matter is further complicated when the average user visits 20
sites requiring them to supply a password. (RSA Survey: http://news.bbc.co.uk/1/hi/technology/3639679.stm) Thus,
Password Recovery is an important part in servicing online users.
(2.1) Credential/Session Prediction

Credential/Session Prediction is a method of hijacking or impersonating a web site user. Deducing or guessing the unique
value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the
consequences could allow attackers the ability to issue web site requests with the compromised user's privileges.
(2.2) Insufficient Authorization

Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require
increased access control restrictions. When a user is authenticated to a web site, it does not necessarily mean that he
should have full access to all content and that functionality should be granted arbitrarily.
Authorization procedures are performed after authentication, enforcing what a user, service or application is permitted to
do. Thoughtful restrictions should govern particular web site activity according to policy. Sensitive portions of a web site
may need to be restricted to everyone expect to perhaps an administrator.
(2.3) Insufficient Session Expiration

Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for
authorization. Insufficient Session Expiration increases a web site's exposure to attacks that steal or impersonate other
users.
(2.4) Session Fixation

Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality
of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from
Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has
been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID
value to assume their online identity.
(3.1) Content Spoofing

Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is
legitimate and not from an external source.
Some web pages are served using dynamically built HTML content sources. For example, the source location of a frame
<frame src="http://foo.example/file.html">
could be specified by a URL parameter value:
http://foo.example/page?frame_src=http://foo.example/file.html
An attacker may be able to replace the "frame_src" parameter value with "
frame_src=http://attacker.example/spoof.html
". When the resulting web page is served, the browser location bar visibly remains under the user expected domain
(foo.example), but the foreign data (attacker.example) is shrouded by legitimate content.
(3.2) Cross-site Scripting

Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which
loads in a user's browser. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX,
Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his code, the code will run within the security context (or zone) of the
hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data
accessible by the browser. A Cross-site Scripted user could have his account hijacked (cookie theft), their browser
redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Crosssite
Scripting attacks essentially compromise the trust relationship between a user and the web site.
(4.1) Buffer Overflow

Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory. Buffer Overflow is
a common software flaw that results in an error condition. This error condition occurs when data written to memory
exceed the allocated size of the buffer. As the buffer is overflowed, adjacent memory addresses are overwritten causing
the software to fault or crash. When unrestricted, properly-crafted input can be used to overflow the buffer resulting in a
number of security issues.
A Buffer Overflow can be used as a Denial of Service attack when memory is corrupted, resulting in software failure. Even
more critical is the ability of a Buffer Overflow attack to alter application flow and force unintended actions. This scenario
can occur in several ways. Buffer Overflow vulnerabilities have been used to overwrite stack pointers and redirect the
program to execute malicious instructions. Buffer Overflows have also been used to change program variables.
(4.2) Format String Attack

Format String Attacks alter the flow of an application by using string formatting library features to access other memory
space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++
functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...).
If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as parameter
value to the web application, they may:
- Execute arbitrary code on the server
- Read values off the stack
- Cause segmentation faults / software crashes
(4.3) LDAP Injection

LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500
directory services. The LDAP protocol runs over Internet transport protocols, such as TCP. Web applications may use
user-supplied input to create custom LDAP statements for dynamic web page requests.
(4.4) OS Commanding
OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through
manipulation of application input.
When a web application does not properly sanitize user-supplied input before using it within application code, it may be
possible to trick the application into executing Operating System commands. The executed commands will run with the
same permissions of the component that executed the command (e.g. Database server, Web application server, Web
server, etc.).
(4.5) SQL Injection

SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction
of backend SQL statements. When an attacker is able to modify a SQL statement, the process will run with the same
permissions as the component that executed the command. (e.g. Database server, Web application server, Web server,
etc.). The impact of this attack can allow attackers to gain total control of the database or even execute commands on the
system.
(4.6) SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web
application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to
sanitize user-supplied data before they are inserted into a server-side interpreted HTML file.
If an attacker submits a Server-side Include statement, he may have the ability to execute arbitrary operating system
commands, or include a restricted file's contents the next time the page is served.
(4.7) XPath Injection

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
XPath 1.0 is a language used to refer to parts of an XML document. It can be used directly by an application to query an
XML document, or as part of a larger operation such as applying an XSLT transformation to an XML document, or
applying an XQuery to an XML document.
(5.1) Directory Indexing

Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the
normal base file (index.html/home.html/default.htm) is not present. When a user requests the main page of a web site,
they normally type in a URL such as: http://www.example.com - using the domain name and excluding a specific file. The
web server processes this request and searches the document root directory for the default file name and sends this page
to the client. If this page is not present, the web server will issue a directory listing and send the output to the client.
Essentially, this is equivalent to issuing an "ls" (Unix) or "dir" (Windows) command within this directory and showing the
results in HTML form. From an attack and countermeasure perspective, it is important to realize that unintended directory
listings may be possible due to software vulnerabilities.
(5.2) Information Leakage

Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which
may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error
messages, source code, or simply left in plain sight. There are many ways a web site can be coaxed into revealing this
type of information. While leakage does not necessarily represent a breach in security, it does give an attacker useful
guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited
whenever possible.
Alerts in this category
Microsoft IIS tilde directory enumeration
It is possible to detect short names of files and directories which have an 8.3 file naming scheme equivalent in Windows
by using some vectors in several versions of Microsoft IIS. For instance, it is possible to detect all short-names of ".aspx"
files as they have 4 letters in their extensions. This can be a major issue especially for the .Net websites which are
vulnerable to direct URL access as an attacker can find important files and folders that they are not normally visible.
CVSS
Base Score: 5.0
CWE
- Access Vector: Network

- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
CWE-20
Affected item
/
Affected parameter
Variants
1
Application error message

This page contains an error/warning message that may disclose sensitive information. The message can also contain the
location of the file that produced the unhandled exception.
This may be a false positive if the error message is found in documentation pages.
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
Affected parameter
Variants
Affected item
/account/edit/endalamaw
FirstName
1

Affected parameter UserName
Variants
1
Affected item
/account/edit/zelalem
Affected parameter LastName
Variants
1
Affected item
/account/login
Affected parameter Password
Variants
1
Affected item
/account/usergroups/endalamaw
Affected parameter UserName
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/finance/bankaccounts/edit/10
AccountName
1
BankAdress
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
AccountName
1
BankAdress
1
Affected parameter BankBranch

Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
BankAdress
1
BankBranch
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
__RequestVerificationToken
1
AccountName
1
AccountNumber
1

Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
BankAdress
1
BankBranch
1
BankName
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
BankName
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
Affected item
Affected parameter AccountName
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
BankAdress
1
BankBranch
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
BankName
1
Affected item

Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
BankName
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
AccountName
1
BankAdress
1
BankBranch
1
Affected item
/hr/disciplinaymeasureranks/edit/2
Affected parameter DisciplinayMeasureRank
Variants
1
Affected item
Affected parameter DisciplinayMeasureRank
Variants
1
Affected item
/hr/disciplinaymeasuretypes/edit/10
Affected parameter Measure
Variants
1
Affected item
Variants
Affected item
Variants
1
Affected item
Variants
1
Affected item
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/hr/empbscappraisalperiods/edit/1
1
AppraisalPeriod
1
Affected item
Affected parameter AppraisalPeriod
Variants
1
10
Affected item
Variants
1
Affected item
Variants
1
Affected item
Variants
1
Error message on page
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
/finance/json/description
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmentcategory/fleetsetupequipmentcategories_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmentfuelstandard/fleetsetupequipmentfuelstandards_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmentfueltype/fleetsetupequipmentfueltypes_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmentname/fleetsetupequipmentnames_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmentstatus/fleetsetupequipmentstatus_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupequipmenttype/fleetsetupequipmenttypes_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupinsurancetype/fleetsetupinsurancetypes_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetupmaintenancecenter/fleetsetupmaintenancecenters_read
Affected parameter
Variants
11
Affected item
/fleetmanagement/fleetsetupoperatorposition/fleetsetupoperatorpositions_read
Affected parameter
Variants
1
Affected item
/fleetmanagement/fleetsetuprepairtype/fleetsetuprepairtypes_read
Affected parameter
Variants
1
Affected item
/hr/disciplinaymeasuretypes
Affected parameter
Variants
1
Affected item
/procurement/reportprocurement
Affected parameter
Variants
1
Affected item
/procurement/reportprocurement/getlotdetails
Affected parameter
Variants
1
Affected item
/upload
Affected parameter
Variants
1
Internal server error
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
/
Affected parameter /
Variants
3
Affected item
/account/delete/enanu
Affected parameter __RequestVerificationToken
Variants
1
Affected item
/account/delete/endalamaw
Variants
1
Affected item
/account/delete/zelalem
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
/account/edit/enanu
1
/account/edit/enanu
Email

Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
1
/account/edit/enanu
FirstName
1
/account/edit/enanu
LastName
1
/account/edit/enanu
UserName
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
1
Email
1
FirstName
1
LastName
1
UserName
1
12
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/account/login
2
/account/login
Password
1
/account/login
ReturnUrl
1
/account/login
UserName
1
Affected item
/account/logoff
Variants
1
Affected item
/account/register
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/account/usergroups/enanu
1
Groups[0].GroupId
1
Groups[1].GroupId
1

Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Groups[2].GroupId
1
Groups[3].GroupId
1
Groups[3].Selected
1
Groups[4].GroupId
1
Groups[4].Selected
1
Groups[5].GroupId
1
Groups[5].Selected
1
Groups[6].GroupId
1
13
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Groups[6].Selected
1
Groups[7].GroupId
1
Groups[7].Selected
1
Groups[8].GroupId
1
Groups[8].Selected
1
UserName
1
Affected item
/finance/budgetallocationandusage/
Affected parameter BudgetYear
Variants
1
Affected item
/finance/budgetallocationandusage/budgetallocationandusageexcel
Variants
1
Affected item
/finance/budgetallocationandusage/budgetallocationandusageprint
Variants
1
Affected item
14
Affected parameter id
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/
fleetmanagement/fleetsetupequipmentmanufacturer/fleetsetupequipmentmanufacturers_read
filter
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
filter
1
group
1
1
/
group
1
/
page
1
/
pageSize
1
/
sort
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
page
1
pageSize
1
sort
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
filter
1
group
1
page
1
pageSize
1
sort
1
Affected item
/home/setculture
Affected parameter Referer
Variants
1
Affected item
/hr/disciplinaymeasuretypes/delete/10
Variants
Affected item
Variants
1
Affected item
Variants
1
Affected item
Variants
1
Affected item
Variants
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
1
CreatedBy
1
CreatedOn
15
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
1
DisciplinayMeasureRanksID
1
DisciplinayMeasureTypesID
1
ExpireYear
1
Measure
1
PercentageEffectOnPromotion
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
1
CreatedBy
1
CreatedOn
1
1

Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
1
ExpireYear
1
Measure
1
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
1
CreatedBy
1
CreatedOn
1
16
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
1
1
ExpireYear
1
Measure
1
1
Affected item
Affected parameter
Variants
Affected item
Affected parameter
Variants
/hr/empbscappraisalperiods/create
1
IsClosed
1
ASP.NET version disclosure

The HTTP responses returned by this web application include anheader named X-AspNet-Version. The value of this
header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites
and should be disabled.
CVSS
Base Score: 0.0
CWE

- Confidentiality Impact: None
CWE-200
17
Affected item
/
Affected parameter
Variants
1
Email address found
One or more email addresses have been found on this page. The majority of spam comes from email addresses
harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour
the internet looking for email addresses on any website they come across. Spambot programs look for strings like
myname@mydomain.com and then record any addresses found.
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
/account
Affected parameter
Variants
1
Affected item
Affected parameter
Variants
1
Affected item
Affected parameter
Variants
1
Microsoft IIS version disclosure
The HTTP responses returned by this web application include a header named Server. The value of this header includes
the version of Microsoft IIS server.
CVSS
Base Score: 0.0
CWE

CWE-200
Affected item
/
Affected parameter
Variants
1
Password type input with auto-complete enabled
When a new name and password is entered in a form and the form is submitted, the browser asks if the password should
be saved.Thereafter when the form is displayed, the name and password are filled in automatically or are completed as
the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.
CVSS
Base Score: 0.0


CWE
CWE-200
Affected item
/account/login
Affected parameter
Variants
1
Affected item
/account/login (1f2dc0e26bedda9d5aebd00f748cb9d1)
Affected parameter
Variants
1
Affected item
/account/login (8f687fa47b22a02f27a3174aed84ccc0)
Affected parameter
Variants
1
Affected item
/account/login (d4c7aaa78ab87dfcc2f6d60cf3c9605e)
Affected parameter
Variants
1
Affected item
/account/login (f679e9569fc981ca88e5e9c01ef99b87)
Affected parameter
Variants
1
Affected item
/account/register
18
Affected parameter
Variants
2
Possible internal IP address disclosure
A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing
scheme of the internal network. This information can be used to conduct further attacks.
This alert may be a false positive, manual confirmation is required.
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
/home/setculture
Affected parameter
Variants
1
Possible username or password disclosure
A username and/or password was found in this file. This information could be sensitive.
CVSS
Base Score: 5.0
CWE

CWE-200
Affected item
/content/ace/font-awesome/4.2.0/css/font-awesome.min.css
Affected parameter
Variants
19
(5.3) Path Traversal

The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the
web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the
contents of arbitrary files anywhere on the web server. Any device that exposes an HTTPbased interface is potentially
vulnerable to Path Traversal.
Most web sites restrict user access to a specific portion of the filesystem, typically called the "web document root" or "CGI
root" directory. These directories contain the files intended for user access and the executables necessary to drive web
application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will
utilize the ability of special-characters sequences.
(5.4) Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality. By
making educated guesses, the attack is a brute force search looking for content that is not intended for public viewing.
Temporary files, backup files, configuration files, and sample files are all examples of potentially leftover files. These brute
force searches are easy because hidden files will often have common naming convention and reside in standard
locations. These files may disclose sensitive information about web application internals, database information,
passwords, machine names, file paths to other sensitive areas, or possibly contain vulnerabilities. Disclosure of this
information is valuable to an attacker.
(6.1) Abuse of Functionality

Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or
circumvents access controls mechanisms. Some functionality of a web site, possibly even security features, may be
abused to cause unexpected behavior. When a piece of functionality is open to abuse, an attacker could potentially annoy
other users or perhaps defraud the system entirely. The potential and level of abuse will vary from web site to web site
and application to application.
HTML form without CSRF protection
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type
of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Acunetix WVS found a HTML form with no apparent CSRF protection implemented. Consult details for more information
about the affected HTML form.
CVSS
Base Score: 2.6
CWE

- Access Complexity: High
- Integrity Impact: Partial
CWE-352
Affected item
/
Affected parameter
Variants
2
Affected item
/account
Affected parameter
Variants
4
Affected item
/finance/accountstransactions
Affected parameter
Variants
2
Affected item
/finance/budgetagainstpreviousyear
Affected parameter
Variants
2
Affected item
/finance/budgetallocationandusage
Affected parameter
Variants
2
Affected item
/finance/json/fromaccountcode
Affected parameter
Variants
2
20
Affected item
/finance/reportfinance/accountanalysis
Affected parameter
Variants
2
Affected item
/finance/reportfinance/accountanalysisbysegment
Affected parameter
Variants
2
Affected item
/finance/reportfinance/aragingbyinvoice
Affected parameter
Variants
2
Affected item
/finance/reportfinance/cashflow
Affected parameter
Variants
2
Affected item
/finance/reportfinance/chartofaccount
Affected parameter
Variants
2
Affected item
/finance/reportfinance/customerlist
Affected parameter
Variants
2
Affected item
/finance/reportfinance/incomestatement
Affected parameter
Variants
2
Affected item
/finance/reportfinance/incomestatementbyproject
Affected parameter
Variants
2
Affected item
/finance/reportfinance/supplierlist
Affected parameter
Variants
2
Affected item
/finance/reportfinance/trialbalance
Affected parameter
Variants
2
Affected item
/hr/certificatesandletters
Affected parameter
Variants
2
Affected item
/hr/upload
Affected parameter
Variants
2
Affected item
/inventory/reportinventory/issueitem
Affected parameter
Variants
2
Affected item
/inventory/reportinventory/stockbalance
Affected parameter
Variants
2
Affected item
/payroll/payrollreports/bonusincometaxreport
Affected parameter
Variants
2
Affected item
/payroll/payrollreports/monthlypensionreport
21
Affected parameter
Variants
2
Affected item
/payroll/payrollreports/reportbycontributiontypelist
Affected parameter
Variants
2
Login page password-guessing attack
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack
is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols
until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references
for more information about fixing this problem.
CVSS
Base Score: 5.0
CWE

CWE-307
Affected item
/account/login
Affected parameter
Variants
1
Possible CSRF (Cross-site request forgery)
Manual confirmation is required for this alert.
This script is possibly vulnerable to cross-site request forgery. Cross Site Reference Forgery (CSRF/XSRF) is a class of
attack that affects web based applications with a predictable structure for invocation. An attacker tricks the user into
performing an action of the attackers choosing by directing the victim's actions on the target application with a link or other
content.
The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to
have authenticated. Here is an example:
<img src="http://bank.example/withdraw?from=victim&amount=1000000&to=attacker">
If the bank keeps authentication information in a cookie, and if the cookie hasn't expired, then victim's browser's attempt
to load the image will submit the withdrawal form with his cookie.
This vulnerability is also known by several other names including Session Riding and One-Click Attack.
Affected item
/finance/json/bankaccounts (6e57e52fb25f1aa27d063b6c42189ce6)
Affected parameter
Variants
1
Affected item
/finance/json/description (c002f292f84915c9792f54c0abc710d4)
Affected parameter
Variants
22
Affected item
/finance/json/fromaccountcode (6e57e52fb25f1aa27d063b6c42189ce6)
Affected parameter
Variants
1
Affected item
/finance/json/toaccountcode (6e57e52fb25f1aa27d063b6c42189ce6)
Affected parameter
Variants
1
Affected item
/
Affected parameter fleetmanagement/fleetsetupequipmentmanufacturer/fleetsetupequipmentmanufacturers_read
Variants
Affected item
/
Variants
1
Affected item
/
Variants
1
Affected item
Affected parameter (11e076bff3d87afafd26c723d1fdc6a3)
Variants
1
Affected item
Affected parameter (11e076bff3d87afafd26c723d1fdc6a3)
Variants
1
(6.2) Denial of Service

Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity.
DoS attacks, which are easily normally applied to the network layer, are also possible at the application layer. These
malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality.
Slow response time
This page had a slow response time. This type of files can be targeted in denial of service attacks. An attacker can
request this page repeatedly from multiple computers until the server becomes overloaded.
CVSS
Base Score: 5.0
CWE

- Availability Impact: Partial
CWE-400
Affected item
Affected parameter
Variants
1
Affected item
/projectmanagement/projectestimationnames
Affected parameter
Variants
1
23
(6.3) Insufficient Anti-automation

Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed
manually. Certain web site functionalities should be protected against automated attacks.
Left unchecked, automated robots (programs) or attackers could repeatedly exercise web site functionality attempting to
exploit or defraud the system. An automated robot could potentially execute thousands of requests a minute, causing
potential loss of performance or service.
(6.4) Insufficient Process Validation

Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent the intended flow control of
an application. If the user state through a process is not verified and enforced, the web site could be vulnerable to
exploitation or fraud.
Affected Items: A Detailed Report

This section provides full details of the types of vulnerabilities found according to individual affected items.
/
Microsoft IIS tilde directory enumeration
24
It is possible to detect short names of files and directories which have an 8.3 file naming scheme equivalent in Windows
by using some vectors in several versions of Microsoft IIS. For instance, it is possible to detect all short-names of ".aspx"
files as they have 4 letters in their extensions. This can be a major issue especially for the .Net websites which are
vulnerable to direct URL access as an attacker can find important files and folders that they are not normally visible.
This alert belongs to the following categories: 5.2
CVSS
Base Score: 5.0
CWE

CWE-20
Parameter
Variations
1

This alert belongs to the following categories: 6.1, 6.1
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1


CVSS
Base Score: 5.0

25
CWE
CWE-200
Parameter
/
Variations
3
ASP.NET version disclosure

The HTTP responses returned by this web application include anheader named X-AspNet-Version. The value of this
header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites
and should be disabled.
CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
Variations
1
Microsoft IIS version disclosure

The HTTP responses returned by this web application include a header named Server. The value of this header includes
the version of Microsoft IIS server.
CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
/account
Variations
1
26

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
2
Email address found

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
/account/delete/enanu
Variations
1
27
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/account/delete/endalamaw
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
28

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
Email address found

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
/account/edit/enanu
Variations
1
29

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Email
FirstName
LastName
UserName
Variations
1
1
1
1
1
30
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
FirstName
UserName
Variations
1
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Email
FirstName
LastName
UserName
Variations
1
1
1
1
1
31
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
LastName
Variations
1
Email address found

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
/account/login
Variations
1
32

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Password
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Password
ReturnUrl
UserName
Variations
2
1
1
1
Login page password-guessing attack

A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack
is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols
until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references
for more information about fixing this problem.
33
CVSS
Base Score: 5.0
CWE

CWE-307
Parameter
Variations
1

CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
Variations
1
/account/login (1f2dc0e26bedda9d5aebd00f748cb9d1)
CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
Variations
1
34
/account/login (8f687fa47b22a02f27a3174aed84ccc0)
CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
Variations
1
/account/login (d4c7aaa78ab87dfcc2f6d60cf3c9605e)
CVSS
Base Score: 0.0
CWE
Parameter

CWE-200
Variations
1
35
/account/login (f679e9569fc981ca88e5e9c01ef99b87)
CVSS
Base Score: 0.0
CWE

CWE-200
Parameter
Variations
1
/account/logoff
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
36
/account/register
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1

CVSS
Base Score: 0.0
CWE
Parameter

CWE-200
Variations
2
37
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Groups[0].GroupId
Groups[1].GroupId
Groups[2].GroupId
Groups[3].GroupId
Groups[3].Selected
Groups[4].GroupId
Groups[4].Selected
Groups[5].GroupId
Groups[5].Selected
Groups[6].GroupId
Groups[6].Selected
Groups[7].GroupId
Groups[7].Selected
Groups[8].GroupId
Groups[8].Selected
UserName
Variations
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
38
/account/usergroups/endalamaw
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
UserName
/content/ace/font-awesome/4.2.0/css/font-awesome.min.css
Possible username or password disclosure
A username and/or password was found in this file. This information could be sensitive.
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
39
/finance/accountstransactions
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
Variations
1
1
40
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
Variations
1
1
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
Variations
1
1
1
41
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
BankAdress
BankBranch
Variations
1
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
AccountNumber
Variations
1
1
1
42
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
BankAdress
BankBranch
BankName
Variations
1
1
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
BankName
Variations
1
1
1
1
43
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
Variations
1
1
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
Variations
1
1
1
44
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
BankName
Variations
1
1
1
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
BankName
Variations
1
1
1
1
45
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AccountName
BankAdress
BankBranch
Variations
1
1
1
/finance/budgetagainstpreviousyear
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
46
/finance/budgetallocationandusage
CVSS
Base Score: 2.6
CWE
Parameter

CWE-352
Variations
/finance/budgetallocationandusage/
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
BudgetYear
Variations
1
47
/finance/budgetallocationandusage/budgetallocationandusageexcel
CVSS
Base Score: 5.0
CWE
Parameter
BudgetYear

CWE-200
Variations
1
/finance/budgetallocationandusage/budgetallocationandusageprint
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
BudgetYear
Variations
1
48
/finance/json/bankaccounts (6e57e52fb25f1aa27d063b6c42189ce6)
content.
Parameter
Variations
1
49
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
id
Variations
1
50
/finance/json/description (c002f292f84915c9792f54c0abc710d4)
content.
Parameter
Variations
1
/finance/json/fromaccountcode
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
51
/finance/json/fromaccountcode (6e57e52fb25f1aa27d063b6c42189ce6)
content.
Parameter
Variations
1
/finance/json/toaccountcode (6e57e52fb25f1aa27d063b6c42189ce6)
content.
Parameter
Variations
1
52
/finance/reportfinance/accountanalysis
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/finance/reportfinance/accountanalysisbysegment
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
53
/finance/reportfinance/aragingbyinvoice

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/finance/reportfinance/cashflow
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
54
/finance/reportfinance/chartofaccount

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/finance/reportfinance/customerlist
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
/finance/reportfinance/incomestatement
Variations
1
55

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/finance/reportfinance/incomestatementbyproject
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
/finance/reportfinance/supplierlist
Variations
1
56

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/finance/reportfinance/trialbalance
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/fleetmanagement/fleetsetupequipmentcategory/fleetsetupequipmentcategories_read
57

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/fleetmanagement/fleetsetupequipmentfuelstandard/fleetsetupequipmentfuelstandards_read
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/fleetmanagement/fleetsetupequipmentfueltype/fleetsetupequipmentfueltypes_read
58

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/fleetmanagement/fleetsetupequipmentmanufacturer/fleetsetupequipmentmanufacturers_read
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
filter
group
page
pageSize
sort
Variations
1
1
1
1
1
59
content.
Parameter
Variations
1
content.
Parameter
Variations
1
60
content.
Parameter
Variations
1
/fleetmanagement/fleetsetupequipmentname/fleetsetupequipmentnames_read
CVSS
Base Score: 5.0
CWE
Parameter

CWE-200
Variations
1
61
/fleetmanagement/fleetsetupequipmentstatus/fleetsetupequipmentstatus_read
CVSS
Base Score: 5.0
CWE
Parameter

CWE-200
Variations
1
62
CVSS
Base Score: 5.0
CWE
Parameter

CWE-200
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
filter
group
page
pageSize
sort
Variations
1
1
1
1
1
63
content.
Parameter
Variations
/fleetmanagement/fleetsetupinsurancetype/fleetsetupinsurancetypes_read
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
64
/fleetmanagement/fleetsetupmaintenancecenter/fleetsetupmaintenancecenters_read
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/fleetmanagement/fleetsetupoperatorposition/fleetsetupoperatorpositions_read
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
65
CVSS
Base Score: 5.0
CWE
CWE-200
Parameter
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
filter
group
page
pageSize
sort
Variations
1
1
1
1
1
66
content.

Parameter
Variations
1
67
/home/setculture
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Referer
Variations
1
Possible internal IP address disclosure

A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing
scheme of the internal network. This information can be used to conduct further attacks.
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
/hr/certificatesandletters
Variations
1
68

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
DisciplinayMeasureRank
Variations
1
69
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
70

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
Slow response time

CVSS
Base Score: 5.0
CWE

CWE-400
Parameter
Variations
1
71

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
72
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
73
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
74
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Measure
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
CreatedBy
CreatedOn
ExpireYear
Measure
Variations
1
1
1
1
1
1
1
1
75
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Measure
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
CreatedBy
CreatedOn
ExpireYear
Measure
Variations
1
1
1
1
1
1
1
76
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Measure
Variations
1

CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
CreatedBy
CreatedOn
ExpireYear
Variations
1
1
1
1
1
1
Measure
1
1
77
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Measure
Variations
1
CVSS
Base Score: 5.0
CWE
Parameter
Measure

CWE-200
Variations
1
78
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
IsClosed
Variations
1
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AppraisalPeriod
Variations
1
1
79
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AppraisalPeriod
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AppraisalPeriod
Variations
1
80
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AppraisalPeriod
Variations
1
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
AppraisalPeriod
Variations
1
81
/hr/upload
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/inventory/reportinventory/issueitem
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
82
/inventory/reportinventory/stockbalance
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/payroll/payrollreports/bonusincometaxreport

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
83
/payroll/payrollreports/monthlypensionreport
CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
/payroll/payrollreports/reportbycontributiontypelist

CVSS
Base Score: 2.6
CWE

CWE-352
Parameter
Variations
1
84
/procurement/reportprocurement
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
/procurement/reportprocurement/getlotdetails
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
85
/projectmanagement/projectestimationnames
Slow response time
CVSS
Base Score: 5.0
CWE

CWE-400
Parameter
Variations
1
/upload
CVSS
Base Score: 5.0
CWE

CWE-200
Parameter
Variations
1
86
Scanned items (coverage report)

http://192.168.1.3/
Vulnerabilities have been identified for this URL
56 input(s) found for this URL
Inputs
Input scheme 1
Input name
/
/
Input type
Path Fragment
Path Fragment
Input scheme 2
Input name
/
/
/
Input type
Path Fragment
Path Fragment
Path Fragment
Input scheme 3
Input name
/
/
/
/
Input type
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input scheme 4
Input name
-
Input type
Path Fragment
/
/
/
/
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input scheme 5
Input name
/
Input type
Path Fragment
Input scheme 6
Input name
/
/
/
/
Input type
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input scheme 7
Input name
/
/
Input type
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
87
/
/
Path Fragment
Path Fragment
Input scheme 8
Input name
/
/
/
/
Input type
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input scheme 9
Input name
/
/
/
/
Input scheme 10
Input name
Input type
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input type
Path Fragment
/
/
/
/
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Path Fragment
Input scheme 11
Input name
Host
Input type
HTTP Header
http://192.168.1.3/account
Inputs
Input scheme 1
Input name
SearchString
Input type
URL encoded POST
Input scheme 2
Input name
page
Input type
URL encoded GET
Input scheme 3
Input name
page
SearchString
Input type
URL encoded GET
URL encoded POST
88
http://192.168.1.3/account/login
Inputs
Input scheme 1
Input name
ReturnUrl
Input type
URL encoded GET
Input scheme 2
Input name
ReturnUrl
Password
UserName
Input type
URL encoded GET
URL encoded POST
URL encoded POST
URL encoded POST
Input scheme 3
Input name
Password
UserName
Input type
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/account/logoff
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/account/manage
No vulnerabilities have been identified for this URL
No input(s) found for this URL
http://192.168.1.3/account/delete
http://192.168.1.3/account/delete/bizuneh
http://192.168.1.3/account/delete/abeje
http://192.168.1.3/account/delete/admin
http://192.168.1.3/account/delete/abiyu

http://192.168.1.3/account/delete/meaza
http://192.168.1.3/account/delete/animaw
http://192.168.1.3/account/delete/abrham
http://192.168.1.3/account/delete/abeyus
http://192.168.1.3/account/delete/alemnew
http://192.168.1.3/account/delete/birhanu
http://192.168.1.3/account/delete/zelalem
89

Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/account/delete/enanu
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/account/delete/endalamaw
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/account/edit

http://192.168.1.3/account/edit/admin
http://192.168.1.3/account/edit/meaza
http://192.168.1.3/account/edit/abeje
http://192.168.1.3/account/edit/abiyu
http://192.168.1.3/account/edit/animaw
http://192.168.1.3/account/edit/abeyus
90
http://192.168.1.3/account/edit/abrham
http://192.168.1.3/account/edit/bizuneh
http://192.168.1.3/account/edit/birhanu
http://192.168.1.3/account/edit/alemnew
http://192.168.1.3/account/edit/zelalem
Inputs
Input scheme 1
Input name
Email
FirstName
LastName
UserName
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/account/edit/enanu
91
Inputs
Input scheme 1
Input name
Email
FirstName
LastName
UserName
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/account/edit/endalamaw
Inputs
Input scheme 1
Input name
Email
FirstName
LastName
UserName
http://192.168.1.3/account/usergroups
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST

http://192.168.1.3/account/usergroups/bizuneh
http://192.168.1.3/account/usergroups/abeje
http://192.168.1.3/account/usergroups/abiyu
http://192.168.1.3/account/usergroups/meaza
http://192.168.1.3/account/usergroups/admin
http://192.168.1.3/account/usergroups/abrham
http://192.168.1.3/account/usergroups/animaw
92
http://192.168.1.3/account/usergroups/birhanu
http://192.168.1.3/account/usergroups/abeyus
http://192.168.1.3/account/usergroups/alemnew
http://192.168.1.3/account/usergroups/zelalem
Inputs
Input scheme 1
Input name
Groups[0].GroupId
Input type
POST (multipart)
POST (multipart)
Groups[0].Selected
Groups[1].GroupId
Groups[1].Selected
Groups[2].GroupId
Groups[2].Selected
Groups[3].GroupId
Groups[3].Selected
Groups[4].GroupId
Groups[4].Selected
Groups[5].GroupId
Groups[5].Selected
Groups[6].GroupId
Groups[6].Selected
Groups[7].GroupId
Groups[7].Selected
Groups[8].GroupId
Groups[8].Selected
UserName
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
http://192.168.1.3/account/usergroups/endalamaw
Inputs
Input scheme 1
Input name
Groups[0].GroupId
Groups[0].Selected
Groups[1].GroupId
Groups[1].Selected
Groups[2].GroupId
Groups[2].Selected
Groups[3].GroupId
Input type
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)

Groups[3].Selected
Groups[4].GroupId
Groups[4].Selected
Groups[5].GroupId
Groups[5].Selected
Groups[6].GroupId
Groups[6].Selected
Groups[7].GroupId
Groups[7].Selected
Groups[8].GroupId
Groups[8].Selected
UserName
93
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
http://192.168.1.3/account/usergroups/enanu
Inputs
Input scheme 1
Input name
Input type
Groups[0].GroupId
Groups[0].Selected
Groups[1].GroupId
Groups[1].Selected
Groups[2].GroupId
Groups[2].Selected
Groups[3].GroupId
Groups[3].Selected
Groups[4].GroupId
Groups[4].Selected
Groups[5].GroupId
Groups[5].Selected
Groups[6].GroupId
Groups[6].Selected
Groups[7].GroupId
Groups[7].Selected
Groups[8].GroupId
Groups[8].Selected
UserName
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
POST (multipart)
http://192.168.1.3/account/userpermissions
http://192.168.1.3/account/userpermissions/bizuneh
http://192.168.1.3/account/userpermissions/meaza

http://192.168.1.3/account/userpermissions/animaw
http://192.168.1.3/account/userpermissions/birhanu
http://192.168.1.3/account/userpermissions/abeje
http://192.168.1.3/account/userpermissions/admin
http://192.168.1.3/account/userpermissions/abeyus
94
http://192.168.1.3/account/userpermissions/abrham
http://192.168.1.3/account/userpermissions/abiyu
http://192.168.1.3/account/userpermissions/alemnew
http://192.168.1.3/account/userpermissions/zelalem
http://192.168.1.3/account/userpermissions/endalamaw
http://192.168.1.3/account/userpermissions/enanu
http://192.168.1.3/account/register
Inputs
Input scheme 1
Input name
ConfirmPassword
Email
FirstName
LastName
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST

Password
UserName
http://192.168.1.3/content/
http://192.168.1.3/content/images/
http://192.168.1.3/content/ace/
http://192.168.1.3/content/ace/css/
95
URL encoded POST
URL encoded POST
http://192.168.1.3/content/ace/css/ace.min.css
http://192.168.1.3/content/ace/css/ace-rtl.min.css
http://192.168.1.3/content/ace/css/bootstrap.min.css
http://192.168.1.3/content/ace/css/images/
http://192.168.1.3/content/ace/fonts/
http://192.168.1.3/content/ace/fonts/fonts.googleapis.com.css
http://192.168.1.3/content/ace/font-awesome/
http://192.168.1.3/content/ace/font-awesome/4.2.0/
http://192.168.1.3/content/ace/font-awesome/4.2.0/css/

http://192.168.1.3/content/ace/font-awesome/4.2.0/css/font-awesome.min.css
http://192.168.1.3/content/ace/font-awesome/4.2.0/fonts/
http://192.168.1.3/content/ace/js/
http://192.168.1.3/content/ace/js/jquery.2.1.1.min.js
http://192.168.1.3/content/ace/js/ace-extra.min.js
96

http://192.168.1.3/content/ace/js/bootstrap.min.js
http://192.168.1.3/content/ace/js/jquery-ui.custom.min.js
http://192.168.1.3/content/ace/js/jquery.ui.touch-punch.min.js
http://192.168.1.3/content/ace/js/jquery.easypiechart.min.js
http://192.168.1.3/content/ace/js/jquery.sparkline.min.js
http://192.168.1.3/content/ace/js/jquery.flot.min.js
http://192.168.1.3/content/ace/js/jquery.flot.pie.min.js
http://192.168.1.3/content/ace/js/jquery.flot.resize.min.js
http://192.168.1.3/content/ace/js/ace-elements.min.js
http://192.168.1.3/content/ace/js/ace.min.js
http://192.168.1.3/content/exceedstyle.css
http://192.168.1.3/content/jqury-ui/
http://192.168.1.3/content/jqury-ui/jquery-ui.css
97
http://192.168.1.3/content/jqury-ui/jquery-ui.js
http://192.168.1.3/content/jqury-ui/images
http://192.168.1.3/content/jstree/
http://192.168.1.3/content/jstree/themes/
http://192.168.1.3/content/jstree/themes/default/
http://192.168.1.3/content/jstree/themes/default/style.min.css
http://192.168.1.3/content/jstree/jstree.min.js
http://192.168.1.3/content/kendo/
http://192.168.1.3/content/kendo/2016.1.112/
http://192.168.1.3/content/kendo/2016.1.112/kendo.dataviz.min.css
http://192.168.1.3/content/kendo/2016.1.112/kendo.bootstrap.min.css
http://192.168.1.3/content/kendo/2016.1.112/kendo.mobile.all.min.css
http://192.168.1.3/content/kendo/2016.1.112/kendo.common-bootstrap.min.css
http://192.168.1.3/content/kendo/2016.1.112/kendo.dataviz.bootstrap.min.css
98
http://192.168.1.3/content/kendo/2016.1.112/bootstrap/
http://192.168.1.3/content/kendo/2016.1.112/%23clip
http://192.168.1.3/content/kendo/2016.1.112/images/
http://192.168.1.3/content/kendo/2016.1.112/textures/
http://192.168.1.3/content/kendo/2016.1.112/fonts/
http://192.168.1.3/content/kendo/2016.1.112/fonts/dejavu/
http://192.168.1.3/content/kendo/2016.1.112/fonts/glyphs/
http://192.168.1.3/home
http://192.168.1.3/home/setculture
Inputs
Input scheme 1
Input name
culture
http://192.168.1.3/home/index
http://192.168.1.3/hr
http://192.168.1.3/hr/cosigns
http://192.168.1.3/hr/allowances
Input type
URL encoded POST
99

http://192.168.1.3/hr/ranks
http://192.168.1.3/hr/steps
http://192.168.1.3/hr/discipline
http://192.168.1.3/hr/leavetypes
http://192.168.1.3/hr/attendance
http://192.168.1.3/hr/orgcharts
http://192.168.1.3/hr/assignment
http://192.168.1.3/hr/orglocations
http://192.168.1.3/hr/teamjobtitles
http://192.168.1.3/hr/sexes
http://192.168.1.3/hr/regions
http://192.168.1.3/hr/nations
http://192.168.1.3/hr/religions
http://192.168.1.3/hr/fiscalyears
100

http://192.168.1.3/hr/persontitles
http://192.168.1.3/hr/nationalities
http://192.168.1.3/hr/mothertongues
http://192.168.1.3/hr/maritalstatus
http://192.168.1.3/hr/trainingcourses
http://192.168.1.3/hr/empleaveperiods
http://192.168.1.3/hr/incomingletters
http://192.168.1.3/hr/healthincidents
http://192.168.1.3/hr/orginformations
http://192.168.1.3/hr/empbscbehaviors
http://192.168.1.3/hr/publicdocuments
http://192.168.1.3/hr/salarystructures
http://192.168.1.3/hr/employmentstatus
101
http://192.168.1.3/hr/recruitmentplans
http://192.168.1.3/hr/educationalfields
http://192.168.1.3/hr/trainingproviders
http://192.168.1.3/hr/educationallevels
http://192.168.1.3/hr/outgoingletters
http://192.168.1.3/hr/upload
Inputs
Input scheme 1
Input name
File
Input type
POST (multipart)
http://192.168.1.3/hr/upload/download
http://192.168.1.3/hr/employeeprofiles
http://192.168.1.3/hr/sectionjobtitles
http://192.168.1.3/hr/divisionjobtitles
http://192.168.1.3/hr/terminationletters
http://192.168.1.3/hr/orgglobaljobtitles
http://192.168.1.3/hr/terminationreasons
102
http://192.168.1.3/hr/retirementlauncher
http://192.168.1.3/hr/reports
http://192.168.1.3/hr/reports/detailreports
http://192.168.1.3/hr/reports/summaryreports
http://192.168.1.3/hr/supportingdocuments
http://192.168.1.3/hr/transportallowances
http://192.168.1.3/hr/departmentjobtitles
http://192.168.1.3/hr/trainingapplications
http://192.168.1.3/hr/empbscappraisalperiods
http://192.168.1.3/hr/empbscappraisalperiods/edit
http://192.168.1.3/hr/empbscappraisalperiods/edit/5
Inputs
Input scheme 1
Input name
AppraisalPeriod
CreatedBy
CreatedOn
DayFrom
DayTo
EmpBSCAppraisalPeriodID
IsClosed
103
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
MonthFrom
MonthTo
YearFrom
YearTo
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AppraisalPeriod
CreatedBy
CreatedOn
DayFrom
DayTo
IsClosed
MonthFrom
MonthTo
YearFrom
YearTo
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AppraisalPeriod
CreatedBy
CreatedOn
DayFrom
DayTo
IsClosed
MonthFrom
MonthTo
YearFrom
YearTo
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
104
Inputs
Input scheme 1
Input name
AppraisalPeriod
Input type
URL encoded POST
URL encoded POST
CreatedBy
CreatedOn
DayFrom
DayTo
IsClosed
MonthFrom
MonthTo
YearFrom
YearTo
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AppraisalPeriod
CreatedBy
CreatedOn
DayFrom
DayTo
IsClosed
MonthFrom
MonthTo
YearFrom
YearTo
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/hr/empbscappraisalperiods/delete
http://192.168.1.3/hr/empbscappraisalperiods/delete/2
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
105
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/hr/empbscappraisalperiods/details
http://192.168.1.3/hr/empbscappraisalperiods/details/4
106
http://192.168.1.3/hr/empbscappraisalperiods/create
Inputs
Input scheme 1
Input name
Input type
AppraisalPeriod
DayFrom
DayTo
IsClosed
MonthFrom
MonthTo
YearFrom
YearTo
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/hr/retirementnotification
http://192.168.1.3/hr/empleavetakenslauncher
http://192.168.1.3/hr/trainingneedassesments
http://192.168.1.3/hr/empbscperformanceplans
http://192.168.1.3/hr/trainingreportbycourse
http://192.168.1.3/hr/addallowancetoemployees
http://192.168.1.3/hr/earlyretirementlauncher
http://192.168.1.3/hr/disciplinaymeasureranks
http://192.168.1.3/hr/disciplinaymeasureranks/edit
http://192.168.1.3/hr/disciplinaymeasureranks/edit/3
107
Inputs
Input scheme 1
Input name
CreatedBy
Input type
URL encoded POST
URL encoded POST
CreatedOn
URL encoded POST

URL encoded POST
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasureranks/edit/2
Inputs
Input scheme 1
Input name
CreatedBy
CreatedOn
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasureranks/delete
http://192.168.1.3/hr/disciplinaymeasureranks/delete/3
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasureranks/delete/2
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasureranks/details
http://192.168.1.3/hr/disciplinaymeasureranks/details/3
http://192.168.1.3/hr/disciplinaymeasureranks/details/2

http://192.168.1.3/hr/trainingcoursetrackings
108
http://192.168.1.3/hr/emppayrollnodaysworkeds
http://192.168.1.3/hr/employeerequisitionforms
http://192.168.1.3/hr/trainingreportbyemployee
http://192.168.1.3/hr/outsourcecompanyprofiles
http://192.168.1.3/hr/terminationotherslauncher
http://192.168.1.3/hr/empannualleaveusagereport
http://192.168.1.3/hr/outsourcecompanyworkeddays
http://192.168.1.3/hr/applicantprobationslauncher
http://192.168.1.3/hr/empbscperformanceevaluations
http://192.168.1.3/hr/contractemployeerequisitions
http://192.168.1.3/hr/disciplineemployeerecognition
http://192.168.1.3/hr/empannualleavepaidincashes
http://192.168.1.3/hr/annualleaveentitlementupdate
http://192.168.1.3/hr/empdisciplinayrecognitiontypes
109
http://192.168.1.3/hr/empannualleaveusagesingereport
http://192.168.1.3/hr/empannualleavetransferonebyones
http://192.168.1.3/hr/empterminationclearancelauncher
http://192.168.1.3/hr/outsourcecompanyworkeddaysreport
http://192.168.1.3/hr/recruitmentresultreportbyvacancy
http://192.168.1.3/hr/certificatesandletters
Inputs
Input scheme 1
Input name
choice
EmpFullName
EmpID
Input type
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/hr/certificatesandletters/experience
http://192.168.1.3/hr/certificatesandletters/certificate
http://192.168.1.3/hr/promotionandtransferapplicantlists
http://192.168.1.3/hr/empannualleaveentitlementviewmodels
http://192.168.1.3/hr/disciplinaymeasuretypes

http://192.168.1.3/hr/disciplinaymeasuretypes/edit
110

http://192.168.1.3/hr/disciplinaymeasuretypes/edit/9
Inputs
Input scheme 1
Input name
CreatedBy
CreatedOn
ExpireYear
Measure
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
CreatedBy
CreatedOn
ExpireYear
Measure
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
CreatedBy
CreatedOn
ExpireYear
Measure
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
111
Input name
CreatedBy
CreatedOn
ExpireYear
Measure
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
CreatedBy
CreatedOn
ExpireYear
Measure
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasuretypes/delete
http://192.168.1.3/hr/disciplinaymeasuretypes/delete/9
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
112
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
http://192.168.1.3/hr/disciplinaymeasuretypes/details
http://192.168.1.3/hr/disciplinaymeasuretypes/details/8
http://192.168.1.3/roles
http://192.168.1.3/groups
http://192.168.1.3/inventory
113
http://192.168.1.3/inventory/uoms
http://192.168.1.3/inventory/items
http://192.168.1.3/inventory/stores
http://192.168.1.3/inventory/issues
http://192.168.1.3/inventory/goodreceives
http://192.168.1.3/inventory/storereturns
http://192.168.1.3/inventory/itemcategories
http://192.168.1.3/inventory/itemtransfers
http://192.168.1.3/inventory/purchasereturns
http://192.168.1.3/inventory/stockadjustments
http://192.168.1.3/inventory/storerequisitions
http://192.168.1.3/inventory/purchaserequisitions
http://192.168.1.3/inventory/storeitemassignments
http://192.168.1.3/inventory/departmentcostcenters
114
http://192.168.1.3/inventory/reportinventory
http://192.168.1.3/inventory/reportinventory/issueitem
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/transferitem
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/stockbalance
Inputs
Input scheme 1
Input name
category
Input type
URL encoded POST
http://192.168.1.3/inventory/reportinventory/goodsreceive
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/adjustmentitem
Inputs
Input scheme 1
Input name
dt1
dt2
http://192.168.1.3/inventory/reportinventory/storereturnitem
Inputs
Input type
URL encoded POST
URL encoded POST

Input scheme 1
Input name
dt1
dt2
115
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/purchasereturnitem
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/storerequisitionitem
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/inventory/reportinventory/issueitemexcel
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/issueitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/transferitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
http://192.168.1.3/inventory/reportinventory/transferitemexcel
Input type
URL encoded GET
URL encoded GET

116
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/stockbalanceprint
Inputs
Input scheme 1
Input name
category
Input type
URL encoded GET
http://192.168.1.3/inventory/reportinventory/stockbalanceexcel
Inputs
Input scheme 1
Input name
category
Input type
URL encoded GET
http://192.168.1.3/inventory/reportinventory/goodsreceiveprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/goodsreceiveexcel
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/storereturnitemexcel
Inputs
Input scheme 1
Input name
dt1
dt2
http://192.168.1.3/inventory/reportinventory/storereturnitemprint
Input type
URL encoded GET
URL encoded GET

Inputs
Input scheme 1
Input name
dt1
dt2
117
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/adjustmentitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/adjustmentitemexcel
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/purchasereturnitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/purchasereturnitemexcel
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/storerequisitionitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/reportinventory/storerequisitionitemexcel
118
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/inventory/storekeeperassignments
http://192.168.1.3/globaluseraccesslogs
http://192.168.1.3/orgbranchusermappings
http://192.168.1.3/finance
http://192.168.1.3/finance/glledgerposting
http://192.168.1.3/finance/glrecordjournals
http://192.168.1.3/finance/arinvoices
http://192.168.1.3/finance/bankaccounts
http://192.168.1.3/finance/bankaccounts/edit
http://192.168.1.3/finance/bankaccounts/edit/14
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
Input type
URL encoded POST
URL encoded POST
URL encoded POST
AccountDesc
AccountName
AccountNumber
AccountUse
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST

BankAccountID
BankAdress
BankBranch
BankName
Status
119
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Inputs
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Input scheme 1
Input name
AccountCode
AccountControl
Input type
URL encoded POST
URL encoded POST
URL encoded POST

AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
120
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs

Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
121
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
122
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
BankAdress
BankBranch
BankName
Status
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
AccountCode
AccountControl
AccountDesc
AccountName
AccountNumber
AccountUse
BankAccountID
URL encoded POST

URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST

BankAdress
BankBranch
BankName
Status
123
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/bankaccounts/delete
http://192.168.1.3/finance/bankaccounts/delete/6
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
124
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Input type
URL encoded POST
Inputs
Input scheme 1
Input name

http://192.168.1.3/finance/bankaccounts/details
http://192.168.1.3/finance/bankaccounts/details/7
Input type
URL encoded POST
125
http://192.168.1.3/finance/budgetusages
126
http://192.168.1.3/finance/apsetupitems
http://192.168.1.3/finance/budgetdefines
http://192.168.1.3/finance/budgetmonthlies
http://192.168.1.3/finance/arcustomertypes
http://192.168.1.3/finance/arremitaddresses
http://192.168.1.3/finance/appaybleinvoices
http://192.168.1.3/finance/approcurementsuppliers
http://192.168.1.3/finance/budgetallocationandusage
Inputs
Input scheme 1
Input name
BudgetMonth
BudgetYear
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/budgetallocationandusage/budgetallocationandusageexcel
Inputs
Input scheme 1
Input name
BudgetMonth
BudgetYear
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/budgetallocationandusage/budgetallocationandusageprint
Inputs
Input scheme 1
Input name
BudgetMonth
BudgetYear
Input type
URL encoded GET
URL encoded GET
127
http://192.168.1.3/finance/reconciliationschedules
http://192.168.1.3/finance/reconcilationbankaccounts
http://192.168.1.3/finance/budgetagainstpreviousyear
Inputs
Input scheme 1
Input name
period
Input type
URL encoded POST
http://192.168.1.3/finance/budgetagainstpreviousyear/budgetyearlyprint
Inputs
Input scheme 1
Input name
period
Input type
URL encoded GET
http://192.168.1.3/finance/budgetagainstpreviousyear/budgetyearlyexcel
Inputs
Input scheme 1
Input name
period
http://192.168.1.3/finance/reconcilationbookaccounts
http://192.168.1.3/finance/arsetupreceiptbalanceaccounts
Input type
URL encoded GET
http://192.168.1.3/finance/arsetupproductserviceaccounts
http://192.168.1.3/finance/arcustomerprofiles
http://192.168.1.3/finance/gljournalcategoriers
128
http://192.168.1.3/finance/accountstransactions
Inputs
Input scheme 1
Input name
CategoryNames
EffectiveDates
JournalReferences
Period
Source
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
Input scheme 2
Input name
page
Input type
URL encoded GET
Input scheme 3
Input name
page
CategoryNames
EffectiveDates
JournalReferences
Period
Source
Input type
URL encoded GET
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/accountstransactions/details
http://192.168.1.3/finance/accountstransactions/details/1684

129
130
131

132

133
134
135

http://192.168.1.3/finance/accountstransactions/details/53105-1-00-000000
136

http://192.168.1.3/finance/accountstransactions/details/11350-1-00-ta0003
http://192.168.1.3/finance/accountstransactions/details/18000-1-00-ba0003
http://192.168.1.3/finance/accountstransactions/details/11110-1-00-ch0055
http://192.168.1.3/finance/accountstransactions/details/11110%20-1-00-ch0055
http://192.168.1.3/finance/accountstransactions/details/69050%20-1-00-000000
http://192.168.1.3/finance/accountstransactions/details/11110%20%c2%a0-1-00-ch0055
http://192.168.1.3/finance/accountstransactions/details/11130-1-00-rf0020
http://192.168.1.3/finance/accountstransactions/details/11140-1-00-cb0021
http://192.168.1.3/finance/accountstransactions/details/11140-1-00-cb0001
http://192.168.1.3/finance/accountstransactions/details/21370-1-00-tl0002
137
http://192.168.1.3/finance/accountstransactions/details/11140-1-00-cb0001%20%c2%a0
http://192.168.1.3/finance/accountstransactions/details/63120-1-fs-000000
http://192.168.1.3/finance/accountstransactions/details/11120-1-00-pc0006
http://192.168.1.3/finance/accountstransactions/details/12100-1-00-in0004
http://192.168.1.3/finance/accountstransactions/details/30030-1-00-3060gn
http://192.168.1.3/finance/accountstransactions/details/11110-1-00-ch0045
http://192.168.1.3/finance/accountstransactions/details/11320-1-00-y00125
138
http://192.168.1.3/finance/accountstransactions/details/11499-1-00-pi0000
http://192.168.1.3/finance/accountstransactions/details/11350-1-00-ta0001
http://192.168.1.3/finance/accountstransactions/details/11330-1-00-s00984
http://192.168.1.3/finance/arstandardcollections
http://192.168.1.3/finance/glchartofaccountaccounts
http://192.168.1.3/finance/glchartofaccountlocations
http://192.168.1.3/finance/armiscelaneouscollections
http://192.168.1.3/finance/glchartofaccountsubaccounts
http://192.168.1.3/finance/glchartofaccountcostcenters
http://192.168.1.3/finance/budgetagainstpreviousyearmonthly
139

Inputs
Input scheme 1
Input name
period
Input type
URL encoded POST
http://192.168.1.3/finance/budgetagainstpreviousyearmonthly/budgetmonthlyexcel
Inputs
Input scheme 1
Input name
period
Input type
URL encoded GET
http://192.168.1.3/finance/budgetagainstpreviousyearmonthly/budgetmonthlyprint
Inputs
Input scheme 1
Input name
period

http://192.168.1.3/finance/gltaxrates
http://192.168.1.3/finance/paymentterms
http://192.168.1.3/finance/glfiscalyears
http://192.168.1.3/finance/glcountrytypes
http://192.168.1.3/finance/paymentmethods
http://192.168.1.3/finance/glvatwithholdings
http://192.168.1.3/finance/finsetupcurrencies
http://192.168.1.3/finance/reportfinance
Input type
URL encoded GET
140

http://192.168.1.3/finance/reportfinance/cashflow
Inputs
Input scheme 1
Input name
branchCode
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/balancesheet
Inputs
Input scheme 1
Input name
branchCode
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/supplierlist
Inputs
Input scheme 1
Input name
businessType
supplierType
141
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/customerlist
Inputs
Input scheme 1
Input name
custype
Input type
URL encoded POST
Input scheme 2
Input name
page
Input type
URL encoded GET
Input scheme 3
Input name
custype
page
Input type
URL encoded GET
URL encoded GET
Input scheme 4
Input name
page
custype
Input type
URL encoded GET
URL encoded POST
Input scheme 5
Input name
Input type
custype
page
custype
URL encoded GET

URL encoded GET
URL encoded POST
http://192.168.1.3/finance/reportfinance/trialbalance
Inputs
Input scheme 1
Input name
Branch
dt1
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/chartofaccount
Inputs
Input scheme 1
Input name
Account
AccountType
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/accountanalysis
Inputs
Input scheme 1
Input name
Category
dt1
dt2
142
Input type
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/incomestatement
Inputs
Input scheme 1
Input name
branchCode
dt1
dt2
Input type
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/aragingbyinvoice
Inputs
Input scheme 1
Input name
agetype
http://192.168.1.3/finance/reportfinance/aragingbycustomer
Input type
URL encoded POST

Inputs
Input scheme 1
Input name
agetype
Input type
URL encoded POST
http://192.168.1.3/finance/reportfinance/accountanalysisbysegment
Inputs
Input scheme 1
Input name
acctFrom
acctTo
dt1
dt2
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/reportfinance/incomestatementbyproject
Inputs
Input scheme 1
Input name
costcenterCode
dt1
dt2
Input type
URL encoded POST
URL encoded POST
URL encoded POST
143
http://192.168.1.3/finance/reportfinance/chartofaccountexcel
Inputs
Input scheme 1
Input name
AccountType
Input type
URL encoded GET
Input scheme 2
Input name
Account
AccountType
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/reportfinance/accountanalysisexcel
http://192.168.1.3/finance/reportfinance/trialbalanceexcel
Inputs
Input scheme 1
Input name
CostCenter
dt1
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/reportfinance/trialbalanceprint
Inputs
Input scheme 1
Input name
CostCenter
dt1
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/reportfinance/incomestatementprint
Inputs
Input scheme 1
Input name
dt2
Input type
URL encoded GET
http://192.168.1.3/finance/reportfinance/customerlistexcel
Inputs
Input scheme 1
Input name
custype
Input type
URL encoded GET
144
http://192.168.1.3/finance/reportfinance/customerlistprint
Inputs
Input scheme 1
Input name
custype
Input type
URL encoded GET
http://192.168.1.3/finance/reportfinance/supplierlistexcel
Inputs
Input scheme 1
Input name
businessType
supplierType
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/reportfinance/supplierlistprint
Inputs
Input scheme 1
Input name
Input type
businessType
supplierType
URL encoded GET

URL encoded GET
http://192.168.1.3/finance/reportfinance/aragingbyinvoiceprint
Inputs
Input scheme 1
Input name
agetype
Input type
URL encoded GET
http://192.168.1.3/finance/reportfinance/aragingbyinvoiceexcel
Inputs
Input scheme 1
Input name
agetype
Input type
URL encoded GET
http://192.168.1.3/finance/reportfinance/aragingbycustomerprint
Inputs
Input scheme 1
Input name
agetype
Input type
URL encoded GET
145
http://192.168.1.3/finance/reportfinance/aragingbycustomerexcel
Inputs
Input scheme 1
Input name
agetype
Input type
URL encoded GET
http://192.168.1.3/finance/reportfinance/accountanalysisbysegmentexcel
http://192.168.1.3/finance/reportfinance/incomestatementbyprojectprint
Inputs
Input scheme 1
Input name
costcenterCode
dt2
http://192.168.1.3/finance/reportfinance/incomestatementbyprojectexcel
Input type
URL encoded GET
URL encoded GET

Inputs
Input scheme 1
Input name
costcenterCode
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/finance/finsetupcurrencyexchanges
http://192.168.1.3/finance/finsetupcashflowconfigurations
http://192.168.1.3/finance/json
http://192.168.1.3/finance/json/fromaccountcode
Inputs
Input scheme 1
Input name
Accounts
CostCenter
Location
SubAccount
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
146
http://192.168.1.3/finance/json/toaccountcode
Inputs
Input scheme 1
Input name
Accounts
CostCenter
Location
SubAccount
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/finance/json/description
Inputs
Input scheme 1
Input name
id
http://192.168.1.3/finance/json/bankaccounts
Input type
URL encoded POST
Inputs
Input scheme 1
Input name
Accounts
CostCenter
Location
SubAccount
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/userprofile
http://192.168.1.3/userprofile/mybranches
http://192.168.1.3/payroll
http://192.168.1.3/payroll/pensions
http://192.168.1.3/payroll/payrollbonus
http://192.168.1.3/payroll/payrollprocess
http://192.168.1.3/payroll/emppayrollloans
http://192.168.1.3/payroll/empcontributions
http://192.168.1.3/payroll/emppayrolladavances
http://192.168.1.3/payroll/emppayrolladditions
http://192.168.1.3/payroll/empfixedcontributions
http://192.168.1.3/payroll/emppayrolllabourunions
147
http://192.168.1.3/payroll/emppayrollovertimetwoes
http://192.168.1.3/payroll/emppayrollcalculatebonus
http://192.168.1.3/payroll/emppayrollcreditassociations
http://192.168.1.3/payroll/payrollpayslip
http://192.168.1.3/payroll/payrollreports
http://192.168.1.3/payroll/payrollreports/overtimehours
http://192.168.1.3/payroll/payrollreports/bonusbanksliplist
http://192.168.1.3/payroll/payrollreports/payrollbanksliplist
148
http://192.168.1.3/payroll/payrollreports/detailreport
http://192.168.1.3/payroll/payrollreports/summaryreport
http://192.168.1.3/payroll/payrollreports/monthlypensionreport
Inputs
Input scheme 1
Input name
period
http://192.168.1.3/payroll/payrollreports/bonusincometaxreport
Inputs
Input type
URL encoded POST
Input scheme 1
Input name
fyear
Input type
URL encoded POST
http://192.168.1.3/payroll/payrollreports/payrollbasicsalarylist
Inputs
Input scheme 1
Input name
page
Input type
URL encoded GET
http://192.168.1.3/payroll/payrollreports/monthlyincometaxreport
Inputs
Input scheme 1
Input name
period
Input type
URL encoded POST
http://192.168.1.3/payroll/payrollreports/reportbycontributiontypelist
Inputs
Input scheme 1
Input name
period
source
type
Input type
URL encoded POST
URL encoded POST
URL encoded POST
149
http://192.168.1.3/payroll/payrollreports/monthlylabourandcreditreport
Inputs
Input scheme 1
Input name
period
http://192.168.1.3/payroll/payrollreports/bonusincometaxreportprint
http://192.168.1.3/payroll/payrollreports/bonusincometaxreportexcel
http://192.168.1.3/payroll/payrollreports/monthlypensionreportprint
Input type
URL encoded POST
http://192.168.1.3/payroll/payrollreports/monthlypensionreportexcel
http://192.168.1.3/payroll/payrollreports/monthlyincometaxreportprint
http://192.168.1.3/payroll/payrollreports/monthlyincometaxreportexcel
http://192.168.1.3/payroll/payrollreports/payrollbasicsalarylistexcel
http://192.168.1.3/payroll/payrollreports/payrollbasicsalarylistprint
http://192.168.1.3/payroll/payrollreports/monthlylabourandcreditreportprint
http://192.168.1.3/payroll/payrollreports/monthlylabourandcreditreportexcel
http://192.168.1.3/payroll/payrollreports/reportbycontributiontypelistprint
http://192.168.1.3/payroll/payrollreports/reportbycontributiontypelistexcel
http://192.168.1.3/payroll/payrollperiods
http://192.168.1.3/payroll/overtimetypetwoes
http://192.168.1.3/payroll/payrollpaymentbanks
http://192.168.1.3/payroll/payrollemployeeaccounts
http://192.168.1.3/payroll/payrollcontributiontypes
150
http://192.168.1.3/payroll/payrollemployeebankaccounts
http://192.168.1.3/globalbranchsetups
http://192.168.1.3/fixedasset
http://192.168.1.3/fixedasset/fixedassetgroups
http://192.168.1.3/fixedasset/fixedassetdepreciationsetups
http://192.168.1.3/fixedasset/fixedassetclearingaccountsetups
http://192.168.1.3/fixedasset/usercards
http://192.168.1.3/fixedasset/fixedassetcategories
http://192.168.1.3/fixedasset/fixedassetsubcategories
http://192.168.1.3/fixedasset/fixedassetregistrations
http://192.168.1.3/scripts/
http://192.168.1.3/scripts/etp/
http://192.168.1.3/scripts/etp/jquery.calendars.picker.css
http://192.168.1.3/scripts/etp/jquery.plugin.js
151
http://192.168.1.3/scripts/etp/jquery.calendars.js
http://192.168.1.3/scripts/etp/jquery.calendars.plus.js
http://192.168.1.3/scripts/etp/jquery.calendars.picker.js
http://192.168.1.3/scripts/etp/jquery.calendars.ethiopian.js
http://192.168.1.3/scripts/etp/jquery.calendars.ethiopian-am.js
http://192.168.1.3/scripts/kendo/
http://192.168.1.3/scripts/kendo/2016.1.112/
http://192.168.1.3/scripts/kendo/2016.1.112/jquery.min.js
http://192.168.1.3/scripts/kendo/2016.1.112/jszip.min.js
http://192.168.1.3/scripts/kendo/2016.1.112/kendo.all.min.js
http://192.168.1.3/scripts/kendo/2016.1.112/kendo.aspnetmvc.min.js
http://192.168.1.3/scripts/kendo.modernizr.custom.js
http://192.168.1.3/scripts/jquery.unobtrusive-ajax.js
http://192.168.1.3/scripts/jquery.validate.min.js
152

http://192.168.1.3/scripts/jquery.validate.unobtrusive.js
http://192.168.1.3/scripts/js.cookie.js
http://192.168.1.3/scripts/matrixscript.js
http://192.168.1.3/scripts/matrixscript1.js
http://192.168.1.3/scripts/matrixcommon.js
http://192.168.1.3/scripts/selector.js
http://192.168.1.3/scripts/jquery-1.10.2.min.js
http://192.168.1.3/procurement
http://192.168.1.3/procurement/tenders
http://192.168.1.3/procurement/purchaseorders
http://192.168.1.3/procurement/itempriceindexes
http://192.168.1.3/procurement/procurementplans
http://192.168.1.3/procurement/purchasefollowups
http://192.168.1.3/procurement/proformapurchases
153

http://192.168.1.3/procurement/procurementsuppliers
http://192.168.1.3/procurement/procurementlcmanagements
http://192.168.1.3/procurement/procurementbankguarantees
http://192.168.1.3/procurement/procurementcpomanagements
http://192.168.1.3/procurement/reportprocurement
Inputs
Input scheme 1
Input name
page
Input type
URL encoded GET
http://192.168.1.3/procurement/reportprocurement/tenderreport
Inputs
Input scheme 1
Input name
SearchString
Input type
URL encoded POST
154
http://192.168.1.3/procurement/reportprocurement/purchaseorderitem
Inputs
Input scheme 1
Input name
dt1
dt2
http://192.168.1.3/procurement/reportprocurement/purchaserequisitionitem
Inputs
Input scheme 1
Input type
URL encoded POST
URL encoded POST
Input name
dt1
dt2
Input type
URL encoded POST
URL encoded POST
http://192.168.1.3/procurement/reportprocurement/tenderdetails
http://192.168.1.3/procurement/reportprocurement/tenderdetails/9
155
http://192.168.1.3/procurement/reportprocurement/purchaseorderitemexcel
Inputs
Input scheme 1
Input name
Input type
dt1
dt2
URL encoded GET

URL encoded GET
http://192.168.1.3/procurement/reportprocurement/purchaseorderitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/procurement/reportprocurement/purchaserequisitionitemexcel
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/procurement/reportprocurement/purchaserequisitionitemprint
Inputs
Input scheme 1
Input name
dt1
dt2
Input type
URL encoded GET
URL encoded GET
http://192.168.1.3/procurement/reportprocurement/getlotdetails
http://192.168.1.3/procurement/reportprocurement/getlotdetails/8

156

http://192.168.1.3/procurement/procurementcontractmanagements
Inputs
157
Input scheme 1
Input name
SearchString
Input type
URL encoded POST
http://192.168.1.3/procurement/procurementcontractmanagements/edit
http://192.168.1.3/procurement/procurementcontractmanagements/edit/4
http://192.168.1.3/procurement/procurementcontractmanagements/delete
http://192.168.1.3/procurement/procurementcontractmanagements/delete/7
http://192.168.1.3/procurement/procurementcontractmanagements/details
158
http://192.168.1.3/procurement/procurementcontractmanagements/details/7
http://192.168.1.3/procurement/procurementsuppliercategories
Inputs
Input scheme 1
Input name
SearchString
Input type
URL encoded POST
http://192.168.1.3/procurement/procurementsuppliercategories/edit
http://192.168.1.3/procurement/procurementsuppliercategories/edit/9
159
http://192.168.1.3/procurement/procurementsuppliercategories/delete
http://192.168.1.3/procurement/procurementsuppliercategories/delete/7
http://192.168.1.3/procurement/procurementsuppliercategories/details
http://192.168.1.3/procurement/procurementsuppliercategories/details/4
160

http://192.168.1.3/procurement/procurementannualneedassesments
Inputs
Input scheme 1
Input name
SearchString
Input type
URL encoded POST
Input scheme 2
Input name
page
Input type
URL encoded GET
http://192.168.1.3/procurement/procurementannualneedassesments/edit
http://192.168.1.3/procurement/procurementannualneedassesments/edit/13
161

http://192.168.1.3/procurement/procurementannualneedassesments/delete
http://192.168.1.3/procurement/procurementannualneedassesments/delete/14
http://192.168.1.3/procurement/procurementannualneedassesments/details
http://192.168.1.3/procurement/procurementannualneedassesments/details/13
162
http://192.168.1.3/globalorginformations
http://192.168.1.3/fleetmanagement
http://192.168.1.3/fleetmanagement/fleetsetuprepairtype
163
http://192.168.1.3/fleetmanagement/fleetsetuprepairtype/fleetsetuprepairtypes_read
Inputs
Input scheme 1
Input name
Input type
grid-mode
URL encoded GET
Input scheme 2
Input name
filter
group
page
pageSize
sort
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/fleetmanagement/fleetsetupequipmenttype
http://192.168.1.3/fleetmanagement/fleetsetupequipmenttype/fleetsetupequipmenttypes_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
Input scheme 2
Input name
filter
group
page
pageSize
sort
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/fleetmanagement/fleetsetupequipmentname
http://192.168.1.3/fleetmanagement/fleetsetupequipmentname/fleetsetupequipmentnames_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupinsurancetype

http://192.168.1.3/fleetmanagement/fleetsetupinsurancetype/fleetsetupinsurancetypes_read
Inputs
Input scheme 1
164
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupequipmentstatus
http://192.168.1.3/fleetmanagement/fleetsetupequipmentstatus/fleetsetupequipmentstatus_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupmaintenancecenter
http://192.168.1.3/fleetmanagement/fleetsetupmaintenancecenter/fleetsetupmaintenancecenters_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupoperatorposition
http://192.168.1.3/fleetmanagement/fleetsetupoperatorposition/fleetsetupoperatorpositions_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupequipmentfueltype
http://192.168.1.3/fleetmanagement/fleetsetupequipmentfueltype/fleetsetupequipmentfueltypes_read
Inputs
Input scheme 1
Input name
grid-mode
http://192.168.1.3/fleetmanagement/fleetequipmentregistrations
165
Input type
URL encoded GET

http://192.168.1.3/fleetmanagement/fleetsetupequipmentcategory
http://192.168.1.3/fleetmanagement/fleetsetupequipmentcategory/fleetsetupequipmentcategories_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
http://192.168.1.3/fleetmanagement/fleetsetupequipmentmanufacturer
http://192.168.1.3/fleetmanagement/fleetsetupequipmentmanufacturer/fleetsetupequipmentmanufacturers_read
Inputs
Input scheme 1
Input name
grid-mode
Input type
URL encoded GET
Input scheme 2
Input name
filter
group
page
pageSize
sort
Input type
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
URL encoded POST
http://192.168.1.3/fleetmanagement/fleetsetupequipmentfuelstandard
http://192.168.1.3/fleetmanagement/fleetsetupequipmentfuelstandard/fleetsetupequipmentfuelstandards_read
Inputs
Input scheme 1
Input name
grid-mode

http://192.168.1.3/projectmanagement
http://192.168.1.3/projectmanagement/projectestimationnames
Input type
URL encoded GET
166

http://192.168.1.3/fonts/
http://192.168.1.3/upload
167

Advanced Information Security Mid Exam

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Advanced Information Security Mid Exam

Hochgeladen von

Copyright:

Verfügbare Formate

Acunetix Website Audit

Web Application Security Consortium:

Generated by Acunetix WVS Reporter (v10.0 Build 20150707)

Web Application Security Consortium: Threat Classification

- Authentication: Brute Force (1.1)

- Cross-site Scripting (3.2)

Acunetix Website Audit

Compliance According to Categories: A Detailed Report

(1.1) Authentication: Brute Force

(1.2) Insufficient Authentication

(1.3) Weak Password Recovery Validation

(2.1) Credential/Session Prediction

(2.2) Insufficient Authorization

(2.3) Insufficient Session Expiration

Acunetix Website Audit

(2.4) Session Fixation

(3.1) Content Spoofing

(3.2) Cross-site Scripting

(4.1) Buffer Overflow

Acunetix Website Audit

(4.2) Format String Attack

(4.3) LDAP Injection

(4.5) SQL Injection

(4.6) SSI Injection

(4.7) XPath Injection

Acunetix Website Audit

(5.1) Directory Indexing

(5.2) Information Leakage

Base Score: 5.0

- Access Vector: Network

Application error message

Base Score: 5.0

- Access Vector: Network

Acunetix Website Audit

Affected parameter BankBranch

Acunetix Website Audit

Acunetix Website Audit

Base Score: 5.0

- Access Vector: Network

Base Score: 5.0

- Access Vector: Network

Acunetix Website Audit

Acunetix Website Audit

Acunetix Website Audit

Acunetix Website Audit

ASP.NET version disclosure

Base Score: 0.0

- Access Vector: Network

Acunetix Website Audit

Base Score: 5.0

- Access Vector: Network

Base Score: 0.0

- Access Vector: Network

Base Score: 0.0

Acunetix Website Audit

Base Score: 5.0

- Access Vector: Network

Base Score: 5.0

- Access Vector: Network

(5.3) Path Traversal

(5.4) Predictable Resource Location

(6.1) Abuse of Functionality

Base Score: 2.6

- Access Vector: Network