Web Application Assessment Report
Scan Name: Site: http://zero.webappsecurity.com/
Policy: Standard
Scan Date: 10/10/2016 1:19:47 PM
Scan Version: 16.10.463.10
Scan Type: Site
Crawl Sessions: 437
Vulnerabilities: 104
Scan Duration: 21 minutes : 27 seconds
Client: FF
Report Date: 10/10/2016
Critical Issues
Poor Error Handling: Unhandled Exception
Page:
http://zero.webappsecurity.com:80/account/
Request:
GET /account/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="551A58F3CAE8D76CCDEE29CAB920CF53";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10220"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="0dcb8edc-da07-4d15-8bb4-66a65d53899d";
X-Request-Memo: ID="50ed1642-dcbc-4d5c-8f13-cb22de7c9c32"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 10 Oct 2016 07:51:32 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 15269
...TRUNCATED...user lacks privilege or object not found: INDEX
at org.springframework.jdbc.support.SQLExceptionSubclassTranslator.doTranslate(SQLExceptionSubclassTranslator.java:95)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:407)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:456)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:464)
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:472)
at com.hp.webinspect.zero.dao.impl.AccountDaoImpl.get(AccountDaoImpl.java:36)
at com.hp.webinspect.zero.service.impl.AccountServiceImpl.get(AccountServiceImpl.java:38)
at com.hp.webinspect.zero.web.controller.MobileApiController.findAccountById(MobileApiController.java:55)
at sun.reflect.GeneratedMethodAccessor221.invok...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/faq.html?question=1%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%34%38%36%37%29%3c%2f%73%43%72%49%70%54%3e
Request:
GET /faq.html?question=1%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%34%38%36%37%29%3c%2f%73%43%72%49%70%54%3e HTTP/1.1
Referer: http://zero.webappsecurity.com/faq.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4FB1346EF67099BEF821A6F9B62A60B6";
PSID="BA7F9A211020B77EBF4F706FEDC87676"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="2";
AttackParamDesc="question"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="1%253c%2573%2543%2572%2549%
2570%2554%253e%2561%256c%2565%2572%2574%2528%2537%2534%2538%2536%2537%2529%253c%252f%2573%
2543%2572%2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="104"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="4cd3f72c-6ab8-4d08-ad79-ecb66ce35210";
X-Request-Memo: ID="84984235-c28a-4473-8e0a-433b908b1116"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=293AB9C7
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:03:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Length: 7779
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - FAQ - Frequently Asked Questions</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
</div>
</div>
</div>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="offset2 span8">
<div class="row">
<div class="page-header">
<h3>Frequently Asked Questions</h3>
</div>
</div>
<div class="row">
<ol class="questions">
<li><a href="/faq.html?question=1">How can I edit my profile?</a></li>
<li><a href="/faq.html?question=2">How can I review my transaction history?</a></li>
</ol>
<hr/>
</div>
<div id="question1" class="row">
<div class="span1">
<div class="number">1</div>
</div>
<div class="span7">
<h4>How can I edit my profile?</h4>
</div>
</div>
<div class="row">
<div class="offset1 span7">
<p>
<ol>
<li>From any page, click your user name which appears at the top right corner of the site.</li>
<li>From the dropdown menu that displays, click My Profile.</li>
<li>Edit your profile.</li>
</ol>
</p>
</div>
</div>
<div id="question2" class="row">
<div class="span1">
<div class="number">2</div>
</div>
<div class="span7">
<h4>How can I review my transaction history?</h4>
</div>
</div>
<div class="row">
<div class="offset1 span7">
<p>
<ol>
<li>Click Account Activity.</li>
<li>Click the Show Transactions tab to view your most recent transactions.</li>
<li>Click the Find Transactions tab to show transactions by a date range.</li>
</ol>
</p>
</div>
</div>
</div>
</div>
<span id="current_question" class="hide"></span>
<script type="text/javascript">
function getParameterByName(name) {
var regex = new RegExp("\\?.*?=(.*)$");
var results = r
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/search.html?searchTerm=12345%3c%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e%61%6c%65%72%74%28%32%31%37%38%38%29%3c%2f%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e
Request:
GET /search.html?searchTerm=12345%3c%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e%61%6c%65%72%74%28%32%31%37%38%38%29%3c%2f%73%43%72%3c%53%63%52%69%50%74%3e%49%70%54%3e HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="1C7CFA469492EFFD5F19DF3B53A3FE01";
PSID="4FB1E28C3A3C661502F583F3EA8F6277"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002";
AttackSequence="12"; AttackParamDesc="searchTerm"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="12345%253c%2573%2543%2572%253c%
2553%2563%2552%2569%2550%2574%253e%2549%2570%2554%253e%2561%256c%2565%2572%2574%2528%2532%
2531%2537%2538%2538%2529%253c%252f%2573%2543%2572%253c%2553%2563%2552%2569%2550%2574%253e%
2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="108"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="ae8c26a7-0222-4493-aa43-7b5efc44973d";
X-Request-Memo: ID="8ac4544f-949f-45c9-bfd2-5ad0448aa9db"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:55:15 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Length: 7739
...TRUNCATED...No results were found for the query: 12345<sCrIpT>alert(21788)</sCrIpT>
</div>
</div>
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/sendFeedback.html
Request:
POST /sendFeedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/feedback.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="95C1FE21147002AFF09A188D192C8D0D";
PSID="A8191E30A6A6D05B7ECBC975A580DB55"; SessionType="AuditAttack"; CrawlType="None";
AttackType="PostParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="34";
AttackParamDesc="name"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105";
Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="%253c%2561%2520%2548%2572%
2545%2566%253d%254a%2561%2556%2561%2553%2563%2552%2569%2550%2574%253a%2561%256c%2565%2572%
2574%2528%2538%2537%2532%2538%2537%2529%253e"; AttackStringProps="Attack"; ThreadId="107";
ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="077f7850-8a1b-40b5-a5cf-0c3975c7f8f7";
X-Request-Memo: ID="5e7588aa-3fb4-4b6d-aeab-d98f12c94f81"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=3FF9E851
name=%3c%61%20%48%72%45%66%3d%4a%61%56%61%53%63%52%69%50%74%3a%61%6c%65%72%74%28%38%37%32%38%37%29%3e&email=John.Doe%40somewhere.com&subject=12345&comment=12345&submit=Send%20Message
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:58:06 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=38
Connection: Keep-Alive
Content-Length: 6674
...TRUNCATED.../div>
Thank you for your comments, <a HrEf=JaVaScRiPt:alert(87287)>.
They will be reviewed by our Custom...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/users.html
Request:
GET /admin/users.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="810BCB46E8C09C737ECDC561083681F4";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="7916c964-49d2-4e52-a3d3-5fc08c602847";
X-Request-Memo: ID="3811efb9-c4e3-4c9a-a336-fae774879fd7"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=400B9B5C
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Length: 10793
...TRUNCATED...
<td>
536-48-3769
</td>
...TRUNCATED...
<td>
607-58-7435
</td>
...TRUNCATED...
<td>
247-54-1719
</td>
...TRUNCATED...
<td>
578-13-3713
</td>
...TRUNCATED...
<td>
449-20-3206
</td>
...TRUNCATED...
<td>
008-70-6738
</td>
...TRUNCATED...
<td>
574-56-1932
</td>
...TRUNCATED...
<td>
330-58-4012f1
</td>
...TRUNCATED...
High Issues
Web Server Misconfiguration: Unprotected File
Page:
http://zero.webappsecurity.com:80/server-status
Request:
GET /server-status HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="AFEDDE4F98762A991CD0720E24021F4B";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="63a283c6-6b75-41e3-b0c2-d7b0821c2902"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="157"; Engine="Fixed"; SmartMode="ServerSpecificOnly";
ThreadId="93"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="adb6c8a9-3ecc-4eed-9292-e3eb93b4a94c";
X-Request-Memo: ID="dcce354f-9cf5-4f16-8690-e9fd962794d1"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:09:39 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=UTF-8
Content-Length: 5523
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
...TRUNCATED...>Apache Status</title>
</head><body>
<h1>Apache Server Status for localhost</h1>
<dl><dt>Server Version: Apache/...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/faq.html.bak
Request:
Page:
http://zero.webappsecurity.com:80/index.html.old
Request:
GET /index.html.old HTTP/1.1
Referer: http://zero.webappsecurity.com/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="7CA1E733E893A17324796A1F09B96499";
PSID="8E73B3A63EFE2AADE20745A947151EB3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="aabf09b7-996e-479e-9ecc-9f0508d42d72"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="709"; Engine="File+Extension+Addition";
SmartMode="NonServerSpecificOnly"; ThreadId="102"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="9c53cb15-2bae-477f-804f-b08e1874e1b3";
X-Request-Memo: ID="c1a4a9c0-91f0-4e42-8e01-c112a269809f"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:48 GMT
Server: ...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/debug.txt
Request:
GET /debug.txt HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="29FFCB3633642C14ECBEB7D48BC76BC9";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="1368"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="eef16f07-aaef-4645-902f-44780fdf1682";
Page:
http://zero.webappsecurity.com:80/index.old
Request:
GET /index.old HTTP/1.1
Referer: http://zero.webappsecurity.com/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="6A2893E020A3F2C8D52B2408615E4102";
PSID="8E73B3A63EFE2AADE20745A947151EB3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="9d2b8591-9dbe-4085-bc79-15aeab89cc57"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="2083"; Engine="File+Extension+Replacement";
SmartMode="ServerSpecificOnly"; ThreadId="103"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="9a50dde0-6715-4c0a-95f2-031c05a03acd";
X-Request-Memo: ID="42a2d660-c2d6-4aa6-9137-dde3b5991302"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=943C3A6B
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:09:40 GMT
Server: ...TRUNCATED...
Insecure Transport
Page:
http://zero.webappsecurity.com:80/login.html
Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7303
...TRUNCATED... </div>
<form id="login_form" action="/signin.html" method="post" class="form-horizontal">
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/forgot-password.html
Request:
GET /forgot-password.html HTTP/1.1
Referer: http://zero.webappsecurity.com/login.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="35CF74765A8B6CFE70D16739EA0E6BFF";
PSID="37A656705626B4D1D64F6BFA191C2A08"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1bb49c48-30c0-4105-bc0f-17075fe9b329";
X-Request-Memo: ID="1c38d3f2-e914-4b49-add0-ec54a3a063e3"; sc="2"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6246
...TRUNCATED...
<form id="send_password_form" action="/forgotten-password-send.html" method="post"
class="form-hor...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/manager/html
Request:
GET /manager/html HTTP/1.1
Host: zero.webappsecurity.com
Referer: http://zero.webappsecurity.com:80/manager/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-RequestManager-Memo: Category="StateRequestor.Redirect"; TriggerID="ef3f998d-8124-4e90-b4b3-f9a91d1f6a3b"; sid="53";
smi="0"; sc="1"; ID="7a2b8d86-2551-4b54-8b44-9c6cf1856fd3";
X-Request-Memo: ID="a8959cac-20d1-40af-889e-9553f5e18bee"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 401 Unauthorized
Date: Mon, 10 Oct 2016 07:51:12 GMT
Page:
http://zero.webappsecurity.com:80/forgot-password.html
Request:
GET /forgot-password.html HTTP/1.1
Referer: http://zero.webappsecurity.com/login.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="35CF74765A8B6CFE70D16739EA0E6BFF";
PSID="37A656705626B4D1D64F6BFA191C2A08"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1bb49c48-30c0-4105-bc0f-17075fe9b329";
X-Request-Memo: ID="1c38d3f2-e914-4b49-add0-ec54a3a063e3"; sc="2"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6246
...TRUNCATED...
<form id="send_password_form" action="/forgotten-password-send.html" method="post"
class="form-hor...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/login.html
Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Cross-Frame Scripting
Page:
http://zero.webappsecurity.com:80/login.html
Request:
GET /login.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="37A656705626B4D1D64F6BFA191C2A08";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="281"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="43195029-31fc-44c5-af10-bee590481d2f";
X-Request-Memo: ID="8b6aca79-af50-417a-a722-ce1ee8309b42"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7303
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Log in</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
</div>
</div>
</div>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="offset3 span6">
<div class="page-header">
<h3>Log in to ZeroBank</h3>
</div>
<form id="login_form" action="/signin.html" method="post" class="form-horizontal">
<div class="form-inputs">
<div class="control-group">
<label class="control-label" for="user_login">Login</label>
<div class="controls">
<input type="text" id="user_login" name="user_login" tabindex="1" autocomplete="off"/>
<i id="credentials" class="icon-question-sign" style="padding-left: 5px"></i>
</div>
</div>
<div class="control-group">
<label class="control-label" for="user_password">Password</label>
<div class="controls">
<input type="password" id="user_password" name="user_password" tabindex="2" autocomplete="off"/>
</div>
</div>
<div class="control-group">
<label class="control-label" for="user_remember_me">Keep me signed in</label>
<div class="controls">
<input type="checkbox" id="user_remember_me" name="user_remember_me" tabindex="3"/>
</div>
</div>
</div>
<div class="form-actions">
<input type="submit" name="submit" value="Sign in"
class="btn btn-primary" tabindex="4"/>
</div>
</form>
<a href="/forgot-password.html" tabindex="5">Forgot your password ?</a>
</div>
</div>
<script type="text/javascript">
$(function () {
$("#user_login").focus();
$("#credentials").tooltip({'trigger':'hover', 'title': 'Login/Password - username/password', placement : 'right'});
$("#login_form").submit(function(event) {
$(this).append('<input type="hidden" name="user_token" value="0fb2e347-fb59-4fb7-b6dc-40a1cc5acf76"/>');
});
});
</script>
</div>
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/search.html?searchTerm=${5914%2b2593}
Request:
GET /search.html?searchTerm=${5914%2b2593} HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="80D1BCF5623CAAD9D1B2249893BE5591";
PSID="4FB1E28C3A3C661502F583F3EA8F6277"; SessionType="AuditAttack"; CrawlType="None";
AttackType="QueryParamManipulation"; OriginatingEngineID="d000c3f8-c0fa-4862-8097-613ac7b063fc"; AttackSequence="0";
AttackParamDesc="searchTerm"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="11310";
Engine="Expression+Language+Injection"; SmartMode="NonServerSpecificOnly"; AttackString="%24%7b5914%252b2593%7d";
AttackStringProps="Attack"; ThreadId="104"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="a721a744-6ef4-40d9-b1ee-1a6d5b22d327";
X-Request-Memo: ID="3aef1eda-bcd3-41d8-8dbc-121ca3149c17"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:50 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Length: 7709
...TRUNCATED...s:</h2>
No results were found for the query: 8507
</div>
</div>
<d...TRUNCATED...
Medium Issues
Web Server Misconfiguration: Directory Listing
Page:
http://zero.webappsecurity.com:80/errors/
Request:
GET /errors/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="BB23AC8A7B9C89C3DE9576C0FEACCA3F";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="80f80983-ecf1-439a-863c-27a58b849768";
X-Request-Memo: ID="2d21df20-9bb0-436e-a9b2-bb11433be3dd"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Report Date: 10/10/2016
Date: Mon, 10 Oct 2016 07:51:17 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=UTF-8
Content-Length: 1384
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
<html>
<head>
<title>Directory Listing For /errors/</title>
<STYLE><!--H1 {font-family:...TRUNCATED...s-serif;color:white;background-color:#525D76;font-size:22px;} H2 {fontfamily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sansserif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;...TRUNCATED...rial,sans
-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></STYLE>
</head>
<body><h1>Directory Listing For /errors/ - <a href="/"><b>Up To /</b></a></h1><HR size="1" noshade="noshade"><table
width="100%" cellspa...TRUNCATED..."5" align="center">
<tr>
<td align="left"><font size="+1"><strong>Filename</strong></font></td>
<td align="center"><font size="+1"><strong>Size</strong></font></td>
<td align="right"><font siz...TRUNCATED...
description
http://zero.webappsecurity.com:80/admin/WS_FTP.LOG
Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28
10.1.1.233 10:28
10.1.1.233 08:34
blondbkgB.jpeg
10.1.1.233 08:34
boston.htm
10.1.1.233 08:34
choices.html
10.1.1.233 08:34
concbkg.jpeg
10.1.1.233 08:34
10.1.1.233 08:34
10.1.1.231 13:47
description
http://zero.webappsecurity.com:80/forgotten-password-send.html
Request:
POST /forgotten-password-send.html HTTP/1.1
Referer: http://zero.webappsecurity.com/forgot-password.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="3CCA0F0168FF9A4F25516C3DEC652FEB";
PSID="92B4961E57F2D1571E4CFED9894AA305"; SessionType="AuditAttack"; CrawlType="None";
AttackType="PostParamManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="20";
AttackParamDesc="email"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5105"; Engine="Cross+Site+Scripting";
SmartMode="NonServerSpecificOnly"; AttackString="John.Doe%2540somewhere.com%253c%2569%2546%2572%2541%
256d%2545%2520%2573%2552%2563%253d%2578%2553%2572%2546%2574%2545%2573%2554%252e%2573%2550%
2569%253e%253c%252f%2569%2546%2572%2541%256d%2545%253e"; AttackStringProps="Attack"; ThreadId="108";
ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="d20250ee-376e-4a1f-b945-e8cb9e81fb4d";
X-Request-Memo: ID="02d55fa9-b114-421f-93f2-90fd3d61ac52"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=2313C6AC
email=John.Doe%40somewhere.com%3c%69%46%72%41%6d%45%20%73%52%63%3d%78%53%72%46%74%45%73%
54%2e%73%50%69%3e%3c%2f%69%46%72%41%6d%45%3e&submit=Send%20Password
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:04:03 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=39
Connection: Keep-Alive
Content-Length: 5424
...TRUNCATED...ent to the following email: John.Doe@somewhere.com<iFrAmE sRc=xSrFtEsT.sPi></iFrAmE>
</div>
</div>
</div>
...TRUNCATED...
description
http://zero.webappsecurity.com:80/include/common.inc
Request:
GET /include/common.inc HTTP/1.1
Referer: http://zero.webappsecurity.com/include/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="E9A0C85302073DA2F971AC2732F2201A";
PSID="B575CF6508C02A80B46DA672DF270F32"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="16"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10365"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="94"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="6d629b1a-f9c1-4935-a806-1729e5cb959f";
X-Request-Memo: ID="60a641cb-d625-4f41-a37e-c6775261712e"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:31 GMT
Server: ...TRUNCATED...
description
http://zero.webappsecurity.com:80/
Request:
<script>alert(097531)</script> / HTTP/1.1
Content-Length:0
Content-Length:0
Content-Length:0
Host: zero.webappsecurity.com
Response:
HTTP/1.1 413 Request Entity Too Large
Date: Mon, 10 Oct 2016 08:09:38 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 912
...TRUNCATED...rce<br />/<br />
does not allow request data with <script>alert(097531)</script> requests, or the amount of data provided in
the r...TRUNCATED...
Cross-Frame Scripting
Page:
description
http://zero.webappsecurity.com:80/
Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...
Low Issues
Poor Error Handling: Unhandled Exception
Page:
description
http://zero.webappsecurity.com:80/docs/virtual-hosting-howto.html
Request:
GET /docs/virtual-hosting-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="3789B0DC3DE1119CE46D7BC7A2B69DBC";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="bd1a6393-365a-479d-966d-22e24f2f6476";
X-Request-Memo: ID="8e38588a-e473-42d5-b44f-cc6bfd7eea96"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:30 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"15437-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 15437
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED.../images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0"
width="100%"...TRUNCATED...GI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans
-descriptor-howto.html"...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/security-howto.html
Request:
GET /docs/security-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1F194499C7D4146D9EC2FB6CA4EFA71D";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="962ff1a4-3801-4c80-89fc-8212643d4c18";
X-Request-Memo: ID="b52d7f9d-48f3-4710-be89-310ea147fa02"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:34 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"41066-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 41066
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...g
multiple untrusted web applications, it is recommended that each web
application is deployed to a separa...TRUNCATED...tens on for connections. By default, the
connector listens on all configured IP addresses.</p>
<p>Th...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/class-loader-howto.html
Request:
GET /docs/class-loader-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="3F9DBBAE2124F08F05A08341DB70E15C";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="053e3966-f932-4d26-b649-7c3256fb9f9e";
X-Request-Memo: ID="5c28cf4c-7c3c-44cf-982e-9ebadffdae81"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21196-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21196
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED.../a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a
href="logging.html">22) Logging</...TRUNCATED...ual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><
li><a href="extras.html">26) Additional Components...TRUNCATED...zed</a></li><li><a href="security-howto.html">28)
Security Considerations</a></li><li><a href="windows-service-howto.html">29) Windows
Service</a></l...TRUNCATED...uration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a
href="servletapi/index.html">Servlet...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/realm-howto.html
Request:
GET /docs/realm-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1ECABF8131D9FB74C4F25E6F3BB95533";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1a2ace84-1955-4345-a9e8-fadc02fda9ec";
X-Request-Memo: ID="642ab42b-ae55-4a13-8cf5-90b8052483f9"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"67464-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 67464
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...der="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff"
face="arial,helvetica.sa...TRUNCATED...ix-like operating
systems, because access to specific web application resources is granted to
all users posses...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/manager-howto.html
Request:
GET /docs/manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="112FD5EEB1B0EC04177727EFB7E63F42";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed87c790-51f7-4bb6-9c73-d612e6966286";
X-Request-Memo: ID="fd6d5ffc-7fab-4458-b31d-4099a01505a6"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"81539-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 81539
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
...TRUNCATED...><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="List Available
Global JNDI "><!--()--></a><a name="List_Available_Global_JNDI_Resources"><strong>List Available Global JNDI
Resources</stron...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/setup.html
Request:
GET /docs/setup.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="78FB38A8ACEF0C9A4046CDBADE8ACEE3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="91b98c3c-237d-473b-8586-34c28e1bfeba";
X-Request-Memo: ID="c2970dac-7f3e-47e3-a790-2df24e913f0a"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"15892-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 15892
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...<li><a href="jspapi/index.html">JSP 2.2 Javadocs</a></li><li><a href="elapi/index.html">EL 2.2 Javadocs</
a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javadocs</a></li>...TRUNCATED...li><a
href="#Windows">Windows</a></li><li><a href="#Unix_daemon">Unix daemon</a></li></ul>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/security-manager-howto.html
Request:
GET /docs/security-manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="7E424F7BB5A58C5B289CFF0AA76BF8D9";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c787cd9b-10e4-436b-994a-29b9197c970a";
X-Request-Memo: ID="28cbc89a-d72e-43ae-a354-dae1fb465bc8"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
http://zero.webappsecurity.com:80/docs/ssl-howto.html
Request:
GET /docs/ssl-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="6C5A14E2FD330A1E50DE39A279EC7702";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="8b14e1f3-1e24-45b1-a860-eef9e3b561bc";
X-Request-Memo: ID="1808214a-2501-47fe-bb85-9c1c9edf6156"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"39773-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 39773
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
...TRUNCATED...3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="managerhowto.html">5...TRUNCATED...cessing.
This is a two-way process, meaning that both the server AND the browser encrypt
all traffic before se...TRUNCATED...-to-business (B2B) transactions than with individual
users. Most SSL-enabled web servers do not request Client...TRUNCATED...ding="2"><tr><td bgcolor="#828DA6"><font
color="#ffffff" face="arial,helvetica.sanserif"><a name="Prepare the Certificate Keystore"><!--()--></a><a
name="Prepare_the_Certifica...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/listeners.html
Request:
GET /docs/config/listeners.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="696E82F0D0DB9E2D37764BFE766D74AE";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b2a89a24-3bdf-406a-8fb4-51431fde34cb";
X-Request-Memo: ID="455c0f28-12af-4d34-b488-f28ad4437f21"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:24 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"42468-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 42468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...>
<p>Entropy source used to seed the SSLEngine's PRNG. The default value
is <code>builtin</code>. ...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/context.html
Request:
GET /docs/config/context.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/manager-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4C8E34E8231AA22138A4F8CA57DA7F61";
PSID="112FD5EEB1B0EC04177727EFB7E63F42"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="cfb07bb6-870f-4813-8e5b-89dcc70b8b36";
X-Request-Memo: ID="bc0b0aa9-c3d8-46be-ba39-799ba3075213"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"95631-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 95631
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...ty checks, allowing JSP source code
disclosure, among other security problems.</b></p>
</td></tr><tr><td align="left" valign="center"><code class="attributeName">antiJARLocking</code></td><td align="left"
valign="center">
<p>If true, the Tomcat classloader will take extra measures to avoid
JAR file locking when resources are accessed inside JARs through URLs.
This will impact startup time of applications, but could prove t...TRUNCATED....</p>
</td></tr><tr><td align="left" valign="center"><code class="attributeName">antiResourceLocking</code></td><td
align="left" valign="center">
<p>If true, Tomcat will prevent any file locking. This will significantly impact startup time of applications,
http://zero.webappsecurity.com:80/docs/jasper-howto.html
Request:
GET /docs/jasper-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C33DFBBAD4C4088E60F854AC44EDE617";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="f5fad4c3-fd67-44ff-9cd8-fe03c78a5797";
X-Request-Memo: ID="4eb42312-d1aa-4164-a322-d729a5f3a7cb"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27136-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27136
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED...e generated files
compatible with? (Default value: <code>1.6</code>)</li>
<li><strong>development</strong> - ...TRUNCATED...ue
an error when the value of the class attribute in an useBean action is not a
valid bean class? <code>tr...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/appdev/processes.html
Request:
GET /docs/appdev/processes.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="BFD4ECE108385B7050A05A6791AC2819";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d8415a51-6032-4553-9d5c-b56bfd9b2a36";
X-Request-Memo: ID="61ea2d41-be5e-4caf-8271-147f6154941e"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:10 GMT
http://zero.webappsecurity.com:80/docs/logging.html
Request:
GET /docs/logging.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B03E0419F5D635D0EAC6624B1D254B23";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4c6c0e3b-6350-4a20-9486-d19b4b40b26d";
X-Request-Memo: ID="142269d1-b4e6-4e49-bf25-f487cfb9ae2a"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:29 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"38261-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 38261
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
...TRUNCATED...umentation in the JDK for the complete details:
</p>
<div class="codeBox"><pre><code>org.apache.catalina....TRUNCATED... prefix may be added to handler names, so that mul
tiple handlers of a
single class may be instantiated. ...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/monitoring.html
Request:
GET /docs/monitoring.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9F4C1B8B0854C98B23B22FEFF5F16E61";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c69bb0a8-b200-4d4b-a76a-8186f40f5309";
X-Request-Memo: ID="6ed9ecad-77f1-4afc-bc52-ca3ee97dbdcf"; sc="1"; ThreadId="97";
http://zero.webappsecurity.com:80/docs/cluster-howto.html
Request:
GET /docs/cluster-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9099B5738BA56B5A5A2C4CBE80AD5F64";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="aa9fb7e0-1fb2-4905-9e2b-b47e24b9319f";
X-Request-Memo: ID="2a21be90-ee76-4e51-8388-670e0e99fd6f"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"49037-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 49037
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
...TRUNCATED... href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><...TRUNCATED...ie, so your URL must look the same from the outside otherwise, a new session will be created.</p>
<p>Note: Clustering support currently requires the JDK vers...TRUNCATED... Remember, if you are adding your own valves or cluster listeners in server.xml then the defaults are no longer valid,
make sure that you add in all the appro...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/building.html
Request:
GET /docs/building.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="92BF4760E2D0FDCA4ABB18FC0B743B5E";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4fede3ba-e46c-473f-8253-ef124324ef8f";
X-Request-Memo: ID="93076e7c-a2b4-4b9a-bfb5-cd5b632a4b75"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21672-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21672
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...<li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javado...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/resources.html
Request:
GET /docs/config/resources.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/config/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="D8C85E6CAB767433EC2E6A7C094C1125";
PSID="7E09004C87348100F227487435CD3213"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="45855288-73af-4d6e-af8d-a51c210129d5";
X-Request-Memo: ID="5574ac61-544a-4101-8312-8660a8c925af"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:51 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"14649-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 14649
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...ership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a href="...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/changelog.html
Request:
GET /docs/changelog.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="F3D4D3DB0835679411A7D304D23D3F25";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d3fb0222-b563-436f-a2c5-fbbe1e8ab812";
X-Request-Memo: ID="fc2ff44c-5fb3-49d9-aa78-f04736ad5519"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"895262-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 895262
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
...TRUNCATED... may be read as the
start of the next request leading to a 400 response. (markt)
</td></tr>
</t...TRUNCATED...
<a href="http://bz.apache.org/bugzilla/show_bug.cgi?id=56717">56717</a>: Fix duplicate
registration of
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/windows-auth-howto.html
Request:
GET /docs/windows-auth-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="FF70A74D422C22B72591B6C68DE7DBA3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e2085897-d964-4fb8-80e5-97e2cc35784c";
X-Request-Memo: ID="49bd3422-4472-4f1c-8766-5779e21a7e15"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27921-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27921
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...l trusted intranet.</li>
<li>The SPN must be HTTP/<hostname> and it must be exactly the same in all the places i...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/ssi-howto.html
Request:
GET /docs/ssi-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="CB04B081478DF74AFDD0F66123F0F73B";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="cdb81246-bfb8-4cf3-90bd-7ef6737b4bff";
X-Request-Memo: ID="7ed138d2-5ac8-481d-a34c-d0e719a44700"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21189-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21189
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED... The server's IP address.</td>
</tr>
<tr>
<td>SERVER_NAME</td>
<td>
The server's hostname or IP address.</td>
</tr>
<tr>
<td>SERVER_PORT</td>
<td>
The port on which the server receiv...TRUNCATED...
description
http://zero.webappsecurity.com:80/errors/errors.log
Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
http://zero.webappsecurity.com:80/docs/monitoring.html
Request:
GET /docs/monitoring.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9F4C1B8B0854C98B23B22FEFF5F16E61";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="c69bb0a8-b200-4d4b-a76a-8186f40f5309";
X-Request-Memo: ID="6ed9ecad-77f1-4afc-bc52-ca3ee97dbdcf"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:29 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"46020-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 46020
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...<property
name="cluster.server.address" value="192.168.1.75" />
<property name="cluster.server.port"...TRUNCATED...ina:type=IDataSender,host=localhost,senderAddress=192.168.111.1,senderPort=9025"
attribute="connected"
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/WS_FTP.LOG
Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburnepo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\index.htm <-- sunburn repo\root\oad\incoming\lorenzo\boston index.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --...TRUNCATED...\root\oad\incoming\lorenzo\boston blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> surepo\root\oad\incoming\lorenzo\boston boston.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\choices.html --> ...TRUNCATED...po\root\oad\incoming\lorenzo\boston choices.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\concbkg.jpeg --> ...TRUNCATED...po\root\oad\incoming\lorenzo\boston concbkg.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\index.htm --> sun_repo\root\oad\incoming\lorenzo\boston index.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\water5.jpg --> surepo\root\oad\incoming\lorenzo\boston water5.jpg
cf310.1.1.231 13:47 B c:\web\boston\ws_ftp.log <-- SunSite UNC C:\old_repo\root\oad\boston ws_ftp.log
10.1.1.231 14:08 B c:\web\boston\bball.gif --> sunburn C:\ol...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/filter.html
Request:
GET /docs/config/filter.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/security-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="46494C4CFCA02171D7106D528B555498";
PSID="1F194499C7D4146D9EC2FB6CA4EFA71D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="133118b0-4eff-49e5-b4ad-6236be637206";
description
http://zero.webappsecurity.com:80/manager/html
Request:
GET /manager/html HTTP/1.1
Host: zero.webappsecurity.com
Referer: http://zero.webappsecurity.com:80/manager/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-RequestManager-Memo: Category="StateRequestor.Redirect"; TriggerID="ef3f998d-8124-4e90-b4b3-f9a91d1f6a3b"; sid="53";
smi="0"; sc="1"; ID="7a2b8d86-2551-4b54-8b44-9c6cf1856fd3";
X-Request-Memo: ID="a8959cac-20d1-40af-889e-9553f5e18bee"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 401 Unauthorized
Date: Mon, 10 Oct 2016 07:51:12 GMT...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/
Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
description
http://zero.webappsecurity.com:80/backup/
Request:
GET /backup/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B00CD470CE6F47816EAC8B94B3E4D1FC";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10211"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="e7914a6d-bf39-4abf-89d2-90c220d31ffa";
X-Request-Memo: ID="76d827f0-c596-4f1a-aee1-d06bd51ec5ed"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:13 GMT
S...TRUNCATED...
description
http://zero.webappsecurity.com:80/scripts/
Request:
GET /scripts/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="8D695AA103CB5BFCC70FFF7C6062147A";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="831003a8-6362-49dc-9139-27971b407a19";
X-Request-Memo: ID="26b4513c-0fa0-46f2-9465-3e061e5d6534"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:16 GMT
S...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/cgi-bin/
Request:
GET /cgi-bin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4F59A2869EF7F0A2D7CD991C897978A2";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="39bf71f5-f6ed-494b-85b7-b2ed13e7bea0";
X-Request-Memo: ID="4eb5597d-fe76-49a6-9eb0-00bbaa89b896"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:14 GMT
S...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/htbin/
Request:
GET /htbin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="06C0949C38AC94260BD0CEFB9FF67B42";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10212"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="8651bed3-7987-4343-ac3a-4b626bd79b39";
X-Request-Memo: ID="415282ad-05cd-4dd7-991c-b96aa0daa42b"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:15 GMT
S...TRUNCATED...
description
http://zero.webappsecurity.com:80/include/
Request:
GET /include/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B575CF6508C02A80B46DA672DF270F32";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="45"; smi="0"; sc="1"; ID="50320ba5-6830-4a9e-9e1f-c2877152caf9";
X-Request-Memo: ID="719f6775-3571-4ef4-9e77-035321c009db"; sc="1"; ThreadId="104";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:18 GMT
S...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/errors/
Request:
GET /errors/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="BB23AC8A7B9C89C3DE9576C0FEACCA3F";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10214"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="80f80983-ecf1-439a-863c-27a58b849768";
X-Request-Memo: ID="2d21df20-9bb0-436e-a9b2-bb11433be3dd"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:17 GMT
Server: ...TRUNCATED...
description
http://zero.webappsecurity.com:80/db/
Request:
GET /db/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B9AE01903B1D6483D2F28A9BB6CEC42B";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10216"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="ad596ec0-9acc-4b24-82ca-9bb3cce2ec7b";
X-Request-Memo: ID="18e1624d-6480-4851-aff4-c3e7bba46af9"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:24 GMT
S...TRUNCATED...
description
http://zero.webappsecurity.com:80/testing/
Request:
GET /testing/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="893CA5890C66F16200F5520C0F46033A";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10217"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="ec28809d-2368-456e-9d24-338a1b701914";
X-Request-Memo: ID="ceab30e2-031b-4503-80f2-b3d81cf948b7"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:27 GMT
S...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/
Request:
GET /docs/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="F123B9A3291354F97AC6F79540B0A325";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10218"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="9cc3750e-2cbb-4dd7-aca5-af08fb3677ce";
X-Request-Memo: ID="41b495e0-aabd-4c31-bd33-775eb1e270ea"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: ...TRUNCATED...
description
http://zero.webappsecurity.com:80/stats/
Request:
GET /stats/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="0036DDD44B029BA89605F462C087D6CD";
http://zero.webappsecurity.com:80/error_log/
Request:
GET /error_log/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="3AAD17D0F26A97B041A9AED28823D7EF";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10229"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="49"; smi="0"; sc="1"; ID="fd7bdd43-fb4c-454d-9f3f-f505ede276d4";
X-Request-Memo: ID="d8147d81-f1b6-4198-88c6-9406b4bc7c22"; sc="1"; ThreadId="106";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:40 GMT
S...TRUNCATED...
description
http://zero.webappsecurity.com:80/user/
Request:
GET /user/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="6A1ED77117E1B16F946BCDF912E86C55";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10233"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="06255d2d-d94f-491e-a00f-4af2b186cf85";
X-Request-Memo: ID="b6ec7db2-1d5c-4538-b4a4-57b1f8f4023c"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 403 Forbidden
Date: Mon, 10 Oct 2016 07:51:50 GMT
S...TRUNCATED...
description
Page:
http://zero.webappsecurity.com:80/README.txt
Request:
GET /README.txt HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="A7014097004A822F436038B57058EAD5";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="12"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10342"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="74c8420e-6de3-4901-ac23-623a7bd1a62a";
X-Request-Memo: ID="305d1b88-9245-4575-b56e-7f19e29822b9"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:15 GMT
Server: ...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/building.html
Request:
GET /docs/building.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="92BF4760E2D0FDCA4ABB18FC0B743B5E";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4fede3ba-e46c-473f-8253-ef124324ef8f";
X-Request-Memo: ID="93076e7c-a2b4-4b9a-bfb5-cd5b632a4b75"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21672-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 21672
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED..."><pre><code># Location of Java 7 JDK
java.7.home=C:/Program Files (x86)/Java/jdk1.7.0_72</code></pre></...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/host.html
Request:
GET /docs/config/host.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Report Date: 10/10/2016
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9BA142D4531EC16215DCD9F6E7E33584";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e3dc82e3-8a3a-4298-8446-3d93674c2544";
X-Request-Memo: ID="5b7dd298-0e80-4a06-8917-818af40546db"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:22 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"43300-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 43300
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
...TRUNCATED... in a specified base
directory (such as <code>c:\Homes</code> in this example) to be
considered...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/windows-service-howto.html
Request:
GET /docs/windows-service-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9BD235AA424324B5BDC5899093604D45";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="105ad3c1-28d2-4187-b7b2-14863f871084";
X-Request-Memo: ID="2b32fe4a-eddc-4517-9709-7b93ed3848e2"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:34 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27219-1466008848000"
Last-Modified: Wed, 15 Jun 2016 16:40:48 GMT
Content-Type: text/html
Content-Length: 27219
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...
<div class="codeBox"><pre><code>set CATALINA_HOME=c:\tomcat_7
set CATALINA_BASE=c:\tomcat_7\instances\instance1
service install insta...TRUNCATED...
<div class="codeBox"><pre><code>set CATALINA_BASE=c:\tomcat_7\instances\instance2
http://zero.webappsecurity.com:80/admin/WS_FTP.LOG
Request:
GET /admin/WS_FTP.LOG HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="DC2EF0E7C935D7C47528CB0D2E9C1565";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="764"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="c47c8ae6-5758-42e7-82e9-f1558a268886";
X-Request-Memo: ID="807fe938-5c65-4f99-b66a-76c6511855c4"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:38 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"504686-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Length: 504686
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/plain
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\index.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston index.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.htm
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\choices.html --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston choices.h...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/windows-auth-howto.html
Request:
GET /docs/windows-auth-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="FF70A74D422C22B72591B6C68DE7DBA3";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e2085897-d964-4fb8-80e5-97e2cc35784c";
X-Request-Memo: ID="49bd3422-4472-4f1c-8766-5779e21a7e15"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:43 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"27921-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 27921
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...e):
<div class="codeBox"><pre><code>ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
/p...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/html-manager-howto.html
Request:
GET /docs/html-manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/manager-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="05A583C38101A149DDE1801354194040";
PSID="112FD5EEB1B0EC04177727EFB7E63F42"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="d0d7bc4d-0890-4888-83b0-3fba7c4590da";
X-Request-Memo: ID="28331577-d871-46f2-a1ce-9381e852cd17"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:03 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"36392-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 36392
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
...TRUNCATED...he web application located in the directory
<code>C:\path\to\foo</code> on the Tomcat server (running on...TRUNCATED...
description
http://zero.webappsecurity.com:80/admin/
Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="F9F85B774F218404194F09238B4A9EF9";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="60b8f839-2e70-4177-8e47-f305852be435"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10810"; Engine="Site+Search";
SmartMode="NonServerSpecificOnly"; ThreadId="83"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="0b1fd969-d62c-48aa-afac-df632dd5414f";
X-Request-Memo: ID="ec653cd9-e832-4472-bd32-8079961169ab"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:27 GMT
Server: ...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/realm-howto.html
Request:
GET /docs/realm-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1ECABF8131D9FB74C4F25E6F3BB95533";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1a2ace84-1955-4345-a9e8-fadc02fda9ec";
X-Request-Memo: ID="642ab42b-ae55-4a13-8cf5-90b8052483f9"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:14 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"67464-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 67464
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
...TRUNCATED...he.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:389"
userPattern="uid={0},ou=people,dc=mycomp...TRUNCATED...he.catalina.realm.JNDIRealm"
connectionURL="ldap://localhost:389"
userBase="ou=people,dc=mycompany,dc=c...TRUNCATED...
connectionPassword="secret"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userP...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/listeners.html
Request:
GET /docs/config/listeners.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jndi-datasource-examples-howto.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="696E82F0D0DB9E2D37764BFE766D74AE";
PSID="4005A3D0BF6D3E8BFED6DB64AB0C2F8D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b2a89a24-3bdf-406a-8fb4-51431fde34cb";
X-Request-Memo: ID="455c0f28-12af-4d34-b488-f28ad4437f21"; sc="2"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:24 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"42468-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 42468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...ule.LdapLoginModule REQUIRED
userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com"
userFilte...TRUNCATED...
description
http://zero.webappsecurity.com:80/account/
Request:
GET /account/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="551A58F3CAE8D76CCDEE29CAB920CF53";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10220"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="51"; smi="0"; sc="1"; ID="0dcb8edc-da07-4d15-8bb4-66a65d53899d";
X-Request-Memo: ID="50ed1642-dcbc-4d5c-8f13-cb22de7c9c32"; sc="1"; ThreadId="107";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 10 Oct 2016 07:...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/<script>alert('TRACK');</script>
Request:
TRACK /<script>alert('TRACK');</script> HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="A4FB02D5C410323E6D90001C41301D87";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5152"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="89"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="f4a152a7-ef66-4ced-ae43-1145129b2717";
X-Request-Memo: ID="2f9e2ddb-775d-4ead-bdb8-816756b2f322"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 501 Not Implemented
Date: Mon, 10 Oct 2016 07:52:21 ...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/funcspecs/index.html
Request:
GET /docs/funcspecs/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9ED4F10AC6184B9298A6A51C297C202A";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ac0bae26-fb9e-448e-9639-491c1b5a57a4";
X-Request-Memo: ID="4d993be0-b9b5-48aa-b934-5d30dea3ccc9"; sc="2"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8461-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8461
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Catalina Functional
Specifications (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
Catalina Functional Specifications
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Functional Specs</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Administrative Apps</strong></p><ul><li><a
href="fs-admin-apps.html">Overall Requirements</a></li><li><a href="mbean-names.html">Tomcat MBean
Names</a></li><li><a href="fs-admin-objects.html">Administered Objects</a></li><li><a href="fs-adminopers.html">Supported Operations</a></li></ul><p><strong>Internal Servlets</strong></p><ul><li><a href="fsdefault.html">Default Servlet</a></li></ul><p><strong>Realm Implementations</strong></p><ul><li><a href="fs-jdbcrealm.html">JDBC Realm</a></li><li><a href="fs-jndi-realm.html">JNDI Realm</a></li><li><a href="fs-memory-realm.
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/servletapi/index.html
Request:
GET /docs/servletapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="9A374CF6133C82D2A83C2624AADBEB16";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1403531a-d139-41f6-a815-87b38535cc27";
X-Request-Memo: ID="1e647ffc-4e3e-44cf-988c-fcabc862b92f"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:46 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1323-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1323
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The Servlet Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:
http://zero.webappsecurity.com:80/docs/websocketapi/
Request:
GET /docs/websocketapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/websocketapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="93F640E9C0950666F44249BE903412FF";
PSID="5BE22692ADEF2CF19E101E8F2AE21ECC"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
Page:
http://zero.webappsecurity.com:80/docs/appdev/sample/
Request:
GET /docs/appdev/sample/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B2C4DB9BD43BD67F563C5590060864D1";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b67d6926-e16e-4203-8af2-9905667eb186";
Page:
http://zero.webappsecurity.com:80/errors/errors.log
Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21684-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 21684
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Tue Jan 22 09:11:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
Tue Jan 22 09:31:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [pede] and password [Donec].
Tue Jan 22 10:49:37 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [magna.] and password [eget].
Tue Jan 22 11:55:56 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [sed] and password [risus].
Tue Jan 22 13:45:58 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Aliquam] and password [Morbi].
Tue Jan 22 14:55:38 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [eu] and password [arcu.].
Tue Jan 22 16:12:29 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Morbi] and password [non,].
Tue Jan 22 18:51:49 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [tellus] and password [parturient].
Tue Jan 22 18:55:01 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [enim,] and password [vitae].
Tue Jan 22 18:57:25 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [sapien.] and password [laoreet].
Tue Jan 22 21:26:23 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [leo.] and password [amet].
Tue Jan 22 22:26:38 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [commodo] and password [natoque].
Wed Jan 23 01:11:37 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [vitae,] and password [vel,].
Wed Jan 23 03:15:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
Wed Jan 23 05:39:52 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [ipsum.] and password [Proin].
Wed Jan 23 07:02:30 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [enim.] and password [non,].
Wed Jan 23 08:28:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [at] and password [enim.].
Wed Jan 23 10:08:34 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.U
...TRUNCATED...
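The two world-readable text files in this section, /admin/WS_FTP.LOG (an FTP client transfer log naming an internal client address, a host called "sunburn" and the local and remote directory layout) and /errors/errors.log (an application log that writes every failed login together with the password that was tried), are worth more to an attacker than the scanner's severity suggests. The following is an added example and not part of the report or of the scanned application: Python parsers for both formats, run over lines copied from the response bodies above, a small triage summary of what they yield, and a redaction helper that shows the logging fix for errors.log. The reading of the WS_FTP arrow as source-to-destination is an assumption about that format, and the redaction is an illustration of the fix, since the report shows no application source.

```python
"""Added example (not from the report): parse the two exposed log files and
summarise what they hand an attacker, plus the logging fix for errors.log."""
import re
from collections import namedtuple

# Input lines copied from the response bodies shown in the report, re-joined
# onto one line each (the PDF wrapped them); three lines of each file suffice.
AUTH_LOG_SAMPLE = """\
Tue Jan 22 09:11:32 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
Tue Jan 22 09:31:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [pede] and password [Donec].
Wed Jan 23 03:15:20 EST 2013 [ERROR] [local 10.5.157.10] [com.zero.bank.auth.UserAuthenticator.authenticate (UserAuthenticator.java:51)] - Not possible to authenticate a user with login [Suspendisse] and password [Nunc].
"""
WS_FTP_SAMPLE = r"""10.1.1.233 10:28 B C:\OADWEB~1\BOSTON\boston.htm <-- sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.html
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\blondbkgB.jpeg --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston blondbkgB.jpeg
10.1.1.233 08:34 B C:\Oad Web Stuff\BOSTON\boston.htm --> sunburn C:\old_repo\root\oad\incoming\lorenzo\boston boston.htm
"""

# errors.log: timestamp, level, source address, code location, message with
# the login and the password attempted, both in square brackets.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4}) \[(?P<level>\w+)\] "
    r"\[local (?P<src>\d+\.\d+\.\d+\.\d+)\] \[(?P<where>[^\]]+)\] - "
    r".*login \[(?P<login>[^\]]*)\] and password \[(?P<password>[^\]]*)\]\.?$"
)
AuthFailure = namedtuple("AuthFailure", "ts src login password")

def parse_auth_failures(text):
    """One AuthFailure per line that records a login and the password tried."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            out.append(AuthFailure(m["ts"], m["src"], m["login"], m["password"]))
    return out

# WS_FTP.LOG: client IP, time, transfer mode (B = binary), local path (may
# contain spaces), arrow, remote host, remote directory, remote file name.
WSFTP_RE = re.compile(
    r"^(?P<client>\d+\.\d+\.\d+\.\d+) (?P<time>\d{2}:\d{2}) (?P<mode>[AB]) "
    r"(?P<local_path>.+?) (?P<arrow><--|-->) (?P<host>\S+) (?P<remote_dir>\S+) (?P<remote_file>\S+)$"
)
Transfer = namedtuple(
    "Transfer", "client mode local_path direction host remote_dir remote_file")

def parse_ws_ftp(text):
    """One Transfer per well-formed WS_FTP log line."""
    out = []
    for line in text.splitlines():
        m = WSFTP_RE.match(line)
        if m:
            # Assumption about the format: the arrow points from source to
            # destination, so "-->" is an upload of the local path, "<--" a download.
            direction = "upload" if m["arrow"] == "-->" else "download"
            out.append(Transfer(m["client"], m["mode"], m["local_path"], direction,
                                m["host"], m["remote_dir"], m["remote_file"]))
    return out

def triage(auth_text, ws_ftp_text):
    """What an attacker harvests from the two files, de-duplicated."""
    failures = parse_auth_failures(auth_text)
    transfers = parse_ws_ftp(ws_ftp_text)
    return {
        "cleartext_credentials": sorted({(f.login, f.password) for f in failures}),
        "auth_sources": sorted({f.src for f in failures}),
        "ftp_clients": sorted({t.client for t in transfers}),
        "ftp_hosts": sorted({t.host for t in transfers}),
        "local_dirs": sorted({t.local_path.rsplit("\\", 1)[0] for t in transfers}),
        "remote_dirs": sorted({t.remote_dir for t in transfers}),
    }

PASSWORD_FIELD_RE = re.compile(r"password \[[^\]]*\]")

def redact_password(line):
    """The logging fix, as a post-hoc filter: keep the failed login for
    investigation, never the secret that was submitted with it."""
    return PASSWORD_FIELD_RE.sub("password [REDACTED]", line)

if __name__ == "__main__":
    for key, value in triage(AUTH_LOG_SAMPLE, WS_FTP_SAMPLE).items():
        print(key, value)
    print(redact_password(AUTH_LOG_SAMPLE.splitlines()[0]))
```

Note that the third errors.log line repeats the first login and password pair a day later, which is why the triage de-duplicates: the same credential recurring is the usual sign of a real user mistyping, not a scanner, and is the pair to try first against the login form. The fix belongs in `UserAuthenticator.authenticate`, not in a filter; the redaction helper only shows which field must never reach the log.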
Page:
http://zero.webappsecurity.com:80/docs/appdev/sample/sample.war
Request:
GET /docs/appdev/sample/sample.war HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/sample/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C80E2163C3B058B420F9C08BCCC51C62";
PSID="B2C4DB9BD43BD67F563C5590060864D1"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="3e19822b-2222-489c-ab42-6a4446fc16ce";
X-Request-Memo: ID="686c8472-e5a7-47a0-b06b-7f9b9014ae51"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"4606-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Length: 51
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/plain
<truncated>application/x-zip-compressed</truncated>
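The Site Search, Directory Enumeration and Request Modify checks in this section amount to a short list of GET requests for files that should not be served (README.txt, /admin/, WS_FTP.LOG, errors.log, the Tomcat /docs/ tree that carries the version string, sample.war, and /account/ with its 500 stack trace) plus one request with the TRACK method, which the server refused with 501. The probe below re-runs those checks and is an added example, not code from the report or from WebInspect. So that it runs offline it targets a constructed local server whose status codes and content types mirror the responses shown above; the bodies are stand-ins (the report truncates most of them, and the README.txt body is not shown at all), and the version string is taken from the "Version 7.0.70" header of the docs pages. Against a real target, call `probe()` with that base URL instead.

```python
"""Added example (not from the report): re-check exposed paths, error pages and
the TRACE/TRACK methods against a constructed local stand-in for the site."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Paths the report shows answering, plus the method check it ran with TRACK.
PROBE_PATHS = ["/README.txt", "/admin/", "/admin/WS_FTP.LOG", "/errors/errors.log",
               "/docs/", "/docs/appdev/sample/sample.war", "/account/"]
PROBE_METHODS = ["TRACE", "TRACK"]
VERSION_RE = re.compile(r"Version (\d+\.\d+\.\d+)")

# Constructed stand-in for the real site: status and type per the report,
# bodies are short excerpts or placeholders.  Anything else is 404.
FAKE_FILES = {
    "/README.txt": (200, "text/plain", "README placeholder"),
    "/admin/": (200, "text/html", "<html>index of /admin/</html>"),
    "/admin/WS_FTP.LOG": (200, "text/plain",
                          "10.1.1.233 10:28 B C:\\OADWEB~1\\BOSTON\\boston.htm <-- sunburn ..."),
    "/errors/errors.log": (200, "text/plain",
                           "... login [Suspendisse] and password [Nunc]."),
    "/docs/": (200, "text/html", "<h1>Apache Tomcat 7</h1>Version 7.0.70, Jun 15 2016"),
    "/docs/appdev/sample/sample.war": (200, "application/x-zip-compressed", "PK.."),
    "/account/": (500, "text/html", "user lacks privilege or object not found: INDEX"),
}

class FakeSite(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = FAKE_FILES.get(self.path, (404, "text/plain", "not found"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    # No do_TRACE / do_TRACK: BaseHTTPRequestHandler answers any method it has
    # no handler for with 501 Not Implemented, as the scanned site did for TRACK.
    def log_message(self, *args):
        pass

def start_fake_site():
    """Bind to a free loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def fetch(base_url, method, path):
    """One request, one connection; returns (status, content type, body)."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request(method, path, headers={"Host": u.netloc, "User-Agent": "probe/1.0"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Content-Type", ""), body

def probe(base_url):
    """Exposed paths (200), server errors (5xx), method support, and any
    product version string found in a served page."""
    findings = {"exposed": [], "errors": [], "methods": {}, "version": None}
    for path in PROBE_PATHS:
        status, ctype, body = fetch(base_url, "GET", path)
        if status == 200:
            findings["exposed"].append((path, ctype))
            m = VERSION_RE.search(body)
            if m:
                findings["version"] = m.group(1)
        elif status >= 500:
            findings["errors"].append((path, status))
    for method in PROBE_METHODS:
        status, _, _ = fetch(base_url, method, "/")
        findings["methods"][method] = status
    return findings

def run_demo():
    """Start the stand-in, probe it, shut it down, return the findings."""
    srv, base = start_fake_site()
    try:
        return probe(base)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

A 405 or 501 for TRACE and TRACK is the wanted outcome; a 200 that echoes the request would be the cross-site tracing case the check is looking for. The version string is recorded because the Tomcat docs tree, once served, pins the exact release (7.0.70 here) for anyone matching it against known issues, which is a reason to remove /docs/, /examples/ and sample.war from a production deployment even though they contain nothing secret themselves.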
Page:
http://zero.webappsecurity.com:80/docs/tribes/introduction.html
Request:
GET /docs/tribes/introduction.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="CD5E19BE8CC24688BC7308F171997466";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="07f7b923-6839-4ba7-a938-9cf0c5eb1f61";
X-Request-Memo: ID="040cfd4a-ab06-4d31-975e-edb1f8a6adf6"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:00 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"23070-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 23070
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tribes - The Tomcat
Cluster Communication Module (7.0.70) - Apache Tribes - Introduction</title><meta name="author" content="Filip
Hanik"><style type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="Apache Tomcat"
border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
Page:
http://zero.webappsecurity.com:80/docs/jspapi/
Request:
GET /docs/jspapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/jspapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="EFDF7B892053C63944C29F6DB63E233F";
PSID="2972AA34C8A6AF245A423BC19C9CD9CE"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="87"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="55"; smi="0"; sc="1"; ID="4a1bd4fa-cd49-4e66-837e-8b448b07f7aa";
X-Request-Memo: ID="e073da79-b7e8-42ec-9389-f20a64c9afb8"; sc="1"; ThreadId="109";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=B17F0383
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:17 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1319-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1319
Keep-Alive: timeout=5, max=61
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The JSP Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:
http://zero.webappsecurity.com:80/docs/servletapi/
Request:
GET /docs/servletapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/servletapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="564F2A0E64C26817838EE110967EF96E";
PSID="9A374CF6133C82D2A83C2624AADBEB16"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="94"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="8c384aa4-7d63-40e1-baeb-f27f8d05ff65";
X-Request-Memo: ID="2477b30e-219c-4fe7-a1bb-9e26b2e4e406"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=FF9EF2E4
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1323-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1323
Keep-Alive: timeout=5, max=49
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The Servlet Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
Page:
http://zero.webappsecurity.com:80/docs/websocketapi/index.html
Request:
GET /docs/websocketapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="5BE22692ADEF2CF19E101E8F2AE21ECC";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="8c9ad5e8-9310-4e09-a3da-be5bb8929c4e";
X-Request-Memo: ID="7da23acc-570f-4b66-b0a5-b08d359e7995"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1185-1466008840000"
Last-Modified: Wed, 15 Jun 2016 16:40:40 GMT
Content-Type: text/html
Content-Length: 1185
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>API docs</title>
</head>
<body>
The WebSocket Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:
http://zero.webappsecurity.com:80/docs/architecture/index.html
Request:
GET /docs/architecture/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="629E4A1BA8397C370A60A994699A4485";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4c216e81-685e-4aac-878e-79af3584075a";
X-Request-Memo: ID="13cc48eb-9f89-48aa-a925-efa249ba4019"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:54 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"7656-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 7656
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Architecture (7.0.70) - Table of Contents</title><meta name="author" content="Yoav Shapira"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
border-radius: 5px;
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Architecture Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="overview.html">Overview</a></li><li><a href="startup.html">Server
Startup</a></li><li><a href="requestProcess.html">Request Process</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td
width="80%" valign="top" align="left" id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0"
cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a
name="Preface"><strong>Preface</strong></a></font></td></tr><tr><td><blockquote>
<p>This section of the Tomc
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/appdev/
Request:
GET /docs/appdev/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="67BA648D12849829BE2910DD0EB52792";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="91"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="43"; smi="0"; sc="1"; ID="5d5ef683-f82b-45d1-b014-8c6cbd824fa4";
X-Request-Memo: ID="f1eb2a48-1381-489c-b321-d295c5ae7b6c"; sc="1"; ThreadId="103";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=943C3A6B
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:58:19 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8650-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8650
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Application Developer's
Guide (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">App Dev Guide Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="introduction.html">Introduction</a></li><li><a
href="installation.html">Installation</a></li><li><a href="deployment.html">Deployment</a></li><li><a
href="source.html">Source Code</a></li><li><a href="processes.html">Processes</a></li><li><a href="sample/">Example
App</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"
id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font color="#ffffff"
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/config/
Request:
GET /docs/config/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/config/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="4F45282CDA6F3C357915B50276DEDC05";
PSID="7E09004C87348100F227487435CD3213"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="2d26bf82-99a6-4e3b-a0ef-717f11f60dd6";
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
background-color: #FAFBFF;
}
table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a
href="server.html">Server</a></li><li><a
href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a
href="executor.html">Executor</a></li></ul><p><strong>Connectors</strong></p><ul><li><a
href="http.html">HTTP</a></li><li><a
href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a
href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a
href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested
Components</strong></p><ul
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/search.html?searchTerm=12345
Request:
GET /search.html?searchTerm=12345 HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4FB1E28C3A3C661502F583F3EA8F6277";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="47285469-80aa-457f-b7a7-463caf37d211";
X-Request-Memo: ID="7c5328cd-1699-4712-b23e-8d196c922a1c"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7710
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Search Tips</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featureName) {
$("
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/resources/js/placeholders.min.js
Request:
GET /resources/js/placeholders.min.js HTTP/1.1
Referer: http://zero.webappsecurity.com/
Host: zero.webappsecurity.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-AscRawUrl: /resources/js/placeholders.min.js
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="511D6DB521E43A071D015EA7E62869D3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="ScriptInclude"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="216"; ThreadType="JScriptEvent";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b3b66bc-ee7e-418f-a2ff-72824c2c8770";
X-Request-Memo: ID="ba10ebcc-36c7-4b8b-a7d2-a65d07b35ed5"; sc="1"; ThreadId="216";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:31 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"5615-1360116138000"
Last-Modified: Wed, 06 Feb 2013 02:02:18 GMT
Cache-Control: max-age=2678400
Expires: Thu, 10 Nov 2016 07:50:31 GMT
Content-Type: application/javascript;charset=UTF-8
Content-Length: 5615
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
var Placeholders=function(){var validTypes=["text","search","url","tel","email","password","number","textarea"],settings=
{live:false,hideOnFocus:false,className:"placeholderspolyfill",textColor:"#999",styleImportant:true},badKeys=
[37,38,39,40],interval,valueKeyDown,classNameRegExp=new RegExp("\\b"+settings.className+"\\b");function cursorToStart
(elem){var range;if(elem.createTextRange){range=elem.createTextRange();range.move("character",0);range.select()}else if
(elem.selectionStart){elem.focus();
elem.setSelectionRange(0,0)}}function focusHandler(){var type;if(this.value===this.getAttribute("placeholder"))if(!
settings.hideOnFocus)cursorToStart(this);else{this.className=this.className.replace
(classNameRegExp,"");this.value="";type=this.getAttribute("data-placeholdertype");if(type)this.type=type}}function blurHandler()
{var type;if(this.value===""){this.className=this.className+" "+settings.className;this.value=this.getAttribute
("placeholder");type=this.getAttribute("data-placeholdertype");if(type)this.type=
"text"}function submitHandler(){var inputs=this.getElementsByTagName
("input"),textareas=this.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,element,placeholder,i;for(i=0;i<num;i+=1)
{element=i<numInputs?inputs[i]:textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if
(element.value===placeholder)element.value=""}}function keydownHandler(event)
{valueKeyDown=this.value;return!(valueKeyDown===this.getAttribute("placeholder")&&badKeys.indexOf
(event.keyCode)>
-1)}function keyupHandler(){var type;if(this.value!==valueKeyDown){this.className=this.className.replace
(classNameRegExp,"");this.value=this.value.replace(this.getAttribute("placeholder"),"");type=this.getAttribute
("data-placeholdertype");if(type)this.type=type}if(this.value===""){blurHandler.call(this);cursorToStart(this)}}
function addEventListener(element,event,fn){if(element.addEventListener)return element.addEventListener
(event,fn.bind(element),false);if(element.attachEvent)return element.attachEvent("on"+
event,fn.bind(element))}function addEventListeners(element){if(!settings.hideOnFocus){addEventListener
(element,"keydown",keydownHandler);addEventListener(element,"keyup",keyupHandler)}addEventListener
(element,"focus",focusHandler);addEventListener(element,"blur",blurHandler)}function updatePlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,form,element,oldPlaceholder,newPlaceholder;
for(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:textareas[i-numInputs];newPlaceholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.type)>-1)if
(newPlaceholder){oldPlaceholder=element.getAttribute("data-currentplaceholder");if(newPlaceholder!
==oldPlaceholder){if(element.value===oldPlaceholder||element.value===newPlaceholder||!element.value)
{element.value=newPlaceholder;element.className=element.className+" "+settings.className}if(!
oldPlaceholder){if(element.form){form=element.form;
if(!form.getAttribute("data-placeholdersubmit")){addEventListener
(form,"submit",submitHandler);form.setAttribute("data-placeholdersubmit","true")}}addEventListeners(element)}
element.setAttribute("data-currentplaceholder",newPlaceholder)}}}}function createPlaceholders(){var
inputs=document.getElementsByTagName("input"),textareas=document.getElementsByTagName
("textarea"),numInputs=inputs.length,num=numInputs+textareas.length,i,element,form,placeholder;for
(i=0;i<num;i+=1){element=i<numInputs?inputs[i]:
textareas[i-numInputs];placeholder=element.getAttribute("placeholder");if(validTypes.indexOf(element.typ
...TRUNCATED...
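The sessions above are raw evidence: the report does not say which finding they support, so a reviewer has to read the headers and bodies to see what they show. Every response carries Access-Control-Allow-Origin: * and a Server banner, the bundled Tomcat documentation prints its version (7.0.70), and the script resource is served with a month-long max-age, while the Path Truncation sessions request the parent directory of crawled pages (/docs/jspapi/ after /docs/jspapi/index.html). The script below is an added example, not part of the report and not WebInspect's own logic: it parses response captures like these and lists those observations, and reconstructs the parent paths a truncation session would request. The sample captures are constructed and abbreviated from the responses on this page; the note labels, the regular expression for the Tomcat version banner and the truncation order are this example's own assumptions.

```python
"""Review raw HTTP response captures the way a reviewer reads a scan report.

Added example; the captures are constructed from responses shown in the report
and abbreviated, and the observation labels are this script's own, not
WebInspect check names.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample captures, abbreviated from the responses in this report.
SAMPLE_CAPTURES: Dict[str, str] = {
    "/docs/tribes/introduction.html": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Access-Control-Allow-Origin: *\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Apache Tribes (7.0.70)</title></head>"
        "<body><h1>Apache Tomcat 7</h1>Version 7.0.70, Jun 15 2016</body></html>"
    ),
    "/search.html?searchTerm=12345": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Access-Control-Allow-Origin: *\r\n"
        "Cache-Control: no-cache, max-age=0, must-revalidate, no-store\r\n"
        "Content-Type: text/html;charset=UTF-8\r\n"
        "\r\n"
        "<!DOCTYPE html><html><head><title>Zero - Search Tips</title></head></html>"
    ),
    "/resources/js/placeholders.min.js": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Access-Control-Allow-Origin: *\r\n"
        "Cache-Control: max-age=2678400\r\n"
        "Content-Type: application/javascript;charset=UTF-8\r\n"
        "\r\n"
        "var Placeholders=function(){};"
    ),
}

# Matches the "Apache Tomcat 7 ... Version 7.0.70, Jun 15 2016" header the
# bundled documentation pages print (pattern is this example's assumption).
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat \d+.*?Version (\d+\.\d+\.\d+)", re.S)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def review(raw: str) -> List[str]:
    """Return the observations a reviewer would note for one captured response."""
    _status, headers, body = parse_response(raw)
    notes: List[str] = []
    if headers.get("access-control-allow-origin") == "*":
        # Any origin may read this response, but browsers refuse to attach
        # cookies to a request whose response allows '*', so a cross-origin
        # reader only sees what an anonymous fetch would.
        notes.append("wildcard CORS (Access-Control-Allow-Origin: *)")
    server = headers.get("server")
    if server:
        notes.append(f"server banner: {server}")
    match = TOMCAT_VERSION_RE.search(body)
    if match:
        notes.append(f"Tomcat documentation exposed, version {match.group(1)}")
    cache = headers.get("cache-control", "")
    if "max-age=" in cache and "no-store" not in cache:
        notes.append(f"shared-cacheable resource ({cache})")
    return notes


def review_all(captures: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each captured request path to its review notes."""
    return {path: review(raw) for path, raw in captures.items()}


def truncation_candidates(path: str) -> List[str]:
    """Parent directories a Path Truncation session would request for a crawled URL.

    Mirrors the sessions above that fetch /docs/jspapi/ after crawling
    /docs/jspapi/index.html; stopping above the site root is this example's choice.
    """
    parts = path.split("?", 1)[0].split("/")
    if parts and parts[-1] == "":
        parts = parts[:-1]  # a URL that already names a directory
    return ["/".join(parts[:i]) + "/" for i in range(len(parts) - 1, 1, -1)]


if __name__ == "__main__":
    for path, notes in review_all(SAMPLE_CAPTURES).items():
        print(path)
        for note in notes:
            print("  -", note)
    print(truncation_candidates("/docs/jspapi/index.html"))
```

The wildcard CORS note deserves the caveat in the comment: because `Access-Control-Allow-Origin: *` cannot be combined with credentials, it only matters on responses that already contain something an anonymous client should not get. The check worth doing by hand is whether authenticated pages (the /account/ response in the head of this report also carries the wildcard) answer the same way to a cross-origin request.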
Page:
http://zero.webappsecurity.com:80/docs/config/index.html
Request:
GET /docs/config/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="7E09004C87348100F227487435CD3213";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4b07bdfd-5bf9-4978-ba7e-148d40b25b6c";
X-Request-Memo: ID="14650510-0176-4a7f-b96f-425b7b8c369e"; sc="2"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:46 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"11131-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 11131
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Configuration Reference (7.0.70) - Overview</title><meta name="author" content="Craig R. McClanahan"><style
type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
background-color: #EEEFFF;
}
table.defaultTable th, table.detail-table th {
background-color: #88b;
color: #fff;
}
table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
padding: 5px 8px;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Config Ref. Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a
href="server.html">Server</a></li><li><a
href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a
href="executor.html">Executor</a></li></ul><p><strong>Connectors</strong></p><ul><li><a
href="http.html">HTTP</a></li><li><a
href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a
href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a
href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested
Components</strong></p><u
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/bank/pay-bills.html
Request:
GET /bank/pay-bills.html HTTP/1.1
Referer: http://zero.webappsecurity.com/online-banking.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="6F2723FE7C386DE06B46E4BC6F7523CF";
PSID="0961B4C9AB7ECE8F80F1EFC03677941C"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="278"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b08a0f65-527f-45d2-8a1d-04fd87389665";
X-Request-Memo: ID="908d55a2-13fb-402e-82cb-57de93725b0b"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 302 Found
Date: Mon, 10 Oct 2016 07:52:10 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Location: http://zero.webappsecurity.com/login.html
Content-Length: 0
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Report Date: 10/10/2016
Content-Type: text/html
Page:
http://zero.webappsecurity.com:80/docs/elapi/index.html
Request:
GET /docs/elapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="82703ED3FF1FE7EB55F9833C68BD9964";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="0fcd3620-a2c9-48a7-b968-fb3e787d1d35";
X-Request-Memo: ID="656814d0-5378-4f75-aba7-8f22aebff102"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:48 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1318-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1318
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The EL Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:
http://zero.webappsecurity.com:80/docs/appdev/index.html
Request:
GET /docs/appdev/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="16A0FCA95F27748B361F869AE08E40BF";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="9c8f336d-6c16-4d36-bf1f-618d5455d3d8";
X-Request-Memo: ID="3e48b6e2-1371-49be-b865-795260454474"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8650-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8650
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Application Developer's
Guide (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">App Dev Guide Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="introduction.html">Introduction</a></li><li><a
href="installation.html">Installation</a></li><li><a href="deployment.html">Deployment</a></li><li><a
href="source.html">Source Code</a></li><li><a href="processes.html">Processes</a></li><li><a href="sample/">Example
App</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"
id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td
bgcolor="#525D76"><font color="#ffffff"
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/bank/
Request:
GET /bank/ HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1AE4F834C44267FDE0DE9117CE4C5278";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Relative"; LinkKind="HyperLink";
Locations="Unspecified"; Source="LegacyStaticParser"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="1af0b217-7635-47a2-9805-a91973caae93";
X-Request-Memo: ID="a4a8bcd1-1410-44e0-8907-82e278d28a39"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 302 Found
Date: Mon, 10 Oct 2016 07:51:26 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Location: http://zero.webappsecurity.com/login.html
Content-Length: 0
Set-Cookie: JSESSIONID=238461F5; Path=/; HttpOnly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
Page:
http://zero.webappsecurity.com:80/docs/api/index.html
Request:
GET /docs/api/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1B53504FE25C2CF2D3F3EE454E68D7B2";
PSID="F123B9A3291354F97AC6F79540B0A325"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b5d1aa8-fc58-4652-bc36-0d5a97c93427";
X-Request-Memo: ID="71ce604a-88a5-4466-bfb8-7fc7b99531b1"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:45 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1329-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1329
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Page:
http://zero.webappsecurity.com:80/docs/elapi/
Request:
GET /docs/elapi/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/elapi/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="2CE1DE53F4CF1FCA566114FDBCED92D5";
PSID="82703ED3FF1FE7EB55F9833C68BD9964"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="95"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="41"; smi="0"; sc="1"; ID="bf46b1a5-adb3-4c22-8f66-5315cd71801d";
X-Request-Memo: ID="5791b282-c979-4703-b77b-6a50e9f2cad0"; sc="1"; ThreadId="102";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=EBAB640A
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1318-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1318
Keep-Alive: timeout=5, max=67
Connection: Keep-Alive
<!--Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>API docs</title>
</head>
<body>
The EL Javadoc is not installed by default. Download and install
the "fulldocs" package to get it.
You can also access the javadoc online in the Tomcat
<a href="http://tomcat.apache.org/tomcat-7.0-doc/">
documentation bundle</a>.
</body>
</html>
Page:
http://zero.webappsecurity.com:80/docs/funcspecs/
Request:
GET /docs/funcspecs/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/funcspecs/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="2FBA2CE566E4171CB0A43BE111367406";
PSID="9ED4F10AC6184B9298A6A51C297C202A"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="92"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="c129735e-bc54-496b-9d57-d97a2ebc7697";
X-Request-Memo: ID="472e2d08-dcff-4ae1-92a7-c60c5cfdd5f1"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"8461-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 8461
Keep-Alive: timeout=5, max=32
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Catalina Functional
Specifications (7.0.70) - Table of Contents</title><meta name="author" content="Craig R. McClanahan"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
Catalina Functional Specifications
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Functional Specs</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Administrative Apps</strong></p><ul><li><a
href="fs-admin-apps.html">Overall Requirements</a></li><li><a href="mbean-names.html">Tomcat MBean
Names</a></li><li><a href="fs-admin-objects.html">Administered Objects</a></li><li><a href="fs-adminopers.html">Supported Operations</a></li></ul><p><strong>Internal Servlets</strong></p><ul><li><a href="fsdefault.html">Default Servlet</a></li></ul><p><strong>Realm Implementations</strong></p><ul><li><a href="fs-jdbcrealm.html">JDBC Realm</a></li><li><a href="fs-jndi-realm.html">JNDI Realm</a></li><li><a href="fs-memory-realm.h
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/manager-howto.html
Request:
GET /docs/manager-howto.html HTTP/1.1
Referer: http://zero.webappsecurity.com/manager/html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="112FD5EEB1B0EC04177727EFB7E63F42";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed87c790-51f7-4bb6-9c73-d612e6966286";
X-Request-Memo: ID="fd6d5ffc-7fab-4458-b31d-4099a01505a6"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"81539-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 81539
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7 (7.0.70) Manager App HOW-TO</title><meta name="author" content="Craig R. McClanahan"><style type="text/css" media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
background-color: #eff8ff;
display: table; /* To prevent <pre>s from taking the complete available width. */
/*
When it is officially supported, use the following CSS instead of display: table
to prevent big <pre>s from exceeding the browser window:
max-width: available;
width: min-content;
*/
}
div.codeBox pre.wrap {
white-space: pre-wrap;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="./images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a
href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User
Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1)
Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First
webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5)
Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-managerhowto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a
href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10)
Classloading</a></li><li><a href="jasper-h
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/api/
Request:
GET /docs/api/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/api/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Page:
http://zero.webappsecurity.com:80/docs/jspapi/index.html
Request:
GET /docs/jspapi/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="2972AA34C8A6AF245A423BC19C9CD9CE";
Page:
http://zero.webappsecurity.com:80/admin/index.html
Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CF01A02A1917FDBDF9FF1C597F1495C";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e6f10847-378c-4724-90bc-ac074fc8b5b0";
X-Request-Memo: ID="b4bd0c76-c126-434f-9e68-75ad136db2b2"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=680DCF39
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 6602
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Admin - Home</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<h2 class="board-header">Admin Home</h2>
</div>
</div>
<div class="row">
<div class="span3 well">
<ul class="nav nav-list">
<li class="active"><a href="/admin/index.html">Home</a></li>
<li class="divider"></li>
<li><a href="/admin/users.html">Users</a></li>
<li><a href="/admin/currencies.html">Currencies</a></li>
</ul>
</div>
<div class="span8"></div>
</div>
</div>
</div>
<div class="clearfix push"></div>
</div>
<div class="extra">
<div class="extra-inner">
<div class="container">
<div class="row">
<div class="span4">
<ul>
<li><span id="download_webinspect_link">Download WebInspect</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id="terms_of_use_link">Terms of Use</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/
Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
80
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/docs/architecture/
Request:
GET /docs/architecture/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/architecture/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="330DD67AE1AC14BED34CAA2093BDE5A3";
PSID="629E4A1BA8397C370A60A994699A4485"; SessionType="PathTruncation"; CrawlType="None"; AttackType="None";
OriginatingEngineID="398bfe9e-1b77-4458-9691-603eea06e341"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="0"; Engine="Path+Truncation";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="53"; smi="0"; sc="1"; ID="ad7839ac-dfc5-4af1-b06c-dfc06499c1f6";
X-Request-Memo: ID="4cb9db41-1b9e-4edf-a44f-e1010a448491"; sc="1"; ThreadId="108";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=2313C6AC
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:01:57 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"7656-1466008846000"
Last-Modified: Wed, 15 Jun 2016 16:40:46 GMT
Content-Type: text/html
Content-Length: 7656
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7
Architecture (7.0.70) - Table of Contents</title><meta name="author" content="Yoav Shapira"><style type="text/css"
media="print">
.noPrint {display: none;}
td#mainBody {width: 100%;}
</style><style type="text/css">
code {background-color:rgb(224,255,255);padding:0 0.1em;}
code.attributeName, code.propertyName {background-color:transparent;}
table {
border-collapse: collapse;
text-align: left;
}
table *:not(table) {
/* Prevent border-collapsing for table child elements like <div> */
border-collapse: separate;
}
th {
text-align: left;
}
p.notice {
border: 1px solid rgb(255, 0, 0);
background-color: rgb(238, 238, 238);
color: rgb(0, 51, 102);
padding: 0.5em;
margin: 1em 2em 1em 1em;
}
</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table
border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a
href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
The Apache Tomcat Servlet/JSP Container
" border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font
face="arial,helvetica,sanserif">Version 7.0.70, Jun 15 2016</font></td><td><!--APACHE LOGO--><a
href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo"
border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td
colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap
class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a
href="index.html">Architecture Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a
href="#comments_section">User Comments</a></li></ul><p><strong>Contents</strong></p><ul><li><a
href="index.html">Contents</a></li><li><a href="overview.html">Overview</a></li><li><a href="startup.html">Server
Startup</a></li><li><a href="requestProcess.html">Request Process</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td
width="80%" valign="top" align="left" id="mainBody"><h1>Table of Contents</h1><table border="0" cellspacing="0"
cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a
name="Preface"><strong>Preface</strong></a></font></td></tr><tr><td><blockquote>
<p>This section of the Tomc
...TRUNCATED...
description
http://zero.webappsecurity.com:80/docs/appdev/sample/sample.war
Request:
GET /docs/appdev/sample/sample.war HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/sample/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C80E2163C3B058B420F9C08BCCC51C62";
PSID="B2C4DB9BD43BD67F563C5590060864D1"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="3e19822b-2222-489c-ab42-6a4446fc16ce";
X-Request-Memo: ID="686c8472-e5a7-47a0-b06b-7f9b9014ae51"; sc="1"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:54:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"4606-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Length: 51
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/plain
<truncated>application/x-zip-compressed
Page:
http://zero.webappsecurity.com:80/errors/errors.log
Request:
GET /errors/errors.log HTTP/1.1
Referer: http://zero.webappsecurity.com/errors/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="C32128A8498A56E4E6435B6994687E3A";
PSID="BB23AC8A7B9C89C3DE9576C0FEACCA3F"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="903a6949-6ac8-489d-8c93-bb0ff0a74979";
X-Request-Memo: ID="7fb39035-d4ae-41aa-a0e7-7b0907724343"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:28 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"21684-1368929102000"
Last-Modified: Sun, 19 May 2013 02:05:02 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 21684
Keep-Alive: timeout=5, max=...TRUNCATED...
Informational
Insecure Deployment: Known Application Fingerprint
Page:
description
http://zero.webappsecurity.com:80/admin/index.html
Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/WS_FTP.LOG
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="7080F83BF03970076F4C323DEDEA2BB0";
PSID="DC2EF0E7C935D7C47528CB0D2E9C1565"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="2625804f-5677-4b48-a279-2c736bdc6af0"; AttackSequence="0"; AttackParamDesc="%2fadmin%
2findex.html"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="3872"; Engine="Ws+Ftp+Log+Parser";
SmartMode="NonServerSpecificOnly"; ThreadId="95"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="e258385d-d077-4242-8c30-97be1bd5133e";
X-Request-Memo: ID="341c88c9-8040-448d-8fde-e08b06a8b771"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=02B64950
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 08:06:36 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=82
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Admin - Home</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<h2 class="board-header">Admin Home</h2>
</div>
</div>
<div class="row">
<div class="span3 well">
<ul class="nav nav-list">
<li class="active"><a href="/admin/index.html">Home</a></li>
<li class="divider"></li>
<li><a href="/admin/users.html">Users</a></li>
<li><a href="/admin/currencies.html">Currencies</a></li>
</ul>
</div>
<div class="span8"></div>
</div>
</div>
</div>
<div class="clearfix push"></div>
</div>
<div class="extra">
<div class="extra-inner">
<div class="container">
<div class="row">
<div class="span4">
<ul>
<li><span id="download_webinspect_link">Download WebInspect</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id="terms_of_use_link">Terms of Use</span></li>
</ul>
</div>
<div class="span4">
<ul>
<li><span id
...TRUNCATED...
description
http://zero.webappsecurity.com:80/
Request:
OPTIONS / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="D068159431A1203405281BA8855269F9";
PSID="5691FBE4D5310DEC25DD5EB591F3E328"; SessionType="AuditAttack"; CrawlType="None"; AttackType="None";
OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10282"; Engine="Request+Modify";
SmartMode="NonServerSpecificOnly"; ThreadId="89"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="47"; smi="0"; sc="1"; ID="f2f6015c-e92a-48fe-8a65-552e7459deeb";
X-Request-Memo: ID="60829663-f488-47fe-89c4-54906b05ae3e"; sc="1"; ThreadId="105";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:58 GMT
Server: ...TRUNCATED...
Best Practices
Compliance Failure: Missing Privacy Policy
Page:
description
http://zero.webappsecurity.com:80/
Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Zero - Personal Banking - Loans - Credit Cards</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link type="text/css" rel="stylesheet" href="/resources/css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/font-awesome.css"/>
<link type="text/css" rel="stylesheet" href="/resources/css/main.css"/>
<script src="/resources/js/jquery-1.8.2.min.js"></script>
<script src="/resources/js/bootstrap.min.js"></script>
<script src="/resources/js/placeholders.min.js"></script>
<script type="text/javascript">
Placeholders.init({
live: true, // Apply to future and modified elements too
hideOnFocus: true // Hide the placeholder when the element receives focus
});
</script>
<script type="text/javascript">
$(document).ajaxError(function errorHandler(event, xhr, ajaxOptions, thrownError) {
if (xhr.status == 403) {
window.location.reload();
}
});
</script>
</head>
<body>
<div class="wrapper">
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a href="/index.html" class="brand">Zero Bank</a>
<div>
<ul class="nav float-right">
<li> <form action="/search.html"
class="navbar-search pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>
<button id="signin_button" type="button" class="signin btn btn-info">
<i class="icon-signin"></i>Signin
</button>
</li>
</ul>
</div>
</div>
</div>
</div>
<script type="text/javascript">
$(function() {
var path = "/";
$("#signin_button").click(function(event) {
event.preventDefault();
window.location.href = path + "login" + ".html";
});
});
</script>
<div class="container">
<div class="top_offset">
<div class="row">
<div class="span12">
<div id="nav" class="clearfix">
<ul id="pages-nav">
<li id="homeMenu"><div><strong>Home</strong></div></li>
<li id="onlineBankingMenu"><div><strong>Online Banking</strong></div></li>
<li id="feedback"><div><strong>Feedback</strong></div></li>
</ul>
</div>
</div>
<script type="text/javascript">
$(function () {
var path = "/";
var featureIdToName = {
"index": "homeMenu",
"online-banking": "onlineBankingMenu",
"feedback": "feedback"
};
if (document.location.href.match(".*" + path + "$") != null) {
$("#homeMenu").addClass("active");
} else {
$.each(featureIdToName, function(featureId, featureName) {
if (document.location.href.indexOf(featureId + ".html") >= 0) {
$("#" + featureName).addClass("active");
}
});
}
$.each(featureIdToName, function(featureId, featu
...TRUNCATED...
description
http://zero.webappsecurity.com:80/
Request:
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="ExternalAddedToCrawl";
CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="86";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="24b6c858-ec1a-49e2-a09a-7d7c72242eb4";
X-Request-Memo: ID="a84d2393-837c-4185-b786-183812f9e186"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:21 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 12456
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/currencies-add.html
Request:
GET /admin/currencies-add.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/currencies.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="1196B0700885BAA2AD346331C45F4326";
PSID="0CE5ABD84AD968C95357799ACE262859"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ef7f353c-3e9d-4e37-b8a6-6fd4b408ac64";
X-Request-Memo: ID="6b4a2ec9-b1da-46b3-941c-55a17f95dd47"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:10 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Length: 8561
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/online-banking.html
Request:
GET /online-banking.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0961B4C9AB7ECE8F80F1EFC03677941C";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="2417e755-ecd4-476f-bab2-545851db8ef2";
X-Request-Memo: ID="3d024962-1255-43ef-accb-b591ed98e3ac"; sc="1"; ThreadId="96";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:13 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 11338
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/currencies.html
Request:
GET /admin/currencies.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CE5ABD84AD968C95357799ACE262859";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="606cd668-ba36-4158-9d34-e877b5e4800e";
X-Request-Memo: ID="a38c463b-f21e-483b-b432-9225a2ec0089"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=AF5EC584
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 10569
...TRUNCATED...pull-right" style="padding-right: 20px">
Page:
http://zero.webappsecurity.com:80/admin/index.html
Request:
GET /admin/index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="0CF01A02A1917FDBDF9FF1C597F1495C";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="e6f10847-378c-4724-90bc-ac074fc8b5b0";
X-Request-Memo: ID="b4bd0c76-c126-434f-9e68-75ad136db2b2"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=680DCF39
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Length: 6602
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/index.html
Request:
GET /index.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="8E73B3A63EFE2AADE20745A947151EB3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="4a1b3643-8285-4215-a9a5-d69cb8fcec75";
X-Request-Memo: ID="c004c495-5a88-4e8a-986e-61fe5c86b0e3"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Page:
http://zero.webappsecurity.com:80/admin/users.html
Request:
GET /admin/users.html HTTP/1.1
Referer: http://zero.webappsecurity.com/admin/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="810BCB46E8C09C737ECDC561083681F4";
PSID="B09C4D5CC22F10C01D9D84418780B93D"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="280";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="7916c964-49d2-4e52-a3d3-5fc08c602847";
X-Request-Memo: ID="3811efb9-c4e3-4c9a-a336-fae774879fd7"; sc="1"; ThreadId="97";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=400B9B5C
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:27 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Length: 10793
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/search.html?searchTerm=12345
Request:
GET /search.html?searchTerm=12345 HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="4FB1E28C3A3C661502F583F3EA8F6277";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="282";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="47285469-80aa-457f-b7a7-463caf37d211";
X-Request-Memo: ID="7c5328cd-1699-4712-b23e-8d196c922a1c"; sc="1"; ThreadId="98";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:12 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Length: 7710
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/sendFeedback.html
Request:
POST /sendFeedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/feedback.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="A8191E30A6A6D05B7ECBC975A580DB55";
PSID="EA0F5B4A7B2D5822D3AE6FEB6AC0B160"; SessionType="Crawl"; CrawlType="Form"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="action"; Format="Relative";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="ed4543ab-71ec-4a96-9342-8d2a2fcf61d6";
X-Request-Memo: ID="43763112-cd18-42cc-8477-6bef3d5757c9"; sc="2"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
name=Jason&email=John.Doe%40somewhere.com&subject=12345&comment=12345&submit=Send%20Message
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:52:07 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 6647
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/admin/
Request:
GET /admin/ HTTP/1.1
Referer: http://zero.webappsecurity.com/resources/js/placeholders.min.js
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Audit.Attack"; SID="B09C4D5CC22F10C01D9D84418780B93D";
PSID="511D6DB521E43A071D015EA7E62869D3"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search";
OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10210"; Engine="Directory+Enumeration";
SmartMode="NonServerSpecificOnly"; ThreadId="88"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sid="39"; smi="0"; sc="1"; ID="44b684c9-a38e-482f-b7ae-2cf445d55017";
X-Request-Memo: ID="797be3c0-690f-46e4-a978-485cb342bb23"; sc="1"; ThreadId="101";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:11 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Length: 6602
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED...
Page:
http://zero.webappsecurity.com:80/feedback.html
Request:
GET /feedback.html HTTP/1.1
Referer: http://zero.webappsecurity.com/
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="EA0F5B4A7B2D5822D3AE6FEB6AC0B160";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="Script"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; Format="Qualified"; LinkKind="HyperLink";
Locations="Unspecified"; Source="ScriptExecution"; ThreadId="280"; ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="de93f96d-9d6a-49c5-a412-bd229fb62e64";
X-Request-Memo: ID="904411d1-9183-4395-bae3-a54905ef5a19"; sc="1"; ThreadId="100";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:51:25 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 9243
...TRUNCATED...pull-right" style="padding-right: 20px">
<input type="text" id="searchTerm" name="searchTerm" class="search-query" placeholder="Search"/>
</form>
</li>
<li>...TRUNCATED..."controls pictured">
<input type="text" id="name" name="name"
placeholder="Your Name" required="" tabindex="1"/>
<i class="icon-user"...TRUNCATED..."controls pictured">
<input type="text" id="email" name="email"
placeholder="Your email address" required=""
tabindex="2"/>
<i class="icon-envel...TRUNCATED..."controls
pictured">
description
http://zero.webappsecurity.com:80/resources/js/placeholders.min.js
Request:
GET /resources/js/placeholders.min.js HTTP/1.1
Referer: http://zero.webappsecurity.com/
Host: zero.webappsecurity.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-AscRawUrl: /resources/js/placeholders.min.js
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="511D6DB521E43A071D015EA7E62869D3";
PSID="306E42D0F653E7CFA6720D7F15AE506B"; SessionType="Crawl"; CrawlType="ScriptInclude"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="216"; ThreadType="JScriptEvent";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="6b3b66bc-ee7e-418f-a2ff-72824c2c8770";
X-Request-Memo: ID="ba10ebcc-36c7-4b8b-a7d2-a65d07b35ed5"; sc="1"; ThreadId="216";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:50:31 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"5615-1360116138000"
Last-Modified: Wed, 06 Feb 2013 02:02:18 GMT
Cache-Control: max-age=2678400
Expires: Thu, 10 Nov 2016 07:50:31 GMT
Content-Type: application/javascript;charset=UTF-8
Content-Length: 5615
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
...TRUNCATED...
Web Server Misconfiguration: Insecure Content-Type Setting
Page:
description
http://zero.webappsecurity.com:80/docs/appdev/sample/
Request:
GET /docs/appdev/sample/ HTTP/1.1
Referer: http://zero.webappsecurity.com/docs/appdev/index.html
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: zero.webappsecurity.com
Connection: Keep-Alive
X-WIPP: AscVersion=16.10.463.10
X-Scan-Memo: Category="Crawl"; SID="B2C4DB9BD43BD67F563C5590060864D1";
PSID="16A0FCA95F27748B361F869AE08E40BF"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None";
OriginatingEngineID="00000000-0000-0000-0000-000000000000"; AttributeName="href"; Format="NonRooted";
LinkKind="HyperLink"; Locations="HtmlNode"; Source="ScriptExecution"; ThreadId="278";
ThreadType="CrawlBreadthFirstDBReader";
X-RequestManager-Memo: sid="35"; smi="0"; sc="1"; ID="b67d6926-e16e-4203-8af2-9905667eb186";
X-Request-Memo: ID="aecfdea2-744b-43a1-a28c-4004b66050ab"; sc="2"; ThreadId="99";
Cookie: CustomCookie=WebInspect118192ZXBCBF207B310B41649F99E1C6602870C9Y9798;JSESSIONID=238461F5
Response:
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 07:53:20 GMT
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
ETag: W/"1852-1466008838000"
Last-Modified: Wed, 15 Jun 2016 16:40:38 GMT
Content-Type: text/html
Content-Length: 1852
Keep-Alive: timeout=5, max...TRUNCATED...
Description
The most common cause of an unhandled exception is a failure to properly sanitize client-supplied data that is used in SQL
statements. They can also be caused by a bug in the web application's database communication code, a misconfiguration of
database connection settings, an unavailable database, or any other reason that would cause the application's database driver
to be unable to establish a working session with the server. The problem is not that web applications generate errors. All web
applications in their normal course of operation will at some point receive an unhandled exception. The problem lies not in
that these errors were received, but rather in how they are handled. Any error handling solution needs to be well-designed,
and uniform in how it handles errors. For instance, assume an attacker is attempting to access a specific file. If the request
returns a "File Not Found" error, the attacker can be relatively sure the file does not exist. However, if the error returns
"Permission Denied," the attacker has a fairly good idea that the specific file does exist. This can be helpful to an attacker in
many ways, from determining the operating system to discovering the underlying architecture and design of the application.
The error message may also contain the location of the file that contains the offending function. This may disclose the
webroot's absolute path as well as give the attacker the location of application "include" files or database configuration
information. A fundamental necessity for a successful attack upon your web application is reconnaissance. Database server
error messages can provide information that can then be utilized when the attacker is formulating his next method of attack.
It may even disclose the portion of code that failed.
Be aware that this check is part of unknown application testing which seeks to uncover new vulnerabilities in both custom and
commercial software. Because of this, there are no specific patches or remediation information for this issue. Please note that
this vulnerability may be a false positive if the page it is flagged on is technical documentation relating to a database server.
Execution
The ways in which an attacker can exploit the conditions that caused the error depend on its cause. In the case of SQL
injection, the techniques that are used will vary from database server to database server, and even query to query. An in-depth guide to SQL Injection attacks is available at http://download.hpsmartupdate.com/asclabs/sql_injection.pdf, or in the
SQL Injection vulnerability information, accessible via the Policy Manager. Primarily, the information gleaned from database
server error messages is what will allow an attacker to conduct a successful attack after he combines his various findings.
Implication
The severity of this vulnerability depends on the reason that the error message was generated. In most cases, it will be the
result of the web application attempting to use an invalid client-supplied argument in a SQL statement, which means that SQL
injection will be possible. If so, an attacker will at least be able to read the contents of the entire database arbitrarily.
Depending on the database server and the SQL statement, deleting, updating and adding records and executing arbitrary
commands may also be possible. If a software bug is responsible for triggering the error, the potential impact will vary,
depending on the circumstances. The location of the application that caused the error can be useful in facilitating other kinds
of attacks. If the file is a hidden or include file, the attacker may be able to gain more information about the mechanics of the
web application, possibly even the source code. Application source code is likely to contain usernames, passwords, database
connection strings and aids the attacker greatly in discovering new vulnerabilities.
Fix
For Development:
From a development perspective, the best method of preventing problems from arising from database error messages is to
adopt secure programming techniques that prevent problems that might arise from an attacker discovering too much
information about the architecture and design of your web application. The following recommendations can be used as a basis
for that.
Stringently define the data type (for instance, a string, an alphanumeric character, etc) that the application will accept.
Use what is good instead of what is bad. Validate input for improper characters.
Do not display error messages to the end user that provide information (such as table names) that could be utilized in
orchestrating an attack.
Define the allowed set of characters. For instance, if a field is to receive a number, only let that field accept numbers.
Define the maximum and minimum data lengths for what the application will accept.
Specify acceptable numeric ranges for input.
For Security Operations:
The following recommendations will help in implementing a secure database protocol for your web application. Be advised
each database has its own method of secure lock down.
ODBC Error Messaging: Turn off ODBC error messaging in your database server. Never display raw ODBC or other
errors to the end user. See Removing Detailed Error Messages below, or consult your database server's documentation,
for more information.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems.
Do not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes
them less susceptible to SQL Injection attacks.
Database Privileges: Utilize a least-privileges scheme for the database application. Ensure that user accounts only
have the limited functionality that is actually required. All database mechanisms should deny access until it has been
granted, not grant access until it has been denied.
For QA:
In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site. If the unhandled exception occurs in a
piece of in-house developed software, consult the developer. If it is in a commercial package, contact technical support.
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker?
Reference
HP:
HP Application Security Center SQL Injection Whitepaper
Apache:
Apache HTTP Server Version 1.3 Custom Error Responses
Apache HTTP Server Version 2.0 Custom Error Responses
Microsoft:
Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes
Classifications
Cross-Site Scripting vulnerability found in Get parameter question. The following attack uses plain encoding:
<sCrIpT>alert(74867)</sCrIpT>
Cross-Site Scripting vulnerabilities were verified as executing code on the web application. Cross-Site Scripting occurs when
dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an
attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that
views the site. In this instance, the web application was vulnerable to an automatic payload, meaning the user simply has to
visit a page to make the malicious scripts execute. If successful, Cross-Site Scripting vulnerabilities can be exploited to
manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential
information, or execute malicious code on end user systems. Recommendations include implementing secure programming
techniques that ensure proper filtration of user-supplied data, and encoding all user supplied data to prevent inserted scripts
being sent to end users in a format that can be executed.
Execution
View the attack string included with the request to check what to search for in the response. For instance, if "(javascript:alert
('XSS')" is submitted as an attack (or another scripting language), it will also appear as part of the response. This indicates
that the web application is taking values from the HTTP request parameters and using them in the HTTP response without
first removing potentially malicious data.
Implication
XSS can generally be subdivided into two categories: stored and reflected attacks. The main difference between the two is in
how the payload arrives at the server. Stored attacks are just that...in some form stored on the target server, such as in a
database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his
browser when a request is made for the stored information. Reflected attacks, on the other hand, come from somewhere else.
This happens when user input from a web client is immediately included via server-side scripts in a dynamically generated
web page. Via some social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form, to
submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server. The implication of each
kind of attack is the same.
The main problems associated with successful Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.
Fix
For Development:
Cross-Site Scripting attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server-side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to sanitize all input before it is displayed to the client.
PHP: string htmlspecialchars (string string [, int quote_style])
ASP.NET: Server.HTMLEncode (strHTML String)
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases:
s = s.replace(/&/g,'&amp;').replace(/"/g,'&quot;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/'/g,'&#39;'); // replace & first, and use the g flag on every pattern so all occurrences are encoded, not only the first
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
For Security Operations:
Server-side encoding, where all dynamic content is first sent through an encoding function where Scripting tags will be
replaced with codes in the selected character set, can help to prevent Cross-Site Scripting attacks.
Many web application platforms and frameworks have some built-in support for preventing Cross-Site Scripting. Make sure
that any built-in protection is enabled for your platform. In some cases, a misconfiguration could allow Cross-Site Scripting. In
ASP.NET, if a page's EnableViewStateMac property is set to False, the ASP.NET view state can be used as a vector for Cross-Site Scripting.
An IDS or IPS can also be used to detect or filter out XSS attacks. Below are a few regular expressions that will help detect
Cross-Site Scripting.
Regex for a simple XSS attack:
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
The above regular expression would be added into a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-Site Scripting attempt";
flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:Web-application-attack;
sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/I
This signature simply looks for the opening HTML tag, and its hex equivalent, followed by one or more characters other than
the new line, and then followed by the closing tag or its hex equivalent. This may end up giving a few false positives
depending upon how your web application and web server are structured, but it is guaranteed to catch anything that even
remotely resembles a Cross-Site Scripting attack.
For QA:
Fixes for Cross-Site Scripting defects will ultimately require code-based fixes. Read the following links for more information
about manually testing your application for Cross-Site Scripting.
Reference
OWASP Cross-Site Scripting Information
https://www.owasp.org/index.php/XSS
Microsoft
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985
Microsoft Anti-Cross Site Scripting Library
https://msdn.microsoft.com/en-us/security/aa973814.aspx
CERT
http://www.cert.org/advisories/CA-2000-02.html
Apache
http://httpd.apache.org/info/css-security/apache_specific.html
SecurityFocus.com
http://www.securityfocus.com/infocus/1768
Classifications
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
http://cwe.mitre.org/data/definitions/82.html
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
http://cwe.mitre.org/data/definitions/83.html
CWE-87: Improper Neutralization of Alternate XSS Syntax
http://cwe.mitre.org/data/definitions/87.html
Cross-Site Scripting vulnerability found in Post parameter name. Triggering this vulnerability requires user action. The
following attack uses plain encoding:
<a HrEf=JaVaScRiPt:alert(87287)>
Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not
properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the
machine of any user that views the site. User interaction vulnerabilities such as this one require the user to trigger the
execution of the malicious scripts via an action such as clicking a link or moving the mouse pointer over text. If successful,
Cross-Site Scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for
those of a valid user, compromise confidential information, or execute malicious code on end user systems. Recommendations
include implementing secure programming techniques that ensure proper filtration of user-supplied data, and encoding all
user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.
Execution
View the attack string included with the request to check what to search for in the response. For instance, if "(javascript:alert
('XSS')" is submitted as an attack, it will also appear as part of the response. This indicates that the web application is taking
values from the HTTP request parameters and using them in the HTTP response without first removing potentially malicious
data.
Implication
XSS can generally be subdivided into two categories: stored and reflected attacks. The main difference between the two is in
how the payload arrives at the server. Stored attacks are just that...in some form stored on the target server, such as in a
database, or via a submission to a bulletin board or visitor log. The victim will retrieve and execute the attack code in his
browser when a request is made for the stored information. Reflected attacks, on the other hand, come from somewhere else.
This happens when user input from a web client is immediately included via server-side scripts in a dynamically generated
web page. Via some social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form, to
submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server. The implication of each
kind of attack is the same.
The main problems associated with successful Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.
Fix
For Development:
Cross-Site Scripting attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server-side scripting languages provide built-in methods to convert the value of an input variable into correct, non-interpretable HTML. These should be used to sanitize all input before it is displayed to the client.
PHP: string htmlspecialchars (string string [, int quote_style])
ASP.NET: Server.HTMLEncode (strHTML String)
Report Date: 10/10/2016
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases:
s = s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/'/g, '&#39;');
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
For Security Operations:
Server-side encoding, in which all dynamic content is first passed through an encoding function that replaces scripting tags
with character codes in the selected character set, can help to prevent Cross-Site Scripting attacks.
Many web application platforms and frameworks have some built-in support for preventing Cross-Site Scripting. Make sure
that any built-in protection is enabled for your platform. In some cases, a misconfiguration could allow Cross-Site Scripting. In
ASP.NET, if a page's EnableViewStateMac property is set to False, the ASP.NET view state can be used as a vector for Cross-Site Scripting.
An IDS or IPS can also be used to detect or filter out XSS attacks. Below are a few regular expressions that will help detect
Cross-Site Scripting.
Regex for a simple XSS attack:
/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
The above regular expression would be added into a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-Site Scripting attempt";
flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:Web-application-attack;
sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/i
This signature simply looks for the opening HTML tag, and its hex equivalent, followed by one or more characters other than
the new line, and then followed by the closing tag or its hex equivalent. This may end up giving a few false positives
depending upon how your web application and web server are structured, but it is guaranteed to catch anything that even
remotely resembles a Cross-Site Scripting attack.
For QA:
Fixes for Cross-Site Scripting defects will ultimately require code-based fixes. Read the HP Cross-Site Scripting white paper for
more information about manually testing your application for Cross-Site Scripting.
Reference
OWASP Cross-Site Scripting Information:
https://www.owasp.org/index.php/XSS
Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q252985
Microsoft Anti-Cross Site Scripting Library
https://msdn.microsoft.com/en-us/security/aa973814.aspx
CERT:
http://www.cert.org/advisories/CA-2000-02.html
Apache:
http://httpd.apache.org/info/css-security/apache_specific.html
SecurityFocus.com:
http://www.securityfocus.com/infocus/1768
Classifications
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
http://cwe.mitre.org/data/definitions/82.html
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
http://cwe.mitre.org/data/definitions/83.html
CWE-87: Improper Neutralization of Alternate XSS Syntax
http://cwe.mitre.org/data/definitions/87.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-692: Incomplete Blacklist to Cross-Site Scripting
http://cwe.mitre.org/data/definitions/692.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Implication
Social Security Numbers are a highly sought out prize for attackers, and an item to which a large percentage of time would be
dedicated in an effort to find. At a minimum, this can lead to theft of the victim's identity.
Fix
When sensitive data needs to be available on your web application, mask part of the data so this information is not fully
disclosed.
Here are a few examples:
Social Security Numbers:
***-**-1234
123-**-****
Reference
Classifications
Execution
To verify the exploit, click the following link: http://zero.webappsecurity.com:80/server-status
Implication
A basic requirement for a successful attack upon your web application is reconnaissance. An attacker will employ a variety of
methods, including malicious scanning agents and Google searches, to find out as much information about your web
application as possible. The attacker can then use that information to formulate the next method of attack. An attacker who
discovers sensitive system information has had a large portion of reconnaissance conducted for him or her.
Fix
For Security Operations:
For security reasons, you should restrict access to the server-status page in your web server configuration. To do this,
comment out the following lines in the httpd.conf file:
<Location /server-status>
SetHandler server-status
</Location>
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions
to prevent problems that can occur from an attacker discovering sensitive system information about your application.
Primarily, this problem will be resolved by the web application server administrator or security operations. However, there are
certain actions you can take that will help to secure your web application and make it harder for an attacker to conduct a
successful attack.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
Do not reveal information in pathnames that are publicly displayed. Do not include drive letters or directories outside of
the web document root in the pathname when a file must call another file on the web server. Use pathnames that are
relative to the current directory or the webroot.
Do not display error messages to the end user that provide information, such as directory names, that could be used in
orchestrating an attack.
Restrict access to important files or directories only to those who actually need it.
For QA:
This assessment performs the rote tasks of determining the directories and contents that are available via your web
application. For reasons of security, it is important to test the web application not only from the perspective of a normal user,
but also from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application
for security defects. Access your web application from outside your firewall or IDS. Use Google or another search engine to
ensure that searches for vulnerable files or directories do not return information regarding your web application. For example,
an attacker will use a search engine, and search for directory listings such as 'index of / cgi-bin'. Make sure that your directory
structure is not obvious, and that only files that are necessary are capable of being accessed.
Reference
Apache Documentation
Configuration Files
Apache Module mod_status
Classifications
Execution
Browse to http://zero.webappsecurity.com:80/faq.html.bak and inspect the content. The response should return HTTP
status code 200 and should not match the target site's file-not-found response.
Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.
Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for the application to work properly.
Development Backup: Source code backups should not be stored and left available on the webroot.
Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.
Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure
Classifications
Execution
Browse to http://zero.webappsecurity.com:80/index.html.old and inspect the content. The response should return HTTP
status code 200 and should not match the target site's file-not-found response.
Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.
Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for the application to work properly.
Development Backup: Source code backups should not be stored and left available on the webroot.
Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.
Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure
Classifications
Fix
For Security Operations:
Remove the application from the server. Inform developers and administrators to remove test applications from servers when
they are no longer needed. While they are in use, be sure to protect them using HTTP basic authentication.
For Development:
Contact your security or network operations team and request they investigate the issue.
For QA:
Contact your security or network operations team and request they investigate the issue.
Reference
Classifications
Execution
Browse to http://zero.webappsecurity.com:80/index.old and inspect the content. The response should return HTTP
status code 200 and should not match the target site's file-not-found response.
Implication
An attacker can use the information obtained from the backup file of a sensitive document to craft a precise targeted attack
against the web application. Such attacks can include, but are not limited to, SQL injection, remote file system access to
overwrite or inject malware, and database manipulation.
Fix
Webroot Security Policy: Implement a security policy that prohibits storage of backup files in webroot.
Temporary Files: Many tools and editors automatically create temporary files or backup files in the webroot. Be careful
when editing files on a production server to avoid inadvertently leaving a backup or temporary copy of the file(s) in the
webroot.
Default Installations: Often, a lot of unnecessary files and folders are installed by default. For instance, IIS installations
include demo applications. Be sure to remove any files or folders that are not required for the application to work properly.
Development Backup: Source code backups should not be stored and left available on the webroot.
Further QA can include test cases to look for the presence of backup files in the webroot to ensure none are left in publicly
accessible folders of the web application.
Reference
OWASP - Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
CWE - 200 Information Exposure
Classifications
Implication
An attacker who exploited this design vulnerability would be able to utilize the information to escalate their method of attack,
possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution of actions not intended by
the application developers.
Fix
For Security Operations:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For Development:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
For QA:
Test the application not only from the perspective of a normal user, but also from the perspective of a malicious one.
Reference
Classifications
Implication
An attacker who exploited this design vulnerability would be able to utilize the information to escalate their method of attack,
possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution of actions not intended by
the application developers.
Fix
For Security Operations:
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
Reference
Classifications
Implication
An attacker who exploited this design vulnerability would be able to utilize the information to escalate their method of attack,
possibly leading to impersonation of a legitimate user, the theft of proprietary data, or execution of actions not intended by
the application developers.
Fix
Ensure that sensitive areas of your web application have proper encryption protocols in place to prevent login information and
other data that could be helpful to an attacker from being intercepted.
Reference
Advisory: http://www.kb.cert.org/vuls/id/466433
Classifications
http://cwe.mitre.org/data/definitions/287.html
Kingdom: API Abuse
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Execution
Create a test page containing an HTML iframe tag whose src attribute is set to http://zero.webappsecurity.com:80/login.html.
Successful framing of the target page indicates the application's susceptibility to XFS.
Note that WebInspect will report only one instance of this check across each host within the scope of the scan. The other
visible pages on the site may, however, be vulnerable to XFS as well and hence should be protected against it with an
appropriate fix.
Implication
A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation
of this weakness could result in:
Hijacking of user events such as keystrokes
Theft of sensitive information
Execution of privileged functionality through combination with Cross-Site Request Forgery attacks
Fix
Browser vendors have introduced and adopted a policy-based mitigation technique using the X-Frame-Options header.
Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an
iframe. Developers must set the X-Frame-Options header to one of the following permitted values:
DENY
Deny all attempts to frame the page
SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
ALLOW-FROM origin
Developers can specify a list of trusted origins in the origin attribute. Only pages on origin are permitted to load this page
inside an iframe
Developers must also use client-side frame busting JavaScript as a protection against XFS. This will enable users of older
browsers that do not support the X-Frame-Options header to also be protected from clickjacking attacks.
Reference
HP 2012 Cyber Security Report
The X-Frame-Options header - a failure to launch
Server Configuration:
IIS
Apache, nginx
Specification:
X-Frame-Options IETF Draft
OWASP:
Clickjacking
Frame Busting:
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
OWASP: Busting Frame Busting
Classifications
Execution
Click http://zero.webappsecurity.com:80/search.html?searchTerm=${5914%2b2593} to verify the vulnerability in a web
browser.
Implication
Expression Language injection vulnerabilities can be used to steal sensitive application information as well as bypass
HTTPOnly cookie access restrictions. The impact depends on the information available within the application's context.
Fix
The vulnerability can be fixed by upgrading to Spring framework versions 3.1 and above.
For versions below 3.1 (3.0.6 onwards, 2.5.6.SEC03 onwards and 2.5.7.SR02 onwards), set the value of the
springJspExpressionSupport context parameter to false.
Reference
Vendor:
SpringSource
Advisory:
Expression Language Injection
CVE:
CVE-2011-2730
Expression Language:
Expression Language Specification
Classifications
Execution
http://zero.webappsecurity.com:80/errors/
Implication
Risks associated with an attacker discovering a Directory Listing on your application server depend upon what type of
directory is discovered, and what types of files are contained within it. The primary threat from an accessible Directory Listing
is that hidden files such as data files, source code, or applications under development will then be visible to a potential
attacker. In addition to accessing files containing sensitive information, other risks include an attacker utilizing the information
discovered in that directory to perform other types of attacks.
Fix
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions to
prevent problems that can occur from an attacker finding a Directory Listing. Primarily, this problem will be resolved by the
web application server administrator. However, there are certain actions you can take that will help to secure your web
application.
Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
For Security Operations:
One of the most important aspects of web application security is to restrict access to important files or directories only to
those individuals who actually need to access them. Ensure that the private architectural structure of your web application is
not exposed to anyone who wishes to view it as even seemingly innocuous directories can provide important information to a
potential attacker.
The following recommendations can help to ensure that you are not unintentionally allowing access to either information that
could be utilized in conducting an attack or propriety data stored in publicly accessible directories.
Turn off the Automatic Directory Listing feature in whatever application server package that you utilize.
Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible.
Don't follow standard naming procedures for hidden directories. For example, don't create a hidden directory called "cgi"
that contains cgi scripts. Obvious directory names are just that...readily guessed by an attacker.
Remember, the harder you make it for an attacker to access information about your web application, the more likely it is that
he will simply find an easier target.
For QA:
For reasons of security, it is important to test the web application not only from the perspective of a normal user, but also
from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application for
security defects. Access your web application from outside your firewall or IDS. Utilize Google or another search engine to
ensure that searches for vulnerable files do not return information regarding your web application. For example, an
attacker will utilize a search engine, and search for directory listings such as the following: "index of / cgi-bin". Make sure that
your directory structure is not obvious, and that only files that are necessary are capable of being accessed.
Reference
Apache:
Security Tips for Server Configuration
Protecting Confidential Documents at Your Site
Securing Apache - Access Control
IIS:
Implementing NTFS Standard Permissions on Your Web Site
Netscape:
Controlling Access to Your Server
General:
Password-protecting web pages
Web Security
Classifications
Execution
Click the following link to examine the contents of the WS_FTP log file discovered on your web application server.
http://zero.webappsecurity.com:80/admin/WS_FTP.LOG
Implication
When WS_FTP is used to transfer files, a log file called 'ws_ftp.log' is created on the server. This log file contains records of
every file that is accessed by WS_FTP, which could possibly contain very valuable information to an attacker because it may
list files that are otherwise "hidden." This often includes administrative or maintenance applications, web application
configuration files, applications-in-development, backed-up application source code and possible application data files.
Primarily, WS_FTP log files are valuable to attackers because they display all files in a directory, not just ones that are
intended to be used. How easy is it for an attacker to take advantage of an insecure web application via the discovery of a
WS_FTP log file on your web application server? Often, this is as simple as typing in the name of the file garnered directly
from the WS_FTP log files. In essence, gaining access to a WS_FTP log file greatly reduces the amount of effort a potential
attacker must employ to gain knowledge of your web application.
A fundamental necessity for a successful attack upon your web application is reconnaissance. An attacker will employ a variety
of methods, including malicious scanning agents and Google searches, to find out as much information about your web
application as possible. That information can then be utilized when the attacker is formulating his next method of attack. An
attacker who finds a WS_FTP log file has had a large portion of his reconnaissance conducted for him.
Fix
For Development:
Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions
to prevent problems that can occur from an attacker finding a WS_FTP log file. Primarily, this problem will be resolved by the
web application server administrator. However, there are certain actions you can take that will help to secure your web
application.
Restrict access to important files or directories only to those who actually need it.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
For Security Operations:
There are two primary actions to take to eliminate the risk of a WS_FTP log file vulnerability.
Manually remove the WS_FTP log file from the application server.
Configure WS_FTP so that it does not create log files on servers.
One of the most important aspects of web application security is to restrict access to important files or directories only to
those individuals who actually need to access them. Ensure that the private architectural structure of your web application is
not exposed to anyone who wishes to view it as even seemingly innocuous directories can provide important information to a
potential attacker.
The following recommendations can help to ensure that you are not unintentionally allowing access to either information that
could be utilized in conducting an attack or propriety data stored in publicly accessible directories.
Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not
reveal the locations of directories best left confidential.
Restrict access to important files or directories only to those who actually need it.
Don't follow standard naming procedures for hidden directories. For example, don't create a hidden directory called "cgi"
that contains cgi scripts. Obvious directory names are just that...readily guessed by an attacker.
Remember, the harder you make it for an attacker to access information about your web application, the more likely it is that
he will simply find an easier target.
For QA:
For reasons of security, it is important to test the web application not only from the perspective of a normal user, but also
from that of a malicious one. Whenever possible, adopt the mindset of an attacker when testing your web application for
security defects. Access your web application from outside your firewall or IDS. Utilize Google or another search engine to
ensure that searches for vulnerable files do not return information regarding your web application. For example, an
attacker will utilize a search engine, and search for directory listings such as the following: "index of / cgi-bin". Make sure that
your directory structure is not obvious, and that only files that are necessary are capable of being accessed.
Reference
IIS:
Microsoft IIS FTP Information
General:
Password-protecting web pages
Web Security
FTP Clients
Classifications
HTML tag injection vulnerabilities were identified on this web application. HTML tag injections are used to aid in Cross-Site
Request Forgeries and phishing attacks against third-party web sites, and can often double as Cross-Site Scripting
vulnerabilities. Recommendations include implementing secure programming techniques that ensure proper filtration of user-supplied data, and encoding all user-supplied data to prevent inserted scripts from being sent to end users in a format that can be
executed.
Execution
If the session is vulnerable to a HTML Tag Injection attack, the same HTML sent in the request will also appear as part of the
response. View the attack string included with the request to check what to search for in the response. This indicates that the
web application is taking values from the HTTP request parameters and using them in the HTTP response without first
removing potentially malicious HTML.
Implication
HTML tag injection often has implications that are identical to Cross-Site Scripting, and can generally be subdivided into two
categories: stored and reflected attacks. The main difference between the two is in how the payload arrives at the server.
Stored attacks are just that...in some form stored on the target server, such as in a database, or via a submission to a bulletin
board or visitor log. The victim will retrieve and execute the attack code in his browser when a request is made for the stored
information. Reflected attacks, on the other hand, come from somewhere else. This happens when user input from a web
client is immediately included via server-side scripts in a dynamically generated web page. Via some social engineering, an
attacker can trick a victim, such as through a malicious link or "rigged" form, to submit information which will be altered to
include attack code and then sent to the legitimate server. The injected code is then reflected back to the user's browser
which executes it because it came from a trusted server. The implication of each kind of attack is the same.
The main problems associated with successful HTML tag injection & Cross-Site Scripting attacks are:
Account hijacking - An attacker can hijack the user's session before the session cookie expires and take actions with the
privileges of the user who accessed the URL, such as issuing database queries and viewing the results.
Malicious script execution - Users can unknowingly execute JavaScript, VBScript, ActiveX, HTML, or even Flash content
that has been inserted into a dynamically generated page by an attacker.
Worm propagation - With Ajax applications, XSS can propagate somewhat like a virus. The XSS payload can
autonomously inject itself into pages, and easily re-inject the same host with more XSS, all of which can be done with no
hard refresh. Thus, XSS can send multiple requests using complex HTTP methods to propagate itself invisibly to the user.
Information theft - Via redirection and fake sites, attackers can connect users to a malicious server of the attacker's
choice and capture any information entered by the user.
Denial of Service - Often by utilizing malformed display requests on sites that contain a Cross-Site Scripting vulnerability,
attackers can cause a denial of service condition to occur by causing the host site to query itself repeatedly.
Browser Redirection - On certain types of sites that use frames, a user can be made to think that he is in fact on the
original site when he has been redirected to a malicious one, since the URL in the browser's address bar will remain the
same. This is because the entire page isn't being redirected, just the frame in which the JavaScript is being executed.
Manipulation of user settings - Attackers can change user settings for nefarious purposes.
For more detailed information on Cross-Site Scripting attacks, see the HP Cross-Site Scripting whitepaper.
Fix
For Development:
HTML Tag Injection attacks can be avoided by carefully validating all input, and properly encoding all output. When validating
user input, verify that it matches the strictest definition of valid input possible. For example, if a certain parameter is supposed
to be a number, attempt to convert it to a numeric data type in your programming language.
PHP: intval("0".$_GET['q']);
ASP.NET: int.TryParse(Request.QueryString["q"], out val);
The same applies to date and time values, or anything that can be converted to a stricter type before being used. When
accepting other types of text input, make sure the value matches either a list of acceptable values (white-listing), or a strict
regular expression. If at any point the value appears invalid, do not accept it. Also, do not attempt to return the value to the
user in an error message.
Most server-side scripting languages provide built-in methods to convert the value of the input variable into correct, non-interpretable HTML. These should be used to sanitize all input before it is displayed to the client.
PHP: string htmlspecialchars (string string [, int quote_style])
ASP.NET: Server.HTMLEncode (strHTML String)
When reflecting values into JavaScript or another format, make sure to use a type of encoding that is appropriate. Encoding
data for HTML is not sufficient when it is reflected inside of a script or style sheet. For example, when reflecting data in a
JavaScript string, make sure to encode all non-alphanumeric characters using hex (\xHH) encoding.
Report Date: 10/10/2016
If you have JavaScript on your page that accesses unsafe information (like location.href) and writes it to the page (either with
document.write, or by modifying a DOM element), make sure you encode data for HTML before writing it to the page.
JavaScript does not have a built-in function to do this, but many frameworks do. If you are lacking an available function,
something like the following will handle most cases:
s = s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/'/g, '&#39;');
Ensure that you are always using the right approach at the right time. Validating user input should be done as soon as it is
received. Encoding data for display should be done immediately before displaying it.
The above regular expression would be added into a new Snort rule as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII HTML Tag Injection attempt";
flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack;
sid:9000; rev:5;)
Paranoid regex for XSS attacks:
/((\%3C)|<)[^\n]+((\%3E)|>)/i
This signature simply looks for the opening HTML tag, or its hex equivalent, followed by one or more characters other than
a new line, and then followed by the closing tag or its hex equivalent. This may end up giving a few false positives
depending upon how your web application and web server are structured, but it is guaranteed to catch anything that even
remotely resembles an HTML Tag Injection attack.
For QA:
Fixes for HTML Injection defects will ultimately require code-based fixes.
Reference
OWASP Cross-Site Scripting Information:
http://www.owasp.org/index.php/Cross_Site_Scripting
XSRF on OWASP:
http://www.owasp.org/index.php/XSRF
XSRF on Wikipedia:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sans:
http://isc.sans.org/diary.php?storyid=1750
Classifications
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-352: Cross-Site Request Forgery (CSRF)
http://cwe.mitre.org/data/definitions/352.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Input Validation and Representation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Execution
Open a web browser and navigate to http://zero.webappsecurity.com:80/include/common.inc.
Implication
An attacker could view web application source code. Web application source code often contains database usernames,
passwords and connection strings and locations of sensitive files. It also reveals the detailed mechanics and design of the web
application's logic, which can be used to develop other attacks.
Fix
For Development:
Keep include files outside of the web root. Scripts can still be used to access and include them by using either relative or
absolute paths. This will prevent potential attackers from having direct access to include files from the web.
For Security Operations:
Take measures to prevent unauthorized access to important files or directories.
For QA:
From a security perspective, it is important to test the web application not only as a normal user, but also as a malicious one.
Make sure that the webroot is free from files that could be used to gather information about the application that could be
utilized in conducting more damaging attacks.
Reference
Classifications
Apache versions 2.0.46, 2.0.51, 2.0.55, 2.0.59, 2.2.3, and 2.2.4 are known to contain a Cross-Site Scripting vulnerability.
Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not
properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the
machine of any user that views the site. If successful, Cross-Site Scripting vulnerabilities can be exploited to manipulate or
steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute
malicious code on end user systems. Apache 2.X reflects the HTTP method name within the '413 Request Entity Too Large'
error page which might allow an attacker to embed malicious script into the page via the HTTP method value.
Recommendations include updating to a fixed version of the application.
Execution
Click http://zero.webappsecurity.com:80/ to verify the vulnerability in a web browser.
Implication
Cross-Site Scripting happens when user input from a web client is immediately included via server-side scripts in a dynamically
generated web page. Via social engineering, an attacker can trick a victim, such as through a malicious link or "rigged" form,
to submit information which will be altered to include attack code and then sent to the legitimate server. The injected code is
then reflected back to the user's browser which executes it because it came from a trusted server.
The main problems associated with successful Cross-Site Scripting attacks are:
Account hijacking
JavaScript-based worm propagation
Information theft
Denial of service
Browser redirection
Manipulation of user settings
For more detailed information on Cross-Site Scripting attacks, see the HP Application Security Center Cross-Site Scripting
whitepaper.
Fix
Disable Apache's default 413 error pages by adding an 'ErrorDocument 413' statement to the Apache config file.
Reference
Vendor:
http://www.apache.org/
Advisory:
http://secunia.com/advisories/27906/
CVE:
CVE-2007-6203
HP:
HP Application Security Center Cross-Site Scripting Whitepaper
CERT:
CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
OWASP:
Cross-Site Scripting
Classifications
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
http://cwe.mitre.org/data/definitions/80.html
CWE-116: Improper Encoding or Escaping of Output
http://cwe.mitre.org/data/definitions/116.html
CWE-811: OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
http://cwe.mitre.org/data/definitions/811.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Execution
Create a test page containing an HTML <iframe> tag whose src attribute is set to http://zero.webappsecurity.com:80/.
Successful framing of the target page indicates the application's susceptibility to XFS.
Note that WebInspect will report only one instance of this check across each host within the scope of the scan. The other
visible pages on the site may, however, be vulnerable to XFS as well and hence should be protected against it with an
appropriate fix.
Implication
A Cross-Frame Scripting weakness could allow an attacker to embed the vulnerable application inside an iframe. Exploitation
of this weakness could result in:
Hijacking of user events such as keystrokes
Theft of sensitive information
Execution of privileged functionality through combination with Cross-Site Request Forgery attacks
Fix
Browser vendors have introduced and adopted a policy-based mitigation technique using the X-Frame-Options header.
Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an
iframe. Developers must set the X-Frame-Options header to one of the following permitted values:
DENY
Deny all attempts to frame the page
SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
ALLOW-FROM origin
Developers can specify a list of trusted origins in the origin attribute. Only pages on origin are permitted to load this page
inside an iframe
Developers must also use client-side frame busting JavaScript as a protection against XFS. This will enable users of older
browsers that do not support the X-Frame-Options header to also be protected from clickjacking attacks.
Reference
HP 2012 Cyber Security Report
The X-Frame-Options header - a failure to launch
Server Configuration:
IIS
Apache, nginx
Specification:
X-Frame-Options IETF Draft
OWASP:
Clickjacking
Frame Busting:
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
OWASP: Busting Frame Busting
Classifications
Execution
To verify the issue, click the 'HTTP Response' button on the properties view and review the highlighted areas to determine the
Unix path found.
Fix
For Development:
Don't display fully qualified pathnames as part of error or informational messages. At the least, fully qualified pathnames can
provide an attacker with important information about the architecture of the web application.
For Security Operations:
The following recommendations will help to ensure that a potential attacker is not deriving valuable information from any error
message that is presented.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems.
Do not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
For QA:
In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site.
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? It is often a seemingly innocuous piece of information that provides
an attacker with the means to discover something else which he can then utilize when conducting an attack.
Reference
Classifications
Implication
A fundamental part of any successful attack is reconnaissance and information gathering. The primary danger from
exploitation of this vulnerability is that an attacker will be able to utilize the information in launching a more serious attack. It
is very simple to check for its existence, and this file is most definitely on the short list of things for which a potential attacker
would look.
Fix
Reference
Classifications
Fix
This issue can appear for several reasons. The most common is that the application or webserver error message discloses the
IP address. This can be solved by determining where to turn off detailed error messages in the application or webserver.
Another common reason is due to a comment located in the source of the webpage. This can easily be removed from the
source of the page.
Reference
Classifications
Implication
The primary danger from an attacker finding a publicly available directory on your web application server depends on what
type of directory it is, and what files it contains. Administrative directories typically contain applications capable of changing
the configuration of the running software; an attacker who gains access to an administrative application can drastically affect
the operation of the web site.
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Summary
Directory Enumeration vulnerabilities were discovered within your web application. Risks associated with an attacker
discovering a directory on your application server depend upon what type of directory is discovered, and what types of files
are contained within it. The primary threat, other than accessing files containing sensitive information, is that an attacker can
utilize the information discovered in that directory to perform other types of attacks. Recommendations include restricting
access to important directories or files by adopting a "need to know" requirement for both the document and server root, and
turning off features such as Automatic Directory Listings that provide information that could be utilized by an attacker when
formulating or conducting an attack.
Implication
The primary danger from an attacker finding a publicly available directory on your web application server depends on what
type of directory it is, and what files it contains.
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Execution
Browse to http://zero.webappsecurity.com:80/testing/ and inspect the content. The response should return HTTP status code
200 and should not match the target site's file-not-found response.
Implication
An attacker may use the internal information obtained from the source code files to craft a precise attack against the web
application. Such attacks can include, but are not limited to, SQL injection, remote file system access, malware injection and
database manipulation.
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, remove all source code repositories and
files from the production server and do not rely on 'hidden' directories within the web root that can contain sensitive resources
or web applications. Assume an attacker knows about the existence of all directories and files on your web site, and protect
them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
IIS Authentication
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
SVN
Serving websites from SVN checkout considered harmful
Subversion or CVS metadata exposure
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will be resolved by the web application server administrator. In general, do not rely on 'hidden' directories within
the web root that can contain sensitive resources or web applications. Assume an attacker knows about the existence of all
directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Implementing Basic Authentication in Apache
http://httpd.apache.org/docs/howto/auth.html#intro
Classifications
Execution
Open a web browser and navigate to http://zero.webappsecurity.com:80/README.txt.
Implication
The disclosed documentation may aid an attacker in attacking the server and application.
Fix
For Security Operations:
Remove documentation files from all web accessible locations, or restrict access to the files via access control mechanisms.
For Development:
Have Security Operations remove this file from the production server.
For QA:
Have Security Operations remove this file from the production server.
Reference
Classifications
Fix
For Development:
Don't display fully qualified pathnames as part of error or informational messages. At the least, fully qualified pathnames can
provide an attacker with important information about the architecture of the web application.
For Security Operations:
The following recommendations will help to ensure that a potential attacker is not deriving valuable information from any error
message that is presented.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems. Do
not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
For QA:
In reality, simple testing can usually determine how your web application will react to different input errors. More expansive
testing must be conducted to cause internal errors to gauge the reaction of the site.
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? It is often a seemingly innocuous piece of information that provides
an attacker with the means to discover something else which he can then utilize when conducting an attack.
Reference
Classifications
Implication
Administrative directories typically contain applications capable of changing the configuration of the running software; an
attacker who gains access to an administrative application can drastically affect the operation of the web site.
Fix
For Security Operations:
You should evaluate the production requirements for the found directory. If the directory is not required for production
operation, then the directory and its contents should be removed or restricted by a server access control mechanism. More
information about implementing access control schemes can be found in the References. Automatic directory indexing should
also be disabled, if applicable.
For Development:
This problem will need to be resolved by the web application server administrator. In general, do not rely on 'hidden'
directories within the web root that can contain sensitive resources or web applications. Assume an attacker knows about the
existence of all directories and files on your web site, and protect them with proper access controls.
For QA:
This problem will be resolved by the web application server administrator.
Reference
Implementing Basic Authentication in IIS
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/abbca505-6f63-4267-aac11ea89d861eb4.mspx
Authentication, Authorization and Access Control
http://httpd.apache.org/docs/2.0/howto/auth.html
Classifications
Implication
An attacker who discovers an LDAP query string could orchestrate more damaging attacks such as LDAP Injection which could
be utilized to retrieve information from the LDAP server.
Fix
Do not hard code LDAP query strings in your application code.
Reference
Classifications
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
http://cwe.mitre.org/data/definitions/90.html
CWE-200: Information Exposure
http://cwe.mitre.org/data/definitions/200.html
Kingdom: Encapsulation
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Implication
The server has issued a 500 error response. While the body content of the error page may not expose any information about
the technical error, the fact that an error occurred is confirmed by the 500 status code. Knowing whether certain inputs
trigger a server error can aid or inform an attacker of potential vulnerabilities.
Fix
For Security Operations:
Server error messages, such as "File Protected Against Access", often reveal more information than intended. For instance, an
attacker who receives this message can be relatively certain that the file exists, which might give him the information he needs to
pursue other leads, or to perform an actual exploit. The following recommendations will help to ensure that a potential
attacker is not deriving valuable information from any server error message that is presented.
Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of
inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages
such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent
terminology for files and folders that do exist, do not exist, and which have read access denied.
Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial
paths, variable and file names, row and column names in tables, and specific database errors should never be revealed
to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly
innocuous information together to craft a method of attack.
Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems. Do
not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
Find instructions for turning off detailed error messaging in IIS at this link:
http://support.microsoft.com/kb/294807
For Development:
From a development perspective, the best method of preventing problems from arising from server error messages is to adopt
secure programming techniques that prevent problems that might arise from an attacker discovering too much information
about the architecture and design of your web application. The following recommendations can be used as a basis for that.
Stringently define the data type (for instance, a string, an alphanumeric character, etc.) that the application will accept.
Validate against what is known to be good (an allow-list) rather than trying to reject what is known to be bad (a deny-list). Validate input for improper characters.
Do not display error messages to the end user that provide information (such as table names) that could be utilized in
orchestrating an attack.
Define the allowed set of characters. For instance, if a field is to receive a number, only let that field accept numbers.
Define the maximum and minimum data lengths for what the application will accept.
Specify acceptable numeric ranges for input.
For QA:
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a
different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized
which could reveal the existence of a file to an attacker? Inconsistent methods of dealing with errors give an attacker a very
powerful way of gathering information about your web application.
Reference
Apache:
Security Tips for Server Configuration
Protecting Confidential Documents at Your Site
Securing Apache - Access Control
Microsoft:
How to set required NTFS permissions and user rights for an IIS 5.0 Web server
Default permissions and user rights for IIS 6.0
Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes
Classifications
Implication
An overly permissive CORS policy can allow a malicious application to communicate with the victim application in an
inappropriate way, leading to spoofing, data theft, relay and other attacks. It can open possibilities for entire domain
compromise. For example, let's say a resource is located on a private intranet and a universal access policy is created with
the intent that only other intranet domains can reach it. Subsequently, an internal employee browses to an Internet resource
that includes malicious embedded JavaScript that enumerates the private resource and enables external accessibility,
effectively exposing it to the Internet. If the resource discloses any sensitive information, this attack can quickly escalate into
an unintentional breach of sensitive information.
Fix
Review your Cross-Origin Resource Sharing policy and consider restricting access to only trusted domains. Never use wildcard
open-access permissions (e.g. *) in the Access-Control-Allow-Origin header. Additionally, do not automatically include
Access-Control-Allow-Origin headers in the response unless the request is cross-domain. Alternatively, implement a whitelist of
known domains that are allowed to access this domain, and echo back only the single allowed domain that actually made the request.
Otherwise, reject the request and reply with only the host domain, so that the full list of allowed domains is never exposed. Reserve the use of CORS for
resources that cannot be shared in other ways (e.g. JavaScript can be loaded from other domains using a SCRIPT tag, and images can be
loaded using an IMG tag). Finally, make sure that this resource does not disclose any sensitive information
and share only the resources required to preserve functionality, in contrast to open-domain CORS access.
Example 1:
An example of IIS server configuration for listing domains the application is allowed to communicate with.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="www.trusted.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Example 1 shows how to configure CORS headers at the server level; however, the preferred method is to make use of the
API of the language used to develop the application and set access permissions at the resource level.
Here are some programmatic samples by language:
.NET:
Append Header:
Response.AppendHeader("Access-Control-Allow-Origin", "www.trusted.com");
Check for cross domain XHR request:
if ((Request.Headers["X-Requested-With"] == "XMLHttpRequest") && (Request.Headers["Origin"] != null))
Java:
response.addHeader("Access-Control-Allow-Origin", "www.trusted.com");
Check for cross domain XHR request (compare strings with equals(), not ==):
if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With")) && (request.getHeader("Origin") != null))
PHP:
<?php header('Access-Control-Allow-Origin: www.trusted.com'); ?>
Check for cross domain XHR request:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')
    && isset($_SERVER['HTTP_ORIGIN']))
Reference
OWASP HTML 5 Security Cheat Sheet
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Cross-Origin Resource Sharing
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.w3.org/TR/cors/
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy
Classifications
Execution
. Build a test page that includes a reference to an external JavaScript or CSS resource
. Configure the server to return the external resource with an incorrect mime type specification
. Visit the test page using an old version of Microsoft's Internet Explorer (version IE 8) browser
. Interpretation of the external content as JavaScript or CSS by the browser despite the misleading mime type specification
indicates a potential for compromise.
Implication
By failing to dictate the suitable browser interpretation of the response content, application developers can expose their users
to Cross-Site Scripting or information stealing attacks.
Fix
Configure the web server to always send the X-Content-Type-Options: nosniff header in the response headers. In
addition, ensure that the following safety precautions are also put in place:
. Verify that the web server configuration will send the accurate MIME type information in the Content-Type header of each
HTTP response
. Configure the server to send a default Content-Type of text/plain or application/octet-stream to tackle failure scenarios
. Configure the server to send Content-Disposition: attachment; filename=name; for content without an explicit content type
specification.
Reference
Microsoft Internet Explorer:
MIME-Handling Change: X-Content-Type-Options: nosniff
MIME-Handling Changes in Internet Explorer
OWASP:
OWASP Testing Guide Appendix D: Encoded Injection
List of Useful HTTP Headers
CSS Data Theft:
CVE-2010-0654
Classifications
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Fix
Reference
Classifications
Kingdom: Environment
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
Fix
Reference
RFC 2616 Section 9: HTTP Methods:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
Apache:
Apache HTTP Server Version 2.0
Apache HTTP Server Version 1.3
Microsoft:
UrlScan Security Tool
How to configure the URLScan Tool
Setting Application Mappings in IIS 6.0
Classifications
Execution
All of the web pages accessible within the scope of the scan are sampled for textual content that often constitutes a privacy
policy statement. A violation is reported upon completion of the web application crawl without a successful match against any
of the web pages.
Note that the privacy policy of your application could be located on another host or within a section of the site that was not
configured as part of the scan. To validate, please try to access the privacy policy of your website and check to see if it was
part of the scan.
The content of the following resources requires manual inspection to verify if it comprises the privacy policy statement.
http://zero.webappsecurity.com:80/search.html?searchTerm=12345
Implication
Most privacy laws are created to protect residents who are users of the website. Hence, organizations from any part of the
world must adhere to these laws if they cater to customers residing in these geographical areas. Failing to do so could result
in a lawsuit by the corresponding government against the organization.
Fix
Declare a comprehensive privacy policy for the website, and ensure that it is accessible from every page that seeks personal
information from users. To verify the fix, rescan the site in order to discover and audit the newly added resources.
Descriptions:
Any standard web application privacy policy should include the following components:
Reference
California Online Privacy Protection Act
http://oag.ca.gov/privacy/COPPA
National Conference of State Legislation
http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx
Gramm-Leach-Bliley Act
http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf
Health Insurance Portability and Accountability Act of 1996
https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf
Health Insurance Portability and Accountability Act of 1996
http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf
Classifications
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html
CWE-254: Security Features
http://cwe.mitre.org/data/definitions/254.html
Fix
Reference
Microsoft:
Autocomplete Security
Classifications
have its resources shared with another domain. These restrictions are managed by access policies typically communicated in
specialized response headers, such as:
Access-Control-Allow-Origin
Access-Control-Allow-Headers
Access-Control-Allow-Methods
However, caution should be taken when defining these headers because an overly permissive policy configured at server level
for a domain or a directory on a domain can open more content to cross-domain access than intended. CORS can allow a
malicious application to communicate with the victim application in an inappropriate way, leading to information disclosure,
spoofing, data theft, relay or other attacks. Implementing CORS can increase an application's attack surface tremendously and
should be used only when absolutely necessary.
Fix
Revisit the currently implemented CORS policy and restrict sharing to only the types of content that cannot be shared using
alternate mechanisms. In addition, isolate CORS-enabled resources on the web server and create a publicly accessible directory
for sharing JavaScript or image content types. Finally, instead of including the list of all allowed domains in the response
Access-Control-Allow-Origin header, include only the domain trying to access the content.
Reference
OWASP HTML 5 Security Cheat Sheet
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Cross-Origin Resource Sharing
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.w3.org/TR/cors/
Same Origin Policy
http://en.wikipedia.org/wiki/Same_origin_policy
Classifications
Execution
Verify the character set specification on every HTTP response. Character sets can be specified in the HTTP header or in an
HTML meta tag. In the case of an XML response, the character set can be specified along with the XML Declaration.
Implication
In the absence of the character set specification, a user-agent might default to a non-standard character set, or could derive
an incorrect character set based on certain characters in the response content. In some cases, both these approaches can
cause the response to be incorrectly rendered. This may enable other attacks such as Cross-site Scripting.
Fix
Ensure that a suitable character set is specified for every response generated by the web application. This can be done either
by:
. Modifying the code of the web application, which would require all pages to be modified.
. Adding a Content-Type header to the server configuration (recommended). This ensures that the header is added to all
the responses with minimal development effort.
Reference
DoD Application Security and Development STIG
http://iase.disa.mil/stigs/app_security/app_sec/app_sec.html
UTF-7 encoding used to create XSS attack
http://www.securityfocus.com/archive/1/420001
Classifications