Vulns

The following table summarises all vulnerability types detected by Cohesion.

$ cohesion show vulns

┌──────────────┬───────┬────────────────────────────────────────────────────────┐
│ Title        │ Level │ Description                                            │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Command      │ 8     │ Command injection is a technique which allows an       │
│ Injection    │       │ attacker to execute system commands by abusing an      │
│              │       │ application feature. The injection typically occurs    │
│              │       │ when the developer uses user input to construct an     │
│              │       │ executable command for the system shell in use.        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Expression   │ 8     │ Expression Language Injection occurs when attacker     │
│ Language     │       │ controlled data enters an interpreter, i.e. the data   │
│ Injection    │       │ is evaluated as code.                                  │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Local File   │ 8     │ A Local File Include is a vulnerability which allows   │
│ Include      │       │ attackers to retrieve or execute server-side files.    │
│              │       │ The vulnerability arises because the developer allows  │
│              │       │ unsanitised user-supplied input to be used in          │
│              │       │ functions used to open, read or display the content    │
│              │       │ of files.                                              │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Remote Code  │ 8     │ Remote Code Injection is a vulnerability, which allows │
│ Injection    │       │ an attacker to remotely inject code into an            │
│              │       │ application in order to change its execution flow. The │
│              │       │ issue typically occurs due to the fact that the        │
│              │       │ application is written in a language, which allows     │
│              │       │ dynamic evaluation of code at runtime.                 │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Remote File  │ 8     │ A Remote File Include is a vulnerability, which allows │
│ Include      │       │ attackers to manipulate the application in order to    │
│              │       │ include a remote file hosted on a 3rd-party server.    │
│              │       │ This file may be executable, typically written in a    │
│              │       │ scripting language.                                    │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ SQL          │ 8     │ SQL Injection is a code injection technique, which     │
│ Injection    │       │ exploits a security vulnerability occurring in the     │
│              │       │ database layer of a web application. The vulnerability │
│              │       │ is present when user input is incorrectly filtered for │
│              │       │ special characters embedded in a SQL statement and     │
│              │       │ thereby unexpectedly executed, i.e. the input was      │
│              │       │ injected into the SQL statement issued by the web      │
│              │       │ application.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Vanilla SQL  │ 8     │ SQL Injection is a code injection technique, which     │
│ Injection    │       │ exploits a security vulnerability occurring in the     │
│              │       │ database layer of a web application. The vulnerability │
│              │       │ is present when user input is incorrectly filtered for │
│              │       │ special characters embedded in a SQL statement and     │
│              │       │ thereby unexpectedly executed, i.e. the input was      │
│              │       │ injected into the SQL statement issued by the web      │
│              │       │ application.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Weak Session │ 8     │ This happens when the web application produces a       │
│ Management   │       │ session cookie whose value is easily guessable. For    │
│              │       │ example the session may be based on unix timestamps or │
│              │       │ just an MD5 of a timestamp, etc.                       │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Default      │ 8     │ A default login is a kind of login, which is the same  │
│ Login        │       │ for every instance of the application. It’s typically  │
│              │       │ used to grant first-time access to hardware-bundled    │
│              │       │ control panels and administration interfaces.          │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Cross-site   │ 7     │ XSS is a type of web application security              │
│ Scripting    │       │ vulnerability, which allows code injection by          │
│              │       │ malicious web users into the web pages viewed by other │
│              │       │ users.                                                 │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ LDAP         │ 7     │ LDAP Injection is a Code Injection technique used      │
│ Injection    │       │ against applications which construct LDAP statements   │
│              │       │ based on user input. LDAP is an application protocol   │
│              │       │ used to access and maintain distributed directory      │
│              │       │ services like Microsoft’s Active Directory.            │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Persistent   │ 7     │ XSS is a type of web application security              │
│ Cross-site   │       │ vulnerability, which allows code injection by          │
│ Scripting    │       │ malicious web users into the web pages viewed by other │
│              │       │ users.                                                 │
│              │       │ Stored Cross-site Scripting is a type of XSS where the │
│              │       │ injected content is permanently stored on the web      │
│              │       │ server/application. Whenever a user requests an        │
│              │       │ infected page from the server the payload is directly  │
│              │       │ delivered embedded in the response so it will be       │
│              │       │ executed without the need of user intervention.        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Reflected    │ 7     │ XSS is a type of web application security              │
│ Cross-site   │       │ vulnerability, which allows code injection by          │
│ Scripting    │       │ malicious web users into the web pages viewed by other │
│              │       │ users.                                                 │
│              │       │ Reflected Cross-site Scripting is a type of XSS where  │
│              │       │ the injected code is reflected off the web server.     │
│              │       │ This kind of XSS is short-lived and requires a         │
│              │       │ phishing vector to be delivered to the victim.         │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ XML          │ 7     │ XML Injection is a Code Injection variant, which can   │
│ Injection    │       │ be used by attackers to include a malicious XML block, │
│              │       │ which is then used by an XML processor.                │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ XPATH        │ 7     │ XPATH Injection is a Code Injection technique which is │
│ Injection    │       │ used when an application uses user supplied data to    │
│              │       │ craft XPATH queries to retrieve and write data stored  │
│              │       │ in XML form.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Cross-site   │ 6     │ CSRF is an attack which forces an end-user to execute  │
│ Request      │       │ unwanted actions on a web application with which they  │
│ Forgery      │       │ are currently authenticated. Applications susceptible  │
│              │       │ to this attack have no way to distinguish legitimate   │
│              │       │ requests from forged ones.                             │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Open Cross   │ 6     │ A Cross Domain Policy File is used to enforce the same │
│ Domain       │       │ origin policy in modern web applications (especially   │
│ Policy       │       │ Flash and Silverlight based) by preventing some types  │
│              │       │ of content from being accessed or modified from        │
│              │       │ another domain via the client (a browser or a plugin). │
│              │       │ An open cross-domain policy is the vulnerability which │
│              │       │ occurs when the policy file explicitly allows every    │
│              │       │ external domain.                                       │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ CRLF         │ 5     │ CRLF stands for Carriage Return Linefeed, which is a   │
│ Injection    │       │ special sequence of characters (0x0D 0x0A in hex) used │
│              │       │ by the HTTP protocol as a line separator. A CRLF       │
│              │       │ Injection attack occurs when an attacker manages to    │
│              │       │ force the application to return the CRLF sequence plus │
│              │       │ attacker’s supplied data as part of the response       │
│              │       │ headers.                                               │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Frame        │ 5     │ Frame Injection is a type of Code Injection attack     │
│ Injection    │       │ where a frame is injected into the web application’s   │
│              │       │ front-facing features. Usually the frame injected is a │
│              │       │ concealed iframe pointing to an attacker controlled    │
│              │       │ page.                                                  │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Open         │ 5     │ An Open Redirect is a vulnerability where the          │
│ Redirect     │       │ application takes user input to generate some form of  │
│              │       │ redirection without validating the to-be-redirected-to │
│              │       │ location.                                              │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Response     │ 5     │ Response Splitting happens when unsanitised data is    │
│ Splitting    │       │ passed to the vulnerable application and it is used to │
│              │       │ build a response header. An attacker may force the web │
│              │       │ server to form a malformed output stream, which is     │
│              │       │ then interpreted by the victim’s browser as two HTTP   │
│              │       │ responses instead of one.                              │
│              │       │ Response splitting is usually useful only with proxies │
│              │       │ or when the browser is using request pipelining.       │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Directory    │ 5     │ A Directory Traversal is a type of attack which aims   │
│ Traversal    │       │ to access files or directories that are stored outside │
│              │       │ the web root folder by injecting characters            │
│              │       │ representing “traverse to parent directory” like ‘../’ │
│              │       │ in Unix. The goal of this attack is to force an        │
│              │       │ application to access a file that is not intended to   │
│              │       │ be accessible.                                         │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Inadequate   │ 5     │ This vulnerability occurs when the session is not      │
│ Session      │       │ properly revoked after a user logout request.          │
│ Revocation   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ .NET Tracing │ 5     │ .NET provides powerful application debugging           │
│ Capabilities │       │ capabilities, which can be abused by attackers to      │
│              │       │ obtain various pieces of critical information          │
│              │       │ including session cookies and session state.           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Source       │ 5     │ Version control systems, such as git, svn and others,  │
│ Version      │       │ provide means to record source code changes in a       │
│ Control      │       │ developer friendly way.                                │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ SQL Error    │ 4     │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ HTTP         │ 4     │                                                        │
│ Authenticat… │       │                                                        │
│ Scheme       │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Unrestricted │ 4     │                                                        │
│ File Upload  │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Get Based    │ 3     │                                                        │
│ Login Form   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Clear Text   │ 3     │                                                        │
│ Login Form   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Session      │ 3     │ The “HTTPOnly” flag applies to the Set-Cookie HTTP     │
│ Cookie not   │       │ response header to indicate that the cookie cannot be  │
│ Flagged as   │       │ accessed by client-side code such as JavaScript,       │
│ HTTPOnly     │       │ Flash, and other client-side components.               │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Session      │ 3     │ This flag applies to the Set-Cookie HTTP response      │
│ Cookie not   │       │ header to indicate that the cookie cannot be sent by   │
│ Flagged as   │       │ the browser over an insecure channel such as HTTP.     │
│ Secure       │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Session      │ 3     │ This may indicate that the application suffers from a  │
│ Fixation     │       │ “Session Fixation” vulnerability.                      │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Directory    │ 2     │ Directory listings may disclose information about the  │
│ Listing      │       │ web application and its environment that was not       │
│ Enabled      │       │ intended to be public.                                 │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Error        │ 2     │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ IP           │ 2     │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Path         │ 2     │ Usually this leak is due to descriptive application    │
│ Disclosure   │       │ and server errors.                                     │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Source       │ 2     │ This may be due to a misconfigured server or           │
│ Leakage      │       │ application.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ User         │ 2     │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Discovered   │ 2     │ SOAP (Simple Object Access Protocol) is a protocol     │
│ SOAP Service │       │ specification for exchanging structured information in │
│              │       │ the implementation of Web Services. It’s based on XML  │
│              │       │ and it’s primarily used to build API services.         │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Autocomplete │ 2     │ The autocomplete HTML attribute can be set to “off” on │
│ Enabled      │       │ a form or input to disable the browser’s form          │
│              │       │ auto-completion mechanism.                             │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Redirect     │ 1     │ This is often due to a programming error or a security │
│ Response     │       │ problem.                                               │
│ With Body    │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ X-Frame-Opt… │ 1     │                                                        │
│ Error        │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ XSS          │ 1     │ A basic XSS filter was built into some browsers (never │
│ Protection   │       │ Firefox, and Chrome has since removed it). Where       │
│ Error        │       │ present it is active by default but may be disabled    │
│              │       │ by setting the response header “X-XSS-Protection” to   │
│              │       │ the value “0”.                                         │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Banner       │ 1     │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Forbidden    │ 1     │                                                        │
│ Resource     │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Email        │ 1     │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Outdated     │ 1     │                                                        │
│ Software     │       │                                                        │
│ Version      │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Software     │ 1     │                                                        │
│ Type         │       │                                                        │
│ Disclosure   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Microsoft    │ 1     │ Microsoft Office Documents often contain hidden        │
│ Office       │       │ metadata like username, author name, company name, the │
│ Document     │       │ name of the computer, which was used to create the     │
│              │       │ document and so on.                                    │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Directory    │ 1     │ This error is generated when there is no index file in │
│ Listing      │       │ the requested directory and the server or application  │
│ Denied       │       │ is not configured to reveal the directory contents.    │
│              │       │ This, however, indicates that the directory exists.    │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Referer      │ 1     │ The HTTP Referer header is used to store the URL of    │
│ Leakage      │       │ the page from which the user is coming.                │
│              │       │ Confidential information about the user may be leaked  │
│              │       │ if it is stored in query parameters used by the        │
│              │       │ application.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Additional   │ 1     │ Unmaintained applications may come with bugs and       │
│ Applications │       │ security vulnerabilities and can be a threat to the    │
│              │       │ security and integrity of the web server.              │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Backup Files │ 1     │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Common Files │ 1     │ Common files are files which are usually left by       │
│              │       │ automated/default installations that are not           │
│              │       │ necessarily still required by the web application but  │
│              │       │ may still contain sensitive information.               │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Admin Page   │ 1     │ Any administration pages can be used as a potential    │
│ Discovered   │       │ way of gaining administrative access to the            │
│              │       │ application.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Version      │ 1     │ These files are used by version control software to    │
│ Control      │       │ store meta-data and configurations about the           │
│ Files        │       │ repository used to store the application’s source      │
│              │       │ code.                                                  │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Insecure     │ 1     │                                                        │
│ Storage of   │       │                                                        │
│ Credentials  │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Strict       │ 1     │ This header is used to force browsers to connect to    │
│ Transport    │       │ the application through HTTPS (TLS) only.              │
│ Security     │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Cookie       │ 1     │                                                        │
│ Domain       │       │                                                        │
│ Mismatch     │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Cookies      │ 1     │                                                        │
│ Scoped to    │       │                                                        │
│ Parent       │       │                                                        │
│ Domain       │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ ViewState    │ 1     │ The ViewState is a field used in ASP.NET applications  │
│ Not          │       │ to save the current state of the application. If it’s  │
│ Encrypted    │       │ used to store sensitive data, like user’s details, it  │
│              │       │ should be properly encrypted to maintain the           │
│              │       │ confidentiality of the data.                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ ViewState    │ 1     │ The ViewState is a field used in ASP.NET applications  │
│ not Signed   │       │ to save the current state of the application. To avoid │
│              │       │ data tampering the ViewState value should be signed by │
│              │       │ enforcing a MAC (Message Authentication Code)          │
│              │       │ mechanism.                                             │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Dangerous    │ 1     │ Uncommon HTTP methods like PUT, DELETE and all other   │
│ Methods      │       │ WEBDAV methods are considered dangerous.               │
│ Enabled      │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Open         │ 1     │ Cross-origin Resource Sharing (CORS) is a              │
│ Cross-Origin │       │ specification which allows a web application to offer  │
│ Resource     │       │ its resources for consumption from different origins.  │
│ Sharing      │       │ CORS is typically used in cross-origin APIs designed   │
│              │       │ to be consumed by JavaScript applications.             │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Permissive   │ 1     │ Cross-origin Resource Sharing (CORS) is a              │
│ Cross-Origin │       │ specification which allows a web application to offer  │
│ Resource     │       │ its resources for consumption from different origins.  │
│ Sharing      │       │ CORS is typically used in cross-origin APIs designed   │
│              │       │ to be consumed by JavaScript applications.             │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ X-Frame-Opt… │ 1     │ This header indicates whether or not a browser should  │
│ Not Used     │       │ be allowed to render a page in a <frame> or <iframe>.  │
│              │       │ Web applications can use this to avoid clickjacking    │
│              │       │ attacks, by ensuring content is not embedded into      │
│              │       │ other sites.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Permissive   │ 1     │ This header indicates whether or not a browser should  │
│ X-Frame      │       │ be allowed to render a page in a <frame> or <iframe>.  │
│ Options Used │       │ Web applications can use this to avoid clickjacking    │
│              │       │ attacks, by ensuring content is not embedded into      │
│              │       │ other sites.                                           │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ XSS          │ 1     │ A basic XSS filter was built into some browsers (never │
│ Protection   │       │ Firefox, and Chrome has since removed it). Where       │
│ Disabled     │       │ present it is active by default but may be disabled    │
│              │       │ by setting the response header “X-XSS-Protection” to   │
│              │       │ the value “0”.                                         │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Debug        │ 1     │ The HTTP methods TRACK and TRACE are usually used for  │
│ Methods      │       │ debugging purposes.                                    │
│ Enabled      │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ File Upload  │ 1     │ File upload facilities are usually considered          │
│              │       │ dangerous because they can be abused to leverage       │
│              │       │ various types of attacks.                              │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Password Via │ 1     │ Sending passwords via GET parameter is considered a    │
│ GET          │       │ bad programming practice since this information can be │
│              │       │ easily read from the browser’s address bar, history or │
│              │       │ from the web server logs.                              │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Weak         │ 1     │                                                        │
│ Password     │       │                                                        │
│ Detected     │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Cross Script │ 1     │                                                        │
│ Include      │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Base         │ 0     │                                                        │
│ Response     │       │                                                        │
│ Difference   │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ CVE Finding  │ 0     │ The CVE (Common Vulnerabilities and Exposures) system  │
│              │       │ provides a reference method for publicly known         │
│              │       │ information-security vulnerabilities and exposures.    │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ OSVDB        │ 0     │ Open Source Vulnerability Database (OSVDB) is an       │
│ Finding      │       │ independent and open-source database created by and    │
│              │       │ for the community. The goal of the project is to       │
│              │       │ provide accurate, detailed, current, and unbiased      │
│              │       │ technical information on security vulnerabilities.     │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Generic      │ 0     │                                                        │
│ Finding      │       │                                                        │
├──────────────┼───────┼────────────────────────────────────────────────────────┤
│ Virtual Host │ 0     │ Virtual Hosting is a method that allows a single       │
│ Discovery    │       │ server to serve resources for multiple web             │
│              │       │ applications. The presence of virtual hosts usually    │
│              │       │ indicates that the target application is sharing       │
│              │       │ resources with other applications, i.e. a              │
│              │       │ shared-hosting environment.                            │
└──────────────┴───────┴────────────────────────────────────────────────────────┘
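
The two injection rows at the top of the table, SQL Injection and Command Injection, come down to the same mistake: user input is spliced into a string that a parser later treats as code. The Python below is added here to show that mistake and its fix side by side; it is not Cohesion's code and nothing on this page describes how Cohesion tests for either class. The users table, the lookup function (where echo stands in for a real network command so it runs offline) and the two payloads are constructed for the demonstration.

```python
"""SQL Injection and Command Injection: string-built query and shell command
next to their parameterised and argv-based forms. Added example, not
Cohesion's code; the table, the account and the payloads are constructed.
"""
import re
import sqlite3
import subprocess


def make_db():
    """Constructed users table with one account whose password the attacker
    does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, user, password):
    """Concatenates input into the statement. A quote in the input closes the
    string literal and everything after it is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, user, password):
    """Bound parameters: the driver passes the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the password literal and appends an always-true
# clause, so the WHERE matches without the real password.
SQLI_PAYLOAD = "' OR '1'='1"


def lookup_vulnerable(host):
    """shell=True hands the whole line to /bin/sh, so ';', '|', '$(...)' and
    friends inside the input are interpreted as shell syntax. `echo` stands
    in for a real command such as nslookup."""
    out = subprocess.run("echo lookup " + host, shell=True,
                         capture_output=True, text=True, check=False)
    return out.stdout


def lookup_argv(host):
    """No shell at all: with an argv list the input is exactly one argument,
    metacharacters included, and nothing interprets it."""
    out = subprocess.run(["echo", "lookup", host],
                         capture_output=True, text=True, check=False)
    return out.stdout


HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_hostname(host):
    """Allow-list the expected shape; spaces and shell metacharacters fail."""
    return bool(HOSTNAME_RE.match(host))


def lookup_hardened(host):
    """Both defences: validate the input, then call without a shell."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname: %r" % host)
    return lookup_argv(host)


# Constructed payload: terminates the intended command and starts a second one.
CMDI_PAYLOAD = "example.com; echo INJECTED"
```

With the vulnerable login the payload in the password field authenticates as admin; with bound parameters the same string is just a password that does not match. The argv form alone already defuses the command payload (it is echoed back literally), and the allow-list rejects it before any process is started.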
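
The Weak Session Management row gives "an MD5 of a timestamp" as its example of a guessable session id. The Python below, added here and not taken from Cohesion, shows why that is fatal: an attacker who knows roughly when the victim logged in enumerates the timestamps in a window and recovers the id, whereas a CSPRNG-generated id has nothing to enumerate. The victim's login time, the attacker's estimate of it and the window size are constructed values.

```python
"""Weak Session Management: the MD5-of-a-timestamp session id the table warns
about, the enumeration that recovers it, and a CSPRNG replacement. Added
example, not Cohesion's code; login time, estimate and window are constructed.
"""
import hashlib
import math
import secrets

VICTIM_LOGIN_TIME = 1_700_000_000             # constructed Unix time of the login
ATTACKER_ESTIMATE = VICTIM_LOGIN_TIME + 37    # constructed: attacker is 37 s off (e.g. from a Date header)
SEARCH_WINDOW = 300                           # seconds tried either side of the estimate


def weak_session_id(login_time):
    """The anti-pattern: a deterministic function of the clock. Hashing adds
    no secrecy because the preimage space is tiny and known."""
    return hashlib.md5(str(int(login_time)).encode()).hexdigest()


def strong_session_id(nbytes=32):
    """256 bits from the OS CSPRNG; unrelated to time or to other sessions."""
    return secrets.token_urlsafe(nbytes)


def recover_weak_session(observed_id, estimate, window):
    """Enumerate every second in [estimate - window, estimate + window] and
    return the timestamp whose id matches, or None. Against a live server the
    attacker needs no observed id at all: the same loop mints candidate
    cookies and presents each one until the server accepts it."""
    for t in range(int(estimate) - window, int(estimate) + window + 1):
        if weak_session_id(t) == observed_id:
            return t
    return None


def search_space_bits(window):
    """Effective entropy of each scheme: log2(candidates) for the weak id
    versus the full 256 bits of the strong one."""
    return {"weak": math.log2(2 * window + 1), "strong": 8 * 32}
```

A five-minute window is about nine bits of work; even a whole day (86400 seconds) is under eighteen, which a script gets through in seconds. The fix is not a stronger hash but an identifier that is not derived from anything predictable.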
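
Directory Traversal and Local File Include both hinge on a file path built from request data. The Python below is an added example, not Cohesion's code: it puts a naive os.path.join file server next to one that canonicalises the path and checks it stays under the web root, and runs the usual payloads against both (a ../ sequence, a URL-encoded slash, an absolute path and a symlink). The web root, the secret file outside it and the payloads are constructed in a temporary directory.

```python
"""Directory Traversal / Local File Include: naive path joining next to a
resolver that confines requests to the web root. Added example, not
Cohesion's code; tree, secret and payloads are constructed in a temp dir.
"""
import os
import tempfile
from urllib.parse import unquote


def serve_vulnerable(webroot, requested):
    """Joins the decoded request straight onto the root. '..' walks out of it,
    an absolute path makes os.path.join throw the root away, and a symlink
    inside the root is followed wherever it points."""
    path = os.path.join(webroot, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def resolve_within(webroot, requested):
    """Canonicalise both sides and require containment. Returns the resolved
    path, or None if it escapes the root or smuggles a NUL byte."""
    root = os.path.realpath(webroot)
    decoded = unquote(requested)
    if "\x00" in decoded:                 # NUL would truncate the path in C-backed APIs
        return None
    relative = decoded.lstrip("/\\")      # never let the request supply an absolute path
    candidate = os.path.realpath(os.path.join(root, relative))  # collapses '..', follows symlinks
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_hardened(webroot, requested):
    """Serve only regular files that resolve inside the root."""
    path = resolve_within(webroot, requested)
    if path is None or not os.path.isfile(path):
        raise PermissionError("refused: %r" % requested)
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Build <tmp>/www/index.html, a secret outside www/ and a symlink inside
    www/ pointing at it; try each payload against both servers and report
    which ones leaked the secret."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "www")
    os.makedirs(webroot)
    secret = os.path.join(tmp, "secret.txt")
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>")
    with open(secret, "w") as fh:
        fh.write("DB_PASSWORD=hunter2")          # constructed secret outside the root
    os.symlink(secret, os.path.join(webroot, "link.txt"))

    payloads = [
        "../secret.txt",       # classic traversal
        "..%2Fsecret.txt",     # URL-encoded slash, decoded before the join
        secret,                # absolute path: os.path.join discards the root
        "link.txt",            # symlink inside the root pointing outside it
    ]
    result = {"payloads": payloads, "vulnerable_leaks": [], "hardened_leaks": []}
    for payload in payloads:
        if b"DB_PASSWORD" in serve_vulnerable(webroot, payload):
            result["vulnerable_leaks"].append(payload)
        try:
            if b"DB_PASSWORD" in serve_hardened(webroot, payload):
                result["hardened_leaks"].append(payload)
        except PermissionError:
            pass
    result["index"] = serve_hardened(webroot, "index.html")   # legitimate request still works
    return result
```

The symlink case is why the check uses realpath rather than normpath: a lexical clean-up of "../" would pass link.txt, which lives under the root by name but resolves outside it.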
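
Open Redirect, CRLF Injection and Response Splitting usually meet in one place: a Location header built from a request parameter. The Python below is an added example, not from Cohesion: a redirect builder that copies the parameter verbatim next to one that rejects control characters and foreign hosts, plus a deliberately naive pipelined-response reader that counts how many responses a client would see. The allow-listed host app.example.com and the payloads are constructed.

```python
"""Open Redirect and CRLF Injection / Response Splitting through a Location
header. Added example, not Cohesion's code; host allow-list and payloads are
constructed.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}      # constructed: the only host redirects may target


def build_redirect_vulnerable(target):
    """Copies the request parameter straight into the header."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def safe_redirect_target(target):
    """Return a target the application may redirect to, or None.

    Rejects, in order: control characters (CRLF injection / response
    splitting); protocol-relative and backslash forms that browsers turn into
    a foreign host (open redirect); absolute URLs with a non-http scheme or a
    host outside the allow-list; and anything that is not a same-site
    absolute path."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return None
    if target.startswith(("//", "/\\", "\\")):
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return None
        if parts.hostname not in ALLOWED_HOSTS:
            return None
        return target
    if not target.startswith("/"):
        return None
    return target


def build_redirect_hardened(target):
    """Falls back to the site root instead of echoing a rejected value."""
    safe = safe_redirect_target(target)
    return "HTTP/1.1 302 Found\r\nLocation: " + (safe or "/") + "\r\n\r\n"


def split_responses(stream):
    """Deliberately naive pipelined client: every block that begins with a
    status line is a new response. Returns the status lines it sees."""
    return [block.split("\r\n", 1)[0]
            for block in stream.split("\r\n\r\n")
            if block.startswith("HTTP/1.")]


# Constructed response-splitting payload: ends the 302 with an empty body and
# starts a second, attacker-authored 200 response carrying a script.
SPLIT_PAYLOAD = (
    "/\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
    "<script>alert(1)</script>"
)

# Constructed open-redirect payloads, each a different way of naming a foreign host
OPEN_REDIRECT_PAYLOADS = [
    "https://evil.example.net/login",   # plain absolute URL
    "//evil.example.net",               # protocol-relative
    "javascript:alert(1)",              # non-http scheme
    "https:evil.example.net",           # scheme without authority, browser-normalised
]
```

Fed the splitting payload, the vulnerable builder emits a byte stream in which the naive reader finds two responses, the second one wholly attacker-controlled; the hardened builder refuses it and redirects to "/". Real browsers are more careful than split_responses, which is why the table notes that splitting mostly pays off through proxies or pipelining, but the header injection itself is present either way.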
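
Most of the level 1 to 3 rows (the session cookie flags, cookie scope, Strict Transport Security, the X-Frame-Options and X-XSS-Protection variants, Open Cross-Origin Resource Sharing, Banner Disclosure) are passive checks on a single response. The Python below, added here and not Cohesion's detection code, runs those checks over one constructed response and a fixed version of it and reports the table's finding titles. The list of session cookie names and the expanded forms of the truncated X-Frame-Options titles are this example's own assumptions. One caveat the table does not make: X-XSS-Protection is obsolete (Chrome and Edge removed their filters, Firefox never had one), so the check is kept only for parity with the table and a Content-Security-Policy is the control that matters today.

```python
"""Passive header and cookie checks for the low-level rows of the table, run
over one constructed HTTP response. Added example, not Cohesion's detection
code; the session cookie names and expanded X-Frame-Options titles are assumed.
"""
import re
from email.parser import Parser

# Constructed response from a hypothetical host app.example.com
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Server: Apache/2.4.29 (Ubuntu)\n"
    "Set-Cookie: PHPSESSID=9f2c1e0b7a; Path=/\n"
    "Set-Cookie: prefs=dark; Domain=.example.com; Path=/; Secure; HttpOnly\n"
    "Access-Control-Allow-Origin: *\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example.net\n"
    "X-XSS-Protection: 0\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>hello</body></html>\n"
)

# The same response with the findings fixed
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Server: Apache\n"
    "Set-Cookie: PHPSESSID=9f2c1e0b7a; Path=/; Secure; HttpOnly; SameSite=Lax\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
    "X-Frame-Options: DENY\n"
    "Content-Security-Policy: frame-ancestors 'none'\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>hello</body></html>\n"
)

# Assumed names of cookies that carry the session identifier
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                        "sessionid", "session", "sid", "connect.sid"}


def parse_response(raw):
    """(status line, headers, body); email.parser copes with repeated headers."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_text = head.partition("\n")
    return status_line, Parser().parsestr(header_text, headersonly=True), body


def parse_cookie(value):
    """'name=value; Attr; Attr=val' -> (name, {attr_lower: val})"""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(raw, host):
    """Return the sorted finding titles for one response served by `host`."""
    _, headers, _ = parse_response(raw)
    findings = set()

    for raw_cookie in headers.get_all("Set-Cookie", []):
        name, attrs = parse_cookie(raw_cookie)
        if name.lower() in SESSION_COOKIE_NAMES:
            if "httponly" not in attrs:
                findings.add("Session Cookie not Flagged as HTTPOnly")
            if "secure" not in attrs:
                findings.add("Session Cookie not Flagged as Secure")
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and domain != host:
            if host.endswith("." + domain):      # sent to every sibling host as well
                findings.add("Cookies Scoped to Parent Domain")
            else:                                # a browser would reject it anyway
                findings.add("Cookie Domain Mismatch")

    if headers.get("Strict-Transport-Security") is None:
        findings.add("Strict Transport Security")

    xfo = headers.get("X-Frame-Options")
    if xfo is None:
        findings.add("X-Frame-Options Not Used")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):   # ALLOW-FROM is obsolete and ignored
        findings.add("Permissive X-Frame Options Used")

    if (headers.get("X-XSS-Protection") or "").strip().startswith("0"):
        findings.add("XSS Protection Disabled")

    if (headers.get("Access-Control-Allow-Origin") or "").strip() == "*":
        findings.add("Open Cross-Origin Resource Sharing")

    if re.search(r"/\d", headers.get("Server") or ""):        # product/version string
        findings.add("Banner Disclosure")

    return sorted(findings)
```

The Domain check needs the requesting host as context: a cookie scoped to the parent domain is a finding on app.example.com because every other host under example.com receives it, while a Domain that is not a suffix of the host at all is a misconfiguration the browser silently drops.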