Manual
Vulns
The following tables sumarises all vulnerability types detected by Cohesion.
$ cohesion show vulns
| Name | Level | Description |
|---|---|---|
| Command Injection | 8 | Command injection is a technique, which allows an attacker to execute system commands by abusing an application feature. The injection typically occurs when the developer is using user input to construct an executable command specific to the pseudo system shell in use. |
| Expression Language Injection | 8 | Expression Language Injection occurs when attacker controlled data enters an interpreter, i.e. the data is evaluated as code. |
| Local File Include | 8 | A Local File Include is a vulnerability, which allows attackers to retrieve or execute server-side files. The vulnerability arises by the fact that the developer is allowing not sanitised user-supplied input to be used in functions used to open, read or display the content of files. |
| Remote Code Injection | 8 | Remote Code Injection is a vulnerability, which allows an attacker to remotely inject code into an application in order to change its execution flow. The issue typically occurs due to the fact that the application is written in a language, which allows dynamic evaluation of code at runtime. |
| Remote File Include | 8 | A Remote File Include is a vulnerability, which allows attackers to manipulate the application in order to include a remote file hosted on a 3rd-party server. This file may be executable, typically written in a scripting language. |
| SQL Injection | 8 | SQL Injection is a code injection technique, which exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is incorrectly filtered for special characters embedded in a SQL statement and thereby unexpectedly executed, i.e. the input was injected into the SQL statement issued by the web application. |
| Vanilla SQL Injection | 8 | SQL Injection is a code injection technique, which exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is incorrectly filtered for special characters embedded in a SQL statement and thereby unexpectedly executed, i.e. the input was injected into the SQL statement issued by the web application. |
| Weak Session Management | 8 | This happens when the web application produces a session cookie, which value is easily guessable. For example the session may be based on unix timestamps or just an MD5 of a timestamp, etc. |
| Default Login | 8 | A default login is a kind of login, which is the same for every instance of the application. It’s typically used to grant a first time access to hardware bundled control panels and administration interfaces. |
| Cross-site Scripting | 7 | XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users. |
| LDAP Injection | 7 | LDAP Injection is a Code Injection technique used against applications, which construct LDAP statement based on user input. LDAP is an application protocol used to access and maintain distributed directory services like Microsoft’s Active Directory. |
| Persistent Cross-site Scripting | 7 | XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users. Stored Cross-site Scripting is a type of XSS where the injected content is permanently stored on to the web server/application. Whenever a user requests an infected page from the server the payload is directly delivered embedded in the response so it will be executed without the need of user intervention. |
| Reflected Cross-site Scripting | 7 | XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users. Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server. This kind of XSS is short-lived and requires a phishing vector to be delivered to the victim. |
| XML Injection | 7 | XML Injection is a Code Injection variant, which can be used by attackers to include malicious XML block, which is then used by an XML processor. |
| XPATH Injection | 7 | XPATH Injection is a Code Injection technique which is used when an application uses user supplied data to craft XPATH queries to retrieve and write data stored in XML form. |
| Cross-site Request Forgery | 6 | CSRF is an attack which forces an end-user to execute unwanted actions on a web application with which he is currently authenticated. Applications susceptible of this attack have no way to distinguish legit requests from forged ones. |
| Open Cross Domain Policy | 6 | A Cross Domain Policy File is used to enforce the same origin policy in modern web applications (especially Flash and Silverlight based) by preventing some types of content from being accessed or modified from another domain via the client (a browser or a plugin). An open cross-domain is the vulnerability, which occur when the policy file explicitly allows every external domain. |
| CRLF Injection | 5 | CRLF stands for Carriage Return Linefeed, which is a special sequence of characters (0x0D 0x0A in hex) used by the HTTP protocol as a line separator. A CRLF Injection attack occurs when an attacker manages to force the application to return the CRLF sequence plus attacker’s supplied data as part of the response headers. |
| Frame Injection | 5 | Frame Injection is a type of Code Injection attack where a frame is injected into the web application’s front-facing features. Usually the frame injected is a concealed iframe pointing to an attacker controlled page. |
| Open Redirect | 5 | An Open Redirect is a vulnerability where the application takes user input to generate some form of redirection without validating the to-be-redirected-to location. |
| Response Splitting | 5 | Response Splitting happens when not sanitised data is passed to the vulnerable application and it is used to build a response header. An attacker may force the web server to form a malformed output stream, which is then interpreted by the victim’s browser as two HTTP responses instead of one. Response splitting is usually useful only with proxies or when the browser is using request pipelining. |
| Directory Traversal | 5 | A Directory Traversal is a type of attack which aims to access files or directories that are stored outside the web root folder by injecting characters representing “traverse to parent directory” like ‘../’ in Unix. The goal of this attack is to force an application to access a file that is not intended to be accessible. |
| Inadequate Session Revocation | 5 | This vulnerability occurs when the session is not properly revoked after an user logout request. |
| .NET Tracing Capabilities | 5 | .NET provides powerful application debugging capabilities, which can be abused by attackers to obtain various pieces of critical information including session cookies and session state. |
| Source Version Control Disclosure | 5 | Version control systems, such as git, svn and others, provide means to record source code changes in a developer friendly way. |
| SQL Error | 4 | |
| HTTP Authentication Scheme | 4 | |
| Unrestricted File Upload | 4 | |
| Get Based Login Form | 3 | |
| Clear Text Login Form | 3 | |
| Session Cookie not Flagged as HTTPOnly | 3 | The “HTTPOnly” flag applies to the Set-Cookie HTTP response header to indicate that the cookie cannot be accessed by client-side code such as JavaScript, Flash, and other client-side components. |
| Session Cookie not Flagged as Secure | 3 | This flag applies to the Set-Cookie HTTP response header to indicate that the cookie cannot be sent by the browser over insecure channel such as HTTP. |
| Session Fixation | 3 | This may indicate that the application suffers from a “Session Fixation” vulnerability. |
| Directory Listing Enabled | 2 | Directory listings may disclose information about the web application and it’s environment that was not intended to be public. |
| Error Disclosure | 2 | |
| IP Disclosure | 2 | |
| Path Disclosure | 2 | Usually this leak is due to descriptive application and server errors. |
| Source Leakage | 2 | This may be due to a misconfigured server or application. |
| User Disclosure | 2 | |
| Discovered SOAP Service | 2 | SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of Web Services. It’s based on XML and it’s primarily used to build API services. |
| Autocomplete Enabled | 2 | Autocomplete is a HTML tag attribute used to disable the form auto completion mechanism of the browser. |
| Redirect Response With Body | 1 | This is often due to a programming error or a security problem. |
| X-Frame-Options Error | 1 | |
| XSS Protection Error | 1 | A basic XSS protection mechanism is present in every modern browser. This mechanism is active by default but may be disabled by setting the response header “X-XSS-Protection” to the value “0”. |
| Banner Disclosure | 1 | |
| Forbidden Resource | 1 | |
| Email Disclosure | 1 | |
| Outdated Software Version | 1 | |
| Software Type Disclosure | 1 | |
| Microsoft Office Document | 1 | Microsoft Office Documents often contain hidden metadata like username, author name, company name, the name of the computer, which was used to create the document and so on. |
| Directory Listing Denied | 1 | This error is generated when there is no index file in the requested directory and the server or application is not configured to reveal the directory contents. This, however, indicates that the directory exists. |
| Referer Leakage | 1 | The HTTP Referer header is used to store the URL of the page from which the user is coming from. Confidential information about the user may be leaked if it is stored in query parameters used by the application. |
| Additional Applications | 1 | Unmaintained applications may come with bugs and security vulnerability and can be a threat to the security and integrity of the web server. |
| Backup Files | 1 | |
| Common Files | 1 | Common files are files which are usually left by automated/default installations that are not necessarily still required by the web application but may still contain sensitive information. |
| Admin Page Discovered | 1 | Any administration pages can be used as a potential way of gaining administrative access to the application. |
| Version Control Files | 1 | These files are used by version control software to store meta-data and configurations about the repository used to store the application’s source code. |
| Insecure Storage of Credentials | 1 | |
| Strict Transport Security | 1 | This header is used to force browsers to connect to the application trough a SSL connection. |
| Cookie Domain Mismatch | 1 | |
| Cookies Scoped to Parent Domain | 1 | |
| ViewState Not Encrypted | 1 | The ViewState is a field used in ASP.NET applications to save the current state of the application. If it’s used to store sensitive data, like user’s details, it should be properly encrypted to maintain the confidentiality of the data. |
| ViewState not Signed | 1 | The ViewState is a field used in ASP.NET applications to save the current state of the application. To avoid data tampering the ViewState value should be signed by enforcing a MAC (Machine Authentication Check) mechanism. |
| Dangerous Methods Enabled | 1 | Uncommon HTTP methods like PUT, DELETE and all other WEBDAV methods are considered dangerous. |
| Open Cross-Origin Resource Sharing | 1 | Cross-origin Resource Sharing (CORS) is a specification, which allows Web applications the ability to offer its resources for public consumption from different domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications. |
| Permissive Cross-Origin Resource Sharing | 1 | Cross-origin Resource Sharing (CORS) is a specification, which allows Web applications the ability to offer its resources for public consumption from different domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications. |
| X-Frame-Options Not Used | 1 | This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe> . Web applications can use this to avoid clickjacking attacks, by ensuring content is not embedded into other sites. |
| Permissive X-Frame Options Used | 1 | This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe> . Web applications can use this to avoid clickjacking attacks, by ensuring content is not embedded into other sites. |
| XSS Protection Disabled | 1 | A basic XSS protection mechanism is present in every modern browser. This mechanism is active by default but may be disabled by setting the response header “X-XSS-Protection” to the value “0”. |
| Debug Methods Enabled | 1 | The HTTP methods TRACK and TRACE are usually used for debugging purpose. |
| File Upload | 1 | File upload facilities are usually considered dangerous because they can be abused to leverage various types of attacks. |
| Password Via GET | 1 | Sending passwords via GET parameter is considered a bad programming practice since this information can be easily read from the browser’s address bar, history or from the web server logs. |
| Weak Password Detected | 1 | |
| Cross Script Include | 1 | |
| Base Response Difference | 0 | |
| CVE Finding | 0 | CVE (The Common Vulnerabilities and Exposures) system provides a reference-method for publicly known information-security vulnerabilities and exposures. |
| OSVDB Finding | 0 | Open Source Vulnerability Database (OSVDB) is an independent and open-source database created by and for the community. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. |
| Generic Finding | 0 | |
| Virtual Host Discovery | 0 | Virtual Hosting is a method that allows a single server to serve resources for multiple web application. The presence of Virtual hosts usually indicate that the target application is sharing resources with other applications, i.e. shared-hosting environment. |