Manual

Vulns

The following table summarises all vulnerability types detected by Cohesion, ordered by level (highest first).

$ cohesion show vulns
| Name | Level | Description |
| --- | --- | --- |
| Command Injection | 8 | Command injection allows an attacker to execute system commands by abusing an application feature. It typically occurs when the developer uses user input to construct a command that is then executed by the system shell. |
| Expression Language Injection | 8 | Expression Language Injection occurs when attacker-controlled data enters an expression language interpreter, i.e. the data is evaluated as code. |
| Local File Include | 8 | A Local File Include is a vulnerability which allows attackers to retrieve or execute server-side files. It arises when the developer allows unsanitised user-supplied input to reach functions used to open, read or display the content of files. |
| Remote Code Injection | 8 | Remote Code Injection allows an attacker to remotely inject code into an application in order to change its execution flow. The issue typically occurs because the application is written in a language which allows dynamic evaluation of code at runtime. |
| Remote File Include | 8 | A Remote File Include allows attackers to manipulate the application into including a remote file hosted on a third-party server. This file may be executable, typically written in a scripting language. |
| SQL Injection | 8 | SQL Injection is a code injection technique which exploits a vulnerability in the database layer of a web application. It is present when user input is not correctly filtered for special characters embedded in a SQL statement and is therefore unexpectedly executed, i.e. the input is injected into the SQL statement issued by the web application. |
| Vanilla SQL Injection | 8 | The basic form of SQL Injection, as described in the SQL Injection entry above. |
| Weak Session Management | 8 | The web application produces a session cookie whose value is easily guessable, for example a session identifier based on a Unix timestamp or just an MD5 hash of a timestamp. |
| Default Login | 8 | A default login is a set of credentials which is the same for every instance of the application. It is typically used to grant first-time access to control panels and administration interfaces bundled with hardware. |
| Cross-site Scripting | 7 | XSS is a web application vulnerability which allows malicious users to inject code into the web pages viewed by other users. |
| LDAP Injection | 7 | LDAP Injection is a code injection technique used against applications which construct LDAP statements from user input. LDAP is an application protocol used to access and maintain distributed directory services such as Microsoft's Active Directory. |
| Persistent Cross-site Scripting | 7 | XSS is a web application vulnerability which allows malicious users to inject code into the web pages viewed by other users. Stored (persistent) Cross-site Scripting is a type of XSS where the injected content is permanently stored on the web server or in the application. Whenever a user requests an affected page, the payload is delivered embedded in the response, so it executes without any user intervention. |
| Reflected Cross-site Scripting | 7 | XSS is a web application vulnerability which allows malicious users to inject code into the web pages viewed by other users. Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server in the response to a crafted request. This kind of XSS is short-lived and requires a delivery vector, such as a phishing link, to reach the victim. |
| XML Injection | 7 | XML Injection is a code injection variant which can be used by attackers to insert a malicious XML block into a document that is then consumed by an XML processor. |
| XPATH Injection | 7 | XPath Injection is a code injection technique which applies when an application uses user-supplied data to craft XPath queries that read or write data stored as XML. |
| Cross-site Request Forgery | 6 | CSRF is an attack which forces an end user to execute unwanted actions on a web application to which they are currently authenticated. Applications susceptible to this attack have no way to distinguish legitimate requests from forged ones. |
| Open Cross Domain Policy | 6 | A cross-domain policy file is used to enforce the same-origin policy in web applications (especially Flash and Silverlight based ones) by preventing some types of content from being accessed or modified from another domain via the client (a browser or a plugin). An open cross-domain policy is the vulnerability which occurs when the policy file explicitly allows every external domain. |
| CRLF Injection | 5 | CRLF stands for Carriage Return Line Feed, a special sequence of characters (0x0D 0x0A in hex) used by the HTTP protocol as a line separator. A CRLF Injection attack occurs when an attacker manages to force the application to return the CRLF sequence plus attacker-supplied data as part of the response headers. |
| Frame Injection | 5 | Frame Injection is a type of code injection attack where a frame is injected into the web application's user-facing pages. Usually the injected frame is a concealed iframe pointing to an attacker-controlled page. |
| Open Redirect | 5 | An Open Redirect is a vulnerability where the application takes user input to generate some form of redirection without validating the location being redirected to. |
| Response Splitting | 5 | Response Splitting happens when unsanitised data passed to the vulnerable application is used to build a response header. An attacker may force the web server to emit a malformed output stream which the victim's browser interprets as two HTTP responses instead of one. Response splitting is usually useful only with proxies or when the browser is using request pipelining. |
| Directory Traversal | 5 | A Directory Traversal is a type of attack which aims to access files or directories stored outside the web root by injecting characters representing "traverse to parent directory", such as '../' on Unix. The goal of this attack is to force an application to access a file that is not intended to be accessible. |
| Inadequate Session Revocation | 5 | This vulnerability occurs when the session is not properly revoked after a user logout request. |
| .NET Tracing Capabilities | 5 | .NET provides powerful application debugging capabilities which can be abused by attackers to obtain various pieces of critical information, including session cookies and session state. |
| Source Version Control Disclosure | 5 | Version control systems such as Git, SVN and others provide means to record source code changes in a developer-friendly way. When their repository metadata is served by the web server, the application's source code and its change history can be retrieved. |
| SQL Error | 4 | |
| HTTP Authentication Scheme | 4 | |
| Unrestricted File Upload | 4 | |
| Get Based Login Form | 3 | |
| Clear Text Login Form | 3 | |
| Session Cookie not Flagged as HTTPOnly | 3 | The "HttpOnly" flag applies to the Set-Cookie HTTP response header and indicates that the cookie cannot be accessed by client-side code such as JavaScript, Flash and other client-side components. |
| Session Cookie not Flagged as Secure | 3 | The "Secure" flag applies to the Set-Cookie HTTP response header and indicates that the cookie must not be sent by the browser over an insecure channel such as plain HTTP. |
| Session Fixation | 3 | In a Session Fixation attack the attacker sets a victim's session identifier before the victim authenticates and later reuses that identifier to hijack the authenticated session. This finding may indicate that the application is affected. |
| Directory Listing Enabled | 2 | Directory listings may disclose information about the web application and its environment that was not intended to be public. |
| Error Disclosure | 2 | |
| IP Disclosure | 2 | |
| Path Disclosure | 2 | Usually this leak is due to descriptive application and server errors. |
| Source Leakage | 2 | This may be due to a misconfigured server or application. |
| User Disclosure | 2 | |
| Discovered SOAP Service | 2 | SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of web services. It is based on XML and is primarily used to build API services. |
| Autocomplete Enabled | 2 | The "autocomplete" HTML attribute is used to disable the browser's form auto-completion mechanism; when it is left enabled on sensitive fields, the browser may store what the user types. |
| Redirect Response With Body | 1 | This is often due to a programming error or a security problem. |
| X-Frame-Options Error | 1 | |
| XSS Protection Error | 1 | A basic reflected-XSS filter is built into several browsers. It is active by default but can be disabled by setting the "X-XSS-Protection" response header to the value "0". |
| Banner Disclosure | 1 | |
| Forbidden Resource | 1 | |
| Email Disclosure | 1 | |
| Outdated Software Version | 1 | |
| Software Type Disclosure | 1 | |
| Microsoft Office Document | 1 | Microsoft Office documents often contain hidden metadata such as the username, author name, company name and the name of the computer used to create the document. |
| Directory Listing Denied | 1 | This error is generated when there is no index file in the requested directory and the server or application is not configured to reveal the directory contents. It does, however, confirm that the directory exists. |
| Referer Leakage | 1 | The HTTP Referer header carries the URL of the page from which the user came. Confidential information about the user may be leaked to third parties if it is stored in query parameters used by the application. |
| Additional Applications | 1 | Unmaintained applications may come with bugs and security vulnerabilities and can be a threat to the security and integrity of the web server. |
| Backup Files | 1 | |
| Common Files | 1 | Common files are files usually left behind by automated or default installations that are not necessarily still required by the web application but may still contain sensitive information. |
| Admin Page Discovered | 1 | Any administration page can be used as a potential way of gaining administrative access to the application. |
| Version Control Files | 1 | These files are used by version control software to store metadata and configuration about the repository holding the application's source code. |
| Insecure Storage of Credentials | 1 | |
| Strict Transport Security | 1 | The Strict-Transport-Security header is used to force browsers to connect to the application only over HTTPS. |
| Cookie Domain Mismatch | 1 | |
| Cookies Scoped to Parent Domain | 1 | |
| ViewState Not Encrypted | 1 | The ViewState is a field used in ASP.NET applications to save the current state of a page. If it is used to store sensitive data, such as user details, it should be encrypted to maintain the confidentiality of the data. |
| ViewState not Signed | 1 | The ViewState is a field used in ASP.NET applications to save the current state of a page. To prevent tampering, the ViewState value should be signed by enabling the MAC (Machine Authentication Check) mechanism, a message authentication code keyed with the machine key. |
| Dangerous Methods Enabled | 1 | Uncommon HTTP methods such as PUT, DELETE and the WebDAV methods are considered dangerous. |
| Open Cross-Origin Resource Sharing | 1 | Cross-Origin Resource Sharing (CORS) is a specification which allows a web application to offer its resources for consumption from other domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications. |
| Permissive Cross-Origin Resource Sharing | 1 | Cross-Origin Resource Sharing (CORS) is a specification which allows a web application to offer its resources for consumption from other domains. CORS is typically used in cross-origin APIs designed to be consumed by JavaScript applications. |
| X-Frame-Options Not Used | 1 | The X-Frame-Options header indicates whether a browser should be allowed to render a page in a <frame> or <iframe>. Web applications can use it to avoid clickjacking attacks by ensuring their content is not embedded in other sites. |
| Permissive X-Frame Options Used | 1 | The X-Frame-Options header indicates whether a browser should be allowed to render a page in a <frame> or <iframe>. Web applications can use it to avoid clickjacking attacks by ensuring their content is not embedded in other sites. |
| XSS Protection Disabled | 1 | A basic reflected-XSS filter is built into several browsers. It is active by default but can be disabled by setting the "X-XSS-Protection" response header to the value "0". |
| Debug Methods Enabled | 1 | The HTTP methods TRACK and TRACE are usually used for debugging purposes. |
| File Upload | 1 | File upload facilities are usually considered dangerous because they can be abused to mount various types of attacks. |
| Password Via GET | 1 | Sending passwords as GET parameters is considered bad practice since this information can be easily read from the browser's address bar, the browser history or the web server logs. |
| Weak Password Detected | 1 | |
| Cross Script Include | 1 | |
| Base Response Difference | 0 | |
| CVE Finding | 0 | The CVE (Common Vulnerabilities and Exposures) system provides a reference method for publicly known information security vulnerabilities and exposures. |
| OSVDB Finding | 0 | The Open Source Vulnerability Database (OSVDB) is an independent, open database created by and for the community. The goal of the project is to provide accurate, detailed, current and unbiased technical information on security vulnerabilities. |
| Generic Finding | 0 | |
| Virtual Host Discovery | 0 | Virtual hosting is a method that allows a single server to serve resources for multiple web applications. The presence of virtual hosts usually indicates that the target application is sharing resources with other applications, i.e. a shared-hosting environment. |
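Several of the level 1 to 3 entries (the two session cookie flags, Strict Transport Security, the X-Frame-Options entries, XSS Protection Disabled, Open Cross-Origin Resource Sharing, Dangerous Methods Enabled and Debug Methods Enabled) are passive checks on a single response's headers. The following is an added example of such checks written for this page; it is not Cohesion's code and the manual does not say how Cohesion implements them. The session cookie name pattern, the reading of the non-standard ALLOWALL value as "permissive", and the reading of an unparseable X-Frame-Options value as "X-Frame-Options Error" are assumptions made for the example, and the sample headers are constructed, not captured traffic.

```python
"""Added example: passive header and cookie checks mapped onto the finding names in the
table above. Not Cohesion's code; the detection rules are assumptions made for this page."""
import re

# Assumption: cookies whose name contains "sess" or ends in "sid" are session cookies
# (PHPSESSID, JSESSIONID, ASP.NET_SessionId, connect.sid, ...).
SESSION_COOKIE_RE = re.compile(r"sess|sid$", re.IGNORECASE)
DANGEROUS_METHODS = {"PUT", "DELETE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
DEBUG_METHODS = {"TRACE", "TRACK"}

# Constructed sample headers of one HTTPS response (not captured traffic).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=7d4a1e2c9b0f; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
    ("X-XSS-Protection", "0"),
    ("Access-Control-Allow-Origin", "*"),
    ("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE"),
]


def parse_set_cookie(value):
    """Split 'name=val; Attr; Attr=x' into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_response(headers, https=True):
    """Return the set of finding names (as in the table) raised by one response's headers.
    headers: list of (name, value) pairs in the order received; https: whether the
    response arrived over TLS (the Secure and HSTS checks only make sense there)."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = set()

    for raw in by_name.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if not SESSION_COOKIE_RE.search(name):
            continue  # the two cookie checks are only about session cookies
        if "httponly" not in attrs:
            findings.add("Session Cookie not Flagged as HTTPOnly")
        if https and "secure" not in attrs:
            findings.add("Session Cookie not Flagged as Secure")

    if https and "strict-transport-security" not in by_name:
        findings.add("Strict Transport Security")

    xfo = by_name.get("x-frame-options")
    if xfo is None:
        findings.add("X-Frame-Options Not Used")
    else:
        value = xfo[0].strip().upper()
        if value == "ALLOWALL":
            # Non-standard value some frameworks emit; assumed to be what "permissive" means here.
            findings.add("Permissive X-Frame Options Used")
        elif value not in ("DENY", "SAMEORIGIN") and not value.startswith("ALLOW-FROM "):
            # Browsers ignore values they cannot parse, so the header gives no protection (assumption).
            findings.add("X-Frame-Options Error")

    if any(v.strip().startswith("0") for v in by_name.get("x-xss-protection", [])):
        findings.add("XSS Protection Disabled")

    if any(v.strip() == "*" for v in by_name.get("access-control-allow-origin", [])):
        findings.add("Open Cross-Origin Resource Sharing")

    # Methods advertised in Allow (reply to OPTIONS) or the older Public header.
    advertised = set()
    for v in by_name.get("allow", []) + by_name.get("public", []):
        advertised.update(m.strip().upper() for m in v.split(","))
    if advertised & DANGEROUS_METHODS:
        findings.add("Dangerous Methods Enabled")
    if advertised & DEBUG_METHODS:
        findings.add("Debug Methods Enabled")
    return findings


if __name__ == "__main__":
    for finding in sorted(check_response(SAMPLE_HEADERS)):
        print(finding)
```

Run against SAMPLE_HEADERS the function reports eight findings: both session cookie flags are missing on PHPSESSID (the theme cookie is ignored), there is no HSTS or X-Frame-Options header, the XSS filter is switched off, CORS is open to any origin, and the Allow header advertises PUT, DELETE and TRACE. Passing https=False suppresses the Secure and HSTS checks, which would otherwise be noise on a plain-HTTP target.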
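The CRLF Injection and Response Splitting entries describe the same root cause from two angles: a CRLF sequence reaching a header value, and the stream that results being read as two responses. The following added example (written for this page, not Cohesion's code) builds a redirect whose Location header comes from user input, once verbatim and once with the minimal fix, and parses the resulting bytes the way a pipelining client or a proxy would. The names build_redirect, parse_responses and demo, and the attacker input PAYLOAD, are all constructed for the example.

```python
"""Added illustration of the CRLF Injection / Response Splitting entries above.
Not Cohesion's code; build_redirect(), parse_responses() and PAYLOAD are invented here."""


def build_redirect(location, *, sanitize):
    """Build a raw 302 response whose Location header is taken from user input.
    sanitize=False copies the value verbatim (the vulnerable pattern);
    sanitize=True rejects any CR or LF, which is the minimal fix."""
    if sanitize and ("\r" in location or "\n" in location):
        raise ValueError("CR/LF not allowed in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_responses(raw):
    """Consume a byte stream the way a pipelining client or a proxy does: one response
    after another, each delimited by its own Content-Length. Returns (responses, leftover)
    where each response is (status line, headers dict, body bytes)."""
    responses = []
    while raw.startswith(b"HTTP/"):
        head, _, rest = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, rest[:length]))
        raw = rest[length:]
    return responses, raw


# Constructed attacker input for the redirect target parameter: it terminates the 302's
# headers early and then supplies a complete second response of its own.
INJECTED_BODY = b"<script>alert(1)</script>"
PAYLOAD = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(INJECTED_BODY)}\r\n"
    "\r\n"
) + INJECTED_BODY.decode()


def demo():
    """Run the vulnerable and the fixed builder against PAYLOAD. Returns the responses the
    vulnerable stream splits into and whether the fixed builder rejected the input."""
    split, _leftover = parse_responses(build_redirect(PAYLOAD, sanitize=False))
    try:
        build_redirect(PAYLOAD, sanitize=True)
        rejected = False
    except ValueError:
        rejected = True
    return split, rejected


if __name__ == "__main__":
    split, rejected = demo()
    for status, headers, body in split:
        print(status, headers, body)
    print("fixed builder rejected the payload:", rejected)
```

With sanitize=False the single redirect becomes two responses: the 302 with an empty body, followed by an attacker-authored 200 whose body is the injected script, which is exactly the condition the Response Splitting entry describes as useful with proxies or pipelining. The trailing "Content-Length: 0" from the original template is left over and would be misread as the start of whatever response comes next. Rejecting CR and LF in header values is the minimal fix; mature HTTP libraries already do this (Python's http.client, for instance, raises ValueError on such header values), so the vulnerable builder models hand-rolled or legacy header code.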