My report app v1.1

MyApp

Active, Verified

High (S1)

In the majority of today’s web applications, clients are required to submit forms which can perform sensitive operations. An example of such a form being used would be when an administrator wishes to create a new user for the application. In the simplest version of the form, the administrator would fill-in: * Name * Password * Role (level of access) Continuing with this example, Cross Site Request Forgery (CSRF) would occur when the administrator is tricked into clicking on a link, which if logged into the application, would automatically submit the form without any further interaction. Cyber- criminals will look for sites where sensitive functions are performed in this manner and then craft malicious requests that will be used against clients via a social engineering attack. There are 3 things that are required for a CSRF attack to occur: 1\. The form must perform some sort of sensitive action. 2\. The victim (the administrator the example above) must have an active session. 3\. Most importantly, all parameter values must be known or guessable. Arachni discovered that all parameters within the form were known or predictable and therefore the form could be vulnerable to CSRF. Manual verification may be required to check whether the submission will then perform a sensitive action, such as reset a password, modify user profiles, post content on a forum, etc.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

Based on the risk (determined by manual verification) of whether the form + submission performs a sensitive action, the addition of anti-CSRF tokens may + be required. These tokens can be configured in such a way that each session + generates a new anti-CSRF token or such that each individual request requires + a new token. It is important that the server track and maintain the status of + each token (in order to reject requests accompanied by invalid ones) and + therefore prevent cyber-criminals from knowing, guessing or reusing them. For + examples of framework specific remediation options, please refer to the + references. +  +

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  +  + http://en.wikipedia.org/wiki/Cross-site_request_forgery  +  + http://www.cgisecurity.com/csrf-faq.html +  +

MyApp

Active, Verified

Medium (S2)

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private, and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL), or Transport Layer Security (TLS). When either of these encryption standards are used it is referred to as HTTPS. Cyber-criminals will often attempt to compromise credentials passed from the client to the server using HTTP. This can be conducted via various different Man-in-The-Middle (MiTM) attacks or through network packet captures. Arachni discovered that the affected page contains a password input, however, the value of the field is not sent to the server utilising HTTPS. Therefore it is possible that any submitted credential may become compromised.

No impact provided

http://target:7070:7070/WebGoat/login

The affected site should be secured utilising the latest and most secure + encryption protocols. These include SSL version 3.0 and TLS version 1.2. While + TLS 1.2 is the latest and the most preferred protocol, not all browsers will + support this encryption method. Therefore, the more common SSL is included. + Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should + also be disabled. +  +

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection +  +

MyApp

Active, Verified

Medium (S2)

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private, and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL), or Transport Layer Security (TLS). When either of these encryption standards are used it is referred to as HTTPS. Cyber-criminals will often attempt to compromise credentials passed from the client to the server using HTTP. This can be conducted via various different Man-in-The-Middle (MiTM) attacks or through network packet captures. Arachni discovered that the affected page contains a password input, however, the value of the field is not sent to the server utilising HTTPS. Therefore it is possible that any submitted credential may become compromised.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

The affected site should be secured utilising the latest and most secure + encryption protocols. These include SSL version 3.0 and TLS version 1.2. While + TLS 1.2 is the latest and the most preferred protocol, not all browsers will + support this encryption method. Therefore, the more common SSL is included. + Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should + also be disabled. +  +

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection +  +

MyApp

Active, Verified

Medium (S2)

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private, and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL), or Transport Layer Security (TLS). When either of these encryption standards are used it is referred to as HTTPS. Cyber-criminals will often attempt to compromise credentials passed from the client to the server using HTTP. This can be conducted via various different Man-in-The-Middle (MiTM) attacks or through network packet captures. Arachni discovered that the affected page contains a password input, however, the value of the field is not sent to the server utilising HTTPS. Therefore it is possible that any submitted credential may become compromised.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

The affected site should be secured utilising the latest and most secure + encryption protocols. These include SSL version 3.0 and TLS version 1.2. While + TLS 1.2 is the latest and the most preferred protocol, not all browsers will + support this encryption method. Therefore, the more common SSL is included. + Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should + also be disabled. +  +

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection +  +

MyApp

Active, Verified

Medium (S2)

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private, and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL), or Transport Layer Security (TLS). When either of these encryption standards are used it is referred to as HTTPS. Cyber-criminals will often attempt to compromise credentials passed from the client to the server using HTTP. This can be conducted via various different Man-in-The-Middle (MiTM) attacks or through network packet captures. Arachni discovered that the affected page contains a password input, however, the value of the field is not sent to the server utilising HTTPS. Therefore it is possible that any submitted credential may become compromised.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

The affected site should be secured utilising the latest and most secure + encryption protocols. These include SSL version 3.0 and TLS version 1.2. While + TLS 1.2 is the latest and the most preferred protocol, not all browsers will + support this encryption method. Therefore, the more common SSL is included. + Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should + also be disabled. +  +

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection +  +

MyApp

Active, Verified

Low (S3)

In typical form-based web applications, it is common practice for developers to allow autocomplete within the HTML form to improve the usability of the page. With autocomplete enabled (default), the browser is allowed to cache previously entered form values. For legitimate purposes, this allows the user to quickly re-enter the same data when completing the form multiple times. When autocomplete is enabled on either/both the username and password fields, this could allow a cyber-criminal with access to the victim’s computer the ability to have the victim’s credentials automatically entered as the cyber-criminal visits the affected page. Arachni has discovered that the affected page contains a form containing a password field that has not disabled autocomplete.

No impact provided

http://target:7070:7070/WebGoat/login

The autocomplete value can be configured in two different locations. The + first and most secure location is to disable the autocomplete attribute on + the HTML tag. This will disable autocomplete for all inputs within that + form. An example of disabling autocomplete within the form tag is . The + second slightly less desirable option is to disable the autocomplete + attribute for a specific HTML tag. While this may be the less desired + solution from a security perspective, it may be preferred method for usability + reasons, depending on size of the form. An example of disabling the + autocomplete attribute within a password input tag is . +  +

MyApp

Active, Verified

Low (S3)

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn’t return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

No impact provided

http://target:7070:7070/WebGoat

Configure your web server to include an X-Frame-Options header. +  +

http://tools.ietf.org/html/rfc7034  +  + https://www.owasp.org/index.php/Clickjacking  +  + https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options +  +

MyApp

Active, Verified

Low (S3)

In typical form-based web applications, it is common practice for developers to allow autocomplete within the HTML form to improve the usability of the page. With autocomplete enabled (default), the browser is allowed to cache previously entered form values. For legitimate purposes, this allows the user to quickly re-enter the same data when completing the form multiple times. When autocomplete is enabled on either/both the username and password fields, this could allow a cyber-criminal with access to the victim’s computer the ability to have the victim’s credentials automatically entered as the cyber-criminal visits the affected page. Arachni has discovered that the affected page contains a form containing a password field that has not disabled autocomplete.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

The autocomplete value can be configured in two different locations. The + first and most secure location is to disable the autocomplete attribute on + the HTML tag. This will disable autocomplete for all inputs within that + form. An example of disabling autocomplete within the form tag is . The + second slightly less desirable option is to disable the autocomplete + attribute for a specific HTML tag. While this may be the less desired + solution from a security perspective, it may be preferred method for usability + reasons, depending on size of the form. An example of disabling the + autocomplete attribute within a password input tag is . +  +

MyApp

Active, Verified

Info (S4)

The server responded with a non 200 (OK) nor 404 (Not Found) status code. This is a non-issue, however exotic HTTP response status codes can provide useful insights into the behavior of the web application and assist with the penetration test.

No impact provided

http://target:7070:7070/WebGoat/register.mvc

n/a +  +

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html +  +

MyApp

Active, Verified

Info (S4)

HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated. The use of HTTP cookies within the headers, allows a web server to identify each individual client and can therefore determine which clients hold valid authentication, from those that do not. These are known as session cookies. When a cookie is set by the server (sent the header of an HTTP response) there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser. The HttpOnly flag assists in the prevention of client side-scripts (such as JavaScript) accessing and using the cookie. This can help prevent XSS attacks targeting the cookies holding the client’s session token (setting the HttpOnly flag does not prevent, nor safeguard against XSS vulnerabilities themselves).

No impact provided

http://target:7070:7070/WebGoat/

The initial step to remedy this would be to determine whether any client-side + scripts (such as JavaScript) need to access the cookie and if not, set the + HttpOnly flag. Additionally, it should be noted that some older browsers are + not compatible with the HttpOnly flag, and therefore setting this flag will + not protect those clients against this form of attack. +  +

https://www.owasp.org/index.php/HttpOnly +  +