
AVAINTCON Consulting, 1250 René-Lévesque W, Suite 2200, Montreal, Quebec H3B 4W8

Scan Results Report


Data Information
Type: WAS Scan Result
Author: Robert Woodlock
Company: AVAINTCON Consulting
Generation date: 11 Sep 2012 07:16PM GMT+0000

Settings
Sort Criteria: Sort by descending Severity

Scan Information
Title: Web Application Vulnerability Scan - avaintcon.com
Scan Type: Vulnerability
Launch Mode: Scheduled
Start Date: 08 Sep 2012 06:00AM GMT+0000
End Date: 08 Sep 2012 09:20AM GMT+0000
Web Application: avaintcon.com
Target URL: http://avaintcon.com/
Authentication Record: None
Option Profile: Initial WAS Options

Scan Summary
Security Risk:
Authentication Status: None

Crawling Phase
Crawl Duration: 00:08:27
# Links Crawled: 273
# Links In Queue: 7161

Vulnerability Assessment Phase
Assessment Time: 03:10:31
# Requests: 95,117

Findings By Type

Sensitive Content By Group

Vulnerabilities by Group / Level

Name      XSS   SQL   PATH   INFO
Level 1     6     0      0     10
Level 2     0     0     46      0
Level 3     0     0      0      1
Level 4     0     0      0      0
Level 5     6     0      0      0
Total      12     0     46     11

Vulnerabilities by OWASP

Top WASC Threats

Code      A-1   A-2   A-3   A-4   A-5   A-6   A-7   A-8   A-9   A-10
# Vulns     0    12     0    46     0     1     0    46     0      0

Results

150001 / Cross-Site Scripting (XSS)

Reflected Cross-Site Scripting (XSS) Vulnerabilities

URL: http://avaintcon.com/forums/index.php?app=core&do=search&fromsearch=1&module=search&section=search
CWE IDs: CWE-79
OWASP References: A2: Cross-Site Scripting (XSS)
WASC References: WASC-8: CROSS-SITE SCRIPTING
Vulnerable Parameter: search_app_filters[forums][noPreview]

Description: XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser. Here the XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. To exploit this reflected vulnerability, a malicious user would need to trick a victim into visiting the URL (or submitting the form) with the XSS payload.

Impact: XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as part of a compromise.

Solution: Filter all data collected from the client, including user-supplied content and browser-supplied content such as the Referer and User-Agent headers. Any data collected from the client and displayed in a Web page should be encoded for the context in which it is placed (HTML-encoded in element content and attribute values, URL-encoded when it is written into a URL) so that the content is rendered as text instead of as an HTML element or JavaScript.

Results

Authenticated: No
Form Entry Point: http://avaintcon.com/forums/index.php?app=core&do=search&fromMainBar=1&module=search

Payload :
search_app=forums&search_term=1&andor_type=and&search_content=both&search_tags=1&search_app_filters[core][sortKey]=date&search_author=1&search_app_filters[core][sortDir]=0&search_date_start=1&search_app_filters[forums][sortKey]=date&search_app_filters[forums][forums][]=5&search_app_filters[forums][sortDir]=0&search_app_filters[members][searchInKey]=members&search_app_filters[forums][noPreview]=1%20%3Cscript%3E_q_q%3Drandom()%3C%2Fscript%3E&search_app_filters[members][members][sortKey]=date&search_app_filters[members][members][sortDir]=0&search_app_filters[members][comments][sortKey]=date&search_date_end=1&search_app_filters[forums][pCount]=1&search_app_filters[members][comments][sortDir]=0&search_app_filters[forums][pViews]=1&submit=Search%20Now
Result :
ums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=1 <script>_q_q=random()</script>&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]=1&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/index.php?

Payload :
%00<script>_q=random(@REQUESTID@)</script>
Result :
[sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=<script>_q=random(X157834420Y14Z)</script>&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]=1&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/inde

Payload :
search_app=forums&search_term=1&andor_type=and&search_content=both&search_tags=1&search_app_filters[core][sortKey]=date&search_author=1&search_app_filters[core][sortDir]=0&search_date_start=1&search_app_filters[forums][sortKey]=date&search_app_filters[forums][forums][]=5&search_app_filters[forums][sortDir]=0&search_app_filters[members][searchInKey]=members&search_app_filters[forums][noPreview]=%22'%3E%3Cqqs%20%60%3b!-%3D%26%7b()%7d%3E&search_app_filters[members][members][sortKey]=date&search_app_filters[members][members][sortDir]=0&search_app_filters[members][comments][sortKey]=date&search_date_end=1&search_app_filters[forums][pCount]=1&search_app_filters[members][comments][sortDir]=0&search_app_filters[forums][pViews]=1&submit=Search%20Now
Result :
s[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]="'><qqs `;!-=&{()}>&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]=1&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/index.php?app=cor

Payload :
'%20onEvent=@REQUESTID@%20
Result :
='active'><a href='http://avaintcon.com/forums/index.php?app=core&amp;module=search&amp;do=search&amp;andor_type=and&amp;sid=e6a1fec63d100798fa3b4773043fd7a1&amp;search_author=1&amp;search_date_start=1&amp;search_date_end=1&amp;search_app_filters[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=' onEvent=X1578344

Payload :
"%20onEvent=@REQUESTID@%20
comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
Result :
='active'><a href='http://avaintcon.com/forums/index.php?app=core&amp;module=search&amp;do=search&amp;andor_type=and&amp;sid=d11ef30f7a3e33b8814dc477a250717c&amp;search_author=1&amp;search_date_start=1&amp;search_date_end=1&amp;search_app_filters[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=" onEvent=X1578344

Payload :
search_app=forums&search_term=1&andor_type=and&search_content=both&search_tags=1&search_app_filters[core][sortKey]=date&search_author=1&search_app_filters[core][sortDir]=0&search_date_start=1&search_app_filters[forums][sortKey]=date&search_app_filters[forums][forums][]=5&search_app_filters[forums][sortDir]=0&search_app_filters[members][searchInKey]=members&search_app_filters[forums][noPreview]=%22'%3E%3Cqss%3E&search_app_filters[members][members][sortKey]=date&search_app_filters[members][members][sortDir]=0&search_app_filters[members][comments][sortKey]=date&search_date_end=1&search_app_filters[forums][pCount]=1&search_app_filters[members][comments][sortDir]=0&search_app_filters[forums][pViews]=1&submit=Search%20Now
Result :
filters[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]="'><qss>&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]=1&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/index.php?app=core&amp;

Payload :
"'><qss%20a=@REQUESTID@>
Result :
forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]="'><qss a=X157834420Y14Z>&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]=1&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/index.php?app=

150001 / Cross-Site Scripting (XSS)

Reflected Cross-Site Scripting (XSS) Vulnerabilities

URL: http://avaintcon.com/forums/index.php?app=core&do=search&fromsearch=1&module=search&section=search
CWE IDs: CWE-79
OWASP References: A2: Cross-Site Scripting (XSS)
WASC References: WASC-8: CROSS-SITE SCRIPTING
Vulnerable Parameter: search_app_filters[forums][pViews]

Description, Impact and Solution: identical to the preceding 150001 finding (same QID, different parameter).

Results

Authenticated: No
Form Entry Point: http://avaintcon.com/forums/index.php?app=core&do=search&fromMainBar=1&module=search

Payload :
"%20onEvent=@REQUESTID@%20
comment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
Result :
='active'><a href='http://avaintcon.com/forums/index.php?app=core&amp;module=search&amp;do=search&amp;andor_type=and&amp;sid=cac440f35c9bc195cecc12b2faf8d522&amp;search_author=1&amp;search_date_start=1&amp;search_date_end=1&amp;search_app_filters[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=1&amp;search_app_f

Payload :
"'><qss%20a=@REQUESTID@>
Result :
ters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=1&amp;search_app_filters[forums][pCount]=1&amp;search_app_filters[forums][pViews]="'><qss a=X157834420Y21Z>&amp;search_app_filters[forums][searchInKey]=&amp;search_term=1&amp;search_app=forums'>Forums</a></li><li ><a href='http://avaintcon.com/forums/index.php?app=core&amp;module=search&amp;do=search&amp;andor_type=and&amp;sid=53cf79908af7130e60

Payload :
'%20onEvent=@REQUESTID@%20
Result :
='active'><a href='http://avaintcon.com/forums/index.php?app=core&amp;module=search&amp;do=search&amp;andor_type=and&amp;sid=69a301938ebcc64e831355c0413a083f&amp;search_author=1&amp;search_date_start=1&amp;search_date_end=1&amp;search_app_filters[forums][sortKey]=date&amp;search_content=both&amp;search_tags=1&amp;search_app_filters[forums][sortKey]=date&amp;search_app_filters[forums][forums][]=5&amp;search_app_filters[forums][sortDir]=0&amp;search_app_filters[forums][noPreview]=1&amp;search_app_f

Payload :
search_app=forums&search_term=1&andor_type=and&search_content=both&search_tags=1&search_app_filters[core][sortKey]=date&search_author=1&search_app_filters[core][sortDir]=0&search_date_start=1&search_app_filters[forums][sortKey]=date&search_app_filters[forums][forums][]=5&search_app_filters[forums][sortDir]=0&search_app_filters[members][searchInKey]=members&search_app_filters[forums][noPreview]=1&search_app_filters[members][members][sortKey]=date&search_app_filters[members][members][sortDir]=0&search_app_filters[members][comments][sortKey]=date&search_date_end=1&search_app_filters[forums][pCount]=1&search_app_filters[members][comments][sortDir]=0&search_app_filters[forums][pViews]=1%20%3Cscript%3E_
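Both 150001 findings show the filter value reflected inside the href of the "Forums" navigation link, and the `"%20onEvent=...` results carry the scanner's note that the payload appeared in the page but did not change the DOM. The block below is an added example, not code from the report or from the scanned forum software. It reconstructs that reflection point as a hypothetical template, renders the same link with the context-appropriate encoding the Solution prescribes, and replays the report's payloads against both renderings with a check that separates a raw echo from an actual element or attribute injection. The template, the function names and the use of X157834420Y14Z / X1578344 in place of the scanner's @REQUESTID@ marker are assumptions; only the parameter names and payloads come from the report.

```python
"""Context-aware output encoding for a value reflected into an href, plus a
DOM-based check in the spirit of the scanner's "payload appeared but DOM not
modified" comment. Hypothetical reconstruction; not the application's code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

BASE = "http://avaintcon.com/forums/index.php"
FILTER_PREFIX = "search_app_filters[forums]"        # parameter family from the report


def render_nav_link_vulnerable(filters):
    """Builds the 'Forums' tab link the way the Result fragments suggest: filter
    values concatenated into a single-quoted href, with '&' written as '&amp;'
    but quotes, '<' and '>' left untouched (the CWE-79 pattern)."""
    parts = ["app=core", "module=search", "do=search"]
    for name, value in filters.items():
        parts.append("%s[%s]=%s" % (FILTER_PREFIX, name, value))   # raw value
    return "<li><a href='%s?%s'>Forums</a></li>" % (BASE, "&amp;".join(parts))


def render_nav_link_fixed(filters):
    """Same link, encoded once per context: the value is percent-encoded as a
    query-string component (so ' " < > = and spaces cannot survive), then the
    whole query is HTML-escaped for the attribute it sits in."""
    params = {"app": "core", "module": "search", "do": "search"}
    for name, value in filters.items():
        params["%s[%s]" % (FILTER_PREFIX, name)] = value
    query = urlencode(params)                        # %27 %22 %3C %3E %3D and '+'
    return "<li><a href='%s?%s'>Forums</a></li>" % (BASE, html.escape(query, quote=True))


class _MarkerFinder(HTMLParser):
    """Records elements and attributes that only a successful breakout can create."""
    MARKER_TAGS = {"script", "qss", "qqs"}           # tag names used by the payloads

    def __init__(self):
        super().__init__()
        self.injected_tags = []
        self.injected_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag in self.MARKER_TAGS:
            self.injected_tags.append(tag)
        for name, _value in attrs:
            if name == "onevent":                    # html.parser lowercases attribute names
                self.injected_attrs.append((tag, name))


def assess(render, parameter, payload):
    """Returns (reflected, dom_modified): whether the raw payload text is present
    in the response at all, and whether parsing the response yields a marker
    element or attribute, i.e. the payload escaped the attribute value."""
    doc = render({"noPreview": "1", "pViews": "1", parameter: payload})
    finder = _MarkerFinder()
    finder.feed(doc)
    finder.close()
    return payload in doc, bool(finder.injected_tags or finder.injected_attrs)


# Payloads from the Result sections above (decoded), with the scanner's request
# marker already substituted. Constructed test input for this example.
PAYLOADS = {
    "noPreview": ["\"'><qss a=X157834420Y14Z>", "' onEvent=X1578344 "],
    "pViews": ["\"'><qss a=X157834420Y21Z>"],
}

if __name__ == "__main__":
    for parameter, payloads in PAYLOADS.items():
        for payload in payloads:
            for label, render in (("vulnerable", render_nav_link_vulnerable),
                                  ("fixed", render_nav_link_fixed)):
                reflected, modified = assess(render, parameter, payload)
                print("%-9s %-10s %-28r reflected=%s dom_modified=%s"
                      % (parameter, label, payload, reflected, modified))
```

Against the vulnerable rendering every payload is both reflected and produces a new `qss` element or an `onevent` attribute on the `<a>` tag; against the fixed rendering the payload is neither reflected verbatim nor visible to the parser as markup, because the quote that would close the href is now `%27` and the `&` that follows is `&amp;`. Note that the check only fires when the parsed DOM changes, so a value such as `1` that is legitimately echoed is not reported; that is exactly the distinction the scanner's comment asks a reviewer to confirm by hand, and in this reconstruction the `'%20onEvent` payload does turn into a real attribute.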
