Professional Documents
Culture Documents
Owasp Zap Scanner Output 2024-02-29
Owasp Zap Scanner Output 2024-02-29
Target: https://paavaierp.com/paavaipay/
All scanned sites: https://paavaierp.com
Summary of Alerts
High 0
Medium 3
Low 7
Informational 4
Alerts
Passing Rules
Generated by HostedScan
Private IP Disclosure Passive MEDIUM -
Session ID in URL Rewrite Passive MEDIUM -
Insecure JSF ViewState Passive MEDIUM -
Vulnerable JS Library (Powered by Retire.js) Passive MEDIUM -
Charset Mismatch Passive MEDIUM -
Cookie No HttpOnly Flag Passive MEDIUM -
Content-Type Header Missing Passive MEDIUM -
Application Error Disclosure Passive MEDIUM -
Information Disclosure - Debug Error Messages Passive MEDIUM -
Information Disclosure - Sensitive Information in URL Passive MEDIUM -
Information Disclosure - Sensitive Information in HTTP Referrer Header Passive MEDIUM -
Information Disclosure - Suspicious Comments Passive MEDIUM -
Open Redirect Passive MEDIUM -
Cookie Poisoning Passive MEDIUM -
User Controllable Charset Passive MEDIUM -
WSDL File Detection Passive MEDIUM -
Loosely Scoped Cookie Passive MEDIUM -
Viewstate Passive MEDIUM -
Directory Browsing Passive MEDIUM -
Heartbleed OpenSSL Vulnerability (Indicative) Passive MEDIUM -
X-Backend-Server Header Information Leak Passive MEDIUM -
Secure Pages Include Mixed Content Passive MEDIUM -
HTTP to HTTPS Insecure Transition in Form Post Passive MEDIUM -
HTTPS to HTTP Insecure Transition in Form Post Passive MEDIUM -
User Controllable JavaScript Event (XSS) Passive MEDIUM -
Big Redirect Detected (Potential Sensitive Information Leak) Passive MEDIUM -
Retrieved from Cache Passive MEDIUM -
X-ChromeLogger-Data (XCOLD) Header Information Leak Passive MEDIUM -
Cookie without SameSite Attribute Passive MEDIUM -
CSP Passive MEDIUM -
X-Debug-Token Information Leak Passive MEDIUM -
Username Hash Found Passive MEDIUM -
PII Disclosure Passive MEDIUM -
Script Passive Scan Rules Passive MEDIUM -
Stats Passive Scan Rule Passive MEDIUM -
Timestamp Disclosure Passive MEDIUM -
Hash Disclosure Passive MEDIUM -
Cross-Domain Misconfiguration Passive MEDIUM -
Weak Authentication Method Passive MEDIUM -
Reverse Tabnabbing Passive MEDIUM -
Modern Web Application Passive MEDIUM -
Alert Detail
Generated by HostedScan
Medium Absence of Anti-CSRF Tokens
No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to
perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack
is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS,
CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused
deputy, and sea surf.
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose
information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS
can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence <form method="post" action="./" id="form1">
URL https://paavaierp.com/paavaipay/
Method POST
Parameter
Attack
Evidence <form method="post" action="./" id="form1">
Instances 2
Solution Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
Phase: Implementation
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable
(CWE-330).
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended
to perform that operation.
Generated by HostedScan
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may
have disabled sending the Referer for privacy reasons.
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Reference
https://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Plugin Id 10202
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/robots.txt
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/sitemap.xml
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Generated by HostedScan
Parameter
Attack
Evidence
Instances 6
Solution Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://www.w3.org/TR/CSP/
Reference https://w3c.github.io/webappsec-csp/
https://web.dev/articles/csp
https://caniuse.com/#feat=contentsecuritypolicy
https://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038
URL https://paavaierp.com/paavaipay/
Method GET
Parameter x-frame-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter x-frame-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter x-frame-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter x-frame-options
Attack
Evidence
Instances 4
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your
site/app.
Solution
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Generated by HostedScan
CWE Id 1021
WASC Id 15
Plugin Id 10020
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence Set-Cookie: ASP.NET_SessionId
Instances 1
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag
Solution
is set for cookies containing such sensitive information.
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-
Reference
Testing_for_Cookies_Attributes.html
CWE Id 614
WASC Id 13
Plugin Id 10011
URL https://paavaierp.com/paavaipay/
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
Attack
Evidence <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
URL https://paavaierp.com/paavaipay/
Method GET
Parameter https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js
Attack
Evidence <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js"></script>
URL https://paavaierp.com/paavaipay/
Method POST
Parameter https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
Attack
Evidence <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
URL https://paavaierp.com/paavaipay/
Method POST
Parameter https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js
Attack
Evidence <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.13/js/select2.min.js"></script>
Generated by HostedScan
Instances 4
Solution Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
Reference
CWE Id 829
WASC Id 15
Plugin Id 10017
Low Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers
Description
identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/ScriptResource.axd?d=3-jcMy4j5U6S08XPVYh3zsyXvFiZWKPI8HShS-
URL 60mZe767XJvLLbeBiv13b_DnHpZmkom49pKuV4BOKcCc_KhRU-HuYQSm4AeSQ-IwVZUgRVaBDk09sv-
mehTz0heDUR6qXhpFnoH9NMLt5zxgG0Vw2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/ScriptResource.axd?d=JI9ntrl7F0Y-29ejiQIu08E5lYAYVWBBixmyaduCfFKyKWrgEcGgh71MB0YpqWspcuZM4n2OzE-
URL
olBNHoxW574ilmEAT4ObFfYD39itrE8xxIyKCoNqZlDArYQ_lvHMmXiH7ctq16snQXAf-2Oq2vQ2&t=ffffffffe4ec58b9
Method GET
Parameter
Generated by HostedScan
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/ScriptResource.axd?d=qXiWEEfKGmd8Tzj56bggEQgrxziaT1-rfH0vGVpbZBEX01jQMs-
URL
uyvcKlAS3HMRbfpAX7LBzYFJFRB9AlWu8N0Ct4e8me0ei6RfIkhDxAKo0fVHiln5EPscZDBnuF3j5DpGWN3lPTnTieaLJwbuwbA2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/ScriptResource.axd?d=x8O4UuishFSc4f4L3wA6frO_VgzpcVG48i_-
URL kv6UsE2OqiWcXDQPz1y_HYULdAsTGT_cM1xVZmACNan5s2u-
l95tXvMqItiWAr4OAddBdMS7H4tG7Fl6FjGQbO5JRBJ6pdMyyYBgpJ9r3Ob7V4zxqK75twuUyNK1zG8FntZxCFo1&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
https://paavaierp.com/paavaipay/WebResource.axd?d=znbxMyHTMwNWgoaBzqNj0eBtz5uQn-iUxyXBgLosfgjhEUsd85uG-
URL
ErpKKIQ4tIj7yApkDwvknMiPCm5WDR9-w_OVPQZa5m_-W7jNP0TyFc1&t=638060023484664551
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://paavaierp.com/robots.txt
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://paavaierp.com/sitemap.xml
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://paavaierp.com/paavaipay/
Method POST
Parameter
Attack
Evidence X-Powered-By: ASP.NET
Generated by HostedScan
Instances 13
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-
Reference Fingerprint_Web_Application_Framework
https://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10037
Low Server Leaks Version Information via "Server" HTTP Response Header Field
The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying
Description
other vulnerabilities your web/application server is subject to.
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/ScriptResource.axd?d=3-jcMy4j5U6S08XPVYh3zsyXvFiZWKPI8HShS-
URL 60mZe767XJvLLbeBiv13b_DnHpZmkom49pKuV4BOKcCc_KhRU-HuYQSm4AeSQ-IwVZUgRVaBDk09sv-
mehTz0heDUR6qXhpFnoH9NMLt5zxgG0Vw2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/ScriptResource.axd?d=JI9ntrl7F0Y-29ejiQIu08E5lYAYVWBBixmyaduCfFKyKWrgEcGgh71MB0YpqWspcuZM4n2OzE-
URL
olBNHoxW574ilmEAT4ObFfYD39itrE8xxIyKCoNqZlDArYQ_lvHMmXiH7ctq16snQXAf-2Oq2vQ2&t=ffffffffe4ec58b9
Method GET
Generated by HostedScan
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/ScriptResource.axd?d=qXiWEEfKGmd8Tzj56bggEQgrxziaT1-rfH0vGVpbZBEX01jQMs-
URL
uyvcKlAS3HMRbfpAX7LBzYFJFRB9AlWu8N0Ct4e8me0ei6RfIkhDxAKo0fVHiln5EPscZDBnuF3j5DpGWN3lPTnTieaLJwbuwbA2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/ScriptResource.axd?d=x8O4UuishFSc4f4L3wA6frO_VgzpcVG48i_-
URL kv6UsE2OqiWcXDQPz1y_HYULdAsTGT_cM1xVZmACNan5s2u-
l95tXvMqItiWAr4OAddBdMS7H4tG7Fl6FjGQbO5JRBJ6pdMyyYBgpJ9r3Ob7V4zxqK75twuUyNK1zG8FntZxCFo1&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
https://paavaierp.com/paavaipay/WebResource.axd?d=znbxMyHTMwNWgoaBzqNj0eBtz5uQn-iUxyXBgLosfgjhEUsd85uG-
URL
ErpKKIQ4tIj7yApkDwvknMiPCm5WDR9-w_OVPQZa5m_-W7jNP0TyFc1&t=638060023484664551
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
URL https://paavaierp.com/robots.txt
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
URL https://paavaierp.com/sitemap.xml
Method GET
Parameter
Attack
Evidence Microsoft-IIS/10.0
URL https://paavaierp.com/paavaipay/
Method POST
Parameter
Attack
Generated by HostedScan
Evidence Microsoft-IIS/10.0
Instances 13
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
https://httpd.apache.org/docs/current/mod/core.html#servertokens
Reference https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)
https://www.troyhunt.com/shhh-dont-let-your-response-headers/
CWE Id 200
WASC Id 13
Plugin Id 10036
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=3-jcMy4j5U6S08XPVYh3zsyXvFiZWKPI8HShS-
URL 60mZe767XJvLLbeBiv13b_DnHpZmkom49pKuV4BOKcCc_KhRU-HuYQSm4AeSQ-IwVZUgRVaBDk09sv-
mehTz0heDUR6qXhpFnoH9NMLt5zxgG0Vw2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=JI9ntrl7F0Y-29ejiQIu08E5lYAYVWBBixmyaduCfFKyKWrgEcGgh71MB0YpqWspcuZM4n2OzE-
URL
olBNHoxW574ilmEAT4ObFfYD39itrE8xxIyKCoNqZlDArYQ_lvHMmXiH7ctq16snQXAf-2Oq2vQ2&t=ffffffffe4ec58b9
Generated by HostedScan
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=qXiWEEfKGmd8Tzj56bggEQgrxziaT1-rfH0vGVpbZBEX01jQMs-
URL
uyvcKlAS3HMRbfpAX7LBzYFJFRB9AlWu8N0Ct4e8me0ei6RfIkhDxAKo0fVHiln5EPscZDBnuF3j5DpGWN3lPTnTieaLJwbuwbA2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=x8O4UuishFSc4f4L3wA6frO_VgzpcVG48i_-
URL kv6UsE2OqiWcXDQPz1y_HYULdAsTGT_cM1xVZmACNan5s2u-
l95tXvMqItiWAr4OAddBdMS7H4tG7Fl6FjGQbO5JRBJ6pdMyyYBgpJ9r3Ob7V4zxqK75twuUyNK1zG8FntZxCFo1&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Method GET
Parameter
Attack
Evidence
https://paavaierp.com/paavaipay/WebResource.axd?d=znbxMyHTMwNWgoaBzqNj0eBtz5uQn-iUxyXBgLosfgjhEUsd85uG-
URL
ErpKKIQ4tIj7yApkDwvknMiPCm5WDR9-w_OVPQZa5m_-W7jNP0TyFc1&t=638060023484664551
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/robots.txt
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/sitemap.xml
Method GET
Parameter
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter
Generated by HostedScan
Attack
Evidence
Instances 13
Solution Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers
Reference https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://caniuse.com/stricttransportsecurity
https://datatracker.ietf.org/doc/html/rfc6797
CWE Id 319
WASC Id 15
Plugin Id 10035
URL https://paavaierp.com/paavaipay/
Method GET
Parameter
Attack
Evidence 4.0.30319
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter
Attack
Evidence 4.0.30319
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/ScriptResource.axd?d=3-jcMy4j5U6S08XPVYh3zsyXvFiZWKPI8HShS-
URL 60mZe767XJvLLbeBiv13b_DnHpZmkom49pKuV4BOKcCc_KhRU-HuYQSm4AeSQ-IwVZUgRVaBDk09sv-
mehTz0heDUR6qXhpFnoH9NMLt5zxgG0Vw2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence 4.0.30319
Generated by HostedScan
URL https://paavaierp.com/paavaipay/ScriptResource.axd?d=JI9ntrl7F0Y-29ejiQIu08E5lYAYVWBBixmyaduCfFKyKWrgEcGgh71MB0YpqWspcuZM4n2OzE-
olBNHoxW574ilmEAT4ObFfYD39itrE8xxIyKCoNqZlDArYQ_lvHMmXiH7ctq16snQXAf-2Oq2vQ2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/ScriptResource.axd?d=qXiWEEfKGmd8Tzj56bggEQgrxziaT1-rfH0vGVpbZBEX01jQMs-
URL
uyvcKlAS3HMRbfpAX7LBzYFJFRB9AlWu8N0Ct4e8me0ei6RfIkhDxAKo0fVHiln5EPscZDBnuF3j5DpGWN3lPTnTieaLJwbuwbA2&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/ScriptResource.axd?d=x8O4UuishFSc4f4L3wA6frO_VgzpcVG48i_-
URL kv6UsE2OqiWcXDQPz1y_HYULdAsTGT_cM1xVZmACNan5s2u-
l95tXvMqItiWAr4OAddBdMS7H4tG7Fl6FjGQbO5JRBJ6pdMyyYBgpJ9r3Ob7V4zxqK75twuUyNK1zG8FntZxCFo1&t=ffffffffe4ec58b9
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Method GET
Parameter
Attack
Evidence 4.0.30319
https://paavaierp.com/paavaipay/WebResource.axd?d=znbxMyHTMwNWgoaBzqNj0eBtz5uQn-iUxyXBgLosfgjhEUsd85uG-
URL
ErpKKIQ4tIj7yApkDwvknMiPCm5WDR9-w_OVPQZa5m_-W7jNP0TyFc1&t=638060023484664551
Method GET
Parameter
Attack
Evidence 4.0.30319
URL https://paavaierp.com/paavaipay/
Method POST
Parameter
Attack
Evidence 4.0.30319
Instances 11
Solution Configure the server so it will not return those headers.
https://www.troyhunt.com/shhh-dont-let-your-response-headers/
Reference
https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
CWE Id 933
WASC Id 14
Plugin Id 10061
Generated by HostedScan
Low X-Content-Type-Options Header Missing
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-
Description sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
URL https://paavaierp.com/paavaipay/
Method GET
Parameter x-content-type-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter x-content-type-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=3-jcMy4j5U6S08XPVYh3zsyXvFiZWKPI8HShS-
URL 60mZe767XJvLLbeBiv13b_DnHpZmkom49pKuV4BOKcCc_KhRU-HuYQSm4AeSQ-IwVZUgRVaBDk09sv-
mehTz0heDUR6qXhpFnoH9NMLt5zxgG0Vw2&t=ffffffffe4ec58b9
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=JI9ntrl7F0Y-29ejiQIu08E5lYAYVWBBixmyaduCfFKyKWrgEcGgh71MB0YpqWspcuZM4n2OzE-
URL
olBNHoxW574ilmEAT4ObFfYD39itrE8xxIyKCoNqZlDArYQ_lvHMmXiH7ctq16snQXAf-2Oq2vQ2&t=ffffffffe4ec58b9
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=qXiWEEfKGmd8Tzj56bggEQgrxziaT1-rfH0vGVpbZBEX01jQMs-
URL
uyvcKlAS3HMRbfpAX7LBzYFJFRB9AlWu8N0Ct4e8me0ei6RfIkhDxAKo0fVHiln5EPscZDBnuF3j5DpGWN3lPTnTieaLJwbuwbA2&t=ffffffffe4ec58b9
Method GET
Parameter x-content-type-options
Generated by HostedScan
Attack
Evidence
https://paavaierp.com/paavaipay/ScriptResource.axd?d=x8O4UuishFSc4f4L3wA6frO_VgzpcVG48i_-
URL kv6UsE2OqiWcXDQPz1y_HYULdAsTGT_cM1xVZmACNan5s2u-
l95tXvMqItiWAr4OAddBdMS7H4tG7Fl6FjGQbO5JRBJ6pdMyyYBgpJ9r3Ob7V4zxqK75twuUyNK1zG8FntZxCFo1&t=ffffffffe4ec58b9
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Method GET
Parameter x-content-type-options
Attack
Evidence
https://paavaierp.com/paavaipay/WebResource.axd?d=znbxMyHTMwNWgoaBzqNj0eBtz5uQn-iUxyXBgLosfgjhEUsd85uG-
URL
ErpKKIQ4tIj7yApkDwvknMiPCm5WDR9-w_OVPQZa5m_-W7jNP0TyFc1&t=638060023484664551
Method GET
Parameter x-content-type-options
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter x-content-type-options
Attack
Evidence
Instances 11
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web
pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by
the web application/web server to not perform MIME-sniffing.
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021
URL https://paavaierp.com/paavaipay/
Method POST
Parameter rblOnlineAppLoginMode
Attack
Generated by HostedScan
Evidence txtpassword
Instances 1
Solution This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/
CWE Id
WASC Id
Plugin Id 10111
URL https://paavaierp.com/paavaipay/
Method GET
Parameter cache-control
Attack
Evidence private
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter cache-control
Attack
Evidence private
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter cache-control
Attack
Evidence private
URL https://paavaierp.com/paavaipay/
Method POST
Parameter cache-control
Attack
Evidence private
Instances 4
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the
Solution
directives "public, max-age, immutable".
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id 525
WASC Id 13
Plugin Id 10015
Generated by HostedScan
Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will
change the session management to use the tokens identified.
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence 5fdn0vdz3kbyqo0rkeqtoz3a
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence gvph254gbwdk140k44mk0yxk
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence i0dpc5nbowofomx0t35sxdkz
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence mfwvin2gzxmy3lsui5w2h1dd
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence y1slvcwhumvxtqhfjtmwinfk
URL https://paavaierp.com/favicon.ico
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence 5fdn0vdz3kbyqo0rkeqtoz3a
URL https://paavaierp.com/favicon.ico
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence gvph254gbwdk140k44mk0yxk
URL https://paavaierp.com/favicon.ico
Method GET
Parameter ASP.NET_SessionId
Generated by HostedScan
Attack
Evidence mfwvin2gzxmy3lsui5w2h1dd
URL https://paavaierp.com/paavaipay/
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence gvph254gbwdk140k44mk0yxk
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence gvph254gbwdk140k44mk0yxk
URL https://paavaierp.com/paavaipay/Handler.ashx
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence i0dpc5nbowofomx0t35sxdkz
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence gvph254gbwdk140k44mk0yxk
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence i0dpc5nbowofomx0t35sxdkz
URL https://paavaierp.com/paavaipay/Handler6.ashx
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence y1slvcwhumvxtqhfjtmwinfk
https://paavaierp.com/paavaipay/ScriptResource.axd?d=c-lsySMsiEQGnQ-JYSnm8WJ-
URL x72vn8GTGF6_4rU02PRP7E6tvEn7zdIuLtudBZpwldFQkacFePr2xRNJhNY_mwvQQQJD-
uDfciQrBKWBzyB7Vm37jf0gti3uRXcI3A3RnNOrz6nT4rtuIaGOuwDHQg2&t=ffffffffe4ec58b9
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence y1slvcwhumvxtqhfjtmwinfk
https://paavaierp.com/paavaipay/WebResource.axd?
URL d=VknKo04Z8R7dKv8swXnZ1g2caaU_CTyJ0YYl_LJBz0mvmAs0lKvvgdaBQdBZzzBDOU2Hhvg32wcQda3n1Zao0NjffDPF5EtOJAg60Gck1Lw1&t=63806002348
4664551
Generated by HostedScan
Method GET
Parameter ASP.NET_SessionId
Attack
Evidence y1slvcwhumvxtqhfjtmwinfk
Instances 16
Solution This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id
CWE Id
WASC Id
Plugin Id 10112
URL https://paavaierp.com/paavaipay/
Method POST
Parameter __EVENTVALIDATION
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter __VIEWSTATE
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter __VIEWSTATEGENERATOR
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter Button1
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Parameter Button1
Attack
Evidence
URL https://paavaierp.com/paavaipay/
Method POST
Generated by HostedScan
Parameter txtuname
Attack
Evidence
Instances 6
Solution Validate all input and sanitize output it before writing to any HTML attributes.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
CWE Id 20
WASC Id 20
Plugin Id 10031
Generated by HostedScan