Scribd Logo
Upload

Welcome to Scribd!

  • 18K views

    GSC - Demo - Testfire Security Report PDF

    Uploaded by

    Anonymous QPhFTEII62
    The summary provides high level information about the key findings from the security scan in 3 sentences: The scan found 12 total issues - 3 high severity SQL injection issues, 3 low severity database error pattern issues, and 6 informational application error issues. The SQL injection issues and database error pattern issues allowed accessing and modifying database entries. The application error issues exposed debugging information due to missing input validation and parameter checking. All 12 issues were found on a single URL handling funds transfers.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    GSC - Demo - Testfire Security Report PDF

    Uploaded by

    Anonymous QPhFTEII62
    18K views12 pages
    The summary provides high level information about the key findings from the security scan in 3 sentences: The scan found 12 total issues - 3 high severity SQL injection issues, 3 low severity database error pattern issues, and 6 informational application error issues. The SQL injection issues and database error pattern issues allowed accessing and modifying database entries. The application error issues exposed debugging information due to missing input validation and parameter checking. All 12 issues were found on a single URL handling funds transfers.

    Original Title

    GSC_demo.testfire Security Report.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The summary provides high level information about the key findings from the security scan in 3 sentences: The scan found 12 total issues - 3 high severity SQL injection issues, 3 low severity database error pattern issues, and 6 informational application error issues. The SQL injection issues and database error pattern issues allowed accessing and modifying database entries. The application error issues exposed debugging information due to missing input validation and parameter checking. All 12 issues were found on a single URL handling funds transfers.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    18K views12 pages

    GSC - Demo - Testfire Security Report PDF

    Uploaded by

    Anonymous QPhFTEII62
    The summary provides high level information about the key findings from the security scan in 3 sentences: The scan found 12 total issues - 3 high severity SQL injection issues, 3 low severity database error pattern issues, and 6 informational application error issues. The SQL injection issues and database error pattern issues allowed accessing and modifying database entries. The application error issues exposed debugging information due to missing input validation and parameter checking. All 12 issues were found on a single URL handling funds transfers.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 12

    Web Application Report

    This report includes important security information about your web


    application.

    Security Report
    This report was created by IBM Security AppScan Standard 9.0.3.2, Rules: 3488
    Scan started: 3/9/2015 10:59:00 AM

    Table of Contents
    Introduction
    General Information
    Login Settings

    Summary
    Issue Types
    Vulnerable URLs
    Fix Recommendations
    Security Risks
    Causes
    WASC Threat Classification

    Issues Sorted by Issue Type


    SQL Injection 3
    Database Error Pattern Found
    Application Error 6

    11/05/2016

    Introduction
    This report contains the results of a web application security scan performed by IBM Security AppScan Standard.
    High severity issues:

    Low severity issues:


    Informational severity issues:

    3
    6

    Total security issues included in the report: 12


    Total security issues discovered in the scan: 12

    General Information
    Scan file name:

    GSC_demo.testfire

    Scan started:

    3/9/2015 10:59:00 AM

    Test policy:

    Web Services(Modified)

    Host

    demo.testfire.net

    Operating system: Win32


    Web server:

    IIS

    Application server: Any

    Login Settings
    Login method:

    Recorded login

    Concurrent logins:

    Enabled

    JavaScript execution:

    Disabled

    In-session detection:

    Enabled

    In-session pattern:
    Tracked or session ID cookies:
    Tracked or session ID parameters:
    Login sequence:

    11/05/2016

    Summary
    Issue Types

    TOC

    Issue Type

    Number of Issues

    H SQL Injection

    L Database Error Pattern Found

    I Application Error

    Vulnerable URLs

    TOC

    URL

    Number of Issues

    H https://demo.testfire.net/transfer/transfer.asmx

    Fix Recommendations

    12

    TOC

    Remediation Task

    Number of Issues

    H Review possible solutions for hazardous character injection

    L Verify that parameter values are in their expected ranges and types.
    Do not output debugging error messages and exceptions

    Security Risks

    TOC

    Risk

    Number of Issues

    H It is possible to view, modify or delete database entries and tables

    I It is possible to gather sensitive debugging information

    11/05/2016

    Causes

    TOC

    Cause

    Number of Issues

    H Sanitation of hazardous characters was not performed correctly on


    user input

    I Proper bounds checking were not performed on incoming parameter


    values

    I No validation was done in order to make sure that user input matches 6
    the data type expected

    WASC Threat Classification

    TOC

    Threat

    Number of Issues

    Information Leakage

    SQL Injection

    11/05/2016

    Issues Sorted by Issue Type


    SQL Injection

    Issue 1 of 3

    TOC

    TOC

    SQL Injection
    Severity:

    High

    CVSS Score: 9,7


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails (Parameter)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    Issue 2 of 3

    11/05/2016

    TOC

    SQL Injection
    Severity:

    High

    CVSS Score: 9,7


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->debitAccount (Parameter)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    Issue 3 of 3

    TOC

    SQL Injection
    Severity:

    High

    CVSS Score: 9,7


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->creditAccount (Parameter)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    11/05/2016

    Database Error Pattern Found

    Issue 1 of 3

    TOC

    TOC

    Database Error Pattern Found


    Severity:

    Low

    CVSS Score: 5,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails (Global)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    Issue 2 of 3

    TOC

    Database Error Pattern Found


    Severity:

    Low

    CVSS Score: 5,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->debitAccount (Global)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    11/05/2016

    Issue 3 of 3

    TOC

    Database Error Pattern Found


    Severity:

    Low

    CVSS Score: 5,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->creditAccount (Global)

    Risk:

    It is possible to view, modify or delete database entries and tables

    Causes:

    Sanitation of hazardous characters was not performed correctly on user input

    Fix:

    Review possible solutions for hazardous character injection


    Reasoning: The test result seems to indicate a vulnerability because the response contains SQL Server
    errors. This suggests that the test managed to penetrate the application and reach the SQL
    query itself, by injecting hazardous characters.

    11/05/2016

    Application Error

    Issue 1 of 6

    TOC

    TOC

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->creditAccount (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    Issue 2 of 6

    TOC

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    11/05/2016

    Issue 3 of 6

    TOC

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    Issue 4 of 6

    TOC

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->transferDate (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    Issue 5 of 6

    11/05/2016

    TOC

    10

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->transferAmount (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    Issue 6 of 6

    TOC

    Application Error
    Severity:

    Informational

    CVSS Score: 0,0


    URL:

    https://demo.testfire.net/transfer/transfer.asmx

    Entity:

    ->Envelope->Body->TransferBalance->transDetails->debitAccount (Parameter)

    Risk:

    It is possible to gather sensitive debugging information

    Causes:

    Proper bounds checking were not performed on incoming parameter values


    No validation was done in order to make sure that user input matches the data type expected

    Fix:

    Verify that parameter values are in their expected ranges and types. Do not output debugging error
    messages and exceptions
    Reasoning: The application has responded with an error message, indicating an undefined state that
    may expose sensitive information.

    11/05/2016

    11

    You might also like