PhpSysInfo is a customizable PHP script that displays information about the system.

The scanner detected the usage of PhpSysInfo on the target application.

This is an informational plugin to inform the user that the scanner detected that the target application handles specific HTTP headers as hop-by-hop headers.

This is an informational plugin to inform the user that the scanner detected the presence of one or multiple virtual hosts on the target server.

HTML5 WebSockets allow developers to create bi-directionnal communication channels between clients (usually web browsers) and servers. To initialize the communication, the WebSocket protocol requires a handshake performed with the HTTP protocol to ugprade the communication. When a web application only leverage on the client cookies to authenticate its users, a remote and unauthenticated could initiate a WebSocket handhsake from a malicious page to force the victim to authenticate against the target, therefore gaining access to the WebSocket traffic exchanged between the victim user and the target web application.

Express.js applications with Cookie-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Express.js applications with Express-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Pyramid applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Flask applications use an application key to encrypt and sign various data, including session cookies and other sensitive information.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

This is an informational plugin to inform the user that the scanner has detected the usage of Service Worker on the target web application.

This is an informational plugin to inform the user that the scanner has detected the usage of WebSockets on the target web application.

Web applications heavily rely on external resources such as JavaScript files, Cascading Style Sheets (CSS) or images. When an application uses links which targets external resources which do not exist, an attacker could try gaining control over this resource to inject code in the target web application or get application users traffic on their malicious servers.

Supply chain attacks occur when one or more dependencies of an application are compromised, making the malicious code being shipped to the web application and, allowing threat actors to perform various operations depending on the logic of the code being altered like credentials stealing or application backdooring.

By default, PHP accepts a maximum of 1000 variables in a request. If there are more input variables than specified, an E_WARNING is issued, and further input variables are truncated from the request depending on server configuration and application code, this can have various impacts such as bypassing function call.

PHP versions 5.0.0 < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 is affected by a vulnerability allowing an unauthenticated attacker to execute remote code via a specially forged request only when PHP is installed with Apache2 and PHP-CGI on Windows with certain languages (code pages).

Concrete CMS installed on the remote host is configured to operate in debug mode. While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

Concrete CMS Login Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Unrestricted file upload vulnerability occurs when the application suffers from a lack of validation of files being uploaded to its filesystem. When an attacker is able to upload files not matching the application expectations in terms of names, type, content or size, it could lead to various issues such as arbitrary files overwrite, denial of service or even remote code execution.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

Vercel is a popular Cloud provider helping developers hosting their javascript and typescript codebases. Vercel publishes the '/_src' endpoint which allows project team members to view application source code. When the 'Logs and Source Protection' option is disabled, the default protection is disabled and allow any unauthorized actor to access the source code.

Web application components can sometimes rely on request HTTP headers like 'X-Original-URL' or 'X-Rewrite-URL' to override the original path of this request. Attackers can leverage this vulnerability to conduct further attacks in order to bypass restrictions or conduct cache poisonning attacks.

Quarkus installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

The scanner has detected the presence of a payment form during the crawling of the target web application. Details about the form are provided in the plugin output.

Web applications often rely on proxy server to route requests to the right web service. An Open Proxy vulnerabilities occurs when a web server is configured to act as forward proxy, allowing anyone to use it to relay web traffic. This setup can may allow an attacker to use the proxy server to make requests to an external or internal server.\n\nThe corse issue arises because the proxy does not authenticate its users, thereby offering no control over who users the server's resources or for what purpose.

In PHP versions pior to 7.4.22, when the integrated web server is used, an attacker can with a specially forged request, obtain the source code due to an improper handling of multiple requests in quick succession, leading to the server treating requested files as static files instead of executing scripts.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

Web applications often use serialized data transmitted from the client which, depending on how it is implemented, can be abused by a malicious actor to conduct his attacks on the target application.

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to one or more back-end servers.

HTTP request smuggling occurs when the front-end server and the back-end server show discrepancies in the way they process HTTP requests `content-length` and `transfer-encoding` headers. A remote and unauthenticated attacker can leverage this class of vulnerability to bypass access controls or gain access to sensitive data, or to compromise offer users traffic without interaction.

The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the `Upgrade` header with the `h2c` value to specify a cleartext communication. The scanner detected that the target is supporting this H2C connection upgrade. If the target application is deployed on a reverse-proxy architecture, attackers could potentially abuse this feature to bypass reverse-proxy access controls or authentication enforcement.

GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application rate limits or conduct Denial of Service (DoS) attacks.

This is an informational notice that the scanner was able to detect that the target application is using Microsoft Entra ID.

This is an informational notice that the scanner was able to detect that the target application is using a Microsoft Azure service.

This is an informational notice that the scanner was able to detect that the target application is using an Google Cloud cloud service.

This is an informational notice that the scanner was able to detect that the target application is using an Amazon Web Services cloud service.

This is an informational notice that the scanner was able to detect a gRPC request/response.

This is an informational notice that the scanner was able to detect a SOAP API.

A Web Services Description Language (WSDL) file has been detected on this url.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can enumeration the SharePoint user accounts.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint web services page.

Due to a misconfiguration in Microsoft SharePoint Server. An attacker with anonymous privileges can access to the SharePoint interface page.

Deploying web applications often require developers or system administrators to configure DNS records to target a third party service. Most common scenarios include to either configure a canonical name record (CNAME) or to declare specific name server records (NS) to delegate a specific DNS zone management.

A subdomain takeover vulnerability exists when an attacker can gain control over a subdomain or even an entire zone of the target domain depending on the configuration. By exploiting this vulnerability, the attacker can then provide content which could looks legit to any customer or user of the target domain name and conduct further attacks.

Developers often combine and minify their application JavaScript sources to help the server delivering it more efficiently to the client browsers. Sometimes, web applications JavaScript code may also be transpiled from another language like CoffeeScript of TypeScript.

A source map is a file that maps from the transformed source code to the original source, allowing the browser to reconstruct the original source code and present it to the debugger.

ServiceNow is a popular cloud platform enabling developers to build custom applications around automation for their organizations. ServiceNow widgets are JavaScript based components used to define content of the portal pages and can be either builtin or customized by developers. Widgets access control does not rely on ServiceNow ACLs but on fields set on the widget record itself.

When the widgets permissions are not properly configured, a remote and unauthenticated attacker could leverage this misconfiguration to retrieve sensitive information from the remote ServiceNow instance.

Pimcore versions before 10.1.3 suffer from an user enumeration vulnerability through the administration panel lost password feature. By submitting multiple usernames, a remote and unauthenticated attacker can infer the valid administrative accounts on the target Pimcore instance.

Pimcore Administration Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

The instance of MediaWiki running on the remote host allows access to API URLs associated with the SiteInfo module. The SiteInfo api endpoint reports information about the server components, how the web server is configured and its usage, and it may prove useful to an attacker seeking to attack the server or host.

Well-known URIs are used to store site-wide metadata and to make it available for some web-based protocols which require the discovery of a policy or retrieve specific information about a given host. These URIs use the `/.well-known` path prefix and are standardized to avoid collisions.

A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key) it was possible to force the caching system to cache a response that contains user-controlled input. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. In this case, the affected resource will be unreachable, which, depending on the resource, can cause a DoS (Denial Of Service).

Note that the scanner performs a safe check that does not affect website visitors but only the scanner itself.

In certain ActivityPub WebFinger implementations it is possible to enumerate usernames (known as actors) on the API webfinger service using wildcard searches. This information may potentially expose personal profile addresses, identity service, telephone numbers, avatar selection or other informations via the api endpoint even if user listings and directories are disabled in the ActivityPub server application itself.

The web application on the remote server has a PHP debug bar which is accessible without protection.

A remote attacker can exploit this to gain more knowledge about the host, allowing an attacker to conduct further attacks.

ID	Name	Severity
114528	PhpSysInfo Detected	medium
114505	HTTP Hop-By-Hop Headers Detected	info
114503	Virtual Hosts Detected	info
114502	Cross-Site WebSocket Hijacking	high
114439	Express.js Cookie-Session Weak Secret Key	high
114438	Express.js Express-Session Weak Secret Key	high
114437	Pyramid Weak Secret Key	high
114436	Ruby On Rails Weak Secret Key	high
114435	Django Weak Secret Key	high
114434	Flask Weak Secret Key	high
114432	Laravel Weak Secret Key	high
114429	Service Worker Detected	info
114395	WebSocket Detected	info
114386	External Broken Resources Detected	low
114358	Malicious Third Party Domain Detected	medium
114322	PHP Input Variables Exceeded	medium
114300	PHP CGI Argument Injection Remote Code Execution	critical
114293	Concrete CMS Debug Mode Enabled	medium
114292	Concrete CMS Login Panel Detected	medium
114283	Unrestricted File Upload	high
114278	Vercel Source Code Exposure	high
114262	Request URL Override	medium
114257	Quarkus DevMode Enabled	medium
114244	Payment Form Detected	info
114237	Open Proxy	high
114232	PHP Development Server < 7.4.22 Source Disclosure	medium
114224	Serialized Data Detected	info
114223	HTTP Request Smuggling	high
114219	HTTP/2 Cleartext Upgrade Support Detected	info
114211	GraphQL Batching	info
114202	Microsoft Entra ID Detected	info
114201	Microsoft Azure Detected	info
114200	Google Cloud Platform Detected	info
114199	Amazon Web Services Detected	info
114167	gRPC Detected	info
114166	SOAP API Detected	info
113973	Web Services Description Language (WSDL) File Detected	info
114149	Microsoft SharePoint User Enumeration	medium
114148	Microsoft SharePoint Exposed Web Services	medium
114147	Microsoft SharePoint Exposed Interfaces	medium
114146	Subdomain Takeover	medium
114132	JavaScript Source Map Detected	info
114106	ServiceNow Widgets Data Exposure	medium
114089	Pimcore User Enumeration	medium
114065	Pimcore Administration Panel Login Form Detected	medium
114064	MediaWiki Status Module Information Disclosure	medium
114029	Well-Known URIs Detected	info
114006	Web Cache Poisoning Denial of Service	high
113978	ActivityPub Username Enumeration	medium
113975	PHP Debug Bar Enabled	medium

Detections

Analytics

Web Applications Family for Web App Scanning

medium

info

info

high

high

high

high

high

high

high

high

info

info

low

medium

medium

critical

medium

medium

high

high

medium

medium

info

high

medium

info

high

info

info

info

info

info

info

info

info

info

medium

medium

medium

medium

info

medium

medium

medium

medium

info

high

medium

medium