This is an informational plugin to inform the user that the scanner detected that the target application handles specific HTTP headers as hop-by-hop headers.

This is an informational plugin to inform the user that the scanner detected the presence of one or multiple virtual hosts on the target server.

HTML5 WebSockets allow developers to create bi-directionnal communication channels between clients (usually web browsers) and servers. To initialize the communication, the WebSocket protocol requires a handshake performed with the HTTP protocol to ugprade the communication. When a web application only leverage on the client cookies to authenticate its users, a remote and unauthenticated could initiate a WebSocket handhsake from a malicious page to force the victim to authenticate against the target, therefore gaining access to the WebSocket traffic exchanged between the victim user and the target web application.

Express.js applications with Cookie-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Express.js applications with Express-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Pyramid applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Ruby On Rails applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Django applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the settings.py file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Flask applications use an application key to encrypt and sign various data, including session cookies and other sensitive information.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Laravel applications use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in the .env file and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

This is an informational plugin to inform the user that the scanner has detected the usage of Service Worker on the target web application.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Gradio instance on the target application. Gradio is a software to build machine learning apps in Python. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected the usage of WebSockets on the target web application.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Danswer instance on the target application. Danswer is the AI Assistant connected to your company's docs, apps, and people. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Dify instance on the target application. Dify is an open-source LLM app development platform. This detection is included in the AI and LLM category.

Web applications heavily rely on external resources such as JavaScript files, Cascading Style Sheets (CSS) or images. When an application uses links which targets external resources which do not exist, an attacker could try gaining control over this resource to inject code in the target web application or get application users traffic on their malicious servers.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible ChatGPT-web instance. ChatGPT-web is a simple one-page web interface to the OpenAI ChatGPT API. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible H2O Flow instance on the target application. H2O Flow is an open-source user interface for H2O, an open-source, distributed and scalable machine learning and predictive analytics platform. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected the presence of a manifest used by ChatGPT plugins on the target application. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Ray instance on the target application. Ray is an open-source framework to build and scale Machine Learning (ML) and Python applications. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible ZenML instance on the target application. ZenML is an open-source framework dedicated to MLOps abstracting the underlying infrastructure. This detection is included in the AI and LLM category.

Supply chain attacks occur when one or more dependencies of an application are compromised, making the malicious code being shipped to the web application and, allowing threat actors to perform various operations depending on the logic of the code being altered like credentials stealing or application backdooring.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Ollama instance on the target application. Ollama is an open-source application to quickly set up various LLMs. This detection is included in the AI and LLM category.

By default, PHP accepts a maximum of 1000 variables in a request. If there are more input variables than specified, an E_WARNING is issued, and further input variables are truncated from the request depending on server configuration and application code, this can have various impacts such as bypassing function call.

This is an informational plugin to inform the user that the scanner has detected the usage of the ChatGPT.JS client-side library on the target application. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Langflow instance on the target application. Langflow is an open-source visual framework for building multi-agent and RAG. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible MLflow instance on the target application. MLflow is a platform to streamline machine learning development and simplify model operations. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Flowise instance on the target application. Flowise is a builder for LLM applications. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible LibreChat instance on the target application. LibreChat is an enhanced open-source ChatGPT clone. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible NextChat (formerly ChatGPT-Next-Web) instance on the target application. NextChat is a collection of tools to help developers build their own AI service around most popular LLMs. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Quivr instance on the target application. Quivr is RAG Framework specialized for building GenAI Second Brains and allows discussion with a variety of documents using different LLM models. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Open WebUI instance on the target application. Open WebUI offer an extensible web application designed for various LLM while offering a feature-rich environment. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible AnythingLLM instance on the target application. AnythingLLM let you choose between different LLM or vector database to use and allow to convert any document or content into references that the selected language model can use while chatting. This detection is included in the AI and LLM category.

PHP versions 5.0.0 < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 is affected by a vulnerability allowing an unauthenticated attacker to execute remote code via a specially forged request only when PHP is installed with Apache2 and PHP-CGI on Windows with certain languages (code pages).

Concrete CMS installed on the remote host is configured to operate in debug mode. While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

Concrete CMS Login Panel has been detected on the target web application.

This may present an attacker with an exploit vector which could be leveraged using other techniques, such as a Brute-Force or Dictionary Attack, allowing an attacker to gain access to administrative functionality.

Unrestricted file upload vulnerability occurs when the application suffers from a lack of validation of files being uploaded to its filesystem. When an attacker is able to upload files not matching the application expectations in terms of names, type, content or size, it could lead to various issues such as arbitrary files overwrite, denial of service or even remote code execution.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

Vercel is a popular Cloud provider helping developers hosting their javascript and typescript codebases. Vercel publishes the '/_src' endpoint which allows project team members to view application source code. When the 'Logs and Source Protection' option is disabled, the default protection is disabled and allow any unauthorized actor to access the source code.

Web application components can sometimes rely on request HTTP headers like 'X-Original-URL' or 'X-Rewrite-URL' to override the original path of this request. Attackers can leverage this vulnerability to conduct further attacks in order to bypass restrictions or conduct cache poisonning attacks.

Quarkus installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications.

The scanner has detected the presence of a payment form during the crawling of the target web application. Details about the form are provided in the plugin output.

Web applications often rely on proxy server to route requests to the right web service. An Open Proxy vulnerabilities occurs when a web server is configured to act as forward proxy, allowing anyone to use it to relay web traffic. This setup can may allow an attacker to use the proxy server to make requests to an external or internal server.\n\nThe corse issue arises because the proxy does not authenticate its users, thereby offering no control over who users the server's resources or for what purpose.

In PHP versions pior to 7.4.22, when the integrated web server is used, an attacker can with a specially forged request, obtain the source code due to an improper handling of multiple requests in quick succession, leading to the server treating requested files as static files instead of executing scripts.

Serialization is the process of converting an object to a stream of bytes, in order to store or send it through the network. By opposition, deserialization is the process of reconstructing an object from this stream of bytes.

Web applications often use serialized data transmitted from the client which, depending on how it is implemented, can be abused by a malicious actor to conduct his attacks on the target application.

Modern web applications are often deployed with a chain of HTTP servers which ensure the transmission of the HTTP traffic from users to the service. Typical deployments include the usage of a front-end server, usually a load balancer or a reverse proxy, which will then transmit the requests to one or more back-end servers.

HTTP request smuggling occurs when the front-end server and the back-end server show discrepancies in the way they process HTTP requests `content-length` and `transfer-encoding` headers. A remote and unauthenticated attacker can leverage this class of vulnerability to bypass access controls or gain access to sensitive data, or to compromise offer users traffic without interaction.

The HTTP/2 protocol is usually negotiated over the TLS application layer protocol negotiation extension (TLS-ALPN). A persistent HTTP/2 connection can also be made from a HTTP/1.1 request using the `Upgrade` header with the `h2c` value to specify a cleartext communication. The scanner detected that the target is supporting this H2C connection upgrade. If the target application is deployed on a reverse-proxy architecture, attackers could potentially abuse this feature to bypass reverse-proxy access controls or authentication enforcement.

GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application rate limits or conduct Denial of Service (DoS) attacks.

This is an informational notice that the scanner was able to detect that the target application is using Microsoft Entra ID.

This is an informational notice that the scanner was able to detect that the target application is using a Microsoft Azure service.

This is an informational notice that the scanner was able to detect that the target application is using an Google Cloud cloud service.

ID	Name	Severity
114505	HTTP Hop-By-Hop Headers Detected	info
114503	Virtual Hosts Detected	info
114502	Cross-Site WebSocket Hijacking	high
114439	Express.js Cookie-Session Weak Secret Key	high
114438	Express.js Express-Session Weak Secret Key	high
114437	Pyramid Weak Secret Key	high
114436	Ruby On Rails Weak Secret Key	high
114435	Django Weak Secret Key	high
114434	Flask Weak Secret Key	high
114432	Laravel Weak Secret Key	high
114429	Service Worker Detected	info
114407	Gradio Detected	info
114395	WebSocket Detected	info
114392	Danswer Detected	info
114391	Dify Detected	info
114386	External Broken Resources Detected	low
114389	ChatGPT-web Detected	info
114367	H2O Flow Detected	info
114362	ChatGPT Plugin Manifest Detected	info
114361	Ray Detected	info
114359	ZenML Detected	info
114358	Malicious Third Party Domain Detected	medium
114327	Ollama Detected	info
114322	PHP Input Variables Exceeded	medium
114321	Chatgpt.js Detected	info
114319	Langflow Detected	info
114317	MLflow Detected	info
114309	Flowise Detected	info
114308	LibreChat Detected	info
114307	NextChat Detected	info
114305	Quivr Detected	info
114304	Open WebUI Detected	info
114303	AnythingLLM Detected	info
114300	PHP CGI Argument Injection Remote Code Execution	critical
114293	Concrete CMS Debug Mode Enabled	medium
114292	Concrete CMS Login Panel Detected	medium
114283	Unrestricted File Upload	high
114278	Vercel Source Code Exposure	high
114262	Request URL Override	medium
114257	Quarkus DevMode Enabled	medium
114244	Payment Form Detected	info
114237	Open Proxy	high
114232	PHP Development Server < 7.4.22 Source Disclosure	medium
114224	Serialized Data Detected	info
114223	HTTP Request Smuggling	high
114219	HTTP/2 Cleartext Upgrade Support Detected	info
114211	GraphQL Batching	info
114202	Microsoft Entra ID Detected	info
114201	Microsoft Azure Detected	info
114200	Google Cloud Platform Detected	info

Detections

Analytics

Web Applications Family for Web App Scanning

info

info

high

high

high

high

high

high

high

high

info

info

info

info

info

low

info

info

info

info

info

medium

info

medium

info

info

info

info

info

info

info

info

info

critical

medium

medium

high

high

medium

medium

info

high

medium

info

high

info

info

info

info

info