Apache web server configured with mod_negotiation and Multiviews enabled may, on receipt of a crafted invalid request with a extension-less filename return a pseudo directory listing of matching resources with known mime types. This feature may be abused by attackers to discover hidden resources on a server without resort to brute-force methods. The scanner has detected files on the server using this technique.

A Humans.txt file has been detected on the target.

Humans.txt is a file that contains information about the different people who have contributed to building the website.

A Security.txt file has not been detected on the target.

When security risks in web services are discovered by independent security researchers, this file defines the channels to disclose them properly & enables 3rd party researchers to disclose issues securely in a manner defined by the organization.

Organizations should consider creating a security.txt file containing contact and other information in the defined format and place it under the .well-known directory of the server.

A Security.txt file has been detected on the target.

When security risks in web services are discovered by independent security researchers, this file defines the channels to disclose them properly.

As a result, security issues may be disclosed by 3rd party researchers securely in a manner defined by the organization.

The remote host contains a file named 'robots.txt' that is intended to prevent web 'robots' from visiting certain directories in a website for maintenance or indexing purposes. A malicious user may also be able to use the contents of this file to learn of sensitive documents or directories on the affected site and either retrieve them directly or target them for other attacks.

The Sitemap Protocol allows you to inform search engines about URLs on a website that are available for crawling. In its simplest form, a Sitemap is an XML file that lists URLs for a site.

It has been discovered that many site owners are not building their Sitemaps through spidering, but by scripted runs on their web root directory structures. If this is the case, an attacker may be able to use sitemaps to enumerate all files and directories in the web server root.

The Apache server does not properly restrict access to .htaccess and/or .htpasswd files. A remote unauthenticated attacker can download these files and potentially uncover important information.

Web servers permitting directory listing are typically used for sharing files.

Directory listing allows the client to view a simple list of all the files and folders hosted on the web server. The client is then able to traverse each directory and download the files.

Cyber-criminals will utilise the presence of directory listing to discover sensitive files, download protected content, or even just learn how the web application is strurctured.

Scanner discovered that the affected page permits directory listing.

There are various methods in which a file (or files) may be uploaded to a webserver. One method that can be used is the HTTP `PUT` method. The `PUT` method is mainly used during development of applications and allows developers to upload (or put) files on the server within the web root.

By nature of the design, the `PUT` method typically does not provide any filtering and therefore allows sever side executable code (PHP, ASP, etc) to be uploaded to the server.

Cyber-criminals will search for servers supporting the `PUT` method with the intention of modifying existing pages, or uploading web shells to take control of the server.

Scanner has discovered that the affected path allows clients to use the `PUT` method. During this test, scanner has `PUT` a file on the server within the web root and successfully performed a `GET` request to its location and verified the contents.

The scanner was able to determine that a possible web backdoor or web shell exists on the remote web server by utilizing the same methods as cyber-criminals. If a server has been previously compromised, there is a high probability that the cyber-criminal has installed a backdoor so that they can easily return to the server if required. One method of achieving this is to place a web backdoor or web shell within the web root of the web server. This will then enable the cyber-criminal to access the server through an HTTP/S session. Although extremely bad practice, it is possible that the web backdoor or web shell has been placed there by an administrator so they can perform administrative activities remotely. During the initial reconnaissance stages of an attack, cyber-criminals will attempt to locate these web backdoors or shells by requesting the names of the most common and well known ones. By analyzing the response, they are able to determine if a web backdoor or web shell exists. These web backdoors or web shells can then provide an easy path for further compromise of the server.

There are a number of HTTP methods that can be used on a webserver (for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE `etc.). Each of these methods perform a different function, and each has an associated level of risk when their use is permitted on the webserver.

The `<Limit>` directive within Apache's `.htaccess` file allows administrators to define which of the methods they would like to block. However, as this is a blacklisting approach, it is inevitable that a server administrator may accidentally miss adding certain HTTP methods to be blocked, thus increasing the level of risk to the application and/or server.

The scanner detected one or more HTML object tags. This tag is used to embed multimedia like audio, video, Java applets, ActiveX, PDF and Flash in HTML pages.

Web Distributed Authoring and Versioning (WebDAV) is a facility that enables basic file management (reading and writing) to a web server. It essentially allows the webserver to be mounted by the client as a traditional file system allowing users a very simplistic means to access it as they would any other medium or network share.

If discovered, attackers will attempt to harvest information from the WebDAV enabled directories, or even upload malicious files that could then be used to compromise the server.

Scanner discovered that the affected page allows WebDAV access. This was discovered as the server allowed several specific methods that are specific to WebDAV (`PROPFIND`, `PROPPATCH`, etc.), however, further testing should be conducted on the WebDAV component specifically as scanner does support this feature.

Scanner has detected a common directory on the remote web server.

Web applications are often made up of multiple files and directories. It is possible that over time some directories may become unreferenced (unused) by the web application and forgotten about by the administrator or developer. Because web applications are built using common frameworks, they contain common directories that can be discovered (independent of server).

During the initial reconnaissance stages of an attack, cyber-criminals will attempt to locate unreferenced directories in the hope that the directory will assist in further compromise of the web application. To achieve this, they will make thousands of requests using word lists containing common names. The response headers from the server will then indicate if the directory exists.

Scanner has detected common sensitive files on the remote web server.

Web applications are often made up of multiple files and directories. It is possible that over time some files may become unreferenced (unused) by the web application and forgotten about by the administrator or developer. Because web applications are built using common frameworks, they contain common files that can be discovered (independent of server).

During the initial reconnaissance stages of an attack, cyber-criminals will attempt to locate unreferenced files in the hope that the file will assist in further compromise of the web application. To achieve this, they will make thousands of requests using word lists containing common filenames. The response headers from the server will then indicate if the file exists.

The HTTP TRACE method allows a client to send a request to the server, and have the same request sent back in the server's response. This allows the client to determine if the server is receiving the request as expected. Often this method is used for debugging purposes (e.g. to verify that a request arrives unaltered).

On many default installations the TRACE method is still enabled.

While not vulnerable by itself, it does provide a method for cyber attackers to bypass the HTTPOnly cookie flag, and therefore could allow a XSS attack to successfully access a session token.

The scanner has discovered that the affected page permits the HTTP TRACE method.

ID	Name	Severity
113165	Apache mod_negotiation Alternative Filename Disclosure	medium
113041	Humans.txt File Detected	info
112723	Security.txt File Not Detected	info
112722	Security.txt File Detected	info
98705	Robots.txt File Detected	info
98681	Sitemap.xml File Detected	info
98630	Apache .htaccess and .htpasswd Disclosure	medium
98084	Directory Listing	medium
98099	Publicly writable directory	high
98097	Backdoor Detection	critical
98095	Misconfiguration in LIMIT directive of .htaccess file	medium
98092	HTML Object	info
98087	WebDAV	info
98072	Common Directories Detection	info
98071	Common Files Detection	info
98048	HTTP TRACE Allowed	low

Detections

Analytics

Web Servers Family for Web App Scanning

medium

info

info

info

info

info

medium

medium

high

critical

medium

info

info

info

info

low