By Client Services Team, Indusface
SR No. | Vulnerability Title | % of vulnerability |
1 | Application Error message | 43% |
2 | Browsable Web directory | 11% |
3 | Cross-Site Scripting | 10% |
4 | Potential Information Leakage | 10% |
5 | SQL Injection | 7% |
6 | Debug feature enabled | 6% |
7 | Possible Sensitive Directories/Files Exposed | 4% |
8 | Source Code Disclosure | 3% |
9 | OS Command Injection | 3% |
10 | Possible Backup File(s) | 1% |
Find such security issues on your website with Indusface WAS Free Website Scanner.
An attacker can try to force the target website to produce error messages bypassing different attack vectors to different parameters and then analyze the errors to get target information. This page contains an error/warning message that may disclose sensitive information.
A web directory was found to be browsable, which means that anyone can see the contents of the directory. Browsable directories could allow an attacker to view “hidden” files in the webroot, including CGI scripts, data files, or backup pages.
The next category in our OWASP Top 10 vulnerabilities list is XSS. This flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.
The application uses the ASP.NET 2.0 view state (__VIEWSTATE) feature without encryption to maintain the application state. Application designers have been known to put passwords and other sensitive data inside the view state. Therefore, it is a good idea to always use view state encryption in ASP.NET applications.
Web applications that do not properly sanitize user input before passing it to a database system are vulnerable to SQL injection. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
The ASP.NET application is running in debug mode which allows a remote user to gather information about an application by using the DEBUG verb in an HTTP request. This can leak information including source code, hidden filenames, and detailed error messages.
These directories/files are not directly linked to the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.
Source code disclosure allows a malicious user to obtain the source code of a server-side application from a webpage. Disclosure of source code can be devastating for a web application.
A webform contains fields with data that is probably sensitive in nature. This form of data is submitted over an unencrypted connection, which could allow hackers to sniff the network and view the data in plaintext.
Possible Backup files are usually created by developers to back up their work or by administrators when making backups of the webserver.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on December 21, 2023 11:15
Explore crucial tactics like Asset Inventory, Patch Management, Access Control & Authentication, and additional best… Read More
Delve into the data privacy questions including consent protocols, data minimization strategies, user rights management,… Read More
Secure Node.js APIs using best practices: Employ proper HTTP methods, robust authentication, and API-specific security… Read More