Detection

Hdiv Detection, an Interactive Application Security Testing (IAST) product, scored 100 percent on the OWASP Benchmark, a higher accuracy than the SAST and DAST solutions measured by the benchmark.

Usage

Accuracy score

Hdiv Detection (IAST) scored 100%. The OWASP Benchmark score is the true positive rate minus the false positive rate; Hdiv's 100% true positive rate minus its 0% false positive rate gives 100%.

OWASP A1

CMD INJECTION

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation, and the most reliable fix is to not involve a shell at all: pass the command and its arguments as a vector and validate each argument against an allowlist.
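As an added example (not Hdiv's code or part of the original page), the vulnerable and hardened forms of the pattern in Python; the file name format, the /var/data path and the attacker input are constructed for illustration. The vulnerable command is only built and tokenised, never executed:

```python
import re
import shlex

# Constructed attacker input: a plausible file name followed by a chained command.
PAYLOAD = "report.txt; id > /tmp/pwned"


def build_shell_command(filename: str) -> str:
    """VULNERABLE pattern: the user value is spliced into one string that a shell
    will parse (equivalent to subprocess.run(cmd, shell=True)). The command is only
    built here, never executed, so the example is safe to run."""
    return "cat /var/data/" + filename


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, treating ; > | & as operators, to make
    the injected second command visible."""
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def build_safe_argv(filename: str) -> list:
    """HARDENED pattern: validate against a strict allowlist, then pass an argument
    vector (to subprocess.run(argv) with the default shell=False). No shell is
    involved, so shell metacharacters have no meaning even if validation is bypassed."""
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}", filename) or ".." in filename:
        raise ValueError("rejected file name: %r" % filename)
    return ["cat", "/var/data/" + filename]


if __name__ == "__main__":
    print(shell_tokens(build_shell_command(PAYLOAD)))
    print(build_safe_argv("report.txt"))
```

The tokeniser output shows the shell seeing `;` and `id` as separate words, i.e. two commands; the argv form keeps the whole value as one argument to `cat` even without the allowlist.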

HEADER INJECTION

The application takes data from the user and uses it to build headers in HTTP responses. HTTP header injection is a general class of web application vulnerability that occurs when HTTP headers are dynamically generated from user input without rejecting or encoding carriage-return and line-feed characters. Header injection in HTTP responses can allow HTTP response splitting, session fixation via the Set-Cookie header, cross-site scripting (XSS) and malicious redirects via the Location header. The technique was first documented by Amit Klein in his work on HTTP request/response smuggling and splitting.
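As an added example (not Hdiv's code or part of the original page), a raw redirect response built from an unchecked Location value, a minimal client-side parser that shows what the injected CRLF does, and the check a safe header setter performs. The two attacker payloads and the response layout are constructed for illustration:

```python
# Constructed attacker values for a redirect parameter. A real value would
# arrive URL-encoded (%0d%0a) and be decoded by the framework before use.
FIXATION_PAYLOAD = "/home\r\nSet-Cookie: JSESSIONID=attacker-chosen-value"
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                 "<script>alert(1)</script>")


def build_redirect_unsafe(target: str) -> bytes:
    """VULNERABLE pattern: the Location value is concatenated into the raw
    response without checking for CR/LF."""
    raw = ("HTTP/1.1 302 Found\r\n"
           "Location: " + target + "\r\n"
           "Content-Length: 0\r\n"
           "\r\n")
    return raw.encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw HTTP response the way a client does: headers up to the first
    blank line, everything after it is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def set_header_safe(name: str, value: str) -> str:
    """HARDENED pattern: refuse any value containing CR, LF or NUL before it is
    written. Modern frameworks do this themselves; the check still matters when
    writing to raw sockets or in legacy code."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("header value contains a line break: %r" % value)
    if any(ch in name for ch in "\r\n\x00: "):
        raise ValueError("invalid header name: %r" % name)
    return "%s: %s" % (name, value)
```

With the first payload the client sees a Set-Cookie header the application never intended (session fixation); with the second, everything after the injected blank line is parsed as a second, attacker-authored response (response splitting).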

LDAP INJECTION

LDAP Injection is an attack that exploits web applications which construct LDAP statements from user input. When an application fails to properly sanitize user input, an attacker (for example by modifying requests with an intercepting proxy) can alter the LDAP statement. This can result in bypassed authentication, access to or modification of entries in the LDAP tree, and permissions being granted to unauthorized queries. Many of the advanced exploitation techniques used in SQL Injection apply to LDAP Injection as well.
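As an added example (not Hdiv's code or part of the original page), the classic login filter built by concatenation beside the same filter built with RFC 4515 escaping, plus a cheap structural check. The filter layout and the attacker input are constructed; note that real LDAP authentication should be done with a bind operation, not by comparing userPassword in a search filter:

```python
def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, per RFC 4515:
    the characters * ( ) \\ and NUL are replaced by a backslash and the
    two-digit hex code of each UTF-8 byte."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed attacker input for the user name field of a login form.
PAYLOAD = "*)(uid=*))(|(uid=*"


def login_filter_unsafe(username: str, password: str) -> str:
    """VULNERABLE pattern: string concatenation. The payload closes the uid
    clause and appends an always-true branch."""
    return "(&(uid=" + username + ")(userPassword=" + password + "))"


def login_filter_safe(username: str, password: str) -> str:
    """HARDENED pattern: every user-supplied value is escaped, so the
    attacker's parentheses and wildcards become literal characters."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_ldap_filter_value(username),
        escape_ldap_filter_value(password),
    )


def top_level_filter_count(ldap_filter: str) -> int:
    """Sanity check: a well-formed filter is exactly one parenthesised
    expression. A count above 1 means the structure was broken open."""
    depth = 0
    count = 0
    for ch in ldap_filter:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count
```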

LOG INJECTION

Log Injection occurs when unvalidated input is written directly into log files. An attacker who can embed line breaks or other control characters can forge log entries, hide their own activity, or exploit vulnerabilities in the tools that later parse or display the logs.
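As an added example (not Hdiv's code or part of the original page), a login-failure log line written with and without sanitising the user name, and a sanitiser that neutralises control characters. The log format, the fixed timestamp and the attacker input are constructed for illustration:

```python
import re

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _escape_control(match) -> str:
    ch = match.group()
    return {"\n": "\\n", "\r": "\\r", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Neutralise line breaks and other control characters so a user value
    occupies exactly one log line and cannot impersonate a separate entry.
    Length is capped so a single request cannot flood the log."""
    return _CONTROL.sub(_escape_control, value[:max_len])


# Constructed attacker value for a login form: after the fake user name it
# injects a line break and a forged "successful login" entry for admin.
PAYLOAD = "bob\n2024-05-01T10:00:01Z INFO login ok user=admin ip=10.0.0.5"
TIMESTAMP = "2024-05-01T10:00:00Z"  # fixed so the output is deterministic


def log_failed_login_unsafe(log: list, username: str) -> None:
    """VULNERABLE pattern: raw user input goes straight into the log line."""
    log.append("%s WARN login failed user=%s" % (TIMESTAMP, username))


def log_failed_login_safe(log: list, username: str) -> None:
    """HARDENED pattern: the value is sanitised and quoted before logging."""
    log.append('%s WARN login failed user="%s"' % (TIMESTAMP, sanitize_for_log(username)))


def entries(log: list) -> list:
    """Split the log buffer into lines the way a log parser or SIEM would."""
    return "\n".join(log).split("\n")
```

The unsafe version yields two entries, the second of which looks like a genuine successful admin login; the safe version yields one entry in which the injected newline is visible as a literal `\n`. ANSI escape sequences, which can hide text in a terminal, are neutralised the same way.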

REFLECTION INJECTION

The application takes data from the user and uses it to load classes or invoke methods by reflection. If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker can create control flow paths through the application that the developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.
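As an added example (not Hdiv's code or part of the original page), the two forms of the problem in Python: a method chosen by name from the request, and a module loaded by name from the request, each beside an allowlist-based alternative. The Account class, its actions and the exporter map are constructed for illustration:

```python
import importlib


class Account:
    """Constructed domain object with one public action and one privileged one."""

    def __init__(self, owner: str):
        self.owner = owner
        self.closed = False

    def balance(self) -> int:
        return 42

    def _close(self) -> str:
        self.closed = True
        return "closed"


# Allowlists built from trusted constants, never from request data.
PUBLIC_ACTIONS = {"balance": Account.balance}
EXPORTER_MODULES = {"json": "json", "csv": "csv"}


def invoke_unsafe(acct: Account, action: str):
    """VULNERABLE pattern: the request decides which method runs. Any attribute
    name, including "private" ones, is reachable."""
    return getattr(acct, action)()


def invoke_safe(acct: Account, action: str):
    """HARDENED pattern: the request selects from a fixed map; names that are
    not in it are rejected before any reflection happens."""
    handler = PUBLIC_ACTIONS.get(action)
    if handler is None:
        raise PermissionError("action not permitted: %r" % action)
    return handler(acct)


def load_exporter_unsafe(module_name: str):
    """VULNERABLE pattern: a module (or class) loaded by a user-controlled name.
    It only reaches standard-library modules here, but the caller rather than
    the developer decided which code was loaded."""
    return importlib.import_module(module_name)


def load_exporter_safe(kind: str):
    """HARDENED pattern: a short request key maps to a fixed module name."""
    try:
        return importlib.import_module(EXPORTER_MODULES[kind])
    except KeyError:
        raise ValueError("unknown exporter: %r" % kind) from None
```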

XPATH INJECTION

Similarly to SQL Injection, XPath Injection attacks occur when a website uses user-supplied information to construct an XPath query over XML data. By sending intentionally malformed information to the website, an attacker can find out how the XML data is structured, or access data that they would not normally be able to access. They may even be able to elevate their privileges on the website if the XML data is used for authentication (such as an XML-based user file).
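As an added example (not Hdiv's code or part of the original page), an XML user file of the kind the text describes, the query string a concatenating implementation would send, and a lookup that first turns each value into a proper XPath string literal. The XML, the user names and the attacker input are constructed. Python's ElementTree evaluates only an XPath subset (no `and`, no `concat()`), so the safe lookup uses chained predicates and treats a `concat()` literal as no match; a full XPath 1.0 engine such as lxml would evaluate it directly:

```python
import xml.etree.ElementTree as ET

# Constructed XML user store of the kind the text describes.
USERS_XML = """
<users>
  <user name="alice" password="s3cret" role="admin"/>
  <user name="bob" password="hunter2" role="user"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML.strip())

# Constructed attacker input for the user name field.
PAYLOAD = "' or '1'='1"


def build_query_unsafe(username: str, password: str) -> str:
    """VULNERABLE pattern: string concatenation. With the payload the predicate
    becomes always true, so a full XPath engine returns the first user (here the
    admin). Only the string is built in this example."""
    return "//user[@name='" + username + "' and @password='" + password + "']"


def xpath_literal(value: str) -> str:
    """Turn an arbitrary string into an XPath 1.0 string literal. A value with
    one kind of quote is wrapped in the other kind; a value with both kinds is
    rebuilt with concat() so no quote can terminate the literal."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def find_role_safe(username: str, password: str):
    """HARDENED pattern: both values become literals before entering the query.
    Returns the user's role, or None when no user matches."""
    name_lit = xpath_literal(username)
    pass_lit = xpath_literal(password)
    if name_lit.startswith("concat(") or pass_lit.startswith("concat("):
        return None  # ElementTree cannot evaluate concat(); a full engine can
    node = ROOT.find("user[@name=%s][@password=%s]" % (name_lit, pass_lit))
    return None if node is None else node.get("role")
```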

OWASP A2

HARDCODED KEY

The use of a hard-coded cryptographic key greatly increases the possibility that encrypted data can be recovered: anyone with access to the binary or the source code can extract the key, every deployment shares it, and it cannot be rotated without shipping a new build.

HARDCODED PASSWORD

The use of a hard-coded password greatly increases the possibility of password guessing: the password is the same in every deployment and can be extracted from the binary or the source code.

Consider the authentication cookie and assume an XSS (cross-site scripting) vulnerability is present in the application that an attacker can use to steal it. Can this be prevented? The HttpOnly flag addresses this specific problem: when it is set, JavaScript cannot read the cookie, so script injected through XSS cannot exfiltrate it. HttpOnly does not stop the injected script from sending requests that carry the cookie, so it limits, rather than removes, the impact of an XSS flaw.

SESSION REWRITING

URL rewriting is the technique of transporting the session ID within a Uniform Resource Locator (URL).

Unlike a cookie carried in an HTTP header, a session ID in a URL can be disclosed in many ways: browser history, bookmarks, proxy and web server logs, and the Referer header sent to third-party sites linked from the page.

SESSION TIMEOUT

Session timeout defines the window of time during which a user's session remains valid, which is also the window during which an attacker can try to steal and use that session. The longer the timeout, the easier it is for cross-user web attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) to succeed.

The session timeout value should not be greater than 30 minutes. Applications that handle sensitive data use shorter timeouts, usually between 15 and 30 minutes.

WEAK PASSWORD

The use of a weak password greatly increases the possibility of password guessing.

OWASP A5

ADMIN CONSOLE ACTIVE

The application server's admin console is installed automatically and never removed, and its default accounts are not changed. An attacker discovers the standard admin pages on your server, logs in with the default password, and takes over.

DEFAULT HTML ESCAPE INVALID

Applications based on Spring tags do not HTML-escape output by default; enabling it in web.xml (the defaultHtmlEscape context parameter) is good practice, as it reduces the likelihood of an XSS attack.

DIRECTORY LISTING LEAK

The application server configuration allows directory listing, which can reveal file names, backups, configuration files and other sensitive information to an attacker.

INSECURE AUTH PROTOCOL

The application uses an authentication protocol that is not considered secure. The HTTP/1.0 specification includes the Basic Access Authentication scheme. That scheme is not a secure method of user authentication on its own, as the user name and password are passed over the network in an unencrypted form (Base64 encoding is not encryption) on every request.

INSECURE JSP LAYOUT

The application has JSP files outside the WEB-INF folder. Such files can be requested directly by URL, which may let an attacker leak their content or invoke them outside the intended flow.

According to the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server can mitigate this by setting the HttpOnly flag on the cookies it creates, indicating that the cookie must not be accessible to client-side script.

OWASP A6

AUTOCOMPLETE MISSING

The application has a form that may leak potentially sensitive information: neither the <form> tag nor the relevant <input> fields have the autocomplete attribute disabled, so the browser may store the entered values insecurely. Note that current browsers ignore autocomplete="off" for login fields and offer to save passwords anyway; the attribute still matters for other sensitive fields such as card numbers.

INSECURE CIPHER

The application uses an encryption algorithm that doesn't meet today's generally accepted standards. Cryptography is hard, and there are many small mistakes that can make a cryptosystem leak information, or worse. Choosing an encryption algorithm that is known to be unsafe (for example DES or RC4) is a very common way to completely undermine security. Frequently, the use of a weak algorithm allows sensitive data or credentials to be recovered in transit or at rest.

INSECURE HASHING

The application uses a hashing algorithm that doesn't meet today's generally accepted standards. Cryptography is hard, and there are many small mistakes that can make a cryptosystem leak information, or worse. Choosing a hashing algorithm that is known to be unsafe (for example MD5 or SHA-1), or using a fast hash without a salt to store passwords, is a very common way to completely undermine security. Frequently, the use of a weak algorithm allows credentials or data to be extracted.
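As an added example (not Hdiv's code or part of the original page), unsalted MD5 password storage beside a salted, deliberately slow PBKDF2-HMAC-SHA256 scheme with constant-time verification, using only the Python standard library. The storage format is constructed; the iteration count is lowered from OWASP's recommended 600,000 only to keep the example quick:

```python
import hashlib
import hmac
import os

# OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256; a
# lower count is used here only to keep the example quick to run.
ITERATIONS = 100_000


def md5_hash_unsafe(password: str) -> str:
    """INSECURE pattern: fast, unsalted MD5. Identical passwords give identical
    hashes, and commodity GPUs test billions of candidates per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """HARDENED pattern: random per-user salt plus a deliberately slow KDF.
    The parameters are stored with the hash so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

Two hashes of the same password differ because of the salt, so a leaked table cannot be attacked with one precomputed dictionary, and each guess costs the attacker the full iteration count.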

WEAK RANDOMNESS

Standard pseudo-random number generators cannot withstand cryptographic attacks: their output is predictable once the seed or a few outputs are known, so they must not be used to generate session IDs, tokens, keys or nonces.
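As an added example (not Hdiv's code or part of the original page), a token drawn from a PRNG seeded with a timestamp, the seed-recovery loop an attacker would run against it, and the CSPRNG alternative. The seeding scheme and the timestamp are constructed for illustration:

```python
import random
import secrets


def weak_token(seed: int) -> str:
    """INSECURE pattern: a token from a PRNG seeded with something guessable
    (here a Unix timestamp in seconds, as many frameworks once did)."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def recover_seed(token: str, approx_time: int, window: int = 300):
    """What an attacker does: knowing roughly when the token was issued, replay
    the generator for every candidate second and match the output. Returns the
    seed, or None if no candidate in the window reproduces the token."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == token:
            return candidate
    return None


def strong_token() -> str:
    """HARDENED pattern: the OS CSPRNG via the secrets module; 128 bits of
    entropy and no seed to recover."""
    return secrets.token_hex(16)
```

Recovering the seed lets the attacker regenerate not only this token but every other value the same generator produced.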

OWASP A10

UNVALIDATED REDIRECT

The application uses untrusted input to build a redirect or forward URL, so an attacker can send users to an arbitrary site (for phishing) or to an internal resource they should not reach.
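As an added example (not Hdiv's code or part of the original page), a redirect validator that accepts only same-site paths or absolute URLs on an allowlist of hosts and falls back to a fixed default otherwise, with the usual bypass attempts covered. The allowed hosts and the default target are constructed:

```python
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (constructed allowlist).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def redirect_unsafe(target: str) -> str:
    """VULNERABLE pattern: whatever arrived in ?next= becomes the Location."""
    return target


def redirect_safe(target, allowed_hosts=ALLOWED_HOSTS) -> str:
    """HARDENED pattern: accept only same-site paths or absolute URLs whose host
    is on the allowlist; anything else falls back to a fixed default."""
    if not target:
        return DEFAULT_TARGET
    candidate = target.strip()
    # Browsers treat a backslash like a slash, so "/\evil.com" is "//evil.com".
    candidate = candidate.replace("\\", "/")
    if any(ch in candidate for ch in "\r\n\x00"):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme:
        # An absolute URL must be http(s) and carry an allowed host. Requiring a
        # hostname also rejects "http:/evil.com", which browsers normalise to
        # http://evil.com, and "https://app.example.com@evil.com", whose
        # hostname is evil.com.
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_TARGET
        if not parts.hostname or parts.hostname.lower() not in allowed_hosts:
            return DEFAULT_TARGET
        return candidate
    if parts.netloc:
        # Scheme-relative "//evil.com/..." inherits https and leaves the site.
        return DEFAULT_TARGET
    if not candidate.startswith("/"):
        return DEFAULT_TARGET
    return candidate
```

The port is not checked, so an allowlisted host on an unexpected port is still accepted; add a port check if that matters in your deployment.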

Other

CACHE CONTROLS MISSING

The browser can temporarily store pages it has displayed in a local cache (for example the Temporary Internet Files folder in Internet Explorer) and serve them from there on the next request, which is much faster than downloading them again. Consider a user who logs in to an application with a user name and password and browses pages containing sensitive information. Suppose a page showing the user's credit card details is cached by the browser and the user then logs out. An attacker who later gains access to the same machine can search the cache and read the credit card details without ever knowing the user's credentials. Responses that carry sensitive data should therefore be sent with Cache-Control: no-store.

CLICKJACKING CONTROL MISSING

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. The attacker thus "hijacks" clicks meant for one page and routes them to another, most likely owned by a different application or domain. The defence is to forbid framing with the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive.

CSP HEADER INSECURE

The application is not using the CSP header properly, for example by allowing 'unsafe-inline' or wildcard script sources. CSP stands for Content Security Policy.

This is a W3C specification instructing the client browser which types of resources can be loaded and from which locations. The CSP specification uses directives to define the loading behavior for each target resource type.

CSP HEADER MISSING

The application is not sending a CSP header. CSP stands for Content Security Policy.

This is a W3C specification instructing the client browser which types of resources can be loaded and from which locations. The CSP specification uses directives to define the loading behavior for each target resource type.

HSTS HEADER MISSING

The application is not sending the HSTS header. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application enables through a special response header. Once a supporting browser receives this header, it will refuse to send any communication to the specified domain over plain HTTP and will use HTTPS instead. It also prevents users from clicking through certificate warnings for that domain.

Even though the application uses HTTPS, it does not set the Secure flag on its cookies, so a browser may send them over plain HTTP (for example on a link to http://) where they can be intercepted.
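As an added example (not Hdiv's code or part of the original page) covering the two HttpOnly paragraphs above and the Secure-flag paragraph directly above, a small Set-Cookie parser and audit that reports which of HttpOnly, Secure and SameSite each cookie lacks, beside the header a session cookie should carry. The cookie names, values and the sample response are constructed:

```python
def parse_set_cookie(header_value: str):
    """Parse one Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are case-insensitive, so they are lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> list:
    """Return the protections missing from one Set-Cookie header, in the
    order HttpOnly, Secure, SameSite."""
    _, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return missing


def build_session_cookie(name: str, value: str) -> str:
    """The header an application should emit for a session cookie: not readable
    by script, only sent over TLS, and not attached to cross-site requests."""
    return "%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (name, value)


# Constructed response headers as (name, value) pairs: two cookies as a
# vulnerable application might set them, plus one hardened cookie.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=5F2A9C; Path=/"),
    ("Set-Cookie", "remember_me=1; Path=/; HttpOnly"),
    ("Set-Cookie", build_session_cookie("SESSION", "d41d8cd9")),
]


def audit_response(headers: list) -> dict:
    """Map each cookie name set by the response to its missing protections."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, _, _ = parse_set_cookie(value)
            report[cookie_name] = audit_set_cookie(value)
    return report
```

HttpOnly keeps the value away from injected script, Secure keeps it off plain HTTP, and SameSite limits the CSRF surface; none of them stops a script that is already running in the page from issuing requests as the user.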

PARAMETER POLLUTION

If the action attribute of a FORM tag is not set, the form submits to the current URL, including whatever query string that URL carries. An attacker who embeds the page in an IFRAME with a crafted URL can therefore add parameters that are submitted together with the user's own values (HTTP parameter pollution).

PCI CLEAR PARAMETER VIOLATION

Credit card details should not be included as HTTP request parameters or as part of the URL, since URLs are recorded in browser history, proxy and web server logs and Referer headers, which greatly increases the possibility of a leak.

PCI LOGGING VIOLATION

The PCI DSS standard does not allow credit card details (the full primary account number) to be written to log files.
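As an added example (not Hdiv's code or part of the original page) for both PCI rules above, a redactor that finds Luhn-valid card numbers in request lines or log lines and masks them to the first six and last four digits, leaving other long digit runs (order IDs) untouched. The log lines are constructed; 4111111111111111 is a well-known test card number:

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in a line with its masked form.
    Digit runs that fail the Luhn check (order IDs, timestamps) are kept."""
    def _sub(match):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return match.group()
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed log lines: an access-log entry whose query string carries a card
# number, an application log that echoes a card number from a form, and an
# order ID that happens to be 16 digits long.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/May/2024:10:00:00 +0000] "GET /pay?card=4111111111111111&order=1234567890123456 HTTP/1.1" 200 512',
    '2024-05-01T10:00:01Z INFO payment submitted pan="4111 1111 1111 1111" amount=19.99',
    '2024-05-01T10:00:02Z INFO order 1234567890123456 confirmed',
]


def redact_log(lines: list) -> list:
    return [redact_pans(line) for line in lines]
```

Run this as a filter in front of the log sink rather than as a clean-up afterwards: once the PAN has been written, the log file itself is in scope for PCI DSS.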

RMI DETECTION

This rule activates tainting of RMI parameters so that other kinds of vulnerabilities reached through RMI calls can be detected. If this rule is not active, no RMI parameter is traced.

TRUST BOUNDARY VIOLATION

A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted; on the other side, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary, moving from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted, for example by storing an unvalidated request parameter in the HTTP session. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.

VERB TAMPERING

The HTTP specification includes request methods other than the standard GET and POST, such as HEAD, PUT, DELETE, OPTIONS and TRACE. A standards-compliant web server may respond to these alternative methods in ways developers did not anticipate, for instance by applying an access control that was configured only for GET and POST and then serving a HEAD request through the GET handler.
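As an added example (not Hdiv's code or part of the original page), a model of a method-scoped access rule of the kind found in a servlet security-constraint, showing why a constraint that lists methods can be bypassed with HEAD or an arbitrary verb, beside a fail-closed version. The rule, the path and the roles are constructed:

```python
# Constructed access rule of the kind found in a web.xml security-constraint:
# protect /admin/* for the admin role, but only for the methods listed.
RULES = [
    {"path_prefix": "/admin/", "methods": {"GET", "POST"}, "role": "admin"},
]
# Verbs the application actually implements; anything else is rejected.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def is_allowed_method_list(method: str, path: str, role: str) -> bool:
    """VULNERABLE pattern: the constraint applies only to the listed methods, so
    HEAD, OPTIONS or an arbitrary verb bypasses it while the handler treats the
    request like a GET."""
    for rule in RULES:
        if path.startswith(rule["path_prefix"]) and method in rule["methods"]:
            return role == rule["role"]
    return True


def is_allowed_fail_closed(method: str, path: str, role: str) -> bool:
    """HARDENED pattern: unknown verbs are rejected outright, and a protected
    path is protected for every method."""
    if method not in ALLOWED_METHODS:
        return False
    for rule in RULES:
        if path.startswith(rule["path_prefix"]):
            return role == rule["role"]
    return True
```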

XCONTENTTYPE HEADER MISSING

The application is not sending the X-Content-Type-Options header. Sending it with the value nosniff prevents the browser from MIME-sniffing a response away from the declared content type, for example treating an uploaded file as HTML or script.

XXSSPROTECTION HEADER DISABLED

The application has disabled the browser's built-in XSS filter by sending X-XSS-Protection: 0. Note that current browsers have removed this filter and current OWASP guidance is in fact to set the header to 0 and rely on a Content Security Policy instead, because the filter itself introduced information leaks; treat this finding in that light.
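As an added example (not Hdiv's code or part of the original page) covering the CACHE CONTROLS MISSING, CLICKJACKING CONTROL MISSING, CSP HEADER INSECURE, CSP HEADER MISSING, HSTS HEADER MISSING and XCONTENTTYPE HEADER MISSING rules above, an audit over a response's headers that reports findings named after those rules. X-XSS-Protection is deliberately not checked, for the reason given above. The two header sets are constructed for illustration:

```python
def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def hsts_max_age(value: str):
    """Return the max-age of a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def audit_headers(headers: dict) -> list:
    """Return findings for a response's headers, named after the rules above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS HEADER MISSING")
    elif (hsts_max_age(hsts) or 0) < 31536000:
        findings.append("HSTS HEADER INSECURE: max-age below one year")

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("CSP HEADER MISSING")
    else:
        # script-src falls back to default-src when absent.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP HEADER INSECURE: no script-src or default-src")
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
            if bad in scripts:
                findings.append("CSP HEADER INSECURE: script sources allow %s" % bad)

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("CLICKJACKING CONTROL MISSING")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("XCONTENTTYPE HEADER MISSING")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("CACHE CONTROLS MISSING")
    return findings


# Constructed header sets for a page that shows account data.
INSECURE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Cache-Control": "private, max-age=600",
}
SECURE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}
```

The audit is a static view of one response; an IAST tool such as Hdiv reports the same conditions by observing the headers the application actually emits at runtime.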