Hdiv Detection (IAST), an Interactive Application Security Testing (IAST) product, scored 100 percent on the OWASP Security Benchmark. This is more efficient than SAST and DAST solutions.
Hdiv Detection (IAST) scored 100%, which is its 100% true positive rate minus its 0% false positive rate.
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
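The following example is added here to illustrate the mitigation; it is not code from the Hdiv documentation. It shows the two controls that close this class of bug: validate the user value against an allowlist, and hand the operating system an argument vector instead of a string that a shell parses. The `ping` use case and the hostname pattern are assumptions made for the example.

```python
import re
import subprocess

# Constructed allowlist: a hostname may contain only letters, digits, dots and
# hyphens. Shell metacharacters (; | & $ ` and newlines) can never pass it.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def is_safe_hostname(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return bool(HOSTNAME_RE.fullmatch(value))


def build_ping_command(user_value: str) -> list:
    """Return an argv list for the OS. Because the command is a list and no
    shell is involved, the user value is delivered as one literal argument."""
    if not is_safe_hostname(user_value):
        raise ValueError("rejected untrusted hostname: %r" % user_value)
    # "--" ends option parsing so a value starting with "-" is not read as a flag.
    return ["ping", "-c", "1", "--", user_value]


def run_ping(user_value: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (shell=False is the default)."""
    return subprocess.run(
        build_ping_command(user_value),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )


# The pattern the finding describes, shown only as a comment and never run:
# os.system("ping -c 1 " + user_value) hands the user value to a shell to parse.

if __name__ == "__main__":
    print(build_ping_command("example.com"))
    print(is_safe_hostname("example.com && echo injected"))
```

The validation step matters even with an argument vector: without it a value such as `-f` would still be parsed by `ping` itself, which is why the example also inserts `--`.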
The application takes data from the user and uses it to send headers into Http responses. HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting, session fixation via the Set-Cookie header, cross-site scripting (XSS) and malicious redirect attacks via the location header. HTTP header injection is a relatively new area for web-based attacks and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
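As an added example (not from the Hdiv documentation), the escaping that keeps user input from changing the structure of an LDAP search filter. The escape table is the one defined in RFC 4515 section 3; the login filter shape and attribute names are assumptions for the example.

```python
# RFC 4515 section 3: these characters have meaning inside a search filter
# and must be written as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter.
    Each character is mapped independently, so a backslash produced by the
    table is never re-escaped."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str) -> str:
    """Filter for a user lookup; the only variable part is the escaped value.
    Attribute names are assumed for the example."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


if __name__ == "__main__":
    print(build_login_filter("alice"))
    # A value containing filter syntax stays a literal string to match, not new clauses.
    print(build_login_filter("*)(uid=*"))
```

Note that this escaping is for filter values only. A value placed into a distinguished name (for example when binding or creating an entry) follows the different escaping rules of RFC 4514 and needs its own routine.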
Log Injection occurs when unvalidated input is stored directly in log files which may lead to misinformation or the exploitation of other vulnerabilities.
The application takes data from the user and uses it to load classes by reflection. If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. With SQL injection attacks, SQL commands are injected into data-plane input in order to execute predefined SQL commands.
Similarly to SQL Injection, XPath Injection attacks occur when a website uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information to the website, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the website if the XML data is being used for authentication (such as an XML-based user file).
The use of a hard-coded cryptographic key tremendously increases the possibility that encrypted data may be recovered.
The use of a hard-coded password increases the possibility of password guessing tremendously.
NO HTTP ONLY COOKIE
URL rewriting is the technique of transporting the session ID within a Uniform Resource Locator, better known as a URL.
Unlike an HTTP header which transports cookies, a session ID in a URL can be disclosed in many ways.
Session timeout defines the action window time for a user, so this window also represents the delay in which an attacker can try to steal and use an existing user session. Therefore the longer the session timeout, the easier it is for cross-user web attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) to succeed.
The session timeout value should not be greater than 30 minutes. Applications that handle sensitive data tend to use short timeouts, usually between 15 and 30 minutes.
The use of weak passwords increases the possibility of password guessing tremendously.
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
ADMIN CONSOLE ACTIVE
The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
DEFAULT HTML ESCAPE INVALID
Applications based on Spring tags do not escape by default but it is a good practice to activate it in web.xml as it reduces the likelihood of a XSS attack.
DIRECTORY LISTING LEAK
App server configuration allows directory listing, which could potentially yield sensitive information to an attacker.
INSECURE AUTH PROTOCOL
The application uses an authentication protocol that is not considered secure. The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme. That scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.
INSECURE JSP LAYOUT
The application has JSP files outside WEB-INF folder which may cause their content to be leaked by an attacker.
SESSION COOKIE NOT HTTP ONLY
According to the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.
The application has a form that may leak potentially sensitive information. This could cause the browser to cache that information insecurely because neither the <form> tag nor the relevant <input> fields have the
The application uses an encryption algorithm that doesn't meet today's generally accepted standards. Cryptography is hard, and there are many little mistakes that can make a cryptosystem leak information, or worse. Choosing an encryption algorithm that is known to be unsafe is a very common way to completely undermine security. Frequently, the use of a weak algorithm will allow sensitive data or credentials to be hijacked during transmission or when stored.
The application uses a hashing algorithm that doesn't meet today's generally accepted standards. Cryptography is hard, and there are many little mistakes that can make a cryptosystem leak information, or worse. Choosing a hashing algorithm that is known to be unsafe is a very common way to completely undermine security. Frequently, the use of a weak algorithm will allow credentials or data to be extracted.
Standard pseudo-random number generators cannot withstand cryptographic attacks.
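As an added example (not from the Hdiv documentation) covering the three findings above: session tokens drawn from the operating system CSPRNG rather than a standard PRNG, passwords stored with a salted, iterated key derivation instead of a plain fast hash, and a check for the digest names such a rule would flag. The storage format and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed iteration count; raise it to current guidance for your hardware.
# It is stored alongside the hash so it can be increased later without
# invalidating existing records.
PBKDF2_ITERATIONS = 200_000


def new_session_token(nbytes: int = 32) -> str:
    """secrets reads the OS CSPRNG. random.random() is a Mersenne Twister whose
    internal state can be reconstructed from a run of observed outputs, which
    is the failure mode the finding above describes."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 in a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored value."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so response timing does not leak how many
    # bytes of the digest matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Digest names the weak-hash finding would flag: practical collision attacks
# exist for both, and both are far too fast for password storage.
WEAK_DIGESTS = {"md5", "sha1"}


def is_weak_digest(name: str) -> bool:
    return name.lower().replace("-", "") in WEAK_DIGESTS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(new_session_token())
```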
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a "dot-dot-slash (../)" sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files. It should be noted that access to files is limited by the system's operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.
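The following is an added example (not code from the Hdiv documentation) of the canonicalisation check that defeats the variations listed above: the user path is joined to the web root, resolved on the real filesystem, and only accepted if the result still lies under the root. The root directory used in the demonstration is a constructed value.

```python
from pathlib import Path, PurePosixPath


def resolve_under_root(root: str, user_path: str) -> Path:
    """Map a user-supplied relative path onto a file inside root, or raise.
    Runs after the web framework has URL-decoded the value; a check on the
    encoded form would miss "..%2f" style variants."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Absolute paths are rejected outright rather than silently rewritten,
    # so the request is visible as an attempt instead of being masked.
    if PurePosixPath(user_path).is_absolute() or user_path.startswith("\\"):
        raise PermissionError("absolute paths are not allowed")
    base = Path(root).resolve()
    # resolve() collapses ".." components and follows symlinks, so the
    # comparison is made on the real location, not on the string received.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError("path escapes the web root: %s" % user_path)
    return candidate


def is_path_allowed(root: str, user_path: str) -> bool:
    """Boolean wrapper used by the checks below."""
    try:
        resolve_under_root(root, user_path)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    ROOT = "/srv/app/public"  # constructed web root
    for p in ("css/site.css", "../../etc/passwd", "/etc/passwd", "docs/../../secret"):
        print("%-22s %s" % (p, is_path_allowed(ROOT, p)))
```

Comparing on the resolved path is what makes the check robust: a string filter that only looks for `../` is bypassed by the encoded and mixed-separator variants the paragraph above alludes to, whereas a resolved location either is or is not under the root.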
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
The application is using an untrusted input to craft a redirect/forward url.
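An added example (not from the Hdiv documentation) that serves both the HTTP header injection finding and the redirect finding above: a Location value built from user input is first checked for the CR, LF and NUL bytes that enable response splitting, then accepted only if it is a same-site path or an absolute URL on an allowlisted host. The allowlist host is an assumption for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def is_header_value_safe(value: str) -> bool:
    """A CR, LF or NUL inside a header value lets the value terminate the
    header and inject further headers or a body (response splitting)."""
    return not any(ch in value for ch in "\r\n\x00")


def safe_redirect_target(user_url: str, default: str = "/") -> str:
    """Return user_url only if it is a same-site path or an allowlisted
    absolute URL; otherwise fall back to default."""
    if not is_header_value_safe(user_url):
        return default
    try:
        parts = urlsplit(user_url)
    except ValueError:          # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference. "//host" is scheme-relative and browsers treat
        # "/\host" the same way, so require exactly one leading "/".
        if user_url.startswith("/") and not user_url.startswith(("//", "/\\")):
            return user_url
        return default
    # Absolute URL: scheme and hostname must both be acceptable. Comparing
    # parts.hostname (not the raw string) defeats "https://good@evil" tricks.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return user_url
    return default


def location_header(user_url: str) -> str:
    """The header line as it would be written into the response."""
    return "Location: " + safe_redirect_target(user_url)


if __name__ == "__main__":
    for u in ("/account?tab=1", "//evil.example.net/", "https://app.example.com/home",
              "https://app.example.com@evil.example.net/", "/home\r\nSet-Cookie: a=b"):
        print(repr(u), "->", location_header(u))
```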
CACHE CONTROLS MISSING
The browser has a capability to temporarily store some of the pages browsed. These cached files are stored in a folder, like the Temporary Internet Files folder in the case of Internet Explorer. When we ask for these pages again, the browser displays them from its cache. This is much faster than downloading the page from the server. Let's consider the particular scenario where a user has logged in to an application with username and password. The user browses the different pages which contain sensitive information. Let's suppose a page with the user's credit card information gets cached in the browser and the user logs out of the application. Now suppose attackers access the same machine and search through the Temporary Internet Files. They will get the credit card details. The attackers do not need to know the username and password of the user to steal the information.
CLICKJACKING CONTROL MISSING
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for one page and routing them to another, most likely owned by another application, domain, or both.
CSP HEADER INSECURE
The application is not using the CSP header properly. CSP stands for Content Security Policy.
This is a W3C specification instructing the client browser which type of resources can be loaded and/or from which location. The CSP specification uses directives to define a loading behavior for a target resource type.
CSP HEADER MISSING
The application is not using the CSP header. CSP stands for Content Security Policy.
This is a W3C specification instructing the client browser which type of resources can be loaded and/or from which location. The CSP specification uses directives to define a loading behavior for a target resource type.
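To make the two CSP findings concrete, here is an added example (not from the Hdiv documentation) of a small parser for the directive syntax described above, plus the checks a reviewer would run on the result: a missing fallback directive, script sources that permit inline or arbitrary script, and an unrestricted object-src. The set of sources treated as risky is this example's own choice.

```python
# Sources that let injected markup execute script when they appear in
# script-src (or in default-src when script-src is absent).
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP specification a repeated directive is ignored: the
        # first occurrence is the one enforced, so it is the one kept here.
        directives.setdefault(name, tokens[1:])
    return directives


def csp_findings(header: str) -> list:
    """Return the problems found in one policy, as short strings."""
    d = parse_csp(header)
    findings = []
    if "default-src" not in d:
        findings.append("missing default-src")
    if "script-src" not in d and "default-src" not in d:
        findings.append("script sources unrestricted")
    # script-src falls back to default-src when it is not set.
    for src in d.get("script-src", d.get("default-src", [])):
        if src.lower() in RISKY_SCRIPT_SOURCES:
            findings.append("script allows " + src)
    # Plugins are a classic bypass; the policy should pin object-src to 'none'.
    if d.get("object-src", d.get("default-src", [])) != ["'none'"]:
        findings.append("object-src not 'none'")
    return findings


if __name__ == "__main__":
    for policy in ("default-src 'self'; object-src 'none'",
                   "default-src 'self'; script-src 'self' 'unsafe-inline'",
                   "script-src *"):
        print(policy, "->", csp_findings(policy))
```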
HSTS HEADER MISSING
Application is not using HSTS header. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
HTML RESOURCE INTEGRITY
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
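An added example (not code from the Hdiv documentation) showing both halves of SRI: computing the `integrity` value for a file you are about to reference, and checking a fetched body against an `integrity` attribute the way a browser does, including the rule that only the strongest listed algorithm counts when several are given. The script URL in the demonstration is constructed.

```python
import base64
import hashlib
import hmac

# Strongest first: the order a browser uses when several algorithms are listed.
SRI_ALGORITHMS = ("sha512", "sha384", "sha256")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity value for content, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def verify_sri(content: bytes, integrity: str) -> bool:
    """Apply an integrity attribute: keep only the hashes of the strongest
    algorithm present, then accept if any of them matches the content."""
    by_algo = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGORITHMS:
            by_algo.setdefault(algo, []).append(value.split("?")[0])  # drop options
    for algo in SRI_ALGORITHMS:
        if algo in by_algo:
            actual = sri_hash(content, algo).split("-", 1)[1]
            return any(hmac.compare_digest(actual, v) for v in by_algo[algo])
    # Stricter than browsers, which load a resource whose attribute holds no
    # parseable hash; for a deploy-time check an unusable attribute is a failure.
    return False


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag with integrity and the crossorigin attribute SRI needs
    for resources served from another origin such as a CDN."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_hash(content))


if __name__ == "__main__":
    js = b"console.log('hello');"          # constructed file content
    print(script_tag("https://cdn.example.com/app.js", js))
    print(verify_sri(js, sri_hash(js)), verify_sri(js + b"//x", sri_hash(js)))
```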
Even if the application is using HTTPS, it is not setting secure flag on cookies which may lead to data exposure.
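The session cookie findings on this page (no HttpOnly, session ID in the URL, timeout above 30 minutes, missing Secure flag) all come down to how the Set-Cookie header is written. The following added example (not from the Hdiv documentation) builds a session cookie with the flags those findings expect and audits an arbitrary Set-Cookie value against them. The cookie name follows the Java servlet default; the SameSite choice is an assumption for the example.

```python
from http.cookies import SimpleCookie

# The rule stated on this page: the session timeout must not exceed 30 minutes.
MAX_SESSION_SECONDS = 30 * 60


def build_session_cookie(session_id: str, max_age: int = MAX_SESSION_SECONDS,
                         secure: bool = True) -> str:
    """Return the value of a Set-Cookie header carrying the session ID.
    Transporting it here, rather than in the URL, keeps it out of logs,
    Referer headers and browser history."""
    if max_age > MAX_SESSION_SECONDS:
        raise ValueError("session timeout above 30 minutes")
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id   # name assumed: the servlet default
    morsel = jar["JSESSIONID"]
    morsel["httponly"] = True        # not readable through document.cookie
    morsel["secure"] = secure        # sent only over HTTPS
    morsel["samesite"] = "Lax"       # withheld from most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age      # idle window the browser will honour
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Report, for one Set-Cookie value, the findings listed on this page."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for p in parts[1:]:                      # parts[0] is name=value
        name, _, val = p.partition("=")
        attrs[name.strip().lower()] = val.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        findings.append("Max-Age above 30 minutes")
    return findings


if __name__ == "__main__":
    header = build_session_cookie("constructed-session-id")
    print("Set-Cookie: " + header)
    print(audit_set_cookie(header))
    print(audit_set_cookie("JSESSIONID=abc; Path=/; Max-Age=7200"))
```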
Not setting the action field of a FORM tag may lead to parameter pollution if an attacker embeds the page inside an IFRAME.
PCI CLEAR PARAMETER VIOLATION
Credit card details should not be included as HTTP request parameters or as part of the URL, as this greatly increases the chance of their being leaked.
PCI LOGGING VIOLATION
PCI DSS standard does not allow credit card details to be leaked into log files.
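The following added example (not code from the Hdiv documentation) is a log sanitiser that addresses this finding and the Log Injection finding earlier on the page: it neutralises the line breaks an attacker would use to forge a log entry, then masks any Luhn-valid card number so that only the last four digits reach the log file. The sample log line is constructed and uses a standard test card number.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid number with asterisks plus its last 4 digits."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE_RE.sub(repl, text)


def sanitize_log_line(text: str) -> str:
    """Make one untrusted value safe to write into a log file."""
    # CR and LF are encoded visibly so an attacker-controlled value cannot
    # start a second, forged log record.
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    return mask_pans(text)


if __name__ == "__main__":
    # Constructed line: a test PAN plus an attempted second record.
    print(sanitize_log_line("user=alice card=4111 1111 1111 1111\nINFO login ok"))
    print(sanitize_log_line("order=1234567890123456"))   # fails Luhn, left alone
```

Masking by Luhn validity rather than by digit count alone keeps the sanitiser from mangling legitimate identifiers while still catching a PAN written with spaces or hyphens.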
This rule activates RMI parameter tainting so that other kind of vulnerabilities are detected. If this rule is not active, no RMI parameter will be traced.
TRUST BOUNDARY VIOLATION
A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.
Data which is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.
HTTP specification includes request methods other than the standard GET and POST requests. A standards-compliant web server may respond to these alternative methods in ways not anticipated by developers.
WEAK CROSS DOMAIN POLICY
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response.
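An added example (not from the Hdiv documentation) of the difference between a policy that reflects whatever Origin arrives and one that checks the origin against an exact-match allowlist, with a small checker for the response values this finding mentions. The allowlisted origins are constructed.

```python
# Constructed allowlist. Entries are complete origins (scheme, host and port
# if any) compared for exact equality; a suffix test such as
# endswith("example.com") would also accept "https://notexample.com".
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}


def reflecting_cors_headers(origin: str) -> dict:
    """The weak policy this finding describes: whatever Origin the request
    carries is echoed back, with credentials, so any site can read the API."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin) -> dict:
    """Headers for a credentialed API endpoint."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}   # no CORS headers: the browser refuses to expose the response
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # caches must not serve one origin's answer to another
    }


def cors_findings(request_origin: str, response_headers: dict) -> list:
    """Judge one request/response pair against the weak patterns."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials")
    if acao == "null":
        findings.append("null origin allowed")
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("reflects an origin outside the allowlist")
    if acao not in (None, "*", "null") and "origin" not in h.get("vary", "").lower():
        findings.append("per-origin response without Vary: Origin")
    return findings


if __name__ == "__main__":
    probe = "https://evil.example.net"
    print(cors_findings(probe, reflecting_cors_headers(probe)))
    print(cors_findings(probe, cors_headers(probe)))
    print(cors_headers("https://app.example.com"))
```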
XCONTENTTYPE HEADER MISSING
Application is not using X-Content-Type-Options header. Using this header will prevent the browser from MIME-sniffing a response away from the declared content-type.
XXSSPROTECTION HEADER DISABLED
Application has disabled XSS protection by sending an insecure header value.
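The response-header findings on this page (cache controls, clickjacking control, CSP, HSTS, X-Content-Type-Options and X-XSS-Protection) can be checked together on a captured response. The following added example (not from the Hdiv documentation) does that; the baseline header set it returns is this example's own choice, and the checks follow the rules as stated on this page.

```python
def recommended_headers() -> dict:
    """Constructed baseline for a response that shows sensitive data."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }


def audit_security_headers(headers: dict, sensitive: bool = True) -> list:
    """Return the findings from this page that apply to one response.
    sensitive=True means the page carries data that must not be cached."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    elif "max-age=" not in hsts.lower():
        findings.append("HSTS max-age missing")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP header missing")

    # Either mechanism stops the page being framed by another origin.
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("clickjacking control missing")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")

    # The rule on this page flags a value of 0. Note that Chromium-based
    # browsers have removed the auditor this header controlled, so some teams
    # send 0 deliberately; treat the finding in light of your browser targets.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.startswith("0"):
        findings.append("X-XSS-Protection disabled")

    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("cache controls missing")
    return findings


if __name__ == "__main__":
    print(audit_security_headers(recommended_headers()))
    # Constructed response from a server with default settings.
    print(audit_security_headers({"Content-Type": "text/html",
                                  "X-XSS-Protection": "0"}))
```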