HTTP PUT is enabled on the web server. The file /7e3171d6f3b2563.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.
The HTTP PUT method is used to upload data which is saved on the server at a user-supplied URL. If enabled, an attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
You should refer to your platform's documentation to determine how to disable the HTTP PUT method on the server.
PUT /7e3171d6f3b2563.txt HTTP/1.0 Host: primeworld.com Content-Length: 16
ASP.NET debugging is enabled on the server. The user context used to scan the application does not appear to be permitted to perform debugging, so this is not an immediately exploitable issue. However, if you were able to obtain or guess appropriate platform-level credentials, you may be able to perform debugging.
ASP.NET allows remote debugging of web applications, if configured to do so. By default, debugging is subject to access control and requires platform-level authentication.
If an attacker can successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure which may be valuable in formulating targetted attacks against the system.
To disable debugging, open the Web.config file for the application, and find the <compilation> element within the <system.web> section. Set the debug attribute to "false". Note that it is also possible to enable debugging for all applications within the Machine.config file. You should confirm that debug attribute in the <compilation> element has not been set to "true" within the Machine.config file also.
It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
GET / HTTP/1.1 Host: primeworld.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.
The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.
GET /robots.txt HTTP/1.0 Host: primeworld.com
HTTP/1.1 200 OK Content-Length: 74 Content-Type: text/plain Last-Modified: Wed, 31 Mar 2010 12:41:36 GMT Accept-Ranges: bytes ETag: "4963b680cfd0ca1:114a" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Thu, 21 Apr 2011 21:05:56 GMT Connection: close