VULNERABILITIES
Vulnerabilities
IMPORTANT
45 %
LOW
36 %
INFORMATION
18 %
XSS, Cross Site Scripting in admin.iconnection.com, CWE-79, CAPEC-86, DORK, GHDB REPORT SUMMARYPublic Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK SearchLoading
Netsparker - Scan Report Summary
|
||||||||||
|
Total RequestsAverage Speedreq/sec. |
11
identified
8
confirmed
0
critical
2
informational
|
||||||||
DORK TESTSDORK TESTS
|
||||||||||
|
Authentication
Scheduled
|
|||||||||
VULNERABILITIESVulnerabilities
|
||
|
|
IMPORTANT
45 %
LOW
36 %
INFORMATION
18 %
|
|
VULNERABILITY SUMMARYVulnerability Summary
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.
|
- /Login.aspx
/Login.aspx CONFIRMED |
| Parameter | Type | Value |
| Type | GET | '+alert(9)+' |
| __VIEWSTATE | POST | dDwxMTA4NTIwNzE2O3Q8O2w8aTwwPjtpPDE Oz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjtpPDE O2k8Mj47aTw0PjtpPDU O2k8Nz47PjtsPHQ8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs O3Q8cDxwPGw8VGV4dDtWaXNpYmxlOz47bDxEaWQgeW91IGZvcmdldCB5b3VyIHBhc3N3b3JkPztvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxcZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8XGU7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPFxlOz4 Oz47Oz47dDw7bDxpPDA Oz47bDx0PDtsPGk8MT47aTwzPjtpPDc O2k8OT47aTwxMT47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs O2w8UGFzc3dvcmQgQXNzaXN0YW5jZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8VXNlciBOYW1lOz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxQbGVhc2UgZW50ZXIgdGhlIHVzZXJuYW1lIHlvdSB1c2UgdG8gbG9naW47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IFF1ZXN0aW9uO288Zj47Pj47Pjs7Pjt0PHA8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IEFuc3dlcjtvPGY Oz4 Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxTdWJtaXQ7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPENhbmNlbDs Pjs Ozs Oz4 Oz4 Oz4 Oz4 O3Q8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs Oz4 Oz7dH3muZizjItM3zCp3yFdiS577sw== |
| secretQuestion%3AtxtUserName | POST | Smith |
| secretQuestion%3AbtnSubmit | POST | Submit |
|
- /Login.aspx
/Login.aspx CONFIRMED |
| Parameter | Type | Value |
| Type | GET | '+alert(9)+' |
| __VIEWSTATE | POST | dDwxMTA4NTIwNzE2O3Q8O2w8aTwwPjtpPDE Oz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjtpPDE O2k8Mj47aTw0PjtpPDU O2k8Nz47PjtsPHQ8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs O3Q8cDxwPGw8VGV4dDtWaXNpYmxlOz47bDxEaWQgeW91IGZvcmdldCB5b3VyIHBhc3N3b3JkPztvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxcZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8XGU7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPFxlOz4 Oz47Oz47dDw7bDxpPDA Oz47bDx0PDtsPGk8MT47aTwzPjtpPDc O2k8OT47aTwxMT47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs O2w8UGFzc3dvcmQgQXNzaXN0YW5jZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8VXNlciBOYW1lOz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxQbGVhc2UgZW50ZXIgdGhlIHVzZXJuYW1lIHlvdSB1c2UgdG8gbG9naW47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IFF1ZXN0aW9uO288Zj47Pj47Pjs7Pjt0PHA8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IEFuc3dlcjtvPGY Oz4 Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxTdWJtaXQ7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPENhbmNlbDs Pjs Ozs Oz4 Oz4 Oz4 Oz4 O3Q8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs Oz4 Oz7dH3muZizjItM3zCp3yFdiS577sw== |
| secretQuestion:btnCancel | POST | Cancel |
| secretQuestion:btnSubmit | POST | Submit |
| secretQuestion:txtUserName | POST | Smith |
|
- /Login.aspx
/Login.aspx CONFIRMED |
| Parameter | Type | Value |
| Type | GET | '+alert(9)+' |
| __VIEWSTATE | POST | dDwxMTA4NTIwNzE2O3Q8O2w8aTwwPjtpPDE Oz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjtpPDE O2k8Mj47aTw0PjtpPDU O2k8Nz47PjtsPHQ8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs O3Q8cDxwPGw8VGV4dDtWaXNpYmxlOz47bDxEaWQgeW91IGZvcmdldCB5b3VyIHBhc3N3b3JkPztvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxcZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8XGU7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPFxlOz4 Oz47Oz47dDw7bDxpPDA Oz47bDx0PDtsPGk8MT47aTwzPjtpPDc O2k8OT47aTwxMT47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs O2w8UGFzc3dvcmQgQXNzaXN0YW5jZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8VXNlciBOYW1lOz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxQbGVhc2UgZW50ZXIgdGhlIHVzZXJuYW1lIHlvdSB1c2UgdG8gbG9naW47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IFF1ZXN0aW9uO288Zj47Pj47Pjs7Pjt0PHA8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IEFuc3dlcjtvPGY Oz4 Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxTdWJtaXQ7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPENhbmNlbDs Pjs Ozs Oz4 Oz4 Oz4 Oz4 O3Q8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs Oz4 Oz7dH3muZizjItM3zCp3yFdiS577sw== |
| secretQuestion%3AtxtUserName | POST | Smith |
| secretQuestion%3AbtnCancel | POST | Cancel |
|
- /Login.aspx
/Login.aspx CONFIRMED |
| Parameter | Type | Value |
| Type | GET | '+alert(9)+' |
| __VIEWSTATE | POST | dDwxMTA4NTIwNzE2O3Q8O2w8aTwwPjtpPDE Oz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjtpPDE O2k8Mj47aTw0PjtpPDU O2k8Nz47PjtsPHQ8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs O3Q8cDxwPGw8VGV4dDtWaXNpYmxlOz47bDxEaWQgeW91IGZvcmdldCB5b3VyIHBhc3N3b3JkPztvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxcZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8XGU7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPFxlOz4 Oz47Oz47dDw7bDxpPDA Oz47bDx0PDtsPGk8MT47aTwzPjtpPDc O2k8OT47aTwxMT47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs O2w8UGFzc3dvcmQgQXNzaXN0YW5jZTs Pjs Ozs O3Q8cDxwPGw8VGV4dDs O2w8VXNlciBOYW1lOz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxQbGVhc2UgZW50ZXIgdGhlIHVzZXJuYW1lIHlvdSB1c2UgdG8gbG9naW47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IFF1ZXN0aW9uO288Zj47Pj47Pjs7Pjt0PHA8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7VmlzaWJsZTs O2w8U2VjcmV0IEFuc3dlcjtvPGY Oz4 Oz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY Oz4 Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxTdWJtaXQ7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPENhbmNlbDs Pjs Ozs Oz4 Oz4 Oz4 Oz4 O3Q8cDxwPGw8VmlzaWJsZTs O2w8bzxmPjs Pjs Ozs Oz4 Oz7dH3muZizjItM3zCp3yFdiS577sw== |
| secretQuestion%3AtxtUserName | POST | Smith |
|
- /login.aspx
/login.aspx CONFIRMED |
autocomplete="off" to the form tag or to individual "input" fields.|
- /login.aspx
/login.aspx CONFIRMED |
|
- /login.aspx
/login.aspx CONFIRMED |
X-AspNet-Version banner of HTTP response or default ASP.NET error page.
web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses.
<System.Web>
< httpRuntime enableVersionHeader="false" />
<customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
<error statusCode="403" redirect="~/error/Forbidden.aspx" />
<error statusCode="404" redirect="~/error/PageNotFound.aspx" />
<error statusCode="500" redirect="~/error/InternalError.aspx" />
</customErrors>
</System.Web>
|
- /
/ |
<%@Page ViewStateEncryptionMode="Always" %>You can also set this option for the whole application by using web.config files. Apply the following configuration for your application's web.config file.
<System.Web> <pages viewStateEncryptionMode="Always"> </System.Web>
|
- /login.aspx
/login.aspx |
|
- /Includes/
/Includes/ CONFIRMED |
SERVER header of its HTTP response.
|
- /
/ |