WEB VULNERABILITY SCANNING REPORT
DVWA, 24 Mar 20, 23:34 CET
https://dvwa.dev.crashtest.cloud/



1 Overview

1.1 Vulnerability Overview

Based on our testing we identified 54 vulnerabilities:

  5 critical
  10 high
  33 medium
  4 low
  2 informational

Figure 1.1: Total number of vulnerabilities for "DVWA" (bar chart per severity, scale 0 to 33)

Risk | Description | Base Score
informational | Informational findings do not pose any threat but have a solely informational purpose. | 0
low | Low severity findings do not pose an immediate threat. Such findings should be reviewed for their specific impact on the application and be fixed accordingly. | 0.1 - 3.9
medium | Medium findings may cause serious harm in combination with other security vulnerabilities. These findings should be considered during project planning and be fixed within a short time. | 4.0 - 6.9
high | Findings in this category pose an immediate threat and should be fixed immediately. | 7.0 - 8.9
critical | These findings are very critical while posing an immediate threat. Fixing these issues should be the highest priority regardless of any other issues. | 9.0 - 10.0

Crashtest Security GmbH, Leopoldstr. 21, 80802 München, Germany, https://crashtest-security.com


1.2 Scanner Overview

During the scan the Crashtest Security Suite was looking for the following kinds of vulnerabilities and security issues:

  • Server Version Fingerprinting
  • Web Application Version Fingerprinting
  • CVE Comparison
  • Heartbleed
  • ROBOT
  • BREACH
  • BEAST
  • Old SSL/TLS Version
  • SSL/TLS Cipher Order
  • SSL/TLS Perfect Forward Secrecy
  • SSL/TLS Session Resumption
  • SSL/TLS secure algorithm
  • SSL/TLS key size
  • SSL/TLS trust chain
  • SSL/TLS expiration date
  • SSL/TLS revocation (CRL, OCSP)
  • SSL/TLS OCSP stapling
  • Security Headers
  • Content-Security-Policy headers
  • Portscan
  • Boolean-based blind SQL Injection
  • Time-based blind SQL Injection
  • Error-based SQL Injection
  • UNION query-based SQL Injection
  • Stacked queries SQL Injection
  • Out-of-band SQL Injection
  • Reflected Cross-site scripting (XSS)
  • Stored Cross-site scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • File Inclusion
  • Directory Fuzzer
  • File Fuzzer
  • Command Injection
  • XML External Entity Processing (XXE)

1.2.1 Status for executed Scanners

Scanner | Percentage | Status
File Inclusion | 100% | 18 completed
Fingerprinting | 100% | 1 completed
Cross-Site Scripting (XSS) | 100% | 18 completed
XML External Entity (XXE) | 100% | 18 completed
CVE | 100% | 1 completed
Cross-Site Request Forgery (CSRF) | 100% | 18 completed
Deserialization | 100% | 18 completed
Fuzzer | 100% | 1 completed
Portscan | 100% | 1 completed
SQL Injection | 100% | 18 completed
Transport Layer Security (TLS/SSL) | 100% | 1 completed
Command Injection | 100% | 18 completed
Total | 100% | 131 completed


1.3 Findings Checklist

1.3.1 FILE INCLUSION

Severity | Finding | Noticed | Fixed
critical | Local File Inclusion: Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd" | [ ] | [ ]

1.3.2 FINGERPRINTING

Severity | Finding | Noticed | Fixed
high | Fingerprint Web Application Framework: Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs) | [ ] | [ ]
medium | Fingerprint Web Server: The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs) | [ ] | [ ]

1.3.3 PORTSCAN

Severity | Finding | Noticed | Fixed
informational | Portscanner: Found open port "80/tcp" with service name "Apache httpd" | [ ] | [ ]
informational | Portscanner: Found open port "443/tcp" with service name "Apache httpd" | [ ] | [ ]

1.3.4 SQL INJECTION

Severity | Finding | Noticed | Fixed
critical | SQL Injection: Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn | [ ] | [ ]
critical | SQL Injection: Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE | [ ] | [ ]

1.3.5 DESERIALIZATION

Severity | Finding | Noticed | Fixed
high | Insecure Deserialization: Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()" | [ ] | [ ]

1.3.6 XSS

Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>' | [ ] | [ ]
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>' | [ ] | [ ]
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>' | [ ] | [ ]
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>' | [ ] | [ ]
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>' | [ ] | [ ]
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>' | [ ] | [ ]

1.3.7 XXE

Severity | Finding | Noticed | Fixed
critical | XXE: Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>" | [ ] | [ ]

1.3.8 COMMAND INJECTION

Severity | Finding | Noticed | Fixed
critical | Command Injection: Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))" | [ ] | [ ]

1.3.9 FUZZER

Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge | [ ] | [ ]

1.3.10 SSL/TLS

Severity | Finding | Noticed | Fixed
medium | TLS Key Size: The certificate key size is RSA 1024 bits | [ ] | [ ]
medium | SSL RC4: The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | [ ] | [ ]
high | SSL Protocol Version: TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
high | SSL Protocol Version: TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
high | SSL Protocol Version: SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | [ ] | [ ]
high | Certificate Revocation: Neither CRL nor OCSP URI provided | [ ] | [ ]
low | SSL LOGJAM Common Primes: LOGJAM vulnerability detected, CVE-2015-4000 | [ ] | [ ]
high | SSL Cipherlist LOW: Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher | [ ] | [ ]
medium | X-XSS-Protection Header: The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL BEAST: VULNERABLE, but the server also supports the higher protocols TLSv1.1 and TLSv1.2 (likely mitigated) | [ ] | [ ]
low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | [ ] | [ ]
medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL Insecure Algorithm: Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | [ ] | [ ]
medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL Cipher Block Chaining TLS1 (BEAST TLS1): The BEAST attack leverages a weakness in cipher block chaining (CBC) mode in TLS 1.0 that allows a man-in-the-middle attacker to recover plaintext | [ ] | [ ]
medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
medium | SSL SWEET32: 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | [ ] | [ ]
high | SSL Trust: There is no subject alt name defined. Browsers are complaining | [ ] | [ ]
high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | [ ] | [ ]
medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
low | SSL Cipher Block Chaining SSL3 (BEAST SSL3): The BEAST attack leverages a weakness in cipher block chaining (CBC) mode in SSLv3 that allows a man-in-the-middle attacker to recover plaintext | [ ] | [ ]
medium | Non HttpOnly Cookies: The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | [ ] | [ ]
medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | [ ] | [ ]
medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | [ ] | [ ]
medium | Missing HSTS: HSTS is not offered by the server | [ ] | [ ]
medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]


Contents

1 Overview
  1.1 Vulnerability Overview
  1.2 Scanner Overview
    1.2.1 Status for executed Scanners
  1.3 Findings Checklist
    1.3.1 FILE INCLUSION
    1.3.2 FINGERPRINTING
    1.3.3 PORTSCAN
    1.3.4 SQL INJECTION
    1.3.5 DESERIALIZATION
    1.3.6 XSS
    1.3.7 XXE
    1.3.8 COMMAND INJECTION
    1.3.9 FUZZER
    1.3.10 SSL/TLS
2 Findings
  2.1 DESERIALIZATION
    2.1.1 What is this
    2.1.2 Insecure Deserialization
  2.2 FILE INCLUSION
    2.2.1 What is this
    2.2.2 Local File Inclusion
  2.3 FINGERPRINTING
    2.3.1 What is this
    2.3.2 Fingerprint Web Application Framework
    2.3.3 Fingerprint Web Server
  2.4 PORTSCAN
    2.4.1 What is this
    2.4.2 Portscanner
  2.5 XSS
    2.5.1 What is this
    2.5.2 Cross-Site Scripting (XSS)
  2.6 XXE
    2.6.1 What is this
    2.6.2 XXE
  2.7 COMMAND INJECTION
    2.7.1 What is this
    2.7.2 Command Injection
  2.8 FUZZER
    2.8.1 What is this
    2.8.2 Sensitive Data Exposure
  2.9 SQL INJECTION
    2.9.1 What is this
    2.9.2 SQL Injection
  2.10 SSL/TLS
    2.10.1 What is this
    2.10.2 TLS Key Size
    2.10.3 SSL RC4
    2.10.4 SSL Protocol Version
    2.10.5 Certificate Revocation
    2.10.6 SSL LOGJAM Common Primes
    2.10.7 SSL Cipherlist LOW
    2.10.8 X-XSS-Protection Header
    2.10.9 SSL BEAST
    2.10.10 SSL Cipherlist AVERAGE
    2.10.11 X-Content-Type-Options Header
    2.10.12 SSL Insecure Algorithm
    2.10.13 Content-Security-Policy Header
    2.10.14 SSL Cipher Block Chaining TLS1
    2.10.15 X-Frame-Options Header
    2.10.16 SSL Cipherlist 3DES IDEA
    2.10.17 SSL SWEET32
    2.10.18 SSL Trust
    2.10.19 Referrer-Policy Header
    2.10.20 SSL Cipher Block Chaining SSL3
    2.10.21 Non HttpOnly Cookies
    2.10.22 SSL POODLE
    2.10.23 SSL Cipher Order
    2.10.24 TLS Configuration
    2.10.25 Missing HSTS
    2.10.26 Insecure Cookies
  2.11 Appendix
    2.11.1 PHP 5.5.9 CVE Findings
    2.11.2 Apache 2.4.7 CVE Findings


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this

Insecure deserialization is an attack where a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and its magic methods (in PHP, for example __wakeup() or __destruct()) run with attacker-controlled properties, which can result in SQL injection, path traversal, application denial of service and remote code execution.

2.1.2 Insecure Deserialization

Severity

  Base Score: high (8.1/10)
  Impact: medium (5.9/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

  • Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()"

How to fix

Do not pass untrusted serialized objects to the unserialize function. Exchange data with clients in a format that cannot instantiate objects (for example JSON) and, where a server-generated blob has to travel through the client, authenticate it with a MAC so that it cannot be modified on the way back.
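The following PHP is an added example (not DVWA's code and not part of the report) of the fix described above: it keeps the vulnerable unserialize() call for comparison and replaces it with a JSON payload that is authenticated by an HMAC and whose accepted fields are allowlisted. The Preferences class, the secret key and the token format are assumptions; the code uses PHP 7 syntax, whereas the scanned host runs PHP 5.5.9 (see 2.3.2), where neither hash_equals() nor the allowed_classes option of unserialize() exist.

```php
<?php
// Added example, not DVWA's code. Class, key and token format are assumptions.

class Preferences
{
    public $theme = 'light';
}

// VULNERABLE: unserialize() on attacker-controlled input. Any loaded (or
// autoloadable) class can be instantiated with attacker-chosen properties and
// its __wakeup()/__destruct() methods run with that state.
function load_preferences_vulnerable(string $data): Preferences
{
    return unserialize($data);
}

// HARDENED, step 1: the client never supplies serialized PHP. JSON decodes to
// arrays and scalars only, and fields are copied onto the object explicitly.
// HARDENED, step 2: an HMAC over the JSON detects any modification; the key
// never leaves the server.
const PREFS_KEY = 'replace-with-a-random-32-byte-secret'; // assumption

function encode_preferences(Preferences $p): string
{
    $json = json_encode(['theme' => $p->theme]);
    $mac  = hash_hmac('sha256', $json, PREFS_KEY);
    return base64_encode($json) . '.' . $mac;
}

function load_preferences_hardened(string $data): Preferences
{
    $parts = explode('.', $data, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed token');
    }
    $json = base64_decode($parts[0], true);
    if ($json === false) {
        throw new InvalidArgumentException('malformed token');
    }
    // Constant-time comparison (hash_equals() exists since PHP 5.6).
    if (!hash_equals(hash_hmac('sha256', $json, PREFS_KEY), $parts[1])) {
        throw new InvalidArgumentException('bad MAC');
    }
    $fields = json_decode($json, true);
    if (!is_array($fields)) {
        throw new InvalidArgumentException('bad JSON');
    }
    $p = new Preferences();
    // Allowlist the accepted values instead of trusting the decoded content.
    $theme = $fields['theme'] ?? '';
    $p->theme = in_array($theme, ['light', 'dark'], true) ? $theme : 'light';
    return $p;
}

// If serialized PHP must be accepted, at least forbid object creation
// (PHP >= 7.0, so not on the PHP 5.5.9 the scan fingerprinted):
//   $value = unserialize($data, ['allowed_classes' => false]);
// Objects in the input then become __PHP_Incomplete_Class and no magic
// method of a real class runs.

// Usage
$token = encode_preferences(new Preferences());
$prefs = load_preferences_hardened($token);          // accepted
try {
    load_preferences_hardened($token . 'x');         // tampered MAC
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";           // rejected: bad MAC
}
```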

Recommendations

https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILE INCLUSION

2.2.1 What is this

Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive, for example to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can expose sensitive files on the webserver and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity

  Base Score: critical (9.8/10)
  Impact: medium (5.9/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

  • Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd"

How to fix

Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (the whitelist) are written into an array. For every request the web application checks the whitelist and includes the file only if the requested name is on it. Do not rely on filtering out "../" or "/etc/" from the parameter instead; encoding variants and absolute paths such as the payload above bypass such filters.
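An added PHP example (not DVWA's code) of the whitelist approach described above. The "page" parameter matches the finding; the list of includable files, the pages/ directory and the helper names are assumptions.

```php
<?php
// Added example, not DVWA's code. File list, directory and names are assumptions.

// VULNERABLE: the raw parameter reaches include(). "?page=/etc/passwd" or
// "?page=../../../../etc/passwd" reads arbitrary files; with allow_url_include
// enabled a remote URL would even be executed as PHP.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: map the request key to a fixed set of files and include only those.
const PAGES = [                       // whitelist (assumed content)
    'include' => 'include.php',
    'file1'   => 'file1.php',
    'file2'   => 'file2.php',
];

function resolve_page(string $page): ?string
{
    // Exact-match lookup: no path characters from the request reach include().
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown page';
        return;
    }
    include $path;
}

// Defence in depth if a dynamic file name is unavoidable: canonicalise the
// result and verify it is still inside the intended directory.
function safe_path(string $base, string $name): ?string
{
    $real     = realpath($base . '/' . $name);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false) {
        return null;                                   // does not exist
    }
    if (strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // escaped the base dir
    }
    return $real;
}

// The checks alone (nothing is included here)
var_dump(resolve_page('file1') !== null);            // bool(true)
var_dump(resolve_page('/etc/passwd'));               // NULL
var_dump(resolve_page('../../../../etc/passwd'));    // NULL
```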

Recommendations

https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this

The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It can reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting an attacker gets valuable input to plan and carry out an attack; without it the attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack when they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

  Base Score: high (7.5/10)
  Impact: -
  Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

  • Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs)

How to fix

Depending on the application used there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the file names of included libraries like "jquery.3.2.1.min.js" or the documentation within a file where the version number is stated within the first lines. While some information is required to be left within these files as part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by Wordpress 4.9.1") or meta tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file, so it needs to be removed manually by editing the specific templates and files. PHP itself announces its version in the X-Powered-By response header, which is controlled by the expose_php setting in php.ini. Note that the base score of this finding comes from the CVEs connected to PHP 5.5.9: hiding the version only removes the hint, updating PHP removes the risk. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

  Base Score: medium (6.8/10)
  Impact: -
  Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver publicly provides information about itself such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

  • The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs)

How to fix

The amount of information a server shares can be set in its configuration files. Depending on the webserver used, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information; for Apache these are ServerTokens Prod and ServerSignature Off. After saving the changes, restart or reload the webserver to activate them. As with PHP above, hiding the version does not remove the 17 connected CVEs: Apache 2.4.7 should be updated.

Recommendations

https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

  Base Score: informational (0/10)
  Impact: informational (0/10)
  Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

  • Found open port "80/tcp" with service name "Apache httpd"
  • Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this

Cross-site scripting (XSS) refers to exploiting a security vulnerability in web applications by which an attacker infects web pages with client-side scripts that are invoked by other users. In 2007 XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can for example bypass access controls, steal client data or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

  Base Score: medium (6.1/10)
  Impact: low (2.7/10)
  Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'
  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'
  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'
  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'
  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'
  • Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix

XSS is prevented by encoding user-supplied data for the context in which it is output (HTML body, HTML attribute, JavaScript, URL) before returning it to the user, and by validating it on input. Removing or escaping only "<script>" tags is not enough: the payloads in the findings above use an <svg> element, and event-handler attributes, <img onerror>, javascript: URLs and many other vectors never contain a <script> tag at all. Use the output-encoding function of your framework or template engine (in PHP, htmlspecialchars() with ENT_QUOTES for HTML contexts) and add a Content-Security-Policy header as a second layer. More details on how to fix this problem can be found in the knowledge database (see Recommendations).
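An added PHP example (not DVWA's code) contrasting the tag-stripping approach with context-aware output encoding, run against the scanner's <svg> canary and a few constructed payloads. The function names are assumptions; the 'name' and 'txtName' parameters come from the findings.

```php
<?php
// Added example, not DVWA's code. Function names are assumptions.

// Constructed inputs: the scanner's <svg> canary plus common vectors.
// None of the last three contains a <script> tag.
$payloads = [
    '<script>alert(1)</script>',
    '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>',
    '<img src=x onerror=alert(1)>',
    '"><svg onload=alert(1)>',
];

// INSUFFICIENT: removing one tag, the pattern the text above warns about.
function greet_stripping(string $name): string
{
    $name = str_replace('<script>', '', $name);
    return "<pre>Hello {$name}</pre>";
}

// HTML body/attribute context: encode every character with HTML meaning.
// ENT_QUOTES encodes both ' and " so the same helper is safe inside quoted
// attribute values; always pass the charset explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function greet_encoded(string $name): string
{
    return '<pre>Hello ' . h($name) . '</pre>';
}

// Attribute context: encoding plus the surrounding quotes (txtName from the
// stored XSS finding).
function name_input(string $name): string
{
    return '<input name="txtName" value="' . h($name) . '">';
}

// JavaScript context: HTML encoding is the wrong tool; JSON-encode with the
// HTML-significant characters escaped so "</script>" cannot end the block.
function name_script(string $name): string
{
    $js = json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var userName = {$js};</script>";
}

// Any '<' beyond the two of the <pre>...</pre> wrapper means raw markup
// reached the browser.
function raw_tag_count(string $html): int
{
    return substr_count($html, '<') - 2;
}

foreach ($payloads as $p) {
    printf("strip: %d raw tag(s)   encode: %d raw tag(s)   %s\n",
        raw_tag_count(greet_stripping($p)),
        raw_tag_count(greet_encoded($p)),
        $p);
}
// strip reports 1 for every payload (the <svg> and <img> ones pass through
// untouched, the first one keeps its closing </script>); encode reports 0.
echo name_input($payloads[3]), "\n";
echo name_script($payloads[0]), "\n";
```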

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the XML document to the XML parser, the external entity will in some cases be resolved, so its content (for example a local file) is substituted into the document and may be returned to the attacker. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

  Base Score: critical (9.4/10)
  Impact: medium (5.5/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which the XML parser then processes. This can lead to sensitive data disclosure or remote code execution.

Finding

  • Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) included in the XML document, or at least to disable the resolution of external entities. The simplest robust rule is to reject documents that contain a DOCTYPE at all. In PHP, do not pass LIBXML_NOENT or LIBXML_DTDLOAD to the libxml-based parsers and keep external entity loading disabled.
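An added PHP example (not DVWA's code) that parses the exact payload from the finding with DOMDocument: first with the flag that makes the entity resolve, then with the hardened configuration. The function names are assumptions.

```php
<?php
// Added example, not DVWA's code. Function names are assumptions.

// Constructed input: the scanner's payload (file:///etc/passwd via &user;).
$xml = "<?xml version='1.0' encoding='utf-8'?>"
     . "<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
     . "<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
     . "<creds><user>&user;</user><pass>&user;</pass></creds>";

// VULNERABLE: LIBXML_NOENT substitutes entities, so on PHP 5.x/7.x <user>
// expands to the contents of /etc/passwd and is returned to the caller.
function parse_vulnerable(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $doc->getElementsByTagName('user')->item(0)->textContent;
}

// HARDENED: refuse any document that declares a DTD, then parse with external
// entity loading disabled and without LIBXML_NOENT. libxml_disable_entity_loader()
// is the PHP 5.x/7.x control; PHP 8 disables external loading by default and
// deprecates the call, hence the version guard.
function parse_hardened(string $xml): ?string
{
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;                           // DTDs are never needed here
    }
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok  = $doc->loadXML($xml, LIBXML_NONET);   // no NOENT, no DTDLOAD
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    if (!$ok) {
        return null;                           // malformed input
    }
    $node = $doc->getElementsByTagName('user')->item(0);
    return $node ? $node->textContent : null;
}

var_dump(parse_hardened($xml));                               // NULL (DOCTYPE rejected)
var_dump(parse_hardened('<creds><user>bob</user></creds>'));  // string(3) "bob"
// parse_vulnerable($xml) would return /etc/passwd where the file is readable.
```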

Recommendations

https://wiki.crashtest-security.com/xxe-processing


2.7 COMMAND INJECTION

2.7.1 What is this

Command injection is a vulnerability which is caused if the web application passes data from an untrusted source to a system shell without proper validation. With this vulnerability an attacker can execute any available system command with the privileges of the web server process. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

  Base Score: critical (9.8/10)
  Impact: medium (5.9/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

  • Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))"

How to fix

Every user input has to be checked by the web application before it reaches the operating system. Untrusted user input must not be passed to functions like "exec()", "system()" or "shell_exec()" without strict validation against the expected format (for an IP address, for example, filter_var() with FILTER_VALIDATE_IP), and any value that does reach a shell must be quoted with escapeshellarg(). Where possible avoid the shell altogether and pass the program and its arguments as separate parameters.
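An added PHP example (not DVWA's code) for a ping endpoint like the one in the finding. The scanner's payload works by making the shell evaluate a $((...)) arithmetic expansion and echo the result next to a marker string, which proves execution without side effects; the defence below validates the value as an IP address and, in the last variant, keeps the shell out of the call entirely. Function names and the ping invocation are assumptions.

```php
<?php
// Added example, not DVWA's code. Function names and the ping call are assumptions.

// VULNERABLE: shell metacharacters in $ip are interpreted by /bin/sh, so
// "127.0.0.1; id" runs id, and "$((12*12))" is evaluated by the shell.
function ping_vulnerable(string $ip): string
{
    return (string) shell_exec('ping -c 1 ' . $ip);
}

// HARDENED, layer 1: accept only something that really is an IP address.
function validate_ip(string $ip): ?string
{
    $v = filter_var($ip, FILTER_VALIDATE_IP);
    return $v === false ? null : $v;
}

// HARDENED, layer 2: even validated data is passed as one quoted argument,
// so the shell cannot split or interpret it.
function ping_hardened(string $ip): ?string
{
    $valid = validate_ip($ip);
    if ($valid === null) {
        return null;
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($valid));
}

// Better still (PHP 7.4+): run the binary without a shell at all, so there is
// nothing left that could interpret metacharacters.
function ping_no_shell(string $ip): ?string
{
    $valid = validate_ip($ip);
    if ($valid === null) {
        return null;
    }
    $proc = proc_open(['ping', '-c', '1', $valid], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: the validation step alone, without running ping.
$inputs = [
    '127.0.0.1',
    '::1',
    '127.0.0.1; id',
    '$((12*12))',
    '127.0.0.1 | cat /etc/passwd',
];
foreach ($inputs as $in) {
    printf("%-32s -> %s\n", $in, validate_ip($in) === null ? 'rejected' : 'accepted');
}
// Only the first two are accepted.
```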

Recommendations

https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data has to be processed. In this case the fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

  Base Score: medium (5.3/10)
  Impact: low (1.4/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

  • Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge
  • Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix

In some cases it is completely fine to expose certain file paths, as long as it is done on purpose. Others may be exposed unintentionally. In the list above, phpinfo.php (full PHP configuration and environment), php.ini, the config/ directory, the .git/ directory (from which the source code can be reconstructed) and setup.php (which resets the application's database) are the ones that must not be reachable on a production system; CHANGELOG.md and README.md mainly confirm the exact application version for fingerprinting. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they are not needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).


29 SQLINJECTION

291 What is thisSQL injection refers to the exploitation of a SQL database vulnerability caused by the lack ofmasking or validation of meta-characters in user input The attacker attempts to inject his owndatabase commands through the application which has access to the database As the requestis not validated correctly the inserted code changes the original SQL commands and thereforealters the results in favor of the attacker With a successful attack the attacker is able to spyon data modify it or delete it altogether and gain control over the server For this to work theattacker has different ways to breach the system For example it is possible to find a way intothe system via response time or error messages

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload: Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload: Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they do not affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; when the input is bound to the query, the user's data is escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and can therefore be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, or respectively the used certificate authority (CA), to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but the server also supports higher protocols: TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various XSS and other cross-site scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on all others.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server uses ciphers with short block sizes, which makes it likely that multiple inputs hit the same hash. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non-HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217 In Apache HTTP Server 24 release 2438 and priora race condition in mod_auth_digest when running in a threaded servercould allow a user with valid credentials to authenticate using anotherusername bypassing configured access control restrictions

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 240to 2438 When the path component of a request URL contains mul-tiple consecutive slashes (rsquorsquo) directives such as LocationMatch andRewriteRule must account for duplicates in regular expressions whileother aspects of the servers processing will implicitly collapse them

medium CVE-2019-10092 In Apache HTTP Server 240-2439 a limited cross-site scripting issue was reported affecting the mod_proxy error pageAn attacker could cause the link on the error page to be malformed andinstead point to a page of their choice This would only be exploitablewhere a server was set up with proxying enabled but was misconfiguredin such a way that the Proxy Error page was displayed

medium CVE-2019-10098 In Apache HTTP server 240 to 2439 Redirects con-figured with mod_rewrite that were intended to be self-referential mightbe fooled by encoded newlines and redirect instead to an unexpectedURL within the request URL


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665



1.2 Scanner Overview

During the scan, the Crashtest Security Suite was looking for the following kinds of vulnerabilities and security issues:

• Server Version Fingerprinting
• Web Application Version Fingerprinting
• CVE Comparison
• Heartbleed
• ROBOT
• BREACH
• BEAST
• Old SSL/TLS Version
• SSL/TLS Cipher Order
• SSL/TLS Perfect Forward Secrecy
• SSL/TLS Session Resumption
• SSL/TLS secure algorithm
• SSL/TLS key size
• SSL/TLS trust chain
• SSL/TLS expiration date
• SSL/TLS revocation (CRL, OCSP)
• SSL/TLS OCSP stapling
• Security Headers
• Content-Security-Policy headers
• Portscan
• Boolean-based blind SQL Injection
• Time-based blind SQL Injection
• Error-based SQL Injection
• UNION query-based SQL Injection
• Stacked queries SQL Injection
• Out-of-band SQL Injection
• Reflected Cross-site scripting (XSS)
• Stored Cross-site scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• File Inclusion
• Directory Fuzzer
• File Fuzzer
• Command Injection
• XML External Entity Processing (XXE)

1.2.1 Status for executed Scanners

Scanner | Percentage | Status
File Inclusion | 100% | 18 completed
Fingerprinting | 100% | 1 completed
Cross-Site Scripting (XSS) | 100% | 18 completed
XML External Entity (XXE) | 100% | 18 completed
CVE | 100% | 1 completed
Cross-Site Request Forgery (CSRF) | 100% | 18 completed
Deserialization | 100% | 18 completed
Fuzzer | 100% | 1 completed
Portscan | 100% | 1 completed
SQL Injection | 100% | 18 completed
Transport Layer Security (TLS/SSL) | 100% | 1 completed
Command Injection | 100% | 18 completed
Total | 100% | 131 completed


1.3 Findings Checklist

1.3.1 FILEINCLUSION

Severity | Finding | Noticed | Fixed
critical | Local File Inclusion: Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd" | ☐ | ☐

1.3.2 FINGERPRINTING

Severity | Finding | Noticed | Fixed
high | Fingerprint Web Application Framework: Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs) | ☐ | ☐
medium | Fingerprint Web Server: The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs) | ☐ | ☐

1.3.3 PORTSCAN

Severity | Finding | Noticed | Fixed
informational | Portscanner: Found open port "80/tcp" with service name "Apache httpd" | ☐ | ☐
informational | Portscanner: Found open port "443/tcp" with service name "Apache httpd" | ☐ | ☐

1.3.4 SQLINJECTION

Severity | Finding | Noticed | Fixed
critical | SQL Injection: Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn | ☐ | ☐


Severity | Finding | Noticed | Fixed
critical | SQL Injection: Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE | ☐ | ☐

1.3.5 DESERIALIZATION

Severity | Finding | Noticed | Fixed
high | Insecure Deserialization: Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()" | ☐ | ☐

1.3.6 XSS

Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>' | ☐ | ☐


Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>' | ☐ | ☐

1.3.7 XXE

Severity | Finding | Noticed | Fixed
critical | XXE: Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>" | ☐ | ☐

1.3.8 COMMANDINJECTION

Severity | Finding | Noticed | Fixed
critical | Command Injection: Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))" | ☐ | ☐

1.3.9 FUZZER

Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge | ☐ | ☐


Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge | ☐ | ☐

1.3.10 SSLTLS

Severity | Finding | Noticed | Fixed
medium | TLS Key Size: The certificate key size is RSA 1024 bits | ☐ | ☐
medium | SSL RC4: The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | ☐ | ☐
high | SSL Protocol Version: TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
high | SSL Protocol Version: TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
high | SSL Protocol Version: SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | ☐ | ☐
high | Certificate Revocation: Neither CRL nor OCSP URI provided | ☐ | ☐
low | SSL LOGJAM Common Primes: LOGJAM vulnerability detected, CVE-2015-4000 | ☐ | ☐
high | SSL Cipherlist LOW: Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher | ☐ | ☐
medium | X-XSS-Protection Header: The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL BEAST: VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) | ☐ | ☐


Severity | Finding | Noticed | Fixed
low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED + 128/256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | ☐ | ☐
medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL Insecure Algorithm: Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | ☐ | ☐
medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL Cipher Block Chaining TLS1: BEAST TLS1. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | ☐ | ☐
medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
medium | SSL SWEET32: 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | ☐ | ☐
high | SSL Trust: There is no subject alt name defined. Browsers are complaining | ☐ | ☐
high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | ☐ | ☐
medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
low | SSL Cipher Block Chaining SSL3: BEAST SSL3. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | ☐ | ☐
medium | Non Httponly Cookies: The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | ☐ | ☐


Severity | Finding | Noticed | Fixed
medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | ☐ | ☐
medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | ☐ | ☐
medium | Missing HSTS: HSTS is not offered by the server | ☐ | ☐
medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud | ☐ | ☐


Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSLTLS 7
2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this 22
2.8.2 Sensitive Data Exposure 22


2.9 SQLINJECTION 24
2.9.1 What is this 24
2.9.2 SQL Injection 24
2.10 SSLTLS 26
2.10.1 What is this 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this?

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization

Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix

Do not pass untrusted serialized objects to the unserialize function.

Recommendations

https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILEINCLUSION

2.2.1 What is this?

Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd"

How to fix

Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request, the web application should check the whitelist to see whether the requested file is allowed for inclusion.

Recommendations

https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this?

The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs)

How to fix

Depending on the application used, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filename of included libraries, like "jquery-3.2.1.min.js", or the documentation within a file, where the version number is stated within the first lines. While some information is required to be left within these files as part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by Wordpress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file; it therefore needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs)

How to fix

The amount of information a server shares can be set in its configuration files. Depending on the webserver used, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate the changes.

Recommendations

https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this?

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this?
Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix
XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application; by escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this?
XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will in some cases be resolved. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

XXE allows an attacker to inject malicious XML documents into the website, which the server then parses and processes. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) declared in the XML document.

Recommendations
https://wiki.crashtest-security.com/xxe-processing


2.7 COMMAND INJECTION

2.7.1 What is this?
Command injection is a vulnerability that is caused when the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be checked for malicious content by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations
https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this?
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely fine to expose certain file paths, as long as it is on purpose. While some paths are exposed intentionally, others may be exposed unwillingly. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they may not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQL INJECTION

2.9.1 What is this?
SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject their own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and may gain control over the server. To achieve this, the attacker has different ways to breach the system; for example, it is possible to find a way into the system via response times or error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that they may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; when the input is bound to the query, the user's data is escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations
https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this?
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size which will result in weak encryption.

Finding

• The certificate key size is RSA 1024 bits

How to fix
The key used for the TLS connection is too small and can therefore be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks

How to fix
"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version
Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, or rather the certificate authority (CA) in use, to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes
Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pre-generated prime numbers, which makes it much easier (and cheaper) to break such an encryption.

Finding

• LOGJAM vulnerability detected, CVE-2015-4000

How to fix
LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support low ciphers such as LOW, DES, RC2 and RC4. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By exploiting weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE - but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE
Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header
Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files on its own. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The encryption algorithm in use has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead

How to fix
One of the encryption algorithms in use has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header
Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various XSS (cross-site scripting) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header
Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the page from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on all others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support 3DES and IDEA ciphers. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32
Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for multiple inputs (a birthday collision). By observing the traffic for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or will not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining

• The CN or SAN in the certificate does not match the tested URL

How to fix
The issued certificate is not consistent with the domain that delivered it. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as the common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header
Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This sends only your origin instead of the full path in the Referer header when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3
Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with SSLv3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by client-side scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred over an unencrypted connection; a man-in-the-middle attack can be used to read the contents of these cookies. Cookies that are not marked as HttpOnly can be read by client-side scripts; in case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both attributes for all cookies. This is especially important for session cookies. More details on how to set these two attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack that forces the SSL 3.0 fallback, an attacker can expose data from encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

No cipher order is set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

No cipher order is set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (CBC), matching cipher in list missing) could not be found in the list of ciphers that the server advertised.

How to fix

The web server needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest TLS version as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the web server in use, certain configuration settings have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred over an unencrypted connection. A man-in-the-middle attack can be used to read the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred over an unencrypted connection; a man-in-the-middle attack can be used to read the contents of these cookies. Cookies that are not marked as HttpOnly can be read by client-side scripts; in case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both attributes for all cookies. This is especially important for session cookies. More details on how to set these two attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

Severity  CVE  Description

high  CVE-2016-4072  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073  Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185  sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

Severity  CVE  Description

medium  CVE-2018-1312  In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109  mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185  The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736  In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161  In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

12 Scanner OverviewDuring the scan the Crashtest Security Suite was looking for the following kinds of vulnerabilitiesand security issues

Server Version Fingerprinting Web Application Version Fingerprinting CVE Comparison Heartbleed ROBOT BREACH BEAST Old SSLTLS Version SSLTLS Cipher Order SSLTLS Perfect Forward Secrecy SSLTLS Session Resumption SSLTLS secure algorithm SSLTLS key size SSLTLS trust chain SSLTLS expiration date SSLTLS revocation (CRL OCSP) SSLTLS OCSP stapling

Security Headers Content-Security-Policy headers Portscan Boolean-based blind SQL Injection Time-based blind SQL Injection Error-based SQL Injection UNION query-based SQL Injection Stacked queries SQL Injection Out-of-band SQL Injection Reflected Cross-site scripting (XSS) Stored Cross-site scripting (XSS) Cross-Site Request Forgery (CSRF) File Inclusion Directory Fuzzer File Fuzzer Command Injection XML External Entity Processing (XXE)

121 Status for executed Scanners

Scanner Percentage Status

File Inclusion 100 18 completedFingerprinting 100 1 completedCross-Site Scripting (XSS) 100 18 completedXML External Entity (XXE) 100 18 completedCVE 100 1 completedCross-Site Request Forgery (CSRF) 100 18 completedDeserialization 100 18 completedFuzzer 100 1 completedPortscan 100 1 completedSQL Injection 100 18 completedTransport Layer Security (TLSSSL) 100 1 completedCommand Injection 100 18 completed

100 131 completed

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 3 of 54

DVWA - 24 Mar 20 2334 CET

13 Findings Checklist

131 FILEINCLUSION

Severity Finding Noticed Fixed

critical Local File Inclusion Found file inclusion withmethod rdquogetrdquo for parameter rdquopagerdquo on rdquohttpsdvwadevcrashtestcloudvulnerabilitiesfirdquo withpayload rdquoetcpasswdrdquo

2 2

132 FINGERPRINTING

Severity Finding Noticed Fixed

high Fingerprint Web Application Framework Found PHP run-ning in version 559 (3 connected CVE issues have beenfound The most severe vulnerability has a CVSS score ofhigh (7510) See Appendix PHP 559 CVE Findings fora detailed list of the CVEs)

2 2

medium Fingerprint Web Server The webserver is runningApache 247 (17 connected CVE issues have been foundThe most severe vulnerability has a CVSS score ofmedium (6810) See Appendix Apache 247 CVE Find-ings for a detailed list of the CVEs)

2 2

133 PORTSCAN

Severity Finding Noticed Fixed

informational Portscanner Found open port rdquo80tcprdquo with servicename rdquoApache httpdrdquo

2 2

informational Portscanner Found open port rdquo443tcprdquo with servicename rdquoApache httpdrdquo

2 2

134 SQLINJECTION

Severity Finding Noticed Fixed

critical SQL Injection Found boolean-based blind sqlinjection forparameter id (GET) on httpsdvwadevcrashtestcloudvulnerabilitiessqli with payload Submit=Submitampid=xyzrsquoAND 8968=(SELECT (CASE WHEN (8968=8968) THEN8968 ELSE (SELECT 7909 UNION SELECT 5090) END))ndashmFLn

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 4 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedcritical SQL Injection Found boolean-based blind sqlinjection

for parameter username (GET) on httpsdvwadevcrashtestcloudvulnerabilitiesbrute with payload Lo-gin=Loginamppassword=Crashtest123ampusername=xyzrsquoAND 5434=5434 AND rsquobYyErsquo=rsquobYyE

2 2

135 DESERIALIZATION

Severity Finding Noticed Fixed

high Insecure Deserialization Found insecure deserializa-tion for method rdquogetrdquo with parameter rdquodatardquo on rdquohttpsdvwadevcrashtestcloudvulnerabilitiesdeserializerdquowith payload rdquophpinfo()rdquo

2 2

136 XSS

Severity Finding Noticed Fixed

medium Cross-Site Scripting (XSS) Foundpossible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesxss_r Theparameter rsquonamersquo seems vulnerable for payload rsquoltsvgb2d54995-0dcd-4b11-aeaf-67cb770883f3 rdquoonsgtrsquo

2 2

medium Cross-Site Scripting (XSS) Foundpossible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesdeserializeThe parameter rsquodatarsquo seems vulnerable for payload rsquoltsvg3159c2ae-840b-425d-8d90-c2bdc0395f8c rdquoonsgtrsquo

2 2

medium Cross-Site Scripting (XSS) Foundpossible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesxss_s Theparameter rsquomtxMessagersquo seems vulnerable for payloadrsquoltsvg 11cb1881-5005-4361-8249-6a016f7c8f65 rdquoonsgtrsquo

2 2

medium Cross-Site Scripting (XSS) Foundpossible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesxss_s Theparameter rsquotxtNamersquo seems vulnerable for payload rsquoltsvg94b36753-bbd7-413a-acff-d73b5ca88140 rdquoonsgtrsquo

2 2

medium Cross-Site Scripting (XSS) Foundpossible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesnosql Theparameter rsquotextrsquo seems vulnerable for payload rsquoltsvg0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 rdquoonsgtrsquo

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 5 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedmedium Cross-Site Scripting (XSS) Found

possible XSS vulnerability on sitedvwadevcrashtestcloudvulnerabilitiesnosql Theparameter rsquotitlersquo seems vulnerable for payload rsquoltsvg4f43f3fb-9679-492d-af98-0080e716adf6 rdquoonsgtrsquo

2 2

137 XXE

Severity Finding Noticed Fixed

critical XXE Found XXE in parameter rdquoxmlrdquo with methodrdquogetrdquo for URL rdquohttpsdvwadevcrashtestcloudvulnerabilitiesxxerdquo with payload rdquoltxml version=rsquo10rsquoencoding=rsquoutf-8rsquogtltDOCTYPE creds [ltELEMENT userANY gtltELEMENT pass ANY gtltENTITY user SYSTEMrsquofileetcpasswdrsquogt]gtltcredsgtltusergt26userltusergtltpassgt26userltpassgtltcredsgtrdquo

2 2

138 COMMANDINJECTION

Severity Finding Noticed Fixed

critical Command Injection Found command injection in pa-rameter rdquoiprdquo with method rdquopostrdquo for URL rdquohttpsdvwadevcrashtestcloudvulnerabilitiesexecrdquo with payloadrdquo echo crashtest-security$((1212))rdquo

2 2

139 FUZZER

Severity Finding Noticed Fixed

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudaboutphp by using a GET request on theURL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudCHANGELOGmd by using a GET requeston the URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudconfig by using a GET request on theURL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestclouddocs by using a GET request on the URLwithout prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudgit by using a GET request on the URLwithout prior knowledge

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 6 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedmedium Sensitive Data Exposure Retrieved httpsdvwadev

crashtestcloudinstructionsphp by using a GET requeston the URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudphpinfophp by using a GET request onthe URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudphpini by using a GET request on theURL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudREADMEmd by using a GET request onthe URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudsetupphp by using a GET request on theURL without prior knowledge

2 2

1310 SSLTLS

Severity Finding Noticed Fixed

medium TLS Key Size The certificate key size is RSA 1024 bits 2 2

medium SSL RC4 The detected cipher uses the encryption algo-rithm RC4 which is vulnerable for various attacks

2 2

high SSL Protocol Version TLS 11 is offered by the serverThis version of TLS is deprecated You should use TLS12 or TLS 13

2 2

high SSL Protocol Version TLS 10 is offered by the serverThis version of TLS is deprecated You should use TLS12 or TLS 13

2 2

high SSL Protocol Version SSLv3 is offered by the serverSSLv3 is insecure and should not be used TLS 12 or TLS13 should be used instead

2 2

high Certificate Revocation Neither CRL nor OCSP URI pro-vided

2 2

low SSL LOGJAMCommonPrimes LOGJAM vulnerability de-tected CVE-2015-4000

2 2

high SSL Cipherlist LOW Low ciphers like DES RC2 RC4 areused by the server You should use a stronger cipher

2 2

medium X-XSS-Protection Header The X-XSS-Protection headeris not set for URL httpsdvwadevcrashtestcloud

2 2

medium SSLBEASTVULNERABLE ndash but also supports higher pro-tocols TLSv11 TLSv12 (likely mitigated)

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 7 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedlow SSL Cipherlist AVERAGE The server is configured to use

average ciphers like SEED + 128+256 Bit CBC ciphers(AES CAMELLIA and ARIA) which are deprecated

2 2

medium X-Content-Type-Options Header The X-Content-Type-Options header is not set for URL httpsdvwadevcrashtestcloud

2 2

medium SSL Insecure Algorithm Weak signature algorithm MD5is used You should use SHA-256 SHA-384 or SHA-512instead

2 2

medium Content-Security-Policy Header The Content-Security-Policy header is not set for URL httpsdvwadevcrashtestcloud

2 2

medium SSL Cipher Block Chaining TLS1 BEAST TLS1 TheBEAST attack leverages weakness in the cipher blockchaining (CBC) which allows man in the middle attacks

2 2

medium X-Frame-OptionsHeader The X-Frame-Options header isnot set for URL httpsdvwadevcrashtestcloud

2 2

high SSL Cipherlist 3DES IDEA Cipher suits based on DES(Data Encryption Standard) and IDEA (International DataEncryption Algorithm) are not recommended for generaluse in TLS In TLS 12 and TLS 13 DES and IDEA are re-moved You should use TLS 12 or TLS 13

2 2

medium SSL SWEET32 64 bit block ciphers are used which arevulnerable to SWEET32 birthday attack 3DES ciphersshould be disabled

2 2

high SSL Trust There is no subject alt name definedBrowsers are complaining

2 2

high SSL Trust The CN or SAN in the certificate does notmatch the tested URL

2 2

medium Referrer-Policy Header The Referrer-Policy header is notset for URL httpsdvwadevcrashtestcloud

2 2

low SSL Cipher Block Chaining SSL3 BEAST SSL3 TheBEAST attack leverages weakness in the cipher blockchaining (CBC) which allows man in the middle attacks

2 2

medium Non Httponly Cookies The cookie with the name PH-PSESSID does not have the flag httponly set This mayleak sensitive information This was found on URL httpsdvwadevcrashtestcloud

2 2

low SSL POODLE The detected SSL version is vulnerable toSSL POODLE

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 8 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedmedium SSL Cipher Order There is no cipher order configured

There should be a cipher order from strongest to weakestto prevent clients from using weaker ciphers before tryingstronger ones first

2 2

medium TLS Configuration The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching cipherin list missing)) could not be found in the list of ciphersthat the server advertised

2 2

medium Missing HSTS HSTS is not offered by the server 2 2

medium Insecure Cookies The cookie with the name PHPSESSIDdoes not have the flag secure set This may leak sensi-tive information This was found on URL httpsdvwadevcrashtestcloud

2 2

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 9 of 54

DVWA - 24 Mar 20 2334 CET

Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSL/TLS 7

2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this? 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this? 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this? 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this? 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this? 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this? 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this? 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this? 22
2.8.2 Sensitive Data Exposure 22
2.9 SQLINJECTION 24
2.9.1 What is this? 24
2.9.2 SQL Injection 24
2.10 SSL/TLS 26
2.10.1 What is this? 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this?
Insecure deserialization is an attack in which a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and its magic methods execute, which can result in SQL injection, path traversal, application denial of service and remote code execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)
Impact: medium (5.9/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()".

How to fix
Do not pass untrusted serialized objects to the unserialize() function. If PHP's serialization format cannot be avoided for client data, call unserialize() with the option ['allowed_classes' => false] so that no object can be instantiated and no magic method can run; better, use a data-only format such as JSON for anything that crosses a trust boundary.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization
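The following is an added example (not DVWA code and not from the scanner vendor) that shows why unserialize() on a request parameter is exploitable and what the two safe alternatives recommended above look like in PHP 8. The CacheFlusher class and the serialized payload are constructed for the demonstration; in a real application the gadget would be some class already loaded by the framework.

```php
<?php
// Added example, not DVWA or Crashtest code: why unserialize() on request data is
// exploitable and what the two safe alternatives look like. Class and payload are
// constructed for the demonstration. Requires PHP >= 8.0 (mixed type).
declare(strict_types=1);

// A class with a magic method is a "gadget". unserialize() instantiates it from
// the attacker's string and PHP calls __wakeup() (and later __destruct())
// without the application ever asking for it.
final class CacheFlusher
{
    public string $command = '';

    public function __wakeup(): void
    {
        // A real gadget would do something like exec($this->command) here.
        echo "gadget fired: would run '{$this->command}'\n";
    }
}

// Constructed attacker input, as it would arrive in ?data=...
$gadget = new CacheFlusher();
$gadget->command = 'phpinfo()';
$untrusted = serialize($gadget);   // O:12:"CacheFlusher":1:{s:7:"command";s:9:"phpinfo()";}
unset($gadget);

// 1. Vulnerable: DVWA-style unserialize() of the raw parameter. The gadget runs.
function loadVulnerable(string $data): mixed
{
    return unserialize($data);
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// 2. Mitigated: allowed_classes => false turns every object into
//    __PHP_Incomplete_Class, so no magic method can run; reject those outright.
function loadRestricted(string $data): mixed
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if (containsObject($value)) {
        throw new UnexpectedValueException('serialized objects are not accepted');
    }
    return $value;
}

// 3. Preferred: use a data-only format. JSON has no notion of a class, so there
//    is nothing to instantiate; the depth limit bounds parser recursion.
function loadJson(string $data): array
{
    $value = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $value;
}

loadVulnerable($untrusted);                       // prints "gadget fired: ..."
try {
    loadRestricted($untrusted);
} catch (UnexpectedValueException $e) {
    echo "loadRestricted: {$e->getMessage()}\n";  // no gadget output before this
}
var_dump(loadRestricted('a:1:{s:4:"page";s:4:"home";}'));  // plain arrays still work
var_dump(loadJson('{"page":"home","items":[1,2,3]}'));
```

Run with `php deserialize.php`: the first call prints the gadget's message, the restricted loader throws before any magic method can execute, and the array and JSON inputs are returned as plain PHP arrays.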


2.2 FILEINCLUSION

2.2.1 What is this?
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive, for example to identify existing user accounts or password hashes. In some cases it is possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the webserver and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd".

How to fix
Every user input has to be checked by the web application before it is used. For file inclusion, the files that are allowed to be included are written into an allowlist, for example an array keyed by page name. For every request the web application looks the requested value up in that allowlist and includes only the mapped file; any other value is rejected. Do not try to sanitise the path by stripping "../", null bytes or stream wrapper prefixes such as "php://", as such filters are routinely bypassed.

Recommendations
https://wiki.crashtest-security.com/file-inclusion
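An added example (not DVWA code) of the allowlist approach described above for a "?page=" parameter. The page directory and its two files are created in a temporary directory so the script runs stand-alone, and the request values are constructed; the "/etc/passwd" value is the scanner's payload.

```php
<?php
// Added example, not DVWA code: allowlist-based inclusion for a "?page=" parameter,
// replacing include($_GET['page']). The page directory and files are created here
// so the script runs stand-alone; the request values are constructed.
declare(strict_types=1);

$pagesDir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($pagesDir, 0700);
file_put_contents("$pagesDir/include.php", "<?php echo \"included: trusted page\\n\";\n");
file_put_contents("$pagesDir/file1.php",   "<?php echo \"included: file1\\n\";\n");

// The allowlist is the control. Keys are the only values a client may send;
// values are absolute paths chosen by the developer. No byte of the request
// ever becomes part of a filesystem path or stream wrapper URL.
$pages = [
    'include' => "$pagesDir/include.php",
    'file1'   => "$pagesDir/file1.php",
];

function resolvePage(array $allowlist, string $requested): ?string
{
    // Exact-match lookup: there is no normalisation step for "../", "%00",
    // "php://filter" or "/etc/passwd" to slip through.
    return $allowlist[$requested] ?? null;
}

function renderPage(array $allowlist, string $requested): void
{
    $path = resolvePage($allowlist, $requested);
    if ($path === null) {
        http_response_code(404);
        echo 'rejected: ' . json_encode($requested) . "\n";
        return;
    }
    include $path;
}

$requests = [
    'include',                                               // legitimate
    'file1',                                                 // legitimate
    '/etc/passwd',                                           // the scanner's payload
    '../../../../etc/passwd',                                // traversal
    'php://filter/convert.base64-encode/resource=index.php', // source disclosure
    'include.php',                                           // close, but not an allowlisted key
];
foreach ($requests as $requested) {
    renderPage($pages, $requested);
}

array_map('unlink', glob("$pagesDir/*.php"));
rmdir($pagesDir);
```

Only the two allowlisted keys are included; every other value, including the near miss "include.php", is rejected with a 404 without the application ever touching the filesystem with client-controlled data.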


2.3 FINGERPRINTING

2.3.1 What is this?
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server software or the programming languages in use. It can reveal the version of the web application and of the libraries it uses. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker gets valuable input to plan and carry out an attack; without it, the attacker is attacking blindly. Whenever a specific version of a server or web application is known to be vulnerable, crawlers search the web for traces of that version and attack as soon as they find one. It is therefore likely that a system gets attacked simply because it leaks this information and thereby advertises that the application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) reveal their version. This gives attackers the possibility to look for exploits specifically targeting the software in exactly this version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs).

How to fix
Depending on the application there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filenames of included libraries, like "jquery-3.2.1.min.js", or the documentation header within a file, where the version number is stated in the first lines. While some information, such as the copyright notice, must be left in these files, other information like the version number can be removed. Other places are the footer of an application ("powered by WordPress 4.9.1") or meta tags within the head of the page. Unlike servers, most web applications cannot remove this information via a config file, so it has to be removed manually by editing the specific templates and files. For PHP itself, the version is advertised in the "X-Powered-By" response header; set "expose_php = Off" in php.ini to suppress it. Note that hiding the version does not fix the 3 CVEs listed in the appendix; PHP 5.5 has been out of support since 2016 and should be upgraded. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver publicly provides information about itself, such as its name and version. This gives attackers the possibility to look for exploits specifically targeting the webserver in exactly this version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs).

How to fix
The amount of information a server shares can be set in its configuration files. Depending on the webserver, the configuration file is found in different locations (see Recommendations for the exact location). In most cases it is sufficient to change one or two settings to stop publishing unnecessary information; for Apache these are "ServerTokens Prod" and "ServerSignature Off". After saving the changes, restart or reload the webserver to activate them. As with the PHP finding, this only removes the banner; the 17 CVEs are addressed by updating Apache.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this?
A port is a kind of door on the server that is used to connect to a specific service. For a webserver, port 80 and port 443 (HTTP and HTTPS) are most likely open to serve the website to its users. Other ports should be closed if they are not needed for any service. The portscanner probes the webserver with a SYN scan over a wide range of possibly open ports and reports the open ones. Any open port other than 80 and 443 should be blocked by the firewall unless it is needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can then be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd".
• Found open port "443/tcp" with service name "Apache httpd".

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled. Here only the two expected HTTP ports are open, so no action is required.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this?
Cross-site scripting (XSS) refers to exploiting a vulnerability in a web application by which an attacker injects client-side scripts into web pages that are then executed in the browsers of other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data the application handles. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'.

How to fix
XSS is prevented by encoding user-controlled data for the context in which it is output (HTML body, HTML attribute, JavaScript, URL) whenever it is returned to a browser or written to a page from the database; filtering input is at best a secondary control. Note that none of the payloads above contains a "<script>" tag: they use an <svg> element, whose on* event handler attributes execute script just the same, so blacklisting "<script>" does not stop them. In PHP, htmlspecialchars() with ENT_QUOTES covers the HTML body and quoted attributes, and json_encode() with the JSON_HEX_* flags covers values embedded in JavaScript. A Content-Security-Policy without 'unsafe-inline' limits the damage of anything that slips through. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting
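An added example (not DVWA code) contrasting the "<script>" blacklist with context-aware output encoding, as described in the fix above. The $name payload is constructed to match the shape of the scanner's findings (an <svg> element with an event handler, no <script> tag); it is not the scanner's exact string.

```php
<?php
// Added example, not DVWA code: why a "<script>" blacklist does not stop the
// reported payloads and what context-aware output encoding looks like. The
// payload string is constructed from the shape of the scanner's finding.
declare(strict_types=1);

$name = '<svg onload=alert(document.cookie)>';   // no <script> tag anywhere

// 1. Vulnerable: strip "<script>" (DVWA's medium-level filter). Every other
//    element and every on* event handler attribute survives untouched.
function renderNaive(string $name): string
{
    $filtered = str_replace('<script>', '', $name);
    return "<pre>Hello $filtered</pre>";
}

// 2. HTML body context: encode the characters that have meaning to the HTML
//    parser. ENT_QUOTES also encodes ' so the same function is safe inside
//    single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
//    silently dropping the whole string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. HTML attribute context: same encoder, but the attribute MUST be quoted,
//    otherwise the first space in the input ends the attribute value.
function renderInput(string $value): string
{
    return '<input type="text" name="name" value="' . e($value) . '">';
}

// 4. JavaScript context: emit a JSON literal with <, >, &, ', " hex-escaped so
//    the value cannot close the surrounding <script> block or start a tag.
function jsLiteral(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo renderNaive($name), "\n";                 // <svg ...> reaches the browser intact
echo '<pre>Hello ' . e($name) . "</pre>\n";    // &lt;svg ...&gt; is rendered as text
echo renderInput($name), "\n";
echo '<script>var name = ' . jsLiteral('</script><svg onload=alert(1)>') . ";</script>\n";
```

The first line of output still contains a live <svg onload=...> element; the encoded variants contain only entity-escaped text, and the JavaScript literal comes out as "\u003C\/script\u003E..." so it can neither terminate the script block nor open a tag.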


2.6 XXE

2.6.1 What is this?
XXE (XML External Entity) is a vulnerability that arises when a web application processes XML documents from an untrusted source without restricting the parser. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the entity is fetched, for example from the local filesystem, and its content ends up in the parsed data. This can lead to sensitive data exposure, server-side request forgery or, depending on the parser, remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)
Impact: medium (5.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed by the parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload:
  <?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) included in the XML document, or at least to never resolve external entities and never load external DTDs. With PHP's libxml-based parsers (DOMDocument, SimpleXML, XMLReader) this means not passing LIBXML_NOENT or LIBXML_DTDLOAD and, before PHP 8, calling libxml_disable_entity_loader(true). Rejecting any document that carries a DOCTYPE at all is the most robust rule, since the DOCTYPE is the only place an entity can be declared.

Recommendations
https://wiki.crashtest-security.com/xxe-processing
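An added example (not DVWA code) of the parser configuration described above: it parses with DOMDocument without entity substitution and rejects any document carrying a DTD. The first input is the scanner's payload reproduced as a constructed string; the second is a benign document.

```php
<?php
// Added example, not DVWA code: parsing XML from a client without honouring any
// DTD, so a SYSTEM entity such as file:///etc/passwd can never be resolved.
// The first document is the scanner's payload, reproduced as a constructed string.
declare(strict_types=1);

$payload = <<<'XML'
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE creds [
  <!ELEMENT user ANY >
  <!ELEMENT pass ANY >
  <!ENTITY user SYSTEM 'file:///etc/passwd'>
]>
<creds><user>&user;</user><pass>&user;</pass></creds>
XML;

$benign = "<?xml version='1.0'?><creds><user>alice</user><pass>s3cret</pass></creds>";

function parseUntrustedXml(string $xml): DOMDocument
{
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8 the external entity loader is enabled by default.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);   // no warnings leaking to output
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately NOT set: entity references stay
        // unexpanded and external DTDs are never fetched.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            throw new InvalidArgumentException('malformed XML');
        }
        // A DOCTYPE is the only place an entity can be declared, so refusing
        // any document that carries one closes the whole class of attacks.
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('documents with a DTD are not accepted');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

foreach (['payload' => $payload, 'benign' => $benign] as $label => $xml) {
    try {
        $doc  = parseUntrustedXml($xml);
        $user = $doc->getElementsByTagName('user')->item(0)->textContent;
        echo "$label: parsed, user=$user\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The payload is rejected before any element content is read; the benign document parses normally. Because LIBXML_NOENT is never passed, even a document that somehow reached the content stage would keep "&user;" as an unexpanded entity reference rather than the contents of /etc/passwd.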


2.7 COMMANDINJECTION

2.7.1 What is this?
Command injection is a vulnerability caused by a web application passing data from an untrusted source into a system command without proper validation. With this vulnerability an attacker can execute arbitrary system commands with the privileges of the webserver process, which can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))".

How to fix
Every user input has to be validated by the web application before it is used. Untrusted input must not be passed to functions like exec(), system(), shell_exec() or passthru() without a strict check, ideally against an allowlist of the expected format (for a ping endpoint: a valid IP address and nothing else). Where a command has to be built, pass the arguments as an array (proc_open() with an argv array) so that no shell interprets them, or, if a shell command string is unavoidable, wrap each argument in escapeshellarg().

Recommendations
https://wiki.crashtest-security.com/command-injection
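An added example (not DVWA code) of the two controls named in the fix above for a "ping this host" handler: strict validation of the parameter and execution through an argument vector instead of a shell command line. The inputs are constructed; the injection probes are illustrative rather than the scanner's exact payload. proc_open() with an array command requires PHP 7.4 or later, and the final two lines actually execute ping, so their output depends on the machine.

```php
<?php
// Added example, not DVWA code: a "ping this host" handler that never lets the
// client value reach a shell. Inputs below are constructed for the demonstration.
declare(strict_types=1);

// 1. Vulnerable (DVWA "low"): the value is concatenated into a shell command line.
//    "127.0.0.1; id" makes the shell run ping and then id.
function vulnerableCommandLine(string $ip): string
{
    return 'ping -c 1 ' . $ip;      // would be passed to shell_exec()
}

// 2. Control one: validate the input against the only format the feature needs.
//    filter_var() accepts IPv4/IPv6 literals and nothing else, so the result can
//    never start with "-" (option injection) or contain shell metacharacters.
function validateIp(string $ip): ?string
{
    $valid = filter_var(trim($ip), FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

// 3. Control two: build an argument vector instead of a command string. With an
//    array, proc_open() (PHP >= 7.4) execs the binary directly and no shell ever
//    parses the arguments, so even an unexpected character has no meaning.
function pingArgv(string $ip): ?array
{
    $validated = validateIp($ip);
    return $validated === null ? null : ['ping', '-c', '1', $validated];
}

// Fallback when a shell string is unavoidable: quote each argument.
function pingShellString(string $ip): ?string
{
    $validated = validateIp($ip);
    return $validated === null ? null : 'ping -c 1 ' . escapeshellarg($validated);
}

function runPing(string $ip): string
{
    $argv = pingArgv($ip);
    if ($argv === null) {
        return 'rejected: ' . json_encode($ip);
    }
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'could not start ping';
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return "exit $code: " . trim($out);
}

$inputs = ['127.0.0.1', '::1', '127.0.0.1; id', '$(id)', '127.0.0.1 -c 100000'];
foreach ($inputs as $input) {
    printf("%-24s vulnerable: %-30s argv: %s\n",
        json_encode($input),
        vulnerableCommandLine($input),
        json_encode(pingArgv($input)));
}
echo pingShellString('127.0.0.1'), "\n";
echo runPing('127.0.0.1'), "\n";
echo runPing('127.0.0.1; id'), "\n";
```

Only the two IP literals produce an argv; the three probes are rejected before anything is executed. Note that validation alone would also have stopped these inputs, and the argv form alone would have neutralised them; using both means a bug in either one is not immediately fatal.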


2.8 FUZZER

2.8.1 What is this?
Fuzzing (also called robustness testing, fuzz testing or negative testing) is a software testing technique that feeds random or pre-defined data to a program as input. The random data simulates later use, in which not only plausible data has to be processed. In this case the fuzzer is looking for publicly reachable default paths through which attackers could gain access to the system. Such default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data directly or give an attacker information with which to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix
In some cases it is completely fine to expose certain paths, as long as it happens on purpose. Others are exposed unintentionally. Such paths can either be protected by Basic Auth (.htaccess) or removed, as they are usually not needed in a production environment. Of the paths above, the exposed ".git/" directory deserves immediate attention: a reachable repository directory typically allows the complete source code, including any configuration or credentials in the history, to be reconstructed. "phpinfo.php" and "php.ini" reveal the exact PHP configuration, "config/" holds the database credentials, and "setup.php" can re-initialise the application. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this?
SQL injection refers to the exploitation of a vulnerability in the way an application builds SQL queries, caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject their own database commands through the application, which has access to the database. As the input is not handled correctly, the injected text changes the original SQL command and therefore alters its result in favour of the attacker. With a successful attack the attacker is able to read data, modify it or delete it altogether, and in some configurations gain control over the server. The attacker has different ways to confirm the vulnerability: for example, query results can be inferred from response times (time-based blind), from error messages (error-based) or from differences in the page content between a true and a false condition (boolean-based blind), which is the technique used here.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)
Impact: medium (5.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that they may retrieve, change or delete data.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: never build SQL text from user input. Use parameterised queries ("prepared statements"): the query contains placeholders for the user's values, and the values are bound separately, so the database never parses them as SQL. Most frameworks and object-relational mapping libraries do this for you when used as intended. Escaping individual characters is a last resort for the rare case where a value cannot be bound (for example a column or table name), and such values should then be checked against an allowlist rather than escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections
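An added example (not DVWA code) that runs the boolean-based blind probe described in 2.9.1 against both a concatenated query and the prepared statement recommended above. It uses an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension; the table, rows and probe strings are constructed for the demonstration.

```php
<?php
// Added example, not DVWA code: the boolean-based blind probe the scanner used,
// run against a concatenated query and against a prepared statement. Uses an
// in-memory SQLite database (pdo_sqlite); table and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1,'admin','admin'), (2,'Gordon','Brown'), (3,'Hack','Me')");

// 1. Vulnerable (DVWA "low"): the id parameter is spliced into the SQL text.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Fixed: the SQL text is fixed at prepare time; the value travels separately
//    and can never be parsed as SQL, whatever it contains.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Boolean-based blind detection, the way the scanner (and sqlmap) does it: send
// one condition that is true and one that is false and compare the responses.
// Any difference means the database evaluated the injected condition.
$probes = [
    'baseline'   => '1',
    'true cond'  => "1' AND 1=1 -- ",
    'false cond' => "1' AND 1=2 -- ",
];

function isInjectable(callable $lookup, array $probes): bool
{
    $whenTrue  = $lookup($probes['true cond']);
    $whenFalse = $lookup($probes['false cond']);
    return $whenTrue !== $whenFalse;
}

foreach (['vulnerable' => 'lookupVulnerable', 'prepared' => 'lookupPrepared'] as $label => $fn) {
    $lookup = fn(string $id): array => $fn($db, $id);
    foreach ($probes as $name => $id) {
        printf("%-10s %-10s -> %s\n", $label, $name, json_encode($lookup($id)));
    }
    printf("%-10s injectable: %s\n\n", $label, isInjectable($lookup, $probes) ? 'yes' : 'no');
}
```

Against the concatenated query the "true" probe returns the admin row and the "false" probe returns nothing, which is exactly the difference the scanner reports. Against the prepared statement both probes return an empty result because the whole string is compared as a literal user_id, so there is no signal to exploit.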


2.10 SSL/TLS

2.10.1 What is this?
Transport Layer Security (TLS), still widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card numbers cannot be read by someone observing the network traffic. The "S" in HTTPS stands for "Secure"; the protocol underneath is TLS. For a secure connection with HTTPS a certificate is needed. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates and protocol settings. With some misconfigurations it is possible to bypass the encryption; other certificates are blocked by web browsers because they are outdated or issued by an unknown authority.

2.10.2 TLS Key Size
Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size which results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix
The key of the certificate in use is too small and can be broken with feasible effort; browsers and public certificate authorities stopped accepting 1024-bit RSA keys years ago. Generate a new private key of at least 2048 bits (RSA) or use an ECDSA key on the P-256 curve, and have a new certificate issued for it. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4
Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known biases in its keystream.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
RC4 is considered insecure and its use in TLS is prohibited by RFC 7465. Remove all RC4 cipher suites from the server's cipher list and rely on AEAD suites (AES-GCM or ChaCha20-Poly1305) instead. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version
Severity

Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions that can no longer be considered secure. Use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver offers deprecated SSL/TLS versions, and its configuration needs to be changed so that only TLS 1.2 and TLS 1.3 are enabled (for Apache: "SSLProtocol -all +TLSv1.2 +TLSv1.3"). TLS 1.2 alone is acceptable where the server software does not support TLS 1.3 yet, which is the case for the Apache 2.4.7 found in 2.3.3. In addition, the server must be configured with strong, trusted certificates and strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation
Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) allow clients to verify that a server certificate has not been revoked.

Finding

• Neither CRL nor OCSP URI provided.

How to fix
The certificate carries neither a CRL distribution point nor an OCSP responder URI, so a client has no way to learn that it has been revoked. CRLs and OCSP exist so that, if a certificate's private key is compromised, the certificate authority (CA) can revoke it; a new (valid) certificate is then issued and the compromised one, now in the attacker's hands, produces warnings in clients that check revocation. OCSP is the newer method: it lets a client ask about a single certificate instead of downloading a complete revocation list that may contain thousands of entries, and with OCSP stapling the server delivers the signed status response itself. Certificates without these extensions are typically self-signed or issued by a private CA. Obtain the certificate from a CA that includes them (all public CAs do), or configure the private CA to add the CRL distribution point and authority information access extensions, and enable OCSP stapling on the webserver. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes
Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to Logjam, an attack on the Diffie-Hellman key exchange when it uses 512- to 1024-bit groups. Most servers use the same few pre-generated primes, so an attacker who has done the (expensive, one-time) precomputation for one of these common primes can break every key exchange that uses it far more cheaply.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000.

How to fix
Logjam attacks are prevented by disabling export-grade and other weak cipher suites, and by using a unique Diffie-Hellman group of at least 2048 bits or, better, preferring ECDHE key exchange. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW
Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support weak ciphers from the OpenSSL "LOW" class, such as DES, RC2 and RC4. This means that an attacker can downgrade a client to an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are offered by the server. You should use stronger ciphers.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, which means an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values, and the server should enforce its own order rather than the client's ("SSLHonorCipherOrder on" in Apache). More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header
Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser how its built-in XSS filter should handle reflected XSS attacks it detects. If this header is not configured, a detected attack may be rendered rather than blocked.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/.

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' so that XSS attacks detected by the browser are sanitised or blocked. Note that this header only ever affected the legacy XSS auditors of Internet Explorer, Edge and Chrome, which have since been removed; it is not a substitute for output encoding and a Content-Security-Policy, which are the controls that actually stop the reflected XSS reported in section 2.5.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST
Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialisation vectors of cipher block chaining (CBC) mode in SSLv3 and TLS 1.0, an attacker in a man-in-the-middle position can decrypt parts of the traffic and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports higher protocols TLSv1.1 and TLSv1.2 (likely mitigated).

How to fix
BEAST is prevented by ensuring that neither SSLv3 nor TLS 1.0 is offered, since those are the only versions with the predictable-IV weakness; modern clients additionally mitigate it on their side and negotiate TLS 1.2 where offered, which is why the finding is marked as likely mitigated. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE
Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support average-strength ciphers: SEED and the 128/256-bit CBC-mode ciphers (AES, CAMELLIA and ARIA). This means that an attacker may be able to make use of a weakened SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes ciphers that are no longer considered strong; CBC-mode suites in particular have a history of padding-oracle attacks (Lucky 13, POODLE). In the SSL/TLS configuration, prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange and set the cipher order accordingly; keep CBC suites only if legacy clients require them, and then only under TLS 1.2. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header
Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header prevents the browser from guessing ("sniffing") the MIME type of a response from its content. This protects against attacks where a malicious file is served with an unsuspicious MIME type and would otherwise be interpreted, for example, as script or HTML.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/.

How to fix
Set the X-Content-Type-Options header to 'nosniff' to prevent the browser from guessing MIME types based on file content. Make sure every response also carries a correct Content-Type header, since with nosniff the browser refuses to execute scripts or apply stylesheets that are served with a wrong type.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm
Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the algorithms used by the certificate has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
The certificate is signed with MD5, for which practical collision attacks exist; such a signature allows forged certificates, and all mainstream browsers reject MD5-signed certificates outright. Have the certificate re-issued with a SHA-256 (or stronger) signature; together with the 1024-bit key from 2.10.2, this means generating a new key and a new certificate. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header
Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins further resources such as scripts, images or stylesheets may be loaded, and whether inline script is allowed. This mitigates many XSS and other content-injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/.

How to fix
Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, as these re-enable exactly the inline injections the policy is meant to stop; where inline scripts are unavoidable, allow them individually by nonce or hash. Start with a restrictive policy delivered as Content-Security-Policy-Report-Only to find what breaks before enforcing it.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the page from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES/IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short (64-bit) block sizes, so different plaintext blocks are likely to collide (produce the same ciphertext block) once enough data has been observed. By observing the traffic for a longer period of time an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This sends only your origin instead of the full path in the Referer header when clicking on external links, keeps the full Referer for internal links, and sends it only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by client-side scripts. In case of a Cross-Site Scripting (XSS) attack an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by client-side scripts. In case of a Cross-Site Scripting (XSS) attack an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix
POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by client-side scripts. In case of a Cross-Site Scripting (XSS) attack an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high | CVE-2016-4072 | The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high | CVE-2016-4073 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high | CVE-2014-0185 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium | CVE-2018-1312 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium | CVE-2014-8109 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium | CVE-2015-3185 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium | CVE-2016-0736 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium | CVE-2016-2161 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


1.3 Findings Checklist

1.3.1 FILEINCLUSION

Severity | Finding | Noticed | Fixed
critical | Local File Inclusion: Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd" | ☐ | ☐

1.3.2 FINGERPRINTING

Severity | Finding | Noticed | Fixed
high | Fingerprint Web Application Framework: Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs) | ☐ | ☐
medium | Fingerprint Web Server: The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs) | ☐ | ☐

1.3.3 PORTSCAN

Severity | Finding | Noticed | Fixed
informational | Portscanner: Found open port "80/tcp" with service name "Apache httpd" | ☐ | ☐
informational | Portscanner: Found open port "443/tcp" with service name "Apache httpd" | ☐ | ☐

1.3.4 SQLINJECTION

Severity | Finding | Noticed | Fixed
critical | SQL Injection: Found boolean-based blind sqlinjection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn | ☐ | ☐


critical | SQL Injection: Found boolean-based blind sqlinjection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE | ☐ | ☐

1.3.5 DESERIALIZATION

Severity | Finding | Noticed | Fixed
high | Insecure Deserialization: Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()" | ☐ | ☐

1.3.6 XSS

Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>' | ☐ | ☐


medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>' | ☐ | ☐

1.3.7 XXE

Severity | Finding | Noticed | Fixed
critical | XXE: Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>%26user;</user><pass>%26user;</pass></creds>" | ☐ | ☐

1.3.8 COMMANDINJECTION

Severity | Finding | Noticed | Fixed
critical | Command Injection: Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))" | ☐ | ☐

1.3.9 FUZZER

Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge | ☐ | ☐

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 6 of 54

DVWA - 24 Mar 20 2334 CET

Severity Finding Noticed Fixedmedium Sensitive Data Exposure Retrieved httpsdvwadev

crashtestcloudinstructionsphp by using a GET requeston the URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudphpinfophp by using a GET request onthe URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudphpini by using a GET request on theURL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudREADMEmd by using a GET request onthe URL without prior knowledge

2 2

medium Sensitive Data Exposure Retrieved httpsdvwadevcrashtestcloudsetupphp by using a GET request on theURL without prior knowledge

2 2

1.3.10 SSL/TLS

Severity | Finding | Noticed | Fixed

medium | TLS Key Size | The certificate key size is RSA 1024 bits | 2 | 2

medium | SSL RC4 | The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | 2 | 2

high | SSL Protocol Version | TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | 2 | 2

high | SSL Protocol Version | TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | 2 | 2

high | SSL Protocol Version | SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | 2 | 2

high | Certificate Revocation | Neither CRL nor OCSP URI provided | 2 | 2

low | SSL LOGJAM Common Primes | LOGJAM vulnerability detected: CVE-2015-4000 | 2 | 2

high | SSL Cipherlist LOW | Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher | 2 | 2

medium | X-XSS-Protection Header | The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL BEAST | VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) | 2 | 2

low | SSL Cipherlist AVERAGE | The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | 2 | 2

medium | X-Content-Type-Options Header | The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL Insecure Algorithm | Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | 2 | 2

medium | Content-Security-Policy Header | The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL Cipher Block Chaining TLS1 | BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | 2 | 2

medium | X-Frame-Options Header | The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

high | SSL Cipherlist 3DES IDEA | Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | 2 | 2

medium | SSL SWEET32 | 64 bit block ciphers are used which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | 2 | 2

high | SSL Trust | There is no subject alt name defined. Browsers are complaining | 2 | 2

high | SSL Trust | The CN or SAN in the certificate does not match the tested URL | 2 | 2

medium | Referrer-Policy Header | The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

low | SSL Cipher Block Chaining SSL3 | BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | 2 | 2

medium | Non Httponly Cookies | The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

low | SSL POODLE | The detected SSL version is vulnerable to SSL POODLE | 2 | 2

medium | SSL Cipher Order | There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | 2 | 2

medium | TLS Configuration | The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | 2 | 2

medium | Missing HSTS | HSTS is not offered by the server | 2 | 2

medium | Insecure Cookies | The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSL/TLS 7

2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this? 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this? 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this? 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this? 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this? 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this? 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this? 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this? 22
2.8.2 Sensitive Data Exposure 22
2.9 SQLINJECTION 24
2.9.1 What is this? 24
2.9.2 SQL Injection 24
2.10 SSL/TLS 26
2.10.1 What is this? 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51

2 Findings

2.1 DESERIALIZATION

2.1.1 What is this?
Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix
Do not pass untrusted serialized objects to the unserialize function.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization

2.2 FILEINCLUSION

2.2.1 What is this?
Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd"

How to fix
Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request the web application should check the whitelist to see whether the requested file is allowed for inclusion.

Recommendations
https://wiki.crashtest-security.com/file-inclusion

2.3 FINGERPRINTING

2.3.1 What is this?
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs.)

How to fix
Depending on the used application, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filename of included libraries like "jquery.3.2.1.min.js" or the documentation within a file, where the version number is stated within the first lines. While some information is required to be left within these files as part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by WordPress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file, so it needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage

2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs.)

How to fix
The amount of information a server is sharing can be set in its configuration files. Depending on the used webserver, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes it is recommended to restart or reload the webserver to activate the changes.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting

2.4 PORTSCAN

2.4.1 What is this?
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. This can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"

• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner

2.5 XSS

2.5.1 What is this?
Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications that allows an attacker to infect web pages with client-side scripts that are invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS can range from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'

How to fix
XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting

2.6 XXE

2.6.1 What is this?
XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will in some cases be resolved. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) declared in the XML document.

Recommendations
https://wiki.crashtest-security.com/xxe-processing

2.7 COMMANDINJECTION

2.7.1 What is this?
Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations
https://wiki.crashtest-security.com/command-injection

2.8 FUZZER

2.8.1 What is this?
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure

2.9 SQLINJECTION

2.9.1 What is this?
SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work the attacker has different ways to breach the system; for example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Your application is vulnerable to an SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind sqlinjection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind sqlinjection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they do not affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; when the input is bound into the query, the user's data is escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections

2.10 SSL/TLS

2.10.1 What is this?
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size which will result in weak encryption.

Finding

• The certificate key size is RSA 1024 bits

How to fix
The key used for the TLS connection is too small and can therefore be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size

2.10.3 SSL RC4
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks

How to fix
"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4

2.10.4 SSL Protocol Version
Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.5 Certificate Revocation
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to LOGJAM, an attack on the Diffie-Hellman key exchange. A man-in-the-middle can downgrade a DHE connection to export-grade 512-bit parameters, and because most servers reuse the same well-known pre-generated primes, the expensive precomputation for a group only has to be done once and can then be reused to break individual connections cheaply; 1024-bit common groups are considered within reach of well-resourced attackers.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000).

How to fix

Disable the DHE_EXPORT cipher suites, and either drop DHE suites in favour of ECDHE or generate a unique Diffie-Hellman group of at least 2048 bits (for example with openssl dhparam) and configure the webserver to use it instead of the built-in group. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server accepts cipher suites from the OpenSSL LOW class ("LOW:DES:RC2:RC4"): single DES, RC2 and RC4. These use 56- or 64-bit keys or, in the case of RC4, a keystream with known biases, so an attacker who can force or observe such a connection can recover plaintext.

Finding

• Low ciphers such as DES, RC2 and RC4 are offered by the server. A stronger cipher should be used.

How to fix

The list of supported HTTPS ciphers includes insecure suites that an attacker can negotiate. Remove the LOW class from the server's cipher list, restrict it to AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange, and make the server enforce its own cipher order so that a client cannot select a weaker suite that is still in the list. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header controls the reflected-XSS filter that some browsers ship. If the header is missing or misconfigured, an attack that the browser's filter detects may still be rendered instead of being sanitized or blocked.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-XSS-Protection header to '1' or '1; mode=block' so that attacks detected by the browser are sanitized or blocked. Note that current Chrome and Edge versions have removed this filter and Firefox never implemented one, so the header only helps older clients; the effective controls against XSS are context-aware output encoding in the application and a Content-Security-Policy (see 2.10.13).

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). In SSL 3.0 and TLS 1.0 the CBC initialization vector of each record is the last ciphertext block of the previous record and is therefore predictable. A man-in-the-middle who can make the victim's browser send chosen plaintext (for example through injected JavaScript) can exploit this to decrypt the connection byte by byte and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports higher protocols (TLSv1.1, TLSv1.2), so the attack is likely mitigated for modern clients.

How to fix

BEAST is prevented by no longer offering SSLv3 and TLSv1.0; TLS 1.1 and later use an explicit per-record IV. Modern browsers additionally split records (1/n-1) to blunt the attack, which is why the finding is marked as likely mitigated, but the server-side fix is to disable the affected protocol versions. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports cipher suites of only average strength: SEED and the 128/256-bit CBC-mode suites of AES, CAMELLIA and ARIA. They are not broken in the way the LOW class is, but CBC with MAC-then-encrypt has a history of padding-oracle attacks (POODLE, Lucky 13), and TLS 1.3 dropped all CBC suites in favour of AEAD ciphers.

Finding

• The server is configured to use average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes suites that an attacker can negotiate instead of the strong ones. Restrict the cipher list to AEAD suites (AES-GCM, ChaCha20-Poly1305), set the server preference order, and keep CBC suites only if a known legacy client population requires them. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from sniffing the MIME type of a response and overriding the declared Content-Type. Without it, a file that the application serves with a harmless type (for instance an uploaded image or text file that actually contains HTML or JavaScript) may be rendered as HTML or executed as script.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response so the browser does not derive the MIME type from the file content, and make sure the Content-Type header itself is correct, since nosniff makes the browser trust it.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server's certificate is signed with an algorithm that has severe security issues.

Finding

• Weak signature algorithm MD5 is used. SHA-256, SHA-384 or SHA-512 should be used instead.

How to fix

The signature algorithm is chosen by the issuing CA when the certificate is signed, so the certificate has to be reissued (or, for a self-signed certificate, regenerated) with a SHA-2 family signature. MD5 collisions allow forged certificates, and browsers reject MD5-signed certificates outright. Check the whole chain, since an intermediate certificate signed with MD5 or SHA-1 causes the same problem. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load resources such as scripts, images or stylesheets, and whether inline scripts and eval are allowed. A strict policy limits what an attacker can do with an injected payload and therefore reduces the impact of Cross-Site Scripting (XSS) and other content-injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that resources may only be loaded from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src (or in default-src when script-src is absent), because either one lets injected script run; move inline scripts into files or allow them with nonces or hashes instead. Add a frame-ancestors directive to control framing, and roll the policy out in Content-Security-Policy-Report-Only mode first to find resources it would break.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver allows connections with TLS 1.0 in Cipher Block Chaining (CBC) mode. Because TLS 1.0 chains the CBC initialization vector across records, the ciphertext contains predictable information that lets an attacker break the encryption with the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption.

How to fix

Disable TLS 1.0 (and SSLv3) on the webserver and offer only TLS 1.2 and TLS 1.3 with strong, preferably AEAD, cipher suites. More details on how to configure the protocol versions and cipher suites can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If the header is missing or misconfigured, the application can be embedded into third-party pages, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Frame-Options header to 'DENY' to forbid embedding altogether, or to 'SAMEORIGIN' to allow framing only by pages of the same origin. The 'ALLOW-FROM DOMAIN' value is not supported by current browsers; to allow specific third-party sites, use the Content-Security-Policy directive frame-ancestors instead, which takes precedence over X-Frame-Options where both are present.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports 3DES and IDEA cipher suites ("3DES:IDEA"). Both are 64-bit block ciphers, which makes long-lived connections vulnerable to the SWEET32 birthday attack (see 2.10.17), and 3DES offers only 112 bits of effective security.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. TLS 1.2 removed the single-DES and IDEA suites and TLS 1.3 removed 3DES as well. TLS 1.2 or TLS 1.3 with modern cipher suites should be used.

How to fix

The list of supported HTTPS ciphers includes insecure suites that an attacker can negotiate. Remove 3DES, IDEA and every other 64-bit block cipher from the cipher list and set the allowed ciphers and their order to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size. With such a small block, a collision between two ciphertext blocks of one connection becomes likely after roughly 2^32 blocks (about 32 GB) by the birthday bound, and each collision leaks the XOR of the two corresponding plaintext blocks. An attacker who can keep a connection alive and trigger a large number of requests (for instance with JavaScript running in the victim's browser) can use this to recover secret HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 is prevented by removing all 64-bit block ciphers (3DES, IDEA, DES, RC2) from the cipher list and relying on 128-bit block ciphers such as AES, or on ChaCha20. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers show warnings or refuse to connect when they cannot validate the certificate. Validation fails if the name in the certificate does not match the webserver's domain, if the certificate is self-signed, or if it was not issued by a CA in the client's trust store.

Finding

• There is no subject alternative name (SAN) defined; browsers complain.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that served it. A trusted certificate must carry the exact hostname of the web application in the subjectAltName extension (browsers no longer fall back to the common name, so the CN alone is not enough), must be signed by a certificate authority (CA) that the users' browsers trust, and must be presented together with any intermediate certificates on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates
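The checks behind findings 2.10.5 (no CRL or OCSP URI) and 2.10.18 (no SAN, CN/SAN mismatch, self-signed certificate) can be reproduced against the dict that Python's getpeercert() returns. The script below is an added example and is neither part of this report nor of the Crashtest toolchain; the two sample certificates, the issuer name and the OCSP/CRL URIs in them are constructed, and the hostname-matching rules are the browser rules stated in the docstring rather than a complete RFC 6125 implementation.

```python
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). Neither is the real DVWA certificate: WEAK_CERT
# reproduces the report's findings (self-signed, no SAN, no CRL/OCSP URI, name
# mismatch), GOOD_CERT shows what a CA-issued certificate for the host looks like.
WEAK_CERT: Dict = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Mar 10 00:00:00 2020 GMT",
    "notAfter": "Mar 10 00:00:00 2021 GMT",
}
GOOD_CERT: Dict = {
    "subject": ((("commonName", "dvwa.dev.crashtest.cloud"),),),
    "issuer": ((("organizationName", "Example CA"),),),  # hypothetical issuer
    "subjectAltName": (("DNS", "dvwa.dev.crashtest.cloud"), ("DNS", "*.dev.crashtest.cloud")),
    "OCSP": ("http://ocsp.example-ca.test/",),  # hypothetical URIs
    "crlDistributionPoints": ("http://crl.example-ca.test/ca.crl",),
    "notBefore": "Mar 10 00:00:00 2020 GMT",
    "notAfter": "Mar 10 00:00:00 2021 GMT",
}
SCAN_TIME = ssl.cert_time_to_seconds("Mar 24 23:34:00 2020 GMT")  # approx. report time


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style matching of a CN or SAN dNSName against a hostname.

    Case-insensitive; a wildcard is accepted only as the whole left-most label,
    matches exactly one label, and needs at least two labels after it, so
    '*.cloud' never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def subject_common_name(cert: Dict) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_certificate(cert: Dict, hostname: str, now: float) -> List[str]:
    """Return the trust and revocation problems of a getpeercert()-style dict."""
    findings: List[str] = []
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        findings.append("SELF_SIGNED")
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        names = san_dns
    else:
        findings.append("NO_SAN")  # browsers ignore the CN, so this alone breaks trust
        cn = subject_common_name(cert)
        names = [cn] if cn else []
    if not any(dns_name_matches(name, hostname) for name in names):
        findings.append("NAME_MISMATCH")
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        findings.append("NO_REVOCATION_INFO")  # neither AIA/OCSP nor CRL DP extension
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("NOT_YET_VALID")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("EXPIRED")
    return findings


def fetch_peer_cert(hostname: str, port: int = 443) -> Dict:
    """Fetch the live certificate with full verification (needs network access).

    A self-signed or mismatched certificate raises ssl.SSLCertVerificationError,
    which is the 'SSL Trust' finding in itself. Verification is deliberately left
    on: with CERT_NONE, getpeercert() returns an empty dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python cert_audit.py host  -> audit the live certificate
        host = sys.argv[1]
        print(host, audit_certificate(fetch_peer_cert(host), host, time.time()))
    else:  # no argument: run the constructed sample that mirrors the report
        host = "dvwa.dev.crashtest.cloud"
        print(host, audit_certificate(WEAK_CERT, host, SCAN_TIME))
```

Run without arguments the sample reproduces the report's two findings plus the self-signed and revocation observations; with a hostname it audits the certificate actually served, and a verification error from fetch_peer_cert() already tells you the browser will not trust it.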

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much information about the referring page is sent in the Referer header when the user follows a link or a resource is loaded. A missing or misconfigured policy may leak sensitive information (such as tokens or identifiers in the URL path or query string) to the third-party websites reached by the link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a safe value such as 'strict-origin-when-cross-origin': the full URL is kept as Referer for same-origin requests, only the origin is sent to other sites, and nothing is sent when the connection is downgraded from HTTPS to HTTP. 'no-referrer' is the stricter choice if the application does not rely on the Referer at all.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver allows connections with SSL 3.0 in Cipher Block Chaining (CBC) mode. Because SSL 3.0 chains the CBC initialization vector across records, the ciphertext contains predictable information that lets an attacker break the encryption with the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption.

How to fix

The webserver still offers SSL 3.0, which is obsolete and also affected by POODLE (see 2.10.22). Disable SSLv3 (and TLS 1.0) and accept only TLS 1.2 and TLS 1.3 with strong cipher suites. More details on how to disable deprecated protocol versions can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by script running in the page through document.cookie. In case of a Cross-Site Scripting (XSS) attack the attacker can read these cookies and, for a session cookie, take over the user's session.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly attribute on every cookie that script does not need to read; for session cookies such as PHPSESSID this is essential. In PHP the session cookie attributes are controlled by session.cookie_httponly and session.cookie_secure in php.ini or via session_set_cookie_params(). Combine HttpOnly with the Secure attribute (see 2.10.26) so the cookie can neither be read by script nor be sent over plain HTTP. More details on how to set these two attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). SSL 3.0 does not cover the CBC padding with the MAC, so a man-in-the-middle who forces the client to fall back to SSL 3.0 can use the server as a padding oracle and decrypt parts of the encrypted connection, for example a session cookie, one byte at a time.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE is prevented by disabling SSL 3.0 on the server. Supporting TLS_FALLBACK_SCSV in addition stops attackers from forcing clients that send it into a downgrade to an older protocol that is still enabled, but it does not protect clients that do not implement it, so the protocol itself has to be removed. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server either has no cipher order set or its order contains an insecure cipher. Without a server-enforced order, the client's preference decides which suite is negotiated, so a client (or an attacker impersonating one) can pick the weakest suite the server still offers.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, enforced by the server, to prevent clients from selecting weaker ciphers while stronger ones are available.

How to fix

Configure the allowed ciphers from strongest to weakest and make the server enforce that order (SSLHonorCipherOrder on in Apache httpd, ssl_prefer_server_ciphers on in nginx). Note that TLS 1.3 has its own small set of AEAD suites and does not use this list. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The SSL/TLS configuration is inconsistent. SSL/TLS encrypts the traffic between the web application and a user's browser to prevent eavesdropping, and a server that negotiates something other than what it advertises indicates that the protocol and cipher settings are not under control.

Finding

• The cipher that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC) could not be found in the list of ciphers that the server advertised (matching cipher in list missing).

How to fix

Review the protocol and cipher settings of the global configuration and of every virtual host so that the server only negotiates suites it is meant to offer. The negotiated suite also uses a 1024-bit Diffie-Hellman group and CBC mode; prefer ECDHE with AEAD suites, or at least configure a 2048-bit DH group (see 2.10.6). The certificate presented with the new configuration must remain valid and trusted. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration
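The TLS findings above (LOW and AVERAGE cipher lists, 3DES/IDEA, SWEET32, BEAST/CBC, POODLE, cipher order and the inconsistent negotiated suite) come down to three server-side settings: the minimum protocol version, the cipher list and the server-preference flag. The following script is an added example, not configuration from the report or its knowledge base; it uses Python's ssl module as a stand-in for an Apache or nginx configuration, the cipher string is a generic modern profile, and the SCANNED_SUITES entries are constructed to approximate the suite classes the scanner reported, with the non-name fields assumed.

```python
import ssl
from typing import Dict, List

# Modern profile: ECDHE key exchange for forward secrecy and AEAD ciphers only.
# DHE suites are left out so that the 1024-bit DH group from finding 2.10.24 can
# never be negotiated; re-add "DHE+AESGCM" only together with load_dh_params()
# and a 2048-bit or larger group. (Assumption: a generic profile, not the wiki's.)
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv3/TLS1.0/1.1: POODLE, BEAST
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server-enforced cipher order (2.10.23)
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_reasons(cipher: Dict) -> List[str]:
    """Map one SSLContext.get_ciphers() entry to the report's finding classes."""
    reasons: List[str] = []
    enc = (cipher.get("symmetric") or "").lower()   # OpenSSL long name, e.g. aes-128-cbc
    if not enc:
        reasons.append("no encryption (eNULL)")
    if enc.startswith("rc4"):
        reasons.append("RC4 stream cipher (2.10.7 LOW)")
    if enc == "des-cbc" or enc.startswith("rc2"):
        reasons.append("56/64-bit key (2.10.7 LOW)")
    if enc.startswith(("des-", "rc2", "idea")):     # des-ede3-cbc is 3DES
        reasons.append("64-bit block cipher, SWEET32 (2.10.16/2.10.17)")
    if enc.endswith("-cbc"):
        reasons.append("CBC without AEAD (2.10.10/2.10.14)")
    if (cipher.get("digest") or "").lower() == "md5":
        reasons.append("MD5 MAC")
    if cipher.get("kea") == "kx-rsa":
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Flag everything in a context that the scanner's SSL/TLS checks would report."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocols allowed (minimum {ctx.minimum_version.name})")
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("no server cipher order")
    for cipher in ctx.get_ciphers():
        for reason in weak_reasons(cipher):
            findings.append(f"{cipher['name']}: {reason}")
    return findings


# Constructed entries in the get_ciphers() dict shape. DHE-RSA-AES256-SHA256 is the
# suite named in finding 2.10.24; the other three stand for the RC4, 3DES and AEAD
# classes the report discusses. Fields other than the name are assumed.
SCANNED_SUITES = [
    {"name": "RC4-MD5", "symmetric": "rc4", "digest": "md5", "kea": "kx-rsa", "aead": False},
    {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc", "digest": "sha1", "kea": "kx-rsa", "aead": False},
    {"name": "DHE-RSA-AES256-SHA256", "symmetric": "aes-256-cbc", "digest": "sha256", "kea": "kx-dhe", "aead": False},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm", "digest": None, "kea": "kx-ecdhe", "aead": True},
]

if __name__ == "__main__":
    for suite in SCANNED_SUITES:
        print(suite["name"], "->", weak_reasons(suite) or "ok")
    print("hardened context ->", audit_context(hardened_server_context()) or "no findings")
```

audit_context() run on the hardened context returns nothing because every suite left after set_ciphers() is AEAD with ECDHE; run it on a context created with the defaults of your Python build to see which of the report's classes your platform still offers.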

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS tells the browser to use HTTPS for every future request to the host, which prevents downgrade attacks to an insecure HTTP connection and blocks click-through on certificate errors.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header on every HTTPS response, for example max-age=31536000; includeSubDomains, once the whole site (including subdomains, if they are included) works over HTTPS; the browser then refuses plain HTTP to the host for the given number of seconds. Start with a short max-age while testing, because a wrong policy cannot be revoked on clients until it expires. Depending on the certificate and the webserver, certain configurations have to be changed; more details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted connections. A man-in-the-middle who can trigger or observe a single plain-HTTP request to the host obtains the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the Secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure attribute on all cookies so the browser only sends them over HTTPS; for session cookies such as PHPSESSID this is mandatory, since one request to http:// (for example before an HSTS policy is in place) hands the session to a man-in-the-middle. Combine Secure with HttpOnly (see 2.10.21); in PHP both are controlled by session.cookie_secure and session.cookie_httponly. More details on how to set these two attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies
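Findings 2.10.8, 2.10.11, 2.10.13, 2.10.15, 2.10.19, 2.10.21, 2.10.25 and 2.10.26 are all properties of a single HTTP response and can be checked together. The checker below is an added example, not the scanner's own code: it parses a raw response and reports the same classes of finding. Both responses are constructed (the weak one mirrors the report's findings for https://dvwa.dev.crashtest.cloud, with a made-up session ID), and the one-year HSTS threshold is an assumption.

```python
import email.parser
from email.message import Message
from typing import Dict, List, Optional

HSTS_MIN_MAX_AGE = 31536000  # one year; assumption: the usual recommendation
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed responses. WEAK_RESPONSE reproduces the report's header and cookie
# findings; HARDENED_RESPONSE carries every header the report asks for.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Set-Cookie: security=low\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>DVWA</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"  # legacy header, see 2.10.8
    "Set-Cookie: PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: security=low; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>DVWA</body></html>"
)


def parse_headers(raw_response: str) -> Message:
    """Parse the header block of a raw response; repeated headers are preserved."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    return email.parser.Parser().parsestr(header_block, headersonly=True)


def csp_directives(policy: str) -> Dict[str, List[str]]:
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def hsts_max_age(value: str) -> Optional[int]:
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit_cookie(set_cookie: str) -> List[str]:
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"COOKIE_NOT_SECURE:{name}")      # 2.10.26
    if "httponly" not in attrs:
        findings.append(f"COOKIE_NOT_HTTPONLY:{name}")    # 2.10.21
    return findings


def audit_response(raw_response: str) -> List[str]:
    headers = parse_headers(raw_response)
    findings: List[str] = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("MISSING_HSTS")                   # 2.10.25
    elif (hsts_max_age(hsts) or 0) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS_SHORT_MAX_AGE")
    csp = csp_directives(headers.get("Content-Security-Policy") or "")
    if not csp:
        findings.append("MISSING_CSP")                    # 2.10.13
    else:  # script-src falls back to default-src when absent
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("CSP_UNSAFE_SCRIPT_SRC")
    if (headers.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("MISSING_NOSNIFF")                # 2.10.11
    xfo = (headers.get("X-Frame-Options") or "").strip().lower()
    if xfo not in {"deny", "sameorigin"} and "frame-ancestors" not in csp:
        findings.append("CLICKJACKING_NOT_PREVENTED")     # 2.10.15
    referrer = (headers.get("Referrer-Policy") or "").strip().lower()
    if not referrer:
        findings.append("MISSING_REFERRER_POLICY")        # 2.10.19
    elif referrer in LEAKY_REFERRER_POLICIES:
        findings.append("REFERRER_POLICY_LEAKS_URL")
    if headers.get("X-XSS-Protection") is None:
        findings.append("MISSING_X_XSS_PROTECTION")       # 2.10.8
    for set_cookie in headers.get_all("Set-Cookie") or []:
        findings.extend(audit_cookie(set_cookie))
    return findings


if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

To audit a real server, feed audit_response() the raw bytes of an HTTPS reply (decoded as Latin-1) captured with openssl s_client or curl -i; because the clickjacking check accepts frame-ancestors as an alternative to X-Frame-Options, it does not flag sites that already rely on CSP for framing control.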

2.11 Appendix

The entries below are matched on the version strings the server reveals (PHP 5.5.9, Apache 2.4.7). Distribution packages frequently backport fixes without changing the version number, so each CVE should be confirmed against the installed package's changelog before it is treated as exploitable.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

• high: CVE-2016-4072. The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

• high: CVE-2016-4073. Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

• high: CVE-2014-0185. sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

• medium: CVE-2018-1312. In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

• medium: CVE-2014-8109. mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

• medium: CVE-2015-3185. The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

• medium: CVE-2016-0736. In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

• medium: CVE-2016-2161. In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

• medium: CVE-2017-15715. In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

• low: CVE-2018-1283. In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

• medium: CVE-2018-17199. In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

• medium: CVE-2019-0217. In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

• medium: CVE-2019-0220. A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

• medium: CVE-2019-10092. In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

• medium: CVE-2019-10098. In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

• medium: CVE-2015-3184. mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

• medium: CVE-2016-8743. Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

• medium: CVE-2017-15710. In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

• medium: CVE-2014-3523. Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

• medium: CVE-2014-0117. The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per the vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non HttpOnly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


Severity | Finding | Noticed | Fixed
critical | SQL Injection: Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE | ☐ | ☐

1.3.5 DESERIALIZATION

Severity | Finding | Noticed | Fixed
high | Insecure Deserialization: Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()" | ☐ | ☐

1.3.6 XSS

Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>' | ☐ | ☐
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>' | ☐ | ☐

1.3.7 XXE

Severity | Finding | Noticed | Fixed
critical | XXE: Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>" | ☐ | ☐

1.3.8 COMMANDINJECTION

Severity | Finding | Noticed | Fixed
critical | Command Injection: Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))" | ☐ | ☐

1.3.9 FUZZER

Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge | ☐ | ☐
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge | ☐ | ☐

1.3.10 SSL/TLS

Severity | Finding | Noticed | Fixed
medium | TLS Key Size: The certificate key size is RSA 1024 bits | ☐ | ☐
medium | SSL RC4: The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | ☐ | ☐
high | SSL Protocol Version: TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
high | SSL Protocol Version: TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
high | SSL Protocol Version: SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | ☐ | ☐
high | Certificate Revocation: Neither CRL nor OCSP URI provided | ☐ | ☐
low | SSL LOGJAM Common Primes: LOGJAM vulnerability detected, CVE-2015-4000 | ☐ | ☐
high | SSL Cipherlist LOW: Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher | ☐ | ☐
medium | X-XSS-Protection Header: The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL BEAST: VULNERABLE, but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) | ☐ | ☐
low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA) which are deprecated | ☐ | ☐
medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL Insecure Algorithm: Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | ☐ | ☐
medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
medium | SSL Cipher Block Chaining TLS1: BEAST TLS1. The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | ☐ | ☐
medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | ☐ | ☐
medium | SSL SWEET32: 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | ☐ | ☐
high | SSL Trust: There is no subject alt name defined. Browsers are complaining | ☐ | ☐
high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | ☐ | ☐
medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
low | SSL Cipher Block Chaining SSL3: BEAST SSL3. The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | ☐ | ☐
medium | Non Httponly Cookies: The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud | ☐ | ☐
low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | ☐ | ☐
medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | ☐ | ☐
medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | ☐ | ☐
medium | Missing HSTS: HSTS is not offered by the server | ☐ | ☐
medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud | ☐ | ☐


Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSL/TLS 7

2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this 22
2.8.2 Sensitive Data Exposure 22
2.9 SQLINJECTION 24
2.9.1 What is this 24
2.9.2 SQL Injection 24
2.10 SSL/TLS 26
2.10.1 What is this 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix
Do not pass untrusted serialized objects to the unserialize() function.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd"

How to fix
Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request the web application should check the whitelist to see if the requested file is allowed for inclusion.

Recommendations
https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker gets valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application used, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filename of included libraries, like "jquery.3.2.1.min.js", or the documentation within a file where the version number is stated within the first lines. While some information is required to be left within these files as a part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by Wordpress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file, so it needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server is sharing can be set in its configuration files. Depending on the webserver used, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes it is recommended to restart or reload the webserver to activate them.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any other open ports except port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications by which an attacker infects web pages with client-side scripts that are invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>'

How to fix
XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this
XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then executed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations
https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations
https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work, the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; while binding the input to the query, the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections


210 SSLTLS

2101 What is thisTransport Layer Security (TLS) more widely known by its predecessor Secure Sockets Layer(SSL) is a hybrid encryption protocol for secure data transmission over the Internet It encryptsthe communication between server and client The most obvious part of it is HTTPS with whichproviders can secure all communications between their servers and web browsers This en-sures that valuable information like usernames passwords and credit card information cannotbe stolen by someone analyzing the network traffic The ldquoSrdquo in HTTPS stands for SSL For secureconnection with HTTPS a certificate is needed Those certificates offer different levels of secu-rity and have a fixed start- and expiration-date To ensure a secure connection webservers mustuse well configured certificates With some misconfigured certificates it is possible to bypassthe encryption others may be blocked by web browsers because they are outdated or unknown

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection depends heavily on the size of the keys involved. The server presents a certificate whose public key is too small to resist a well-funded attacker.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The key in the server certificate is too small and can be factored with realistic resources; publicly trusted CAs stopped issuing certificates for 1024-bit RSA keys in 2014 and modern clients treat them as weak. Because the key size is a property of the key pair, the fix is to generate a new private key of at least 2048 bits (or an ECDSA P-256 key), request a new certificate for it and replace the old one; the existing certificate cannot be "upgraded" in place. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure because of statistical biases in its keystream; these allow an attacker to recover plaintext that is encrypted many times under different keys, such as a session cookie. RFC 7465 prohibits RC4 in TLS.

Finding

• The detected cipher suite uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

Remove all RC4 cipher suites from the server configuration and replace them with authenticated-encryption suites such as AES-GCM or ChaCha20-Poly1305. RC4 was for a while recommended as the only non-CBC option for TLS 1.0; removing it is one more reason to disable the deprecated protocol versions at the same time (see 2.10.4). More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions (SSLv3: exploitable CBC padding, see 2.10.22; TLS 1.0: predictable CBC IVs, see 2.10.9; TLS 1.0 and 1.1: MD5/SHA-1 based key derivation and signatures) that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The web server offers deprecated SSL/TLS versions and must be reconfigured to accept TLS 1.2 and TLS 1.3 only (in Apache this is controlled by the SSLProtocol directive). Disabling the old versions removes a whole class of downgrade and padding-oracle attacks at once, so it should be done before tuning individual cipher suites; afterwards the server should offer only strong cipher suites and present a trusted certificate. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate carries no revocation information. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are how a client verifies that a certificate, although validly signed, has not been withdrawn by its issuer.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

If the private key of a certificate is compromised, the certificate authority (CA) revokes the certificate, issues a replacement and publishes the revocation, so that the compromised certificate produces a warning in the user's browser should an attacker present it. For this to work the certificate itself must tell clients where to look: the CRL Distribution Points and Authority Information Access (OCSP) extensions are set by the issuing CA and cannot be added to an existing certificate by the web server. A certificate without them (typically a self-signed or private-CA certificate) must therefore be reissued by a CA that publishes revocation data. OCSP is the newer method: it lets a client query the status of a single certificate instead of downloading a complete revocation list that may contain thousands of entries. Once the certificate carries an OCSP URI, the web server should additionally enable OCSP stapling so that the signed status response is delivered with the handshake. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to Logjam, an attack on the Diffie-Hellman key exchange with 512- to 1024-bit groups. A man-in-the-middle downgrades the connection to an export-grade 512-bit DHE suite, and because most servers use the same few pre-generated primes, an attacker who has precomputed against those primes can break individual key exchanges quickly and cheaply. The same precomputation is believed to be within reach of a nation-state budget for the widely shared 1024-bit groups.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

Logjam is prevented by disabling all export cipher suites and by not relying on small or shared Diffie-Hellman groups: either prefer ECDHE key exchange, or configure a unique, freshly generated DH group of at least 2048 bits. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support cipher suites from the OpenSSL groups "LOW", "DES", "RC2" and "RC4". These use 40- or 56-bit keys or ciphers with known breaks, so an attacker who can observe or force such a connection can decrypt it.

Finding

• Low-strength ciphers such as DES, RC2 and RC4 are offered by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS cipher suites includes insecure ones, which means that a client, or an attacker positioned between client and server, can end up with an SSL/TLS connection that is easy to break. In the SSL/TLS configuration, set the allowed cipher suites and their order to a current, secure list and remove the DES, RC2, RC4, export and NULL suites entirely. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser's built-in reflected-XSS filter how to handle an attack it detects. If the header is missing or misconfigured, an attack detected by the filter may still be executed.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or, better, '1; mode=block' so that a reflected attack detected by the browser is sanitised or the page is blocked entirely. Treat this as a legacy, defence-in-depth measure only: the filter it controls has been removed from current Chromium-based browsers and was never implemented in Firefox, so a Content-Security-Policy (see 2.10.13) is the effective control against cross-site scripting.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS, CVE-2011-3389). SSLv3 and TLS 1.0 use the last ciphertext block of one CBC record as the initialisation vector of the next, which makes the IV predictable; an attacker in a man-in-the-middle position who can also make the victim's browser issue chosen requests can use this to decrypt parts of the stream and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports the higher protocols TLSv1.1 and TLSv1.2 (likely mitigated)

How to fix

BEAST is prevented by ensuring that neither SSLv3 nor TLS 1.0 is offered. Since modern clients negotiate TLS 1.2 and apply 1/n-1 record splitting, the practical risk today is low, but the deprecated protocol versions should still be disabled. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support "average" cipher suites: SEED and the 128/256-bit CBC-mode suites (AES, CAMELLIA and ARIA). These are not broken, but CBC-mode suites are the ones affected by padding-oracle and timing problems (POODLE, Lucky 13) and TLS 1.3 defines none of them, so a client that negotiates one gets a weaker connection than it could.

Finding

• The server is configured to use average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

Prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange, order them first, and drop SEED, CAMELLIA and ARIA, which current browsers do not negotiate anyway. CBC suites may be kept at the end of the list only if legacy clients require them. In the SSL/TLS configuration the allowed cipher suites and their order should be set to match secure values; more details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from guessing ("sniffing") the MIME type of a response from its content instead of trusting the declared Content-Type. This protects against attacks in which a file with a harmless declared type, for example an uploaded image, is interpreted as HTML or script.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response so that the browser honours the declared Content-Type. Make sure the declared types are correct: with the header set, scripts and stylesheets whose Content-Type does not match are refused.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate is signed with a hash algorithm that has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

Practical collision attacks on MD5 have existed since 2004, and in 2008 researchers used them to forge a CA certificate; browsers have rejected MD5-signed certificates for years and reject SHA-1 signatures as well. The signature algorithm is chosen by the issuer, so the certificate must be reissued (or, if it is self-signed, regenerated) with SHA-256 or stronger. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser which origins it may load resources such as scripts, images or stylesheets from, and whether inline script is allowed. A restrictive policy stops many cross-site scripting (XSS) and injection attacks from running even when an injection flaw exists in the application.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, as they re-enable exactly the injected scripts the policy is meant to stop; use nonces or hashes for inline script that cannot be moved into files. Add a frame-ancestors directive as well, which is the modern replacement for X-Frame-Options (see 2.10.15).

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using TLS 1.0 with cipher suites in Cipher Block Chaining mode (CBC). Because TLS 1.0 derives the IV of each record from the previous ciphertext block, such connections contain predictable information that an attacker can use to break the encryption with the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) that allows man-in-the-middle attacks.

How to fix

Disable TLS 1.0 (and SSLv3); from TLS 1.1 on, each record carries an explicit random IV and the attack no longer applies. In addition, the server should be configured with strong cipher suites, preferring AEAD suites over CBC, and with a trusted certificate. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If it is not set, the application can be embedded into third-party pages, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent embedding altogether, or as 'SAMEORIGIN' to allow embedding only by pages of the same origin. The value 'ALLOW-FROM DOMAIN' is obsolete and ignored by current browsers; to allow specific third-party sites, use the Content-Security-Policy directive frame-ancestors instead.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL groups "3DES" and "IDEA"). Both are 64-bit block ciphers, which makes such connections susceptible to birthday attacks (see SWEET32, 2.10.17).

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS cipher suites includes insecure ones, which means that a client, or an attacker positioned between client and server, can end up with a weak SSL/TLS connection. In the SSL/TLS configuration, set the allowed cipher suites and their order to match secure values and remove all 3DES and IDEA suites. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers ciphers with a 64-bit block size. With such a small block, two ciphertext blocks encrypted under the same key are likely to collide after only about 2^32 blocks (32 GB) of traffic, and each collision leaks the XOR of two plaintext blocks. By keeping a connection open and observing it for a long time, an attacker can recover secrets that are sent repeatedly, such as HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 (CVE-2016-2183) is prevented by using cipher suites with a 128-bit block size (AES, CAMELLIA, ARIA) or a stream construction such as ChaCha20, and by removing all 3DES and IDEA suites. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers show warnings or refuse to connect if they cannot validate the certificate. Trust fails if the name in the certificate does not match the web server's domain, if the certificate is self-signed, or if it is not signed by a certificate authority the client trusts.

Finding

• There is no subject alternative name defined; browsers complain.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The certificate presented is not consistent with the domain that delivered it. A trusted certificate must list the exact host name (and any other names it is used for) in the subject alternative name (SAN) extension; current browsers match the host name only against the SAN and ignore the common name (CN), so a certificate with a correct CN but no SAN still fails. The certificate must be signed by a certificate authority (CA) that users' browsers trust, and the web server must be configured to present it, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates
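An added example, not part of this report and not the scanner's code, that applies the certificate checks of sections 2.10.2 (key size), 2.10.5 (revocation), 2.10.12 (signature algorithm) and 2.10.18 (trust and host name) to a certificate summary. The two certificate dictionaries are constructed: the first mirrors the findings above, the second is the target state; the issuing CA name and the revocation URLs in it are hypothet­ical placeholders. The field layout assumes the values were read off with openssl x509 -noout -text beforehand.

```python
from datetime import datetime, timezone

# Constructed certificate summaries in the shape of what `openssl x509 -noout
# -text` reports. WEAK_CERT mirrors the findings in this report (self-signed,
# RSA 1024, MD5 signature, no SAN, no revocation URIs); GOOD_CERT is what a
# correctly issued certificate for the same host would look like (the issuer
# name and the CRL/OCSP URLs are hypothetical placeholders).
WEAK_CERT = {
    "subject_cn": "dvwa.local",
    "issuer_cn": "dvwa.local",
    "key_type": "RSA", "key_bits": 1024,
    "sig_alg": "md5WithRSAEncryption",
    "san": [],
    "crl_uris": [], "ocsp_uris": [],
    "not_before": datetime(2019, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2029, 1, 1, tzinfo=timezone.utc),
}
GOOD_CERT = {
    "subject_cn": "dvwa.dev.crashtest.cloud",
    "issuer_cn": "Example Issuing CA",
    "key_type": "RSA", "key_bits": 2048,
    "sig_alg": "sha256WithRSAEncryption",
    "san": ["dvwa.dev.crashtest.cloud", "*.dev.crashtest.cloud"],
    "crl_uris": ["http://crl.example.test/ca.crl"],
    "ocsp_uris": ["http://ocsp.example.test"],
    "not_before": datetime(2020, 3, 1, tzinfo=timezone.utc),
    "not_after": datetime(2021, 3, 1, tzinfo=timezone.utc),
}
SCAN_TIME = datetime(2020, 3, 24, 23, 34, tzinfo=timezone.utc)

WEAK_SIGNATURE_PREFIXES = ("md2", "md4", "md5", "sha1")
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style matching: case-insensitive, and a wildcard is accepted
    only as the entire left-most label, matching exactly one label (so
    *.example.com covers a.example.com but not a.b.example.com or example.com,
    and a wildcard directly under a top-level label is refused)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] == "*":
        return len(host) == len(pat) and len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def check_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Return (code, detail) tuples for the certificate problems this report's
    SSL/TLS section flags. An empty list means the certificate passes."""
    issues = []
    min_bits = MIN_KEY_BITS.get(cert["key_type"], 2048)
    if cert["key_bits"] < min_bits:
        issues.append(("weak-key", f"{cert['key_type']} {cert['key_bits']} bits, need {min_bits}"))
    if cert["sig_alg"].lower().startswith(WEAK_SIGNATURE_PREFIXES):
        issues.append(("weak-signature", cert["sig_alg"]))
    if cert["subject_cn"] == cert["issuer_cn"]:
        issues.append(("self-signed", "issuer equals subject; no browser-trusted CA"))
    # Browsers match the host name against subjectAltName only; CN is ignored,
    # so a missing SAN is reported on its own and also causes a name mismatch.
    if not cert["san"]:
        issues.append(("no-san", "no subjectAltName extension"))
    if not any(hostname_matches(hostname, n) for n in cert["san"]):
        issues.append(("name-mismatch", f"{hostname} not covered by SAN {cert['san']}"))
    if not cert["crl_uris"] and not cert["ocsp_uris"]:
        issues.append(("no-revocation-info", "neither CRL distribution point nor OCSP URI"))
    if not cert["not_before"] <= now <= cert["not_after"]:
        issues.append(("not-valid-now",
                       f"valid {cert['not_before']:%Y-%m-%d} to {cert['not_after']:%Y-%m-%d}"))
    return issues


if __name__ == "__main__":
    for label, cert in (("weak", WEAK_CERT), ("good", GOOD_CERT)):
        print(label, check_certificate(cert, "dvwa.dev.crashtest.cloud", SCAN_TIME))
```

For the weak certificate the checker reports every finding from sections 2.10.2, 2.10.5, 2.10.12 and 2.10.18 at once; the good certificate passes, and fails only the name check when tested against a host it was not issued for, or the validity check after its expiry date.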


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL is sent in the Referer header when the user follows a link or the page loads a resource. A missing or permissive policy may leak sensitive information (paths, query parameters, tokens) to the third-party websites that are reached through those links.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin': the browser then sends only the origin (scheme and host) to other sites, keeps the full URL for same-origin navigation, and sends nothing at all when the connection is downgraded from HTTPS to HTTP. Use 'no-referrer' or 'same-origin' if even the origin must not be disclosed.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using SSL 3.0 with cipher suites in Cipher Block Chaining mode (CBC). Such connections contain predictable information that allows an attacker to break the encryption using the BEAST attack, and SSL 3.0's unverified CBC padding additionally exposes them to POODLE (see 2.10.22).

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) that allows man-in-the-middle attacks.

How to fix

The web server still offers the deprecated SSLv3 protocol and needs to be updated: disable SSLv3 (and TLS 1.0), and configure the server to use TLS 1.2 and TLS 1.3 with strong cipher suites and a strong, trusted certificate. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by scripts running in the page. In case of a cross-site scripting (XSS) attack, the injected script can read these cookies and send them to the attacker.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly flag on every cookie that does not have to be read by JavaScript. This is especially important for session cookies, where it turns an XSS flaw from immediate session theft into a much more limited attack; for the PHP session cookie it is the session.cookie_httponly setting. The Secure flag (see 2.10.26) should be enabled at the same time. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566). A man-in-the-middle first forces the client to fall back to SSL 3.0 and then uses SSL 3.0's unverified CBC padding as a padding oracle to decrypt data from the encrypted connection one byte at a time.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE is prevented by disabling SSLv3 entirely. Supporting TLS_FALLBACK_SCSV additionally stops clients that implement it from being downgraded by an attacker, but it does not protect clients that do not; a secure TLS configuration with SSLv3 removed is the actual fix. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is no cipher order for HTTPS cipher suites set, or the cipher order includes an insecure cipher. Without a server-side preference the client's order decides, so a client that lists a weak suite first, or an attacker who manipulates the client's offer, ends up with an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, enforced by the server, to prevent clients from using weaker ciphers when stronger ones are available.

How to fix

In the SSL/TLS configuration, set the allowed cipher suites in order from strongest to weakest and instruct the server to honour its own order rather than the client's (in Apache: SSLHonorCipherOrder on). Removing weak suites from the list altogether remains the primary control; the order only decides among the suites that are left. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order
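An added example, not part of this report and not the Crashtest Security scanner's code, that turns the cipher-suite and protocol findings of sections 2.10.3, 2.10.4, 2.10.6, 2.10.7, 2.10.9, 2.10.10, 2.10.14, 2.10.16, 2.10.17, 2.10.20, 2.10.22 and 2.10.23 into one classification of a cipher enumeration. The scan result below is constructed to resemble the server in this report (it is not the scanner's output), the suite names are OpenSSL's, and the weakness classes are the ones those sections name. The Diffie-Hellman group size and the server-order flag are assumed to have been observed during the enumeration, as tools such as testssl.sh report them.

```python
# Constructed cipher enumeration result in the shape tools such as testssl.sh
# or `nmap --script ssl-enum-ciphers` produce: OpenSSL suite names offered per
# protocol version, the Diffie-Hellman group size observed for DHE suites, and
# whether the server enforced its own cipher preference. The values mirror
# the findings in this report (SSLv3/TLS 1.0/1.1 on, RC4, 3DES, IDEA, SEED,
# an export suite, a 1024-bit DH group, no server cipher order).
SCAN = {
    "protocols": {
        "SSLv3":   ["DES-CBC3-SHA", "RC4-SHA", "RC4-MD5", "AES128-SHA", "EXP-RC2-CBC-MD5"],
        "TLSv1.0": ["DES-CBC3-SHA", "RC4-SHA", "AES128-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA"],
        "TLSv1.1": ["DES-CBC3-SHA", "AES128-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA"],
        "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                    "DHE-RSA-AES256-SHA256", "SEED-SHA", "IDEA-CBC-SHA",
                    "DES-CBC3-SHA", "RC4-SHA", "AES128-SHA256"],
    },
    "dh_bits": 1024,
    "server_cipher_order": False,
}

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify(suite: str, dh_bits: int) -> set:
    """Map an OpenSSL cipher-suite name to the weakness classes used in this
    report. An empty set means: forward secrecy, AEAD, nothing legacy."""
    tags = set()
    if "NULL" in suite:
        tags.add("null-encryption")
    if suite.startswith("EXP"):
        tags.add("export")                     # 40/56-bit export grade
    if "RC4" in suite:
        tags.add("rc4")                        # RFC 7465: prohibited in TLS
    if "RC2" in suite or "DES-CBC-" in suite:
        tags.add("low")                        # OpenSSL "LOW": single DES, RC2
    if "DES-CBC3" in suite or "IDEA" in suite:
        tags.add("64-bit-block")               # SWEET32 (CVE-2016-2183)
    if "SEED" in suite:
        tags.add("average")
    if suite.endswith("-MD5"):
        tags.add("md5-mac")
    if suite.startswith(("ADH-", "AECDH-")):
        tags.add("anonymous")                  # no server authentication at all
    elif suite.startswith(("DHE-", "EDH-")):
        if dh_bits < 2048:
            tags.add("weak-dh")                # Logjam (CVE-2015-4000)
    elif not suite.startswith(("ECDHE-", "TLS_")):
        tags.add("no-pfs")                     # static RSA key exchange
    aead = any(m in suite for m in AEAD_MARKERS)
    if not aead and "RC4" not in suite and "NULL" not in suite:
        tags.add("cbc")                        # MAC-then-encrypt CBC: BEAST/Lucky13 class
    return tags


def audit(scan: dict) -> dict:
    """Aggregate the protocol- and suite-level findings for a scan result."""
    findings = {}
    dh_bits = scan["dh_bits"]
    for proto in sorted(scan["protocols"]):
        suites = scan["protocols"][proto]
        has_cbc = any("cbc" in classify(s, dh_bits) for s in suites)
        if proto in DEPRECATED_PROTOCOLS:
            findings.setdefault("deprecated-protocol", []).append(proto)
        if proto == "SSLv3" and has_cbc:
            findings.setdefault("poodle", []).append(proto)      # CVE-2014-3566
        if proto in ("SSLv3", "TLSv1.0") and has_cbc:
            findings.setdefault("beast", []).append(proto)       # CVE-2011-3389
        for s in suites:
            for tag in classify(s, dh_bits):
                findings.setdefault(tag, set()).add(s)
    if not scan["server_cipher_order"]:
        findings["no-cipher-order"] = ["client preference wins: the weakest suite it offers is used"]
    return {k: sorted(v) for k, v in findings.items()}


def recommended(scan: dict) -> dict:
    """What is left after applying the fixes: current protocols only, and only
    suites with forward secrecy and authenticated encryption."""
    keep = {}
    for proto, suites in scan["protocols"].items():
        if proto in DEPRECATED_PROTOCOLS:
            continue
        ok = [s for s in suites if not classify(s, scan["dh_bits"])]
        if ok:
            keep[proto] = ok
    return keep


if __name__ == "__main__":
    for k, v in audit(SCAN).items():
        print(f"{k:20s} {v}")
    print("recommended:", recommended(SCAN))
```

Run against the constructed scan, audit() reproduces the report's findings (deprecated protocols, POODLE on SSLv3, BEAST on SSLv3 and TLS 1.0, RC4, 64-bit block ciphers, export and LOW suites, SEED, a 1024-bit DH group, no enforced cipher order) and recommended() leaves exactly the two ECDHE/AES-GCM suites on TLS 1.2. A DHE suite is only acceptable once the DH group is 2048 bits and the suite is AEAD, which is the combined fix for 2.10.6 and 2.10.24.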


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in the SSL/TLS setup. SSL/TLS is responsible for encrypting the traffic between the web application and the user's browser to prevent eavesdropping.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256 with a 1024-bit DH group, CBC mode; matching cipher in list missing) could not be found in the list of cipher suites the server advertised.

How to fix

A negotiated suite that is missing from the enumerated list usually means the server's configuration is inconsistent, for example different settings for different virtual hosts or for a front-end proxy. The 1024-bit Diffie-Hellman group seen in the handshake is itself too small (see 2.10.6). The web server needs to be configured with one consistent set of strong cipher suites, the newest TLS versions, DH parameters of at least 2048 bits, and strong, trusted certificates. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS instructs the browser to use HTTPS for all future requests to the site, which prevents downgrade attacks to an insecure HTTP connection and stops users from clicking through certificate warnings.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header on every HTTPS response with a max-age of at least one year (31536000 seconds) and, once every subdomain is served over HTTPS, the includeSubDomains directive. The header is only honoured when it is received over a valid HTTPS connection, so the certificate problems in 2.10.18 must be fixed first. Depending on the web server, certain configurations have to be changed; more details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts
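An added example, not part of this report, that checks the response-header findings of sections 2.10.11, 2.10.13, 2.10.15, 2.10.19 and 2.10.25 the way a scanner would, on two constructed response heads (neither is a real capture from the tested host). X-XSS-Protection (2.10.8) is deliberately not checked: the filter it controls has been removed from current browsers, so its absence is not treated as a defect here. The one-year minimum for max-age is an assumption taken from the common HSTS guidance, not from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed response heads. SCANNED carries the headers a stock DVWA on
# Apache 2.4.7 sends (none of the security headers from this report);
# HARDENED is the target state. Neither is a real capture.
SCANNED = """HTTP/1.1 200 OK
Date: Tue, 24 Mar 2020 22:34:00 GMT
Server: Apache/2.4.7
Set-Cookie: PHPSESSID=1a2b3c; path=/
Content-Type: text/html;charset=utf-8
"""

HARDENED = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html;charset=utf-8
"""

MIN_HSTS_MAX_AGE = 31536000        # one year: the usual minimum, and what preload requires
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Parse a response head (status line plus header lines) into a map of
    lower-cased header name to list of values; headers may repeat."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self' cdn.example" into a map of
    directive name to its source list (quotes stripped, lower-cased)."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return out


def audit_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (header, problem) pairs for the header findings in this report."""
    h = parse_head(raw)
    issues: List[Tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        issues.append(("strict-transport-security", "missing"))
    else:
        params = [p.strip().lower() for p in hsts[0].split(";")]
        m = re.search(r"max-age=\"?(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_MAX_AGE:
            issues.append(("strict-transport-security", f"max-age {age} is below {MIN_HSTS_MAX_AGE}"))
        if "includesubdomains" not in params:
            issues.append(("strict-transport-security", "includeSubDomains missing"))

    csp = h.get("content-security-policy")
    if not csp:
        issues.append(("content-security-policy", "missing"))
    else:
        d = csp_directives(csp[0])
        script = d.get("script-src", d.get("default-src", []))   # script-src falls back to default-src
        for bad in ("unsafe-inline", "unsafe-eval", "*"):
            if bad in script:
                issues.append(("content-security-policy", f"script-src allows {bad}"))
        if "frame-ancestors" not in d:
            issues.append(("content-security-policy", "no frame-ancestors directive"))

    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        issues.append(("x-content-type-options", "missing or not 'nosniff'"))

    xfo = h.get("x-frame-options")
    if not xfo:
        issues.append(("x-frame-options", "missing"))
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        issues.append(("x-frame-options", f"'{xfo[0]}' is not DENY/SAMEORIGIN (ALLOW-FROM is obsolete)"))

    rp = h.get("referrer-policy")
    if not rp or rp[0].lower() not in SAFE_REFERRER_POLICIES:
        issues.append(("referrer-policy", "missing or leaks the full URL cross-origin"))
    return issues


if __name__ == "__main__":
    print("scanned :", audit_headers(SCANNED))
    print("hardened:", audit_headers(HARDENED))
```

The checker does more than test for presence: it rejects an HSTS max-age below one year, a policy whose script-src (or the default-src it falls back to) permits inline or eval, an obsolete ALLOW-FROM frame option, and any Referrer-Policy value that still sends the full URL to other origins.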


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted connections. A man-in-the-middle who can make the browser issue a plain HTTP request to the site, for example through an injected link, obtains the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure flag on every cookie so that the browser sends it over HTTPS only; for the PHP session cookie this is the session.cookie_secure setting. Combine it with HttpOnly (see 2.10.21), and enable both on the session cookie in particular. HSTS (see 2.10.25) complements the flag by keeping the browser on HTTPS in the first place. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies
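An added example, not part of this report, that applies the cookie checks of sections 2.10.21 (HttpOnly) and 2.10.26 (Secure) to Set-Cookie header values, and goes beyond the scanner by also checking the SameSite attribute and the __Host-/__Secure- name prefixes. The cookie strings are constructed; the list of names treated as session cookies is a heuristic chosen for the example.

```python
from typing import Dict, List, Tuple

# Heuristic (an assumption of this example): cookies whose name contains one of
# these fragments are treated as session cookies, for which HttpOnly is required.
SESSION_COOKIE_HINTS = ("phpsessid", "jsessionid", "asp.net_sessionid", "session", "sid")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes without a value (Secure, HttpOnly) map to an empty string."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs: Dict[str, str] = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for a single Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite", "").lower()
    looks_like_session = any(h in name.lower() for h in SESSION_COOKIE_HINTS)
    issues: List[Tuple[str, str]] = []
    if not secure:
        issues.append(("no-secure", "sent over plain HTTP too; a man-in-the-middle can read it"))
    if not httponly and looks_like_session:
        issues.append(("no-httponly", "session cookie readable via document.cookie after XSS"))
    if not samesite:
        issues.append(("no-samesite", "no SameSite; browsers default to Lax, be explicit"))
    elif samesite == "none" and not secure:
        issues.append(("samesite-none-insecure", "SameSite=None is rejected without Secure"))
    # Name prefixes are enforced by the browser: a cookie violating them is dropped.
    if name.startswith("__Host-"):
        if not secure or attrs.get("path") != "/" or "domain" in attrs:
            issues.append(("prefix-violation", "__Host- needs Secure, Path=/ and no Domain"))
    elif name.startswith("__Secure-") and not secure:
        issues.append(("prefix-violation", "__Secure- needs Secure"))
    return issues


# Constructed examples: the cookie as this report observed it, and the same
# session cookie with the attributes set (for PHP: session.cookie_secure,
# session.cookie_httponly and session.cookie_samesite).
OBSERVED = "PHPSESSID=1a2b3c; path=/"
HARDENED = "PHPSESSID=1a2b3c; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for cookie in (OBSERVED, HARDENED):
        print(cookie, "->", audit_cookie(cookie))
```

The observed PHPSESSID cookie produces the two findings from this report plus the missing SameSite attribute; the hardened form produces none. The prefix checks matter because a cookie named __Host-… that lacks Path=/ or carries a Domain attribute is silently discarded by the browser, which looks like a login that never sticks rather than a security finding.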


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


Severity | Finding | Noticed | Fixed
medium | Cross-Site Scripting (XSS): Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>' | [ ] | [ ]

1.3.7 XXE

Severity | Finding | Noticed | Fixed
critical | XXE: Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>" | [ ] | [ ]

1.3.8 COMMANDINJECTION

Severity | Finding | Noticed | Fixed
critical | Command Injection: Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))" | [ ] | [ ]

1.3.9 FUZZER

Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge | [ ] | [ ]


Severity | Finding | Noticed | Fixed
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge | [ ] | [ ]
medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge | [ ] | [ ]

1.3.10 SSL/TLS

Severity | Finding | Noticed | Fixed
medium | TLS Key Size: The certificate key size is RSA 1024 bits | [ ] | [ ]
medium | SSL RC4: The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | [ ] | [ ]
high | SSL Protocol Version: TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
high | SSL Protocol Version: TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
high | SSL Protocol Version: SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | [ ] | [ ]
high | Certificate Revocation: Neither CRL nor OCSP URI provided | [ ] | [ ]
low | SSL LOGJAM Common Primes: LOGJAM vulnerability detected (CVE-2015-4000) | [ ] | [ ]
high | SSL Cipherlist LOW: Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher | [ ] | [ ]
medium | X-XSS-Protection Header: The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL BEAST: VULNERABLE, but the server also supports higher protocols TLSv1.1 and TLSv1.2 (likely mitigated) | [ ] | [ ]


Severity | Finding | Noticed | Fixed
low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | [ ] | [ ]
medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL Insecure Algorithm: The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | [ ] | [ ]
medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
medium | SSL Cipher Block Chaining TLS1: BEAST TLS1. The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | [ ] | [ ]
medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | [ ] | [ ]
medium | SSL SWEET32: 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | [ ] | [ ]
high | SSL Trust: There is no subject alt name defined. Browsers are complaining | [ ] | [ ]
high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | [ ] | [ ]
medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
low | SSL Cipher Block Chaining SSL3: BEAST SSL3. The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks | [ ] | [ ]
medium | Non HttpOnly Cookies: The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]
low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | [ ] | [ ]


Severity | Finding | Noticed | Fixed
medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | [ ] | [ ]
medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC; matching cipher in list missing) could not be found in the list of ciphers that the server advertised | [ ] | [ ]
medium | Missing HSTS: HSTS is not offered by the server | [ ] | [ ]
medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | [ ] | [ ]


Contents

1 Overview .... 2
  1.1 Vulnerability Overview .... 2
  1.2 Scanner Overview .... 3
    1.2.1 Status for executed Scanners .... 3
  1.3 Findings Checklist .... 4
    1.3.1 FILEINCLUSION .... 4
    1.3.2 FINGERPRINTING .... 4
    1.3.3 PORTSCAN .... 4
    1.3.4 SQLINJECTION .... 4
    1.3.5 DESERIALIZATION .... 5
    1.3.6 XSS .... 5
    1.3.7 XXE .... 6
    1.3.8 COMMANDINJECTION .... 6
    1.3.9 FUZZER .... 6
    1.3.10 SSL/TLS .... 7

2 Findings .... 12
  2.1 DESERIALIZATION .... 12
    2.1.1 What is this .... 12
    2.1.2 Insecure Deserialization .... 12
  2.2 FILEINCLUSION .... 13
    2.2.1 What is this .... 13
    2.2.2 Local File Inclusion .... 13
  2.3 FINGERPRINTING .... 14
    2.3.1 What is this .... 14
    2.3.2 Fingerprint Web Application Framework .... 14
    2.3.3 Fingerprint Web Server .... 16
  2.4 PORTSCAN .... 17
    2.4.1 What is this .... 17
    2.4.2 Portscanner .... 17
  2.5 XSS .... 18
    2.5.1 What is this .... 18
    2.5.2 Cross-Site Scripting (XSS) .... 18
  2.6 XXE .... 20
    2.6.1 What is this .... 20
    2.6.2 XXE .... 20
  2.7 COMMANDINJECTION .... 21
    2.7.1 What is this .... 21
    2.7.2 Command Injection .... 21
  2.8 FUZZER .... 22
    2.8.1 What is this .... 22
    2.8.2 Sensitive Data Exposure .... 22
  2.9 SQLINJECTION .... 24
    2.9.1 What is this .... 24
    2.9.2 SQL Injection .... 24
  2.10 SSL/TLS .... 26
    2.10.1 What is this .... 26
    2.10.2 TLS Key Size .... 26
    2.10.3 SSL RC4 .... 27
    2.10.4 SSL Protocol Version .... 28
    2.10.5 Certificate Revocation .... 29
    2.10.6 SSL LOGJAM Common Primes .... 30
    2.10.7 SSL Cipherlist LOW .... 31
    2.10.8 X-XSS-Protection Header .... 32
    2.10.9 SSL BEAST .... 33
    2.10.10 SSL Cipherlist AVERAGE .... 34
    2.10.11 X-Content-Type-Options Header .... 35
    2.10.12 SSL Insecure Algorithm .... 36
    2.10.13 Content-Security-Policy Header .... 37
    2.10.14 SSL Cipher Block Chaining TLS1 .... 38
    2.10.15 X-Frame-Options Header .... 39
    2.10.16 SSL Cipherlist 3DES IDEA .... 40
    2.10.17 SSL SWEET32 .... 41
    2.10.18 SSL Trust .... 42
    2.10.19 Referrer-Policy Header .... 43
    2.10.20 SSL Cipher Block Chaining SSL3 .... 44
    2.10.21 Non Httponly Cookies .... 45
    2.10.22 SSL POODLE .... 46
    2.10.23 SSL Cipher Order .... 47
    2.10.24 TLS Configuration .... 48
    2.10.25 Missing HSTS .... 49
    2.10.26 Insecure Cookies .... 50
  2.11 Appendix .... 51
    2.11.1 PHP 5.5.9 CVE Findings .... 51
    2.11.2 Apache 2.4.7 CVE Findings .... 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure deserialization is an attack in which a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized with attacker-chosen property values and the code attached to it (in PHP, magic methods such as __wakeup() and __destruct()) runs, which can result in SQL injection, path traversal, application denial of service and remote code execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()".

How to fix
Do not pass untrusted serialized objects to the unserialize() function.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization
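The following is an added example, not code from DVWA and not from the Crashtest Security knowledge base. It shows why a single class with a magic method makes unserialize() on request data dangerous, and the replacement the fix above implies: carry state as HMAC-authenticated JSON that is decoded to plain arrays, so no object is ever instantiated from user input. It assumes PHP 7.0 or later (the scanned host's PHP 5.5.9 is end of life and itself flagged in the appendix); the class, parameter and key names are illustrative.

```php
<?php
// Added example; not DVWA's code and not from the Crashtest Security knowledge
// base. Assumes PHP >= 7.0. Class, parameter and key names are illustrative.

// One class with a magic method is enough for an attacker: unserialize()
// rebuilds the object with attacker-chosen properties and PHP then runs
// __wakeup() (and later __destruct()) on it.
class CacheFile
{
    public $path = '/tmp/cache.tmp';
    public $contents = '';

    public function __wakeup()
    {
        // With $path = "/etc/passwd" from the payload this reads that file.
        $this->contents = @file_get_contents($this->path);
    }
}

// VULNERABLE: the attacker-controlled string decides the class and every property.
// Payload shape: O:9:"CacheFile":1:{s:4:"path";s:11:"/etc/passwd";}
function loadVulnerable($data)
{
    return unserialize($data);
}

// SAFE: never unserialize untrusted input. Carry state as JSON, authenticate
// it with an HMAC, and validate its shape before use.
const STATE_HMAC_KEY = 'replace-with-a-32-byte-random-secret'; // assumption: loaded from secure config

function encodeState(array $state)
{
    $json = json_encode($state);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, STATE_HMAC_KEY);
}

function decodeState($token)
{
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, STATE_HMAC_KEY), $parts[1])) {
        return null; // forged or tampered token
    }
    $state = json_decode($json, true); // arrays only: no object is ever instantiated
    if (!is_array($state) || !isset($state['page']) || !is_string($state['page'])) {
        return null; // shape check, so later code can trust the keys it reads
    }
    return $state;
}

// Last resort when unserialize() cannot be removed: refuse every class.
// This stops gadget chains but keeps the format and its parsing risks.
function loadDataOnly($data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$token  = encodeState(['page' => 'home']);
$state  = decodeState($token);        // round trip of a genuine token
$forged = decodeState($token . 'x');  // token with a modified MAC
```

decodeState() returns the original array for the genuine token and null for the modified one, because hash_equals() rejects the MAC before json_decode() is ever reached. The allowed_classes option needs PHP 7.0+; it is a containment measure, not a fix, which is why the JSON path is the one to adopt.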


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the web server's hard drive to identify existing user accounts or passwords. In some cases it is also possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the web server and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd".

How to fix
Every user input has to be checked by the web application. For example, the files that are allowed to be included (the whitelist) are written into an array, and for every request the web application checks whether the requested file is on that whitelist before including it.
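An added example of the whitelist approach described above, written here and not taken from DVWA or the Crashtest Security knowledge base. The vulnerable pattern is shown beside it. Instead of a list of allowed file names, the safe version maps short page keys to absolute paths, so the value a user supplies is only ever used as an array key and never reaches the filesystem, which also neutralises php:// wrappers and encoded traversal sequences. The page keys and paths are assumptions.

```php
<?php
// Added example (not DVWA code): the include pattern behind the 'page' finding
// beside the whitelist fix the report describes. Page keys and paths are assumptions.

// VULNERABLE: user input reaches the filesystem; "../../etc/passwd" or
// "php://filter/convert.base64-encode/resource=config.php" is included as-is.
function includeVulnerable()
{
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    include $page;
}

// FIXED: map short keys to files; the user chooses a key, never a path.
function resolvePage($requested, array $allowed)
{
    // Strict checks: arrays, "", null or type-juggled values never match a key.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return $allowed[$requested];
}

$allowedPages = [
    'home'    => __DIR__ . '/pages/home.php',
    'include' => __DIR__ . '/pages/include.php',
    'file1'   => __DIR__ . '/pages/file1.php',
];

$target = resolvePage(isset($_GET['page']) ? $_GET['page'] : 'home', $allowedPages);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $target;
```

As defence in depth, set allow_url_include=Off (blocks remote inclusion entirely) and an open_basedir for the virtual host in php.ini; neither replaces the whitelist, because both still allow any local file inside the permitted tree to be included.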


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus makes it possible to draw conclusions about the server software and the programming languages in use, and it can reveal the version of the web application and of its libraries. Analysing this information is called fingerprinting. Fingerprinting gives an attacker valuable input to plan and carry out an attack; without it, the attacker is working blind. Whenever a specific version of a server or web application is known to be vulnerable, crawlers search the web for traces of that version and attack as soon as they find one. It is therefore likely that an application gets attacked simply because it leaks this information and thereby reveals that it is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) reveal their version. This gives attackers the possibility to look for exploits specifically targeting the software running in exactly that version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application there are multiple ways to remove version information. Some applications share the information in several places, which makes it harder to remove. Common places for version information are the file names of included libraries, such as "jquery.3.2.1.min.js", or the documentation within a file, where the version number is stated within the first lines. While some information has to stay in these files as part of the copyright notice, other information like the version number can be removed. Other places are the footer of an application ("powered by WordPress 4.9.1") or meta tags in the header of the website. Unlike servers, most web applications cannot remove this information via a config file, so it has to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage

2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the web server in exactly that version.

Finding

• The web server is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares is set in its configuration files. Depending on the web server in use, the configuration file is found in different locations (see Recommendations for the exact location). In most cases it is sufficient to change one or two settings to stop publishing unnecessary information. After saving the changes, restart or reload the web server to activate them. Note that hiding the version only removes the advertisement; the 17 CVEs listed in the appendix are fixed by updating Apache, not by this setting.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server through which a specific service can be reached. For a web server, port 80 and port 443 (HTTP and HTTPS) are normally open to serve the website to its users. Other ports should be closed if they are not needed by any service. The port scanner probes the web server with a SYN scan across a wide range of ports and reports the open ones. Any open port other than 80 and 443 should be blocked by the firewall if it is not needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the web server present a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services to target.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those the server needs. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) is the exploitation of a web application vulnerability that lets an attacker inject client-side script into pages that are then delivered to, and executed in the browsers of, other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to deliver malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'

How to fix
XSS is prevented by encoding user-controlled data for the context in which it is output (HTML body, attribute, JavaScript, URL), at the point where it is written into the page, rather than by trying to remove dangerous tags on input. In most cases the attacker injects JavaScript, but not necessarily inside a "<script>" tag: the probes above use an "<svg>" element, which a filter that only strips "<script>" would let through. Encoding the characters that have meaning in HTML ("<", ">", '"', "'", "&") turns any such payload into inert text. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting
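An added example (not DVWA code and not from the Crashtest Security knowledge base) of the reflected output behind the 'name' finding and of context-aware encoding. The probe string is constructed here in the shape of the report's payloads; the function names are illustrative.

```php
<?php
// Added example (not DVWA code): reflected output with and without context-aware
// encoding. The scanner's probe is an <svg> tag, not a <script> tag, so a filter
// that only strips "<script>" would not have caught it.

// VULNERABLE: the raw parameter is reflected into the HTML body.
function renderVulnerable($name)
{
    return 'Hello ' . $name;
}

// Encoder for the HTML body and for double-quoted attribute values.
// ENT_QUOTES also encodes single quotes; UTF-8 is stated so malformed input
// cannot be used to smuggle bytes past the encoder.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// FIXED: same template, encoded at the point of output.
function renderSafe($name)
{
    return 'Hello ' . e($name);
}

// Data placed inside a <script> block needs a different encoder: JSON with
// the HEX flags so "</script>" or quotes inside the value cannot break out.
function jsValue($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed probe in the shape of the report's payloads.
$probe = '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>';

echo renderVulnerable($probe), "\n"; // browser parses an <svg> element
echo renderSafe($probe), "\n";       // browser shows the probe as text
echo '<script>var name = ', jsValue($probe), ";</script>\n";
```

renderSafe() turns the probe into `Hello &lt;svg 4f43f3fb-9679-492d-af98-0080e716adf6 &quot;ons&gt;`, which the browser displays literally. The stored findings on xss_s ('txtName', 'mtxMessage') are fixed the same way: encode when the stored value is rendered, not (only) when it is saved, so that data written through other paths is covered too.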


2.6 XXE

2.6.1 What is this
XXE (XML external entity injection) is a vulnerability that arises when a web application processes XML documents from an untrusted source without proper restrictions on the parser. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the referenced resource (a local file or a URL) is read and its content substituted into the document. This can lead to sensitive data exposure, server-side request forgery and, depending on the parser, remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) included in the XML document, and must not resolve external entities.

Recommendations
https://wiki.crashtest-security.com/xxe-processing
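An added example, not DVWA code and not from the Crashtest Security knowledge base, showing the parser call that makes the payload above work and a hardened loader that follows the fix: no entity substitution, no network access, and outright rejection of any document carrying a DOCTYPE. It assumes PHP 7.x or later with ext/dom and ext/libxml; the payload is the report's, URL-decoded and embedded here as a constant.

```php
<?php
// Added example (not DVWA code): XXE-prone parsing beside a hardened loader.
// Assumes PHP 7.x+ with ext/dom and ext/libxml.

// The report's payload, URL-decoded (constructed here for the demo).
const XXE_PAYLOAD = "<?xml version='1.0' encoding='utf-8'?>"
    . "<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
    . "<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
    . "<creds><user>&user;</user><pass>&user;</pass></creds>";

// VULNERABLE: LIBXML_NOENT substitutes entity references, and when the external
// entity loader is enabled (the default before PHP 8.0) the SYSTEM entity is
// fetched from disk and ends up in <user> and <pass>.
function parseVulnerable($xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// HARDENED: no NOENT, no DTDLOAD, no network, and any document with a DOCTYPE
// (the only way to declare entities) is refused before its content is used.
function parseSafe($xml)
{
    if (PHP_VERSION_ID < 80000) {
        // Disables external entity loading process-wide on older PHP.
        // Deprecated and unnecessary on 8.x, where it is off by default.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true); // collect, do not emit, parser warnings
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded) {
        return null; // malformed input
    }
    if ($doc->doctype !== null) {
        return null; // DTD present: reject, entities are never accepted
    }
    return simplexml_import_dom($doc);
}

$result = parseSafe(XXE_PAYLOAD);
```

parseSafe() returns null for the payload: the document carries a DOCTYPE, so it is refused whether or not libxml managed to parse it. A document without a DOCTYPE, such as `<creds><user>alice</user><pass>x</pass></creds>`, parses normally. Note that libxml_disable_entity_loader() is process-wide on PHP 7, so XSLT imports and DOMDocument::load() of local files are affected as well.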


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability that arises when the web application passes data from an untrusted source to a system shell without proper validation. An attacker can then execute any system command available to the web server's user, which can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be validated by the web application. Untrusted user input must not be passed to functions like exec(), system() or shell_exec() without a strict check, and even validated values should be passed as a single quoted argument so the shell never interprets them.

Recommendations
https://wiki.crashtest-security.com/command-injection
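An added example (not DVWA code, not from the Crashtest Security knowledge base) of the ping handler behind the 'ip' finding and of the two-layer fix: validate that the value is an IP address, then quote it so it reaches ping as one argument. The function names are illustrative.

```php
<?php
// Added example (not DVWA code): the ping handler behind the 'ip' finding and
// a version that never lets the input reach the shell parser.

// VULNERABLE: shell metacharacters in $_POST['ip'] become shell syntax, so
// "; echo ..." or a "$(...)" substitution runs as a separate command.
function pingVulnerable($ip)
{
    return shell_exec('ping -c 3 ' . $ip);
}

// FIX, layer 1: accept only what an IP address can look like. This also rejects
// values such as "-c 100000" that escapeshellarg() alone would pass to ping
// as a (quoted) option.
function validateIp($ip)
{
    return is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// FIX, layer 2: even the validated value is wrapped in single quotes so the
// shell hands it to ping as exactly one argv element.
function pingSafe($ip)
{
    if (!validateIp($ip)) {
        throw new InvalidArgumentException('not an IP address');
    }
    return shell_exec('ping -c 3 ' . escapeshellarg($ip));
}

// Avoiding the shell entirely is better still: an argv array (PHP 7.4+) is
// exec'd directly, so there is no command line for anything to inject into.
function pingNoShell($ip)
{
    if (!validateIp($ip)) {
        throw new InvalidArgumentException('not an IP address');
    }
    $process = proc_open(['ping', '-c', '3', $ip], [1 => ['pipe', 'w']], $pipes);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($process);
    return $output;
}
```

validateIp() returns false for the report's payload and for anything that is not a literal IPv4 or IPv6 address, so pingSafe() and pingNoShell() throw before any command is built; for "127.0.0.1" both run ping with that single argument.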


2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzz testing or negative testing) is a software testing technique that uses random or predefined data as input to a program. The random data simulates real-world use, in which not only plausible data has to be processed. Here, the fuzzer looks for publicly reachable default paths through which attackers could gain information about or access to the system. Such default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory that might contain sensitive data. This can either leak sensitive data directly or give an attacker information with which to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is acceptable to expose certain paths, as long as it is done on purpose. Others are exposed unintentionally and should be protected, for example by Basic Auth (.htaccess) or, where they are not needed in a production environment, removed. The paths above deserve particular attention: an exposed /.git/ directory allows the complete source tree (including config/ with database credentials) to be reconstructed, phpinfo.php and php.ini reveal the full PHP configuration, and setup.php is an administrative action. More details on how to avoid exposing unnecessary information can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection is the exploitation of a database-backed application that fails to separate user input from the SQL statements it builds, typically by not masking or validating metacharacters in that input. The attacker injects database commands of his own through the application, which has access to the database. Because the request is not handled correctly, the injected text changes the original SQL statement and therefore alters its result in favor of the attacker. With a successful attack, the attacker can read data, modify or delete it, and in some configurations gain control over the server. The attacker has several ways to confirm the weakness even without seeing query results, for example through differences in response time or in error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from it.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
Keep user input out of the structure of the SQL statement. The reliable way to do this is to use prepared statements (parameterised queries): the statement contains placeholders for the user's values, the values are bound separately, and the database driver guarantees they are treated as data, never as SQL. Most common frameworks and object-relational mapping libraries do this for you. Escaping potentially harmful characters by hand is only a fallback for the rare cases where a value cannot be parameterised (for example a column name chosen from a fixed list) and should not be the primary defence. More details on how to use these methods can be found in the knowledge base (see Recommendations).

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 24 of 54

DVWA - 24 Mar 20 2334 CET

Recommendationshttpswikicrashtest-securitycomsql-injections

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 25 of 54

DVWA - 24 Mar 20 2334 CET

2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size which results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The key used for the TLS connection is too small and can therefore be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size

2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4

2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL/TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, or rather the certificate authority (CA) used, to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The encryption algorithm used has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the algorithms used has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various Cross-Site-Scripting (XSS) and related injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL/TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on others.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that different inputs produce the same ciphertext block (a birthday collision). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL/TLS as well as strong cipher suites. More details on how to configure these certificates and fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non-HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL/TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver used, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2112 Apache 247 CVE Findings

Apache 247

medium CVE-2018-1312 In Apache httpd 220 to 2429 when generating anHTTP Digest authentication challenge the nonce sent to prevent replyattacks was not correctly generated using a pseudo-random seed In acluster of servers using a common Digest authentication configurationHTTP requests could be replayed across servers by an attacker withoutdetection

medium CVE-2014-8109 mod_luac in the mod_lua module in the Apache HTTPServer 23x and 24x through 2410 does not support an httpd configu-ration in which the same Lua authorization provider is used with differentarguments within different contexts which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging multiple Require directives as demonstrated by a configura-tion that specifies authorization for one group to access a certain direc-tory and authorization for a second group to access a second directory

medium CVE-2015-3185 The ap_some_auth_required function in serverre-questc in the Apache HTTP Server 24x before 2414 does not considerthat a Require directive may be associated with an authorization settingrather than an authentication setting which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging the presence of a module that relies on the 22 API behavior

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 2.4.7

medium | CVE-2016-0736 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium | CVE-2016-2161 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


Apache 2.4.7

medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665



Severity | Finding | Noticed | Fixed

medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge | 2 | 2

medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge | 2 | 2

medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge | 2 | 2

medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge | 2 | 2

medium | Sensitive Data Exposure: Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge | 2 | 2

1.3.10 SSL/TLS

Severity | Finding | Noticed | Fixed

medium | TLS Key Size: The certificate key size is RSA 1024 bits | 2 | 2

medium | SSL RC4: The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks | 2 | 2

high | SSL Protocol Version: TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | 2 | 2

high | SSL Protocol Version: TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3 | 2 | 2

high | SSL Protocol Version: SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead | 2 | 2

high | Certificate Revocation: Neither CRL nor OCSP URI provided | 2 | 2

low | SSL LOGJAM Common Primes: LOGJAM vulnerability detected (CVE-2015-4000) | 2 | 2

high | SSL Cipherlist LOW: Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher | 2 | 2

medium | X-XSS-Protection Header: The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL BEAST: VULNERABLE, but the server also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) | 2 | 2


Severity | Finding | Noticed | Fixed

low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | 2 | 2

medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL Insecure Algorithm: Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | 2 | 2

medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

medium | SSL Cipher Block Chaining TLS1: BEAST TLS1. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | 2 | 2

medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | 2 | 2

medium | SSL SWEET32: 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | 2 | 2

high | SSL Trust: There is no subject alt name defined. Browsers are complaining | 2 | 2

high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | 2 | 2

medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

low | SSL Cipher Block Chaining SSL3: BEAST SSL3. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | 2 | 2

medium | Non Httponly Cookies: The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2

low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | 2 | 2


Severity | Finding | Noticed | Fixed

medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | 2 | 2

medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | 2 | 2

medium | Missing HSTS: HSTS is not offered by the server | 2 | 2

medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2


Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSL/TLS 7

2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this? 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this? 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this? 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this? 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this? 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this? 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this? 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this? 22
2.8.2 Sensitive Data Exposure 22


2.9 SQLINJECTION 24
2.9.1 What is this? 24
2.9.2 SQL Injection 24
2.10 SSL/TLS 26
2.10.1 What is this? 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this?

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization

Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()".

How to fix

Do not pass untrusted serialized objects to the unserialize() function.

Recommendations

https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILEINCLUSION

2.2.1 What is this?

Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd".

How to fix

Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request, the web application should check the whitelist to see whether the requested file is allowed for inclusion.

Recommendations

https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this?

The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker gets valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs).

How to fix

Depending on the application used, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filenames of included libraries like "jquery-3.2.1.min.js" or the documentation within a file, where the version number is stated within the first lines. While some information is required to be left within these files as part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by WordPress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file; it therefore needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs).

How to fix

The amount of information a server shares can be set in its configuration files. Depending on the webserver used, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate them.

Recommendations

https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this?

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. This can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"

• Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this?

Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications that lets an attacker infect web pages with client-side scripts that are invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS can range from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS, an attacker can for example bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix

XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this?

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will in some cases be resolved. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) declared in the XML document.

Recommendations

https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this?

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations

https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this?

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is done on purpose. While some paths are exposed on purpose, others may be exposed unwillingly. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQL INJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; while binding the input to the query, the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW/DES/RC2/RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various Cross-Site-Scripting (XSS) and related injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES/IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, so that clients try stronger ciphers before weaker ones.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217 In Apache HTTP Server 24 release 2438 and priora race condition in mod_auth_digest when running in a threaded servercould allow a user with valid credentials to authenticate using anotherusername bypassing configured access control restrictions

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 240to 2438 When the path component of a request URL contains mul-tiple consecutive slashes (rsquorsquo) directives such as LocationMatch andRewriteRule must account for duplicates in regular expressions whileother aspects of the servers processing will implicitly collapse them

medium CVE-2019-10092 In Apache HTTP Server 240-2439 a limited cross-site scripting issue was reported affecting the mod_proxy error pageAn attacker could cause the link on the error page to be malformed andinstead point to a page of their choice This would only be exploitablewhere a server was set up with proxying enabled but was misconfiguredin such a way that the Proxy Error page was displayed

medium CVE-2019-10098 In Apache HTTP server 240 to 2439 Redirects con-figured with mod_rewrite that were intended to be self-referential mightbe fooled by encoded newlines and redirect instead to an unexpectedURL within the request URL

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710 In Apache httpd 2023 to 2065 220 to 2234 and240 to 2429 mod_authnz_ldap if configured with AuthLDAPCharset-Config uses the Accept-Language header value to lookup the rightcharset encoding when verifying the userrsquos credentials If the headervalue is not present in the charset conversion table a fallback mecha-nism is used to truncate it to a two characters value to allow a quickretry (for example rsquoen-USrsquo is truncated to rsquoenrsquo) A header value of lessthan two characters forces an out of bound write of one NUL byte to amemory location that is not part of the string In the worst case quiteunlikely the process would crash which could be used as a Denial ofService attack In the more likely case this memory is already reservedfor future use and the issue has no effect at all

medium CVE-2014-3523 Memory leak in the winnt_accept function inservermpmwinntchildc in the WinNT MPM in the Apache HTTPServer 24x before 2410 on Windows when the default AcceptFilter isenabled allows remote attackers to cause a denial of service (memoryconsumption) via crafted requests

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server24x before 2410 when a reverse proxy is enabled allows remote at-tackers to cause a denial of service (child-process crash) via a craftedHTTP Connection header Per vendor advisory httphttpdapacheorgsecurityvulnerabilities_24html rdquoA flaw was found in mod_proxy in httpdversions 246 to 249rdquo

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


| Severity | Finding | Noticed | Fixed |
|---|---|---|---|
| low | SSL Cipherlist AVERAGE: The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated | 2 | 2 |
| medium | X-Content-Type-Options Header: The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |
| medium | SSL Insecure Algorithm: Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead | 2 | 2 |
| medium | Content-Security-Policy Header: The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |
| medium | SSL Cipher Block Chaining TLS1: BEAST TLS1. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | 2 | 2 |
| medium | X-Frame-Options Header: The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |
| high | SSL Cipherlist 3DES IDEA: Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3 | 2 | 2 |
| medium | SSL SWEET32: 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled | 2 | 2 |
| high | SSL Trust: There is no subject alt name defined. Browsers are complaining | 2 | 2 |
| high | SSL Trust: The CN or SAN in the certificate does not match the tested URL | 2 | 2 |
| medium | Referrer-Policy Header: The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |
| low | SSL Cipher Block Chaining SSL3: BEAST SSL3. The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks | 2 | 2 |
| medium | Non Httponly Cookies: The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |
| low | SSL POODLE: The detected SSL version is vulnerable to SSL POODLE | 2 | 2 |


| Severity | Finding | Noticed | Fixed |
|---|---|---|---|
| medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first | 2 | 2 |
| medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH (CBC) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised | 2 | 2 |
| medium | Missing HSTS: HSTS is not offered by the server | 2 | 2 |
| medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | 2 | 2 |


Contents

1 Overview 2
  1.1 Vulnerability Overview 2
  1.2 Scanner Overview 3
    1.2.1 Status for executed Scanners 3
  1.3 Findings Checklist 4
    1.3.1 FILEINCLUSION 4
    1.3.2 FINGERPRINTING 4
    1.3.3 PORTSCAN 4
    1.3.4 SQLINJECTION 4
    1.3.5 DESERIALIZATION 5
    1.3.6 XSS 5
    1.3.7 XXE 6
    1.3.8 COMMANDINJECTION 6
    1.3.9 FUZZER 6
    1.3.10 SSL/TLS 7

2 Findings 12
  2.1 DESERIALIZATION 12
    2.1.1 What is this 12
    2.1.2 Insecure Deserialization 12
  2.2 FILEINCLUSION 13
    2.2.1 What is this 13
    2.2.2 Local File Inclusion 13
  2.3 FINGERPRINTING 14
    2.3.1 What is this 14
    2.3.2 Fingerprint Web Application Framework 14
    2.3.3 Fingerprint Web Server 16
  2.4 PORTSCAN 17
    2.4.1 What is this 17
    2.4.2 Portscanner 17
  2.5 XSS 18
    2.5.1 What is this 18
    2.5.2 Cross-Site Scripting (XSS) 18
  2.6 XXE 20
    2.6.1 What is this 20
    2.6.2 XXE 20
  2.7 COMMANDINJECTION 21
    2.7.1 What is this 21
    2.7.2 Command Injection 21
  2.8 FUZZER 22
    2.8.1 What is this 22
    2.8.2 Sensitive Data Exposure 22
  2.9 SQLINJECTION 24
    2.9.1 What is this 24
    2.9.2 SQL Injection 24
  2.10 SSL/TLS 26
    2.10.1 What is this 26
    2.10.2 TLS Key Size 26
    2.10.3 SSL RC4 27
    2.10.4 SSL Protocol Version 28
    2.10.5 Certificate Revocation 29
    2.10.6 SSL LOGJAM Common Primes 30
    2.10.7 SSL Cipherlist LOW 31
    2.10.8 X-XSS-Protection Header 32
    2.10.9 SSL BEAST 33
    2.10.10 SSL Cipherlist AVERAGE 34
    2.10.11 X-Content-Type-Options Header 35
    2.10.12 SSL Insecure Algorithm 36
    2.10.13 Content-Security-Policy Header 37
    2.10.14 SSL Cipher Block Chaining TLS1 38
    2.10.15 X-Frame-Options Header 39
    2.10.16 SSL Cipherlist 3DES IDEA 40
    2.10.17 SSL SWEET32 41
    2.10.18 SSL Trust 42
    2.10.19 Referrer-Policy Header 43
    2.10.20 SSL Cipher Block Chaining SSL3 44
    2.10.21 Non Httponly Cookies 45
    2.10.22 SSL POODLE 46
    2.10.23 SSL Cipher Order 47
    2.10.24 TLS Configuration 48
    2.10.25 Missing HSTS 49
    2.10.26 Insecure Cookies 50
  2.11 Appendix 51
    2.11.1 PHP 5.5.9 CVE Findings 51
    2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure deserialization is an attack in which a manipulated serialized object is injected into the web application. If the application deserializes untrusted data, the attacker controls the type and the properties of the object that is created, and any code the runtime executes while reconstructing or destroying that object (in PHP, magic methods such as __wakeup() and __destruct()) runs with the application's privileges. Depending on the classes available to the application, this can result in SQL injection, path traversal, application denial of service, or remote code execution.

2.1.2 Insecure Deserialization

Severity
Base Score: high (8.1/10)
Impact: medium (5.9/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix
Do not pass untrusted serialized data to the unserialize() function. Prefer a data-only format such as JSON for anything that crosses a trust boundary. If the serialized format cannot be changed, accept only blobs the application itself produced, proven by a message authentication code checked before deserialization, and restrict which classes the deserializer may instantiate.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization
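The following is an added example, not code from the report or from DVWA. It shows the unsafe pattern behind the finding next to the two fixes described above: switching to JSON with shape validation, and, where the serialized format must stay, authenticating the blob with an HMAC and forbidding object instantiation. The function names, the "preferences" data and the key constant are constructed for the example; the second argument to unserialize() requires PHP 7.0 and hash_equals() requires PHP 5.6, so neither is available on the PHP 5.5.9 found by the scan, which is one more reason to upgrade.

```php
<?php
// Added example: untrusted data reaching unserialize(), and two safer alternatives.

// UNSAFE: the request decides which class is instantiated and with which
// properties. Any class with a __wakeup()/__destruct() gadget on the include
// path becomes reachable, as does every PHP bug in the unserialize parser.
function loadPreferencesUnsafe($raw)
{
    return unserialize($raw);
}

// SAFE 1: a data-only format. json_decode() cannot create objects of
// application classes, and the result is validated against the expected shape.
function loadPreferencesJson($raw)
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('malformed preferences');
    }
    $theme = (isset($data['theme']) && in_array($data['theme'], array('light', 'dark'), true))
        ? $data['theme'] : 'light';
    return array('theme' => $theme);
}

// SAFE 2: when the serialized format cannot be changed, only accept blobs the
// application produced itself. The HMAC is verified before unserialize() sees
// a single byte, and allowed_classes=false turns any object into __PHP_Incomplete_Class.
define('PREF_HMAC_KEY', 'replace-with-a-random-32-byte-secret'); // assumption: loaded from config

function sealPreferences(array $prefs)
{
    $blob = serialize($prefs);
    return hash_hmac('sha256', $blob, PREF_HMAC_KEY) . '.' . base64_encode($blob);
}

function openPreferences($sealed)
{
    $pieces = explode('.', $sealed, 2);
    if (count($pieces) !== 2) {
        throw new InvalidArgumentException('malformed token');
    }
    list($mac, $b64) = $pieces;
    $blob = base64_decode($b64, true);
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, PREF_HMAC_KEY), $mac)) {
        throw new InvalidArgumentException('bad signature');
    }
    return unserialize($blob, array('allowed_classes' => false));
}

// Constructed inputs: a genuine token, then the same token with its MAC damaged.
$sealed = sealPreferences(array('theme' => 'dark'));
var_dump(openPreferences($sealed));

try {
    openPreferences('x' . substr($sealed, 1)); // 'x' is not a hex digit, so the MAC cannot match
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The JSON variant is the one to reach for in new code; the HMAC variant only buys time for legacy data, and its key must be kept out of the web root and rotated like any other secret.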


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the web server's hard drive, for example to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the web server and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity
Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd"

How to fix
Every user input has to be checked by the web application before it is used. For file inclusion the robust approach is a whitelist: the files that may be included are written into an array, and for every request the application checks whether the requested entry is on that list. The request should select only a key into the list, never supply the file name itself; stripping "../" or checking file extensions from the user-supplied value is easy to get wrong and should not be relied on.

Recommendations
https://wiki.crashtest-security.com/file-inclusion
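The following is an added example, not code from the report or from DVWA. It shows the include-by-parameter pattern behind the finding and the whitelist described above, in which the request selects a short key and the file path never comes from user input. The page names, the "pages/" directory and the function names are assumptions made for the example.

```php
<?php
// Added example: file inclusion driven by a request parameter, and a whitelist fix.

// UNSAFE: the request decides which file is included. "page=/etc/passwd" reads
// the password file, "page=../../config.php" reads credentials, and with
// allow_url_include=On a remote URL gives code execution.
function renderPageUnsafe($page)
{
    include $page;
}

// SAFE: the request only chooses a key; the file path is fixed in code.
// Assumption: the includable pages live in a "pages" directory next to this script.
$ALLOWED_PAGES = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

/**
 * Resolve a request value to an absolute file path, or null when it is not
 * on the whitelist. is_string() rejects "page[]=..." array tricks, and
 * array_key_exists() does an exact key lookup with no path interpretation.
 */
function resolvePage($page, array $allowed)
{
    if (!is_string($page) || !array_key_exists($page, $allowed)) {
        return null;
    }
    return __DIR__ . '/' . $allowed[$page];
}

function renderPage($page, array $allowed)
{
    $file = resolvePage($page, $allowed);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Constructed checks: the whitelisted key resolves, every traversal attempt is rejected.
var_dump(resolvePage('about', $ALLOWED_PAGES));
var_dump(resolvePage('/etc/passwd', $ALLOWED_PAGES));
var_dump(resolvePage('../../config.php', $ALLOWED_PAGES));
var_dump(resolvePage('about/../../etc/passwd', $ALLOWED_PAGES));
var_dump(resolvePage(array('about'), $ALLOWED_PAGES));
```

Because the user-controlled value is only ever used as an array key, there is no string to sanitize and no encoding trick (null bytes, double URL-encoding, "....//") that can reach the file system.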


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus makes it possible to draw conclusions about the server software or the programming languages used, and may reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. It gives an attacker valuable input to plan and carry out an attack; without it, the attacker is working blind. Whenever a specific version of a server or web application is known to be vulnerable, crawlers search the web for traces of that version and attack any host they find. So it is likely that a system is attacked simply because it leaks this information and thereby advertises that it is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity
Base Score: high (7.5/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The installed web application framework(s) disclose their version. This gives attackers the possibility to look for exploits specifically targeting the software running in exactly this version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application there are multiple ways to remove version information, and some applications publish it in several places, which makes it harder to remove completely. Common places are the file names of included libraries, like "jquery-3.2.1.min.js", or the documentation header of a file where the version number is stated in the first lines. While some information must remain in these files as part of the copyright notice, the version number can be removed. Other places are the footer of an application ("powered by WordPress 4.9.1") or meta tags in the head of the page. Unlike servers, most web applications cannot remove this information through a configuration file, so the specific templates and files have to be edited by hand. For the PHP version itself, set expose_php = Off in php.ini so the X-Powered-By response header no longer carries it. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity
Base Score: medium (6.8/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The web server publicly provides information about itself, such as its name and version. This gives attackers the possibility to look for exploits specifically targeting the web server in exactly this version.

Finding

• The web server is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares can be set in its configuration files. Depending on the web server the configuration file is found in different locations (see Recommendations for the exact location). In most cases one or two settings are enough; for Apache httpd these are ServerTokens Prod, which reduces the Server header to the product name, and ServerSignature Off, which removes the version line from server-generated error pages. After saving the changes, reload or restart the web server to activate them. Note that hiding the version does not remove the vulnerabilities listed in the appendix; it only removes the easiest way to find them, so the package still has to be updated.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server through which a specific service can be reached. For a web server, ports 80 and 443 (HTTP and HTTPS) are normally open to serve the website to its users. Other ports should be closed if no service needs them. The portscanner probes the web server with a SYN scan across a wide range of ports and reports those found open. Any open port other than 80 and 443 should be blocked by the firewall unless it is needed.

2.4.2 Portscanner

Severity
Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Unneeded open ports on the web server expose a larger attack surface to a malicious user and can reveal unmaintained, possibly vulnerable network services to target.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled rather than merely firewalled, so that a firewall change cannot expose them again.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) is the exploitation of a web application vulnerability that lets an attacker inject client-side script into web pages, where it is executed by other users' browsers in the security context of the site. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. Its impact ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity
Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cross-Site Scripting (XSS) allows an attacker to deliver script to other users that runs in their browsers with the application's origin.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' appears vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' appears vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' appears vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' appears vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' appears vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' appears vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix
XSS is prevented by encoding user-controlled data for the context in which it is output (HTML body, HTML attribute, JavaScript string, URL), at the moment it is written into the page. Filtering only the "<script>" tag is not sufficient: the probes above contain no script tag at all and rely on an <svg> element with an event-handler attribute, and the same applies to <img onerror=...> or an attribute breakout with a quote character. Input validation on the way into the database is a useful second layer, and a Content-Security-Policy header (reported missing in Section 2.10.13) limits what injected script can do, but neither replaces output encoding. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting
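The following is an added example, not code from the report or from DVWA. It reflects a "name" parameter three ways: raw, through a blacklist on the script tag, and through contextual HTML encoding, and runs a probe modelled on the scanner's <svg ...> payload through all three. The function names and the probe string (with a shortened marker) are constructed for the example.

```php
<?php
// Added example: why stripping "<script>" does not stop XSS, and what does.

// UNSAFE 1: raw reflection, the pattern behind the xss_r finding.
function greetRaw($name)
{
    return '<p>Hello ' . $name . '</p>';
}

// UNSAFE 2: a blacklist on one tag. The scanner's probe never contained
// "<script>", so it passes through untouched, as do <img onerror=...>,
// <body onload=...> and any attribute-context breakout.
function greetScriptFiltered($name)
{
    return '<p>Hello ' . str_ireplace('<script>', '', $name) . '</p>';
}

// SAFE: encode for the HTML text and attribute context at output time.
// ENT_QUOTES encodes both ' and ", so the value is inert inside quoted
// attributes as well; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8,
// which would otherwise silently blank the output. The charset must match
// the page's Content-Type.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greetSafe($name)
{
    return '<p>Hello ' . h($name) . '</p>'
         . '<input type="text" name="name" value="' . h($name) . '">';
}

// Constructed probe in the style of the finding. In a browser the raw and
// "filtered" outputs create an <svg> element whose event handler fires;
// the encoded output renders the probe as literal text.
$probe = '<svg marker-1234 "onload=alert(1)>';

echo greetRaw($probe), "\n";
echo greetScriptFiltered($probe), "\n";
echo greetSafe($probe), "\n";
```

htmlspecialchars() is correct only for HTML text and quoted attribute values. Data placed inside a <script> block, a URL, or an unquoted attribute needs the encoder for that context, which is why templating engines with auto-escaping are preferable to calling the function by hand at every output point.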


2.6 XXE

2.6.1 What is this
XXE (XML External Entity injection) is a vulnerability that arises when a web application processes XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the application passes the document to an XML parser that resolves external entities, the parser fetches the referenced resource, for example a local file, and may return its contents as part of the parsed data. This can lead to sensitive data exposure or, in some environments, remote code execution.

2.6.2 XXE

Severity
Base Score: critical (9.4/10)
Impact: medium (5.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

XXE allows an attacker to submit a malicious XML document that the website then parses with external entities enabled. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to reject any document type definition (DTD) contained in the document. Where a DTD cannot be refused outright, at minimum disable external entity resolution and network access in the parser, so that a declaration like the one in the payload above is never resolved.

Recommendations
https://wiki.crashtest-security.com/xxe-processing
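The following is an added example, not code from the report or from DVWA. It parses untrusted XML with DOMDocument in the configuration described above: no network access, no entity substitution, and any document that declares a DTD is refused. The function name and the two sample documents (the second modelled on the finding's payload) are constructed for the example; libxml_disable_entity_loader() exists in PHP 5.2.11 through 8.x and is only needed, and only called, on PHP before 8.0.

```php
<?php
// Added example: parsing untrusted XML so that external entities are never resolved.

function parseUntrustedXml($xml)
{
    // PHP < 8.0: stop libxml from loading external entities process-wide.
    // PHP 8.0 made this the default and deprecated the function, so skip it there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $dom->substituteEntities = false; // never expand entity references
    // LIBXML_NONET forbids network fetches. Do NOT pass LIBXML_NOENT or
    // LIBXML_DTDLOAD; both re-enable exactly the behaviour XXE relies on.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        throw new InvalidArgumentException('malformed XML');
    }
    // Refuse any document that declares a DTD at all: that is where
    // <!ENTITY user SYSTEM "file:///etc/passwd"> lives.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DTD not allowed');
    }
    return $dom;
}

// Constructed inputs: a plain document and an XXE attempt in the style of the finding.
$benign = '<?xml version="1.0"?><creds><user>alice</user><pass>x</pass></creds>';
$xxe    = '<?xml version="1.0"?>'
        . '<!DOCTYPE creds [<!ENTITY user SYSTEM "file:///etc/passwd">]>'
        . '<creds><user>&user;</user><pass>&user;</pass></creds>';

$doc = parseUntrustedXml($benign);
echo 'user: ', $doc->getElementsByTagName('user')->item(0)->textContent, "\n";

try {
    parseUntrustedXml($xxe);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting the DTD is the complete fix; the parser flags are defence in depth for the case where a later change routes XML through a different loader (SimpleXML, XMLReader) that does not run this check.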


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability that arises when the web application passes data from an untrusted source to a system shell without proper validation. An attacker can then execute any system command available to the web server's user, which can lead to an entirely compromised system.

2.7.2 Command Injection

Severity
Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Command injection allows an attacker to execute arbitrary system commands on the server.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be validated by the web application before it is used. Untrusted input should not reach functions like exec() or system() at all. Where a shell command cannot be avoided, validate the value against the exact format the command expects (here an IP address) and pass it as a single quoted argument with escapeshellarg(), so that shell metacharacters such as ";", "|", "&&" or "$(...)" in the value cannot start a second command.

Recommendations
https://wiki.crashtest-security.com/command-injection
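The following is an added example, not code from the report or from DVWA. It shows the ping-by-parameter pattern behind the finding and the two-step fix described above: validate the value as an IP address, then quote it. A helper builds the command line without running it so the difference is visible without network access. The function names and the sample inputs are constructed for the example.

```php
<?php
// Added example: a shell command built from a request parameter, and its hardened form.

// UNSAFE: the value is pasted into the command line. An "ip" value of
// "127.0.0.1; echo crashtest-security$((1212))" makes the shell run the second command.
function pingUnsafe($ip)
{
    return shell_exec('ping -c 2 ' . $ip);
}

/**
 * Build the command line, or return null when the input is not an IP address.
 * filter_var() accepts IPv4 and IPv6 literals and nothing else, so metacharacters
 * never get as far as the shell. escapeshellarg() is kept as a second layer in
 * case the validation is ever loosened (for example to allow host names).
 */
function pingCommand($ip)
{
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return 'ping -c 2 ' . escapeshellarg($ip);
}

// SAFE: only a validated, quoted argument is ever executed.
function pingSafe($ip)
{
    $cmd = pingCommand($ip);
    if ($cmd === null) {
        throw new InvalidArgumentException('not an IP address');
    }
    return shell_exec($cmd);
}

// Constructed inputs: one legitimate, one carrying the injection from the finding.
$good = '127.0.0.1';
$bad  = '127.0.0.1; echo crashtest-security$((1212))';

var_dump(pingCommand($good)); // a quoted single argument
var_dump(pingCommand($bad));  // null: rejected before any shell is involved

try {
    pingSafe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Where the feature only needs to know whether a host is reachable, replacing the shell call with a socket connect in PHP removes the shell, and with it this whole class of bug.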


2.8 FUZZER

2.8.1 What is this
Fuzzing, also called robustness testing, fuzzy testing or negative testing, is a software testing technique that feeds random or pre-defined data to a program. The random data simulates later use, in which not only plausible data must be processed. In this case the fuzzer looks for publicly reachable default paths through which attackers could gain access to the system. Such default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure

Severity
Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge
• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is fine to expose certain paths, as long as it is on purpose; others may be exposed unintentionally. Files that have no role on a production system (installer scripts such as setup.php, phpinfo.php, php.ini, documentation and changelogs) should be removed from the deployment, and paths that must stay can be protected with authentication (for example Basic Auth via .htaccess). A reachable .git directory deserves priority: it can allow the application's source code to be reconstructed, and a readable php.ini or phpinfo.php discloses the exact PHP configuration. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a database vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject their own database commands through the application, which has access to the database. Because the request is not validated correctly, the injected code changes the original SQL statement and alters the result in the attacker's favor. With a successful attack the attacker is able to read, modify or delete data and, depending on the database's privileges, gain control over the server. Even when the application shows no query output, the attacker can still infer data from differences in response content (boolean-based blind), response time (time-based blind) or error messages, which is how the findings below were detected.

292 SQL InjectionSeverity

Base Score critical (9110)

Impact medium (5210)

Exploitability low (3910)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Your application is vulnerable for an SQL injection This allows an attacker to run SQL code inyour database so that he may retrieve change or delete data from your database

Finding

bull Found boolean-based blind sqlinjection for parameter id (GET) on httpsdvwadevcrashtestcloudvulnerabilitiessqli with payload Submit=Submitampid=xyzrsquo AND 8968=(SE-LECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090)END))ndash mFLn

bull Found boolean-based blind sqlinjection for parameter username (GET)on httpsdvwadevcrashtestcloudvulnerabilitiesbrute with payload Lo-gin=Loginamppassword=Crashtest123ampusername=xyzrsquo AND 5434=5434 AND rsquobYyErsquo=rsquobYyE

How to fixThe simple answer is Sanitize the users input before sending it to the database Sanitizing in-cludes escaping all potentially harmful characters to not let them effect the resulting SQL queryThere are multiple ways to do so and most common frameworks also support ways to simplifythis step One possible solutions is to use Object-relational mapping libraries to take care of thesanitizing In case direct SQL queries are required it is recommended to use so called rdquopreparedstatementsrdquo These are queries containing placeholders for the users input and while bindingthe input in the query the users data will be escaped More details on how to use these methodscan be found in the knowledge database (see Recommendations)


Recommendations: https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in a weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix
The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version
Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes
Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it way easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix
LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW/DES/RC2/RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE
Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header
Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header
Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other Cross-Site-Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header
Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES/IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32
Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain, or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header
Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3
Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, think of enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE
Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix
POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, think of enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high    CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665



Severity | Finding | Noticed | Fixed
medium | SSL Cipher Order: There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first. | ☐ | ☐
medium | TLS Configuration: The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised. | ☐ | ☐
medium | Missing HSTS: HSTS is not offered by the server. | ☐ | ☐
medium | Insecure Cookies: The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/ | ☐ | ☐
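The last two rows of this checklist (Missing HSTS, Insecure Cookies) are fixed on the application side in a few lines. What follows is an added example, not code from DVWA or from this report. It assumes PHP 7.3 or newer for the array form of session_set_cookie_params(), that PHP sees $_SERVER['HTTPS'] (behind a TLS-terminating proxy you would check the forwarded-proto header instead), and that every host under the domain already serves HTTPS before includeSubDomains is switched on, since HSTS otherwise locks users out of any plain-HTTP host.

```php
<?php
// Added example (not DVWA's or Crashtest's code).
// Before: DVWA calls session_start() with PHP's defaults, so PHPSESSID is sent
// over plain http:// and is readable from JavaScript (no Secure, no HttpOnly).
//
//   session_start();
//
// After: declare the cookie flags before the session cookie is issued.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // never sent over http://
        'httponly' => true,     // not exposed through document.cookie
        'samesite' => 'Lax',    // not attached to cross-site POST requests
    ]);
    // Reject session ids the server did not generate (session fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// HSTS is only meaningful on an HTTPS response; sending it over HTTP is ignored
// by browsers, and sending it before every subdomain has TLS breaks those hosts.
// Start with a short max-age (e.g. 300) while rolling out, then raise it.
function hstsHeaderValue(int $maxAge, bool $includeSubdomains): string
{
    return 'max-age=' . $maxAge . ($includeSubdomains ? '; includeSubDomains' : '');
}

function sendHsts(int $maxAge = 31536000, bool $includeSubdomains = true): void
{
    // Assumption: PHP terminates TLS itself, so $_SERVER['HTTPS'] is reliable.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        return;
    }
    header('Strict-Transport-Security: ' . hstsHeaderValue($maxAge, $includeSubdomains));
}

// Order matters: headers must be sent before any output, and the cookie
// parameters must be set before session_start() creates the cookie.
sendHsts();
startSecureSession();
```

Verify with a raw response: the Set-Cookie line for PHPSESSID must carry "Secure; HttpOnly; SameSite=Lax", and the HTTPS response must contain the Strict-Transport-Security header; the same check is what the scanner's "Insecure Cookies", "Non Httponly Cookies" and "Missing HSTS" tests perform.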


Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSL/TLS 7
2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this 22
2.8.2 Sensitive Data Exposure 22
2.9 SQLINJECTION 24
2.9.1 What is this 24
2.9.2 SQL Injection 24
2.10 SSL/TLS 26
2.10.1 What is this 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure deserialization is an attack in which a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and its magic methods (in PHP, for example __wakeup() or __destruct()) run with attacker-controlled properties, which can result in SQL injection, path traversal, application denial of service and remote code execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/" with payload "phpinfo()".

How to fix
Do not pass untrusted serialized objects to the unserialize() function. Data that crosses a trust boundary (a request parameter, a cookie) should travel in a data-only format such as JSON, and should be authenticated (for example with an HMAC) before it is decoded, so that a tampered blob is rejected rather than parsed. Where PHP's native serialization cannot be removed, unserialize() should at least be called with the allowed_classes option set to false, which prevents any object, and therefore any magic method, from being instantiated from the input.
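The vulnerable pattern behind this finding beside a hardened replacement, as an added example that is not DVWA's code or the report's. It assumes PHP 7.1 or newer (allowed_classes, list destructuring, JSON_THROW_ON_ERROR needs 7.3) and that the "data" parameter named in the finding is the one being read; the key constant is a placeholder for a secret loaded from configuration.

```php
<?php
// Added example (not DVWA's or Crashtest's code).

// VULNERABLE: the attacker controls the serialized string, so any class in the
// codebase with a __wakeup()/__destruct()/__toString() gadget can be built with
// attacker-chosen properties. This is the pattern the "data" finding reports.
function loadStateVulnerable(string $data)
{
    return unserialize($data);
}

// HARDENED: never hand attacker input to unserialize(). Carry state as JSON
// inside an HMAC-signed envelope, so tampering is detected before decoding.
const STATE_KEY = 'replace-with-a-32-byte-random-secret'; // assumption: from config in real code

function encodeState(array $state): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, STATE_KEY);
    return $payload . '.' . $mac;           // base64 never contains '.', so the split is unambiguous
}

function decodeState(string $token): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison: the MAC must not be guessable byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, STATE_KEY), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);   // strict mode rejects junk characters
    if ($json === false) {
        return null;
    }
    // json_decode(..., true) yields arrays and scalars only: no objects, no magic methods.
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// If legacy serialized data really must be read, at least forbid object creation.
function unserializeNoObjects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Demonstration with constructed input.
$token = encodeState(['user' => 'alice', 'theme' => 'dark']);
var_dump(decodeState($token));                         // array(2) { user, theme }
var_dump(decodeState($token . 'x'));                   // NULL: MAC check fails
var_dump(unserializeNoObjects('O:8:"stdClass":0:{}')); // __PHP_Incomplete_Class: no constructor or __wakeup() runs
```

The signed-JSON envelope is the fix to prefer: it removes the object graph from the input entirely, and the MAC check happens before any parsing, so a malformed or replayed blob costs the server a hash computation and nothing else. allowed_classes => false is a containment measure for code that cannot be migrated yet, not a replacement for it.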

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the web server's hard drive, for example to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the web server and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd".

How to fix
Every user input has to be validated by the web application before it is used. For example, the files that are allowed to be included (the whitelist) are written into an array, and for every request the web application checks that the requested page is in that whitelist before including it. Filtering out ".." or absolute paths is not a substitute for the whitelist: PHP stream wrappers such as php://filter bypass such blacklists, whereas the set of legitimate pages is small and known in advance.
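The whitelist described above, written out as an added example (not DVWA's code or the report's). It assumes the "page" GET parameter from the finding, a pages/ directory next to the script whose file names are the whitelist values, and that unknown names should produce a 404 rather than a default page.

```php
<?php
// Added example (not DVWA's or Crashtest's code).

// VULNERABLE: the raw parameter reaches include(), so ?page=/etc/passwd reads the
// password file and ?page=php://filter/convert.base64-encode/resource=index.php
// leaks source code. This is the pattern the "page" finding reports.
function renderVulnerable(string $page): void
{
    include $page;
}

// HARDENED: the user supplies an opaque name, never a path. Only keys of this
// map are accepted; the file names on the right are fixed by the developer.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute file to include, or null if the request is not allowed.
function resolvePage(?string $requested): ?string
{
    $name = $requested ?? 'home';                 // default when nothing was requested
    if (!array_key_exists($name, PAGES)) {        // exact match: no prefix or regex tricks
        return null;
    }
    // Defense in depth: resolve from a fixed base directory and confirm the
    // result still lies inside it, in case a map value is ever edited to contain "..".
    $base = realpath(__DIR__ . '/pages');         // assumption: pages live in ./pages
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . PAGES[$name]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function renderHardened(?string $requested): void
{
    $path = resolvePage($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// How inputs map (with ./pages/about.php present):
//   resolvePage('about')                                    -> <dir>/pages/about.php
//   resolvePage('/etc/passwd')                              -> null  (not a key)
//   resolvePage('php://filter/resource=index.php')          -> null  (not a key)
//   resolvePage('../../etc/passwd')                         -> null  (not a key)
renderHardened($_GET['page'] ?? null);
```

Note that the whitelist check uses array_key_exists() on the exact string; functions such as in_array() without strict comparison or a regular expression that only anchors one end reintroduce the problem the whitelist is meant to remove.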

Recommendations
https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages in use, and it can reveal the version of the web application and of the libraries it uses. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker gets valuable input to plan and carry out an attack; without it, the attacker is attacking blindly. Whenever a specific version of a server or web application is vulnerable to an attack, crawlers search the web for traces of that version and start an attack as soon as they find one. It is therefore likely that a system gets attacked simply because it leaks this information and thereby advertises that the application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The installed web application framework(s) reveal their version. This lets attackers look for exploits specifically targeting the software in exactly that version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application in use there are multiple ways to remove version information. Some applications also publish the information in several places, which makes it harder to remove. Common places for version information are the file names of included libraries, such as "jquery.3.2.1.min.js", or the documentation comment within a file where the version number is stated in the first lines. While some information is required to be left in these files as part of the copyright notice, other information such as the version number can be removed. Other places are the footer of an application ("powered by Wordpress 4.9.1") or meta tags in the header of the website. Unlike servers, most web applications cannot remove this information via a configuration file, so it has to be removed manually by editing the specific templates and files. For the PHP version found here, the usual source is the X-Powered-By response header, which is switched off with expose_php = Off in php.ini. Hiding the version only removes the advertisement; the CVEs listed in the appendix are fixed by upgrading PHP, not by hiding the header. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System v3.

Description

The web server publicly provides information about itself, such as its name or version. This lets attackers look for exploits specifically targeting the web server in exactly that version.

Finding

• The web server is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares can be set in its configuration files. Depending on the web server in use, the configuration file is found in different locations (see Recommendations for the exact location). In most cases it is sufficient to change one or two settings to stop publishing unnecessary information; for Apache httpd these are ServerTokens Prod and ServerSignature Off. After saving the changes, restart or reload the web server to activate them. Hiding the banner does not remove the vulnerabilities listed in the appendix: Apache 2.4.7 is affected by CVEs fixed in releases up to 2.4.39, so the actual fix is an upgrade to a current 2.4.x release.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that can be used to connect to a specific service. For a web server, port 80 and port 443 (HTTP/HTTPS) are most likely open to serve the website to its users. Other ports should be closed if they are not needed by any service. The port scanner tests the web server with a SYN scan over a wide range of possibly open ports and reports the open ones. If any ports other than 80 and 443 are open, they should be blocked by the firewall unless they are needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Unneeded open ports on the web server present a larger attack surface to a malicious user: they can be used to find unmaintained and possibly vulnerable network services to target.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled. In this scan only 80/tcp and 443/tcp were found open, which is the expected baseline for a web server, so the finding is informational only.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) refers to exploiting a security vulnerability in web applications that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data handled. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix
XSS is prevented by encoding untrusted data for the context in which it is written into the page (HTML body, HTML attribute, JavaScript, URL) at the moment it is output. Stripping or escaping "<script>" tags alone is not sufficient: the payloads listed above contain no script tag at all, only an <svg> element with an event-handler attribute, which is exactly what a tag blacklist misses. Encode at output rather than before storing, since the same stored value (for example the guestbook entries behind 'mtxMessage' and 'txtName') may be rendered in more than one context. More details on how to fix this problem can be found in the knowledge database (see Recommendations).
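Context-aware output encoding as an added example; it is not DVWA's code or the report's. It assumes the page is served as UTF-8 and uses the 'name' and 'txtName' parameter names from the findings for illustration.

```php
<?php
// Added example (not DVWA's or Crashtest's code).

// VULNERABLE (reflected): the parameter is concatenated straight into HTML,
// which is what the xss_r "name" finding reports.
function greetVulnerable(string $name): string
{
    return '<p>Hello ' . $name . '</p>';
}

// One encoder for the HTML text and attribute contexts. ENT_QUOTES encodes both
// quote characters (required inside attributes), ENT_SUBSTITUTE keeps invalid
// UTF-8 from turning the whole string into "", and the charset must match the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: HTML body context.
function greetHardened(string $name): string
{
    return '<p>Hello ' . h($name) . '</p>';
}

// HTML attribute context: the attribute must be quoted AND the value encoded;
// an unquoted attribute can be broken out of with a plain space.
function nameInput(string $value): string
{
    return '<input type="text" name="txtName" value="' . h($value) . '">';
}

// URL context: percent-encode for the URL first, then HTML-encode the result
// because it is being placed inside an HTML attribute.
function profileLink(string $user): string
{
    return '<a href="/profile.php?user=' . h(rawurlencode($user)) . '">profile</a>';
}

// Why "escape <script>" is not enough: this payload has no script tag at all.
$payload = '<svg onload=alert(1)>';
echo greetVulnerable($payload), PHP_EOL;   // browser runs alert(1)
echo greetHardened($payload), PHP_EOL;     // <p>Hello &lt;svg onload=alert(1)&gt;</p>

// Attribute break-out attempt, neutralised by quoting plus encoding.
echo nameInput('" autofocus onfocus=alert(1) x="'), PHP_EOL;
// <input type="text" name="txtName" value="&quot; autofocus onfocus=alert(1) x=&quot;">

echo profileLink('a&b"c'), PHP_EOL;
// <a href="/profile.php?user=a%26b%22c">profile</a>
```

Encoding is applied at output in every function, so the same stored guestbook string can be shown in a paragraph, an input field or a link without the storage layer having to guess which context it will end up in. Data written into a JavaScript block needs a JavaScript encoder (json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT is the usual choice), not h().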

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this
XXE (XML External Entity injection) is a vulnerability that arises when web applications handle XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the parser fetches the referenced resource (a local file or a URL) and substitutes its content into the document. This can lead to sensitive data exposure, server-side request forgery and, in some environments, remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then parsed by the server. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents come from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) declared in the document, to leave external entity resolution disabled, and to forbid network access during parsing. For PHP's libxml-based parsers this means never passing LIBXML_NOENT or LIBXML_DTDLOAD for untrusted input (on PHP 7.x additionally calling libxml_disable_entity_loader(true); on PHP 8 external entity loading is off by default and the function is deprecated).
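The parser configuration behind this finding and its hardened counterpart, as an added example that is not DVWA's code or the report's. It assumes PHP 8.0 or newer with the SimpleXML extension; on PHP 7.x the hardened function would additionally call libxml_disable_entity_loader(true) before parsing. The attack document is constructed to match the shape of the scanner's payload.

```php
<?php
// Added example (not DVWA's or Crashtest's code).

// VULNERABLE: LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD loads the DTD,
// so a SYSTEM entity pointing at file:///etc/passwd is expanded into the document
// and echoed back wherever the application prints <user>.
function parseVulnerable(string $xml): ?SimpleXMLElement
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);
    return $doc === false ? null : $doc;
}

// HARDENED: reject any DOCTYPE outright, never pass the entity-expanding flags,
// and forbid network access while parsing (LIBXML_NONET) so that even a parser
// default change cannot turn the document into an SSRF primitive.
function parseHardened(string $xml): ?SimpleXMLElement
{
    // A document from an untrusted source has no business declaring a DTD.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);   // collect errors instead of emitting warnings
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed inputs: the attack mirrors the scanner's payload, the benign
// document is what the endpoint is actually meant to receive.
$attack = '<?xml version="1.0"?>'
        . '<!DOCTYPE creds [<!ENTITY user SYSTEM "file:///etc/passwd">]>'
        . '<creds><user>&user;</user><pass>&user;</pass></creds>';
$benign = '<creds><user>alice</user><pass>secret</pass></creds>';

var_dump(parseHardened($attack));                  // NULL: DOCTYPE rejected before parsing
var_dump((string) parseHardened($benign)->user);   // string(5) "alice"
```

The DOCTYPE check is deliberately done on the raw string before the parser sees it: it costs nothing, it does not depend on which libxml version or flag defaults the host has, and it also blocks the "billion laughs" entity-expansion denial of service, which needs no external entity at all.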

Recommendations
https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability that arises when the web application passes data from an untrusted source to a system shell without proper validation. With this vulnerability an attacker can execute any system command available to the web server's user, which can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Command injection allows an attacker to execute arbitrary system commands

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be validated by the web application before it is used. Untrusted input must not be passed to functions such as exec(), system(), shell_exec() or passthru() without a strict check against the format the feature actually needs (here, an IP address). Where a shell is unavoidable, every argument has to be quoted with escapeshellarg(); better still, avoid the shell entirely and pass the program and its arguments as an array, so that no shell metacharacters are interpreted at all.
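The vulnerable ping wrapper beside two hardened versions, as an added example that is not DVWA's code or the report's. It assumes the "ip" parameter from the finding, a Linux host with /bin/ping, and PHP 7.4 or newer for the array form of proc_open(); the -c and -W flags are the common Linux ping options and are an assumption about the target system.

```php
<?php
// Added example (not DVWA's or Crashtest's code).

// VULNERABLE: the parameter is spliced into a shell command line, so an input of
// "127.0.0.1; id" or "$(id)" runs as the web server user. This is the pattern
// the "ip" finding reports.
function pingVulnerable(string $ip)
{
    return shell_exec('ping -c 3 ' . $ip);
}

// HARDENED step 1: accept only what the feature needs, a literal IP address.
function isValidIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// HARDENED step 2: even validated input is quoted as one shell argument.
function pingHardened(string $ip): ?string
{
    if (!isValidIp($ip)) {
        return null;                               // rejected before any command runs
    }
    $out = shell_exec('/bin/ping -c 3 -W 2 ' . escapeshellarg($ip));
    return is_string($out) ? $out : '';
}

// Best: no shell at all. proc_open() with an argv array executes the binary
// directly, so ";", "|", "$(...)" and friends are just bytes in an argument.
function pingNoShell(string $ip): ?string
{
    if (!isValidIp($ip)) {
        return null;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/bin/ping', '-c', '3', '-W', '2', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Validation results with constructed inputs:
var_dump(isValidIp('127.0.0.1'));                       // bool(true)
var_dump(isValidIp('::1'));                             // bool(true)
var_dump(isValidIp('127.0.0.1; echo crashtest'));       // bool(false)
var_dump(pingHardened('127.0.0.1 | cat /etc/passwd'));  // NULL: never reaches the shell
```

The allowlist check (isValidIp) is the part that actually closes the finding; escapeshellarg() and the argv form of proc_open() are there so that a future change to the validation rule does not silently reopen it.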

Recommendations
https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that feeds random or pre-defined data to a program as input. The random data simulates later real-world use, in which not only plausible data has to be processed. In this case the fuzzer looks for publicly reachable default paths through which attackers could gain access to the system. Such default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server grants access to a file or directory which might contain sensitive data This can eitherleak sensitive data itself or allow an attacker to use the provided information to prepare a furtherattack

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely fine to expose certain paths, as long as it happens on purpose. Paths exposed unintentionally should either be protected with Basic Auth (.htaccess) or removed, as they are usually not needed in a production environment. Of the paths listed above, /.git/, phpinfo.php, php.ini, /config/ and setup.php deserve immediate attention: they expose source history, the server's configuration and the application's setup functionality rather than documentation. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a vulnerability in the way an application builds SQL queries, caused by missing escaping or validation of meta-characters in user input. The attacker attempts to inject database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL command and therefore alters the result in the attacker's favour. With a successful attack the attacker is able to read data, modify it or delete it altogether, and may gain control over the server. The attacker has different ways to find the weakness; for example, it can be detected through response times (time-based blind injection) or error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that they may retrieve, change or delete data from it.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The short answer: never let user input become part of the SQL text. Escaping every potentially harmful character before concatenation is the weakest form of this and is easy to get wrong per database and per character set. There are several better ways, and most common frameworks support them. One option is to use an object-relational mapping library, which builds the queries itself. Where direct SQL queries are required, use so-called "prepared statements": the query contains placeholders for the user's values, the database parses the statement once, and the values are then transmitted separately from the query text, so they can never change its structure. Note that placeholders only work for values; table and column names or sort directions have to be mapped through a whitelist. More details on how to use these methods can be found in the knowledge database (see Recommendations).
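The concatenated query behind the 'id' finding beside its prepared-statement replacement, as an added example that is not DVWA's code or the report's. It uses an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs stand-alone; the users table and its rows are constructed for the demonstration, and the same PDO calls apply unchanged to the MySQL driver DVWA uses.

```php
<?php
// Added example (not DVWA's or Crashtest's code).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of returning false
]);
// With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES => false so that the
// server, not the client library, separates query text from parameter values.

// Constructed schema and data for the demo.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'admin', 'x'), (2, 'gordon', 'brown', 'y')");

// VULNERABLE: string concatenation, exactly what the boolean-based blind finding abuses.
function lookupVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE id = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the statement is parsed with a placeholder; the value travels
// separately and is compared as data, so it can never alter the query's structure.
function lookupHardened(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cannot stand in for identifiers (table or column names, ORDER BY
// direction). Those go through an explicit whitelist instead.
function listNamesOrderedBy(PDO $pdo, string $column): array
{
    $allowed = ['first_name' => 'first_name', 'last_name' => 'last_name'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $pdo->query('SELECT first_name FROM users ORDER BY ' . $allowed[$column]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demonstration with a tautology payload of the same kind the scanner used.
$attack = "1' OR '1'='1";
var_dump(count(lookupVulnerable($pdo, $attack)));   // int(2): every row comes back
var_dump(count(lookupHardened($pdo, $attack)));     // int(0): looked up literally, no such id
var_dump(lookupHardened($pdo, '2'));                // [['first_name' => 'gordon', 'last_name' => 'brown']]
var_dump(listNamesOrderedBy($pdo, 'last_name'));    // ['admin', 'gordon']
```

Both scanner payloads above append a boolean condition to the WHERE clause; with the prepared version the entire string "1' OR '1'='1" is compared against the id column as a single value and simply matches nothing.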


Recommendations
https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), still widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers, ensuring that valuable information such as usernames, passwords and credit card numbers cannot be read by someone observing the network traffic. The "S" in HTTPS stands for "secure": HTTP carried over TLS. A secure HTTPS connection requires a certificate. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, web servers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others are blocked by web browsers because they are outdated or issued by an unknown authority.

2.10.2 TLS Key Size

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The key of the TLS connection in use is too small and can therefore be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity
  Base Score: medium (4.3/10)
  Impact: low (2.9/10)
  Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity
  Base Score: high (8.2/10)
  Impact: medium (4.2/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity
  Base Score: high (7.4/10)
  Impact: medium (5.2/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the certificate authority (CA) in use, to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity
  Base Score: low (3.7/10)
  Impact: low (1.4/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to break such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity
  Base Score: high (7.4/10)
  Impact: medium (5.2/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity
  Base Score: medium (6.1/10)
  Impact: low (2.7/10)
  Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity
  Base Score: medium (4.3/10)
  Impact: low (2.9/10)
  Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity
  Base Score: low (3.7/10)
  Impact: low (1.4/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity
  Base Score: medium (4.3/10)
  Impact: low (1.4/10)
  Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The encryption algorithm in use has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the algorithms in use has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity
  Base Score: medium (6.5/10)
  Impact: low (2.5/10)
  Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for downloading further resources such as scripts, images or stylesheets. This can prevent various XSS and other Cross-Site Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity
  Base Score: medium (4.3/10)
  Impact: low (2.9/10)
  Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity
  Base Score: medium (6.5/10)
  Impact: low (3.6/10)
  Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity
  Base Score: high (7.4/10)
  Impact: medium (5.2/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity
  Base Score: medium (5.9/10)
  Impact: low (3.6/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for multiple inputs (a birthday collision). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity
  Base Score: high (7.4/10)
  Impact: medium (5.2/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity
  Base Score: medium (4.3/10)
  Impact: low (1.4/10)
  Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity
  Base Score: low (3.1/10)
  Impact: low (1.4/10)
  Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity
  Base Score: low (3.1/10)
  Impact: low (1.4/10)
  Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity
  Base Score: medium (4.8/10)
  Impact: low (2.5/10)
  Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high    CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low     CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


Contents

1 Overview 2
1.1 Vulnerability Overview 2
1.2 Scanner Overview 3
1.2.1 Status for executed Scanners 3
1.3 Findings Checklist 4
1.3.1 FILEINCLUSION 4
1.3.2 FINGERPRINTING 4
1.3.3 PORTSCAN 4
1.3.4 SQLINJECTION 4
1.3.5 DESERIALIZATION 5
1.3.6 XSS 5
1.3.7 XXE 6
1.3.8 COMMANDINJECTION 6
1.3.9 FUZZER 6
1.3.10 SSLTLS 7

2 Findings 12
2.1 DESERIALIZATION 12
2.1.1 What is this 12
2.1.2 Insecure Deserialization 12
2.2 FILEINCLUSION 13
2.2.1 What is this 13
2.2.2 Local File Inclusion 13
2.3 FINGERPRINTING 14
2.3.1 What is this 14
2.3.2 Fingerprint Web Application Framework 14
2.3.3 Fingerprint Web Server 16
2.4 PORTSCAN 17
2.4.1 What is this 17
2.4.2 Portscanner 17
2.5 XSS 18
2.5.1 What is this 18
2.5.2 Cross-Site Scripting (XSS) 18
2.6 XXE 20
2.6.1 What is this 20
2.6.2 XXE 20
2.7 COMMANDINJECTION 21
2.7.1 What is this 21
2.7.2 Command Injection 21
2.8 FUZZER 22
2.8.1 What is this 22
2.8.2 Sensitive Data Exposure 22
2.9 SQLINJECTION 24
2.9.1 What is this 24
2.9.2 SQL Injection 24
2.10 SSLTLS 26
2.10.1 What is this 26
2.10.2 TLS Key Size 26
2.10.3 SSL RC4 27
2.10.4 SSL Protocol Version 28
2.10.5 Certificate Revocation 29
2.10.6 SSL LOGJAM Common Primes 30
2.10.7 SSL Cipherlist LOW 31
2.10.8 X-XSS-Protection Header 32
2.10.9 SSL BEAST 33
2.10.10 SSL Cipherlist AVERAGE 34
2.10.11 X-Content-Type-Options Header 35
2.10.12 SSL Insecure Algorithm 36
2.10.13 Content-Security-Policy Header 37
2.10.14 SSL Cipher Block Chaining TLS1 38
2.10.15 X-Frame-Options Header 39
2.10.16 SSL Cipherlist 3DES IDEA 40
2.10.17 SSL SWEET32 41
2.10.18 SSL Trust 42
2.10.19 Referrer-Policy Header 43
2.10.20 SSL Cipher Block Chaining SSL3 44
2.10.21 Non Httponly Cookies 45
2.10.22 SSL POODLE 46
2.10.23 SSL Cipher Order 47
2.10.24 TLS Configuration 48
2.10.25 Missing HSTS 49
2.10.26 Insecure Cookies 50
2.11 Appendix 51
2.11.1 PHP 5.5.9 CVE Findings 51
2.11.2 Apache 2.4.7 CVE Findings 51

2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure Deserialization is an attack where a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and its behaviour (in PHP, magic methods such as __wakeup() or __destruct()) runs with the application's privileges, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization

Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix
Do not pass untrusted serialized data to the unserialize() function. Where PHP's serialization format cannot be avoided, restrict the classes unserialize() is allowed to instantiate; otherwise exchange data in a format that cannot carry objects, such as JSON, and validate its structure after decoding.

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization
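The following is an added example, not code from DVWA, the report or Crashtest Security. It shows why the "data" parameter above must not reach unserialize() and the two fixes named in "How to fix". The LogWriter class and the payload are constructed for illustration; the allowed_classes option needs PHP 7.0 or newer and JSON_THROW_ON_ERROR needs PHP 7.3, so neither is available on the PHP 5.5.9 found in 2.3.2.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): why the "data"
// parameter must not reach unserialize(), and two ways to fix it.
// LogWriter and the payload are constructed for illustration.

class LogWriter {
    public $path;
    public $content;
    // Runs automatically when the object is garbage-collected. Reached via
    // unserialize() on attacker data, this is an arbitrary file write.
    public function __destruct() {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable: whatever class the payload names is instantiated with
// attacker-chosen property values, and its magic methods run.
function handle_vulnerable(string $data) {
    return unserialize($data);
}

// Fix 1: keep PHP's format but forbid object instantiation (PHP 7.0+).
// Objects in the payload become __PHP_Incomplete_Class; no LogWriter
// destructor ever runs. Anything that still contains an object is rejected.
function handle_restricted(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

// Recursive check so that an object nested inside an array is caught too.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// Fix 2 (preferred): exchange plain data as JSON and validate its shape.
function handle_json(string $data): array {
    $value = json_decode($data, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value) || !isset($value['text']) || !is_string($value['text'])) {
        throw new InvalidArgumentException('unexpected structure');
    }
    return $value;
}

// Constructed attacker payload: a LogWriter whose destructor would drop a PHP
// file into the web root. handle_vulnerable($payload) would perform that write.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:19:"/var/www/html/x.php";'
         . 's:7:"content";s:16:"<?php phpinfo();";}';

try {
    handle_restricted($payload);   // rejected: the payload contains an object
} catch (InvalidArgumentException $e) {
    echo 'restricted: ', $e->getMessage(), "\n";
}
var_dump(handle_json('{"text":"hello"}'));
```

Fix 1 is only a stop-gap for code that cannot change its wire format; it still lets an attacker hand the application arbitrary nested arrays, so the decoded value must be validated exactly as in handle_json().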


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive, for example to identify existing user accounts or password hashes. In some cases it is possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the webserver and can also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with a payload referencing "/etc/passwd"

How to fix
Every user input has to be checked by the web application before it is used. For file inclusion, the files that are allowed to be included (the whitelist) are written into an array, and for every request the web application checks this whitelist before including the requested file. Never build the include path from the raw parameter; reject anything that is not an exact whitelist entry instead of trying to strip "../" sequences or wrapper prefixes from it.

Recommendations
https://wiki.crashtest-security.com/file-inclusion
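An added example (not DVWA's or Crashtest Security's code) of the whitelist approach from "How to fix" for the "page" parameter above. The page directory and the three page names are assumptions for illustration.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): the "page"
// parameter, first in the vulnerable pattern, then resolved via a whitelist.
// PAGE_DIR and the page names are assumptions.

const PAGE_DIR = __DIR__ . '/pages';

// Vulnerable: any path, including ../../../../etc/passwd or a php:// or
// data:// wrapper, goes straight to include().
function include_vulnerable(string $page): void {
    include PAGE_DIR . '/' . $page;
}

// Whitelist: the request value is only ever used as an array key, never as a
// path. Keys are what the client may say, values are the real files.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute file to include, or null if the request must be refused.
// Untyped parameter: $_GET['page'] may also arrive as an array (page[]=x).
function resolve_page($page): ?string {
    if (!is_string($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;                       // not in the whitelist
    }
    // Defence in depth: the resolved file must still lie inside PAGE_DIR even
    // if someone later edits the whitelist to contain a relative path.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function include_safe($page): void {
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Request handling would be: include_safe($_GET['page'] ?? null);
// Constructed checks of the resolver on typical attacker inputs:
foreach (['home', '../../../../etc/passwd', 'php://filter/convert.base64-encode/resource=index', ['x']] as $in) {
    echo is_string($in) ? $in : 'array', ' => ',
         resolve_page($in) === null ? 'refused' : 'allowed', "\n";
}
```

Because the client value is only a lookup key, traversal sequences, null bytes and stream wrappers never reach include() at all, which is the reason a whitelist is preferred over any attempt to sanitise the path.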


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server software or the programming languages in use, and it can reveal the version of the web application and of the libraries it uses. The analysis of this information is called fingerprinting. Fingerprinting gives an attacker valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or web application is known to be vulnerable, automated crawlers search the web for traces of that version and attack every host where they find one. It is therefore likely that a host is attacked simply because it leaks this information and thereby advertises that the application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) reveal their version. This lets attackers look for exploits specifically targeting the software in exactly that version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application there are multiple ways to remove version information. Some applications also publish the information in several places, which makes it harder to remove. Common places for version information are the file names of included libraries, like "jquery.3.2.1.min.js", or the documentation header within a file where the version number is stated in the first lines. While some information is required to be left within these files as part of the copyright notice, other information such as the version number can be removed. Other places are the footer of an application ("powered by WordPress 4.9.1") or meta tags within the head of the website. Unlike servers, most web applications cannot remove this information via a config file, so it has to be removed manually by editing the specific templates and files. For PHP itself the version leaks through the X-Powered-By response header, which is switched off with expose_php = Off in php.ini. Hiding the version does not fix the CVEs listed in the appendix; PHP 5.5.9 must also be updated. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage

2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver publicly provides information about itself, such as its name and version. This lets attackers look for exploits specifically targeting the webserver in exactly that version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares is set in its configuration files. Depending on the webserver, the configuration file is found in different locations (see Recommendations for the exact location). In most cases it is sufficient to change one or two settings (for Apache, ServerTokens and ServerSignature) to stop publishing unnecessary information. After saving the changes, restart or reload the webserver to activate them. Hiding the version only removes the hint; the 17 CVEs in the appendix remain until Apache 2.4.7 is updated.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that is used to connect to a specific service. For a webserver, port 80 and port 443, which serve HTTP and HTTPS, are most likely open to deliver the website to its users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan over a wide range of possibly open ports and reports those that are open. Any open port other than 80 and 443 should be blocked by the firewall if it is not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the webserver expose a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services to target.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) is the exploitation of a web application vulnerability that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007 XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data handled by the site. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to deliver malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'

How to fix
XSS is prevented by encoding user input for the context in which it is output, whether it is returned immediately (xss_r) or stored in a database and rendered later (xss_s). Escaping only "<script>" tags is not sufficient: the payloads above use an <svg> tag and contain no <script> tag at all. In HTML body and attribute contexts every HTML metacharacter (<, >, &, " and ') has to be encoded; for JavaScript, URL or CSS contexts a different encoder is needed. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting
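An added example (not DVWA's or Crashtest Security's code) for the reflected 'name' parameter of the first finding: the vulnerable echo, a "strip script tags" filter that the scanner's svg-style payload walks past, and the output encoding that fixes it. The page fragment and the probe string are constructed for illustration.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): output encoding
// for the reflected "name" parameter. The page fragment and the probe are
// constructed for illustration.

// Vulnerable: the value is written into the page verbatim.
function greet_vulnerable(string $name): string {
    return '<pre>Hello ' . $name . '</pre>';
}

// Not a fix: removing <script> tags leaves every other executable construct.
function strip_script_only(string $name): string {
    return str_ireplace(['<script', '</script>'], '', $name);
}

// Fixed: encode for the HTML body context. ENT_QUOTES also encodes single
// quotes, so the same helper is safe inside quoted attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greet_fixed(string $name): string {
    return '<pre>Hello ' . h($name) . '</pre>';
}

// Constructed probe in the style of the scanner's payload: an <svg> tag with
// an event handler and a UUID marker that is easy to find in the response.
$probe = '<svg/onload=alert(1) 4d2f0e3e-1c7f-4b9a-9e6f-2b0b3f1c9a10>';

echo greet_vulnerable($probe), "\n";                     // tag reaches the browser as-is
echo greet_vulnerable(strip_script_only($probe)), "\n";  // still an executable tag
echo greet_fixed($probe), "\n";                          // rendered as text, not markup

// The encoder is applied at output time, so stored XSS (xss_s) is handled the
// same way: store the raw string, encode it in the template that displays it.
```

Encoding at output rather than at input is what makes the fix complete: the database keeps the original text, and every template that renders it applies the encoder for its own context.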


2.6 XXE

2.6.1 What is this
XXE (XML External Entity) is a vulnerability that arises when web applications handle XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the XML document to an XML parser that resolves external entities, the entity's content (a local file or a remote URL) is fetched and placed into the document. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject a malicious XML document into the website, whose external entities are then resolved by the parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) declared in the XML document, or at least to never resolve external entities. In PHP's libxml this means never passing LIBXML_NOENT or LIBXML_DTDLOAD to the parser and, on PHP versions before 8.0, calling libxml_disable_entity_loader(true) before parsing.

Recommendations
https://wiki.crashtest-security.com/xxe-processing
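An added example (not DVWA's or Crashtest Security's code) of parsing the "xml" parameter above without resolving external entities, beside the flag combination that makes the finding exploitable. The expected document shape (creds/user/pass) is taken from the payload; everything else is an assumption.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): parsing the "xml"
// parameter with and without external entity resolution. The expected
// document shape <creds><user/><pass/></creds> is an assumption.

// Vulnerable: LIBXML_NOENT makes libxml substitute entities, so the SYSTEM
// entity is read from file:///etc/passwd and echoed back inside <user>.
function parse_vulnerable(string $xml): ?SimpleXMLElement {
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened: refuse any document carrying a DTD, and parse with entity
// substitution and network access off.
function parse_hardened(string $xml): ?SimpleXMLElement {
    // 1. A credentials document never needs a DOCTYPE; reject it up front.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // 2. Before PHP 8.0 the external entity loader is enabled by default.
    //    (PHP 8.0+ disables it by default and deprecates this call.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // 3. Collect parser errors instead of emitting warnings; never pass
    //    LIBXML_NOENT or LIBXML_DTDLOAD; LIBXML_NONET blocks remote fetches.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    // 4. Validate the shape before using anything from it.
    if ($doc === false || $doc->getName() !== 'creds'
        || !isset($doc->user, $doc->pass)) {
        return null;
    }
    return $doc;
}

// Constructed payload in the style of the finding.
$payload = "<?xml version='1.0' encoding='utf-8'?>"
    . "<!DOCTYPE creds [<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
    . "<creds><user>&user;</user><pass>&user;</pass></creds>";
$benign = "<creds><user>alice</user><pass>secret</pass></creds>";

echo parse_hardened($payload) === null ? "payload refused\n" : "payload accepted\n";
$ok = parse_hardened($benign);
echo $ok === null ? "benign refused\n" : 'benign user: ' . (string) $ok->user . "\n";
```

Step 1 is the actual fix for this endpoint; steps 2 and 3 are the defence that keeps a later refactoring (or a different parser call elsewhere in the application) from reintroducing entity resolution.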


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability caused by a web application passing data from an untrusted source to a system shell without proper validation. With this vulnerability an attacker can execute any system command available to the webserver's user, which can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be checked by the web application before it is used. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check. The safest fix is to not build a shell command line from the input at all: validate the value against the exact format that is expected (for the "ip" parameter above, a syntactically valid IP address), reject everything else, and quote any argument that still has to reach the shell with escapeshellarg().

Recommendations
https://wiki.crashtest-security.com/command-injection
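An added example (not DVWA's or Crashtest Security's code) for the "ip" parameter above: the vulnerable interpolation, then validation with filter_var() plus escapeshellarg() as defence in depth. The ping command line and the two test inputs are constructed for illustration.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): the "ip"
// parameter. The ping command line and the inputs are constructed.

// Vulnerable: the raw value is interpolated into a shell command line, so a
// ";"-separated command or a $((...)) expansion runs as the web server user.
function ping_vulnerable(string $ip): string {
    $out = shell_exec('ping -c 2 ' . $ip);
    return is_string($out) ? $out : '';
}

// Validation: accept only a syntactically valid IPv4/IPv6 address and return
// its canonical form, or null. This is the real fix; quoting is the backstop.
// Untyped parameter: $_POST['ip'] may also arrive as an array.
function validate_ip($ip): ?string {
    if (!is_string($ip)) {
        return null;
    }
    $valid = filter_var($ip, FILTER_VALIDATE_IP);
    return $valid === false ? null : $valid;
}

function ping_fixed($ip): string {
    $target = validate_ip($ip);
    if ($target === null) {
        return 'invalid address';
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so even if validation is loosened later the shell sees one word.
    $out = shell_exec('ping -c 2 ' . escapeshellarg($target));
    return is_string($out) ? $out : '';
}

// Constructed inputs: a benign address and an injection attempt in the style
// of the finding (shell arithmetic proves the input reached a shell).
$inputs = ['127.0.0.1', '127.0.0.1; echo crashtest-security$((12*12))', ['x']];
foreach ($inputs as $in) {
    $v = validate_ip($in);
    echo is_string($in) ? $in : 'array', ' => ',
         $v === null ? 'rejected' : 'accepted (' . $v . ')', "\n";
}
```

If the feature really needs hostnames as well as addresses, validate them against a strict hostname pattern rather than widening the filter, and keep escapeshellarg() in place.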


2.8 FUZZER

2.8.1 What is this
Fuzzing, also called robustness testing, fuzzy testing or negative testing, is a software testing technique that uses random or pre-defined data as input of a program. The random data simulates later use, in which not only plausible data must be processed. In this case the fuzzer looks for publicly reachable default paths through which attackers could gain information about or access to the system. Those default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory that might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is acceptable to expose certain paths, as long as it is on purpose. Others are exposed unintentionally. In the list above, the .git directory (full source and history), php.ini and phpinfo.php (interpreter settings and loaded modules) and the config directory (which in DVWA holds the database credentials) must not be reachable at all. Such paths can either be protected by Basic Auth (.htaccess) or be removed, as they are usually not needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure
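The following Apache 2.4 configuration is an added example, not part of the report, DVWA or Crashtest Security's knowledge base. It serves both the fingerprinting findings in 2.3.2 and 2.3.3 (ServerTokens, ServerSignature, the PHP X-Powered-By header) and the exposed paths of 2.8.2 above. The DocumentRoot /var/www/html and the assumption that DVWA's setup.php is no longer needed after installation are mine.

```apache
# Added example (not from the report, DVWA or Crashtest Security): Apache 2.4
# directives for the fingerprinting findings 2.3.2 and 2.3.3 and for the paths
# retrieved in finding 2.8.2. The DocumentRoot /var/www/html is an assumption.

# 2.3.3 Fingerprint Web Server: the Server header shrinks to "Apache" and
# error pages and directory listings lose their version line.
ServerTokens Prod
ServerSignature Off

# 2.3.2 Fingerprint Web Application Framework: PHP adds "X-Powered-By: PHP/5.5.9".
# The proper fix is expose_php = Off in php.ini; unsetting the header with
# mod_headers also covers deployments where php.ini is not under your control.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# 2.8.2 Sensitive Data Exposure: no generated listings for /docs and /config.
<Directory "/var/www/html">
    Options -Indexes
</Directory>

# The repository, the application config and the interpreter's own files
# must not be reachable through the web server at all.
<DirectoryMatch "^/var/www/html/\.git">
    Require all denied
</DirectoryMatch>
<Directory "/var/www/html/config">
    Require all denied
</Directory>
# setup.php is assumed to be finished with after installation.
<FilesMatch "^(php\.ini|phpinfo\.php|setup\.php|README\.md|CHANGELOG\.md)$">
    Require all denied
</FilesMatch>

# After "apachectl configtest" and a reload, re-check from outside:
#   curl -sI https://dvwa.dev.crashtest.cloud/ | grep -i '^server:'
#   curl -sI https://dvwa.dev.crashtest.cloud/.git/HEAD
# The first must show no version string, the second must be refused (403).
```

Denying access in the web server is the fallback; the more robust fix is to deploy without the .git directory, the docs and the install scripts in the first place, so that nothing sensitive is under the DocumentRoot to begin with.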


2.9 SQLINJECTION

2.9.1 What is this
SQL injection is the exploitation of a vulnerability in the way an application builds database queries, caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL command and therefore alters the result in favour of the attacker. With a successful attack the attacker is able to read data, modify it or delete it altogether, and in some configurations gain control over the server. The attacker has different ways to detect the flaw: for example, through differences in response time (time-based blind) or in error messages (error-based).

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The short answer: never concatenate user input into a SQL string. The most reliable way is to use so-called "prepared statements": queries that contain placeholders for the user's input, with the values bound separately, so the database never interprets them as SQL. Most common frameworks and Object-relational mapping (ORM) libraries do this for you, as long as raw query fragments are not built from user input. Escaping user input with a database-specific quoting function is only a fallback and is easy to get wrong, for instance for numeric parameters like "id" above that are not wrapped in quotes at all. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections
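An added example (not DVWA's or Crashtest Security's code) that rewrites the two findings above with PDO prepared statements: the numeric "id" lookup from /vulnerabilities/sqli and the login from /vulnerabilities/brute. The table and column names follow DVWA's users table but are assumptions here, and the DSN and credentials are placeholders.

```php
<?php
// Added example (not DVWA's or Crashtest Security's code): the two findings
// rewritten with PDO prepared statements. Table/column names follow DVWA's
// users table but are assumptions; DSN and credentials are placeholders.

function db(): PDO {
    return new PDO('mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4', 'dvwa', 'placeholder', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares; emulated prepares are client-side quoting.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Vulnerable (the pattern behind finding 1): the id is concatenated, so
// id=xyz' AND 8968=(...)-- becomes part of the query text.
function user_by_id_vulnerable(PDO $pdo, string $id): array {
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: placeholder plus explicit integer binding. A non-numeric id is
// rejected before it reaches the database at all.
function user_by_id(PDO $pdo, $id): array {
    if (!is_string($id) || !ctype_digit($id)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed login (finding 2): look the user up by name only and compare the
// password in PHP. The query never decides whether the password matches, so
// ' AND 5434=5434 AND 'bYyE'='bYyE has nothing to short-circuit, and the
// username is bound as a value rather than spliced into the SQL.
function login(PDO $pdo, $username, $password): bool {
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() expects password_hash() output; DVWA's stored MD5
    // values would have to be migrated for this to work.
    return $row !== false && password_verify($password, $row['password']);
}

// Usage, assuming the placeholder DSN is reachable:
// $pdo = db();
// var_dump(user_by_id($pdo, $_GET['id'] ?? null));
// var_dump(login($pdo, $_GET['username'] ?? null, $_GET['password'] ?? null));
```

The input check in user_by_id() is not what prevents injection (the placeholder does); it exists so that a malformed id is answered with an empty result instead of a database error that the scanner's error-based probes could read.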


2.10 SSLTLS

2.10.1 What is this
Transport Layer Security (TLS), more widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card numbers cannot be read by someone analysing the network traffic. The "S" in HTTPS stands for "secure", i.e. HTTP over SSL/TLS. For a secure HTTPS connection a certificate is needed. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates and protocol settings. With some misconfigurations it is possible to bypass or break the encryption; other certificates are blocked by web browsers because they are expired, revoked or issued by an unknown authority.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits

How to fix
The private key behind the server certificate is too small and is considered breakable by a well-resourced attacker; once factored, it lets an attacker impersonate the server and, for connections without forward secrecy, decrypt recorded traffic. A key cannot be "enlarged": generate a new private key of at least 2048 bits (RSA) or use an ECDSA key (for example P-256) and have a new certificate issued for it. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known biases in its keystream.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it; its use in TLS is prohibited by RFC 7465. Remove all RC4 cipher suites from the server's cipher list and rely on AEAD suites such as AES-GCM (or ChaCha20-Poly1305 where the TLS library supports it) instead. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver still offers deprecated SSL/TLS versions and has to be reconfigured so that only TLS 1.2 and, where the TLS library supports it, TLS 1.3 are enabled. In addition the webserver needs to be configured with strong and trusted certificates and with strong cipher suites. Note that the protocol version is independent of the certificate: disabling SSLv3, TLS 1.0 and TLS 1.1 is a change to the server's protocol setting, not to the certificate. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is badly configured regarding revoked certificates Certificate Revocation Lists(CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify theintegraty of a server certificate

Finding

bull Neither CRL nor OCSP URI provided

How to fixThe webserver is badly configured regarding revoked certificates Certificate Revocation Lists(CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify theintegrity of a server certificate If the certificate is compromised these techniques allow the userrespectively the used certificate authority (CA) to revoke the compromised certificate Thereforeone can issue a new (valid) certificate and the compromised certificate (used by an attacker)will produce warnings when a user accesses their website OCSP is the newer method to revokecertificates as it allows certificate authorities to revoke certificates much faster without theneed to update complete revocation lists potentially containing thousands of certificates Moredetails on how to enable OCSP can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomrenew-tls-certificates

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected, CVE-2015-4000.

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 is used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other Cross-Site-Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS V1 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL V3 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high - CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high - CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high - CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium - CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium - CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium - CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium - CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium - CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium - CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low - CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium - CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium - CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium - CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('//'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium - CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium - CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium - CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium - CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium - CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium - CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium - CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
      • Findings Checklist
        • FILEINCLUSION
        • FINGERPRINTING
        • PORTSCAN
        • SQLINJECTION
        • DESERIALIZATION
        • XSS
        • XXE
        • COMMANDINJECTION
        • FUZZER
        • SSL/TLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSL/TLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this
Insecure deserialization is an attack in which a manipulated serialized object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and the code attached to it is executed, which can result in SQL injection, path traversal, application denial of service and remote code execution.

2.1.2 Insecure Deserialization
Severity

Base Score: high (8.1/10)

Impact: medium (5.9/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Insecure deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()".

How to fix
Do not pass untrusted serialized objects to the unserialize() function. That a payload of phpinfo() was accepted implies the deserialized object ran a PHP function chosen by the scanner, i.e. remote code execution; any class on the include path with a __wakeup(), __destruct() or __toString() side effect becomes such a gadget once the attacker controls the serialized string. Data that only has to survive a round trip through the client should be exchanged as JSON and decoded with json_decode(), which never instantiates classes, and should be protected against tampering with an HMAC. If PHP's native format cannot be avoided, restrict instantiation with the allowed_classes option of unserialize() (PHP 7.0 and later; the PHP 5.5.9 fingerprinted in section 2.3.2 does not offer it).
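The following is an added example, not DVWA's own code and not part of the report: a vulnerable unserialize() call beside a hardened replacement that keeps client-held state as HMAC-authenticated JSON. The parameter name "data" comes from the finding above; the Profile class, the PROFILE_KEY secret and the page logic are hypothetical, and the code assumes PHP 7.1 or newer.

```php
<?php
// Added example, not DVWA's own code. The parameter name "data" comes from the
// finding; the Profile class, the PROFILE_KEY secret and the page logic are
// hypothetical. Requires PHP 7.1 or newer.

class Profile
{
    public $name  = 'anonymous';
    public $theme = 'light';
}

// Vulnerable: the client controls the serialized string, so it controls the class
// and every property of the object unserialize() builds. Any class on the include
// path with a __wakeup() or __destruct() side effect is a gadget for the attacker.
function loadProfileVulnerable(string $data): Profile
{
    return unserialize($data);
}

// Hardened: client-held state is stored as JSON (json_decode never instantiates a
// class), authenticated with an HMAC so the client cannot modify it, and only
// then mapped onto a freshly constructed object with validated fields.
const PROFILE_KEY = 'replace-with-a-random-32-byte-secret'; // hypothetical secret

function encodeProfile(Profile $p): string
{
    $json = json_encode(['name' => $p->name, 'theme' => $p->theme]);
    $mac  = hash_hmac('sha256', $json, PROFILE_KEY);          // hex, never contains "."
    return base64_encode($mac . '.' . $json);
}

function loadProfileHardened(string $data): ?Profile
{
    $raw = base64_decode($data, true);
    if ($raw === false || strpos($raw, '.') === false) {
        return null;
    }
    list($mac, $json) = explode('.', $raw, 2);
    // Constant-time comparison: a forged or tampered blob is rejected before parsing.
    if (!hash_equals(hash_hmac('sha256', $json, PROFILE_KEY), $mac)) {
        return null;
    }
    $fields = json_decode($json, true);
    if (!is_array($fields)) {
        return null;
    }
    $p = new Profile();
    $p->name  = substr((string)($fields['name'] ?? 'anonymous'), 0, 64);
    $p->theme = in_array($fields['theme'] ?? '', ['light', 'dark'], true) ? $fields['theme'] : 'light';
    return $p;
}

// If unserialize() cannot be removed for legacy data, at least forbid object
// instantiation (PHP >= 7.0; the PHP 5.5.9 fingerprinted in 2.3.2 has no such option).
function unserializeScalarsOnly(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Usage: $_GET['data'] is the parameter the scanner tampered with.
$profile = loadProfileHardened($_GET['data'] ?? '') ?? new Profile();
echo htmlspecialchars($profile->name, ENT_QUOTES, 'UTF-8');
```

The HMAC check runs before json_decode() so that a tampered blob is never parsed at all; the field validation afterwards is what keeps the object's invariants, since the client still chooses the JSON content it submits (it just cannot change it after signing).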

Recommendations
https://wiki.crashtest-security.com/insecure-deserialization


2.2 FILEINCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive, for example to identify existing user accounts or password hashes. In some cases it is possible to include files from a remote server under the attacker's control. This vulnerability can expose sensitive files on the webserver and can also result in remote code execution, which entirely compromises the target machine.

2.2.2 Local File Inclusion
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd".

How to fix
Every user input has to be validated by the web application before it is used. For example, the files which are allowed to be included (an allowlist) are written into an array, and for every request the web application checks whether the requested file is on that list before including it. Filtering "../" or blocking "/etc/passwd" is not sufficient: encoded variants, null bytes (on PHP before 5.3.4) and stream wrappers such as php://filter, which returns the source of any PHP file, bypass such denylists.
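The allowlist approach just described, as an added example (not DVWA's own code): the client supplies a key, the key is mapped to a fixed file, and the resolved path is additionally checked to lie inside the pages directory. The "page" parameter is the one from the finding; the page names and the pages/ directory are hypothetical, and the code assumes PHP 7.1 or newer.

```php
<?php
// Added example, not DVWA's own code. The "page" parameter is the one named in the
// finding; the page names and the pages/ directory are hypothetical. PHP 7.1+.

// Vulnerable: whatever the client sends is handed to include(). "../../../etc/passwd",
// "php://filter/convert.base64-encode/resource=config.php" (reads source) and, with
// allow_url_include=On, remote URLs are all accepted.
function renderPageVulnerable(string $page): void
{
    include($page);
}

// Hardened: the client supplies a key, the key is looked up in a fixed map, and
// the mapped path is what gets included. Nothing client-controlled reaches the
// filesystem API.
const PAGE_DIR       = __DIR__ . '/pages';
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Defence in depth: the resolved path must still be inside PAGE_DIR after
// symlinks and ".." are resolved, so a future mistake in the map cannot escape it.
function isInsideDir(string $path, string $dir): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

function resolvePage(string $page): ?string
{
    // Exact key match: "home/../x", "HOME" and "home%00" all miss the allowlist.
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;
    }
    $path = PAGE_DIR . '/' . PAGE_ALLOWLIST[$page];
    return isInsideDir($path, PAGE_DIR) ? $path : null;
}

function renderPageHardened(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include($path);
}

// Usage: $_GET['page'] is the attacked parameter; "/etc/passwd" now yields a 404.
renderPageHardened($_GET['page'] ?? 'home');
```

The map lookup is the actual control; the realpath() check costs one syscall per request and only exists so that a later edit to the map (a stray "../" in a value, a symlink in pages/) fails closed instead of silently reopening the hole.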

Recommendations
https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its clients often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages in use, and it can reveal the version of the web application and of its libraries. The analysis of this information is called fingerprinting. Fingerprinting gives an attacker valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or web application is known to be vulnerable, automated crawlers search the web for traces of that version and attack every host that shows them. It is therefore likely that a host gets attacked simply because it leaks this information and thereby advertises that its application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The installed web application framework(s) reveal their version. This gives attackers the possibility to look for exploits specifically targeting the software running in exactly this version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs.)

How to fix
Depending on the application there are several ways to remove version information, and some applications publish it in more than one place, which makes removal harder. Common places are the file names of included libraries, such as "jquery-3.2.1.min.js", or the documentation header within a file, where the version number is stated in the first lines. While some information has to stay in these files as part of the copyright notice, the version number can be removed. Other places are the footer of an application ("powered by WordPress 4.9.1") or meta tags in the head of the page. Unlike servers, most web applications cannot remove this information via a config file; it has to be removed manually by editing the specific templates and files. For PHP itself the version is advertised in the X-Powered-By response header, which is switched off with expose_php = Off in php.ini; the publicly reachable /phpinfo.php reported in section 2.8 discloses it anyway and has to be removed as well. Hiding the version is only cosmetic, however: PHP 5.5 has not received security fixes since July 2016, so the fix that actually matters is upgrading to a supported release. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server
Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver publicly provides information about itself, such as its name and version. This gives attackers the possibility to look for exploits specifically targeting the webserver in exactly this version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares is set in its configuration files, whose location depends on the webserver in use (see Recommendations for the exact location). In most cases changing one or two settings is sufficient to stop publishing unnecessary information; for Apache these are ServerTokens Prod and ServerSignature Off. After saving the changes, restart or reload the webserver to activate them. Note that this only removes the banner: the 17 CVEs listed in the appendix apply to 2.4.7 whether or not the version is advertised, and the version can still be inferred from behaviour, so the server should be updated to a release that contains the fixes.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which serve HTTP and HTTPS, are most likely open in order to deliver the website to its users. Other ports should be closed if they are not needed by any service. The portscanner probes the webserver with a SYN scan over a wide range of possibly open ports and reports those that answer. Any open ports other than 80 and 443 should be blocked by the firewall if they are not needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the webserver expose a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled. In this case only the two expected web ports are open, so no action is required beyond keeping it that way; port 80 should do nothing but redirect to HTTPS.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) is the exploitation of a vulnerability in a web application that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix
XSS is prevented by encoding user-controlled data for the context it is written into (HTML body, HTML attribute, JavaScript, URL) at the moment it is output, and by validating it when it comes in. Escaping only the "<script>" tag is not enough: the probes above are <svg> tags with an attribute and contain no script tag at all, and an injected event handler attribute executes just as well. In PHP, htmlspecialchars($value, ENT_QUOTES, 'UTF-8') covers the HTML body and quoted-attribute contexts; URLs additionally need their scheme checked, since encoding does not neutralise "javascript:". A Content-Security-Policy header (see 2.10.13) limits what an injected script can do wherever encoding was missed. More details on how to fix this problem can be found in the knowledge database (see Recommendations).
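Context-aware output encoding for the reflected and stored cases above, as an added example that is not DVWA's own code. The parameter names "name" (reflected), "txtName" and "mtxMessage" (stored guestbook) are taken from the findings; the guestbook storage and the page markup are hypothetical.

```php
<?php
// Added example, not DVWA's own code. Parameter names "name" (reflected) and
// "txtName"/"mtxMessage" (stored guestbook) come from the findings; the
// guestbook storage is a hypothetical in-memory array.

// Vulnerable reflected output: the raw parameter lands in the HTML body.
function helloVulnerable(string $name): string
{
    return '<pre>Hello ' . $name . '</pre>';
}

// Hardened: encode for the HTML body context. ENT_QUOTES also encodes ' and ",
// so the same helper is safe inside double- or single-quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function helloHardened(string $name): string
{
    return '<pre>Hello ' . h($name) . '</pre>';
}

// Stored XSS: encoding on the way in is fragile (the same data may later be
// emitted into a non-HTML context), so store the raw value with a length limit
// and encode at output time.
function renderGuestbook(array $entries): string
{
    $html = '';
    foreach ($entries as $e) {
        $html .= '<div class="entry">'
               . '<b>Name:</b> '    . h($e['name'])    . '<br>'
               . '<b>Message:</b> ' . nl2br(h($e['message']))
               . '</div>' . "\n";
    }
    return $html;
}

// Attribute context carrying a URL: encoding alone does not stop "javascript:"
// URLs, so the scheme is validated as well before the value is encoded.
function safeHref(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// Usage with the scanner's probe as input (constructed sample data):
$probe   = '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>';
$entries = [['name' => $probe, 'message' => "line1\nline2 <img src=x onerror=alert(1)>"]];
echo helloHardened($probe), "\n";
echo renderGuestbook($entries);
echo '<a href="' . safeHref('javascript:alert(1)') . '">link</a>', "\n";
```

The helper h() is deliberately tiny so that it can be used everywhere a value is interpolated into HTML; the one context it does not cover is raw JavaScript (inside a <script> block), where data should be passed as JSON in a data attribute and read from the DOM rather than concatenated into code.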

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this
XXE (XML External Entity injection) is a vulnerability that arises when web applications process XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the entity is fetched, which can read local files or reach internal network services. This can lead to sensitive data exposure or, depending on parser and platform, remote code execution.

2.6.2 XXE
Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed by the XML parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

The payload declares an external entity pointing at file:///etc/passwd and references it in both elements; the finding means the server resolved the entity and reflected the file's content.

How to fix
If XML documents come from an untrusted source, the XML processor must be configured to disallow any document type definition (DTD) included in the document, or at the very least to never resolve external entities. In PHP this means: do not pass LIBXML_NOENT or LIBXML_DTDLOAD to DOMDocument or SimpleXML, pass LIBXML_NONET, and reject documents that contain a DOCTYPE before they reach the parser. libxml_disable_entity_loader(true) is the traditional global switch on PHP 5 and 7; from PHP 8.0 on external entity loading is disabled by default and the function is deprecated.
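A parser that rejects the payload above before libxml sees a DTD, as an added example that is not DVWA's own code. The "xml" parameter and the creds/user/pass element names are taken from the finding; the handler and the sample documents are hypothetical, and the code assumes PHP 7.1 or newer with ext-dom.

```php
<?php
// Added example, not DVWA's own code. The "xml" parameter and the creds/user/pass
// element names are taken from the finding; the handler itself is hypothetical.

// Vulnerable: entity substitution is switched on and the DTD is honoured, so
// <!ENTITY user SYSTEM 'file:///etc/passwd'> is read and reflected.
function parseCredsVulnerable(string $xml): ?array
{
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD)) {
        return null;
    }
    return ['user' => textOf($dom, 'user'), 'pass' => textOf($dom, 'pass')];
}

function textOf(DOMDocument $dom, string $tag): string
{
    $node = $dom->getElementsByTagName($tag)->item(0);
    return $node === null ? '' : $node->textContent;
}

// Hardened: reject any document that declares a DOCTYPE before the parser sees
// it, never enable entity substitution or DTD loading, forbid network access,
// and install an entity loader that refuses every external entity.
function parseCredsHardened(string $xml): ?array
{
    if (strlen($xml) > 65536) {             // cheap cap against entity-expansion DoS
        return null;
    }
    if (preg_match('/<!DOCTYPE/i', $xml)) {  // no DTD means no entity declarations
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    libxml_set_external_entity_loader(function ($public, $system, $context) {
        return null;                         // refuse: never fetch file://, http://, ...
    });
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $dom->documentElement === null || $dom->documentElement->tagName !== 'creds') {
        return null;
    }
    return ['user' => textOf($dom, 'user'), 'pass' => textOf($dom, 'pass')];
}

// Constructed samples: the scanner's payload from the finding, then a benign document.
$payload = "<?xml version='1.0' encoding='utf-8'?>"
         . "<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
         . "<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
         . "<creds><user>&user;</user><pass>&user;</pass></creds>";
var_dump(parseCredsHardened($payload));                                        // NULL
var_dump(parseCredsHardened('<creds><user>bob</user><pass>hunter2</pass></creds>'));
```

The DOCTYPE pre-check is the control that does not depend on libxml defaults, which differ between PHP versions; the custom entity loader is the backstop for the case where a DOCTYPE slips through (for example inside a CDATA section that a naive regex would also match, which here errs on the side of rejecting).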

Recommendations
https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability caused by a web application passing data from an untrusted source to a system shell without proper validation. With this vulnerability an attacker can execute any system command available to the webserver's user, which can lead to an entirely compromised system.

2.7.2 Command Injection
Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

The $((1212)) in the payload is shell arithmetic; the marker string followed by its evaluated value appearing in the response proves that the input reached a shell.

How to fix
Every user input has to be validated by the web application before it is used. Untrusted input must not be passed to functions such as exec(), system(), shell_exec(), passthru() or the backtick operator without strict validation, and that validation has to be an allowlist for the expected type (here: an IP address) rather than a denylist of shell metacharacters. Even validated values should be passed through escapeshellarg(), and where possible the shell should be avoided altogether by executing the binary directly with an argument array.
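The three levels of fix just described for a ping page, as an added example that is not DVWA's own code: the vulnerable concatenation, type validation plus escapeshellarg(), and execution without a shell. The "ip" parameter is the one from the finding; the ping wrapper is hypothetical and the no-shell variant assumes PHP 7.4 or newer (proc_open() with an argument array).

```php
<?php
// Added example, not DVWA's own code. The "ip" parameter is the one from the
// finding; the ping wrapper is hypothetical. proc_open() with an array needs PHP >= 7.4.

// Vulnerable: the parameter is concatenated into a shell command line, so
// separators, substitutions and $((...)) arithmetic are evaluated by /bin/sh.
function pingVulnerable(string $ip): string
{
    return (string) shell_exec('ping -c 3 ' . $ip);
}

// Hardened, step 1: validate against the expected type. An IPv4 literal has no
// business containing spaces, semicolons or dollar signs, so reject early.
function isIpv4(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Hardened, step 2: even a validated value is passed as a single quoted argument.
// escapeshellarg() wraps it in single quotes and escapes embedded quotes, so the
// shell sees exactly one literal word whatever the content.
function pingHardened(string $ip): ?string
{
    if (!isIpv4($ip)) {
        return null;
    }
    return (string) shell_exec('ping -c 3 ' . escapeshellarg($ip));
}

// Hardened, preferred: no shell at all. proc_open() with an argv array executes
// the binary directly, so there is nothing to inject into.
function pingNoShell(string $ip): ?string
{
    if (!isIpv4($ip)) {
        return null;
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/bin/ping', '-c', '3', $ip], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed sample: the scanner's probe is rejected, a real address is pinged.
var_dump(pingHardened('127.0.0.1; echo crashtest-security$((1212))')); // NULL
echo pingNoShell('127.0.0.1');
```

Validation is listed first because it is the step that makes the error visible to the caller; escapeshellarg() on its own would silently pass the probe to ping as a bogus hostname, which is safe but hides that an attack was attempted.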

Recommendations
https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this
Fuzzing, also called robustness testing, fuzzy testing or negative testing, is a software testing technique that feeds random or pre-defined data to a program. The random data simulates real-world use, in which not only plausible data has to be processed. Here the fuzzer looks for publicly reachable default paths through which attackers could gain access to the system; such default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure
Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is fine to expose certain paths, as long as it is done on purpose; other paths are exposed unintentionally. Such paths can either be protected by Basic Auth (.htaccess) or, better, removed, since they are usually not needed in a production environment. The paths found here deserve attention: /.git exposes the repository, from which the complete source code and its history can be reconstructed with off-the-shelf tools; /phpinfo.php prints the full PHP configuration including loaded modules and file system paths; /php.ini and /config may contain database credentials; and in DVWA /setup.php is the installer, which (re)initialises the database. Directory listings for /config and /docs should be disabled as well. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).
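An Apache 2.4 configuration that applies both the server fingerprinting fix from section 2.3.3 (version banners) and the path exposure fix above, with the observed settings shown beside the hardened ones. This is an added example, not part of the report or of the DVWA project; the paths are the ones retrieved in this section, while the DocumentRoot and the use of a vhost-level config are assumptions. Denying the paths in the web server is a stopgap for files that cannot be deleted immediately; removing them from the deployment is the actual fix.

```apache
# Added example, not part of the report or of DVWA. The denied paths are the ones
# retrieved in section 2.8; the DocumentRoot /var/www/html is hypothetical.
#
# --- Before (what the scanner observed) -------------------------------------
# ServerTokens Full        # Server: Apache/2.4.7 (...) PHP/5.5.9 ...
# ServerSignature On       # version repeated in error pages and directory listings
# Options +Indexes         # /config and /docs listable
# (no rules for .git, phpinfo.php, setup.php, php.ini, *.md)
# php.ini: expose_php = On # X-Powered-By: PHP/5.5.9
#
# --- After ------------------------------------------------------------------
# php.ini: expose_php = Off   (removes the X-Powered-By header; restart PHP-FPM/Apache)
ServerTokens Prod              # Server: Apache
ServerSignature Off
TraceEnable Off

<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

# Deny the repository and every other dot-directory or dot-file (.git, .env, .htpasswd).
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Development artefacts that have no business on a production host.
<LocationMatch "^/(phpinfo\.php|setup\.php|instructions\.php|about\.php|php\.ini|README\.md|CHANGELOG\.md)$">
    Require all denied
</LocationMatch>
<LocationMatch "^/(config|docs)(/|$)">
    Require all denied
</LocationMatch>
```

After reloading, a request for /.git/HEAD or /phpinfo.php must return 403 rather than 200; checking the Server header of the same response confirms that ServerTokens Prod took effect.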

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a vulnerability caused by the lack of escaping or validation of meta-characters in user input that ends up in a SQL query. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the injected code changes the original SQL command and therefore alters the result in the attacker's favour. With a successful attack the attacker is able to read data, modify or delete it, and in some setups gain control over the server. There are different ways to find and exploit the weakness; for example, an injection can be confirmed blindly through response times or error messages.

2.9.2 SQL Injection
Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from it.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

Both payloads close the original string literal and append a condition whose truth value the attacker controls; the scanner confirmed the injection by comparing the responses for true and false conditions, so no error message was needed. The second finding is on a login form, where control over the WHERE clause typically allows authentication to be bypassed.

How to fix
Use parameterized queries (prepared statements with bound parameters). The query text is sent to the database separately from the data, so user input can never change the structure of the statement, no matter which characters it contains. Most frameworks and all object-relational mapping libraries provide this by default; where direct SQL is required, use the prepared-statement API of the database driver (PDO or mysqli in PHP). Escaping input with functions such as mysqli_real_escape_string() is a weaker fallback: it only helps inside string literals, and it is easy to forget in one place. Validating the type of each parameter (an integer id must consist of digits) in addition rejects most payloads before they reach the database at all. More details on how to use these methods can be found in the knowledge database (see Recommendations).
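Parameterized queries for the two injected endpoints, as an added example that is not DVWA's own code. The "id", "username" and "password" parameters are the ones from the findings; the table and column names, the DSN and the credentials are hypothetical placeholders, and the code assumes PHP 7.1 or newer with PDO and a MySQL-compatible database.

```php
<?php
// Added example, not DVWA's own code. The "id", "username" and "password"
// parameters come from the findings; table/column names, DSN and credentials
// are hypothetical placeholders.

function db(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4', 'dvwa', 'p@ssw0rd', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Vulnerable: string concatenation. id = "xyz' AND 8968=(...)-- " rewrites the query.
function getUserVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is compiled with a placeholder, then the value is bound.
// Quotes, comments and UNIONs in $id are just characters inside a parameter.
function getUserHardened(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {                 // type check first: user_id is an integer
        return [];
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login check for the /brute form: parameterized lookup plus a password hash
// comparison in PHP, so neither parameter can alter the SQL.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE user = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is missing, so the response time
    // does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    return $row !== false && $ok;
}

// Usage with the scanner's payloads (constructed): both are now plain strings.
$pdo = db();
var_dump(getUserHardened($pdo, "xyz' AND 8968=(SELECT 1)-- mFLn"));           // array(0) {}
var_dump(login($pdo, "xyz' AND 5434=5434 AND 'bYyE'='bYyE", 'Crashtest123')); // bool(false)
```

ATTR_EMULATE_PREPARES is switched off so that the MySQL server itself separates query and parameters; with emulation on, PDO interpolates the escaped values client-side, which is still safe for string parameters but loses the structural guarantee and the server-side type checks.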


Recommendations
https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), still widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers, so that valuable information such as usernames, passwords and credit card numbers cannot be read by someone observing the network traffic. The "S" in HTTPS stands for "Secure": HTTP carried over TLS. For an HTTPS connection the server needs a certificate. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, webservers must use correctly configured certificates and protocol settings: with some misconfigurations it is possible to bypass the encryption, and other certificates are blocked by web browsers because they are outdated, too weak or issued by an unknown authority.

2.10.2 TLS Key Size
Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection heavily depends on the size of the server's key. The server uses a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix
The key of the server certificate is too small. 1024-bit RSA has been below the accepted minimum of 2048 bits since 2013, publicly trusted CAs have not issued such certificates since then, and browsers began removing 1024-bit CA certificates from their trust stores in 2014. Generate a new private key of at least 2048 bits (or an ECDSA P-256 key, which is smaller and faster) and obtain a new certificate for it; re-issuing a certificate for the existing 1024-bit key does not help. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure because of multiple known biases in its keystream.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
RC4 is considered insecure because of its known vulnerabilities and has been prohibited for use in TLS by RFC 7465 since 2015. Remove all RC4 suites from the cipher list (in OpenSSL syntax, append "!RC4") and rely on authenticated-encryption suites such as AES-GCM or ChaCha20-Poly1305. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version
Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weaknesses that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver offers deprecated SSL/TLS versions and needs to be reconfigured. No version of SSL should be enabled at all; TLS 1.0 and 1.1 should be disabled as well, leaving TLS 1.2 and, where the software supports it, TLS 1.3 (in Apache httpd, TLS 1.3 requires release 2.4.36 or later built against OpenSSL 1.1.1, which the 2.4.7 fingerprinted in section 2.3.3 cannot provide, so this finding is tied to the server upgrade). In addition, the webserver needs strong and trusted certificates and a strong cipher suite list. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate offers no way to check whether it has been revoked. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are what allow users to verify that a server certificate is still valid.

Finding

• Neither CRL nor OCSP URI provided

How to fix
Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the validity of a server certificate. If the private key is compromised, these mechanisms allow the certificate authority (CA) to revoke the certificate; a new, valid certificate is issued, and the compromised one, now usable by an attacker, produces warnings when a client checks it. OCSP is the newer mechanism for checking revocation: it answers for a single certificate instead of requiring clients to download complete revocation lists potentially containing thousands of entries. The URIs for both are embedded in the certificate by the issuing CA (the CRL Distribution Points and Authority Information Access extensions); a certificate without them, typically a self-signed or internal test certificate, cannot be fixed in the webserver configuration. Obtain a certificate from a CA that includes them and enable OCSP stapling on the server (SSLUseStapling on in Apache), so that clients receive the status together with the handshake. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes
Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to LOGJAM, an attack on the Diffie-Hellman key exchange with 512- to 1024-bit groups. Most servers use the same few pre-generated primes, so an attacker who invests once in the precomputation for such a prime can break the key exchange of every server that uses it, which makes the attack far easier and cheaper.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000)

How to fix
LOGJAM attacks are prevented by using strong ciphers and avoiding weak and shared primes: disable the export-grade DHE suites, generate a unique Diffie-Hellman group of at least 2048 bits for the server, or prefer ECDHE suites so that finite-field Diffie-Hellman is not offered at all. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW
Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support weak ciphers of the OpenSSL classes "LOW", DES, RC2 and RC4. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are offered by the server. You should use stronger ciphers.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection, for example by steering the negotiation towards one of them. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values: remove the LOW, EXPORT, DES, 3DES, RC2, RC4, NULL and anonymous suites, prefer authenticated-encryption suites with ECDHE key exchange, and enable server-side cipher ordering. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header
Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser how its built-in reflected-XSS filter should behave. If this header is not configured correctly, attacks may not be blocked despite being detected by the filter.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' so that XSS attacks detected by the browser are sanitized or blocked. Treat this as a legacy control rather than a fix: the filter only ever applied to reflected XSS, Firefox never implemented it, and Chromium-based browsers removed their XSS Auditor in 2019, not least because the filter mode could itself be abused to leak page content, which is why current guidance prefers the value '0'. The effective defences are output encoding (see 2.5) and a Content-Security-Policy header (see 2.10.13).

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST
Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialisation vectors of cipher block chaining (CBC) mode in SSLv3 and TLS 1.0, an attacker in a man-in-the-middle position can decrypt parts of the traffic, such as authentication cookies.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix
BEAST attacks are prevented by ensuring that neither SSLv3 nor TLS 1.0 is used; the CBC weakness was fixed with explicit per-record IVs in TLS 1.1. Modern browsers already negotiate TLS 1.2 and apply client-side mitigations, which is why the finding is marked "likely mitigated"; disabling the old protocol versions (see 2.10.4) removes it entirely. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity
Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity
Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for downloading further resources such as scripts, images or stylesheets. This can prevent various Cross-Site-Scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity
Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity
Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for multiple inputs (a birthday collision). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity
Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity
Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc), matching cipher in list missing) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

[high] CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

[high] CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

[high] CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

[medium] CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

[medium] CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

[medium] CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


[medium] CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

[medium] CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

[medium] CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

[low] CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

[medium] CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

[medium] CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

[medium] CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

[medium] CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

[medium] CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


[medium] CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

[medium] CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

[medium] CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

[medium] CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

[medium] CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per the vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2 Findings

2.1 DESERIALIZATION

2.1.1 What is this

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

2.1.2 Insecure Deserialization

Severity
Base Score: high (8.1/10)
Impact: medium (5.9/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description

Insecure Deserialization allows an attacker to inject a manipulated object into the web application.

Finding

• Found insecure deserialization for method "get" with parameter "data" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/deserialize" with payload "phpinfo()"

How to fix

Do not pass untrusted serialized objects to the unserialize function.

Recommendations

https://wiki.crashtest-security.com/insecure-deserialization

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 12 of 54

2.2 FILE INCLUSION

2.2.1 What is this
Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under the control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion
Severity
Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding
• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi" with payload "/etc/passwd".

How to fix
Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request, the web application should check the whitelist to see whether the requested file is allowed for inclusion.

Recommendations
https://wiki.crashtest-security.com/file-inclusion

2.3 FINGERPRINTING

2.3.1 What is this
The responses a server sends to its client often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework
Severity
Base Score: high (7.5/10)
Impact: -
Exploitability: -
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The installed web application framework(s) offer information about their version. This opens attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding
• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix "PHP 5.5.9 CVE Findings" for a detailed list of the CVEs).

How to fix
Depending on the used application, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filename of included libraries like "jquery-3.2.1.min.js" or the documentation within a file, where the version number is stated within the first lines. While some information is required to be left within these files as part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by WordPress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file; it therefore needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage

2.3.3 Fingerprint Web Server
Severity
Base Score: medium (6.8/10)
Impact: -
Exploitability: -
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The webserver publicly provides information about itself such as the name or version. This opens attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding
• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs).

How to fix
The amount of information a server is sharing can be set in its configuration files. Depending on the used webserver, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate the changes.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting

2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner
Severity
Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Unneeded open ports on the webserver open a large attack surface to a malicious user. This can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding
• Found open port "80/tcp" with service name "Apache httpd".
• Found open port "443/tcp" with service name "Apache httpd".

How to fix
Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner

2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications by causing an attacker to infect web pages with client-side scripts that are invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS can be anything between a small nuisance and a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data or place external content like advertisement, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)
Severity
Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'.
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'.
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'.
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'.
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'.
• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'.

How to fix
XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/cross-site-scripting

2.6 XXE

2.6.1 What is this
XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE
Severity
Base Score: critical (9.4/10)
Impact: medium (5.5/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
XXE allows an attacker to inject malicious XML documents into the website, which are then executed. This can lead to sensitive data disclosure or remote code execution.

Finding
• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>".

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations
https://wiki.crashtest-security.com/xxe-processing

2.7 COMMAND INJECTION

2.7.1 What is this
Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection
Severity
Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Command injection allows an attacker to execute arbitrary system commands.

Finding
• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))".

How to fix
Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations
https://wiki.crashtest-security.com/command-injection

2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure
Severity
Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding
• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.
• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix
In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be exposed unintentionally. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure

2.9 SQL INJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work, the attacker has different ways to breach the system; for example, it is possible to find a way into the system via response times or error messages.

2.9.2 SQL Injection
Severity
Base Score: critical (9.1/10)
Impact: medium (5.2/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Your application is vulnerable to an SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding
• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn
• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use Object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; while binding the input into the query, the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections

2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS, a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size
Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in weak encryption.

Finding
• The certificate key size is RSA 1024 bits.

How to fix
The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size

2.10.3 SSL RC4
Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding
• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4

2.10.4 SSL Protocol Version
Severity
Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding
• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.
• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.
• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.5 Certificate Revocation
Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding
• Neither CRL nor OCSP URI provided.

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates

2.10.6 SSL LOGJAM Common Primes
Severity
Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding
• LOGJAM vulnerability detected: CVE-2015-4000.

How to fix
LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW
Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding
• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header
Severity
Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding
• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud.

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST
Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding
• VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated).

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE
Severity
Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is configured to support average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding
• The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header
Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X-Content-Type-Options header prevents the browser from trying to detect MIME-types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME-type.

Finding
• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud.

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME-types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm
Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The used encryption algorithm has severe security issues.

Finding
• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header
Severity
Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other Cross-Site-Scripting attacks.

Finding
• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud.

How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

DVWA - 24 Mar 20 2334 CET

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES/IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes collisions (the same output block for multiple inputs) likely. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
      • Findings Checklist
        • FILEINCLUSION
        • FINGERPRINTING
        • PORTSCAN
        • SQLINJECTION
        • DESERIALIZATION
        • XSS
        • XXE
        • COMMANDINJECTION
        • FUZZER
        • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
    • Appendix
      • PHP 5.5.9 CVE Findings
      • Apache 2.4.7 CVE Findings


2.2 FILEINCLUSION

2.2.1 What is this

Local/remote file inclusion is a vulnerability which is caused by including files into the web application without validating which file is going to be included. The attacker attempts to include arbitrary files from the webserver's hard drive to identify existing user accounts or passwords. In some cases it is possible to include files from a remote server which is under control of the attacker. This vulnerability can lead to exposing sensitive files on the webserver and could also result in a remote code execution, which would entirely compromise the target machine.

2.2.2 Local File Inclusion

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Local file inclusion allows an attacker to include arbitrary local files into the website.

Finding

• Found file inclusion with method "get" for parameter "page" on "https://dvwa.dev.crashtest.cloud/vulnerabilities/fi/" with payload "/etc/passwd"

How to fix

Every user input has to be checked for malicious requests by the web application. For example, the files which are allowed to be included (whitelisted) are written into an array. For every request, the web application should check the whitelist to see whether the requested file is allowed for inclusion.

Recommendations

https://wiki.crashtest-security.com/file-inclusion


2.3 FINGERPRINTING

2.3.1 What is this

The responses a server sends to its client often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack. Without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

Base Score: high (7.5/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The installed web application framework(s) offer information about their version. This opens attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs.)

How to fix

Depending on the used application, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove it. Common places for version information are the filename of included libraries like "jquery.3.2.1.min.js" or the documentation within a file where the version number is stated within the first lines. While some information is required to be left within these files as a part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by Wordpress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file, and therefore it needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver publicly provides information about itself, such as its name or version. This opens attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs.)

How to fix

The amount of information a server is sharing can be set in its configuration files. Depending on the used webserver, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate the changes.

Recommendations

https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any other open ports apart from port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner

2.5 XSS

2.5.1 What is this

Cross-site scripting (XSS) refers to exploiting a vulnerability in web applications that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007 XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data handled by the application. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Cross-Site Scripting (XSS) allows an attacker to deliver malicious client-side code to other users of the application.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>'.

How to fix

XSS is prevented by encoding user-controlled data according to the context in which it is written back into the page (HTML text, attribute value, JavaScript, URL) and by validating it before it is stored. In most cases the attacker injects JavaScript, but escaping only the "<script>" tags is not sufficient: the payloads above use an <svg> element rather than a script tag, so every character that has a special meaning in the output context must be encoded. Note that the xss_r finding is reflected while the xss_s (guestbook) findings are stored and hit every visitor, and that the session cookie lacks the HttpOnly flag (see finding 2.10.21), so a successful injection can take over sessions. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting
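The following Python is an added example, not code from the report or from DVWA. It contrasts the advice "escape the <script> tags" with contextual output encoding: a constructed <svg onload=…> payload (assumed here; the scan's own payloads are <svg> elements as well) passes a script-tag filter untouched, while html.escape renders it inert in both a text node and an attribute. The guestbook sink, field names and the has_markup check are this example's own constructions.

```python
import html
import re

# Constructed payload for this example. The scan's own payloads are <svg ...>
# elements too, which is why a filter aimed only at <script> is not enough.
PAYLOAD = "<svg onload=alert(1)>"


def naive_script_filter(user_input: str) -> str:
    """The 'escape the <script> tags' approach: removes that one tag and nothing else."""
    return re.sub(r"</?script[^>]*>", "", user_input, flags=re.IGNORECASE)


def render_html_text(user_input: str) -> str:
    """Encoding for an HTML text node: <, >, &, ' and " all become entities."""
    return html.escape(user_input, quote=True)


def render_attribute(name: str, user_input: str) -> str:
    """Encoding for a double-quoted attribute; the quote must be encoded to stay inside it."""
    return f'{name}="{html.escape(user_input, quote=True)}"'


def render_guestbook_entry(name: str, message: str) -> str:
    """Sink shaped like the stored-XSS guestbook (txtName / mtxMessage in the findings).

    Each value is encoded for the exact context it lands in: the author name goes into
    an attribute and into a text node, the message into a text node.
    """
    return (
        f'<div class="entry" {render_attribute("data-author", name)}>'
        f"<b>{render_html_text(name)}</b>: {render_html_text(message)}</div>"
    )


def has_markup(fragment: str) -> bool:
    """Check used by this example: is there still a tag-like construct in the output?"""
    return re.search(r"<\s*[A-Za-z]", fragment) is not None
```

Run has_markup over both outputs to see the difference: the filtered payload still starts a tag, the encoded one is plain text to the browser. The same rule applies to the 'name', 'data', 'text' and 'title' parameters above, each in whatever context the page echoes them.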

2.6 XXE

2.6.1 What is this

XXE (XML External Entity injection) is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the entity is fetched and its content is substituted into the document. This can lead to sensitive data exposure (local files such as /etc/passwd, internal URLs) or, depending on the parser and its extensions, even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

XXE allows an attacker to inject a malicious XML document into the website, which is then parsed on the server. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload: <?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>

The payload declares the external entity "user" pointing at /etc/passwd and references it in the document body; the file content appearing in the response confirms that the parser resolves external entities.

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to reject any document type definition (DTD) included in the document, or at least to disable the resolution of external entities. In PHP this means not passing LIBXML_NOENT or LIBXML_DTDLOAD to the parser and, on PHP versions before 8.0, calling libxml_disable_entity_loader(true) before parsing.

Recommendations

https://wiki.crashtest-security.com/xxe-processing
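The following Python is an added example, not part of the report and not DVWA code. It rebuilds the report's payload shape with Python's xml.sax parser in the two configurations the finding is about: one that accepts the DTD and resolves SYSTEM entities (feature_external_ges switched on, which is what the scan exploited), and one that refuses any DOCTYPE before an entity is touched. A temporary file with a constructed passwd-style line stands in for /etc/passwd; the target file and the DTDNotAllowed exception are this example's own.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler, xmlreader


class DTDNotAllowed(ValueError):
    """Raised by the hardened parser as soon as an untrusted document carries a DOCTYPE."""


class _Handler(handler.ContentHandler):
    """Collects character data and implements the LexicalHandler callbacks expat uses."""

    def __init__(self, allow_dtd):
        super().__init__()
        self.allow_dtd = allow_dtd
        self.text = []

    def characters(self, content):
        self.text.append(content)

    # LexicalHandler interface: startDTD fires when <!DOCTYPE ...> is seen.
    def startDTD(self, name, public_id, system_id):
        if not self.allow_dtd:
            raise DTDNotAllowed("DOCTYPE %r rejected" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def _parse(xml_bytes, allow_dtd, resolve_external):
    h = _Handler(allow_dtd)
    parser = xml.sax.make_parser()
    parser.setContentHandler(h)
    parser.setProperty(handler.property_lexical_handler, h)
    # feature_external_ges is the switch that makes expat fetch SYSTEM entities.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    src = xmlreader.InputSource()
    src.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(src)
    return "".join(h.text)


def parse_vulnerable(xml_bytes):
    """Accepts a DTD and resolves external entities: the configuration the scan hit."""
    return _parse(xml_bytes, allow_dtd=True, resolve_external=True)


def parse_untrusted(xml_bytes):
    """Hardened: refuses any DOCTYPE and never resolves external entities."""
    return _parse(xml_bytes, allow_dtd=False, resolve_external=False)


def xxe_payload(target_uri):
    """The report's payload shape, pointed at an arbitrary file URI."""
    return (
        "<?xml version='1.0' encoding='utf-8'?>"
        "<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
        "<!ENTITY user SYSTEM '%s'>]>" % target_uri
        + "<creds><user>&user;</user><pass>&user;</pass></creds>"
    ).encode()


def demo():
    """Creates a constructed 'secret' file, leaks it through the vulnerable parser,
    and shows the hardened parser refusing the same document. Returns (leaked, rejected)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed stand-in for /etc/passwd
        path = f.name
    try:
        payload = xxe_payload("file://" + path)
        leaked = parse_vulnerable(payload)
        try:
            parse_untrusted(payload)
            rejected = False
        except DTDNotAllowed:
            rejected = True
    finally:
        os.unlink(path)
    return leaked, rejected
```

Rejecting the DTD outright is the stronger of the two fixes: a document that does not need a DOCTYPE for legitimate reasons has no business carrying one, and the check fires before any entity declaration is processed.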

2.7 COMMAND INJECTION

2.7.1 What is this

Command injection is a vulnerability caused when the web application passes data from an untrusted source into a system command without proper validation. With this vulnerability an attacker can execute any system command available to the webserver process. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

The $((…)) construct is shell arithmetic expansion; its result appearing in the response proves that the "ip" parameter is interpreted by a shell, not merely passed to the ping binary.

How to fix

Every user input has to be checked by the web application before it is used. Untrusted user input should not be passed to functions like "exec()" or "system()"; where a system command is unavoidable, validate the input against a strict allowlist (here: a syntactically valid IP address), pass it as a separate argument instead of splicing it into a shell command line, or as a last resort escape it with a function such as PHP's escapeshellarg().

Recommendations

https://wiki.crashtest-security.com/command-injection
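The following Python is an added example and not code from the report or from DVWA. It reproduces the "ip" parameter sink in the two forms the fix above describes: a shell command line with the parameter spliced in, and an allowlist (ipaddress.ip_address) feeding an argument vector with no shell involved. The payload is constructed in the spirit of the report's and works whether or not ping is installed, because the echo it injects runs regardless.

```python
import ipaddress
import subprocess

# Constructed payload in the spirit of the report's: the arithmetic expansion only
# yields "144" if a shell, rather than ping, interprets the parameter.
PAYLOAD = "127.0.0.1; echo crashtest-security$((12*12))"


def ping_vulnerable(target):
    """DVWA-style sink: the parameter becomes part of a shell command line."""
    result = subprocess.run(
        "ping -c 1 " + target, shell=True, capture_output=True, text=True, timeout=10
    )
    return result.stdout + result.stderr


def validate_target(target):
    """Allowlist: only a syntactically valid IPv4/IPv6 address passes (ValueError otherwise)."""
    return str(ipaddress.ip_address(target.strip()))


def ping_command(target):
    """Argument vector built from the validated value; each element is one argv entry."""
    return ["ping", "-c", "1", validate_target(target)]


def ping_hardened(target):
    """No shell: metacharacters in target can only ever fail validation."""
    result = subprocess.run(ping_command(target), capture_output=True, text=True, timeout=10)
    return result.stdout + result.stderr
```

With the payload, ping_vulnerable returns output containing crashtest-security144, while ping_command raises ValueError before any process is started. Validation plus an argument vector is preferable to escaping because it does not depend on getting the quoting right for every shell.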

2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the fuzzer looks for publicly reachable default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix

In some cases it is completely fine to expose certain paths, as long as it is done on purpose; others may be exposed unintentionally. Of the paths above, phpinfo.php and php.ini disclose the PHP configuration, the .git directory can expose the complete source history including any credentials committed to configuration files, config may contain the database credentials, and setup.php is the DVWA page that (re)initialises the database. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they are not needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sensitive-data-exposure

2.9 SQL INJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a database vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL statement and therefore alters the results in favour of the attacker. With a successful attack the attacker is able to read data, modify it or delete it altogether, and may gain control over the server. The attacker has different ways to detect and exploit the weakness: where the query result is not shown directly, differences in response time (time-based blind), in error messages (error-based) or in page content (boolean-based blind, as in the findings below) can still be used to extract data one bit at a time.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database and thereby retrieve, change or delete data.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload: Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload: Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

Both payloads break out of a quoted string literal with a single quote, append a condition that is either true or false, and neutralise the original closing quote (with a comment in the first case, with a matching quoted comparison in the second); the scanner infers the injection from the different responses.

How to fix

The primary defence is to keep user input separate from SQL code: use parameterised queries (so-called "prepared statements"), in which the query text contains placeholders and the user's data is bound as a value at execution time, so it can never change the structure of the statement. Object-relational mapping libraries achieve the same thing internally for the queries they generate. Escaping potentially harmful characters before concatenating them into a query is a weaker fallback and easy to get wrong (for example for numeric parameters such as "id", where no quotes are involved). More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sql-injections
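The following Python is an added example, not code from the report or from DVWA. It uses an in-memory SQLite table standing in for DVWA's users table to show why the "id" finding above is a boolean-based blind injection: the concatenated query answers a true/false question planted by the attacker, and the blind_extract function turns that oracle into character-by-character recovery of a column. The parameterised version returns nothing for the same payloads. The table contents and the payloads are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for DVWA's users table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown');
        """
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the parameter becomes part of the SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Prepared statement: the parameter is bound as a value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Constructed boolean pair with the same shape as the report's payloads:
# quote breakout, injected condition, comment that swallows the closing quote.
TRUE_PAYLOAD = "1' AND 1=1-- x"
FALSE_PAYLOAD = "1' AND 1=2-- x"


def boolean_oracle(lookup, conn):
    """An injection exists if a true and a false condition produce different results."""
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


def blind_extract_first_name(conn, user_id=1, max_len=16):
    """Recovers users.first_name one character at a time through the vulnerable lookup.

    Each probe asks 'is character N of first_name equal to code C?'; a non-empty
    result means yes. This is exactly what a scanner does after the detection step.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            probe = "%d' AND UNICODE(SUBSTR(first_name,%d,1))=%d-- x" % (user_id, pos, code)
            if lookup_vulnerable(conn, probe):
                recovered += chr(code)
                break
        else:
            break  # no character matched: end of the string
    return recovered
```

The extraction loop needs fewer than a hundred requests per character and never sees the data directly, which is why a "possible" boolean-based finding deserves the same priority as one that dumps rows outright.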

2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers can secure all communication between their servers and web browsers. This ensures that valuable information such as usernames, passwords and credit card numbers cannot be read by someone analysing the network traffic. (The "S" in HTTPS stands for "Secure"; the protocol underneath it is TLS.) For a secure connection with HTTPS a certificate is needed. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates and protocol settings. Some misconfigurations make it possible to bypass or break the encryption; others cause web browsers to block the site because the certificate is outdated or untrusted.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The security of a TLS connection heavily depends on the key size used. The server presents a certificate whose key is too small and therefore weakens the connection.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

A 1024-bit RSA key is no longer considered adequate; 2048 bits is the common minimum, and 3072-bit RSA or an ECDSA P-256 key are stronger choices. Since the public key is part of the certificate, a new key pair has to be generated and a new certificate issued for it; simply reconfiguring the server is not enough. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size

2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known statistical biases in its keystream, which allow plaintext such as cookies to be recovered from enough encrypted sessions.

Finding

• The detected cipher suites use the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure and its use in TLS is prohibited by RFC 7465. Remove all RC4 cipher suites from the server's cipher list and prefer AEAD suites (AES-GCM, ChaCha20-Poly1305). More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4

2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated; you should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated; you should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used; TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver offers deprecated SSL/TLS versions and its protocol configuration needs to be updated: disable SSLv3, TLS 1.0 and TLS 1.1 so that only TLS 1.2 and TLS 1.3 are negotiated, together with strong cipher suites. Several of the following findings (BEAST, POODLE and the two Cipher Block Chaining findings) are consequences of these old versions being enabled and disappear once they are disabled. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The certificate carries no revocation information. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let clients verify that a server certificate has not been revoked.

Finding

• Neither a CRL distribution point nor an OCSP URI is provided in the certificate.

How to fix

Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the validity of a server certificate. If the private key is compromised, these mechanisms allow the certificate authority (CA) to revoke the certificate, so that a new (valid) certificate can be issued and the compromised one, if used by an attacker, produces warnings when a user accesses the website. OCSP is the newer method: it lets clients ask about a single certificate without downloading complete revocation lists potentially containing thousands of entries. The CRL distribution point and OCSP URI are extensions written into the certificate by the issuing CA, so this finding is fixed by obtaining a certificate from a CA that provides revocation information (public CAs do), not by changing the webserver configuration; once such a certificate is in place, the webserver can additionally be configured for OCSP stapling. More details can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is vulnerable to LOGJAM, an attack against Diffie-Hellman key exchange using 512- to 1024-bit groups. Many servers use the same pre-generated prime numbers; an attacker who invests once in the precomputation for such a common prime can then break every connection that uses it far more cheaply.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000)

How to fix

LOGJAM attacks can be prevented by disabling export-grade cipher suites and by not using well-known small Diffie-Hellman groups: generate a unique DH group of at least 2048 bits or, better, prefer ECDHE key exchange. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support low-strength ciphers (the OpenSSL cipher list "LOW:DES:RC2:RC4"). This means that an attacker can force or exploit an insecure SSL/TLS connection.

Finding

• Low-strength ciphers such as DES, RC2 and RC4 are offered by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-XSS-Protection header tells the browser how its built-in reflected-XSS filter should handle a detected attack. If this header is not configured, the behaviour depends on the browser's default.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' so that pages in which the browser detects a reflected attack are sanitised or blocked. Caveat: this header only affects the legacy XSS auditor of older browsers; current Chrome and Edge versions have removed that filter and Firefox never implemented it, and the filter itself has been abused for information leaks, which is why many current guides recommend the value '0' and rely on a Content-Security-Policy (finding 2.10.13) and on output encoding instead. Either way, the header does not fix the XSS vulnerabilities reported in section 2.5.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialisation vectors of CBC-mode ciphers in SSLv3 and TLS 1.0, an attacker in a man-in-the-middle position can decrypt parts of the traffic and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports the higher protocols TLSv1.1 and TLSv1.2 (likely mitigated).

"Likely mitigated" means that modern clients negotiate TLS 1.1 or newer and are not affected; the attack remains possible against clients limited to TLS 1.0 or SSLv3, or if an attacker can force such a downgrade.

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLS 1.0 is offered. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support ciphers rated "average": SEED and the 128- and 256-bit CBC-mode ciphers (AES, CAMELLIA and ARIA). These are not broken, but CBC mode in TLS has a history of padding-oracle and timing attacks and lacks the integrated authentication of AEAD modes, so a client can end up on a weaker connection than necessary.

Finding

• The server is configured to use average ciphers such as SEED and the 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are considered deprecated in favour of AEAD suites.

How to fix

The list of supported HTTPS cipher suites should prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) and rank or remove CBC suites accordingly. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-Content-Type-Options header prevents the browser from MIME-sniffing a response, that is, from guessing a content type different from the declared Content-Type. This protects against attacks in which a malicious file is served with an inconspicuous MIME type and would otherwise be interpreted as, for example, a script or stylesheet.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from deriving MIME types from file content. Since the browser will then refuse to guess, every response must carry a correct Content-Type header.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The certificate is signed with an algorithm that has severe known weaknesses.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The certificate signature uses MD5, for which practical collision attacks exist; browsers reject MD5-signed certificates outright. This is a property of the certificate set by the issuing CA, not of the cipher suite list, so the fix is to obtain a new certificate signed with a SHA-2 algorithm. More details can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources such as scripts, images or stylesheets, and whether inline scripts are allowed. A strict policy stops injected scripts from executing and so mitigates many XSS and other content-injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'un­safe-inline' or 'unsafe-eval' in script-src, as these re-enable exactly the inline-script injection the policy is meant to block; use nonces or hashes for legitimate inline scripts instead. Deploy the policy first as Content-Security-Policy-Report-Only to find legitimate resources it would block before enforcing it.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The webserver is configured to allow connections encrypted with TLS 1.0 in Cipher Block Chaining mode (CBC). Connections using this setting contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) under TLS 1.0 that allows man-in-the-middle decryption.

How to fix

Disable TLS 1.0 (and SSLv3) so that only TLS 1.2 and TLS 1.3 are negotiated; for TLS 1.2 prefer AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) over CBC suites. Certificates play no role in this finding. More details on how to configure the protocol and cipher settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent embedding entirely, or as 'SAMEORIGIN' to allow only pages of the same origin to frame it. The older 'ALLOW-FROM domain' value is not supported by current browsers; to allow specific third-party sites, use the frame-ancestors directive of Content-Security-Policy instead, which supersedes this header.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support 3DES and IDEA ciphers (the OpenSSL cipher list "3DES:IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed; you should use TLS 1.2 or TLS 1.3. (3DES is additionally the cause of the SWEET32 finding 2.10.17.)

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server supports cipher suites with a 64-bit block size (3DES). With such a small block, a collision between two ciphertext blocks in CBC mode becomes likely after about 2^32 blocks (roughly 32 GB) on a single connection, and each collision leaks the XOR of two plaintext blocks. By keeping a connection open and observing traffic for a long time, an attacker can recover secret HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES cipher suites should be disabled.

How to fix

SWEET32 attacks can be prevented by disabling 3DES and using cipher suites with 128-bit block ciphers (AES, CAMELLIA, ARIA) or the ChaCha20 stream cipher. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no Subject Alternative Name defined; browsers complain.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered it. A trusted certificate must contain the correct information for the web application, in particular the host name; modern browsers ignore the Common Name and match only the DNS entries of the Subject Alternative Name extension, so the host name must appear there. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The Referrer-Policy header defines how much information about the referring page is sent when the user follows a link or the page loads a resource. A misconfigured or missing header may leak sensitive information (for example tokens or identifiers in the URL path or query string) to third-party websites.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin': for cross-origin requests only the origin (scheme, host, port) is sent instead of the full URL, for same-origin requests the full Referer is kept, and nothing is sent at all when the connection is downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The webserver is configured to allow connections encrypted with SSL 3.0 in Cipher Block Chaining mode (CBC). Connections using this setting contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) under SSLv3 that allows man-in-the-middle decryption.

How to fix

The webserver offers the deprecated SSLv3 protocol, which must be disabled entirely (this also resolves the POODLE finding 2.10.22). The server should be configured to offer only TLS 1.2 and TLS 1.3 with strong cipher suites. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

[high] CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

[high] CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

[high] CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

[medium] CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

[medium] CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

[medium] CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


[medium] CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

[medium] CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

[medium] CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

[low] CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

[medium] CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

[medium] CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

[medium] CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('//'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

[medium] CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

[medium] CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


[medium] CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

[medium] CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

[medium] CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

[medium] CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

[medium] CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
    • Appendix
      • PHP 5.5.9 CVE Findings
      • Apache 2.4.7 CVE Findings

2.3 FINGERPRINTING

2.3.1 What is this

The responses a server sends to its client often contain more information than necessary. This surplus of information makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal the version of the web application and the libraries in use. The analysis of this information is called fingerprinting. Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack; without it, an attacker is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Application Framework

Severity

Base Score: high (7.5/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The installed web application framework(s) offer information about their version. This gives attackers the possibility to look for exploits specifically targeting the software running in its exact version.

Finding

• Found PHP running in version 5.5.9 (3 connected CVE issues have been found. The most severe vulnerability has a CVSS score of high (7.5/10). See Appendix PHP 5.5.9 CVE Findings for a detailed list of the CVEs).

How to fix

Depending on the used application, there are multiple ways to remove version information. Some applications also share the information in multiple places, which makes it harder to remove. Common places for version information are the filename of included libraries like "jquery.3.2.1.min.js" or the documentation within a file where the version number is stated within the first lines. While some information is required to be left within these files as a part of the copyright, other information like the version number can be removed. Other places could be the footer of an application ("powered by Wordpress 4.9.1") or meta-tags within the header of the website. Unlike servers, most web applications cannot remove this information via a config file; it therefore needs to be removed manually by editing the specific templates and files. More details on how to fix this problem can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix Apache 2.4.7 CVE Findings for a detailed list of the CVEs).

How to fix

The amount of information a server is sharing can be set in its configuration files. Depending on the used webserver, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate the changes.

Recommendations

https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Unneeded open ports on the webserver open up a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"

• Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this

Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications by causing an attacker to infect web pages with client-side scripts that are invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS can be anywhere between a small nuisance and a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix

XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)
Impact: medium (5.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations

https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload "echo crashtest-security$((1212))"

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations

https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix

In some cases it is completely fine to expose certain file paths, as long as it happens on purpose. Paths that are not needed in a production environment should be removed from the web root or blocked in the web server configuration; at minimum they can be protected with Basic Auth (.htaccess). In this list, the .git directory, php.ini, the config directory and phpinfo.php deserve priority: a readable .git directory lets an attacker download the repository objects and reconstruct the source code, and the configuration files and phpinfo output reveal credentials, paths and module versions. Installer scripts such as setup.php can modify the application and must not be reachable at all once the installation is done. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/sensitive-data-exposure
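How the Fuzzer's default-path check can be reproduced, and the fix verified afterwards, as an added example written for this edit (it is not the scanner's code): a Python probe that requests each default path with a GET and reports those that answer 200, fetching a random URL first so that servers which answer every unknown path with 200 ("soft 404") do not produce false hits, and confirming the two most sensitive hits by content. The fake_server_* functions stand in for HTTP so the example runs offline; their contents, the path list (which requests /.git/HEAD instead of the /.git/ directory listing) and the signature strings are constructed assumptions.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, bytes]          # (HTTP status, body)
Fetcher = Callable[[str], Response]   # anything that performs a GET

BASE_URL = "https://dvwa.dev.crashtest.cloud"

# The paths from the Finding above; /.git/HEAD is used for the repository
# because it is the cheapest request that proves a .git directory is readable.
DEFAULT_PATHS = [
    "/about.php", "/CHANGELOG.md", "/config/", "/docs/", "/.git/HEAD",
    "/instructions.php", "/phpinfo.php", "/php.ini", "/README.md", "/setup.php",
]

# Body fragments that confirm a hit is the real artefact (assumed signatures).
SIGNATURES = {"/.git/HEAD": b"ref: ", "/phpinfo.php": b"PHP Version"}


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def probe_default_paths(fetch: Fetcher, base_url: str = BASE_URL,
                        paths: List[str] = DEFAULT_PATHS) -> Dict[str, str]:
    """Return {path: reason} for every default path the server exposes.

    A random URL is requested first; a path only counts as exposed when it
    returns 200 with a body that differs from that baseline, so servers that
    answer every unknown URL with 200 ('soft 404') do not produce hits.
    """
    _, baseline_body = fetch(base_url + "/" + secrets.token_hex(8))
    baseline = _digest(baseline_body)
    exposed: Dict[str, str] = {}
    for path in paths:
        status, body = fetch(base_url + path)
        if status != 200 or _digest(body) == baseline:
            continue
        signature = SIGNATURES.get(path)
        if signature is not None and signature not in body:
            continue  # 200, but not the artefact we were looking for
        exposed[path] = "confirmed by content" if signature else "200, distinct body"
    return exposed


# --- constructed fake servers standing in for HTTP, so this runs offline ---
_SITE_BEFORE = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/phpinfo.php": (200, b"<html>PHP Version 5.5.9</html>"),
    "/setup.php": (200, b"<html>Database Setup</html>"),
    "/README.md": (200, b"# DVWA\n"),
}


def fake_server_before(url: str) -> Response:
    """Before the fix: artefacts are served, unknown URLs get a real 404."""
    return _SITE_BEFORE.get(url[len(BASE_URL):], (404, b"Not Found"))


def fake_server_after(url: str) -> Response:
    """After the fix: .git, phpinfo.php and setup.php are denied, README.md is
    gone, and unknown URLs get a soft 404 (200 with the generic page)."""
    path = url[len(BASE_URL):]
    if path.startswith("/.git") or path in ("/phpinfo.php", "/setup.php"):
        return (403, b"Forbidden")
    return (200, b"<html>Welcome to DVWA</html>")
```

To run it against a live host, pass a fetch function that returns (status, body) from a real GET; the soft-404 baseline matters in practice because a 200 catch-all page would otherwise report every path in the list as exposed.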


2.9 SQL INJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a vulnerability in an application that talks to a SQL database, caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the input is not validated correctly, the injected code changes the original SQL statement and therefore alters the result in the attacker's favor. With a successful attack the attacker is able to read data, modify it or delete it altogether, and in some database configurations gain control over the server. The attacker has different ways to confirm and exploit the vulnerability: for example via differences in the response content (boolean-based blind), via the response time (time-based blind) or via database error messages (error-based).

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code against your database, so that he may retrieve, change or delete data.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The robust answer is: never build SQL statements by concatenating user input into the query string. Use so-called "prepared statements" (parameterized queries): the statement contains placeholders for the user's input, and the data is bound separately by the database driver, so it is always treated as a value and can never change the structure of the query. Most common frameworks and drivers support this directly, and Object-relational mapping libraries use it under the hood. Escaping potentially harmful characters before sending them to the database is a weaker fallback: it is easy to miss a case, and it does not help for values that are not string literals, such as a numeric id or a column name used in ORDER BY, which must be validated against an allowlist instead. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations: https://wiki.crashtest-security.com/sql-injections
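The boolean-based blind technique the Finding reports, and the prepared-statement fix, as an added example written for this edit with Python's sqlite3 (it is neither DVWA's PHP code nor the scanner's). lookup_vulnerable pastes the id parameter into the statement the way the affected page does; oracle() injects a true or false condition in the style of the payloads above; extract_password() shows why a yes/no oracle is enough to read the database one character at a time; and the same loop against lookup_fixed recovers nothing. The table, its rows and the password values are constructed.

```python
import sqlite3
from typing import Callable, List, Tuple

Lookup = Callable[[sqlite3.Connection, str], List[Tuple[str, str]]]

# Constructed stand-in for DVWA's users table; all values are illustrative.
USERS = [
    ("1", "admin", "admin", "5f4dcc3b"),
    ("2", "Gordon", "Brown", "e99a18c4"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """The affected pattern: the id parameter is pasted into the statement."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str):
    """Prepared statement: the driver binds user_id as data, never as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def oracle(lookup: Lookup, conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind probe: append a condition to a known-good id and
    watch whether the row still comes back. '-- ' comments out the closing
    quote the application adds, just like the payloads in the Finding."""
    payload = f"1' AND ({condition})-- "
    return len(lookup(conn, payload)) > 0


def extract_password(lookup: Lookup, conn: sqlite3.Connection,
                     length: int = 8) -> str:
    """Read user 1's password one hex digit at a time through the oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            cond = ("substr((SELECT password FROM users WHERE user_id='1'),"
                    f"{pos},1)='{ch}'")
            if oracle(lookup, conn, cond):
                recovered += ch
                break
        else:
            break  # no digit matched: the oracle does not work against this code
    return recovered


def demo() -> dict:
    conn = make_db()
    return {
        "true_condition": oracle(lookup_vulnerable, conn, "5434=5434"),
        "false_condition": oracle(lookup_vulnerable, conn, "5434=5435"),
        "leaked_from_vulnerable": extract_password(lookup_vulnerable, conn),
        "leaked_from_fixed": extract_password(lookup_fixed, conn),
    }
```

The point of the extraction loop is that the vulnerable page never displays the password: it only answers "row shown" or "row not shown", and that single bit per request is all the attacker needs. Against the prepared statement the whole payload is compared literally with user_id, so no row ever matches and the loop stops at the first position.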


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), still widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card numbers cannot be read by someone analyzing the network traffic. The "S" in HTTPS stands for "Secure"; the protocol underneath is TLS. For a secure HTTPS connection a certificate is needed. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, web servers must use well-configured certificates and protocol settings. With some misconfigurations it is possible to bypass or break the encryption; other certificates are blocked by web browsers because they are expired, self-signed or issued by an unknown certificate authority.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection heavily depends on the key size used. The server presents a certificate key whose size results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The RSA key behind the server certificate is too small: 1024-bit RSA is within reach of a well-funded attacker, and public certificate authorities have not issued certificates for keys below 2048 bits since 2014. The key size is a property of the key pair, not of the certificate alone, so the fix is to generate a new key of at least 2048 bits (RSA) or an ECDSA P-256 key, and to request a new certificate for it. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known statistical biases in its keystream, which allow plaintext recovery given enough encrypted traffic.

Finding

• A detected cipher suite uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure as there are multiple known attacks against it, and RFC 7465 prohibits its use in TLS. Remove all RC4 cipher suites from the server's cipher list (in OpenSSL cipher-string syntax: !RC4) and rely on AEAD suites such as AES-GCM or ChaCha20-Poly1305 instead. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver offers deprecated SSL/TLS versions and needs to be reconfigured. Disable SSLv3, TLS 1.0 and TLS 1.1 (the latter two were formally deprecated by RFC 8996) and allow only TLS 1.2 and TLS 1.3; in Apache this is a single directive such as SSLProtocol -all +TLSv1.2 +TLSv1.3. Note that this is a protocol setting, not a certificate property: renewing the certificate does not change which protocol versions the server accepts. TLS 1.3 additionally needs a recent Apache and OpenSSL; the Apache 2.4.7 identified in the appendix predates that support. Disabling SSLv3 and TLS 1.0 also resolves the POODLE and BEAST findings in this section. More details on how to configure the protocol versions can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate carries no revocation information. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let clients verify that a server certificate has not been revoked by its issuer.

Finding

• Neither a CRL distribution point nor an OCSP URI is provided in the certificate.

How to fix

Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the revocation status of a server certificate. If the private key is compromised, these mechanisms allow the certificate authority (CA) to revoke the certificate: the operator issues a new (valid) certificate, and the compromised one (now usable by an attacker) produces warnings when a client checks it. OCSP is the newer method, as it lets a client ask about a single certificate instead of downloading complete revocation lists potentially containing thousands of entries. The CRL and OCSP URIs are extensions that the issuing CA writes into the certificate at issuance, so a self-signed or private-CA certificate without them cannot be fixed by webserver configuration alone: obtain a certificate from a CA that includes the Authority Information Access (OCSP) and CRL Distribution Points extensions, and enable OCSP stapling on the webserver (SSLUseStapling on in Apache) so that clients receive a fresh, CA-signed status with the handshake. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to LOGJAM, an attack against Diffie-Hellman key exchange that uses 512- to 1024-bit groups. Most servers use the same widely shared pre-generated prime numbers, which lets an attacker do the expensive precomputation for such a prime once and then break individual connections far more cheaply.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000).

How to fix

LOGJAM attacks are prevented by using strong cipher suites and avoiding weak or shared primes: disable export-grade DHE suites, generate a unique DH group of at least 2048 bits (openssl dhparam 2048) and configure the server to use it (in Apache via SSLOpenSSLConfCmd DHParameters, or by appending the PEM-encoded parameters to the file named in SSLCertificateFile), or prefer ECDHE suites, which are not affected. The connection in 2.10.24 was negotiated with a 1024-bit DH group, so the current parameters need to be replaced. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support weak cipher suites, corresponding to the OpenSSL cipher string "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Weak ciphers (DES, RC2, RC4) are offered by the server. You should use stronger ciphers.

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be restricted to secure values: use modern AEAD suites and exclude the weak families explicitly, for example an OpenSSL cipher string such as ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!RC4:!MD5:!EXP, and enable server-side ordering (SSLHonorCipherOrder on in Apache). After the change, verify with a TLS scanner (for example openssl s_client -cipher RC4 -connect host:443, which must fail) that none of the listed families can still be negotiated. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells browsers with a built-in XSS auditor how to handle reflected XSS attacks they detect. If the header is not set, such browsers may not block an attack despite detecting it. Note that this filter is legacy: Chromium-based browsers removed their XSS auditor in 2019 and Firefox never implemented one, so the header offers no protection in current browsers, and a Content-Security-Policy (2.10.13) is the effective control.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1; mode=block' so that browsers which still implement the filter block the page instead of trying to sanitize it; the plain value '1' enables the sanitizing mode, which rewrites the page and is the weaker choice. Do not rely on this header alone: combine it with a Content-Security-Policy and fix the underlying XSS issues.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialization vectors of cipher block chaining (CBC) in SSLv3 and TLS 1.0, a man-in-the-middle attacker who can also inject chosen plaintext into the connection (for example through a script in the victim's browser) can decrypt parts of the traffic, such as authentication cookies.

Finding

• VULNERABLE, but the server also supports higher protocols (TLSv1.1, TLSv1.2), so the attack is likely mitigated for clients that negotiate them.

How to fix

BEAST attacks are prevented by ensuring that neither SSLv3 nor TLS 1.0 can be negotiated (see 2.10.4). Clients that negotiate TLS 1.1 or higher are not affected, because those versions use an explicit random IV per record; the risk remains for clients that only support TLS 1.0, or that can be downgraded to it. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support "average" cipher suites: SEED and 128/256-bit CBC-mode suites (AES, CAMELLIA and ARIA). These suites are not broken, but CBC mode in TLS has a history of padding-oracle problems (Lucky 13 and the POODLE variants) and lacks the integrity guarantees of AEAD modes, so an attacker who can influence the negotiation may steer a client towards them.

Finding

• The server is configured to use average ciphers (SEED and 128/256-bit CBC suites: AES, CAMELLIA and ARIA), which are considered legacy.

How to fix

Prefer AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) and put them first in the cipher order; with TLS 1.3 only AEAD suites exist. Remove the SEED, CAMELLIA and ARIA suites, which hardly any current client needs, and keep AES-CBC suites only if legacy clients that cannot negotiate GCM must still be supported. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header prevents the browser from guessing (sniffing) the MIME type of a response instead of trusting the declared Content-Type. This protects against attacks in which a malicious file is served with an innocuous MIME type but would be interpreted as HTML or script by the browser.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response to prevent the browser from detecting MIME types based on file content. With this value browsers also refuse to execute scripts or apply stylesheets whose declared Content-Type is not a script or stylesheet type, which blocks a class of content-sniffing XSS.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The signature algorithm of the server certificate has severe security issues.

Finding

• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The server certificate is signed with MD5, for which practical collision attacks have existed since 2004 (a rogue CA certificate forged this way was demonstrated in 2008), so browsers reject MD5-signed certificates outright. The signature algorithm is chosen by the issuing CA when the certificate is created, so this is not a webserver setting: issue (or request) a new certificate signed with SHA-256 or stronger, ideally together with the larger key from 2.10.2. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources such as scripts, images or stylesheets, and whether inline scripts and eval() are permitted. This can prevent, or severely limit the impact of, Cross-Site Scripting (XSS) and other content-injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, in order to prevent direct script injection into the website. Roll the policy out in report-only mode first (Content-Security-Policy-Report-Only) to find what it breaks before enforcing it. A policy such as default-src 'self'; frame-ancestors 'none' also covers the clickjacking finding in 2.10.15.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is configured to allow connections encrypted with TLS 1.0 in Cipher Block Chaining mode (CBC). TLS 1.0 uses the last ciphertext block of one record as the IV of the next, which makes the IV predictable and allows an attacker who can inject chosen plaintext to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: the BEAST attack leverages a weakness in cipher block chaining (CBC) mode under TLS 1.0, which allows man-in-the-middle decryption.

How to fix

This has the same root cause as 2.10.4 and 2.10.9: disable TLS 1.0 (and SSLv3) on the webserver so that only TLS 1.2 and TLS 1.3 can be negotiated. Certificates are not involved, so no certificate change resolves this finding. If TLS 1.0 must be kept temporarily for legacy clients, note that TLS 1.0 and 1.1 offer no AEAD suites: removing CBC from that version leaves only RC4, which is worse (2.10.3). More details on how to configure the protocol versions can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent the page from being embedded at all, or as 'SAMEORIGIN' to allow framing only by pages of the same origin. The 'ALLOW-FROM DOMAIN' value is obsolete and ignored by current browsers; to allow embedding by specific third-party sites, use the Content-Security-Policy frame-ancestors directive instead, which supersedes X-Frame-Options.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL cipher string "3DES:IDEA"). This means that an attacker can make use of a weak SSL/TLS connection.

Finding

• Cipher suites based on 3DES (Triple Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. Single-DES and IDEA suites were removed from the TLS 1.2 specification (RFC 5469); 3DES is still allowed in TLS 1.2 but is affected by SWEET32 (2.10.17); TLS 1.3 supports none of them. You should use TLS 1.2 with AEAD suites, or TLS 1.3.

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers, so an attacker can make use of a weak SSL/TLS connection. Remove the 3DES and IDEA suites from the cipher list (!3DES:!IDEA in OpenSSL syntax) and set a secure order for the remaining suites. Apart from end-of-life platforms such as Windows XP, current clients support AES-GCM, so dropping 3DES has little compatibility cost. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size. With such a small block, a birthday collision between two ciphertext blocks becomes likely after roughly 2^32 blocks (about 32 GB) of data on a single connection, and each collision leaks the XOR of two plaintext blocks. By keeping a connection open and generating traffic for a long time, an attacker can recover secrets that are sent repeatedly, such as secure HTTP cookies.

Finding

• 64-bit block ciphers are offered, which are vulnerable to the SWEET32 birthday attack. 3DES cipher suites should be disabled.

How to fix

SWEET32 attacks are prevented by using cipher suites with a 128-bit block size (AES, CAMELLIA, ARIA) or a stream construction such as ChaCha20. Disable all 64-bit block ciphers, i.e. 3DES and IDEA (the suites from 2.10.16) and, if present, DES and RC2. The block size is fixed per cipher and cannot be tuned in the configuration. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the name in the certificate does not match the webserver domain, if the certificate is self-signed, or if it was issued by a certificate authority the client does not know.

Finding

• There is no Subject Alternative Name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered it. A trusted certificate needs to contain the correct information for the web application: since 2017 browsers match the host name only against the Subject Alternative Name extension and ignore the Common Name, so the certificate must list dvwa.dev.crashtest.cloud as a dNSName SAN entry (the CN may repeat it). The certificate must be signed by a certificate authority (CA) that the users' browsers trust, and the webserver has then to be configured to present it, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much information about the referring page is sent in the Referer header when the user follows a link or the page loads an external resource. A misconfigured or missing header may leak sensitive information (such as URL paths, identifiers and query parameters) to third-party websites.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin': it sends only your origin, not the full path, to external sites, keeps the full Referer for same-origin navigation, and sends nothing at all when the connection is downgraded from HTTPS to HTTP. Current browsers already use this value as their default when no header is set, but sending it explicitly keeps the behaviour identical in older browsers.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is configured to allow connections encrypted with SSL 3.0 in Cipher Block Chaining mode (CBC). SSLv3's CBC construction has both predictable IVs (BEAST) and unverified padding (POODLE), which allows an attacker to break the encryption.

Finding

• BEAST SSL3: the BEAST attack leverages a weakness in cipher block chaining (CBC) mode under SSLv3, which allows man-in-the-middle decryption.

How to fix

The webserver still offers SSLv3, a protocol version that no current client needs. Disable SSLv3 completely (see 2.10.4); this resolves this finding together with POODLE (2.10.22). Certificates and cipher suites do not need to change for this particular issue. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non-HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by client-side scripts running in the page (document.cookie). In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies and take over the session.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the HttpOnly attribute on the PHPSESSID cookie so that it is not exposed to client-side scripts even if an XSS vulnerability exists; for PHP session cookies this is the session.cookie_httponly directive in php.ini, or session_set_cookie_params() before session_start(). Combine it with the Secure attribute (2.10.26) and with SameSite=Lax or Strict, which stops the cookie from being sent on cross-site requests. This is especially important for session cookies; depending on the cookie content, consider both attributes for all cookies. Note that HttpOnly prevents cookie theft but not the XSS itself: an attacker can still act within the page on the victim's behalf while the victim is logged in. More details on how to set these attributes can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle attacker can force a client to fall back to SSL 3.0 and then use the padding oracle in SSLv3's CBC mode to decrypt data of the encrypted connection, at a cost of about 256 requests per recovered byte (for example of a session cookie).

Finding

• The detected SSL version (SSLv3) is vulnerable to SSL POODLE.

How to fix

The complete fix is to disable SSLv3 (see 2.10.4). TLS_FALLBACK_SCSV only prevents the downgrade dance for clients that implement it; it neither helps clients that start with SSLv3 nor makes SSLv3 itself safe, so enable it in addition only while legacy protocols must temporarily stay enabled. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server does not enforce a cipher order for HTTPS, or the order includes an insecure cipher. Without server-side ordering the client's preference wins, so a badly configured or attacker-influenced client can end up negotiating the weakest suite the server still offers.

Finding

• There is no cipher order configured. The server should enforce an order from strongest to weakest to prevent clients from choosing weaker ciphers when stronger ones are available.

How to fix

Enable server-side cipher preference (SSLHonorCipherOrder on in Apache) and list the allowed suites from strongest to weakest, with forward-secret AEAD suites first. Ordering only helps if the weak suites are also removed (2.10.7, 2.10.16): an ordered list that still contains RC4 or 3DES lets a client that supports nothing else negotiate them anyway. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting the traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC) could not be found in the list of cipher suites that the server advertised (matching cipher in list missing).

How to fix

This finding points at an inconsistent configuration: the server negotiated a suite, here with a 1024-bit DH group that also underlies the LOGJAM finding in 2.10.6, which does not appear in its own advertised cipher list. This can indicate that different virtual hosts or listeners use different SSL settings, or that a default cipher list applies behind the configured one. Make the protocol versions, cipher list, cipher order and DH parameters consistent across all virtual hosts, then re-scan. More details on how to configure these settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration
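The rule set a practitioner would apply to the TLS findings in 2.10.2 through 2.10.24, as an added example written for this edit (it is not the scanner's code): evaluate() takes a summary of what a server offers and returns the titles of this report's TLS findings that apply to it. The TlsScan dataclass, the DVWA_LIKE input (constructed to reproduce the findings above) and the HARDENED_TLS input (the target state described in the How-to-fix sections) are this example's assumptions; OpenSSL cipher-suite names are classified by substring, which is sufficient for the standard names but not a full parser.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class TlsScan:
    """Summary of what a server offers (assumed structure for this example)."""
    protocols: Set[str]          # e.g. {"SSLv3", "TLSv1.0", "TLSv1.2"}
    ciphers: List[str]           # OpenSSL suite names as the server offers them
    honors_cipher_order: bool
    dh_bits: Optional[int]       # size of the DHE group, None if no DHE suite
    key_type: str                # certificate key type, e.g. "RSA"
    key_bits: int
    sig_alg: str                 # e.g. "md5WithRSAEncryption"
    san_matches_host: bool       # a dNSName SAN equals the tested host name
    has_ocsp_uri: bool
    has_crl_uri: bool


def is_cbc(name: str) -> bool:
    """A suite that is neither AEAD nor a stream/NULL cipher is a CBC suite."""
    return not any(t in name for t in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def is_64bit_block(name: str) -> bool:
    """3DES, IDEA, RC2 and single DES all use a 64-bit block (SWEET32)."""
    return (any(t in name for t in ("DES-CBC3", "3DES", "IDEA", "RC2"))
            or name.startswith("DES-CBC-") or "-DES-CBC-" in name)


def is_low(name: str) -> bool:
    """OpenSSL 'LOW' plus the DES/RC2/RC4 families the report groups with it."""
    return ("NULL" in name or name.startswith("EXP") or "RC2" in name
            or "RC4" in name or name.startswith("DES-CBC-") or "-DES-CBC-" in name)


def evaluate(scan: TlsScan) -> List[str]:
    """Map a scan summary to the report's finding titles (sorted)."""
    f: Set[str] = set()
    c = scan.ciphers
    cbc = [n for n in c if is_cbc(n)]
    if scan.protocols & {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}:
        f.add("SSL Protocol Version")
    if "SSLv3" in scan.protocols:
        f.add("SSL POODLE")
        if cbc:
            f.add("SSL Cipher Block Chaining SSL3")
    if "TLSv1.0" in scan.protocols and cbc:
        f.add("SSL Cipher Block Chaining TLS1")
    if scan.protocols & {"SSLv3", "TLSv1.0"} and cbc:
        f.add("SSL BEAST")
    if any("RC4" in n for n in c):
        f.add("SSL RC4")
    if any(is_low(n) for n in c):
        f.add("SSL Cipherlist LOW")
    if any(t in n for n in c for t in ("DES-CBC3", "3DES", "IDEA")):
        f.add("SSL Cipherlist 3DES IDEA")
    if any(is_64bit_block(n) for n in c):
        f.add("SSL SWEET32")
    if any(is_cbc(n) and any(t in n for t in ("AES", "CAMELLIA", "ARIA", "SEED"))
           for n in c):
        f.add("SSL Cipherlist AVERAGE")
    if (any(n.startswith(("DHE-", "EDH-", "ADH-")) for n in c)
            and scan.dh_bits is not None and scan.dh_bits <= 1024):
        f.add("SSL LOGJAM Common Primes")
    if not scan.honors_cipher_order:
        f.add("SSL Cipher Order")
    if scan.key_type == "RSA" and scan.key_bits < 2048:
        f.add("TLS Key Size")
    if scan.sig_alg.lower().startswith(("md5", "sha1")):
        f.add("SSL Insecure Algorithm")
    if not scan.san_matches_host:
        f.add("SSL Trust")
    if not (scan.has_ocsp_uri or scan.has_crl_uri):
        f.add("Certificate Revocation")
    return sorted(f)


# Constructed input reproducing the TLS findings in this report.
DVWA_LIKE = TlsScan(
    protocols={"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"},
    ciphers=["RC4-SHA", "DES-CBC-SHA", "DES-CBC3-SHA", "IDEA-CBC-SHA", "SEED-SHA",
             "CAMELLIA128-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA256",
             "ECDHE-RSA-AES128-GCM-SHA256"],
    honors_cipher_order=False, dh_bits=1024, key_type="RSA", key_bits=1024,
    sig_alg="md5WithRSAEncryption", san_matches_host=False,
    has_ocsp_uri=False, has_crl_uri=False,
)

# The target state described by the How-to-fix sections.
HARDENED_TLS = TlsScan(
    protocols={"TLSv1.2", "TLSv1.3"},
    ciphers=["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
             "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
             "DHE-RSA-AES256-GCM-SHA384"],
    honors_cipher_order=True, dh_bits=2048, key_type="RSA", key_bits=2048,
    sig_alg="sha256WithRSAEncryption", san_matches_host=True,
    has_ocsp_uri=True, has_crl_uri=False,
)
```

Several findings share one root cause, which the rules make visible: removing SSLv3 and TLS 1.0 clears five of them at once, and dropping 3DES clears both the 3DES/IDEA and the SWEET32 entries. A real scanner obtains the TlsScan fields by handshaking with every protocol and suite; here they are filled in by hand.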


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver does not send HTTP Strict Transport Security (HSTS). HSTS instructs browsers to use HTTPS only for this site for a configured period, which prevents SSL-stripping downgrade attacks to an insecure HTTP connection on later visits and turns certificate errors into hard failures that the user cannot click through.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header on every HTTPS response, for example Strict-Transport-Security: max-age=31536000; includeSubDomains. Start with a short max-age while testing, since a long value cannot be withdrawn from browsers that have already seen it, and add the preload directive only once the whole domain including all subdomains serves HTTPS. HSTS depends on a trusted certificate: browsers ignore the header when it arrives over a connection with certificate errors, so the trust problem in 2.10.18 must be fixed first. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted connections. A man-in-the-middle attacker who can trigger a plain HTTP request to the site (for example by injecting an image link into any unencrypted page the victim visits) obtains the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the Secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Secure attribute on the PHPSESSID cookie so that the browser only sends it over HTTPS; for PHP session cookies this is session.cookie_secure = 1 in php.ini, or session_set_cookie_params() before session_start(). Together with HttpOnly (2.10.21) and HSTS (2.10.25) this prevents both network-based and script-based theft of the session cookie. Depending on the cookie content, consider both attributes for all cookies; this is especially important for session cookies. If the application allows renaming the session cookie, the __Host- name prefix adds a further guarantee, because browsers only accept such cookies when they are Secure, have Path=/ and carry no Domain attribute. More details on how to set these attributes can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies
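A checker covering the response-header findings (2.10.8, 2.10.11, 2.10.13, 2.10.15, 2.10.19 and 2.10.25) and the cookie findings (2.10.21 and 2.10.26), as an added example written for this edit (not the scanner's code): audit_headers() and audit_cookies() return this report's finding titles for a captured response. It goes slightly beyond the report by accepting a CSP frame-ancestors directive in place of X-Frame-Options and by flagging cookies without a SameSite attribute. The two response dictionaries, the one-year HSTS threshold and the Referrer-Policy allowlist are constructed assumptions.

```python
from typing import Dict, List

# Thresholds and allowlists are this example's assumptions, not report values.
HSTS_MIN_AGE = 31536000   # one year
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_attrs(value: str) -> Dict[str, object]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': True}"""
    attrs: Dict[str, object] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse "default-src 'self'; script-src x" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the report's finding titles that apply to one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options Header")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy Header")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("Content-Security-Policy Header (unsafe script-src)")
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options Header")  # CSP frame-ancestors also suffices
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy Header")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection Header")  # legacy header, see 2.10.8
    hsts = parse_attrs(h.get("strict-transport-security", ""))
    if not hsts:
        findings.append("Missing HSTS")
    else:
        try:
            max_age = int(str(hsts.get("max-age", 0)))
        except ValueError:
            max_age = 0
        if max_age < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
    return findings


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """One entry per missing attribute, for every Set-Cookie header."""
    findings: List[str] = []
    for header in set_cookie_headers:
        name_value, _, rest = header.partition(";")
        name = name_value.partition("=")[0].strip()
        attrs = parse_attrs(rest)
        if "httponly" not in attrs:
            findings.append(f"Non HttpOnly Cookies ({name})")
        if "secure" not in attrs:
            findings.append(f"Insecure Cookies ({name})")
        if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
            findings.append(f"Cookie without SameSite ({name})")
    return findings


def audit_response(response: dict) -> List[str]:
    return audit_headers(response["headers"]) + audit_cookies(response["set_cookie"])


# Constructed responses: what the report observed, and the target state.
OBSERVED = {
    "headers": {"Content-Type": "text/html", "Server": "Apache/2.4.7"},
    "set_cookie": ["PHPSESSID=0123456789abcdef; path=/"],
}
HARDENED_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-XSS-Protection": "1; mode=block",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "set_cookie": ["PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
```

To use it on a live site, collect the response headers and every Set-Cookie line from one HTTPS request and pass them in the same shape as OBSERVED; Set-Cookie must be kept as a list, because joining multiple cookies into one header string would hide attributes of all but the first.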


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

The CVE entries in this appendix are matched on the version strings reported by the server (PHP 5.5.9 together with Apache 2.4.7 is the combination shipped by Ubuntu 14.04). Distributions backport security fixes without changing the version number, so each entry should be checked against the installed package's changelog before it is treated as exploitable.

PHP 5.5.9

high    CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium    CVE-2016-0736    In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium    CVE-2016-2161    In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium    CVE-2017-15715    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low    CVE-2018-1283    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium    CVE-2018-17199    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium    CVE-2019-0217    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium    CVE-2019-0220    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium    CVE-2019-10092    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium    CVE-2019-10098    In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium    CVE-2015-3184    mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium    CVE-2016-8743    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium    CVE-2017-15710    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium    CVE-2014-3523    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium    CVE-2014-0117    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Crashtest Security is a German IT security company specialised in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSL/TLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSL/TLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


Recommendations: https://wiki.crashtest-security.com/prevent-web-application-framework-information-leakage


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)
Impact: -
Exploitability: -

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server publicly discloses information about itself, such as its name and version. This lets an attacker look for exploits that target exactly that web server version.

Finding

• The web server is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs).

How to fix
The amount of information a server discloses is set in its configuration files; where they live depends on the web server in use (see Recommendations for the exact location). In most cases one or two settings are enough. For Apache httpd they are ServerTokens Prod (the Server header then reads just "Apache") and ServerSignature Off (no version in error pages and directory listings), kept on Debian and Ubuntu in /etc/apache2/conf-enabled/security.conf and elsewhere usually in httpd.conf. Reload or restart the web server after saving the change. Two caveats: hiding the banner does not fix the CVEs listed in the appendix, so the server still needs patching, and version-based CVE matching is imprecise for distribution packages, which carry backported security fixes under the old version number (Apache 2.4.7 together with PHP 5.5.9 is the Ubuntu 14.04 combination, for example). Check the package changelog for each CVE before treating it as unpatched.

Recommendations: https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server through which a specific service can be reached. On a web server, port 80 (HTTP) and port 443 (HTTPS) are normally open to serve the website to users. Other ports should be closed unless a service genuinely needs them. The port scanner probes the web server with a SYN scan across a wide range of possibly open ports and reports what it finds. Any open port other than 80 and 443 should be blocked by the firewall if it is not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Unneeded open ports on the web server enlarge its attack surface. An attacker can use them to find unmaintained and possibly vulnerable network services to target.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those the server needs. Services that are not needed should be uninstalled rather than merely firewalled. Here only 80/tcp and 443/tcp were found, which is the expected set for a web server; port 80 should then do nothing but redirect to HTTPS.

Recommendations: https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) is a web application vulnerability that lets an attacker inject client-side scripts into pages that are then delivered to, and executed in the browsers of, other users. In 2007 XSS accounted for about 80% of the exploited vulnerabilities in web applications. Its impact ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data the application handles. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cross-Site Scripting (XSS) allows an attacker to deliver malicious script to another user's browser, where it runs with the privileges of the vulnerable site, including access to that user's session.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'


How to fix
XSS is prevented by encoding data for the context in which it is written into the page, at the moment it is written (output encoding): HTML entity encoding for text between tags, attribute encoding inside attributes, JavaScript string encoding inside scripts, URL encoding inside URLs. Escaping only "<script>" tags is not sufficient: the payloads above use an <svg> element with an event-handler attribute and contain no script tag at all, and the same holds for <img onerror>, <body onload> and many other vectors. Validating input before it is stored is a useful second layer, but it cannot know the output context and is not a substitute. A Content-Security-Policy header and HttpOnly session cookies (see the Insecure Cookies finding) limit what a successful injection can do. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/cross-site-scripting
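The difference between the two fixes described above, as an added example that is not part of this report and not DVWA's code (Python instead of the application's PHP so that it runs standalone; the payload, the simulated page and the function names are constructed for the demonstration): stripping <script> tags leaves an <svg>-with-event-handler payload of the kind the scanner used fully live, while HTML-entity encoding of the output neutralises it.

```python
import html
import re

# Constructed payload in the shape of the scanner's findings: an <svg> element
# with an event-handler attribute. Note that it contains no <script> tag.
SAMPLE_PAYLOAD = '<svg onload="alert(document.cookie)">'


def strip_script_tags(user_input: str) -> str:
    """The insufficient fix: remove <script>...</script> tags and nothing else."""
    return re.sub(r"(?is)</?script[^>]*>", "", user_input)


def encode_for_html_body(user_input: str) -> str:
    """Context-aware output encoding for text placed between HTML tags.

    html.escape() turns < > & " ' into entities, so the browser shows the payload
    as literal text instead of parsing it as markup. Attribute, JavaScript and URL
    contexts need their own encoders; this one is for HTML body text only."""
    return html.escape(user_input, quote=True)


def render_greeting(name: str, encoder) -> str:
    """Simulates the reflected page: the 'name' parameter is echoed into the body."""
    return f"<pre>Hello {encoder(name)}</pre>"


def still_contains_markup(rendered: str) -> bool:
    """Detection helper: is there still a real tag with an on* event handler
    in the rendered HTML? If so, a browser would execute it."""
    return re.search(r"(?is)<[a-z][^>]*\son\w+\s*=", rendered) is not None
```

Run `render_greeting(SAMPLE_PAYLOAD, strip_script_tags)` and `render_greeting(SAMPLE_PAYLOAD, encode_for_html_body)` side by side: the first still contains `<svg onload=` and is flagged by `still_contains_markup`, the second renders as harmless text. The same encoder must be applied at every output point, which is why templating engines with automatic escaping are preferable to hand-placed calls.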


2.6 XXE

2.6.1 What is this
XML External Entity (XXE) injection arises when a web application processes XML documents from an untrusted source without restricting what the parser may do. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. When the website passes the document to a parser that resolves external entities, the parser reads the referenced resource (a local file or an internal URL) and places its contents wherever the entity is used. This can lead to sensitive data exposure, requests to internal systems from the server, denial of service, or in some configurations remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)
Impact: medium (5.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to submit a malicious XML document that the website's parser processes, resolving entities the attacker declared. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents come from an untrusted source, configure the XML processor to reject any document type definition (DTD) contained in the document. With no DTD, no entity can be declared, so neither external entity resolution nor internal entity expansion ("billion laughs") is possible. Where DTDs cannot be disabled, switch off external entity and external DTD loading explicitly. For PHP, as used by this application, that means not passing LIBXML_NOENT or LIBXML_DTDLOAD to DOMDocument::loadXML() or simplexml_load_string(), and on PHP versions before 8.0 calling libxml_disable_entity_loader(true) before parsing.

Recommendations: https://wiki.crashtest-security.com/xxe-processing
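A parser that applies the fix above (refuse any DTD), as an added example that is not part of this report or of DVWA; it is written in Python on the standard library's expat binding rather than in the application's PHP so it can be run offline. The scanner's payload from the finding is re-typed as the test input; the benign document and the helper names are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


# The scanner's payload from the finding above: an external entity pointing at
# /etc/passwd, used twice in the document body.
XXE_PAYLOAD = (
    b"<?xml version='1.0' encoding='utf-8'?>"
    b"<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
    b"<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
    b"<creds><user>&user;</user><pass>&user;</pass></creds>"
)


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <creds><user/><pass/></creds> document into {element: text}
    while refusing any DTD, so no entity, internal or external, can be declared.

    expat reports the DOCTYPE before it reads the internal subset, so the
    SYSTEM entity in the payload is never even declared, let alone resolved."""
    parser = expat.ParserCreate()
    # Also never fetch external parameter entities / external DTD subsets.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(
            f"DOCTYPE {name!r} refused: DTDs are not accepted from untrusted input")

    fields, open_elements = {}, []

    def start(name, attrs):
        open_elements.append(name)

    def end(name):
        open_elements.pop()

    def text(chunk):
        # expat may deliver character data in pieces; append to the innermost element
        if open_elements:
            current = open_elements[-1]
            fields[current] = fields.get(current, "") + chunk

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return {k: v.strip() for k, v in fields.items() if v.strip()}


def is_rejected(data: bytes) -> bool:
    """True if the document is refused because it declares a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False
```

`parse_untrusted_xml(b"<creds><user>alice</user><pass>s3cret</pass></creds>")` returns the two fields; `is_rejected(XXE_PAYLOAD)` is True because parsing stops at the DOCTYPE. Rejecting the DTD outright is preferable to allowing it and hoping the entity resolver is switched off, because it also stops entity-expansion denial of service.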


2.7 COMMANDINJECTION

2.7.1 What is this
Command injection is a vulnerability that arises when the web application passes data from an untrusted source into a system command without proper validation. An attacker can then execute any command available on the server, which can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload "echo crashtest-security$((1212))"

How to fix
Do not pass untrusted input to functions such as exec(), system(), passthru(), shell_exec() or popen() at all when an API exists for the task. Where a command is unavoidable, build it from a fixed program name and an argument list that does not go through a shell, validate the user-supplied argument against a strict allowlist (for an "ip" parameter: it must parse as an IP address, nothing else), and only as a last resort escape each argument with escapeshellarg() so that shell metacharacters such as ; | & $( ) and backticks lose their meaning. Blocklisting individual characters is not sufficient.

Recommendations: https://wiki.crashtest-security.com/command-injection
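The vulnerable construction beside the hardened one, as an added example that is neither this report's nor DVWA's code; Python is used instead of the application's PHP so it runs as-is. The attacker input, the function names and the ping command line are constructed for the demonstration; the argv/allowlist approach is the fix described above.

```python
import ipaddress
import subprocess

# Constructed attacker input: an address followed by a shell command separator.
INJECTED_INPUT = "127.0.0.1; id"


def vulnerable_command(ip: str) -> str:
    """What the vulnerable page effectively does: concatenate user input into a
    command string that is then handed to a shell. Returned here, not executed;
    with shell=True the text after ';' would run as a second command."""
    return "ping -c 1 " + ip


def validated_ip(user_input: str) -> str:
    """Allowlist validation: accept only a syntactically valid IPv4/IPv6 address.
    Spaces, ';', '|', backticks or '$(...)' cannot survive this check."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {user_input!r}") from None


def is_rejected(user_input: str) -> bool:
    """True if the input fails validation, in which case no command is built."""
    try:
        validated_ip(user_input)
    except ValueError:
        return True
    return False


def safe_ping_argv(user_input: str) -> list:
    """Build an argv list: without a shell, metacharacters have no meaning,
    and the value has been validated on top of that."""
    return ["ping", "-c", "1", validated_ip(user_input)]


def run_ping(user_input: str) -> int:
    """Execute via subprocess with an argv list (shell=False is the default)."""
    return subprocess.run(safe_ping_argv(user_input), check=False).returncode
```

`vulnerable_command(INJECTED_INPUT)` yields `ping -c 1 127.0.0.1; id`, which a shell runs as two commands; `is_rejected(INJECTED_INPUT)` is True and `safe_ping_argv("127.0.0.1")` is a four-element list in which the address can only ever be one argument. Both layers matter: the argv list removes the shell, the allowlist removes the surprise when someone later adds `shell=True` back.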


2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that feeds random or pre-defined data to a program. Random data simulates later real-world use, in which not only plausible input has to be processed. Here the fuzzer looks for publicly reachable default paths through which an attacker could gain access to the system. Such default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory that might contain sensitive data. This can either leak sensitive data directly or give an attacker information with which to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
Some paths are exposed on purpose and that is fine, but several in this list are not: /.git lets anyone download the repository and reconstruct the full source tree, including configuration and any credentials ever committed; /phpinfo.php publishes the complete PHP configuration, filesystem paths, loaded modules and environment; /php.ini and /config can contain database credentials; /setup.php is DVWA's database setup page, which (re)initialises the application. Remove such files from production deployments, or where they must stay, restrict them by authentication (Basic Auth via .htaccess or the server configuration) and by network access controls. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this
SQL injection is the exploitation of a database-backed application that fails to keep user input apart from SQL syntax, because meta-characters in the input are neither masked nor validated. The attacker smuggles database commands through the application, which has legitimate access to the database. Since the request is not handled correctly, the injected text changes the original SQL statement and thereby alters its result in the attacker's favour. A successful attack lets the attacker read, modify or delete data, and sometimes take control of the server. There are several ways in: for example, when the query result itself is not displayed, differences in response time or in error messages serve as a side channel (blind SQL injection).

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)
Impact: medium (5.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL statements of their choosing against your database, and so to retrieve, change or delete its data.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
Keep data and SQL syntax apart: use prepared statements (parameterised queries) with bound parameters for every query that includes user input. The statement text contains placeholders, and the driver sends the user's value separately, so the value can never be interpreted as SQL no matter which quotes or keywords it contains. In PHP that means PDO or mysqli prepared statements with bindParam()/bindValue() or execute() parameters, never string concatenation. Object-relational mapping libraries achieve the same because they build parameterised queries underneath. Escaping user input with functions such as mysqli_real_escape_string() is a weaker fallback: it is easy to forget in one place, and it does not protect numeric positions such as the "id" parameter above, where no quotes surround the value. Additionally, let the application connect with a least-privilege database account and do not show database error messages to users, which removes the error-based and some of the blind variants. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations: https://wiki.crashtest-security.com/sql-injections
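How the boolean-based blind finding above works and why a prepared statement closes it, as an added example that is not part of this report or of DVWA. Python with the standard library's sqlite3 stands in for the application's PHP/MySQL; the user table, the probe strings (shaped like the `xyz' AND 5434=5434 AND 'bYyE'='bYyE` payload in the finding) and the function names are constructed for the demonstration.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "password"), ("gordonb", "abc123")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """String-built query: the quote in the input closes the literal and the
    rest becomes SQL. This is the construction the scanner's payload abuses."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username: str) -> list:
    """Prepared statement: the driver binds the value as data, so whatever quotes
    or keywords it contains are compared as part of the username string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed boolean-blind probes: same anchor, one true and one false condition.
PROBE_TRUE = "admin' AND 1=1 AND 'a'='a"
PROBE_FALSE = "admin' AND 1=2 AND 'a'='a"


def blind_oracle(lookup, conn) -> bool:
    """Does the response differ between a true and a false injected condition?
    If yes, the attacker has a yes/no oracle and can extract data one bit at a time
    (replace 1=1 with e.g. SUBSTR(password,1,1)='p' and iterate)."""
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)
```

With `lookup_vulnerable` the true probe returns `['admin']` and the false probe `[]`, so `blind_oracle` is True: the attacker learns one bit per request, which is exactly what the scanner's CASE WHEN payload automates. With `lookup_safe` both probes look for a user literally named `admin' AND 1=1 AND 'a'='a`, both return `[]`, and the oracle is gone.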


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), still widely referred to by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers, so that valuable information such as usernames, passwords and credit card numbers cannot be read by someone analysing the network traffic. The "S" in HTTPS stands for Secure: HTTP carried over SSL/TLS. An HTTPS server needs a certificate. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, web servers must use well-configured certificates and protocol settings: with some misconfigurations the encryption can be bypassed or downgraded, and certificates that are expired, self-signed or issued by an unknown authority are blocked by web browsers.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection depends heavily on the size of the key behind the server certificate. The server offers a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits

How to fix
The RSA key behind the server certificate is 1024 bits, which is too small: keys of that size are considered breakable with realistic resources, and browsers and public certificate authorities have rejected them for years. Generate a new key of at least 2048 bits (RSA) or an elliptic-curve key (ECDSA P-256 or stronger), have a certificate issued for it, and install key and certificate on the server. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure because of multiple known weaknesses: statistical biases in its keystream allow parts of repeatedly transmitted plaintext, such as session cookies, to be recovered. RC4 cipher suites are prohibited in TLS by RFC 7465.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks

How to fix
Remove all RC4 cipher suites from the server's cipher list and replace them with strong suites, preferably AEAD suites such as AES-GCM or ChaCha20-Poly1305 with ECDHE key exchange. RC4 was once recommended as a workaround for BEAST (see the SSL BEAST finding); that trade-off is obsolete, and the right fix for both findings is to disable the old protocol versions and keep only modern ciphers. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain known weaknesses and can no longer be considered secure. Use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The web server still offers deprecated SSL/TLS versions and must be reconfigured to accept only TLS 1.2 and TLS 1.3 (in Apache httpd: SSLProtocol -all +TLSv1.2 +TLSv1.3, or -all +TLSv1.2 where the OpenSSL build predates TLS 1.3). Because protocol version, cipher suites and certificate are negotiated together, review the cipher list (see SSL Cipherlist LOW and SSL RC4) and the certificate (see TLS Key Size) in the same step. SSLv3 on its own exposes the server to POODLE and TLS 1.0 to BEAST; both findings disappear once the old versions are switched off. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate is badly set up with regard to revocation. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let clients verify that a server certificate has not been revoked since it was issued.

Finding

• Neither CRL nor OCSP URI provided

How to fix
Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let a client check whether a certificate has been revoked. If a certificate's private key is compromised, the certificate authority (CA) revokes it at the owner's request and issues a new one; a browser that checks revocation then warns when an attacker presents the compromised certificate. OCSP is the newer of the two mechanisms: it answers for a single certificate and so reflects a revocation quickly, without clients having to download complete revocation lists that may contain thousands of entries. The URIs clients use for either check are extensions inside the certificate (CRL Distribution Points and Authority Information Access) that the issuing CA writes; "neither CRL nor OCSP URI provided" therefore means this certificate carries no revocation information at all, which is typical of self-signed certificates or a private CA. The fix is to obtain a certificate from a CA that publishes revocation information (every public CA does) and, on the server, to enable OCSP stapling so the revocation status is delivered with the TLS handshake. More details can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to LOGJAM, an attack on Diffie-Hellman key exchange with 512- to 1024-bit groups. Most servers use the same few pre-generated primes, so an attacker who performs the (very expensive) precomputation for one of those common primes can break the key exchange of every server that uses it far more cheaply. With export-grade 512-bit groups the attack is also reachable through a protocol downgrade by a man-in-the-middle.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000)

How to fix
Disable export cipher suites (DHE_EXPORT) and never use DH groups smaller than 2048 bits. Prefer ECDHE key exchange, and if finite-field DHE suites remain enabled, generate your own DH parameters of at least 2048 bits (for example with openssl dhparam -out dhparams.pem 2048) and configure the server to use them instead of the common defaults. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support weak ciphers from the OpenSSL groups "LOW", "DES", "RC2" and "RC4". An attacker can force or wait for such a cipher to be negotiated and then break the confidentiality of the connection.

Finding

• Low ciphers such as DES, RC2 and RC4 are offered by the server. You should use stronger ciphers.

How to fix
The list of supported HTTPS cipher suites includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. Restrict the server's cipher list to strong suites (AES-GCM or ChaCha20-Poly1305 with ECDHE, and nothing with DES, 3DES, RC2, RC4, IDEA, NULL, export grade or anonymous key exchange), and make the server enforce its own order (Apache: SSLCipherSuite together with SSLHonorCipherOrder on). A cipher string such as HIGH:!aNULL:!MD5:!RC4:!3DES drops the LOW and MEDIUM groups in one step. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources, such as scripts, images or stylesheets, from. This can prevent various XSS and other Cross-Site-Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES, IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, think of enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix
POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration with your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, think of enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high | CVE-2016-4072 | The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high | CVE-2016-4073 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high | CVE-2014-0185 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium | CVE-2018-1312 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium | CVE-2014-8109 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium | CVE-2015-3185 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium | CVE-2016-0736 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium | CVE-2016-2161 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
• What is this
• TLS Key Size
• SSL RC4
• SSL Protocol Version
• Certificate Revocation
• SSL LOGJAM Common Primes
• SSL Cipherlist LOW
• X-XSS-Protection Header
• SSL BEAST
• SSL Cipherlist AVERAGE
• X-Content-Type-Options Header
• SSL Insecure Algorithm
• Content-Security-Policy Header
• SSL Cipher Block Chaining TLS1
• X-Frame-Options Header
• SSL Cipherlist 3DES IDEA
• SSL SWEET32
• SSL Trust
• Referrer-Policy Header
• SSL Cipher Block Chaining SSL3
• Non HttpOnly Cookies
• SSL POODLE
• SSL Cipher Order
• TLS Configuration
• Missing HSTS
• Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings


2.3.3 Fingerprint Web Server

Severity

Base Score: medium (6.8/10)

Impact: -

Exploitability: -

All values are based on the Common Vulnerability Scoring System v3

Description

The webserver publicly provides information about itself, such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding

• The webserver is running Apache 2.4.7 (17 connected CVE issues have been found. The most severe vulnerability has a CVSS score of medium (6.8/10). See Appendix "Apache 2.4.7 CVE Findings" for a detailed list of the CVEs.)

How to fix
The amount of information a server shares can be set in its configuration files. Depending on the webserver used, the configuration file is found in different locations (see Recommendations for the exact location). In most cases it is sufficient to change one or two settings (for Apache, ServerTokens Prod and ServerSignature Off) to avoid publishing unnecessary information. After saving the changes, restart or reload the webserver to activate them. Note that suppressing the banner only closes the fingerprinting finding; the 17 CVEs listed in the appendix are fixed only by patching or upgrading Apache, since an attacker can still probe for them without knowing the version.

Recommendations: https://wiki.crashtest-security.com/server-version-fingerprinting


2.4 PORTSCAN

2.4.1 What is this
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which carry HTTP and HTTPS, are most likely open to serve the website to its users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan over a wide range of possibly open ports and reports them back. Any open ports other than 80 and 443 should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can then be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled. Note that a SYN scan only reports listening TCP ports; UDP services are not covered by this check.

Recommendations: https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this
Cross-site scripting (XSS) refers to exploiting a vulnerability in a web application that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007, XSS accounted for roughly 80% of the documented exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data handled by the application. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content such as advertisements, redirects or spam in an application. Cross-site scripting also provides the foundation for a variety of other attacks such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Cross-Site Scripting (XSS) allows an attacker to deliver malicious client-side code to a different user of the application, where it runs with that user's session and privileges.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>'

The findings are reported as "possible" because the scanner observes its unique marker being reflected unencoded; each should be confirmed by hand. The xss_r finding is reflected XSS (the payload only affects the request that carries it), whereas the xss_s parameters are stored and affect every later visitor of the page.


How to fix
XSS is prevented by encoding untrusted data for the context in which it is written out (HTML body, HTML attribute, JavaScript, URL), not by escaping or stripping the "<script>" tag alone: the payloads above use an <svg> element and contain no <script> tag at all. Validating input before it is stored helps, but it is not sufficient on its own, because stored data (see the xss_s findings) is rendered later in contexts the validation did not anticipate; the encoding has to happen at output time. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/cross-site-scripting
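As an added example (not part of the report, and not DVWA's or the scanner's code), the following Python contrasts the report's literal advice, removing "<script>" tags, with context-aware output encoding. The two payloads and the page template are constructed for the example, not the scanner's markers; the template assumes the parameter is written into the HTML body, as on the xss_r page.

```python
import html
import re

# Constructed payloads (not the scanner's): one uses an event handler on an <svg>
# element and has no <script> tag at all; the other hides a <script> tag inside
# another one so that a single-pass tag removal reassembles it.
PAYLOAD_SVG = "<svg onload=alert(1)>"
PAYLOAD_NESTED = "<scr<script>ipt>alert(1)</script>"

_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """The 'escape the <script> tags' advice taken literally: drop <script> and
    </script> and leave everything else untouched."""
    return _SCRIPT_TAG.sub("", value)


def encode_for_html(value: str) -> str:
    """Context-aware fix for the HTML body and quoted-attribute contexts: every
    character that could start or end markup becomes an entity. JavaScript and
    URL contexts need their own encoders; this one is not enough there."""
    return html.escape(value, quote=True)


def render_greeting(name: str, encoder) -> str:
    """Assumed page template: the 'name' parameter is written into the HTML body
    after being passed through the chosen encoder."""
    return f"<pre>Hello {encoder(name)}</pre>"


def injected_tags(page: str) -> set:
    """Element names present in the rendered page beyond the template's own <pre>;
    a non-empty set means the user-controlled value became markup."""
    found = re.findall(r"<([A-Za-z][A-Za-z0-9]*)", page)
    return {t.lower() for t in found} - {"pre"}


if __name__ == "__main__":
    for label, encoder in (("strip <script>", strip_script_tags), ("html.escape", encode_for_html)):
        for payload in (PAYLOAD_SVG, PAYLOAD_NESTED):
            page = render_greeting(payload, encoder)
            print(f"{label:14} {payload!r:40} -> injected tags: {injected_tags(page) or 'none'}")
```

With the tag-stripping "fix", the first payload is untouched and the second is reassembled into a live `<script>` tag; with output encoding neither payload produces an element, while a harmless value such as `Bob <b>` is still displayed verbatim as text.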


2.6 XXE

2.6.1 What is this
XXE (XML External Entity) is a vulnerability that arises if a web application processes XML documents from an untrusted source without proper validation. To exploit it, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the document to an XML parser that resolves external entities, the entity's content (a local file or a URL fetched by the server) is pulled into the document. This can lead to sensitive data exposure, server-side request forgery, denial of service through entity expansion, or in some parser configurations even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

XXE allows an attacker to submit a crafted XML document that the website parses with external entities enabled, so that the parser reads files or URLs on the attacker's behalf. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix
If XML documents are received from an untrusted source, the XML processor should be configured to disallow any document type definition (DTD) included in the document; this blocks external entities and entity-expansion attacks in one step. Where DTDs are genuinely required, external entity resolution and external DTD loading must be disabled explicitly, since several common parsers resolve them by default.

Recommendations: https://wiki.crashtest-security.com/xxe-processing
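Added example in Python, not from the report or the scanned application: a parser for untrusted XML that refuses any DTD and any external entity before the parser can act on them, using the standard library's expat binding. The benign document is constructed; the attack document reproduces the shape of the payload in the finding above. The flat `<creds><user>..</user><pass>..</pass></creds>` layout is an assumption about the consuming page.

```python
import xml.parsers.expat as expat

# Constructed benign input and the report's payload shape (file:///etc/passwd via an
# external entity declared in an inline DTD).
BENIGN = b"<creds><user>alice</user><pass>s3cret</pass></creds>"
XXE_PAYLOAD = (
    b"<?xml version='1.0' encoding='utf-8'?>"
    b"<!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY >"
    b"<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
    b"<creds><user>&user;</user><pass>&user;</pass></creds>"
)


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a DTD or an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat document into {child_element: text}, aborting on the first
    DOCTYPE or external entity reference. Rejecting the DOCTYPE also stops
    internal-entity expansion attacks ('billion laughs'), since those need a DTD too."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted from untrusted input")

    def reject_external_entity(context, base, sysid, pubid):
        # Defence in depth: never reached when DOCTYPEs are rejected, but it is
        # the handler that would otherwise be asked to fetch the file or URL.
        raise UnsafeXML(f"external entity {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    fields, stack, buf = {}, [], []

    def start(name, attrs):
        stack.append(name)
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        stack.pop()
        if stack:  # a child of the root element: record its text
            fields[name] = "".join(buf).strip()
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without touching a DTD or external entity."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    try:
        parse_untrusted_xml(XXE_PAYLOAD)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The check happens inside the parser rather than with a regular expression over the raw bytes, so encoding tricks that hide the literal string `<!DOCTYPE` from a pre-scan do not help the attacker: expat sees the declaration after decoding and the handler fires before any entity is declared.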


2.7 COMMAND INJECTION

2.7.1 What is this
Command injection is a vulnerability that arises when the web application passes data from an untrusted source to a system shell or command interpreter without proper validation. With this vulnerability an attacker can execute any system command available to the web server's user account, which can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Command injection allows an attacker to execute arbitrary system commands on the server.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))"

How to fix
Every user input has to be validated by the web application before it is used. Untrusted user input should not be passed to functions like "exec()" or "system()" without a strict check; for a parameter such as "ip", that check is an allow-list (a valid IP address or hostname), not a deny-list of shell metacharacters. Where possible, avoid the shell entirely and invoke the program with an argument list, so that the input can never be interpreted as part of a command line.

Recommendations: https://wiki.crashtest-security.com/command-injection
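Added Python example, not code from the report or from DVWA: the vulnerable pattern behind the finding (the "ip" parameter pasted into a shell command line) next to a hardened version that validates the target against an allow-list and runs the program without a shell. The `ping -c 1` command line is an assumption about what the tested page runs; `run_ping` needs a ping binary and is only called under the main guard.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, not starting or ending
# with a hyphen, so values such as "-f" cannot become options for the program either.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_shell_command(target: str) -> str:
    """The pattern behind the finding: the parameter is concatenated into a command
    line that is handed to a shell. A target of '8.8.8.8; id' makes the shell run
    'id' after ping; anything after ';', '|', '&&' or inside $(...) is attacker code."""
    return "ping -c 1 " + target


def is_valid_target(target: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(target))


def safe_ping_argv(target: str) -> list:
    """Argument vector for subprocess: no shell is involved, so the target is always
    exactly one argument, and it has already been checked against the allow-list."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def quoted_shell_command(target: str) -> str:
    """Fallback when a shell is unavoidable (e.g. a legacy wrapper script): validate
    first, then quote so the shell treats the value as one literal word."""
    return "ping -c 1 " + shlex.quote(safe_ping_argv(target)[-1])


def run_ping(target: str) -> int:
    """Execute without a shell (shell=False is subprocess's default)."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    for candidate in ("8.8.8.8", "dvwa.dev.crashtest.cloud", "8.8.8.8; id", "$(id)", "-f"):
        print(f"{candidate!r:30} valid={is_valid_target(candidate)}"
              f"  shell line would be: {vulnerable_shell_command(candidate)!r}")
    print("exit code:", run_ping("127.0.0.1"))
```

The validation is the primary control and the argument list is the structural one: even if the allow-list had a gap, a value passed through `safe_ping_argv` can only ever reach `ping` as its own argument, never as a second command.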


2.8 FUZZER

2.8.1 What is this
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that feeds random or pre-defined data into a program. The random data simulates later real use, in which not only plausible data must be processed. In this case the fuzzer looks for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality that modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server grants access to a file or directory that might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely acceptable to expose certain file paths, as long as it is done on purpose; others are exposed unwillingly. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they are usually not needed in a production environment. Of the paths above, /.git/ (the full application source and its history), phpinfo.php and php.ini (PHP configuration, module list and file system paths) and /config/ (which in DVWA holds the database credentials) deserve priority, because they leak far more than a documentation page does and should never be reachable on a production host. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQL INJECTION

2.9.1 What is this
SQL injection refers to the exploitation of a database vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL command and therefore alters the result in favor of the attacker. With a successful attack, the attacker is able to read data, modify it or delete it altogether, and in some configurations gain control over the server. The attacker has different ways to confirm the injection: for example, through differences in response time (time-based blind) or in error messages (error-based), or, as in the findings below, purely through whether a page returns a result or not (boolean-based blind).

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: separate the user's input from the SQL statement before sending it to the database. Escaping all potentially harmful characters so that they cannot affect the resulting query is possible but error-prone, since the rules differ by database and by context (string literal, number, identifier). Most common frameworks support safer ways to do this: one option is to use an object-relational mapping library that builds the queries itself. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; the input is bound to the placeholders separately from the query text, so the database never interprets it as SQL. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations: https://wiki.crashtest-security.com/sql-injections
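Added example (Python with the standard library's sqlite3; not the report's or DVWA's code) showing why the boolean-based blind finding matters: with the id parameter spliced into the query text, an attacker needs only a yes/no oracle (row returned or not) to extract a password hash one character at a time; with a bound parameter the same payloads return nothing. The table layout and the two MD5 hashes are constructed for the example, and the query mirrors the DVWA SQLi page only in shape.

```python
import sqlite3

HEX = "0123456789abcdef"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with (unsalted MD5) password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
            (2, "gordon", "brown", "e99a18c4428cb38d5f260853678922e3"),
        ],
    )
    return db


def lookup_vulnerable(db, user_id: str) -> list:
    """The pattern behind the finding: the request parameter becomes part of the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id: str) -> list:
    """Prepared statement: the parameter is bound, never parsed as SQL."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def blind_extract(oracle, max_len: int = 32) -> str:
    """Boolean-based blind extraction of user 1's password hash.

    oracle(payload) -> bool answers one question per call: 'did the page show a
    result?'. Each payload keeps the WHERE clause true for user 1 and appends a
    condition on one character of the secret, so the answer leaks that character.
    The closing quote comes from the template's own trailing "'"."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in HEX:
            payload = (
                "1' AND substr((SELECT password FROM users WHERE user_id=1),"
                f"{pos},1)='{ch}"
            )
            if oracle(payload):
                found += ch
                break
        else:  # no candidate matched: end of the secret, or the oracle is blind
            break
    return found


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_extract(lambda p: bool(lookup_vulnerable(db, p))))
    print("prepared:  ", repr(blind_extract(lambda p: bool(lookup_safe(db, p)))))
```

Each hash character costs at most 16 requests, so the whole 32-character hash leaks in a few hundred ordinary-looking page loads, which is why a "possible" blind finding should be treated as a confirmed read of the database. The same loop against `lookup_safe` returns an empty string on the first position: the bound value `1' AND substr(...)` is compared as a literal id and matches no row.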


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), still widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers. This ensures that valuable information such as usernames, passwords and credit card numbers cannot be read by someone observing the network traffic. The "S" in HTTPS stands for "secure"; the protocol underneath is TLS. For a secure connection with HTTPS, a certificate is needed. Certificates offer different levels of assurance and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates and protocol settings. Some misconfigurations allow an attacker to weaken or bypass the encryption; others cause browsers to block the site because the certificate is outdated or not trusted.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The security of a TLS connection depends heavily on the key size used. The server presents a certificate whose key size results in weak protection.

Finding

• The certificate key size is RSA 1024 bits

How to fix
The key of the server certificate is too small and can be broken with realistic effort. This is solved by issuing a certificate with a larger key: 2048-bit RSA is the minimum that public CAs and browsers accept, and 3072-bit RSA or an ECDSA P-256 key is preferable. The key pair must be regenerated; a new certificate cannot simply be re-issued for the existing 1024-bit key. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities; its keystream biases allow plaintext such as cookies to be recovered from a large number of encrypted connections.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks

How to fix
"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it, and RFC 7465 prohibits its use in TLS. It is recommended to remove all RC4 cipher suites from the server configuration and rely on AEAD suites (AES-GCM, ChaCha20-Poly1305). More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weaknesses that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver offers deprecated SSL/TLS versions and needs to be reconfigured to offer TLS 1.2 and TLS 1.3 only. All SSL versions and TLS 1.0/1.1 should be disabled; there is no "newest version of SSL" to fall back on, every SSL version is obsolete. Merely offering a newer version next to the old ones does not help, because an active attacker can force a downgrade to the weakest version both sides still accept. In addition, the webserver should be configured with strong, trusted certificates and strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The certificate presented by the webserver carries no revocation information. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) allow clients to verify that a server certificate has not been revoked.

Finding

• Neither CRL nor OCSP URI provided

How to fix
The certificate carries no CRL distribution point and no OCSP responder URI. These make it possible to withdraw a certificate whose private key has been compromised: the certificate authority (CA) revokes it, a replacement certificate is issued, and the compromised certificate (now in the attacker's hands) produces warnings when a client checks its status. OCSP is the newer method, as it lets a client query the status of a single certificate instead of downloading a complete revocation list potentially containing thousands of entries. Note that both URIs are placed into the certificate by the issuing CA, not by the webserver: a certificate without them (typically a self-signed or internally issued one) cannot be fixed through webserver configuration, only by obtaining a certificate from a CA that publishes revocation information. OCSP stapling, in which the server attaches a fresh OCSP response to the handshake, is then a server-side setting worth enabling. More details can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is vulnerable to LOGJAM, an attack against Diffie-Hellman key exchange with 512- to 1024-bit groups. Most servers use the same few pre-generated primes, so an attacker can invest the expensive precomputation for such a prime once and then break every individual key exchange that uses it cheaply; for 512-bit export-grade groups this is practical for a single attacker, and a downgrade to such a group can be forced on servers that still offer DHE_EXPORT cipher suites.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix
LOGJAM attacks are prevented by disabling all export-grade (DHE_EXPORT) cipher suites, and by using either ECDHE key exchange or Diffie-Hellman parameters of at least 2048 bits that were generated for this server rather than taken from a well-known set. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support low-strength ciphers of the OpenSSL "LOW" class, such as DES, RC2 and RC4. This means that an attacker can negotiate an SSL/TLS connection whose encryption can be broken.

Finding

• Low ciphers like DES, RC2 and RC4 are offered by the server. You should use stronger ciphers.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values, and the server should be configured to prefer its own order over the client's. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-XSS-Protection header tells the browser how its built-in reflected-XSS filter should handle a detected attack. If this header is not configured correctly, reflected XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked. Treat this as a legacy, defence-in-depth setting only: the filter it controls has been removed from Chromium-based browsers and was never implemented in Firefox, so it does nothing for current clients, and in older browsers the '1' (sanitizing) mode has itself been abused to break pages selectively. The actual protection is output encoding in the application (section 2.5) together with a Content-Security-Policy (section 2.10.13).

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialisation vectors of cipher block chaining (CBC) mode in SSLv3 and TLS 1.0, a man-in-the-middle attacker who can also inject chosen requests from the victim's browser can decrypt parts of the traffic and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix
BEAST attacks are prevented by ensuring that neither SSLv3 nor TLS 1.0 is offered. Modern browsers mitigate BEAST on their side (1/n-1 record splitting), which is why the scanner marks the finding as likely mitigated; disabling the old protocol versions removes the dependence on client-side mitigation entirely. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support average-strength ciphers: SEED and the 128/256-bit CBC-mode ciphers (AES, CAMELLIA and ARIA with HMAC). These are not broken outright, but CBC suites in TLS have a history of padding-oracle and timing attacks (BEAST, Lucky 13, POODLE variants) and no longer exist in TLS 1.3, so an attacker who can force their selection has a weaker construction to work against.

Finding

• The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated

How to fix
The list of supported HTTPS ciphers includes weak ciphers, so an attacker can negotiate a weaker SSL/TLS connection than necessary. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values, preferring AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-Content-Type-Options header prevents the browser from guessing the MIME type of a response from its content ("MIME sniffing"). This protects against attacks in which a malicious file is served under an unsuspicious content type and the browser would otherwise reinterpret it, for example as a script or as HTML.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Set the X-Content-Type-Options header to 'nosniff' on every response, so that the browser honours the declared Content-Type instead of detecting the MIME type from the file content. This only works if the application declares a correct Content-Type in the first place.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The certificate is signed with a hash algorithm that has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
The certificate signature uses MD5, for which collision attacks are practical; this has been used to forge certificates that carry a valid CA signature. The certificate needs to be re-issued with a SHA-2 family signature (SHA-256 or stronger). Browsers have rejected MD5-signed certificates for years, so this finding also explains part of the trust warnings in section 2.10.18. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources such as scripts, images or stylesheets, and whether inline scripts are allowed at all. A suitable policy limits the damage of XSS and other injection attacks, because injected script is refused by the browser even if the application failed to encode its output.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src (or in a default-src that script-src falls back to), since either one lets injected inline script run and defeats the purpose of the policy. Where inline scripts cannot be removed yet, use nonces or hashes instead, and roll the policy out with Content-Security-Policy-Report-Only first to find what it would block.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The webserver is configured to allow TLS 1.0 connections with ciphers in Cipher Block Chaining mode (CBC). In TLS 1.0 the initialisation vector of each record is the last ciphertext block of the previous one, which is predictable and allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: the BEAST attack leverages a weakness in cipher block chaining (CBC) mode that enables man-in-the-middle attacks

How to fix
Disable TLS 1.0 (together with SSLv3 and TLS 1.1) so that only TLS 1.2 and TLS 1.3 are offered; TLS 1.1 and later use explicit per-record IVs, and TLS 1.3 has no CBC suites at all. In addition, the webserver should be configured with strong, trusted certificates and strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-Frame-Options header as 'DENY' to prevent the site from being embedded at all, or 'SAMEORIGIN' to allow embedding only by pages of the same origin. The older 'ALLOW-FROM DOMAIN' value is not supported by current browsers and should not be relied on; to permit specific third-party sites, use the Content-Security-Policy directive frame-ancestors, which supersedes X-Frame-Options and is honoured in preference to it where both are present.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL classes "3DES" and "IDEA"). These are 64-bit block ciphers, so an attacker can negotiate an SSL/TLS connection that is exposed to the birthday-bound attack described in section 2.10.17.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 single DES and IDEA are removed, and TLS 1.3 defines no 3DES suites. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values, excluding every suite built on DES, 3DES or IDEA. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The server offers ciphers with a 64-bit block size. With such a small block, two ciphertext blocks encrypted under the same key are expected to collide after about 2^32 blocks (roughly 32 GB of traffic), and a collision in CBC mode reveals the XOR of two plaintext blocks. An attacker who can keep a single long-lived connection busy, for example with scripted requests from the victim's browser, can use this to recover secrets that are sent repeatedly, such as HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks are prevented by using only cipher suites with a 128-bit block size (AES, and the ChaCha20 stream cipher, which has no block-size limit of this kind), and by removing 3DES, IDEA, DES and RC2 from the configuration. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the name in the certificate does not match the webserver's domain, if the certificate is self-signed, or if it is not signed by a certificate authority the client trusts.

Finding

• There is no Subject Alternative Name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain it was served from. A trusted certificate needs to contain the correct information for the web application: the domain name must appear in the Subject Alternative Name (SAN) extension, since current browsers ignore the Common Name entirely and reject certificates without a SAN. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present that certificate, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

Severity | CVE | Description
high | CVE-2016-4072 | The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.
high | CVE-2016-4073 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
high | CVE-2014-0185 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

Severity | CVE | Description
medium | CVE-2018-1312 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
medium | CVE-2014-8109 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
medium | CVE-2015-3185 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium | CVE-2016-0736 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
medium | CVE-2016-2161 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.
medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.
medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2.4 PORTSCAN

2.4.1 What is this

A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and port 443, which are for HTTP/HTTPS, are most likely open to serve the website to the users. Other ports should be closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range of possibly open ports and reports them back. If there are any other open ports besides port 80 and port 443, they should be blocked by the firewall if they are not needed.

2.4.2 Portscanner

Severity

Base Score: informational (0/10)

Impact: informational (0/10)

Exploitability: informational (0/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Unneeded open ports on the webserver open a large attack surface to a malicious user. This can be used to find unmaintained and possibly vulnerable network services that can be targeted.

Finding

• Found open port "80/tcp" with service name "Apache httpd"
• Found open port "443/tcp" with service name "Apache httpd"

How to fix

Unnecessarily open ports can be closed by setting up a firewall and blocking connections to all ports except those that are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations

https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner


2.5 XSS

2.5.1 What is this

Cross-site scripting (XSS) refers to exploiting a computer security vulnerability in web applications that lets an attacker infect web pages with client-side scripts, which are then invoked by other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS can range from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS, an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r. The parameter 'name' seems vulnerable to payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize. The parameter 'data' seems vulnerable to payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'mtxMessage' seems vulnerable to payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s. The parameter 'txtName' seems vulnerable to payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'text' seems vulnerable to payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "on>'

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql. The parameter 'title' seems vulnerable to payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "on>'


How to fix

XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then executed. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations

https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability, an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations

https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case, the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is done on purpose. While some paths may be exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work, the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to an SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input, and while binding the input into the query the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this?

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in a weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it way easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other cross-site scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSL/TLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSL/TLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2.5 XSS

2.5.1 What is this

Cross-site scripting (XSS) refers to exploiting a security vulnerability in web applications that lets an attacker inject client-side scripts into web pages, which are then executed in the browsers of other users. In 2007, XSS accounted for about 80% of the exploited vulnerabilities in web applications. The impact of XSS ranges from a small nuisance to a significant security risk, depending on the sensitivity of the data. With XSS an attacker can, for example, bypass access controls, steal client data, or place external content like advertisements, redirects or spam in an application. Cross-site scripting provides the foundation for a variety of other attacks, such as session hijacking or session fixation.

2.5.2 Cross-Site Scripting (XSS)

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cross-Site Scripting (XSS) allows an attacker to send malicious code to a different user.

Finding

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_r/. The parameter 'name' seems vulnerable for payload '<svg b2d54995-0dcd-4b11-aeaf-67cb770883f3 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/deserialize/. The parameter 'data' seems vulnerable for payload '<svg 3159c2ae-840b-425d-8d90-c2bdc0395f8c "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'mtxMessage' seems vulnerable for payload '<svg 11cb1881-5005-4361-8249-6a016f7c8f65 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/xss_s/. The parameter 'txtName' seems vulnerable for payload '<svg 94b36753-bbd7-413a-acff-d73b5ca88140 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'text' seems vulnerable for payload '<svg 0b34a9ce-6ad4-4df3-91ff-891fb958a9a3 "ons>'.

• Found possible XSS vulnerability on site dvwa.dev.crashtest.cloud/vulnerabilities/nosql/. The parameter 'title' seems vulnerable for payload '<svg 4f43f3fb-9679-492d-af98-0080e716adf6 "ons>'.


How to fix

XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting


2.6 XXE

2.6.1 What is this

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed by the XML parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations

https://wiki.crashtest-security.com/xxe-processing


2.7 COMMANDINJECTION

2.7.1 What is this

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))"

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations

https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input of a program. The random data simulates later real-world use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git/ by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to an SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they do not affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use Object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so called "prepared statements". These are queries containing placeholders for the user's input, and while binding the input in the query the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm in most cases uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000.

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW, DES, RC2, RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-in-the-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE -- but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 36 of 54

DVWA - 24 Mar 20 2334 CET

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various Cross-Site-Scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers ("3DES/IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for multiple inputs (a collision). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


How to fix

XSS can be prevented by sanitizing the user's input before saving it to a database or returning it back to the user. In most cases the attacker injects JavaScript into the application. By escaping the "<script>" tags this can be avoided. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/cross-site-scripting

2.6 XXE

2.6.1 What is this?

XXE is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that includes an external entity. If the website passes the XML document to the XML parser, the external entity will be resolved in some cases. This can lead to sensitive data exposure or even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed by the XML parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe" with payload "<?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>%26user;</user><pass>%26user;</pass></creds>"

How to fix

If XML documents are received from an untrusted source, the XML processor should be configured to disallow any declared document type definition (DTD) included in the XML document.

Recommendations

https://wiki.crashtest-security.com/xxe-processing

2.7 COMMANDINJECTION

2.7.1 What is this?

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec" with payload " echo crashtest-security$((1212))"

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations

https://wiki.crashtest-security.com/command-injection

2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input of a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed on a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQL INJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. For this to work the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they do not affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input, and while binding the input in the query the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other Cross-Site Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3 DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes collisions (the same output block for multiple inputs) likely. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

• high: CVE-2016-4072. The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

• high: CVE-2016-4073. Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

• high: CVE-2014-0185. sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

• medium: CVE-2018-1312. In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

• medium: CVE-2014-8109. mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

• medium: CVE-2015-3185. The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Apache 2.4.7 (continued)

medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


Apache 2.4.7 (continued)

medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial-of-service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSL/TLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSL/TLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings


2.6 XXE

2.6.1 What is this

XXE (XML External Entity injection) is a vulnerability that arises if web applications handle XML documents from an untrusted source without proper validation. In order to exploit this vulnerability, an attacker extends the XML document with a document type definition (DTD) that declares an external entity. If the website passes the XML document to an XML parser that resolves external entities, the entity's target (a local file, or an internal URL) is fetched and its content substituted into the document. This can lead to sensitive data exposure, server-side request forgery against internal services, or, depending on the parser and its extensions, even remote code execution.

2.6.2 XXE

Severity

Base Score: critical (9.4/10)

Impact: medium (5.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

XXE allows an attacker to inject malicious XML documents into the website, which are then processed by the server's XML parser. This can lead to sensitive data disclosure or remote code execution.

Finding

• Found XXE in parameter "xml" with method "get" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/xxe/" with payload (shown URL-decoded): <?xml version='1.0' encoding='utf-8'?><!DOCTYPE creds [<!ELEMENT user ANY ><!ELEMENT pass ANY ><!ENTITY user SYSTEM 'file:///etc/passwd'>]><creds><user>&user;</user><pass>&user;</pass></creds>

How to fix

If XML documents are received from an untrusted source, the XML processor must be configured to never resolve external entities and to ignore any document type definition (DTD) included in the document. The simplest robust rule is to reject documents that contain a DOCTYPE at all, since a DTD is the only place an entity can be declared.

Recommendations
https://wiki.crashtest-security.com/xxe-processing
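As an added example (not part of the report and not DVWA's code), the following PHP contrasts the parser call that makes the finding above possible with a safe replacement. The constructed payload mirrors the finding; the function names are placeholders.

```php
<?php
// Added example, not DVWA code. Shows the pattern that makes XXE possible and a safe replacement.

// VULNERABLE (illustration only): LIBXML_NOENT tells libxml to substitute entities, so the
// external entity in the report's payload is resolved and /etc/passwd ends up inside <user>.
function parse_xml_vulnerable(string $xml)
{
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// SAFE: never resolve entities and refuse documents that declare a DTD at all.
function parse_xml_safe(string $xml): ?SimpleXMLElement
{
    // A DTD is the only place an entity can be declared; untrusted input has no reason to carry one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }
    // PHP < 8.0 with an old libxml2: additionally disable external entity loading globally.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true); // parser errors must not leak into the response
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET blocks any network fetch as well.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed input resembling the finding's payload (entity pointing at /etc/passwd).
$payload = "<?xml version='1.0' encoding='utf-8'?>"
    . "<!DOCTYPE creds [<!ENTITY user SYSTEM 'file:///etc/passwd'>]>"
    . "<creds><user>&user;</user><pass>x</pass></creds>";

var_dump(parse_xml_safe($payload) === null);                            // bool(true): rejected
var_dump(parse_xml_safe('<creds><user>bob</user></creds>') !== null);   // bool(true): accepted
```

The same rules apply to DOMDocument::loadXML() (pass LIBXML_NONET, never LIBXML_NOENT or LIBXML_DTDLOAD) and to XMLReader; the DOCTYPE check in front of the parser is what keeps the application safe even if a future refactor changes the parser flags.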


2.7 COMMANDINJECTION

2.7.1 What is this

Command injection is a vulnerability which is caused if the web application passes data from an untrusted source to a system shell without proper validation. With this vulnerability an attacker can execute any system command available to the web server's user account. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)

Impact: medium (5.9/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Command injection allows an attacker to execute arbitrary system commands on the web server.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload "echo crashtest-security$((1212))". The $((...)) arithmetic expansion only produces a number if a shell evaluated the payload, which is how the scanner confirms that the parameter reaches a shell.

How to fix

Every user input has to be validated by the web application before it is used. Untrusted user input should not be passed to functions like exec(), system(), shell_exec(), passthru() or the backtick operator without strict validation against the expected format (for this parameter: a syntactically valid IP address). Where a shell cannot be avoided, each argument must be quoted with escapeshellarg(); better still, invoke the program directly without a shell.

Recommendations
https://wiki.crashtest-security.com/command-injection
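As an added example (not part of the report and not DVWA's code), the following PHP shows the vulnerable concatenation beside two safe variants for the "ip" parameter of the finding above. It assumes PHP 7.4 or later for the array form of proc_open(); function names are placeholders.

```php
<?php
// Added example, not DVWA code. The page takes an "ip" parameter and pings it.

// VULNERABLE (illustration only): the parameter is concatenated into a shell command line,
// so "127.0.0.1; echo crashtest-security$((1212))" runs echo after ping.
function ping_vulnerable(string $ip): string
{
    return (string) shell_exec('ping -c 4 ' . $ip);
}

// SAFE: validate against the one shape the parameter may have, then run ping without a shell.
function ping_safe(string $ip): string
{
    // Allow-list validation: anything that is not an IPv4/IPv6 literal is rejected outright.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ip must be an IPv4 or IPv6 address');
    }
    // Array form of proc_open (PHP >= 7.4) executes the binary directly; there is no shell
    // to interpret ; | && or $(...), so metacharacters cannot change what runs.
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '4', $ip], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// If a shell really is unavoidable (e.g. a pipeline), quote every argument.
function ping_via_shell(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ip must be an IPv4 or IPv6 address');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
    // so the shell sees exactly one argument.
    return (string) shell_exec('ping -c 4 ' . escapeshellarg($ip));
}

// Constructed inputs: the second one is rejected before any process starts.
echo ping_safe('127.0.0.1');
try {
    ping_safe('127.0.0.1; echo crashtest-security$((1212))');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Validation comes first in both safe variants on purpose: escapeshellarg() stops the argument from breaking out of the command line, but it does not stop a value like "-f" from being interpreted as an option by the program itself, which only the format check prevents.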


2.8 FUZZER

2.8.1 What is this

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that feeds random or pre-defined data into a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)

Impact: low (1.4/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix

In some cases it is completely acceptable to expose certain file paths, as long as it happens on purpose. Several of the paths above are not in that category: /.git exposes the repository history and therefore the complete source code, the config directory typically holds the database credentials, phpinfo.php and php.ini disclose the PHP configuration and loaded modules, and setup.php can re-initialise the database. Such paths should be removed from the production deployment or protected, for example by Basic Auth (.htaccess) or by denying access in the webserver configuration. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure
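As an added example (not part of the report and not DVWA's configuration), the following Apache 2.4 fragment closes the paths listed in the finding above. The document root /var/www/html and the htpasswd location are assumptions; adjust them to the real deployment.

```apache
# Added example, not part of the report or of DVWA. Apache 2.4 fragment closing the paths from
# finding 2.8.2. The document root /var/www/html and the htpasswd path are assumptions.
<Directory "/var/www/html">
    # No auto-generated listings: /config, /docs and /.git were enumerated this way.
    Options -Indexes
    Require all granted
</Directory>

# Repository metadata and configuration must never be served: /.git yields the complete
# source history, and config/ typically holds the database credentials.
<DirectoryMatch "^/var/www/html/(\.git|config|docs)(/|$)">
    Require all denied
</DirectoryMatch>

# Dotfiles, documentation and ini/backup files anywhere under the root
# (covers php.ini, README.md and CHANGELOG.md from the finding).
<FilesMatch "(^\.|\.(md|ini|bak|orig|sql)$)">
    Require all denied
</FilesMatch>

# setup.php re-initialises the database and phpinfo.php prints the full PHP configuration.
# Delete them from the production image; until then, require credentials.
<FilesMatch "^(setup|phpinfo)\.php$">
    AuthType Basic
    AuthName "Administration"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</FilesMatch>
```

about.php and instructions.php are documentation pages of the application itself and may stay public by decision; the point of the fragment is that every exposed path is exposed on purpose. After reloading Apache, each URL from the finding should return 403 (or 401 for the Basic Auth ones) instead of 200.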


2.9 SQLINJECTION

2.9.1 What is this

SQL injection refers to the exploitation of a database-access vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker injects his own database commands through the application, which has access to the database. As the input is not validated correctly, the injected code changes the original SQL command and therefore alters the results in favor of the attacker. With a successful attack the attacker is able to read data, modify it or delete it altogether, and in some database configurations gain control over the server. The attacker has different ways to detect and exploit the weakness, for example via differences in response time (time-based blind) or via error messages (error-based).

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The robust answer is: keep user input out of the query text altogether. In case direct SQL queries are required, use so-called "prepared statements" (parameterized queries). These are queries containing placeholders for the user's input; the input is bound to the placeholders separately and is never parsed as SQL. Object-relational mapping libraries use the same mechanism underneath, and most common frameworks support it. Sanitizing the input by escaping potentially harmful characters is only a fallback: it has to be done correctly for every query and every character set, and one missed call re-opens the hole. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections
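As an added example (not part of the report and not DVWA's code), the following PHP shows parameterized queries for both findings above. The table and column names, the database name and the credentials are assumptions made for the example; they are not taken from the scanned application.

```php
<?php
// Added example, not DVWA code. Assumed schema: table users(user_id, first_name, last_name,
// user, password) where password holds a password_hash() value. Credentials are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4', 'dvwa', 'p@ssw0rd', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: data never becomes SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// 2.9.2, first finding (parameter "id"). The vulnerable form would be
//   "SELECT first_name, last_name FROM users WHERE user_id = '$id'"
// so id=xyz' AND 8968=(SELECT ...)-- became part of the statement. With a placeholder the
// whole string is sent as a value and is never parsed as SQL.
function get_user(PDO $pdo, string $id): ?array
{
    // The column is numeric: reject anything that is not a plain integer before touching the DB.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// 2.9.2, second finding (parameter "username" on the login page): look the user up by name
// only, then compare the password hash in PHP. Never concatenate the password into the query.
function login(PDO $pdo, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT); // keeps timing equal for unknown users
    }
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user = :u');
    $stmt->execute([':u' => $username]);   // "xyz' AND 5434=5434 AND 'bYyE'='bYyE" matches no row
    $row = $stmt->fetch();
    $hash = $row === false ? $dummy : $row['password'];
    return password_verify($password, $hash) && $row !== false;
}

$pdo = connect();
var_dump(get_user($pdo, "xyz' AND 5434=5434 AND 'bYyE'='bYyE")); // NULL: rejected by ctype_digit
var_dump(get_user($pdo, '1'));                                   // the row with user_id 1, or NULL
var_dump(login($pdo, "xyz' AND 5434=5434 AND 'bYyE'='bYyE", 'Crashtest123')); // bool(false)
```

ATTR_EMULATE_PREPARES => false matters: with emulation on, PDO interpolates the bound values client-side, which is still safe against the payloads above but depends on the client knowing the connection's character set, which is why the DSN pins charset=utf8mb4.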


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most visible use of it is HTTPS, with which providers can secure all communication between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card numbers cannot be read by someone observing the network traffic. The "S" in HTTPS stands for "secure"; the protection is provided by TLS. For a secure connection with HTTPS a certificate is needed. Certificates offer different levels of validation and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates and protocol settings. With some misconfigurations it is possible to bypass or break the encryption; other certificates may be blocked by web browsers because they are expired, use outdated algorithms or were issued by an unknown authority.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which results in weak protection.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The certificate's key is too small: 1024-bit RSA has been disallowed by NIST since 2013 and public CAs have not issued such certificates since 2014 under the CA/Browser Forum Baseline Requirements. Because the key is part of the certificate, no server setting can change it; generate a new key of at least 2048 bits (RSA) or an ECDSA P-256 key and have a new certificate issued for it. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to statistical biases in its keystream; RFC 7465 prohibits its use in TLS.

Finding

• The detected cipher suite uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known attacks against it. Remove all RC4 cipher suites from the server configuration and offer only strong, authenticated ciphers (AES-GCM, ChaCha20-Poly1305). More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weaknesses that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver offers deprecated SSL/TLS versions. Disable SSLv3, TLS 1.0 and TLS 1.1 in the server configuration and offer only TLS 1.2 and TLS 1.3 together with strong cipher suites (TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv3 is broken by POODLE). Clients that can only speak the old versions are themselves years out of support and should not drive the server's configuration. More details on how to configure the protocol versions can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate does not support revocation checking. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) allow clients to check whether a certificate has been revoked by its issuer.

Finding

• Neither a CRL distribution point nor an OCSP responder URI is provided in the certificate.

How to fix

The certificate carries neither a CRL distribution point nor an OCSP URI (Authority Information Access extension), so clients have no way to learn whether it has been revoked. If the private key is compromised, these mechanisms allow the certificate authority (CA) to revoke the certificate; a new valid certificate can then be issued, and the compromised one (used by an attacker) produces warnings when a user accesses the site. OCSP is the newer method: it lets a client query the status of a single certificate instead of downloading complete revocation lists potentially containing thousands of entries. Both URIs are embedded by the issuing CA, so the fix is to obtain the certificate from a CA that publishes CRL and OCSP information (every public CA does); a certificate from an internal CA or a self-signed certificate typically lacks them. On the server, additionally enable OCSP stapling so that the revocation status is delivered with the handshake. More details can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to LOGJAM, an attack on Diffie-Hellman key exchange using 512- to 1024-bit groups. Most servers use the same pre-generated prime numbers, so the expensive precomputation against a group can be reused against every server that shares it, which makes breaking such a key exchange much easier (and cheaper).

Finding

• LOGJAM vulnerability detected (CVE-2015-4000).

How to fix

LOGJAM attacks can be prevented by disabling export-grade cipher suites and weak DH groups. Prefer ECDHE key exchange; if finite-field DHE must remain enabled, use a freshly generated group of at least 2048 bits instead of a well-known prime. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support low-strength ciphers from the category "LOW:DES:RC2:RC4". This means that an attacker can force or passively exploit an insecure SSL/TLS connection.

Finding

• Low-strength ciphers (DES, RC2, RC4) are offered by the server. You should use stronger ciphers.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values, with the server's preference honored. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser how it should handle reflected XSS attacks detected by its built-in filter. If this header is not configured, such attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' so that XSS attacks detected by the browser's filter are sanitized or blocked. Note that this filter only exists in older browsers: Chromium-based browsers removed it in 2019 and Firefox never implemented it, so the header is defence in depth at best. A Content-Security-Policy (see 2.10.13) is the control to rely on.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). By exploiting the predictable initialization vectors of cipher block chaining in SSLv3 and TLS 1.0, a man-in-the-middle attacker can decrypt parts of the traffic and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports higher protocols TLSv1.1 and TLSv1.2 (likely mitigated for modern clients).

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1.0 are offered; TLS 1.1 and later use per-record IVs, and AEAD cipher suites in TLS 1.2 and 1.3 do not use CBC at all. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support average-strength ciphers such as SEED and the 128- and 256-bit CBC ciphers (AES, CAMELLIA and ARIA). These are not broken like the LOW category, but CBC suites lack authenticated encryption and have a history of padding-oracle issues, so a client that negotiates them gets weaker protection than necessary.

Finding

• The server is configured to use average-strength ciphers such as SEED and the 128- and 256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes deprecated ciphers. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values, preferring AEAD suites (AES-GCM, ChaCha20-Poly1305) with forward secrecy. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header prevents the browser from guessing ("sniffing") the MIME type of a response from its content instead of trusting the Content-Type header. This protects against attacks in which a malicious file is served with an unsuspicious MIME type but would be interpreted as script or HTML after sniffing.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response in order to prevent the browser from detecting MIME types based on file content. Make sure the Content-Type header itself is correct, because with nosniff the browser will honor it strictly.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The signature algorithm of the server certificate has severe security issues.

Finding

• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The certificate is signed with MD5, for which practical collision attacks exist; a colliding certificate can be crafted by an attacker, and browsers reject MD5-signed certificates. The signature is applied by the issuing CA, so the certificate must be re-issued with a SHA-256 (or stronger) signature; no server setting changes it. More details can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser which origins are allowed as sources for further resources such as scripts, images or stylesheets, and whether inline scripts may run. This can prevent or substantially limit cross-site scripting (XSS) and related injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted origins such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, as either re-enables exactly the inline script injection the policy is meant to stop. Deploy a new policy as Content-Security-Policy-Report-Only first and review the violation reports before enforcing it.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on all others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES/IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2.7 COMMANDINJECTION

2.7.1 What is this?

Command injection is a vulnerability which is caused if the web application executes data from an untrusted source without proper validation. With this vulnerability an attacker can execute any available system command. This can lead to an entirely compromised system.

2.7.2 Command Injection

Severity

Base Score: critical (9.8/10)
Impact: medium (5.9/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Command injection allows an attacker to execute arbitrary system commands.

Finding

• Found command injection in parameter "ip" with method "post" for URL "https://dvwa.dev.crashtest.cloud/vulnerabilities/exec/" with payload " echo crashtest-security$((1212))".

How to fix

Every user input has to be checked for malicious requests by the web application. Untrusted user input should not be passed to functions like "exec()" or "system()" without a sanity check.

Recommendations
https://wiki.crashtest-security.com/command-injection


2.8 FUZZER

2.8.1 What is this?

Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input of a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge.

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge.

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths can be exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQL INJECTION

2.9.1 What is this

SQL injection is the exploitation of a database-backed application that fails to escape or validate meta-characters in user input. The attacker injects their own SQL fragments through the application, which has legitimate access to the database. Because the input is not handled correctly, the injected text changes the original SQL statement and therefore alters the result in the attacker's favour. A successful attack lets the attacker read, modify or delete data and, depending on the database configuration, gain control over the database host. Even when the application displays no query output, the attacker can still infer results through side channels: response time (time-based blind), error messages (error-based), or differences between the responses to a true and a false condition (boolean-based blind), which is the technique used in the findings below.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database and so retrieve, change or delete its data.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

In the first payload the CASE expression evaluates cleanly while the injected condition holds and forces a multi-row scalar subquery (a MySQL error) when it does not, so the two responses differ; the second payload compares the response to a tautology with the response to its negation.

How to fix

The short answer: never build SQL statements by concatenating user input. Escaping every potentially harmful character so that it cannot affect the resulting query is possible, but brittle; the robust fix is to keep data and code apart. Most common frameworks and Object-relational mapping libraries do this for you. Where direct SQL queries are required, use "prepared statements" (parameterised queries): the statement contains placeholders, and the user's value is bound to a placeholder as data, so the database never parses it as SQL. Note that parameters can only stand in for values; table or column names and ORDER BY targets taken from user input must instead be checked against an allow list. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations
https://wiki.crashtest-security.com/sql-injections
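The following Python program is an added example written for this report; it is not DVWA's code and not the scanner's. It rebuilds the vulnerable pattern behind the finding above (a user-controlled id concatenated into a query) beside the prepared-statement fix, and shows what the boolean-based blind technique actually extracts: a yes/no oracle is enough to read a password hash out of the database bit by bit. It assumes a constructed users table modelled on DVWA's and uses SQLite as a stand-in for MySQL, so the multi-row-subquery error channel of the first payload is not reproduced; only the true/false response difference is.

```python
import sqlite3

# Constructed sample schema, modelled on DVWA's users table (not data taken from the report).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),    # md5("password")
         (2, "gordonb", "e99a18c4428cb38d5f260853678922e03")],  # md5("abc123")
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Untrusted input is pasted into the statement, as on DVWA's /vulnerabilities/sqli page.
    sql = "SELECT user FROM users WHERE user_id = '%s'" % user_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None  # a syntax error is itself a signal (the error-based channel)


def lookup_safe(conn, user_id):
    # Prepared statement: the value is bound as data and never parsed as SQL.
    rows = conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,))
    return [row[0] for row in rows]


def blind_oracle(conn, condition):
    # Boolean-based blind probe: append a condition to a query for a row known to exist
    # (id 1) and observe whether that row is still returned (true) or not (false).
    payload = "1' AND (%s)-- " % condition
    return bool(lookup_vulnerable(conn, payload))


def extract_via_oracle(conn, column, row_id, length):
    # Recover a secret one bit at a time through the yes/no oracle: 7 probes per ASCII
    # character, 224 requests for a 32-character hash. This is what sqlmap automates.
    secret = ""
    for pos in range(1, length + 1):
        code = 0
        for bit in range(6, -1, -1):
            cond = ("(unicode(substr((SELECT %s FROM users WHERE user_id=%d), %d, 1)) & %d) > 0"
                    % (column, row_id, pos, 1 << bit))
            if blind_oracle(conn, cond):
                code |= 1 << bit
        secret += chr(code)
    return secret


if __name__ == "__main__":
    db = make_db()
    print("true/false oracle:", blind_oracle(db, "1=1"), blind_oracle(db, "1=2"))
    print("admin hash via oracle:", extract_via_oracle(db, "password", 1, 32))
    # With the parameterised query the same payload is just an odd-looking string.
    print("safe lookup with payload:", lookup_safe(db, "1' AND 1=1-- "))
```

Run it and the oracle reproduces the stored hash character by character, while `lookup_safe` with the same payload returns nothing because the bound text `1' AND 1=1-- ` is compared to the integer column as a value, not interpreted as SQL.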


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), still widely referred to by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers, so that valuable information such as usernames, passwords and credit card numbers cannot be read by someone inspecting the network traffic. The "S" in HTTPS stands for Secure: plain HTTP carried over TLS. An HTTPS connection requires a certificate. Certificates offer different levels of assurance and have a fixed start and expiry date. To ensure a secure connection, web servers must use well-configured certificates and protocol settings; with weak or misconfigured ones an attacker on the network path may be able to downgrade or break the encryption, and browsers block certificates that are expired, untrusted or signed with outdated algorithms.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection depends heavily on the size of the server's key. The server offers a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits

How to fix

The certificate's RSA key is too small: 1024-bit RSA is within reach of well-resourced attackers and has not been accepted by public certificate authorities since 2014. Replace the certificate with one whose key is at least RSA 2048 bits (or an ECDSA P-256 key). More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure because of its known keystream biases.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks

How to fix

"Rivest Cipher 4" is considered insecure; RFC 7465 prohibits its use in TLS altogether. Remove all RC4 suites from the server's cipher list and use AEAD suites (AES-GCM or ChaCha20-Poly1305) instead. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions that can no longer be considered secure. Use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The web server offers deprecated SSL/TLS versions and must be reconfigured to accept TLS 1.2 and TLS 1.3 only: SSLv3 is broken by POODLE (2.10.22), and TLS 1.0 and 1.1 were formally deprecated by RFC 8996. Do this together with a strong cipher suite list and a trusted certificate, since the individual findings below all stem from the same configuration. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server is badly configured with regard to revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let clients check whether a server certificate has been revoked.

Finding

• Neither a CRL distribution point nor an OCSP URI is provided in the certificate

How to fix

If a certificate's private key is compromised, the certificate authority (CA) revokes the certificate, the owner obtains a new (valid) one, and a browser that is presented with the revoked certificate by an attacker shows a warning, provided it can learn about the revocation. That requires the certificate to carry a CRL distribution point or an OCSP responder URL (in its Authority Information Access extension). OCSP is the newer mechanism: a client queries the status of a single certificate instead of downloading a complete revocation list that may contain thousands of entries. Any certificate issued by a public CA includes these URLs; their absence here is a further symptom of the self-signed certificate reported in 2.10.18. Obtain a CA-issued certificate and enable OCSP stapling on the server so that the status response is delivered with the handshake. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to Logjam, an attack on the Diffie-Hellman key exchange when it uses 512- to 1024-bit groups. Most servers use the same few pre-generated primes, so an attacker can perform the expensive precomputation once per prime and then break individual key exchanges cheaply.

Finding

• Logjam vulnerability detected (CVE-2015-4000)

How to fix

Logjam is prevented by removing export-grade (DHE_EXPORT) suites, preferring ECDHE suites, and, where finite-field DHE remains enabled, generating a unique group of at least 2048 bits instead of the default 1024-bit group (the 1024-bit DH group is also visible in 2.10.24). More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support low-strength ciphers (the "LOW" class together with DES, RC2 and RC4). An attacker who can influence the negotiation can therefore obtain an insecure SSL/TLS connection.

Finding

• Low ciphers such as DES, RC2 and RC4 are offered by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers, which means that an attacker can end up with an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser's built-in reflected-XSS filter how to react when it detects an attack. If the header is missing or wrongly configured, an attack the browser has detected may still not be blocked.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1; mode=block' so that a page in which the browser detects reflected XSS is not rendered at all ('1' alone only strips the suspicious part, a mode that has itself been abused to break pages). Be aware that this is a legacy control: Chromium-based browsers removed their XSS auditor in 2019 and Firefox never had one, so the Content-Security-Policy header (2.10.13) is the effective protection; on a site that relies on CSP, OWASP now recommends the value '0'.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). Using the predictable initialisation vectors of cipher block chaining in SSL 3.0 and TLS 1.0, a man-in-the-middle attacker can decrypt parts of the traffic, such as authentication tokens.

Finding

• VULNERABLE, but the server also supports the higher protocols TLSv1.1 and TLSv1.2 (likely mitigated)

How to fix

BEAST is prevented by ensuring that neither SSLv3 nor TLSv1.0 is offered. Modern clients additionally apply 1/n-1 record splitting and negotiate the higher versions the server offers, which is why the finding is marked "likely mitigated"; disabling the old versions removes the issue for all clients. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support average-strength ciphers such as SEED and the 128/256-bit CBC-mode ciphers (AES, CAMELLIA and ARIA). These suites use a MAC-then-encrypt CBC construction with a history of padding-oracle attacks, and none of them exist in TLS 1.3; a client that negotiates one of them gets a weaker SSL/TLS connection than necessary.

Finding

• The server is configured to use average ciphers such as SEED and the 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are considered legacy

How to fix

The list of supported HTTPS ciphers includes legacy ciphers. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values, preferring AEAD suites (AES-GCM, ChaCha20-Poly1305). More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from "sniffing" the content type of a response and treating it as something other than the declared Content-Type. This protects against attacks in which a file is served with an innocuous content type but would be interpreted as a script or stylesheet once sniffed.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' so that the browser honours the declared Content-Type instead of guessing from the file content. Make sure every response then carries a correct Content-Type, because with nosniff the browser refuses to execute scripts or apply stylesheets served with a wrong one.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the algorithms in use has severe security issues.

Finding

• The certificate is signed with the weak signature algorithm MD5. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The certificate is signed with MD5, for which collisions are practical (a forged CA certificate was demonstrated with them in 2008) and which browsers no longer accept in certificate signatures. Reissue the certificate with a SHA-2 signature (for example sha256WithRSAEncryption); a public CA will do this by default. More details on which algorithms and cipher suites are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources such as scripts, images or stylesheets, and whether inline script is allowed at all. This blocks or limits many cross-site scripting (XSS) and content-injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it allows resources only from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, as either one re-enables direct script injection into the page.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections encrypted with TLS 1.0 in cipher block chaining (CBC) mode. Such connections use predictable initialisation vectors, which allow an attacker to break the encryption with the BEAST attack.

Finding

• BEAST TLS1: the BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption

How to fix

This is the protocol-level side of 2.10.9: disable TLS 1.0 (see 2.10.4) and the issue disappears. More generally, the web server needs to be configured with a trusted certificate, current TLS versions and strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame in other websites. If this header is not configured correctly, your application can be embedded in third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent the page from being framed at all, or 'SAMEORIGIN' to allow framing only by pages from the same origin. The older 'ALLOW-FROM domain' value is not supported by current browsers; to permit specific third-party sites, use the Content-Security-Policy frame-ancestors directive instead.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites. This means that an attacker can end up with an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. Single-DES and IDEA suites were deprecated for TLS 1.2 (RFC 5469) and do not exist in TLS 1.3. You should use TLS 1.2 or TLS 1.3 with AEAD suites.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers, which means that an attacker can end up with an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers ciphers with a 64-bit block size. With such a short block, collisions between ciphertext blocks become likely after roughly 2^32 blocks (about 32 GB) of data on a single connection (the birthday bound). By keeping a connection alive and triggering many requests, an attacker can recover secrets that are repeated in every request, such as HTTP cookies.

Finding

• 64-bit block ciphers are offered, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 is prevented by using cipher suites whose block cipher has a 128-bit block (AES, Camellia, ARIA) or no block structure at all (ChaCha20), i.e. by removing all 3DES and IDEA suites. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers show warnings or refuse to connect if they cannot validate the certificate. Trust fails if the host name is not among the names in the certificate or if the certificate is self-signed or issued by an unknown CA.

Finding

• There is no subject alternative name (SAN) defined. Browsers complain, because they match the host name only against the SAN extension, not against the common name.

• The CN or SAN in the certificate does not match the tested URL

How to fix

The presented certificate is not consistent with the domain that served it. A trusted certificate must contain the correct information for the web application, i.e. the host name dvwa.dev.crashtest.cloud in the subjectAltName extension (and, for older clients, as the common name), and must be signed by a certificate authority (CA) that the users' browsers trust. The web server then has to be configured to present that certificate, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much information about the referring page is sent when the user follows a link. A missing or misconfigured header may leak sensitive information (the full URL, including path and query string) to the third-party sites the user navigates to.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a safe value such as 'strict-origin-when-cross-origin': cross-origin requests then carry only your origin instead of the full URL, same-origin requests keep the full Referer, and nothing is sent when the connection is downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections encrypted with SSL 3.0 in cipher block chaining (CBC) mode. Such connections use predictable initialisation vectors, which allow an attacker to break the encryption with the BEAST attack.

Finding

• BEAST SSL3: the BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption

How to fix

The web server offers a deprecated SSL version and must be reconfigured: disable SSLv3 (see 2.10.4), use a trusted certificate, and restrict the server to current TLS versions and strong cipher suites. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by JavaScript running in the page (document.cookie). In a cross-site scripting (XSS) attack, the injected script can therefore steal them.

Finding

• The cookie named PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information, here the session identifier. Found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly flag on every cookie that client-side scripts do not legitimately need, and the Secure flag on every cookie (see 2.10.26); for session cookies both are essential. HttpOnly does not stop an XSS payload from issuing requests with the victim's session from inside the page, but it prevents the session identifier from being exfiltrated and reused elsewhere. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle attacker who forces a client to fall back to SSL 3.0 can exploit its CBC padding oracle to decrypt data from the connection, such as cookies.

Finding

• The detected SSL version is vulnerable to SSL POODLE

How to fix

POODLE is prevented by disabling SSLv3 entirely. TLS_FALLBACK_SCSV additionally stops clients that support it from being downgraded to a lower protocol version, but it does nothing for clients that only speak SSLv3 and is no substitute for removing the protocol. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

No server-side cipher preference is set for HTTPS, or the cipher order includes an insecure cipher. This means that a client, or an attacker influencing the negotiation, can obtain an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. The server should enforce its own preference from strongest to weakest, so that a client that lists weaker ciphers first does not get them.

How to fix

In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values, and the server should be told to honour its own order rather than the client's. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC) could not be found in the list of ciphers that the server advertised ("matching cipher in list missing")

How to fix

Such an inconsistency indicates an incoherent cipher configuration; the negotiated suite also shows a 1024-bit DH group (see 2.10.6) and a CBC mode (see 2.10.10). Configure the web server with a trusted certificate, current TLS versions and an explicit list of strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS makes the browser use HTTPS for every subsequent request to the site, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server

How to fix

Send the Strict-Transport-Security header on every HTTPS response with a max-age of at least one year (and includeSubDomains where applicable). Browsers only honour the header when it arrives over a valid HTTPS connection, so the certificate issues above must be fixed first. Depending on the web server, certain configuration has to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts
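The following Apache mod_ssl configuration is an added example, not the report's or DVWA's own. It shows the settings that produce the SSL/TLS findings in 2.10.2 to 2.10.25 beside a configuration that clears them; the certificate paths and the OCSP cache location are assumptions, and the directives marked with a version need an httpd newer than the 2.4.7 identified in the appendix, so the upgrade is part of the fix.

```apache
# Added example: Apache 2.4 vhost clearing the SSL/TLS findings above.
# Paths are assumptions; host name is the one the scanner tested.

# --- Before: what produces the findings ---------------------------------------
# SSLProtocol all                  # still offers SSLv3, TLS 1.0, 1.1 (POODLE, BEAST)
# SSLCipherSuite ALL:!aNULL        # RC4, DES/3DES/IDEA, SEED, LOW, CBC (SWEET32 etc.)
# SSLHonorCipherOrder off          # client picks the cipher
# (default 1024-bit DH group, no OCSP stapling, no HSTS,
#  1024-bit MD5-signed self-signed certificate without SAN)

# --- After --------------------------------------------------------------------
# Global scope (outside <VirtualHost>): cache for stapled OCSP responses.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName dvwa.dev.crashtest.cloud
    SSLEngine on

    # Certificate from a browser-trusted CA: RSA 2048-bit (or ECDSA P-256), SHA-256
    # signed, host name in the subjectAltName. CSR generation (OpenSSL 1.1.1+):
    #   openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout dvwa.key -out dvwa.csr \
    #     -subj "/CN=dvwa.dev.crashtest.cloud" \
    #     -addext "subjectAltName=DNS:dvwa.dev.crashtest.cloud"
    SSLCertificateFile      /etc/ssl/certs/dvwa.dev.crashtest.cloud.pem
    SSLCertificateKeyFile   /etc/ssl/private/dvwa.dev.crashtest.cloud.key
    SSLCertificateChainFile /etc/ssl/certs/dvwa-chain.pem

    # Protocol versions: TLS 1.2 and 1.3 only (TLSv1.3 token needs httpd 2.4.36+, OpenSSL 1.1.1+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Forward-secret AEAD suites only: no RC4, DES/3DES/IDEA, SEED, CBC or MD5/SHA-1 MACs.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Logjam: should DHE suites ever be re-enabled, use your own >= 2048-bit group
    # (openssl dhparam -out /etc/ssl/dhparam.pem 2048). Needs httpd 2.4.8+, OpenSSL 1.0.2+.
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

    # Revocation: staple the CA's OCSP response into the handshake.
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off

    SSLCompression off        # CRIME
    SSLSessionTickets off     # ticket keys are otherwise never rotated (httpd 2.4.11+)

    # HSTS: browsers refuse plain HTTP for this host for two years after the first visit.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

# Plain HTTP only redirects, so that every client reaches the HTTPS vhost and its HSTS header.
<VirtualHost *:80>
    ServerName dvwa.dev.crashtest.cloud
    Redirect permanent / https://dvwa.dev.crashtest.cloud/
</VirtualHost>
```

After a reload, `openssl s_client -connect dvwa.dev.crashtest.cloud:443 -tls1` and `-ssl3` should fail to handshake, `-status` should show a stapled OCSP response, and `-cipher RC4` should be refused.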


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over an unencrypted connection. A man-in-the-middle attacker who can make the browser issue a plain HTTP request to the site obtains the contents of these cookies.

Finding

• The cookie named PHPSESSID does not have the Secure flag set. This may leak sensitive information, here the session identifier. Found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure flag so that the cookie is only ever sent over HTTPS, and the HttpOnly flag so that scripts cannot read it (see 2.10.21). Depending on the cookie content, consider enabling both flags for all cookies; for session cookies they are essential. HSTS (2.10.25) complements the Secure flag by stopping the browser from making the plain HTTP request in the first place. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies
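As an added example (not code from the report or from DVWA), the following Python function performs the header and cookie checks behind findings 2.10.8, 2.10.11, 2.10.13, 2.10.15, 2.10.19, 2.10.21, 2.10.25 and 2.10.26 on a captured response. The two header sets are constructed: one resembling what the scanner saw (the Server and X-Powered-By values follow the versions in the appendix), the other a hardened response that should produce no findings.

```python
import re

# Added example: audit response headers the way the scanner's header checks do.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000


def parse_cookie_flags(set_cookie_value):
    # "PHPSESSID=abc; Path=/; Secure; HttpOnly" -> ("PHPSESSID", {"path": "/", "secure": True, ...})
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        flags[key.lower()] = value if value else True
    return name, flags


def audit_headers(headers):
    """headers: list of (name, value) pairs as received; Set-Cookie may repeat."""
    findings = []
    single = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value.strip()

    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")

    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or unsupported value (DENY/SAMEORIGIN, or CSP frame-ancestors)")

    csp = single.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: header missing")
    else:
        directives = {}
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens:
                directives[tokens[0]] = tokens[1:]
        script_sources = directives.get("script-src", directives.get("default-src", []))
        for token in ("'unsafe-inline'", "'unsafe-eval'"):
            if token in script_sources:
                findings.append("Content-Security-Policy: script-src allows %s" % token)

    if single.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy: missing or leaks full URL cross-origin")

    if "x-xss-protection" not in single:
        findings.append("X-XSS-Protection: not set (legacy header; CSP is the effective control)")

    for raw in cookies:
        name, flags = parse_cookie_flags(raw)
        if "secure" not in flags:
            findings.append("Cookie %s: Secure flag missing" % name)
        if "httponly" not in flags:
            findings.append("Cookie %s: HttpOnly flag missing" % name)
    return findings


# Constructed sample responses (not captured from the scanned host).
DVWA_LIKE_RESPONSE = [
    ("Server", "Apache/2.4.7 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.5.9"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "security=low"),
    ("Content-Type", "text/html;charset=utf-8"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Type", "text/html;charset=utf-8"),
]

if __name__ == "__main__":
    for finding in audit_headers(DVWA_LIKE_RESPONSE):
        print("-", finding)
    print("hardened:", audit_headers(HARDENED_RESPONSE))
```

For PHP's own session cookie the two flags come from `session.cookie_secure` and `session.cookie_httponly` in php.ini; the remaining headers are set by the web server (mod_headers on Apache).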


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073  Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185  sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312  In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109  mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium  CVE-2015-3185  The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736 In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161 In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715 In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092 In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098 In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710 In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523 Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this?
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this?
    • Local File Inclusion
  • FINGERPRINTING
    • What is this?
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this?
    • Portscanner
  • XSS
    • What is this?
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this?
    • XXE
  • COMMANDINJECTION
    • What is this?
    • Command Injection
  • FUZZER
    • What is this?
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this?
    • SQL Injection
  • SSLTLS
    • What is this?
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings


2.8 FUZZER

2.8.1 What is this?
Fuzzing (also called robustness testing, fuzzy testing or negative testing) is a software testing technique that uses random or pre-defined data as input to a program. The random data can be used to simulate later use, in which not only plausible data must be processed. In this case the Fuzzer is looking for publicly available default paths through which attackers could gain access to the system. Those default paths may leak sensitive information or grant access to functionality which modifies the application.

2.8.2 Sensitive Data Exposure

Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server grants access to a file or directory which might contain sensitive data. This can either leak sensitive data itself or allow an attacker to use the provided information to prepare a further attack.

Finding

• Retrieved https://dvwa.dev.crashtest.cloud/about.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/CHANGELOG.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/config by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/docs by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/.git by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/instructions.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/phpinfo.php by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/php.ini by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/README.md by using a GET request on the URL without prior knowledge

• Retrieved https://dvwa.dev.crashtest.cloud/setup.php by using a GET request on the URL without prior knowledge

How to fix
In some cases it is completely OK to expose certain file paths, as long as it is done on purpose. While some paths can be exposed on purpose, others may be exposed unwillingly. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this?
SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of escaping or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the injected code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker is able to spy on data, modify it or delete it altogether, and gain control over the server. The attacker has different ways to breach the system; for example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)
Impact: medium (5.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

Your application is vulnerable to SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix
The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input; when the input is bound to the query, the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/sql-injections


2.10 SSLTLS

2.10.1 What is this?
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS, a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The security of a TLS connection heavily depends on the key size used. The server offers a key size which results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix
The key used for the TLS connection is too small and therefore can be broken easily. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the certificate authority (CA) used, to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to break such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix
LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support "LOW" ciphers such as DES, RC2 and RC4. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The encryption algorithm in use has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
One of the algorithms in use has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various XSS (cross-site scripting) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server is configured to support 3DES and IDEA ciphers. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The server uses ciphers with short block sizes, which makes it likely that different inputs produce the same ciphertext block (a birthday collision). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or will not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining (CBC) mode. Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC), which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high | CVE-2016-4072 | The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high | CVE-2016-4073 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high | CVE-2014-0185 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium | CVE-2018-1312 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium | CVE-2014-8109 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium | CVE-2015-3185 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium | CVE-2016-0736 | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium | CVE-2016-2161 | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low | CVE-2018-1283 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium | CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium | CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium | CVE-2019-0220 | A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium | CVE-2019-10092 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium | CVE-2019-10098 | In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium | CVE-2015-3184 | mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium | CVE-2016-8743 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium | CVE-2017-15710 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium | CVE-2014-3523 | Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium | CVE-2014-0117 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


without prior knowledge

How to fix

In some cases it is completely OK to expose certain file paths, as long as it is on purpose. While some paths are exposed on purpose, others may be unwillingly exposed. These paths can either be protected by Basic Auth (.htaccess) or be removed, as they might not be needed in a production environment. More details on how to avoid exposing unnecessary information can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/sensitive-data-exposure


2.9 SQLINJECTION

2.9.1 What is this?

SQL injection refers to the exploitation of a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his own database commands through the application, which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker is able to spy on data, modify it, or delete it altogether, and gain control over the server. For this to work, the attacker has different ways to breach the system. For example, it is possible to find a way into the system via response time or error messages.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)

Impact: medium (5.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Your application is vulnerable to an SQL injection. This allows an attacker to run SQL code in your database, so that he may retrieve, change or delete data from your database.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

How to fix

The simple answer is: sanitize the user's input before sending it to the database. Sanitizing includes escaping all potentially harmful characters so that they cannot affect the resulting SQL query. There are multiple ways to do so, and most common frameworks also support ways to simplify this step. One possible solution is to use object-relational mapping libraries to take care of the sanitizing. In case direct SQL queries are required, it is recommended to use so-called "prepared statements". These are queries containing placeholders for the user's input, and while binding the input into the query, the user's data will be escaped. More details on how to use these methods can be found in the knowledge database (see Recommendations).


Recommendations: https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this?

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS, a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in a weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure, as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it way easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2107 SSL Cipherlist LOWSeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support low Ciphers like rdquoLOWDESRC2RC4rdquo This means that anattacker can make use of an insecure SSLTLS connection

Finding

• Low ciphers (DES, RC2, RC4) are offered by the server. Use stronger ciphers.

How to fix

The list of supported HTTPS cipher suites includes insecure ones, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed cipher suites and their order should be set to secure values and the server should be configured to enforce its own order. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser's built-in reflected-XSS filter how to react when it detects an attack. If the header is missing or misconfigured, a browser that still has such a filter may render the page (or merely sanitize it, which has itself been abused) instead of blocking it. Note that the header is a legacy control: Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so it must not be the only defence against XSS.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1; mode=block' so that a browser that still implements an XSS filter blocks the page instead of trying to sanitize it (plain '1' enables sanitizing, which has been used to break pages in ways the attacker controls). Because current browsers ignore this header, the real protection against injected scripts is a Content-Security-Policy without 'unsafe-inline' (see 2.10.13).

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). The attack exploits the predictable initialization vectors of CBC-mode cipher suites in SSL 3.0 and TLS 1.0: a man-in-the-middle who can also make the victim's browser send chosen plaintext can decrypt parts of the stream and obtain authentication tokens such as session cookies.

Finding

• VULNERABLE, but the server also supports the newer protocols TLSv1.1 and TLSv1.2 (likely mitigated, since clients that negotiate them are not affected).

How to fix

BEAST attacks are prevented by ensuring that neither SSLv3 nor TLSv1.0 can be negotiated, leaving TLSv1.2 or newer with AEAD cipher suites. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support average-strength cipher suites: SEED and the 128/256-bit CBC-mode suites (AES, CAMELLIA and ARIA). CBC suites in TLS are MAC-then-encrypt and have a history of padding-oracle and timing attacks (BEAST, Lucky 13, POODLE variants), so an attacker may be able to exploit a connection that negotiates one of them.

Finding

• The server offers average ciphers (SEED and the 128/256-bit CBC suites with AES, CAMELLIA and ARIA), which are deprecated; TLS 1.3 no longer defines any CBC suite.

How to fix

The list of supported HTTPS cipher suites includes deprecated ones, so an attacker may be able to make use of an insecure SSL/TLS connection. Prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange; in the SSL/TLS configuration the allowed cipher suites and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from MIME-sniffing a response, i.e. guessing a content type from the bytes instead of trusting the declared Content-Type. This protects against attacks in which a malicious file is served under an innocuous MIME type, for example a user upload declared as text/plain that a sniffing browser would execute as script.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' so that the browser honours the declared Content-Type and refuses to execute scripts or apply stylesheets that are served with the wrong type.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the cryptographic algorithms in use has severe security issues.

Finding

• Weak signature algorithm MD5 is used. Use SHA-256, SHA-384 or SHA-512 instead.

How to fix

MD5 has practical collision attacks, which have already been used to forge a rogue intermediate CA certificate, so browsers reject MD5-signed certificates. Reissue the certificate (and any intermediate in the chain) with a SHA-2 signature and remove cipher suites that use an MD5 MAC. More details on which cipher suites use strong algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser which origins it may load further resources (scripts, images, stylesheets, frames) from, and whether inline scripts are allowed at all. A strict policy neutralises most Cross-Site Scripting (XSS) payloads even when an injection point exists, and its frame-ancestors directive also prevents clickjacking.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that resources may only be loaded from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', since either lets directly injected script run; use nonces or hashes for inline scripts that cannot be moved into files, and add object-src 'none' and base-uri 'self' to close the usual bypasses.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server is configured to allow connections encrypted with TLS 1.0 in Cipher Block Chaining (CBC) mode. TLS 1.0 uses the last ciphertext block of the previous record as the IV of the next one, so the IV is predictable and an attacker can break the encryption with the BEAST attack.

Finding

• BEAST (TLS 1.0): the BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption.

How to fix

Disable TLS 1.0 (and SSL 3.0) on the web server and offer TLS 1.2 or newer with AEAD cipher suites such as AES-GCM or ChaCha20-Poly1305. If TLS 1.0 has to stay enabled for legacy clients, at least prefer non-CBC suites for it. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame in other websites. If the header is missing or misconfigured, your application can be embedded in third-party pages, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'DENY' to forbid framing entirely, or 'SAMEORIGIN' to allow framing only by pages from the same origin. The 'ALLOW-FROM DOMAIN' form is obsolete and ignored by current browsers; to allow specific third-party sites, use the Content-Security-Policy directive frame-ancestors instead, which takes precedence over X-Frame-Options where both are present.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL "3DES:IDEA"). Both are 64-bit block ciphers, so an attacker who can observe enough traffic on a single long-lived connection can exploit it (see SWEET32 below).

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. TLS 1.2 deprecated the IDEA and single-DES suites (RFC 5469), and TLS 1.3 defines only AEAD suites, so neither 3DES nor IDEA can be negotiated there. Use TLS 1.2 or TLS 1.3 with AES-GCM or ChaCha20-Poly1305.

How to fix

The list of supported HTTPS cipher suites includes insecure ones, so an attacker can make use of an insecure SSL/TLS connection. Remove every 3DES and IDEA suite; in the SSL/TLS configuration the allowed cipher suites and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size (3DES, and likewise Blowfish or IDEA). With such a small block, the birthday bound makes two ciphertext blocks of one connection collide after roughly 2^32 blocks (about 32 GB), and each collision leaks the XOR of two plaintext blocks. An attacker who keeps a long-lived connection busy, for example with script in the victim's browser that issues requests carrying the victim's cookies, can recover secure HTTP cookies from those collisions.

Finding

• 64-bit block ciphers are offered, which are vulnerable to the SWEET32 birthday attack. 3DES cipher suites should be disabled.

How to fix

SWEET32 is prevented by disabling 3DES and using cipher suites whose block size is 128 bits (AES, CAMELLIA, ARIA) or the stream AEAD ChaCha20-Poly1305. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the names in the certificate do not match the web server's host name, if the certificate is self-signed, or if it does not chain to a certificate authority the client trusts.

Finding

• There is no subject alt name defined; browsers complain.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that served it. A trusted certificate must carry the correct information for the web application: the host name must appear as a DNS entry in the Subject Alternative Name (SAN) extension, because Chrome and other current browsers ignore the Common Name entirely, so a certificate without a SAN fails even when its CN is right. The certificate must be signed by a certificate authority (CA) that the users' browsers trust, and the web server then has to be configured to present it, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates
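The name check that produces the two findings above, as an added example (not Crashtest Security code): it applies the rule current browsers use, namely that only Subject Alternative Name entries count and a certificate without a SAN fails regardless of its Common Name, with the RFC 6125 restriction on wildcards (one left-most label only). The input shape is the dict that Python's `ssl.SSLSocket.getpeercert()` returns; the three certificates are constructed for the example and are not the scanned host's real certificate.

```python
"""Certificate identity check for finding 2.10.18 (SSL Trust).

Added example, not Crashtest Security code. Input is the dict shape that
ssl.SSLSocket.getpeercert() returns; the three certificates below are
constructed by hand and are not the scanned host's real certificate.
"""
from __future__ import annotations

import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: exact match, or a wildcard that is the entire
    left-most label and covers exactly one label (no '*.com', no 'a.*.b')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname` the way current browsers do:
    only subjectAltName entries count, and a certificate without SAN fails even
    if its Common Name matches. Returns (ok, reason)."""
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "no subjectAltName extension (the CN is ignored by modern clients)"
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return True, f"SAN IP entry matches {hostname}"
        return False, f"no SAN IP entry for {hostname}"
    for name in dns_names:
        if _dns_name_match(name, hostname):
            return True, f"SAN DNS entry {name!r} matches {hostname}"
    return False, f"SAN DNS entries {dns_names} do not cover {hostname}"


# Constructed certificates: the two states the scanner reported, and a correct one.
CERT_NO_SAN = {"subject": ((("commonName", "dvwa.dev.crashtest.cloud"),),)}
CERT_WRONG_NAME = {
    "subject": ((("commonName", "dvwa.local"),),),
    "subjectAltName": (("DNS", "dvwa.local"), ("DNS", "*.internal.example")),
}
CERT_OK = {
    "subject": ((("commonName", "dvwa.dev.crashtest.cloud"),),),
    "subjectAltName": (("DNS", "dvwa.dev.crashtest.cloud"), ("DNS", "*.dev.crashtest.cloud")),
}

if __name__ == "__main__":
    for label, cert in (("no SAN", CERT_NO_SAN), ("wrong name", CERT_WRONG_NAME), ("ok", CERT_OK)):
        print(f"{label:10} -> {certificate_matches_host(cert, 'dvwa.dev.crashtest.cloud')}")
```

The same function can be pointed at a live endpoint by feeding it the result of `getpeercert()` from an `ssl`-wrapped socket; the constructed dicts only stand in for that call so the example runs offline.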


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL is sent in the Referer header when the user follows a link or the page loads a sub-resource. A missing or permissive policy may leak sensitive information (paths, query parameters, tokens) to the third-party websites reached through those links.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. The Referer then carries only your origin (scheme, host and port) on cross-origin requests, the full URL on same-origin requests, and nothing at all when the connection is downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server is configured to allow connections encrypted with SSL 3.0 in Cipher Block Chaining (CBC) mode. Connections using this setting contain predictable information that allows an attacker to break the encryption with the BEAST attack; the loosely checked CBC padding of SSL 3.0 additionally exposes them to POODLE.

Finding

• BEAST (SSL 3.0): the BEAST attack leverages a weakness in cipher block chaining (CBC) that enables man-in-the-middle decryption.

How to fix

The web server is using a deprecated SSL/TLS version and needs to be updated: disable SSL 3.0 (and SSL 2.0 and TLS 1.0 if still enabled) and offer the newest TLS versions with strong cipher suites and trusted certificates. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by client-side script through document.cookie. In case of a Cross-Site Scripting (XSS) attack, the attacker's script can read these cookies and exfiltrate the session.

Finding

• The cookie named PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. Found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked Secure can be transferred over an unencrypted connection, where a man-in-the-middle can read them. Cookies that are not marked HttpOnly can be read by client-side script, so a Cross-Site Scripting (XSS) attack exposes them. Depending on the cookie content, consider enabling both flags for all cookies; this is essential for session cookies such as PHPSESSID, for which PHP sets the flags through session.cookie_httponly and session.cookie_secure. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle forces the client to fall back to SSL 3.0 and then uses its loosely checked CBC padding as a padding oracle to decrypt data from the encrypted connection one byte at a time.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE is prevented by disabling SSL 3.0 on the server altogether. Supporting TLS_FALLBACK_SCSV in addition stops an attacker from downgrading a client that also supports it to an older protocol version, and a secure TLS configuration should be used throughout. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

No server-side cipher order is configured for HTTPS, or the configured order includes an insecure cipher. Without a server preference the client's order decides, so a client that lists a weak cipher first, or an attacker who tampers with the negotiation, can end up on an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. The server should enforce its own order from strongest to weakest so that clients cannot settle on weaker ciphers before stronger ones have been tried.

How to fix

In the SSL/TLS configuration, set an explicit list of allowed cipher suites ordered from strongest to weakest and enable the server-side preference so that this order, not the client's, decides the negotiation. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting the traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC; matching cipher in list missing) could not be found in the list of ciphers that the server advertised.

How to fix

A negotiated cipher suite that the server does not advertise indicates an inconsistent configuration, for instance cipher settings that differ between virtual hosts or a default that overrides the explicit list, and the 1024-bit Diffie-Hellman group used here is too small (see 2.10.6). The web server needs to be configured with strong, trusted certificates, the newest TLS versions, one explicit strong cipher list that applies to every virtual host, and a 2048-bit or larger Diffie-Hellman group (or ECDHE key exchange only). More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration
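The TLS findings in this report all come down to one cipher list and one minimum protocol version, so the following added example (not Crashtest Security code) serves 2.10.6 (LOGJAM), 2.10.7 (LOW), 2.10.9 (BEAST), 2.10.10 (AVERAGE), 2.10.14 and 2.10.20 (CBC on TLS 1.0 / SSL 3.0), 2.10.16 (3DES/IDEA), 2.10.17 (SWEET32), 2.10.22 (POODLE), 2.10.23 (cipher order) and this section at once. `classify` sorts OpenSSL suite names into the report's categories, `triage` applies it to a server's advertised list, and `hardened_context` builds the server-side `ssl.SSLContext` that closes every one of those findings. ADVERTISED is a constructed list assembled from the suite families the report names, not the scanned server's real list; the dhparam file path in the comment is an assumption.

```python
"""Cipher-suite triage and a hardened TLS context, covering findings 2.10.6
(LOGJAM), 2.10.7 (LOW), 2.10.9 (BEAST), 2.10.10 (AVERAGE), 2.10.14 and 2.10.20
(CBC on TLS 1.0 / SSL 3.0), 2.10.16 (3DES/IDEA), 2.10.17 (SWEET32), 2.10.22
(POODLE), 2.10.23 (cipher order) and 2.10.24 (TLS configuration).

Added example, not Crashtest Security code. ADVERTISED is a constructed list in
OpenSSL suite naming, assembled from the suite families the report names; it is
not the scanned server's actual cipher list.
"""
from __future__ import annotations

import re
import ssl
from collections import defaultdict

# Constructed: what a permissively configured server of this era might offer,
# in the order it advertises them (no server-side preference).
ADVERTISED = [
    "RC4-MD5", "DES-CBC-SHA", "RC2-CBC-MD5",       # LOW (2.10.7)
    "DES-CBC3-SHA", "IDEA-CBC-SHA",                # 64-bit block ciphers (2.10.16, 2.10.17)
    "SEED-SHA", "AES256-SHA", "CAMELLIA128-SHA",   # AVERAGE: CBC suites (2.10.10)
    "DHE-RSA-AES256-SHA256",                       # the suite negotiated in 2.10.24 (CBC, weak DH group)
    "AES128-GCM-SHA256",                           # AEAD but static RSA: no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
]

# Ordered strongest first; the server must also be told to enforce this order.
HARDENED_POLICY = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
])


def classify(suite: str) -> str:
    """Map one OpenSSL suite name to the report's categories."""
    s = suite.upper()
    if s.startswith("TLS_"):                        # TLS 1.3 suites: AEAD only, always (EC)DHE
        return "STRONG"
    if re.search(r"NULL|EXP|ADH|AECDH|ANON", s):    # no encryption, export grade, unauthenticated
        return "INSECURE"
    if re.search(r"RC4|RC2|MD5", s) or re.search(r"(^|-)DES-CBC-", s):
        return "LOW"                                # single DES, RC2, RC4, MD5 MAC
    if "DES-CBC3" in s or "IDEA" in s:
        return "3DES/IDEA (SWEET32)"                # 64-bit block ciphers
    if "SEED" in s or not re.search(r"GCM|CCM|CHACHA20", s):
        return "AVERAGE (CBC)"                      # MAC-then-encrypt CBC suites
    if not re.match(r"(ECDHE|DHE|EDH)-", s):
        return "STRONG, no forward secrecy"         # static RSA key exchange
    return "STRONG"


def triage(advertised: list[str]) -> dict[str, list[str]]:
    """Group an advertised list by category, preserving the server's order."""
    groups: dict[str, list[str]] = defaultdict(list)
    for suite in advertised:
        groups[classify(suite)].append(suite)
    return dict(groups)


def hardened_context() -> ssl.SSLContext:
    """Server-side context that closes every TLS finding in this report at once."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # no SSLv3/TLS1.0/1.1: BEAST, POODLE, CBC-on-TLS1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # the server's order wins (finding 2.10.23)
    ctx.set_ciphers(HARDENED_POLICY)                 # drops LOW, 3DES/IDEA, SEED, CBC and export suites
    # For the DHE suites, load a freshly generated >= 2048-bit group instead of
    # OpenSSL's built-in defaults, e.g. ctx.load_dh_params("dhparam-2048.pem")
    # (the file name is an assumption; generate it with `openssl dhparam 2048`).
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list[str]:
    """Suite names the context can actually negotiate with this OpenSSL build."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for category, suites in triage(ADVERTISED).items():
        print(f"{category:28} {', '.join(suites)}")
    print("hardened:", ", ".join(negotiable_suites(hardened_context())))
```

The equivalent Apache settings are the `SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder` and `SSLOpenSSLConfCmd DHParameters` directives; the point of building the context in code is that `negotiable_suites()` shows exactly which suites the local OpenSSL will still offer after the policy is applied, which is the check to repeat on the server after changing its configuration.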


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS makes browsers use HTTPS only for the domain, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header with a max-age of at least one year (max-age=31536000), and includeSubDomains where all sub-domains are served over HTTPS. The browser then upgrades every request for the domain to HTTPS for that period and does not let users click through certificate warnings. HSTS is only honoured when the header arrives over a valid HTTPS connection, so the certificate trust issue (2.10.18) has to be fixed first. Depending on the certificate and the web server, certain configurations have to be changed; more details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts
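The six header findings in this report (2.10.8, 2.10.11, 2.10.13, 2.10.15, 2.10.19 and this one) are all decided by looking at one response, so the following added example (not Crashtest Security code) does exactly that: it parses a raw HTTP response into a header map, reports each missing or weak header with the reason, and carries the hardened header set a practitioner would deploy, with frame-ancestors accepted as a substitute for X-Frame-Options and the legacy X-XSS-Protection flagged as such. SAMPLE_RESPONSE is constructed to resemble what the report describes (none of the headers present) and is not a captured response from the scanned host; the session id in it is made up.

```python
"""Response-header audit for findings 2.10.8 (X-XSS-Protection), 2.10.11
(X-Content-Type-Options), 2.10.13 (Content-Security-Policy), 2.10.15
(X-Frame-Options), 2.10.19 (Referrer-Policy) and 2.10.25 (HSTS).

Added example, not Crashtest Security code. SAMPLE_RESPONSE is constructed to
look like what the report describes (none of the six headers present); it is
not a captured response from the scanned host.
"""
from __future__ import annotations

import re

# The header set to deploy. X-XSS-Protection is included only because the report
# lists it: current browsers have dropped the XSS auditor, so the CSP is the control.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed response in the shape the report describes: no security headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 24 Mar 2020 22:34:00 GMT\r\n"
    "Server: Apache/2.4.7\r\n"
    "Set-Cookie: PHPSESSID=c0n5truct3d5e55i0n1d; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Welcome to Damn Vulnerable Web Application!</body></html>"
)


def parse_response_headers(raw: str) -> dict[str, str]:
    """Split a raw HTTP/1.1 response head into a header map (names lower-cased,
    first occurrence wins; the body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def _max_age(value: str) -> int:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(headers: dict[str, str]) -> list[str]:
    """One entry per missing or weak header; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing (no HSTS)")
    elif _max_age(hsts) < 31536000:
        findings.append("Strict-Transport-Security: max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy: allows 'unsafe-inline' or 'unsafe-eval'")

    # frame-ancestors in the CSP supersedes X-Frame-Options, so either one is acceptable.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or ""):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN, and no CSP frame-ancestors")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    policy = h.get("referrer-policy", "").lower()
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: missing or leaks the full URL to other origins")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection: missing (legacy header; the CSP is what matters)")
    return findings


if __name__ == "__main__":
    print("scanned-like response:", audit_headers(parse_response_headers(SAMPLE_RESPONSE)))
    print("hardened set:         ", audit_headers(HARDENED_HEADERS))
```

Running `audit_headers` on the hardened set returns an empty list, which is the acceptance check to repeat against the live server (for example on the head of a `curl -sI` response) once the headers have been added to the Apache configuration.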


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted connections, so a man-in-the-middle who can provoke a single plain-HTTP request to the site obtains their contents.

Finding

• The cookie named PHPSESSID does not have the flag Secure set. This may leak sensitive information. Found on URL https://dvwa.dev.crashtest.cloud

How to fix

Mark the cookie Secure so that it is only ever transmitted over HTTPS, and, as described in 2.10.21, HttpOnly so that script cannot read it; a session cookie should additionally carry a SameSite attribute of Lax or Strict. For PHPSESSID the flags are set through session.cookie_secure and session.cookie_httponly. This is especially important for session cookies. More details on how to set these flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies
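The two cookie findings (2.10.21 and this section) are decided from the Set-Cookie line alone, so the following added example (not Crashtest Security code) parses one, reports the missing flags, and rewrites the line the way it should look after the fix, extending the check to SameSite, which the report does not cover. SAMPLE_SET_COOKIE is constructed and the session id in it is made up.

```python
"""Set-Cookie audit and rewrite for findings 2.10.21 (HttpOnly) and 2.10.26
(Secure) on PHPSESSID, extended to SameSite, which the report does not check.

Added example, not Crashtest Security code. SAMPLE_SET_COOKIE is constructed and
the session id in it is made up.
"""
from __future__ import annotations

# Constructed: the shape of the Set-Cookie the report describes (no flags at all).
SAMPLE_SET_COOKIE = "PHPSESSID=c0n5truct3d5e55i0n1d; path=/"

_CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
              "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(line: str) -> dict:
    """Parse one Set-Cookie value into name, value and attributes (attribute
    names lower-cased; flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(line: str) -> list[str]:
    """One entry per missing protection on this cookie; empty list means clean."""
    cookie = parse_set_cookie(line)
    name, attrs = cookie["name"], cookie["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie after XSS)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (sent on cross-site requests)")
    return findings


def harden_set_cookie(line: str) -> str:
    """Rewrite the Set-Cookie with Secure, HttpOnly and SameSite=Lax. This is what
    PHP emits once session.cookie_secure, session.cookie_httponly and (PHP >= 7.3)
    session.cookie_samesite are set; on PHP 5.x the first two are available via
    session_set_cookie_params() and SameSite has to be appended by the web server."""
    cookie = parse_set_cookie(line)
    attrs = dict(cookie["attrs"])
    attrs["secure"] = True
    attrs["httponly"] = True
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        attrs["samesite"] = "Lax"
    rendered = [f"{cookie['name']}={cookie['value']}"]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    print(audit_cookie(SAMPLE_SET_COOKIE))
    print(harden_set_cookie(SAMPLE_SET_COOKIE))
```

Because the audit and the rewrite share one parser, `audit_cookie(harden_set_cookie(line))` returning an empty list is the round-trip check that the rewrite actually produces what the scanner wants to see.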


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

The entries in this appendix are matched on the reported version strings alone. Distribution packages frequently keep the upstream version number while backporting security fixes, so each CVE should be verified against the installed package's changelog before it is treated as exploitable.

PHP 5.5.9

high    CVE-2016-4072    The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073    Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185    sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109    mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185    The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736    In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161    In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715   In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low     CVE-2018-1283    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199   In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092   In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098   In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184    mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710   In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
    • Appendix
      • PHP 5.5.9 CVE Findings
      • Apache 2.4.7 CVE Findings

DVWA - 24 Mar 20 23:34 CET

2.9 SQL Injection

2.9.1 What is this?

SQL injection is the exploitation of a database-backed application that builds SQL statements from user input without validating or escaping the meta-characters in that input (quotes, comment markers, statement separators). The attacker injects SQL fragments of their own through the application, which runs them with the application's database privileges. Because the input is not handled correctly, the inserted text changes the original statement and therefore alters its result in the attacker's favour. With a successful attack the attacker can read data, modify or delete it, and in some configurations gain control over the server. There are several ways to find such a flaw: for example, a blind injection can be confirmed through differences in response content, response time or error messages, even when no query result is ever shown in the page.

2.9.2 SQL Injection

Severity

Base Score: critical (9.1/10)
Impact: medium (5.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your application is vulnerable to SQL injection. An attacker can run SQL statements of their choosing against your database and thereby retrieve, change or delete its contents.

Finding

• Found boolean-based blind SQL injection for parameter id (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/sqli/ with payload Submit=Submit&id=xyz' AND 8968=(SELECT (CASE WHEN (8968=8968) THEN 8968 ELSE (SELECT 7909 UNION SELECT 5090) END))-- mFLn

• Found boolean-based blind SQL injection for parameter username (GET) on https://dvwa.dev.crashtest.cloud/vulnerabilities/brute/ with payload Login=Login&password=Crashtest123&username=xyz' AND 5434=5434 AND 'bYyE'='bYyE

Both payloads close the quoted string the parameter sits in and append a condition that is true by construction (8968=8968, 5434=5434). The scanner compares that response with the response for the corresponding false condition; in the first payload the false branch is a scalar subquery returning two rows, which makes the statement fail. A stable difference between the two responses shows that the parameter is evaluated inside the SQL statement, even though no query result is reflected directly in the page.

How to fix

The robust fix is to keep SQL code and user data separate: never build a statement by concatenating or formatting user input into it. When direct SQL queries are required, use prepared statements (parameterised queries). These contain placeholders for the user's input; the driver transmits the statement and the values separately, so the values can never change the structure of the query. Most common frameworks and object-relational mapping (ORM) libraries generate parameterised queries for you, but their raw-query escape hatches are as dangerous as hand-written SQL and need the same care. Escaping (sanitising) the input before it reaches the database is only a second line of defence: it is easy to miss a character or a character set, and it does not help where the input is used as a number, a column name or a sort order rather than a quoted string; validate such values against an allow-list instead. Finally, connect with a database account that holds only the privileges the application needs, so that any remaining injection cannot drop tables or read other databases. More details on how to use these methods can be found in the knowledge database (see Recommendations).
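The mechanism behind the first finding, reproduced as an added example that is not part of the original report or of DVWA's code. It uses Python with an in-memory SQLite database (DVWA itself is PHP on MySQL) and a constructed users table with made-up credentials; lookup_vulnerable mirrors DVWA's low-security sqli page, which pastes the id parameter into the query. A boolean oracle of the kind the scanner used is then enough to read the admin password one character at a time, while the prepared-statement version of the same lookup returns nothing for the same payload. The function names and the ADMIN_PASSWORD_QUERY target are this example's own choices.

```python
import sqlite3

# Constructed sample data standing in for DVWA's users table (made-up credentials).
SAMPLE_USERS = [
    (1, "admin", "Admin", "User", "pa55w0rd"),
    (2, "gordonb", "Gordon", "Brown", "abc123"),
]

# Attacker-chosen SQL naming the secret to extract (hypothetical target).
ADMIN_PASSWORD_QUERY = "SELECT password FROM users WHERE user = 'admin'"


def build_db():
    """In-memory SQLite database loaded with the sample users."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, user_id):
    """The DVWA-style bug: the id parameter is pasted into the statement text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    """Same lookup as a prepared statement: the value is bound, never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


def oracle(db, condition):
    """Boolean-based blind probe: the page shows a row iff the injected condition holds.
    The payload closes the string literal, ANDs the condition onto a known-good id and
    comments out the trailing quote, like the scanner's "xyz' AND 5434=5434 ..." payload."""
    return len(lookup_vulnerable(db, f"1' AND ({condition})-- ")) > 0


def extract_secret(db, secret_query, max_len=64):
    """Recover the result of secret_query one character at a time through the oracle.
    Each character is found by binary search over printable ASCII (32..126), so it
    costs at most seven probes instead of up to 95. Returns (text, probe_count)."""
    recovered, probes = "", 0
    for pos in range(1, max_len + 1):
        probes += 1
        if not oracle(db, f"length(({secret_query})) >= {pos}"):
            break  # ran past the end of the secret
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            probes += 1
            if oracle(db, f"unicode(substr(({secret_query}), {pos}, 1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        recovered += chr(lo)
    return recovered, probes


if __name__ == "__main__":
    db = build_db()
    print("oracle for a true / false condition:", oracle(db, "1=1"), oracle(db, "1=2"))
    print("extracted through the blind injection:", extract_secret(db, ADMIN_PASSWORD_QUERY))
    print("same payload against the prepared statement:", lookup_safe(db, "1' AND (1=1)-- "))
```

The scanner's true/false pair (8968=8968 against a failing subquery) is exactly the oracle function above; the extraction loop shows why a "blind" injection with no visible output is still a full data-disclosure vulnerability, and why the severity is rated critical.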

Crashtest Security GmbH, Leopoldstr. 21, 80802 München, Germany, https://crashtest-security.com

Page 24 of 54


Recommendations

https://wiki.crashtest-security.com/sql-injections


2.10 SSL/TLS

2.10.1 What is this?

Transport Layer Security (TLS), still widely referred to by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. Its most visible use is HTTPS, with which providers secure all communication between their servers and web browsers, so that valuable information such as usernames, passwords and credit card numbers cannot be read by someone analysing the network traffic. (The "S" in HTTPS stands for "secure".) An HTTPS connection requires a certificate, which binds the server's public key to its domain name; certificates offer different levels of validation and have fixed start and expiration dates. To provide a secure connection a web server needs both a well-configured certificate and a well-configured protocol setup: with an outdated protocol version or a weak cipher suite an attacker may be able to downgrade or break the encryption, while an expired, self-signed, mis-issued or misnamed certificate will be blocked or flagged by web browsers.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The security of a TLS connection depends heavily on the size of the server's key. The server offers a key size that results in weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The key behind the server certificate is too small and is within reach of a well-funded attacker: 1024-bit RSA has been disallowed by NIST since 2013, public certificate authorities no longer issue certificates for such keys, and 2048 bits is the accepted minimum. Generate a new private key of at least 2048 bits (RSA) or a 256-bit elliptic-curve key (ECDSA P-256) and obtain a new certificate for it; reissuing a certificate on the same 1024-bit key does not help. Note that this finding concerns the certificate key; the 1024-bit Diffie-Hellman group reported in 2.10.24 is a separate server setting. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure because of several known biases in its keystream; RFC 7465 prohibits its use in TLS.

Finding

• The detected cipher suite uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

RC4 is considered insecure: the statistical biases in its keystream let an attacker who can observe many encryptions of the same secret (for example, a session cookie sent with every request) recover that secret. Remove every RC4 suite from the server's cipher list and replace it with strong suites, preferably AEAD suites such as AES-GCM or ChaCha20-Poly1305. RC4 was once recommended as a workaround for BEAST (see 2.10.9); that advice is obsolete. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions (CBC without proper mitigations, weak handshake hashing) that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The web server still offers deprecated SSL/TLS versions and must be reconfigured to accept only TLS 1.2 and TLS 1.3. This is a protocol setting, not a certificate issue: the same certificate can be served over a modern configuration, although the certificate problems in 2.10.2, 2.10.12 and 2.10.18 need fixing as well. SSLv3 is broken (POODLE, see 2.10.22), and TLS 1.0 and 1.1 are formally deprecated (RFC 8996); the major browsers dropped support for them in 2020, so disabling them no longer locks out current clients. After the change, verify from the outside that a handshake with each old version is refused. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server's certificate provides no way to check whether it has been revoked. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) let clients verify that a server certificate is still valid and has not been withdrawn by its issuer.

Finding

• Neither a CRL distribution point nor an OCSP URI is provided in the certificate.

How to fix

The CRL and OCSP locations are certificate extensions (CRL Distribution Points and Authority Information Access) that the issuing certificate authority (CA) writes into the certificate; a self-signed certificate, such as the one this server presents (see 2.10.18), cannot carry a meaningful revocation pointer. If a certificate's private key is compromised, revocation lets the CA withdraw it, a new (valid) certificate can be issued, and the compromised one, if used by an attacker, will produce warnings when a user accesses the site. OCSP is the newer mechanism: it allows a real-time status query for a single certificate instead of downloading complete revocation lists that may contain thousands of entries. Obtain the certificate from a CA that publishes OCSP and CRL information, and enable OCSP stapling on the web server so that the status is delivered with the handshake. Bear in mind that browsers generally soft-fail revocation checks (they proceed when the OCSP responder is unreachable), so short certificate lifetimes and prompt key rotation after an incident remain important. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to Logjam, an attack on the Diffie-Hellman key exchange as used in TLS. A man-in-the-middle can downgrade a connection to 512-bit "export" DHE suites, and servers commonly use the same handful of pre-generated 1024-bit prime groups, so an attacker who invests once in a precomputation for such a group can break every connection that uses it far more cheaply.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000).

How to fix

Logjam is prevented by refusing export-grade cipher suites and by not using small or widely shared DH groups: generate your own DH parameters of at least 2048 bits, or prefer ECDHE key exchange, which is not affected. Note that 2.10.24 shows this server negotiating a 1024-bit DH group. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support weak cipher suites from OpenSSL's "LOW", "DES", "RC2" and "RC4" classes. An attacker can make use of such an insecure SSL/TLS connection.

Finding

• Low-strength ciphers such as DES, RC2 and RC4 are accepted by the server. You should use stronger ciphers.

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers: single DES has a 56-bit key and is brute-forceable, RC2 is obsolete, and RC4 is broken (see 2.10.3). An attacker who can interfere with the handshake may be able to force one of these suites. In the SSL/TLS configuration the allowed cipher suites and their order should be set to secure values, and the LOW, EXPORT, NULL and anonymous classes should be excluded explicitly. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header tells the browser's built-in XSS filter how to handle a reflected cross-site scripting attack it detects. If this header is not configured, such attacks may not be blocked even though the browser notices them.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1; mode=block' (or at least '1') so that reflected XSS detected by the browser is blocked or sanitised. Treat this as a legacy measure for old browsers only: the filter was removed from Chrome and Edge in 2019, Firefox never implemented it, and in the browsers that still have it the filter itself has been abused to leak page content. A Content-Security-Policy (see 2.10.13) is the mechanism to rely on, and the actual fix for XSS remains correct output encoding in the application.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS, CVE-2011-3389). Using the predictable initialisation vectors of cipher block chaining (CBC) mode in SSLv3 and TLS 1.0, a man-in-the-middle who can also make the victim's browser send chosen requests can decrypt parts of the connection and obtain secrets such as session cookies.

Finding

• VULNERABLE, but the server also supports higher protocols (TLSv1.1, TLSv1.2), so the issue is likely mitigated in practice.

How to fix

BEAST is prevented on the server side by disabling SSLv3 and TLS 1.0 (see 2.10.4), so that CBC suites are only used with TLS 1.1 or later, which use an explicit IV per record. All current browsers also mitigate the attack on the client side (1/n-1 record splitting), which is why the scanner rates it as likely mitigated; do not work around it by preferring RC4, which is worse (see 2.10.3). More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support "average" cipher suites: SEED and 128/256-bit CBC-mode suites (AES, CAMELLIA and ARIA with an HMAC). Such suites are not broken outright, but they lack authenticated encryption and have repeatedly been the target of padding-oracle and timing attacks (BEAST, Lucky 13).

Finding

• The server accepts average-strength suites such as SEED and 128/256-bit CBC suites (AES, CAMELLIA, ARIA), which are discouraged in favour of AEAD suites.

How to fix

The list of supported HTTPS cipher suites includes suites that are merely adequate. Prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange, put them first in the cipher order, and keep CBC suites, if at all, only at the end of the list for old clients; TLS 1.3 offers AEAD suites only. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from guessing ("sniffing") the MIME type of a response from its content instead of trusting the Content-Type header. Without it, a file that is served with a harmless type (for example an uploaded image) but contains HTML or script can be interpreted as such by the browser.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response, so that the browser uses the declared Content-Type only and refuses scripts and stylesheets served with a wrong type. Make sure the application sets a correct Content-Type on every response, because with 'nosniff' a wrong declaration is no longer silently corrected by the browser.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The algorithm used to sign the server certificate has severe security issues.

Finding

• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The server certificate is signed with MD5, for which collision attacks are practical: a forged certificate carrying the same signature can be produced, which is why browsers reject MD5-signed certificates (and, since 2017, SHA-1-signed ones). Have the certificate reissued with a SHA-2 signature (SHA-256 or stronger). The signature algorithm is chosen when the certificate is created, so a self-signed certificate must be regenerated and a CA-issued one requested again. More details on which algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources such as scripts, images or stylesheets, and whether inline scripts are allowed at all. A strict policy limits what an attacker can do with an injected script and so blunts many cross-site scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that resources may only be loaded from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', because they permit exactly the inline and dynamically evaluated script that an injection would introduce; if inline scripts are unavoidable, allow them by nonce or hash instead. Start with a report-only policy (Content-Security-Policy-Report-Only) to discover what the application legitimately loads before enforcing it. CSP reduces the impact of XSS; it does not remove the injection itself.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using TLS 1.0 with cipher suites in cipher block chaining (CBC) mode. In TLS 1.0 the IV of each record is the last ciphertext block of the previous record, which is predictable and lets an attacker break the encryption with the BEAST attack (see 2.10.9).

Finding

• BEAST TLS1: the BEAST attack exploits the predictable IVs of CBC mode in TLS 1.0, which enables man-in-the-middle decryption of chosen plaintext.

How to fix

Disable TLS 1.0 (and SSLv3) on the web server and offer only TLS 1.2 and TLS 1.3 with strong cipher suites (see 2.10.4). This finding is about the protocol and cipher configuration, not about the certificate. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame in other websites. If this header is not configured, your application can be embedded in third-party pages, which makes it vulnerable to clickjacking: the attacker overlays the framed page with content of their own and tricks the user into clicking on it.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent the page from being embedded at all, or as 'SAMEORIGIN' to allow framing only by pages from your own origin. The older 'ALLOW-FROM DOMAIN' value is no longer supported by current browsers; to allow a specific third-party site, use the Content-Security-Policy directive frame-ancestors instead, which also takes precedence over X-Frame-Options where both are present. Keep X-Frame-Options for older browsers.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL classes "3DES" and "IDEA"). An attacker can make use of such a weak SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard), 3DES and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. DES and IDEA suites were removed from the specification with TLS 1.2, TLS 1.3 allows only AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305), and 3DES under TLS 1.2 is subject to SWEET32 (see 2.10.17). You should use TLS 1.2 or TLS 1.3 with modern suites.

How to fix

The list of supported HTTPS cipher suites includes weak ciphers, so an attacker who can influence the handshake may obtain a weakly encrypted SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values, with 3DES and IDEA excluded explicitly. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server uses cipher suites with a 64-bit block size (3DES). With such a short block the birthday bound is reached after about 2^32 blocks (roughly 32 GB) of data on one connection: two ciphertext blocks collide, and the XOR of the corresponding plaintext blocks leaks. An attacker who can make the victim's browser send a large volume of requests that all carry the same secret (for example a session cookie) and who observes the traffic for long enough can recover that secret.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack (CVE-2016-2183). 3DES ciphers should be disabled.

How to fix

SWEET32 is prevented by using cipher suites with a 128-bit block size (AES, CAMELLIA) or a stream construction (ChaCha20-Poly1305) and by removing 3DES, Blowfish and IDEA from the cipher list; limiting connection lifetime only raises the attacker's cost. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust fails if the names in the certificate do not match the web server's domain, if the certificate is self-signed or issued by a CA the client does not know, or if it has expired.

Finding

• There is no Subject Alternative Name (SAN) defined; browsers complain about this.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The certificate is not consistent with the domain that served it. A trusted certificate must list the site's host name(s) in the Subject Alternative Name extension: current browsers ignore the Common Name entirely, so a certificate with a correct CN but no SAN is still rejected. It must be signed by a certificate authority (CA) that the users' browsers trust, and the web server must be configured to present that certificate, together with any intermediate CA certificates, on incoming HTTPS requests. Until this is fixed, users are trained to click through certificate warnings, and HSTS (see 2.10.25) has no effect. Guides on how to generate and install a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL is sent in the Referer header when the user follows a link or the page loads a resource. A missing or lax policy can leak sensitive information carried in URLs (paths, query parameters, tokens) to third-party websites.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a restrictive value such as 'strict-origin-when-cross-origin': for links to other origins only your origin (scheme and host) is sent instead of the full URL, for same-origin links the full Referer is kept, and nothing is sent when the connection is downgraded from HTTPS to HTTP. 'no-referrer' or 'same-origin' are stricter alternatives if the application does not need referrers at all. Even with a policy in place, avoid putting secrets into URLs.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using SSL 3.0 with cipher suites in cipher block chaining (CBC) mode. Such connections use predictable IVs, which lets an attacker break the encryption with the BEAST attack, and SSLv3's CBC padding is additionally exploitable by POODLE (see 2.10.22).

Finding

• BEAST SSL3: the BEAST attack exploits the predictable IVs of CBC mode, which enables man-in-the-middle decryption of chosen plaintext.

How to fix

The web server is using a deprecated SSL version and needs to be reconfigured: disable SSLv3 entirely and offer only TLS 1.2 and TLS 1.3 with strong cipher suites (see 2.10.4). No choice of cipher makes SSLv3 safe. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by JavaScript running in the page (document.cookie). In case of a cross-site scripting (XSS) attack, the injected script can read these cookies and send them to the attacker.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the HttpOnly flag on every cookie that client-side script does not need to read, and in particular on the session cookie: a stolen PHPSESSID is a complete takeover of the user's session. For a PHP application the session cookie flags are controlled by session.cookie_httponly and session.cookie_secure in php.ini (or via session_set_cookie_params), so the fix needs no change to the application code. Combine HttpOnly with the Secure flag (see 2.10.26) and a SameSite attribute. HttpOnly does not stop an XSS payload from making requests with the cookie from inside the page;ically it only prevents exfiltration of the cookie value. More details on how to set these attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566). By forcing a client to fall back to SSL 3.0, a man-in-the-middle can use the padding oracle in SSLv3's CBC mode to decrypt data from encrypted connections, typically one byte of a cookie per 256 requests on average.

Finding

• The detected SSL version (SSLv3) is vulnerable to POODLE.

How to fix

POODLE is prevented by disabling SSLv3 on the server altogether (see 2.10.4). As a secondary measure, support TLS_FALLBACK_SCSV so that a client which retries a failed handshake with a lower protocol version cannot be downgraded silently by an attacker. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server does not enforce a cipher suite order, or the enforced order includes an insecure suite. Without a server-side preference the client's order decides which suite is negotiated, so an outdated or malicious client can steer the connection to the weakest suite the server still accepts.

Finding

• There is no server-side cipher order configured. The server should enforce its own order from strongest to weakest, so that a strong suite is chosen whenever the client supports one.

How to fix

Configure the server to honour its own cipher order (on Apache: SSLHonorCipherOrder on) and list the allowed suites from strongest (ECDHE with AEAD) to weakest, removing insecure suites entirely rather than merely ranking them last. In TLS 1.3 all suites are AEAD, so ordering matters mainly for TLS 1.2 clients. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The SSL/TLS configuration of the server is inconsistent. SSL/TLS is responsible for encrypting the traffic between your web application and a user's browser to prevent eavesdropping, and an inconsistent configuration is a sign that the effective settings differ from the intended ones.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC mode; "matching cipher in list missing") could not be found in the list of cipher suites that the server advertised.

How to fix

Two things are notable here. First, the negotiated suite uses a 1024-bit ephemeral Diffie-Hellman group, which is too small (see 2.10.6), and a CBC suite rather than an AEAD one. Second, a negotiated suite that is absent from the enumerated list usually means the configuration is not what the administrator believes it to be, for example because a default or another virtual host's settings apply. Review the effective SSL/TLS configuration, use DH parameters of at least 2048 bits or prefer ECDHE suites, restrict the server to TLS 1.2 and TLS 1.3 with strong cipher suites, and verify the result with an external handshake test. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration
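The cipher-suite findings in 2.10.3, 2.10.4, 2.10.7, 2.10.10, 2.10.16, 2.10.17, 2.10.23 and this section all come down to which suites and protocol versions a server accepts. The following is an added example, not part of the original report or of the scanner, written in Python against the standard ssl module: it classifies OpenSSL-style suite names the way the report does (a constructed list stands in for the scanner's output), and it builds a server context that avoids every one of those findings, which the same classifier then confirms on the suites the context really offers. The cipher-string policy and the helper names are this example's own choices; the 1024-bit DH group of this section is not visible in a suite name and has to be checked from the handshake.

```python
import ssl

# Suite names as a scanner would list them for a server like the one in this report.
# Constructed list, not scanner output.
ADVERTISED_SUITES = [
    "RC4-SHA",                      # RC4 stream cipher (2.10.3)
    "DES-CBC-SHA",                  # single DES, OpenSSL LOW class (2.10.7)
    "DES-CBC3-SHA",                 # 3DES, 64-bit block: SWEET32 (2.10.16, 2.10.17)
    "IDEA-CBC-SHA",                 # IDEA, 64-bit block (2.10.16)
    "DHE-RSA-AES256-SHA256",        # CBC with HMAC, the "average" class (2.10.10, 2.10.24)
    "AES128-SHA",                   # CBC and RSA key exchange: no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",  # AEAD with ECDHE: acceptable
    "ECDHE-RSA-CHACHA20-POLY1305",  # AEAD with ECDHE: acceptable
]

AEAD_MARKERS = {"GCM", "CCM", "CHACHA20"}
FORWARD_SECRET_KEX = {"DHE", "ECDHE", "EDH", "EECDH"}


def classify_suite(name):
    """Problems with one OpenSSL-named cipher suite, [] if it is acceptable.
    Classification is by name only: the size of a DHE group (the 1024-bit DH of
    2.10.24) is not encoded in the name and must be checked from the handshake."""
    tokens = set(name.upper().replace("_", "-").split("-"))
    issues = []
    if "NULL" in tokens:
        issues.append("no encryption")
    elif "RC4" in tokens:
        issues.append("RC4: broken stream cipher, prohibited by RFC 7465")
    elif "RC2" in tokens or ("DES" in tokens and not {"CBC3", "EDE3"} & tokens):
        issues.append("LOW: DES/RC2")
    elif {"CBC3", "EDE3", "3DES", "IDEA"} & tokens:
        issues.append("64-bit block cipher: SWEET32")
    elif not AEAD_MARKERS & tokens:
        issues.append("CBC mode, no AEAD: BEAST/Lucky13 class")
    if "MD5" in tokens:
        issues.append("MD5 MAC")
    if any(t.startswith("EXP") for t in tokens):
        issues.append("export-grade key exchange: FREAK/Logjam")
    if {"ADH", "AECDH", "ANON"} & tokens:
        issues.append("anonymous key exchange, no server authentication")
    # TLS 1.3 suites (TLS_...) always use ephemeral key exchange.
    if not name.upper().startswith("TLS_") and not FORWARD_SECRET_KEX & tokens:
        issues.append("no forward secrecy")
    return issues


def audit_suites(names):
    """Map each unacceptable suite name to its list of issues."""
    return {n: classify_suite(n) for n in names if classify_suite(n)}


def hardened_server_context():
    """Server context that avoids the report's protocol and cipher findings:
    TLS 1.2 and 1.3 only, ECDHE with AEAD only, server-preferred ordering.
    The policy string is this example's choice, not the scanner's wording."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # No SSLv3, TLS 1.0 or TLS 1.1 (2.10.4, 2.10.9, 2.10.14, 2.10.20, 2.10.22).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # No RC4, DES, 3DES, IDEA or CBC suites (2.10.3, 2.10.7, 2.10.10, 2.10.16, 2.10.17);
    # ECDHE only, so no DH group size to worry about (2.10.6, 2.10.24).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    # The server, not the client, decides the order (2.10.23).
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def context_issues(ctx):
    """Run the same classifier over the suites a context would actually offer."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for suite, problems in audit_suites(ADVERTISED_SUITES).items():
        print(f"{suite}: {'; '.join(problems)}")
    print("hardened context issues:", context_issues(hardened_server_context()))
```

get_ciphers() only reports what the local OpenSSL build would offer; the external check that the report performs (handshaking with each old protocol version and each weak suite) is still needed after the configuration is deployed.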


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not send an HTTP Strict Transport Security (HSTS) header. HSTS instructs the browser to use HTTPS only for this host for a defined period, which prevents downgrade attacks such as SSL stripping, where an attacker intercepts an initial plain-HTTP request and keeps the victim on HTTP.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header on every HTTPS response (for example max-age=31536000; includeSubDomains) and redirect HTTP to HTTPS. The header only takes effect after the browser has once seen it over a valid HTTPS connection; browsers ignore it on plain HTTP and on connections with certificate errors, so the trust problem in 2.10.18 must be fixed first. Submitting the domain to the browser preload list closes the first-visit gap. Start with a short max-age until you are sure that every subdomain can be served over HTTPS, because the policy cannot be withdrawn from clients early. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted connections. An attacker in a man-in-the-middle position can obtain their contents by luring the victim's browser to any http:// URL on the domain.

Finding

• The cookie with the name PHPSESSID does not have the Secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Secure flag on all cookies, so that the browser sends them over HTTPS only. For the session cookie this is essential, because HSTS (see 2.10.25) does not cover the first request and because an attacker can inject a plain-HTTP request into the victim's browser from any other page. Combine it with the HttpOnly flag (see 2.10.21) and a SameSite attribute. Secure only protects the cookie in transit: any session that was established over HTTP before the flag was introduced should be invalidated. More details on how to set these attributes can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies
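The header and cookie findings in 2.10.8, 2.10.11, 2.10.13, 2.10.15, 2.10.19, 2.10.21, 2.10.25 and this section are all checks on a single HTTP response. The following added example (not part of the original report or of the scanner) implements those checks in Python on a raw response: a constructed response resembling what the report describes (Apache 2.4.7, PHP 5.5.9, a bare PHPSESSID cookie and no security headers) produces the findings, and a hardened version of the same response passes. The header values, the finding strings and the function names are this example's own, not the scanner's.

```python
# Constructed responses, not captured traffic. WEAK_RESPONSE resembles the server in
# this report; HARDENED_RESPONSE carries the fixes from the sections above.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Set-Cookie: security=low\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: security=low; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name-lower, value), ...]).
    Duplicates are kept because Set-Cookie appears once per cookie."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(set_cookie_value):
    """Findings for one Set-Cookie value: missing HttpOnly, Secure or SameSite."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    wanted = (("HttpOnly", "httponly"), ("Secure", "secure"), ("SameSite", "samesite"))
    return [f"cookie {name}: missing {flag}" for flag, key in wanted if key not in attrs]


def audit_response(raw):
    """Return the list of header and cookie findings for a raw response ([] if clean)."""
    _status, headers = parse_response(raw)
    first, findings = {}, []
    for name, value in headers:
        if name == "set-cookie":
            findings += cookie_findings(value)
        else:
            first.setdefault(name, value)  # first occurrence wins, as in browsers

    if "max-age=" not in first.get("strict-transport-security", "").lower():
        findings.append("missing header: strict-transport-security")

    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing header: x-content-type-options (expected nosniff)")

    csp = first.get("content-security-policy", "")
    if not csp:
        findings.append("missing header: content-security-policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak header: content-security-policy allows unsafe-inline/unsafe-eval")

    xfo = first.get("x-frame-options", "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp:
        findings.append("missing clickjacking protection: X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")

    if first.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("missing or lax header: referrer-policy")

    # Legacy filter: current browsers ignore it; '0' (explicitly off) is also accepted.
    xss = first.get("x-xss-protection", "").replace(" ", "").lower()
    if xss not in {"0", "1;mode=block"}:
        findings.append("legacy header not set: x-xss-protection (use '1; mode=block' for old browsers)")

    return findings


if __name__ == "__main__":
    for line in audit_response(WEAK_RESPONSE):
        print("weak:", line)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

Running the same audit against every response of the application, not only the start page, matters: headers set in one virtual host or location block are easily missing from error pages, redirects and API endpoints.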


2.11 Appendix

The entries below are matched on the version strings the server reports (PHP 5.5.9, Apache 2.4.7). Distributions frequently backport security fixes without changing the reported version, so confirm each CVE against the installed package's changelog before treating it as exploitable.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high      CVE-2016-4072   The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high      CVE-2016-4073   Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high      CVE-2014-0185   sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium    CVE-2018-1312   In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium    CVE-2014-8109   mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium    CVE-2015-3185   The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Page 51 of 54


medium  CVE-2016-0736  In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161  In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


Page 52 of 54


medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


Recommendations
https://wiki.crashtest-security.com/sql-injections


Page 25 of 54


2.10 SSL/TLS

2.10.1 What is this
Transport Layer Security (TLS), more widely known by the name of its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most visible use of it is HTTPS, with which providers can secure all communication between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card numbers cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The security of a TLS connection heavily depends on the key size used. The server offers a key size which results in weak encryption.

Finding
• The certificate key size is RSA 1024 bits.

How to fix
The key used for the TLS connection is too small and can therefore be broken with feasible effort. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


Page 26 of 54


2.10.3 SSL RC4

Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding
• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix
"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


Page 27 of 54


2.10.4 SSL Protocol Version

Severity
Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that can no longer be considered secure. Please use TLS 1.2 or TLS 1.3 instead.

Finding
• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.
• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.
• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest versions of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


Page 28 of 54


2.10.5 Certificate Revocation

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding
• Neither a CRL nor an OCSP URI is provided.

How to fix
The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the certificate authority (CA) used, to revoke the compromised certificate. One can then issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster, without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


Page 29 of 54


2.10.6 SSL LOGJAM Common Primes

Severity
Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to break such an encryption.

Finding
• LOGJAM vulnerability detected, CVE-2015-4000.

How to fix
LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


Page 30 of 54


2.10.7 SSL Cipherlist LOW

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is configured to support low-strength ciphers ("LOW": DES, RC2, RC4). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding
• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


Page 31 of 54


2.10.8 X-XSS-Protection Header

Severity
Base Score: medium (6.1/10)
Impact: low (2.7/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding
• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


Page 32 of 54


2.10.9 SSL BEAST

Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding
• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix
BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 is used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


Page 33 of 54


2.10.10 SSL Cipherlist AVERAGE

Severity
Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is configured to support average-strength ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding
• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


Page 34 of 54


2.10.11 X-Content-Type-Options Header

Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding
• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


Page 35 of 54


2.10.12 SSL Insecure Algorithm

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The encryption algorithm in use has severe security issues.

Finding
• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
One of the algorithms in use has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


Page 36 of 54


2.10.13 Content-Security-Policy Header

Severity
Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The Content-Security-Policy header tells the browser which domains are whitelisted as sources for further resources such as scripts, images or stylesheets. This can prevent various Cross-Site Scripting (XSS) and similar injection attacks.

Finding
• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


Page 37 of 54


2.10.14 SSL Cipher Block Chaining TLS1

Severity
Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using this setting contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding
• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest versions of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


Page 38 of 54


2.10.15 X-Frame-Options Header

Severity
Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding
• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on all others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


Page 39 of 54


2.10.16 SSL Cipherlist 3DES IDEA

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server is configured to support 3DES and IDEA ciphers ("3DES", "IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding
• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


Page 40 of 54


2.10.17 SSL SWEET32

Severity
Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The server uses ciphers with a short block size, which makes it likely that different inputs produce the same ciphertext block (a birthday collision). By observing the traffic for a longer period of time, an attacker can recover secure HTTP cookies.

Finding
• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix
SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


Page 41 of 54


2.10.18 SSL Trust

Severity
Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding
• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix
The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as the common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


Page 42 of 54


2.10.19 Referrer-Policy Header

Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding
• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This sends only your origin instead of the full path in the Referer header when clicking on external links, keeps the full Referer for internal links, and sends no Referer at all when the connection is downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


Page 43 of 54


2.10.20 SSL Cipher Block Chaining SSL3

Severity
Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using this setting contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding
• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix
The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest versions of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


Page 44 of 54


2.10.21 Non Httponly Cookies

Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring Schema v3.

Description
Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding
• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked as secure can be transferred via an unencrypted connection; a man-in-the-middle attack can be used to obtain the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts, so in case of a Cross-Site Scripting (XSS) attack an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('//'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSL/TLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSL/TLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2.10 SSL/TLS

2.10.1 What is this

Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS, a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.10.2 TLS Key Size

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The security of a TLS connection heavily depends on the used key size. The server offers a key size which will result in a weak encryption.

Finding

• The certificate key size is RSA 1024 bits.

How to fix

The used TLS connection key is too small and therefore can be easily broken. This can be solved by choosing a certificate with a larger key size. More details on which certificates to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/increase-tls-key-size


2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), which is a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-rc4


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000.

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW/DES/RC2/RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various Cross-Site-Scripting (XSS) and similar injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS V1 in Cipher Block Chaining Mode (CBC). Connections using this setting contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it vulnerable to collisions where the same block is produced for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

2.10.3 SSL RC4

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Finding

• The detected cipher uses the encryption algorithm RC4, which is vulnerable to various attacks.

How to fix

"Rivest Cipher 4" is considered insecure as there are multiple known vulnerabilities for it. It is recommended to replace the cipher with a strong encryption algorithm. More details on which ciphers to choose can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-rc4

2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)

Impact: medium (4.2/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Finding

• Neither CRL nor OCSP URI provided.

How to fix

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate. If the certificate is compromised, these techniques allow the user, respectively the used certificate authority (CA), to revoke the compromised certificate. Therefore one can issue a new (valid) certificate, and the compromised certificate (used by an attacker) will produce warnings when a user accesses the website. OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates. More details on how to enable OCSP can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/renew-tls-certificates

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support average-strength cipher suites: SEED and the 128/256-bit CBC-mode suites (AES, CAMELLIA, ARIA) with an HMAC. These are not broken outright, but CBC with MAC-then-encrypt has a long history of padding-oracle and timing attacks (BEAST, Lucky 13, the POODLE variants), and the suites offer no advantage over the AEAD suites (AES-GCM, ChaCha20-Poly1305) that every current client supports.

Finding

• The server is configured to use average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA, ARIA), which are deprecated in favour of AEAD suites.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header, with the value nosniff, prevents the browser from guessing (sniffing) the MIME type of a response from its content and makes it honour the declared Content-Type instead. This protects against attacks where a malicious file is served with an unsuspicious declared type (for example an uploaded "image" that is really HTML or script) and would otherwise be rendered or executed by the browser. It also makes browsers refuse to execute script and stylesheet responses whose Content-Type is not a script or CSS type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content. Make sure every response, including uploads served back to users, carries a correct Content-Type, since with nosniff the declared type is authoritative.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the algorithms used in the SSL/TLS configuration has severe, well-known security issues.

Finding

• The weak signature algorithm MD5 is in use. MD5 is collision-broken, so a certificate or handshake signature made with it can be forged. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix
Replace the affected algorithm: if the certificate chain is signed with MD5, re-issue the certificate with a SHA-2 signature; if MD5 appears as the MAC of offered cipher suites, remove those suites from the cipher list. More details on which cipher suites use strong algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load further resources (scripts, images, stylesheets, frames) and whether inline script is allowed. A strict policy stops many Cross-Site Scripting (XSS) and other content injection attacks from executing even when an injection point exists in the application.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the Content-Security-Policy header so that it only allows loading resources from trusted origins such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src (or in default-src when no script-src is given), since either allows injected code to run. Start with a default-src fallback and add specific directives as required (for example object-src 'none', base-uri 'self', frame-ancestors). A policy can be tried out without breaking the site by sending it as Content-Security-Policy-Report-Only first.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using TLS 1.0 with Cipher Block Chaining (CBC) mode cipher suites. TLS 1.0 derives the IV of each record from the previous record, so an attacker who can inject chosen plaintext and observe the traffic can recover plaintext using the BEAST attack.

Finding

• BEAST / TLS1: the BEAST attack leverages the weakness in TLS 1.0 cipher block chaining (CBC), which allows a man-in-the-middle attacker to decrypt parts of the connection

How to fix
Disable TLS 1.0 (and SSLv3) and offer TLS 1.2 and TLS 1.3 with AEAD cipher suites instead. The web server also needs to be configured with strong, trusted certificates and a strong cipher suite list. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks (the attacker overlays the invisible framed page with decoy content so that the victim's clicks land on your application).

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Configure the X-Frame-Options header as 'DENY' to prevent the page from being framed at all, or as 'SAMEORIGIN' to allow framing only by pages of the same origin. The 'ALLOW-FROM DOMAIN' value is obsolete and ignored by current browsers; to allow specific third-party sites, use the frame-ancestors directive of the Content-Security-Policy header, which supersedes X-Frame-Options in browsers that support it.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites (OpenSSL classes "3DES" and "IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on 3DES (Triple DES) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. Both are 64-bit block ciphers, which makes long-lived connections vulnerable to the SWEET32 birthday attack (see 2.10.17). The single-DES and IDEA suites were removed from TLS 1.2 (RFC 5469) and TLS 1.3 defines no such suites; 3DES is still defined for TLS 1.2 but deprecated. Use TLS 1.2 or TLS 1.3 with AES-GCM or ChaCha20-Poly1305 suites.

How to fix
The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size (3DES, IDEA). In CBC mode, after roughly 2^32 blocks (about 32 GB) have been encrypted under one key, ciphertext block collisions become likely (the birthday bound), and each collision reveals the XOR of two plaintext blocks. An attacker who can keep a connection alive and inject known traffic (for example via JavaScript in the victim's browser) while observing it can recover secrets that are sent repeatedly, such as secure HTTP cookies.

Finding

• 64-bit block ciphers are offered, which are vulnerable to the SWEET32 birthday attack. 3DES cipher suites should be disabled.

How to fix
SWEET32 attacks can be prevented by only offering cipher suites with a 128-bit block size (AES, Camellia, ARIA) or AEAD constructions such as ChaCha20-Poly1305. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32
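The cipher-list findings above (LOW in 2.10.7, AVERAGE in 2.10.10, 3DES/IDEA in 2.10.16, SWEET32 here, and the MD5 MAC of 2.10.12) all come down to a handful of rules applied to the suite names a server advertises. The following is an added example written for this report, not the scanner's or the vendor's code: it applies those rules to a list of OpenSSL-style suite names and derives a strongest-first cipher string from the suites that survive. The `ADVERTISED` list is a constructed sample chosen to cover every class named in the findings, not a capture of the scanned host.

```python
"""Classify advertised TLS cipher suites by the rules of the cipher-list
findings (LOW, AVERAGE, 3DES/IDEA, SWEET32, MD5 MAC).  Added example for
this report; ADVERTISED is a constructed sample, not a scan result."""
from __future__ import annotations
import re

ADVERTISED = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # acceptable: AEAD, forward secrecy
    "ECDHE-RSA-CHACHA20-POLY1305",   # acceptable
    "DHE-RSA-AES256-SHA256",         # AVERAGE: CBC + HMAC (the suite seen in 2.10.24)
    "AES128-SHA",                    # AVERAGE and static RSA key exchange
    "CAMELLIA256-SHA",               # AVERAGE
    "SEED-SHA",                      # AVERAGE
    "DES-CBC3-SHA",                  # 3DES: 64-bit blocks, SWEET32
    "IDEA-CBC-SHA",                  # IDEA: 64-bit blocks, SWEET32
    "RC4-MD5",                       # LOW (RC4) and MD5 MAC
    "RC4-SHA",                       # LOW
    "DES-CBC-SHA",                   # LOW: single DES
    "EXP-RC2-CBC-MD5",               # LOW: export-grade RC2, MD5 MAC
    "NULL-SHA",                      # LOW: no encryption at all
]

AEAD_TAGS = ("GCM", "CHACHA20", "CCM")
FORWARD_SECRET_PREFIXES = ("ECDHE-", "EECDH-", "DHE-", "EDH-", "TLS_")  # TLS_ = TLS 1.3


def classify(suite: str) -> list[str]:
    """Return the reasons a suite should be disabled; [] means acceptable."""
    name = suite.upper()
    reasons: list[str] = []
    if name.startswith("EXP") or "NULL" in name or name.startswith(("ADH", "AECDH")):
        reasons.append("LOW: export-grade, NULL or anonymous suite")
    if "RC4" in name:
        reasons.append("LOW: RC4 stream cipher")
    if "RC2" in name or re.search(r"(^|-)DES-CBC-", name):
        reasons.append("LOW: single DES or RC2")
    if "DES-CBC3" in name or "3DES" in name or "IDEA" in name:
        reasons.append("SWEET32: 64-bit block cipher (3DES/IDEA)")
    if name.endswith("-MD5"):
        reasons.append("insecure MAC algorithm: MD5")
    if not reasons and not any(tag in name for tag in AEAD_TAGS):
        # Block cipher in CBC mode with MAC-then-encrypt: AES, CAMELLIA, ARIA, SEED
        reasons.append("AVERAGE: CBC mode, MAC-then-encrypt")
    if not name.startswith(FORWARD_SECRET_PREFIXES):
        reasons.append("no forward secrecy (key exchange is not ECDHE/DHE)")
    return reasons


def audit(advertised: list[str]) -> dict[str, list[str]]:
    """Map every offered suite to its reasons (empty list = acceptable)."""
    return {suite: classify(suite) for suite in advertised}


def acceptable(advertised: list[str]) -> list[str]:
    return [suite for suite in advertised if not classify(suite)]


def server_preference(advertised: list[str]) -> str:
    """Colon-separated cipher string of the acceptable suites, strongest first,
    usable as the value of an SSLCipherSuite / ssl_ciphers directive together
    with server-side cipher preference (see 2.10.23 SSL Cipher Order)."""
    def rank(suite: str):
        n = suite.upper()
        return (not n.startswith(("ECDHE-", "EECDH-")),   # ECDHE before DHE
                not ("256" in n or "CHACHA20" in n),       # 256-bit keys first
                n)
    return ":".join(sorted(acceptable(advertised), key=rank))


if __name__ == "__main__":
    for suite, reasons in audit(ADVERTISED).items():
        print(f"{suite:32} {'; '.join(reasons) or 'OK'}")
    print("recommended order:", server_preference(ADVERTISED))
```

The classifier is deliberately name-based so it can be run over the output of any scanner or of `openssl ciphers -v`; the only suites that pass are AEAD suites with an ephemeral key exchange, which is also the set that TLS 1.3 restricts itself to.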


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot trust the certificate. Trust issues arise if the name in the certificate does not match the web server domain, if the certificate carries no Subject Alternative Name (SAN), or if the certificate is self-signed or issued by a CA the client does not know. Users who are trained to click through such warnings cannot tell this certificate from one presented by a man-in-the-middle attacker.

Finding

• There is no Subject Alternative Name defined; browsers complain, since current browsers (Chrome, Firefox, Safari) validate only the SAN and no longer fall back to the Common Name
• The CN or SAN in the certificate does not match the tested URL

How to fix
The issued certificate is not consistent with the domain that delivered it. A trusted certificate needs to contain the correct information for the web application: the domain name as Common Name and, decisively, as a DNS entry in the Subject Alternative Name extension. The certificate must be signed by a certificate authority (CA) that the users' browsers trust, and the web server must then be configured to present the certificate (together with any intermediate CA certificates) on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much information about the referring page is sent in the Referer header when the user follows a link or the page loads a resource. A missing or misconfigured policy may leak sensitive information contained in the URL (paths, identifiers, query parameters, tokens) to third-party websites reached by clicking a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. With that policy the browser sends only your origin (scheme, host and port) instead of the full URL when following links to external sites, keeps the full Referer for same-origin navigation, and sends nothing at all when the connection is downgraded from HTTPS to HTTP. 'same-origin' or 'no-referrer' are stricter alternatives if third parties never need to know where visitors come from.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server allows connections using SSL 3.0 with Cipher Block Chaining (CBC) mode cipher suites. Like TLS 1.0, SSL 3.0 chains the IV of each record to the previous record, which is predictable and allows an attacker to break the encryption using the BEAST attack; SSL 3.0 CBC padding is in addition unauthenticated, which is the basis of POODLE (see 2.10.22).

Finding

• BEAST / SSL3: the BEAST attack leverages the weakness in SSL 3.0 cipher block chaining (CBC), which allows a man-in-the-middle attacker to decrypt parts of the connection

How to fix
The web server is using a deprecated SSL/TLS version and needs to be updated: disable SSLv3 entirely, so that the CBC weakness cannot be reached regardless of the cipher list. The web server also needs to be configured with strong, trusted certificates, the newest TLS versions and strong cipher suites. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by script running in the page (document.cookie). In case of a Cross-Site Scripting (XSS) attack, the injected script can read and exfiltrate these cookies; for a session cookie this means the attacker takes over the session.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix
Set the HttpOnly flag on every cookie that client-side script does not need to read, in particular the session cookie. For the PHPSESSID cookie this is the php.ini setting session.cookie_httponly = 1 (or session_set_cookie_params() before session_start()). Cookies that are not marked Secure can additionally be transferred over an unencrypted connection, where a man-in-the-middle attacker can read them, so set session.cookie_secure = 1 as well. Depending on the cookie content, consider enabling both settings for all cookies; this is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). In SSL 3.0 the CBC padding bytes are not covered by the MAC, so the server acts as a padding oracle. An attacker in a man-in-the-middle position first forces a client that still supports SSL 3.0 to fall back to it (by breaking the handshakes for newer versions) and can then decrypt data of the encrypted connection, such as a cookie, byte by byte.

Finding

• The detected SSL version is vulnerable to SSL POODLE

How to fix
POODLE attacks are prevented by disabling SSLv3 on the server altogether. TLS_FALLBACK_SCSV (RFC 7507) additionally stops an attacker from downgrading clients that support it to a lower protocol version the server still offers, and a secure TLS configuration should be used in general. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. Without a server-side order, the client's preference decides which of the mutually supported suites is used, so a client that lists a weak suite first gets it even though both sides would have supported a stronger one.

Finding

• There is no cipher order configured. There should be a server-enforced cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix
Configure the server to enforce its own cipher order (in Apache mod_ssl: SSLHonorCipherOrder on) and list the allowed cipher suites from strongest to weakest, without any insecure suite in the list. In the SSL/TLS configuration the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256 with a 1024-bit DH group, CBC mode) could not be found in the list of cipher suites that the server advertised (matching cipher in list missing). A suite that is negotiated but not advertised points to an inconsistent configuration, for instance several virtual hosts or listeners with different cipher lists. The 1024-bit DH group is in addition too small (see 2.10.6).

How to fix
The web server needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of TLS, strong cipher suites and DH parameters of at least 2048 bits, consistently across all virtual hosts. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS is delivered in the Strict-Transport-Security response header; once a browser has received it over a valid HTTPS connection, it rewrites http:// requests for the site to https:// for the given max-age and no longer lets the user click through certificate errors. This prevents downgrade attacks to an insecure HTTP connection (SSL stripping) against returning visitors.

Finding

• HSTS is not offered by the server

How to fix
Send the Strict-Transport-Security header, for example with the value 'max-age=31536000; includeSubDomains', on every HTTPS response, and make sure all HTTP requests are redirected to HTTPS. Note that browsers ignore the header when it arrives over a connection with certificate errors, so the trust problem in 2.10.18 has to be fixed first for HSTS to take effect; start with a short max-age until all subdomains serve HTTPS correctly. Depending on the used certificate and the web server, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts
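The header findings in this report (X-XSS-Protection in 2.10.8, X-Content-Type-Options in 2.10.11, Content-Security-Policy in 2.10.13, X-Frame-Options in 2.10.15, Referrer-Policy in 2.10.19 and HSTS here) are all checks on one HTTP response. The following is an added example for this report, not scanner or vendor code: it audits a response header set against those checks and includes one hardened set that passes. Both header dictionaries are constructed samples; `OBSERVED` mirrors the findings (no security headers at all) and the `Server` value is a placeholder taken from the Appendix version string, not a captured response.

```python
"""Audit of the security headers discussed in 2.10.8, 2.10.11, 2.10.13,
2.10.15, 2.10.19 and 2.10.25.  Added example for this report, not scanner
code.  OBSERVED and HARDENED are constructed samples.  Header names are
compared case-insensitively, as HTTP requires."""
from __future__ import annotations

ONE_YEAR = 31536000
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}

OBSERVED = {  # constructed: a response with no security headers at all
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.7",
}

HARDENED = {  # constructed: one configuration that passes every check below
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "0",  # legacy filter is gone from modern browsers; turn it off
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}; directive names lower-cased."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: problem} for every header that is missing or weak."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: dict[str, str] = {}

    if "strict-transport-security" not in h:
        findings["Strict-Transport-Security"] = "missing: HTTPS is not enforced"
    elif hsts_max_age(h["strict-transport-security"]) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "max-age shorter than one year"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "not 'nosniff': browser may sniff MIME types"

    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings["Content-Security-Policy"] = "missing: no restriction on script sources"
    elif "default-src" not in policy:
        findings["Content-Security-Policy"] = "no default-src fallback directive"
    else:
        script_sources = policy.get("script-src", policy["default-src"])
        unsafe = sorted(s for s in script_sources
                        if s in ("'unsafe-inline'", "'unsafe-eval'", "*"))
        if unsafe:
            findings["Content-Security-Policy"] = "script sources allow " + ", ".join(unsafe)

    # Framing is blocked either by X-Frame-Options or by CSP frame-ancestors.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") \
            and "frame-ancestors" not in policy:
        findings["X-Frame-Options"] = "missing and no CSP frame-ancestors: clickjacking possible"

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings["Referrer-Policy"] = "missing or leaks the full URL to third parties"

    xxp = h.get("x-xss-protection")
    if xxp is None:
        findings["X-XSS-Protection"] = "missing: old browsers default to the rewriting filter; send '0' or '1; mode=block'"
    elif xxp.replace(" ", "") not in ("0", "1;mode=block"):
        findings["X-XSS-Protection"] = "filter in rewrite mode ('1'): use '0' or '1; mode=block'"
    return findings


if __name__ == "__main__":
    for header, problem in audit_security_headers(OBSERVED).items():
        print(f"{header}: {problem}")
```

The CSP check looks at `script-src` and falls back to `default-src`, which is the browser's own resolution order; a policy consisting only of `img-src` or `style-src` would therefore still be reported, since it leaves script sources unrestricted.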


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over an unencrypted HTTP connection to the same host. An attacker in a man-in-the-middle position only has to make the browser issue one plain-HTTP request (for example by injecting an image link into any unencrypted page the user visits) to obtain the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix
Set the Secure flag on the session cookie so that it is only ever transmitted over HTTPS; for PHPSESSID this is the php.ini setting session.cookie_secure = 1 (or session_set_cookie_params() before session_start()). Cookies that are not marked HttpOnly can furthermore be read by script in the page, which an XSS attack can abuse, so set session.cookie_httponly = 1 as well. Depending on the cookie content, consider enabling both settings for all cookies; this is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies
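Both cookie findings (2.10.21 Non HttpOnly Cookies and this one) concern attributes of the same `Set-Cookie` header. The following is an added example for this report, not scanner or vendor code: it parses a `Set-Cookie` line, reports the missing protections and re-emits the cookie with `Secure`, `HttpOnly` and `SameSite` set. The `Set-Cookie` line is a constructed sample in the shape of a PHP session cookie; the session id value is made up.

```python
"""Cookie-flag audit and hardening for the Non-HttpOnly (2.10.21) and
Insecure Cookies (2.10.26) findings.  Added example for this report, not
scanner code.  OBSERVED_SET_COOKIE is a constructed sample."""
from __future__ import annotations

OBSERVED_SET_COOKIE = "PHPSESSID=0123456789abcdef0123456789; path=/"  # constructed

ATTRIBUTE_LABELS = {"path": "Path", "domain": "Domain", "max-age": "Max-Age",
                    "expires": "Expires", "samesite": "SameSite"}


def parse_set_cookie(line: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    pair, *attrs = [part.strip() for part in line.split(";")]
    name, _, value = pair.partition("=")
    attributes: dict[str, str] = {}
    for attr in attrs:
        if attr:
            key, _, val = attr.partition("=")
            attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes


def audit_cookie(line: str) -> list[str]:
    """List the protections a cookie should carry but does not."""
    name, _, attrs = parse_set_cookie(line)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: Secure flag missing, cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append(f"{name}: HttpOnly flag missing, readable via document.cookie after XSS")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append(f"{name}: SameSite not Lax/Strict, cookie is attached to cross-site requests")
    return problems


def harden_set_cookie(line: str, samesite: str = "Lax") -> str:
    """Re-emit the Set-Cookie line with Secure, HttpOnly and SameSite set,
    keeping the other attributes (Path, Domain, expiry) as they were."""
    name, value, attrs = parse_set_cookie(line)
    attrs.pop("secure", None)
    attrs.pop("httponly", None)
    attrs["samesite"] = samesite
    parts = [f"{name}={value}"]
    for key, val in attrs.items():
        label = ATTRIBUTE_LABELS.get(key, key)
        parts.append(f"{label}={val}" if val else label)
    parts += ["Secure", "HttpOnly"]
    return "; ".join(parts)


if __name__ == "__main__":
    print(*audit_cookie(OBSERVED_SET_COOKIE), sep="\n")
    print(harden_set_cookie(OBSERVED_SET_COOKIE))
```

For PHP the first two attributes correspond to session.cookie_secure = 1 and session.cookie_httponly = 1 in php.ini; session.cookie_samesite only exists from PHP 7.3 on, so on the PHP 5.5.9 seen in the Appendix the SameSite attribute has to be added by emitting the Set-Cookie header yourself, or by upgrading PHP.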


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high – CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high – CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high – CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium – CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium – CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium – CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium – CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium – CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium – CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low – CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium – CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium – CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium – CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium – CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium – CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium – CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium – CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium – CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium – CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium – CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."

Note on this list: the CVEs above are matched purely on the version strings 2.4.7 and 5.5.9 obtained by fingerprinting the server banner, not by testing each issue. Distribution packages keep the upstream version number while backporting security fixes (the Ubuntu 14.04 packages, for instance, carry exactly these two version numbers), and several entries only apply to modules or platforms (mod_lua, mod_session, mod_authnz_ldap, the WinNT MPM, Subversion) that may not be in use. Each entry should therefore be verified against the package changelog or by an actual test before being treated as exploitable; the outdated, unsupported version itself is the certain finding.


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings


2.10.4 SSL Protocol Version

Severity

Base Score: high (8.2/10)
Impact: medium (4.2/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak constructions (chained CBC IVs, unauthenticated padding, MD5/SHA-1-based handshake integrity) that cannot be considered secure anymore, and TLS 1.0 and 1.1 have been formally deprecated (RFC 8996). Please use TLS 1.2 or TLS 1.3 instead.

Finding

• TLS 1.1 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

• SSLv3 is offered by the server. SSLv3 is insecure and should not be used. TLS 1.2 or TLS 1.3 should be used instead.

How to fix
The web server is using deprecated SSL/TLS versions and needs to be updated: disable SSLv3, TLS 1.0 and TLS 1.1 and offer only TLS 1.2 and TLS 1.3 (in Apache mod_ssl: SSLProtocol -all +TLSv1.2 +TLSv1.3). TLS 1.3 requires OpenSSL 1.1.1 and a correspondingly recent httpd; the Apache 2.4.7 identified in the Appendix predates both, so offering TLS 1.3 means upgrading the web server first. The server also needs strong, trusted certificates and strong cipher suites. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions
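The protocol and CBC findings (this one, 2.10.9 BEAST, 2.10.14 and 2.10.20 Cipher Block Chaining, 2.10.22 POODLE and 2.10.23 Cipher Order) are all fixed by the same three settings: minimum version TLS 1.2, AEAD suites with forward secrecy only, and server-side cipher preference. The following is an added example for this report, not scanner, vendor or Apache code: it builds a hardened server-side TLS context with Python's standard `ssl` module, which drives the same OpenSSL settings that the Apache directives SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder set, and checks the resulting context against the report's rules. It runs offline; no server is started and no host is contacted. The cipher string is my choice, not a value taken from the report.

```python
"""Hardened TLS server settings with a self-check.  Added example for this
report (not scanner or Apache code); uses only the stdlib ssl module so
the effect of the fixes for 2.10.4, 2.10.9, 2.10.14, 2.10.20, 2.10.22 and
2.10.23 can be verified without a running server."""
from __future__ import annotations
import ssl

# AEAD suites with forward secrecy only; CBC, RC4, 3DES and MD5 are excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"


def hardened_server_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server picks, strongest first
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression enables CRIME
    return ctx


def cbc_only_context() -> ssl.SSLContext:
    """Counter-example: TLS 1.2, but only CBC suites (what 2.10.10 calls AVERAGE)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA")
    return ctx


def enabled_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of the suites the context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def check_context(ctx: ssl.SSLContext) -> list[str]:
    """Apply the report's TLS rules to a context; [] means it passes."""
    issues: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("deprecated protocol version enabled (below TLS 1.2)")
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        issues.append("server cipher preference not enforced")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        issues.append("TLS compression enabled")
    for c in ctx.get_ciphers():
        name = c["name"]
        # get_ciphers() reports whether a suite is AEAD; fall back to the name
        aead = c.get("aead", "GCM" in name or "CHACHA20" in name)
        if not aead:
            issues.append(f"non-AEAD (CBC, MAC-then-encrypt) suite enabled: {name}")
        if not name.startswith(("ECDHE-", "DHE-", "TLS_")):   # TLS_ = TLS 1.3
            issues.append(f"no forward secrecy: {name}")
        for weak in ("RC4", "DES", "IDEA", "SEED", "MD5", "NULL", "EXP"):
            if weak in name:
                issues.append(f"weak algorithm {weak} in {name}")
    return issues


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("cbc-only", cbc_only_context())):
        print(label, "offers:", ", ".join(enabled_suites(ctx)))
        print(label, "issues:", check_context(ctx) or "none")
```

The check inspects what OpenSSL will actually offer rather than the configuration string, which is the same distinction the scanner makes: 2.10.24 shows a suite being negotiated that the advertised list did not contain, so verifying the effective list is what counts.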


2105 Certificate RevocationSeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is badly configured regarding revoked certificates Certificate Revocation Lists(CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify theintegraty of a server certificate

Finding

bull Neither CRL nor OCSP URI provided

How to fixThe webserver is badly configured regarding revoked certificates Certificate Revocation Lists(CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify theintegrity of a server certificate If the certificate is compromised these techniques allow the userrespectively the used certificate authority (CA) to revoke the compromised certificate Thereforeone can issue a new (valid) certificate and the compromised certificate (used by an attacker)will produce warnings when a user accesses their website OCSP is the newer method to revokecertificates as it allows certificate authorities to revoke certificates much faster without theneed to update complete revocation lists potentially containing thousands of certificates Moredetails on how to enable OCSP can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomrenew-tls-certificates

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 29 of 54

2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. In most cases the algorithm uses the same pregenerated prime numbers, which makes it much easier (and cheaper) to break such an encryption.

Finding

• LOGJAM vulnerability detected: CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on which ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-logjam

2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-beast

2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types of downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The encryption algorithm in use has severe security issues.

Finding

• The weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the algorithms in use has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for downloading further resources such as scripts, images or stylesheets. This can prevent various XSS and other Cross-Site-Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on all others.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that the same ciphertext block is produced for different inputs (a birthday collision). By observing the traffic for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as the common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073  Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185  sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312  In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109  mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185  The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium  CVE-2016-0736  In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161  In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non HttpOnly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings

DVWA - 24 Mar 20 23:34 CET

2.10.5 Certificate Revocation

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate carries no revocation information. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are the two mechanisms that let a client verify that a server certificate has not been revoked by its issuing certificate authority (CA).

Finding

• Neither a CRL nor an OCSP URI is provided in the certificate.

How to fix

If the private key belonging to a certificate is compromised, the CA revokes that certificate and issues a replacement; clients that check revocation will then warn when an attacker presents the revoked certificate. A client can only check if the certificate says where to look: a CRL Distribution Points extension pointing at the CRL, and/or an Authority Information Access extension carrying the OCSP responder URI. Both extensions are written by the CA at issuance and cannot be added in the web server configuration, so this finding is fixed by obtaining a certificate from a CA that includes them (publicly trusted CAs do). Once an OCSP URI is present, enable OCSP stapling on the server so that the signed revocation status is delivered inside the TLS handshake instead of every client contacting the responder itself. OCSP is the newer of the two methods: it answers for a single certificate on demand, so a revocation takes effect without clients downloading a complete list that may contain thousands of entries. More details on enabling OCSP can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/renew-tls-certificates


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to Logjam (CVE-2015-4000), an attack on the Diffie-Hellman (DHE) key exchange. A man-in-the-middle can downgrade the connection to an export-grade 512-bit DH group, and because most servers reuse the same few pre-generated primes, a one-time precomputation for such a prime lets the attacker break every individual key exchange that uses it cheaply. The same precomputation is considered feasible for well-funded attackers against the common 1024-bit primes.

Finding

• LOGJAM vulnerability detected (CVE-2015-4000)

How to fix

Remove all export cipher suites, prefer ECDHE key exchange, and if DHE suites are kept, generate your own DH parameters of at least 2048 bits instead of relying on a library-supplied common group. More details on which cipher suites are considered strong can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server accepts cipher suites from OpenSSL's "LOW" class and suites based on DES, RC2 and RC4. Single DES has a 56-bit key that can be brute-forced, RC2 in TLS is used with equally short keys, and RC4 has exploitable keystream biases; an attacker who can make a client negotiate one of these suites, or who records a connection that used one, can recover the plaintext.

Finding

• Low ciphers such as DES, RC2 and RC4 are accepted by the server. A stronger cipher should be used.

How to fix

Remove these suites from the server's cipher list: exclude the LOW, EXPORT, NULL, DES, RC2 and RC4 groups rather than merely moving them to the end of the cipher order, because a client that offers only weak suites will still be given one. In the SSL/TLS configuration the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-XSS-Protection header controls the reflected-XSS filter that was built into Internet Explorer and older versions of Chrome and Edge. When the header is absent, the filter's behaviour is left to the browser's default, and a reflected XSS attack the browser does detect may be sanitised rather than blocked.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Setting the header to '1; mode=block' satisfies this check and makes legacy browsers block the page instead of attempting to sanitise it. Note that the filter this header controls has been removed from Chrome and Edge and was never implemented in Firefox, so the header gives no protection in current browsers; OWASP now recommends the value '0' (filter explicitly off) together with a Content-Security-Policy (see 2.10.13) and correct output encoding as the actual XSS defence.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). In SSLv3 and TLS 1.0, CBC-mode cipher suites use the last ciphertext block of the previous record as the next record's initialisation vector, which makes the IV predictable. A man-in-the-middle who can also make the victim's browser issue chosen requests (for example from an attacker-controlled page) can exploit this to decrypt the session byte by byte and recover authentication cookies.

Finding

• VULNERABLE, but the server also supports the higher protocol versions TLSv1.1 and TLSv1.2 (likely mitigated)

How to fix

BEAST is prevented by not offering SSLv3 or TLS 1.0 at all, so that every client negotiates TLS 1.1 or later. All current browsers additionally mitigate BEAST on the client side by splitting CBC records, which is why the finding is rated as likely mitigated; disabling the old protocol versions on the server is still the right fix, and it removes the POODLE finding (2.10.22) at the same time. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports cipher suites the scanner classes as average: SEED and the 128/256-bit CBC-mode suites (AES, CAMELLIA and ARIA in CBC mode). These suites are not broken the way the LOW class is, but the TLS CBC construction (MAC-then-encrypt) has been the subject of repeated padding-oracle and timing attacks (BEAST, Lucky 13, POODLE and its variants), and SEED, CAMELLIA and ARIA receive far less scrutiny and hardware support than AES.

Finding

• The server is configured to use average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

Prefer AEAD suites (AES-GCM, ChaCha20-Poly1305) with ECDHE key exchange and enable server-side cipher preference. Keep CBC suites, if at all, only at the end of the list for legacy clients, and remove SEED, CAMELLIA and ARIA unless a specific client requires them. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from MIME-sniffing a response, i.e. from guessing its type from the content instead of trusting the Content-Type header. Without it, a file that was uploaded and is served as an image or plain text can still be interpreted as HTML or script, which turns an apparently harmless upload into an XSS vector.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set X-Content-Type-Options: nosniff on every response; 'nosniff' is the only defined value. Because the browser will then trust the declared type, also make sure each response carries an accurate Content-Type (with a charset for text types). The knowledge base shows how to add the header in common web servers (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server certificate is signed with a hash algorithm that is no longer considered secure.

Finding

• Weak signature algorithm MD5 is used. Use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The signature algorithm of a certificate is chosen by the issuing CA, not by the web server's cipher configuration, so the certificate has to be reissued with a SHA-2 signature (SHA-256 or stronger). MD5 collisions are practical (a rogue intermediate CA certificate was forged from MD5 collisions in 2008) and browsers reject MD5-signed certificates. If the certificate is self-signed or comes from an internal CA, regenerate it with a SHA-256 signature, which current OpenSSL versions use by default. More details on which algorithms are considered strong can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins scripts, stylesheets, images, frames and other resources may be loaded, and whether inline scripts and eval() are permitted. A restrictive policy makes many injection points unexploitable, because injected script is blocked from running even where the application fails to encode output correctly.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Start from a restrictive policy such as default-src 'self'; object-src 'none'; frame-ancestors 'none' and add only the origins the application actually needs. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, as either one re-enables direct script injection; where inline scripts cannot be removed yet, allow them with per-response nonces or hashes. Roll the policy out as Content-Security-Policy-Report-Only first to see what it breaks, then switch to the enforcing header.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts TLS 1.0 connections with Cipher Block Chaining (CBC) cipher suites. In TLS 1.0 the IV of each record is the last ciphertext block of the previous record, so the ciphertext contains predictable material that the BEAST attack (2.10.9) exploits.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) that allows man-in-the-middle attacks.

How to fix

Disable TLS 1.0 (and SSLv3) in the server configuration so that clients negotiate TLS 1.1 or, preferably, TLS 1.2 or 1.3, and prefer AEAD cipher suites over CBC ones. TLS 1.1 and later use an explicit per-record IV, which removes the condition BEAST relies on. More details on how to configure protocol versions and cipher suites can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame in other websites. Without it, the application can be embedded in third-party pages, which makes it vulnerable to clickjacking: an attacker overlays an invisible frame of the application on a page of their own and tricks the user into clicking on it.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set X-Frame-Options: DENY if the application is never framed, or SAMEORIGIN if it frames its own pages. The 'ALLOW-FROM origin' form was only ever supported by a few browsers and is ignored by current ones; to allow framing from specific other sites use the Content-Security-Policy directive frame-ancestors, which supersedes this header.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports Triple DES and IDEA cipher suites (OpenSSL groups "3DES" and "IDEA"). Both are 64-bit block ciphers, which makes long-lived connections using them vulnerable to the SWEET32 birthday attack (2.10.17); 3DES is also slow and offers only 112 bits of effective strength.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. TLS 1.2 dropped single DES and IDEA from the specification, and TLS 1.3 defines no DES, 3DES or IDEA suites at all. Use TLS 1.2 or TLS 1.3.

How to fix

Remove the 3DES and IDEA groups from the cipher list in addition to the LOW class (2.10.7). If an old client genuinely still needs 3DES, keep it at the very end of the preference list and disable it as soon as that client is gone. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size (3DES). In CBC mode, once roughly 2^32 blocks (about 32 GB) have been encrypted under one key, a repeated ciphertext block becomes likely, and each such collision leaks the XOR of two plaintext blocks. An attacker who can keep a victim's connection alive and generate traffic on it (for example through injected JavaScript) can recover secrets that are sent with every request, such as session cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

Remove every 64-bit block cipher (3DES, IDEA) from the cipher list and prefer 128-bit block AEAD suites such as AES-GCM or ChaCha20-Poly1305. More details on which block sizes are considered large enough can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Browsers show a warning or refuse the connection if the certificate does not chain to a trusted CA, is self-signed, has expired, or does not contain the requested hostname.

Finding

• There is no subjectAltName defined; browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

Obtain a certificate whose subjectAltName extension lists every hostname the server is reached under (as dNSName entries). Current browsers ignore the Common Name for hostname matching, so a certificate that carries only a CN fails validation even when the CN is correct. The certificate must be signed by a certificate authority (CA) that the users' browsers trust, and the web server must be configured to present it, together with any intermediate CA certificates, on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates
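The two certificate findings above (2.10.5 and 2.10.18) can be reproduced programmatically. The following is an added example, not code from the report or from Crashtest Security: it triages a certificate given in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, checking for a subjectAltName, a hostname match, and the presence of OCSP/CRL URIs. The two sample certificates are constructed to mirror the findings; their CA URIs are placeholders.

```python
"""Certificate triage for the revocation (2.10.5) and trust (2.10.18)
findings. Added example, not the report's code.

Input is the dict shape of ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, 'subjectAltName' a tuple of (type, value) pairs, and
'OCSP' / 'crlDistributionPoints' tuples of URIs that are simply absent
when the CA put no such extension into the certificate.
"""
from __future__ import annotations


def common_name(cert: dict) -> str | None:
    """Return the subject CN, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_names(cert: dict) -> list[str]:
    """DNS entries of the subjectAltName extension (empty if no SAN)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style host matching: exact match, or a wildcard that is the
    whole leftmost label and covers exactly one label ('*.a.b' matches
    'x.a.b' but neither 'a.b' nor 'y.x.a.b')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def triage_certificate(cert: dict, hostname: str) -> list[str]:
    """Return the problems a browser would also complain about."""
    problems = []
    sans = dns_names(cert)
    cn = common_name(cert)
    if not sans:
        # Browsers no longer fall back to the CN: a certificate without a
        # SAN fails validation even when the CN is right.
        problems.append("no subjectAltName extension; browsers ignore the CN and reject the certificate")
        if cn is None or not name_matches(cn, hostname):
            problems.append(f"CN {cn!r} does not match {hostname}")
    elif not any(name_matches(name, hostname) for name in sans):
        problems.append(f"no SAN entry matches {hostname} (SAN: {sans})")
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        problems.append("neither OCSP responder nor CRL distribution point; revocation cannot be checked")
    return problems


# Constructed sample mirroring the findings: CN only, wrong host, no revocation info.
BAD_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "localhost"),)),
    "issuer": ((("commonName", "localhost"),),),
    "notAfter": "Mar 24 00:00:00 2021 GMT",
}

# Constructed sample of a CA-issued certificate for the tested host.
# The responder and CRL URIs are placeholders, not any real CA.
GOOD_CERT = {
    "subject": ((("commonName", "dvwa.dev.crashtest.cloud"),),),
    "subjectAltName": (("DNS", "dvwa.dev.crashtest.cloud"), ("DNS", "*.dev.crashtest.cloud")),
    "OCSP": ("http://ocsp.ca.example/",),
    "crlDistributionPoints": ("http://crl.ca.example/ca.crl",),
}

if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        print(label, triage_certificate(cert, "dvwa.dev.crashtest.cloud") or "OK")
```

For a live host, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields this dict, but only after validation has succeeded; for an untrusted certificate such as the one in this finding, fetch the PEM with `ssl.get_server_certificate((host, 443))` and parse it with a library such as `cryptography` before feeding the fields to `triage_certificate`.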


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL the browser puts into the Referer header when the user follows a link or the page loads a resource. Without it the browser applies its own default; older browsers sent the full URL, including path and query string, to third-party sites, which may leak sensitive information such as tokens or internal paths.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a restrictive value such as 'strict-origin-when-cross-origin': same-origin requests keep the full URL, cross-origin requests receive only the origin (scheme and host), and no Referer is sent at all when the connection is downgraded from HTTPS to HTTP. Use 'no-referrer' or 'same-origin' if URLs carry sensitive parameters.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts SSL 3.0 connections with Cipher Block Chaining (CBC) cipher suites. SSLv3 is deprecated (RFC 7568), and its CBC suites contain predictable material that the BEAST attack exploits and an unauthenticated padding scheme that POODLE (2.10.22) exploits.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) that allows man-in-the-middle attacks.

How to fix

The web server offers a deprecated protocol version. Disable SSLv3 entirely (and TLS 1.0 at the same time, see 2.10.14) and offer TLS 1.2 and TLS 1.3 with strong cipher suites. No cipher selection makes SSLv3 safe, because POODLE attacks its padding scheme itself. More details on how to disable deprecated protocol versions can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies without the HttpOnly flag can be read by JavaScript running in the page (document.cookie). If an attacker achieves cross-site scripting (XSS), the injected script can read these cookies and send them to the attacker, which for a session cookie means session hijacking.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly flag on every cookie that client-side scripts do not need to read, and in particular on session cookies. Set the Secure flag on them as well (see 2.10.26) so they are never sent over plain HTTP, and SameSite=Lax or Strict to limit cross-site sending. For the PHP session cookie this is done with the php.ini settings session.cookie_httponly = 1 and session.cookie_secure = 1, or with session_set_cookie_params() before session_start(). More details on how to set these flags can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). SSL 3.0 does not authenticate the CBC padding bytes, so a man-in-the-middle who first forces the client to fall back to SSL 3.0 and then replays modified records can use the server's accept/reject behaviour as a padding oracle and decrypt one byte of a secret such as a cookie for every 256 requests on average.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

Disable SSLv3 on the server. Enabling TLS_FALLBACK_SCSV additionally prevents an attacker from downgrading clients that implement it, but it protects nothing as long as SSLv3 is still offered to clients that start with it, so the protocol itself has to be turned off. More details on TLS_FALLBACK_SCSV and on which configurations are secure can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server does not enforce a cipher order, so the client's preference decides which suite is negotiated. A client that lists a weak suite first ends up with a weaker connection than the server could have provided, and a downgrade attacker has more room to work with.

Finding

• There is no cipher order configured. A cipher order from strongest to weakest should be set so that clients cannot use weaker ciphers before stronger ones are tried.

How to fix

Enable server-side cipher preference (SSLHonorCipherOrder on for Apache, ssl_prefer_server_ciphers on for nginx) and list the suites strongest first: ECDHE AEAD suites, then DHE AEAD suites, then CBC fallbacks if any are still needed. Ordering only chooses among the suites that are enabled; the weak suites from 2.10.7 and 2.10.16 still have to be removed. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in the SSL/TLS setup. SSL/TLS is responsible for encrypting the traffic between the web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated, DHE-RSA-AES256-SHA256 with a 1024-bit DH group (CBC), could not be found in the list of ciphers that the server advertised (matching cipher in list missing).

How to fix

Two things are wrong here. The negotiated suite uses a 1024-bit Diffie-Hellman group (see 2.10.6) and CBC mode (see 2.10.10): configure ECDHE, or DH parameters of at least 2048 bits, and prefer AEAD suites. In addition, a negotiated suite that does not appear in the enumerated list commonly indicates an inconsistent configuration, for example different virtual hosts, SNI names or configuration layers advertising different cipher lists; verify that a single protocol and cipher setting applies to the hostname that was tested and re-run the cipher enumeration. More details on how to configure protocol versions, cipher suites and certificates can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration
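The cipher-suite findings in this report (2.10.6, 2.10.7, 2.10.10, 2.10.16, 2.10.17, 2.10.23 and 2.10.24) all follow from classifying the suites a server offers. The following is an added example, not code from the report or from Crashtest Security: it takes OpenSSL-style suite names in the server's preference order, with the DH group size for DHE suites as a scanner would report it, and reproduces the report's categories, the preference-order check and the negotiated-but-not-advertised check. The offered list is constructed to mirror the findings, not the scanner's actual output; the hardened list shows what an acceptable configuration classifies as.

```python
"""Triage an enumerated TLS cipher list into the categories this report
uses: LOW, 3DES/IDEA, SWEET32, AVERAGE CBC, LOGJAM, missing forward
secrecy, cipher order and negotiated-but-not-advertised.
Added example, not the report's code.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Offered:
    name: str          # OpenSSL suite name, e.g. "DHE-RSA-AES256-SHA256"
    dh_bits: int = 0   # DHE group size in bits; 0 = not DHE or unknown (treated as weak)


AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify(suite: Offered) -> set[str]:
    """Tag one suite with the report's categories (empty set = acceptable)."""
    name = suite.name.upper()
    tokens = name.split("-")
    tags: set[str] = set()
    # LOW: export grade, NULL, RC2, RC4, MD5-based MAC, anonymous key exchange.
    if (any(t.startswith("EXP") for t in tokens)
            or tokens[0] in ("ADH", "AECDH")
            or any(t in tokens for t in ("NULL", "RC2", "RC4", "MD5"))):
        tags.add("LOW")
    # 64-bit block ciphers: "DES-CBC3-SHA" is 3DES, "DES-CBC-SHA" is single DES.
    if "CBC3" in tokens or "3DES" in tokens or "IDEA" in tokens:
        tags.update({"3DES/IDEA", "SWEET32"})
    elif "DES" in tokens:
        tags.add("LOW")
    aead = any(m in name for m in AEAD_MARKERS)  # TLS 1.3 suites are all AEAD
    if not aead and not tags:
        tags.add("AVERAGE-CBC")
    pfs = tokens[0] in ("ECDHE", "DHE", "EDH") or name.startswith("TLS_")
    if not pfs:
        tags.add("NO-PFS")
    if tokens[0] in ("DHE", "EDH") and suite.dh_bits < 2048:
        tags.add("LOGJAM")
    return tags


RANK = {"LOW": 4, "3DES/IDEA": 3, "AVERAGE-CBC": 2, "NO-PFS": 1}


def rank(tags: set[str]) -> int:
    """Lower is stronger; used to check the server's preference order."""
    return max((RANK[t] for t in tags if t in RANK), default=0)


def audit(offered: list[Offered], negotiated: str | None = None) -> dict:
    """Group suites by tag, check the preference order, and check that the
    suite a handshake actually negotiated is one the server advertised."""
    by_tag: dict[str, list[str]] = {}
    ranks = []
    for suite in offered:
        tags = classify(suite)
        ranks.append(rank(tags))
        for tag in sorted(tags):
            by_tag.setdefault(tag, []).append(suite.name)
    findings = []
    if any(a > b for a, b in zip(ranks, ranks[1:])):
        findings.append("cipher order: a weaker suite is preferred over a stronger one")
    if negotiated and negotiated not in {s.name for s in offered}:
        findings.append(f"negotiated {negotiated} is not in the advertised list")
    return {"by_tag": by_tag, "findings": findings}


# Constructed list mirroring the report's findings; not the scanner's real output.
OFFERED = [
    Offered("AES256-SHA"),
    Offered("DHE-RSA-AES256-SHA256", dh_bits=1024),
    Offered("ECDHE-RSA-AES128-GCM-SHA256"),
    Offered("DES-CBC3-SHA"),
    Offered("RC4-SHA"),
    Offered("SEED-SHA"),
    Offered("IDEA-CBC-SHA"),
    Offered("DES-CBC-SHA"),
]

# A hardened list: TLS 1.3 plus AEAD-only TLS 1.2 suites with forward secrecy.
HARDENED = [
    Offered("TLS_AES_256_GCM_SHA384"),
    Offered("ECDHE-RSA-AES256-GCM-SHA384"),
    Offered("ECDHE-RSA-CHACHA20-POLY1305"),
    Offered("DHE-RSA-AES128-GCM-SHA256", dh_bits=2048),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(OFFERED, negotiated="DHE-RSA-AES256-SHA"), indent=2))
    print(json.dumps(audit(HARDENED), indent=2))
```

The input for a real host is the output of a cipher enumeration (for example `openssl s_client -cipher` runs over each suite, or a scanner's suite list); the classification is deliberately based on suite names only, so it cannot see the DH group size unless the enumeration reports it, which is why `dh_bits` defaults to "unknown, treat as weak".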


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS tells a browser to reach this host over HTTPS only for a given period, which stops SSL-stripping and downgrade attacks to plain HTTP on later visits and turns certificate errors into hard failures that the user cannot click through.

Finding

• HSTS is not offered by the server.

How to fix

Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response (the header is ignored when received over HTTP). Because HSTS makes certificate warnings non-bypassable, fix the certificate trust issue in 2.10.18 first, start with a short max-age, and add includeSubDomains (and preload) only after verifying that every subdomain is served over HTTPS. Depending on the web server, the header is added in the virtual host or site configuration; more details on how to enable HSTS can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies without the Secure flag are sent with every request to the host, including plain-HTTP ones. An attacker on the network path can provoke such a request, for example by injecting an http:// image or link into any unencrypted page the victim visits, and read the cookie in transit.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure flag on every cookie of a site that is served over HTTPS, and the HttpOnly flag (see 2.10.21) on every cookie that client-side scripts do not need; both are essential for session cookies. For the PHP session cookie use the php.ini settings session.cookie_secure = 1 and session.cookie_httponly = 1, or session_set_cookie_params() before session_start(). HSTS (2.10.25) reduces the window for this attack but does not replace the flag. More details on how to set these two flags can be found in the knowledge base (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies
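The header and cookie findings in this report (2.10.11, 2.10.13, 2.10.15, 2.10.19, 2.10.21, 2.10.25 and 2.10.26) are all checks on a single HTTP response. The following is an added example, not code from the report or from Crashtest Security: it parses a raw response and applies those checks, with the fixed values from the sections above as the pass criteria. The two responses are constructed (the cookie value is a placeholder), one shaped like the findings and one after the fixes. X-XSS-Protection is deliberately not checked, for the reason given in 2.10.8.

```python
"""Audit security headers and cookie flags of an HTTP response the way
the header sections of this report do. Added example, not the report's code.
"""
from __future__ import annotations

import re

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw response into the status line and a name -> values map.
    Values are kept as a list because Set-Cookie legitimately repeats."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(headers: dict[str, list[str]], https: bool = True) -> list[str]:
    def first(name: str) -> str | None:
        values = headers.get(name)
        return values[0] if values else None

    findings = []
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    csp = first("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline' or 'unsafe-eval'")
    xfo = first("x-frame-options")
    if xfo is None and "frame-ancestors" not in (csp or ""):
        findings.append("no clickjacking protection: neither X-Frame-Options nor CSP frame-ancestors")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM was never widely supported and is ignored by current browsers.
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN")
    if (first("referrer-policy") or "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks the full URL cross-origin")
    if https:  # HSTS is only meaningful (and only honoured) on HTTPS responses
        match = re.search(r"max-age=(\d+)", first("strict-transport-security") or "", re.I)
        if match is None:
            findings.append("Strict-Transport-Security missing")
        elif int(match.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {match.group(1)} is shorter than one year")
    return findings


def audit_cookies(headers: dict[str, list[str]], https: bool = True) -> list[str]:
    findings = []
    for raw in headers.get("set-cookie", []):
        name_value, *attributes = [part.strip() for part in raw.split(";")]
        name = name_value.split("=", 1)[0]
        attrs = {}
        for attribute in attributes:
            key, _, value = attribute.partition("=")
            attrs[key.lower()] = value
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure (also sent over plain HTTP)")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax or Strict")
    return findings


def audit_response(raw: str, https: bool = True) -> dict[str, list[str]]:
    _status, headers = parse_response(raw)
    return {"headers": audit_headers(headers, https), "cookies": audit_cookies(headers, https)}


# Constructed response shaped like the report's findings (not a real capture).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

# The same response after applying the fixes from the sections above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    print(audit_response(VULNERABLE_RESPONSE))
    print(audit_response(HARDENED_RESPONSE))
```

To run this against a live host, feed it the bytes of a response captured with `http.client` or `curl -si`; check the main page and at least one authenticated page, since frameworks often set session cookies only after login.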


2.11 Appendix

The entries below are matched on the version strings the server reports (PHP 5.5.9, Apache 2.4.7, the versions shipped with Ubuntu 14.04 LTS). Distribution packages routinely backport security fixes without changing the version number, so confirm each entry against the installed package's changelog before treating it as exploitable.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high: CVE-2016-4072. The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high: CVE-2016-4073. Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high: CVE-2014-0185. sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium: CVE-2018-1312. In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium: CVE-2014-8109. mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium: CVE-2015-3185. The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium: CVE-2016-0736. In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or built-in authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium: CVE-2016-2161. In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium: CVE-2017-15715. In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low: CVE-2018-1283. In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium: CVE-2018-17199. In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium: CVE-2019-0217. In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium: CVE-2019-0220. A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium: CVE-2019-10092. In Apache HTTP Server 2.4.0 to 2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium: CVE-2019-10098. In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2.10.6 SSL LOGJAM Common Primes

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to LOGJAM, a security vulnerability against a Diffie-Hellman key exchange using 512 to 1024 bit keys. The algorithm uses in most cases the same pregenerated prime numbers, which makes it much easier (and cheaper) to crack such an encryption.

Finding

• LOGJAM vulnerability detected, CVE-2015-4000

How to fix

LOGJAM attacks can be prevented by using strong ciphers and avoiding weak primes. More details on what ciphers are considered strong can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-logjam


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2, RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a Man-In-The-Middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE, but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various XSS and other Cross-Site Scripting attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent it from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it vulnerable to collisions (the same ciphertext block for multiple inputs). By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This sends only your origin instead of the full path in the Referer header when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining Mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a Man-In-The-Middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc), matching cipher in list missing) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


Apache 2.4.7

medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2.10.7 SSL Cipherlist LOW

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support low ciphers like "LOW:DES:RC2:RC4". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Low ciphers like DES, RC2 and RC4 are used by the server. You should use a stronger cipher.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers like SEED and 128/256 bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in which a malicious file is served with an innocuous-looking MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted to download further resources such as scripts, images or stylesheets from. This can prevent various cross-site scripting (XSS) and similar injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on others.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers like "3DES:IDEA". This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes collisions (the same output block for different inputs) likely. By observing the traffic for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64 bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest so that clients end up with the strongest cipher both sides support rather than a weaker one.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.


medium CVE-2019-10098: In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
      • Findings Checklist
        • FILEINCLUSION
        • FINGERPRINTING
        • PORTSCAN
        • SQLINJECTION
        • DESERIALIZATION
        • XSS
        • XXE
        • COMMANDINJECTION
        • FUZZER
        • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
    • Appendix
      • PHP 5.5.9 CVE Findings
      • Apache 2.4.7 CVE Findings


2.10.8 X-XSS-Protection Header

Severity

Base Score: medium (6.1/10)

Impact: low (2.7/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-XSS-Protection header tells the browser how it should handle detected XSS attacks. If this header is not configured correctly, XSS attacks may not be blocked despite being detected by the browser.

Finding

• The X-XSS-Protection header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-XSS-Protection header as '1' or '1; mode=block' to make sure that XSS attacks detected by the browser are sanitized or blocked.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS) attacks. By using weaknesses in cipher block chaining, an attacker can use a man-in-the-middle attack to decrypt and obtain authentication tokens.

Finding

• VULNERABLE – but also supports higher protocols TLSv1.1, TLSv1.2 (likely mitigated)

How to fix

BEAST attacks can be prevented by ensuring that neither SSLv3 nor TLSv1 are used. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)

Impact: low (1.4/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• The server is configured to use average ciphers such as SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME types of downloaded files. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for downloading further resources such as scripts, images or stylesheets. This can prevent various cross-site scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on all others.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers ("3DES/IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it likely that multiple inputs produce the same hash. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.

• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Apache 2.4.7

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34 and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT US: Crashtest Security GmbH, Leopoldstr. 21, 80802 München, +49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2.10.9 SSL BEAST

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to BEAST (Browser Exploit Against SSL/TLS). In SSL 3.0 and TLS 1.0 the CBC initialisation vector of each record is the last ciphertext block of the previous record, so the IV is predictable. A man-in-the-middle attacker who can also make the victim's browser send chosen requests can use this to decrypt data such as session cookies and authentication tokens one byte at a time.

Finding

• VULNERABLE, but the server also supports the higher protocol versions TLSv1.1 and TLSv1.2 (likely mitigated: clients that negotiate TLS 1.1 or later are not affected, and current browsers additionally apply 1/n-1 record splitting on TLS 1.0).

How to fix

BEAST is prevented by ensuring that neither SSLv3 nor TLSv1.0 is offered, so that every client negotiates TLS 1.1 or, preferably, TLS 1.2. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-beast


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports cipher suites rated "average": SEED and the 128/256-bit CBC suites of AES, CAMELLIA and ARIA. These suites are not broken on TLS 1.2, but CBC mode is the class targeted by BEAST, POODLE and Lucky13-style padding-oracle attacks, and TLS 1.3 dropped CBC suites entirely in favour of AEAD suites (AES-GCM, ChaCha20-Poly1305). A client that prefers one of these suites, or an attacker who can influence the client's offer, ends up on a weaker connection than the server could provide.

Finding

• The server is configured to use average ciphers (SEED and 128/256-bit CBC suites of AES, CAMELLIA and ARIA), which are considered legacy.

How to fix

The list of supported HTTPS cipher suites includes legacy suites. In the SSL/TLS configuration, restrict the allowed suites to AEAD suites with forward secrecy and set their order explicitly. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header prevents the browser from guessing (sniffing) the MIME type of a response instead of using the declared Content-Type. Without it, a file served with a harmless Content-Type, for example an uploaded image or text file, can be interpreted as HTML or JavaScript by the browser, turning a benign download into script execution in the site's origin.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' on every response to prevent the browser from detecting MIME types based on file content. With 'nosniff' browsers also refuse to execute scripts and stylesheets that are served with a wrong Content-Type, so make sure static resources are served with correct MIME types.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

An algorithm used in the TLS setup has severe known weaknesses. Here it is the signature algorithm of the X.509 certificate: MD5 is vulnerable to practical chosen-prefix collision attacks, which allow an attacker to construct a second certificate that carries the same signature, and current browsers reject MD5-signed certificates outright.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

The certificate has to be re-issued with a SHA-2 signature (SHA-256 or stronger); check the whole chain, because an MD5-signed intermediate certificate has the same effect. Changing cipher suites does not fix this finding, since the signature is part of the certificate itself. More details on which algorithms are considered strong can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser from which origins it may load scripts, images, stylesheets and other resources, and whether inline scripts and eval() may run. A restrictive policy limits what an injected payload can do and so mitigates many Cross-Site Scripting (XSS) and content injection attacks. It does not replace output encoding in the application.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that resources may only be loaded from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in script-src, because they re-enable exactly the inline script injection the policy is meant to prevent. A 'frame-ancestors' directive in the same policy also covers the clickjacking case addressed by X-Frame-Options.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts connections encrypted with TLS 1.0 using a cipher suite in Cipher Block Chaining (CBC) mode. TLS 1.0 reuses the last ciphertext block of the previous record as the IV of the next record, so the IV is predictable and an attacker can break the encryption with the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages the weakness in cipher block chaining (CBC) as used by TLS 1.0, which allows a man-in-the-middle attacker to decrypt parts of the traffic.

How to fix

Disable TLS 1.0 (and SSLv3) in the web server's SSL/TLS configuration, leaving TLS 1.2 (and TLS 1.3 where available), and prefer AEAD cipher suites over CBC suites. Certificates are not involved in this finding. More details on how to configure protocol versions and cipher suites can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If the header is missing, the application can be embedded in a third-party page and overlaid with invisible elements, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Frame-Options header to 'DENY' to forbid embedding entirely, or to 'SAMEORIGIN' to allow embedding only by pages of the same origin. The 'ALLOW-FROM DOMAIN' value is obsolete and ignored by current browsers; to allow specific third-party sites, use the 'frame-ancestors' directive of Content-Security-Policy instead.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports cipher suites based on 3DES and IDEA. Both have a 64-bit block size, which makes long-lived connections vulnerable to the SWEET32 birthday attack (see 2.10.17), and both are far slower than AES. Any client that still offers these suites can be served with them.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. Single-DES and IDEA suites were removed from the TLS 1.2 specification (RFC 5469); 3DES is still permitted in TLS 1.2 but vulnerable to SWEET32, and TLS 1.3 supports none of them. You should use TLS 1.2 or TLS 1.3 with AEAD suites.

How to fix

The list of supported HTTPS cipher suites includes insecure suites. In the SSL/TLS configuration, remove every 3DES, DES and IDEA suite and set the allowed suites and their order to secure values. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size (3DES, IDEA). In CBC mode a collision between two ciphertext blocks becomes likely after about 2^32 blocks, roughly 32 GB on a single connection (the birthday bound), and every collision leaks the XOR of two plaintext blocks. An attacker who can keep a connection open for a long time and inject known plaintext, for example through a malicious web page that issues many requests, can recover secrets that are sent repeatedly, such as HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 is prevented by disabling all 64-bit block ciphers (3DES, IDEA, DES) and using suites with a 128-bit block size such as AES, ideally AES-GCM or ChaCha20-Poly1305. More details on which block sizes are considered large enough can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Clients such as browsers show warnings or refuse to connect if they cannot validate the certificate. Trust issues arise if the host name is not covered by the certificate, if the certificate is self-signed, or if the chain does not lead to a certificate authority the client trusts. Users who are trained to click through such warnings cannot tell a misconfigured server from a man-in-the-middle attack.

Finding

• There is no Subject Alternative Name (SAN) defined; browsers complain about this.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The certificate does not belong to the host that presented it. Issue a certificate that lists the web application's host name in the Subject Alternative Name extension; current browsers validate only the SAN and ignore the Common Name, so a correct CN alone is not sufficient. The certificate must be signed by a certificate authority (CA) that the users' browsers trust, and the web server has to be configured to present the certificate together with any intermediate CA certificates on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL is sent in the Referer header when the user follows a link or the page loads an external resource. A missing or permissive policy may leak sensitive information contained in the URL (paths, query parameters, tokens) to third-party websites.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin': the full URL is sent only with same-origin requests, only the origin (scheme and host) is sent to other sites, and nothing is sent when the connection is downgraded from HTTPS to HTTP. 'same-origin' or 'no-referrer' are stricter alternatives if external sites never need the referrer.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts connections encrypted with SSL 3.0 using a cipher suite in Cipher Block Chaining (CBC) mode. SSL 3.0 uses predictable IVs in CBC mode, which lets an attacker break the encryption with the BEAST attack, and it does not verify the CBC padding, which is what the POODLE attack (see 2.10.22) exploits.

Finding

• BEAST SSL3: The BEAST attack leverages the weakness in cipher block chaining (CBC) as used by SSL 3.0, which allows a man-in-the-middle attacker to decrypt parts of the traffic.

How to fix

The web server offers a deprecated SSL/TLS version and needs to be reconfigured: disable SSLv3 entirely (RFC 7568 prohibits its use) and restrict the server to TLS 1.2 or later with strong cipher suites. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by JavaScript running in the page (document.cookie). If the application has a Cross-Site Scripting (XSS) flaw, the injected script can read such cookies and send them to the attacker, who can then take over the session.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly flag on every cookie that scripts do not need to read, above all the session cookie: the browser then keeps the cookie out of document.cookie but still sends it with requests. Set the Secure flag as well so the cookie is never sent over plain HTTP (see 2.10.26). This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle attacker can force a client to fall back to SSL 3.0 and then exploit the fact that SSL 3.0 does not verify the CBC padding: by replaying modified records the attacker learns one plaintext byte per 256 requests on average and can expose data from the encrypted connection, such as session cookies.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE is prevented by disabling SSLv3 on the server. TLS_FALLBACK_SCSV should be enabled in addition so that a forced downgrade is detected for clients that support the extension, but it does not protect clients that negotiate SSL 3.0 directly and is no substitute for turning SSLv3 off. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is no cipher order for HTTPS cipher suites configured, or the cipher order includes an insecure suite. Without a server-side preference, the server accepts the first suite in the client's list that it supports, so a client that lists a weak suite first is served with that weak suite even though the server supports stronger ones.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, enforced by the server, so that the strongest suite the client supports is chosen.

How to fix

In the SSL/TLS configuration, set the allowed cipher suites to secure values, order them from strongest to weakest and configure the server to honour its own order rather than the client's. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS encrypts the traffic between your web application and the user's browser to prevent eavesdropping and tampering.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256 with a 1024-bit DH group, CBC mode) could not be found in the list of cipher suites that the server advertised (matching cipher in list missing).

How to fix

Two points follow from this finding. The 1024-bit Diffie-Hellman group is too small: it is within reach of well-funded attackers (Logjam) and below the 2048-bit minimum recommended by NIST, so generate a DH group of at least 2048 bits or prefer ECDHE suites, which do not use finite-field DH parameters at all. Apart from that, the web server needs to be configured to use the newest TLS version and an explicit list of strong cipher suites in a defined order, so that what it negotiates is exactly what it advertises. More details on how to configure these settings can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not send HTTP Strict Transport Security (HSTS). HSTS instructs browsers that have seen the header to use HTTPS only for this host for the given time, which prevents downgrade attacks to an insecure HTTP connection (SSL stripping) and stops users from clicking through certificate warnings for the host.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header with a long max-age (a year or more) on every HTTPS response, and add includeSubDomains where all subdomains are served over HTTPS. Browsers only honour HSTS received over a connection with a valid, trusted certificate, so the certificate issue in 2.10.18 must be fixed first. Depending on the used certificate and web server, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over unencrypted HTTP connections. A man-in-the-middle attacker who can make the browser issue a plain HTTP request to the host, for example through an injected image link, receives the cookie in the clear and can take over the session.

Finding

• The cookie with the name PHPSESSID does not have the Secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure flag on every cookie so that the browser sends it over HTTPS only, and set HttpOnly as well so that scripts cannot read it (see 2.10.21). Depending on the cookie content, enable both flags for all cookies; this is especially important for session cookies. More details on how to set these two flags can be found in the knowledge base (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies
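The header and cookie findings in this section (2.10.11 X-Content-Type-Options, 2.10.13 Content-Security-Policy, 2.10.15 X-Frame-Options, 2.10.19 Referrer-Policy, 2.10.21 Non Httponly Cookies, 2.10.25 Missing HSTS and 2.10.26 Insecure Cookies) can all be verified from a single HTTP response. The Python script below is an added example, not part of this report or of the scanner: it parses a raw response and applies the criteria stated in the findings above to each header and cookie. The two responses are constructed to resemble the scanned host before and after remediation; the PHPSESSID value, the Date and Server headers and the exact policy values are assumptions of this example.

```python
"""Check an HTTP response for the header and cookie findings of this section.
Added example, not the scanner's code; the responses below are constructed."""
import re

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie keep their order."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def values(headers, name):
    return [v for n, v in headers if n == name]


def audit_response(raw):
    """Return the finding titles from this report that apply to the response."""
    _, headers = parse_response(raw)
    findings = []
    xcto = values(headers, "x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options Header")
    csp = values(headers, "content-security-policy")
    # 'unsafe-inline' / 'unsafe-eval' re-open the script injection the policy exists to block
    if not csp or re.search(r"'unsafe-(inline|eval)'", csp[0]):
        findings.append("Content-Security-Policy Header")
    xfo = values(headers, "x-frame-options")
    if not xfo or xfo[0].upper() not in {"DENY", "SAMEORIGIN"}:   # ALLOW-FROM is obsolete
        findings.append("X-Frame-Options Header")
    rp = values(headers, "referrer-policy")
    if not rp or rp[0].lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy Header")
    hsts = values(headers, "strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not max_age or int(max_age.group(1)) == 0:   # max-age=0 switches HSTS off again
        findings.append("Missing HSTS")
    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("Non Httponly Cookies (%s)" % name)
        if "secure" not in attrs:
            findings.append("Insecure Cookies (%s)" % name)
    return findings


# Constructed to match the report: Apache 2.4.7, PHP 5.5.9, PHPSESSID without flags,
# no security headers. Not a captured response from the scanned host.
VULNERABLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Tue, 24 Mar 2020 22:34:00 GMT",
    "Server: Apache/2.4.7 (Ubuntu)",
    "X-Powered-By: PHP/5.5.9",
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/",
    "Content-Type: text/html;charset=utf-8",
    "", "<html>...</html>"])

# The same response after the fixes recommended above (also constructed).
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options: DENY",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains",
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Type: text/html;charset=utf-8",
    "", "<html>...</html>"])

if __name__ == "__main__":
    print("as scanned:", audit_response(VULNERABLE_RESPONSE))
    print("hardened:  ", audit_response(HARDENED_RESPONSE))
```

To check a live host, feed the raw response of an HTTPS request into `audit_response`. On Apache httpd the header fixes are `Header always set` directives of mod_headers, for example `Header always set X-Content-Type-Options "nosniff"`; the flags on the PHP session cookie are controlled by `session.cookie_secure` and `session.cookie_httponly` in php.ini.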


2.11 Appendix

The CVEs listed below are matched against the detected version strings (PHP 5.5.9, Apache 2.4.7), not confirmed by testing the individual flaws. Distribution packages usually backport security fixes without changing the upstream version number, so verify each entry against the installed package's changelog before treating it as confirmed.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20 and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Apache 2.4.7

medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or built-in authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0 to 2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710 In Apache httpd 2023 to 2065 220 to 2234 and240 to 2429 mod_authnz_ldap if configured with AuthLDAPCharset-Config uses the Accept-Language header value to lookup the rightcharset encoding when verifying the userrsquos credentials If the headervalue is not present in the charset conversion table a fallback mecha-nism is used to truncate it to a two characters value to allow a quickretry (for example rsquoen-USrsquo is truncated to rsquoenrsquo) A header value of lessthan two characters forces an out of bound write of one NUL byte to amemory location that is not part of the string In the worst case quiteunlikely the process would crash which could be used as a Denial ofService attack In the more likely case this memory is already reservedfor future use and the issue has no effect at all

medium CVE-2014-3523 Memory leak in the winnt_accept function inservermpmwinntchildc in the WinNT MPM in the Apache HTTPServer 24x before 2410 on Windows when the default AcceptFilter isenabled allows remote attackers to cause a denial of service (memoryconsumption) via crafted requests

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server24x before 2410 when a reverse proxy is enabled allows remote at-tackers to cause a denial of service (child-process crash) via a craftedHTTP Connection header Per vendor advisory httphttpdapacheorgsecurityvulnerabilities_24html rdquoA flaw was found in mod_proxy in httpdversions 246 to 249rdquo

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
    • Appendix
      • PHP 5.5.9 CVE Findings
      • Apache 2.4.7 CVE Findings


2.10.10 SSL Cipherlist AVERAGE

Severity

Base Score: low (3.7/10)
Impact: low (1.4/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support "average" ciphers: SEED and the 128/256-bit CBC-mode ciphers (AES, CAMELLIA and ARIA). These suites are not broken in TLS 1.2, which is why the scanner rates them average rather than insecure, but they combine a block cipher in CBC mode with a separate HMAC instead of using authenticated encryption (AES-GCM, ChaCha20-Poly1305), and a client that negotiates one of them ends up on a weaker connection than the server could offer.

Finding

• The server is configured to use average ciphers like SEED and 128/256-bit CBC ciphers (AES, CAMELLIA and ARIA), which are deprecated.

How to fix

The list of supported HTTPS ciphers includes these weaker suites. In the SSL/TLS configuration, restrict the allowed ciphers to AEAD suites with forward secrecy and set their order so that the server, not the client, decides which one is used. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Content-Type-Options header stops the browser from MIME-sniffing a response, that is, from guessing a content type from the body and treating the response as something other than what the Content-Type header declares. This protects against attacks in which a malicious file is served under an unsuspicious MIME type (for example a user upload that is really HTML or JavaScript) and the browser would otherwise render or execute it.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content. Make sure every response also carries a correct Content-Type, since with nosniff the browser refuses to run a script or apply a stylesheet whose declared type is wrong.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the algorithms in use has severe security issues. The MD5 reported here is a signature algorithm: the hash with which the server's X.509 certificate was signed (md5WithRSAEncryption), not a cipher-suite MAC. MD5 collisions are practical and have been used to forge CA certificates, and current browsers reject MD5-signed certificates outright.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

Because this finding concerns the certificate's signature, changing the cipher list does not fix it: the certificate has to be re-issued (or, for a self-signed certificate, regenerated) with a SHA-256 or stronger signature. The same re-issue is the opportunity to add the subject alternative name that finding 2.10.18 reports as missing. More details on which cipher suites and algorithms are considered strong can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser which origins it may load further resources (scripts, images, stylesheets, frames) from, and whether inline scripts and eval() are allowed. It does not stop an injection from reaching the page, but it prevents an injected script from executing, which blunts most reflected and stored Cross-Site Scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website; an application whose own inline scripts depend on them has to move that code into external files (or use per-response nonces) before the policy can be enforced. Roll the policy out as Content-Security-Policy-Report-Only first and check the browser console for violations before switching to the enforcing header.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)
Impact: low (2.9/10)
Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is configured to allow connections encrypted with TLS 1.0 using a cipher in Cipher Block Chaining (CBC) mode. In TLS 1.0 the IV of each record is the last ciphertext block of the previous record, so it is predictable to an attacker. The BEAST attack uses this chosen-plaintext weakness, from a man-in-the-middle position combined with control over some of the victim's requests, to recover secrets such as session cookies one byte at a time.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in the cipher block chaining (CBC) mode of TLS 1.0, which allows man-in-the-middle attacks.

How to fix

Disable TLS 1.0 (and SSLv3, see 2.10.20) and use TLS 1.2 or later with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305), which have neither CBC padding nor chained IVs. The webserver also needs strong and trusted certificates and a cipher list without the suites reported in 2.10.10, 2.10.16 and 2.10.17. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks: the attacker overlays the invisible frame on a decoy page and tricks the logged-in user into clicking buttons of your application.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'DENY' to prevent the site from being embedded at all, or as 'SAMEORIGIN' to allow framing only by pages of the same origin. The older 'ALLOW-FROM DOMAIN' value is no longer supported by current browsers; to allow specific third-party sites to embed the page, use the frame-ancestors directive of Content-Security-Policy instead, which supersedes X-Frame-Options in browsers that support it.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is configured to support 3DES and IDEA cipher suites ("3DES/IDEA"). A client that negotiates one of them gets a 64-bit block cipher, which is what makes the SWEET32 attack in 2.10.17 possible, and ends up on an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. TLS 1.2 removed the DES and IDEA suites and TLS 1.3 permits only AEAD suites; 3DES (for example DES-CBC3-SHA) is still negotiable in TLS 1.2, so it has to be removed from the cipher list explicitly. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers, so an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server supports ciphers with a 64-bit block size (3DES, IDEA). With such a short block, ciphertext blocks begin to collide after about 2^32 blocks (roughly 32 GB) encrypted under one key, and each collision leaks the XOR of two plaintext blocks. By keeping a connection alive and generating enough traffic that carries the victim's cookie (for example via injected JavaScript that repeatedly requests a page), an attacker observing the data for a longer period of time can recover secure HTTP cookies. This is the SWEET32 birthday attack.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with a 128-bit block size (AES, Camellia, ARIA) or a stream cipher (ChaCha20) and removing 3DES and IDEA from the cipher list. More details on which block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or refuse to connect if they cannot validate the certificate. Trust issues arise if the name in the certificate does not match the webserver's domain, if the certificate is self-signed or issued by a CA the client does not know, or if the server sends an incomplete chain.

Finding

• There is no subject alternative name (SAN) defined; browsers complain. Current browsers ignore the Common Name entirely (Chrome since version 58) and match the host name only against the SAN extension, so a certificate without a SAN fails even when its CN is correct.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered it. To issue a trusted certificate, the certificate needs to contain the correct information for the web application: the domain name as common name and, above all, as a DNS entry in the subjectAltName extension. The certificate must be signed by a certificate authority (CA) that the users' browsers trust (a public CA for an internet-facing host, the organisation's internal CA for an internal one). Since finding 2.10.12 requires re-issuing the certificate anyway, request the new one with a SHA-256 signature and the SAN in one step. The webserver then has to be configured to present the certificate together with its intermediate chain on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header defines how much of the current URL is sent in the Referer header when the user follows a link or the page loads a resource. A misconfigured or missing header may leak sensitive information contained in the URL (path, query parameters, tokens) to the third-party websites that are visited by following a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. With this value the browser sends only your origin instead of the full URL when the user follows an external link, keeps the full Referer for same-origin links, and sends nothing at all when the connection is downgraded from HTTPS to HTTP.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver is configured to allow connections encrypted with SSL 3.0 using a cipher in Cipher Block Chaining (CBC) mode. SSL 3.0 chains record IVs exactly as TLS 1.0 does (see 2.10.14), so the same predictable-IV weakness allows an attacker to break the encryption with the BEAST attack; SSL 3.0 is additionally affected by POODLE (see 2.10.22).

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in the cipher block chaining (CBC) mode of SSL 3.0, which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL version and SSL 3.0 must be disabled entirely; no cipher choice makes it safe. In addition, the webserver needs to be configured to use strong and trusted certificates, the newest TLS versions, and strong cipher suites. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by script running in the page (document.cookie). In case of a Cross-Site Scripting (XSS) attack, the injected script can read the session cookie and send it to the attacker, who then takes over the session from their own browser.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked HttpOnly can be read by local scripts, and cookies that are not marked Secure can be transferred over an unencrypted connection (see 2.10.26). Depending on the cookie content, consider enabling both flags for all cookies; this is especially important for session cookies. For a PHP application such as DVWA, set session.cookie_httponly = 1 (and session.cookie_secure = 1) in php.ini, or call session_set_cookie_params() before session_start(). Note that HttpOnly stops cookie theft, not XSS itself: an injected script can still issue requests in the user's session. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. SSL 3.0 does not cover the CBC padding bytes with the MAC, which turns the server into a padding oracle. A man-in-the-middle first forces the downgrade by breaking TLS handshakes until the client falls back to SSL 3.0, and can then expose data of the encrypted connection, typically a session cookie, byte by byte.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by disabling SSL 3.0 on the server and using a secure TLS configuration. TLS_FALLBACK_SCSV additionally lets a client that implements it detect a forced downgrade, but it only helps such clients and is no substitute for switching SSL 3.0 off. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is no server-side cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. Without a server preference the server accepts the first suite in the client's list that it also supports, so a client (or an outdated TLS library) that lists a weak suite first gets it even though both sides support better ones.

Finding

• There is no cipher order configured. There should be a server-enforced cipher order from strongest to weakest so that clients are given the strongest suite both sides support rather than whichever weak suite they happen to list first.

How to fix

In the SSL/TLS configuration, enable server-side cipher-order preference and list the allowed ciphers from strongest to weakest, after removing the insecure suites reported in 2.10.10, 2.10.16 and 2.10.17. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC; matching cipher in list missing) could not be found in the list of ciphers that the server advertised. Two things are wrong here: the server accepts a suite it does not announce, which points to an inconsistent configuration, and the suite it accepted uses a 1024-bit finite-field Diffie-Hellman group, which is below the 2048-bit minimum and within reach of a well-resourced attacker (the Logjam class of attacks), as well as CBC mode.

How to fix

The webserver needs to be configured with one consistent set of strong cipher suites, preferring ECDHE key exchange; if finite-field DHE suites are kept, the server must use DH parameters of at least 2048 bits. In addition it needs strong and trusted certificates and the newest TLS versions. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration
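The findings 2.10.10, 2.10.14, 2.10.16, 2.10.17, 2.10.20, 2.10.22, 2.10.23 and 2.10.24 all come from one mod_ssl virtual host. The following is an added example, not configuration from the Crashtest Security report or from DVWA: a virtual host that reproduces those findings, followed by a hardened replacement. It assumes Apache 2.4 with mod_ssl, an OpenSSL build that supports TLS 1.2, and placeholder certificate paths under /etc/ssl; the host name is the one the report was run against.

```apache
# Added example (not part of the report or of DVWA). Assumed: Apache 2.4 with
# mod_ssl, OpenSSL with TLS 1.2, placeholder certificate paths.

# BEFORE: a configuration that matches what the scanner saw.
<VirtualHost *:443>
    ServerName dvwa.dev.crashtest.cloud
    SSLEngine on
    # Every protocol the OpenSSL build offers, which on older builds includes
    # SSLv3 (POODLE, 2.10.22; CBC in SSL3, 2.10.20) and TLS 1.0 (BEAST, 2.10.14).
    SSLProtocol all
    # OpenSSL's default list: still contains 3DES and IDEA (2.10.16), 64-bit
    # block ciphers (SWEET32, 2.10.17), SEED and CBC-mode AES/Camellia/ARIA
    # (2.10.10) and DHE+CBC suites such as DHE-RSA-AES256-SHA256 (2.10.24).
    SSLCipherSuite DEFAULT
    # Client preference wins, so a client that lists a weak suite first gets it (2.10.23).
    SSLHonorCipherOrder off
    SSLCertificateFile    /etc/ssl/certs/dvwa.crt
    SSLCertificateKeyFile /etc/ssl/private/dvwa.key
</VirtualHost>

# AFTER: hardened.
<VirtualHost *:443>
    ServerName dvwa.dev.crashtest.cloud
    SSLEngine on
    # TLS 1.2 only (add +TLSv1.3 on httpd 2.4.36+ with OpenSSL 1.1.1+). No SSLv3,
    # so no POODLE; no TLS 1.0 CBC, so no BEAST; no fallback path to protect.
    SSLProtocol -all +TLSv1.2
    # AEAD suites with forward secrecy only: 128-bit block cipher (AES) or a
    # stream cipher (ChaCha20), GCM/Poly1305 instead of CBC+HMAC, ECDHE instead
    # of finite-field DHE, so the 1024-bit DH group from 2.10.24 is never used.
    # Names an OpenSSL build does not know (e.g. ChaCha20 before 1.1.0) are
    # silently skipped as long as at least one suite in the list is usable.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # The server's order above is authoritative, not the client's (2.10.23).
    SSLHonorCipherOrder on
    # TLS-level compression enables CRIME; nothing here needs it.
    SSLCompression off
    # The certificate itself must be re-issued with a SHA-256 signature and a
    # subjectAltName for dvwa.dev.crashtest.cloud to clear 2.10.12 and 2.10.18;
    # no directive can fix that.
    SSLCertificateFile    /etc/ssl/certs/dvwa.crt
    SSLCertificateKeyFile /etc/ssl/private/dvwa.key
</VirtualHost>
```

Run `apachectl configtest` before reloading. After the reload, `openssl s_client -connect dvwa.dev.crashtest.cloud:443 -tls1` must fail to handshake, `openssl s_client -connect dvwa.dev.crashtest.cloud:443 -tls1_2 -cipher DES-CBC3-SHA` must be refused, and a plain `-tls1_2` connection should report one of the ECDHE GCM or ChaCha20 suites above. The directives shown are accepted by Apache 2.4.7, but that release is the reason for the Apache CVE list in the appendix; upgrade it rather than only tuning it.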


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS tells the browser to use only HTTPS for this host for a given time, which prevents downgrade attacks to an insecure HTTP connection (for example an attacker on the path answering the first plain-HTTP request before the redirect to HTTPS happens) and turns certificate errors into hard failures that cannot be clicked through.

Finding

• HSTS is not offered by the server.

How to fix

Send the Strict-Transport-Security header with a max-age of at least several months on every HTTPS response, and redirect all plain-HTTP requests to HTTPS so that the browser gets to see the header. Fix the certificate first (2.10.18): browsers only honour HSTS over a connection with a valid, trusted certificate, and once HSTS is active a certificate error locks users out instead of warning them. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent on plain http:// requests to the same host. Even though the application is served over HTTPS, a man-in-the-middle who gets the browser to request any http://dvwa.dev.crashtest.cloud/ URL (an injected link or image in another page is enough) receives the session cookie in clear text.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked Secure can be transferred over an unencrypted connection, and cookies that are not marked HttpOnly can be read by local scripts in case of a Cross-Site Scripting (XSS) attack (see 2.10.21). Depending on the cookie content, consider enabling both flags for all cookies; this is especially important for session cookies. For a PHP application such as DVWA, set session.cookie_secure = 1 and session.cookie_httponly = 1 in php.ini, or call session_set_cookie_params() before session_start(). Enabling HSTS (2.10.25) complements the Secure flag by stopping the browser from issuing the plain-HTTP request in the first place. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies
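The header findings 2.10.11, 2.10.13, 2.10.15, 2.10.19 and 2.10.25 and the cookie-flag findings 2.10.21 and 2.10.26 can all be closed in the same place. The following is an added example, not configuration from the Crashtest Security report or from DVWA: the mod_headers directives for the HTTPS virtual host plus a plain-HTTP redirect. It assumes Apache 2.4 with mod_headers loaded (`a2enmod headers` on Debian/Ubuntu), that the site is served over HTTPS only, and that DVWA loads its scripts and styles from its own origin; the CSP and the cookie regexes are this example's own choices, not values taken from the report.

```apache
# Added example (not part of the report or of DVWA). Assumed: Apache 2.4 with
# mod_headers, HTTPS-only site, scripts and styles served from the same origin.

<VirtualHost *:443>
    ServerName dvwa.dev.crashtest.cloud

    # 2.10.11: never MIME-sniff; a text/plain upload is not executed as script.
    Header always set X-Content-Type-Options "nosniff"

    # 2.10.15: forbid framing by any origin (clickjacking). ALLOW-FROM is not
    # honoured by current browsers; frame-ancestors in the CSP below is the
    # standards-based replacement and is set to the same effect.
    Header always set X-Frame-Options "DENY"

    # 2.10.19: same-origin requests keep the full referrer, cross-origin
    # requests get only the origin, an HTTPS->HTTP navigation sends nothing.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # 2.10.13: own origin only, no plugins, no framing, no <base> hijacking,
    # and no 'unsafe-inline' / 'unsafe-eval'. Deploy under
    # Content-Security-Policy-Report-Only first: any inline <script> in the
    # application is blocked by this policy, and the browser console shows
    # exactly which ones have to move into external files.
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"

    # 2.10.25: HTTPS only for this host for one year. Enable after the
    # certificate is trusted (2.10.18); with HSTS a certificate warning becomes
    # a hard failure users cannot click through.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # 2.10.21 and 2.10.26: append HttpOnly and Secure to each Set-Cookie that
    # lacks them. The case-insensitive negative lookahead keeps an existing
    # attribute from being doubled. "edit" rather than "always edit": PHP's
    # Set-Cookie lives in the normal response header table, which "always"
    # does not touch. This is defence in depth; the application-level fix for
    # PHP is session.cookie_httponly=1 and session.cookie_secure=1.
    Header edit Set-Cookie "(?i)^(?!.*; ?httponly(?:;|$))(.*)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^(?!.*; ?secure(?:;|$))(.*)$" "$1; Secure"
</VirtualHost>

# Plain HTTP: redirect to HTTPS so the browser ever receives the HSTS header.
<VirtualHost *:80>
    ServerName dvwa.dev.crashtest.cloud
    Redirect permanent "/" "https://dvwa.dev.crashtest.cloud/"
</VirtualHost>
```

Verify with `curl -sI https://dvwa.dev.crashtest.cloud/login.php` and check that all five headers are present and that the Set-Cookie line for PHPSESSID ends in `; HttpOnly; Secure`. Re-run the scan afterwards: the CSP in particular should be tightened or loosened only on the basis of the report-only violations, never by adding 'unsafe-inline' to make the console quiet.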


2.11 Appendix

The two lists below were produced by comparing the fingerprinted banner versions ("PHP 5.5.9", "Apache 2.4.7") against the CVE database, not by exploiting anything. Before treating an entry as confirmed, check whether the distribution has backported the fix while keeping the version string (PHP 5.5.9 and Apache 2.4.7 are exactly the versions Ubuntu 14.04 LTS shipped and patched for years), whether the affected module is loaded at all (several entries concern mod_lua, mod_session, mod_authnz_ldap, mod_authz_svn or the Windows MPM), and whether the triggering configuration is in use. Entries that survive those checks are real, and the fix in every case is to move to a supported httpd and PHP release.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073  Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185  sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312  In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109  mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185  The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736  In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161  In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings


2.10.11 X-Content-Type-Options Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This protects against attacks in which a malicious file is offered with an unsuspicious MIME type.

Finding

• The X-Content-Type-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The used encryption algorithm has severe security issues.

Finding

• Weak signature algorithm MD5 is used. You should use SHA-256, SHA-384 or SHA-512 instead.

How to fix

One of the used encryption algorithms has severe security issues and needs to be replaced with a newer algorithm. More details on which cipher suites have strong encryption algorithms can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted for loading further resources such as scripts, images or stylesheets. This can prevent various cross-site scripting (XSS) attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval' in order to prevent direct injections into the website.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS v1 in Cipher Block Chaining (CBC) mode. Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers ("3DES IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses short block sizes, which makes it vulnerable to hitting the same hash for multiple inputs. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining (CBC) mode. Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the Secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high    CVE-2016-4072    The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073    Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185    sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium    CVE-2018-1312    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium    CVE-2014-8109    mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium    CVE-2015-3185    The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium    CVE-2016-0736    In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium    CVE-2016-2161    In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium    CVE-2017-15715    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low    CVE-2018-1283    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium    CVE-2018-17199    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium    CVE-2019-0217    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium    CVE-2019-0220    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium    CVE-2019-10092    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium    CVE-2019-10098    In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium    CVE-2015-3184    mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium    CVE-2016-8743    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium    CVE-2017-15710    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium    CVE-2014-3523    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium    CVE-2014-0117    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSLTLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSLTLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
• Appendix
  • PHP 5.5.9 CVE Findings
  • Apache 2.4.7 CVE Findings

DVWA - 24 Mar 20 23:34 CET

2.10.12 SSL Insecure Algorithm

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

One of the cryptographic algorithms offered by the TLS endpoint has known, practical weaknesses.

Finding

• The weak signature algorithm MD5 is used. Use SHA-256, SHA-384 or SHA-512 instead.

How to fix

MD5 collisions are cheap to produce, so anything that depends on an MD5 signature has to be replaced. Check which of the two usual places it comes from: a certificate in the chain signed with md5WithRSAEncryption, which must be reissued with a SHA-256 signature (current browsers reject MD5-signed certificates outright), or a cipher suite that uses HMAC-MD5 as its record MAC, which must be removed from the server's cipher list. The knowledge base (see Recommendations) lists which cipher suites use strong algorithms.

Recommendations
https://wiki.crashtest-security.com/disable-ssl-insecure-algorithm


2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Content-Security-Policy header tells the browser which origins it may load further resources such as scripts, images or stylesheets from, and whether inline script may execute at all. A restrictive policy blunts many cross-site scripting (XSS) and content-injection attacks even where an injection point exists, because the injected script or resource is blocked from loading or running.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval': either keyword lets injected script run and gives up most of the protection. A safe starting point is default-src 'self'; object-src 'none'; frame-ancestors 'none', widened only for the origins the application genuinely needs; the same policy can be trialled with the Content-Security-Policy-Report-Only header before it is enforced.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts TLS 1.0 connections with cipher suites in Cipher Block Chaining (CBC) mode. In TLS 1.0 the initialisation vector of each record is the last ciphertext block of the previous record, so it is predictable, and an attacker who can observe the traffic and inject chosen plaintext into the victim's session (for example through a script on an attacker-controlled page that makes requests to the site) can test guesses for a secret such as the session cookie one byte at a time. This is the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack exploits the predictable IVs of CBC cipher suites in TLS 1.0; it needs a man-in-the-middle position on the network plus a way to inject chosen plaintext into the encrypted session.

How to fix

Disable TLS 1.0 (and TLS 1.1, deprecated with it by RFC 8996) and offer TLS 1.2 or later with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305), which have no CBC chaining to attack. Browsers mitigate BEAST on their side with 1/n-1 record splitting, but a server that still accepts TLS 1.0 CBC suites leaves older clients exposed. The server should also use strong, trusted certificates; the knowledge base (see Recommendations) has the configuration details.

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If the header is missing or misconfigured, the application can be embedded into third-party pages, which makes it vulnerable to clickjacking: the attacker overlays the invisible frame with decoy content and tricks the user into clicking on buttons of the real application.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set X-Frame-Options to 'DENY' to forbid framing altogether, or to 'SAMEORIGIN' to allow framing only by pages of the same origin. The 'ALLOW-FROM DOMAIN' form is not supported by current browsers (Chrome never implemented it and Firefox dropped it), so to permit specific third-party sites use the Content-Security-Policy directive frame-ancestors instead; where both headers are present, frame-ancestors takes precedence.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites based on 3DES and IDEA. A client that prefers them, or a client that only supports them, therefore ends up on a 64-bit block cipher, which is subject to the SWEET32 birthday attack described in the next finding.

Finding

• Cipher suites based on DES (Data Encryption Standard), 3DES and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. RFC 5469 removed the DES and IDEA suites from TLS 1.2, 3DES remains negotiable in TLS 1.2 unless the server excludes it explicitly, and TLS 1.3 defines only AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305), so none of these ciphers can be selected with it. Use TLS 1.2 with an explicit cipher list, or TLS 1.3.

How to fix

The list of supported HTTPS cipher suites includes insecure ciphers, so a client can end up on an insecure SSL/TLS connection. In the SSL/TLS configuration, restrict the allowed ciphers to an explicit, ordered list of strong suites and exclude the weak families by name (in OpenSSL cipher-string syntax, !3DES:!IDEA:!DES). More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server offers cipher suites with a 64-bit block size (3DES). With a 64-bit block, the birthday bound is reached after about 2^32 blocks, roughly 32 GB of data encrypted under one key, after which collisions between ciphertext blocks become likely; in CBC mode each collision reveals the XOR of two plaintext blocks. An attacker who can keep one long-lived connection busy and inject known plaintext (for example through a script that makes many requests carrying the victim's cookie) can use such collisions to recover an HTTP session cookie. This is the SWEET32 attack.

Finding

• 64-bit block ciphers are offered, which are vulnerable to the SWEET32 birthday attack. 3DES cipher suites should be disabled.

How to fix

SWEET32 is prevented by offering only cipher suites with a 128-bit block (AES) or the stream AEAD ChaCha20-Poly1305, and by disabling 3DES and IDEA (and Blowfish, where compiled in). Limiting the number of requests per connection or the lifetime of a TLS session only raises the bar and is no substitute. More details on which block sizes are considered large enough can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The X.509 certificate presented for this domain cannot be trusted. Browsers show a warning or refuse to connect when they cannot validate the certificate. Validation fails when the host name is not covered by the certificate's Subject Alternative Name (SAN) extension (current browsers no longer fall back to the Common Name), when the certificate is self-signed, or when its issuing chain does not lead to a CA the client trusts.

Finding

• There is no Subject Alternative Name defined; browsers complain.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The certificate is not consistent with the domain that served it. Issue a certificate whose SAN extension lists the exact host name (dvwa.dev.crashtest.cloud), signed by a certificate authority (CA) that users' browsers trust, and configure the web server to present that certificate together with its intermediate chain on incoming HTTPS requests. Guides on how to generate and install a trusted certificate can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The Referrer-Policy header controls how much of the current URL the browser puts into the Referer header when the user follows a link or the page loads a sub-resource. Without a policy the browser default applies; older defaults (no-referrer-when-downgrade) send the full URL, including path and query string, to third-party sites, which can leak session tokens, search terms or other sensitive data embedded in the URL.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a safe value such as 'strict-origin-when-cross-origin': same-origin requests keep the full URL, cross-origin requests carry only the origin (scheme, host and port), and nothing is sent when the connection is downgraded from HTTPS to HTTP. Use 'no-referrer' if the URL must never be shared at all.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server still accepts SSL 3.0 connections with cipher suites in Cipher Block Chaining (CBC) mode. SSL 3.0 has the same predictable-IV weakness as TLS 1.0 (BEAST) and, in addition, its CBC padding is neither covered by the MAC nor properly checked, which is what the POODLE padding-oracle attack exploits.

Finding

• BEAST SSL3: The BEAST attack exploits the predictable IVs of CBC cipher suites in SSL 3.0; it needs a man-in-the-middle position on the network plus a way to inject chosen plaintext into the encrypted session.

How to fix

The web server offers a deprecated SSL/TLS version. SSL 3.0 has been prohibited by RFC 7568 since 2015 and has no secure cipher suite at all, so the fix is to disable the protocol rather than to tune its ciphers. Offer TLS 1.2 or later with strong cipher suites and a strong, trusted certificate. More details on how to fix this problem can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by JavaScript running in the page (document.cookie). If an attacker finds a cross-site scripting (XSS) vulnerability, the injected script can read the session cookie and send it to the attacker, who then takes over the session.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the HttpOnly flag on every cookie that client-side script does not need to read, and the Secure flag on every cookie that must not travel over plain HTTP; the session cookie needs both. For PHP's session cookie this is session.cookie_httponly = 1 and session.cookie_secure = 1 in php.ini (or session_set_cookie_params() before session_start()); other cookies get the flags in their own Set-Cookie header. Note what HttpOnly does not do: an XSS payload can still drive the session from inside the victim's browser, it just cannot exfiltrate the cookie value. More details on how to set both flags can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle attacker first forces a client that still supports SSL 3.0 to fall back to it by breaking the TLS handshakes, then uses the SSL 3.0 CBC padding oracle to decrypt data such as session cookies one byte at a time, at about 256 requests per byte.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

Disable SSL 3.0 on the server; that removes the vulnerable protocol regardless of what clients support. TLS_FALLBACK_SCSV (RFC 7507) is a complement, not a substitute: it lets a client that retries with a lower protocol version signal the downgrade so that the server can reject it, but it only helps clients that send it and does nothing for a client that genuinely speaks only SSL 3.0 while the server still accepts it. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

No server-side cipher preference is configured, or the preference list includes an insecure cipher. Without a server preference the client's order decides which suite is negotiated, so any client that lists a weak suite the server also accepts ahead of a strong one ends up on the weak suite.

Finding

• There is no cipher order configured. The server should enforce its own order, strongest first, so that clients cannot pick a weaker suite the server also accepts.

How to fix

In the SSL/TLS configuration, set an explicit, ordered list of allowed cipher suites and make the server enforce it (SSLHonorCipherOrder on in Apache mod_ssl, ssl_prefer_server_ciphers on in nginx). With TLS 1.3 the suite set is fixed to AEAD suites and ordering matters less, but the setting still governs every TLS 1.2 client. More details on how to set these values can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

There is an inconsistency in the SSL/TLS configuration. SSL/TLS is responsible for encrypting the traffic between the web application and the user's browser to prevent eavesdropping and tampering.

Finding

• The cipher suite that was negotiated (DHE-RSA-AES256-SHA256, 1024-bit DH, CBC) could not be found in the list of cipher suites that the server advertised (matching cipher in list missing).

How to fix

Two details of the negotiated suite are problems on their own, independent of the list mismatch: the 1024-bit Diffie-Hellman group is below the 2048-bit minimum recommended since Logjam, and the suite is CBC rather than AEAD. Configure the server with an explicit protocol list, an explicit cipher list that the server enforces, a DH group of at least 2048 bits (on Apache 2.4.7 custom DH parameters are appended to the certificate file; SSLOpenSSLConfCmd DHParameters needs 2.4.8 or later) and a trusted certificate. Then verify the live result from the outside, for example with openssl s_client, rather than trusting the configuration file, since this finding shows the two disagreeing. More details on how to configure these settings can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration
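The protocol, cipher-list and cipher-order fixes called for in findings 2.10.14, 2.10.16, 2.10.17, 2.10.20, 2.10.22, 2.10.23 and 2.10.24 all land in the same few mod_ssl directives. The following script is an added example, not code from the Crashtest report or from DVWA: it lints an Apache mod_ssl fragment for exactly the settings the scanner complained about, and it carries two constructed fragments, a weak one resembling the 2014-era defaults the findings describe and a hardened one for the httpd 2.4.7 host in the report. The directive names are real mod_ssl directives; the certificate paths and the cipher string are assumptions about the target host, and the DH group size and the certificate's SAN are deliberately not checked, because they cannot be judged from the configuration file.

```python
"""Lint an Apache mod_ssl fragment for the TLS findings in this report.

Added example, not code from the Crashtest report or from DVWA. Both
fragments are constructed: WEAK_SSL_CONF resembles the defaults the
findings describe, STRONG_SSL_CONF is the corrected equivalent for the
httpd 2.4.7 host in the report. Certificate paths and the cipher string
are assumptions; the DH group size and the certificate's SAN cannot be
judged from the configuration file and are not checked here.
"""

# Constructed weak fragment: SSLv3 and TLS 1.0 accepted, 3DES/IDEA/RC4
# suites not excluded, and the client decides the cipher order.
WEAK_SSL_CONF = """
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

# Constructed hardened fragment for httpd 2.4.7 on OpenSSL 1.0.x.
# +TLSv1.3 only parses on httpd 2.4.36+ with OpenSSL 1.1.1, and
# SSLOpenSSLConfCmd DHParameters needs 2.4.8+, so on 2.4.7 a 2048-bit
# DH group is appended to the SSLCertificateFile instead (assumed paths).
STRONG_SSL_CONF = """
SSLEngine on
SSLCertificateFile /etc/ssl/certs/dvwa.dev.crashtest.cloud.with-dhparam.pem
SSLCertificateKeyFile /etc/ssl/private/dvwa.dev.crashtest.cloud.key
SSLCertificateChainFile /etc/ssl/certs/intermediate-ca.pem
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!IDEA:!RC4:!MD5
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
"""

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # what 'all' expands to
DEPRECATED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")  # POODLE, BEAST, RFC 8996
# Families that must be killed by name: which of HIGH/MEDIUM contains 3DES
# changed between OpenSSL 1.0.2 and 1.1.0, so only an explicit '!' is stable.
WEAK_CIPHER_TOKENS = ("aNULL", "eNULL", "EXPORT", "DES", "3DES", "IDEA", "RC4", "MD5")


def parse_directives(conf):
    """Return [(name, value)] with names lower-cased; lines starting '#' are comments."""
    directives = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def last_value(directives, name):
    """mod_ssl keeps the last occurrence of a directive within one context."""
    values = [value for key, value in directives if key == name]
    return values[-1] if values else None


def enabled_protocols(value):
    """Resolve an SSLProtocol value: bare or +name adds, -name removes, 'all' expands."""
    canonical = {name.lower(): name for name in ALL_PROTOCOLS}
    enabled = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in canonical:
            names = {canonical[name.lower()]}
        else:
            continue  # e.g. SSLv2: nothing a 2.4 build can enable, so it changes nothing
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def missing_exclusions(cipher_string):
    """Weak families that the OpenSSL cipher string does not kill with '!'."""
    excluded = {token[1:] for token in cipher_string.split(":") if token.startswith("!")}
    return [token for token in WEAK_CIPHER_TOKENS if token not in excluded]


def lint_ssl_config(conf):
    """Return the findings, in the wording of the report's TLS sections."""
    directives = parse_directives(conf)
    findings = []
    protocols = enabled_protocols(last_value(directives, "sslprotocol") or "all")
    for name in DEPRECATED_PROTOCOLS:
        if name in protocols:
            findings.append(f"{name} is enabled")
    for token in missing_exclusions(last_value(directives, "sslciphersuite") or "DEFAULT"):
        findings.append(f"SSLCipherSuite does not exclude {token} (add !{token})")
    if (last_value(directives, "sslhonorcipherorder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client picks the cipher suite")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSL_CONF), ("strong", STRONG_SSL_CONF)):
        print(f"{label}:", *(lint_ssl_config(conf) or ["no findings"]), sep="\n  ")
```

The lint keys on explicit !-exclusions rather than on what HIGH or MEDIUM expands to, so it reports "does not exclude" rather than "enables"; that is the conservative reading, since the same cipher string resolves differently on different OpenSSL releases. Unknown suite names in the hardened string are skipped by OpenSSL as long as at least one name matches, which is why it is safe to list suites an older build lacks. Confirm the live result from the outside once the change is deployed: `openssl s_client -connect dvwa.dev.crashtest.cloud:443 -servername dvwa.dev.crashtest.cloud -tls1` must fail to handshake once TLS 1.0 is off, and the same command with `-cipher 'DES-CBC3-SHA'` must fail once 3DES is off.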


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). With HSTS a browser that has visited the site once over HTTPS refuses plain HTTP for the lifetime of the policy and rewrites http:// links internally, which defeats SSL-stripping downgrade attacks and also stops users from clicking through certificate warnings.

Finding

• HSTS is not offered by the server.

How to fix

Send the header Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response (Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"). Browsers ignore the header when it arrives over plain HTTP or with an untrusted certificate, so the SSL Trust finding above has to be fixed first. Start with a short max-age until every subdomain serves valid HTTPS, because a cached policy cannot be revoked in clients that already hold it. More details on how to enable HSTS can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked Secure are also sent over plain HTTP connections. An attacker on the network path who can make the browser issue an HTTP request to the site (for example by injecting a link or image into any unencrypted page the victim visits) captures the cookie in clear text, even if the application itself only serves HTTPS.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Secure flag on every cookie of an HTTPS-only site, and the HttpOnly flag on every cookie that client-side script does not need; the session cookie needs both. For PHP's session cookie the switch is session.cookie_secure = 1 in php.ini, next to the session.cookie_httponly = 1 from finding 2.10.21. HSTS (finding 2.10.25) complements the flag by keeping the browser from sending plain HTTP requests to the site at all. More details on how to set these two settings can be found in the knowledge base (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies
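The header and cookie checks in findings 2.10.13, 2.10.15, 2.10.19, 2.10.21, 2.10.25 and 2.10.26 are the same handful of string tests on a response, and they are easiest to reason about side by side. The following script is an added example, not code from the Crashtest report or from DVWA: it audits a raw HTTP response for exactly those findings and runs over two constructed responses, one mirroring what the scanner saw and one showing the hardened reply. The cookie values, the Server banner and the response layout are made up; the header names, values and browser behaviours the checks encode are not.

```python
"""Audit an HTTP response for the header and cookie findings in this report.

Added example, not code from the Crashtest report or from DVWA. Both
responses are constructed: VULNERABLE_RESPONSE mirrors findings 2.10.13,
2.10.15, 2.10.19, 2.10.21, 2.10.25 and 2.10.26 (no CSP, X-Frame-Options,
Referrer-Policy or HSTS; PHPSESSID without HttpOnly and Secure), and
HARDENED_RESPONSE is the same page after the fixes. Cookie values and
the Server banner are made up.
"""
from email.parser import Parser

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list expects

# Constructed: roughly what the scanner saw at https://dvwa.dev.crashtest.cloud
VULNERABLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=7f1c2e3a; path=/
Set-Cookie: security=low
Content-Type: text/html; charset=UTF-8
"""

# Constructed: the same response once the headers and cookie flags are set
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: PHPSESSID=7f1c2e3a; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: security=low; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8
"""


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header message)."""
    status_line, _, header_block = raw.partition("\n")
    # RFC 822-style parsing gives case-insensitive, multi-valued header lookups
    return status_line.strip(), Parser().parsestr(header_block, headersonly=True)


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, 0 if absent."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def audit_headers(msg):
    """Findings for the four response headers the report checks."""
    findings = []
    csp = msg.get("Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy header is not set")
    else:
        # either keyword lets injected script run, which is what CSP is meant to stop
        for source in ("'unsafe-inline'", "'unsafe-eval'"):
            if source in csp:
                findings.append(f"Content-Security-Policy allows {source}")

    xfo = msg.get("X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options header is not set")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors instead
        findings.append(f"X-Frame-Options value {xfo.strip()!r} is not enforced by browsers")

    policy = msg.get("Referrer-Policy")
    if policy is None:
        findings.append("Referrer-Policy header is not set")
    elif policy.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {policy.strip()!r} sends the full URL cross-origin")

    hsts = msg.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security header is not set")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age {hsts_max_age(hsts)} is below one year")
    return findings


def audit_cookies(msg):
    """Findings for every Set-Cookie header lacking HttpOnly or Secure."""
    findings = []
    for header in msg.get_all("Set-Cookie", []):
        name_value, *attributes = [part.strip() for part in header.split(";")]
        name = name_value.split("=", 1)[0]
        flags = {attribute.split("=", 1)[0].lower() for attribute in attributes}
        for flag in ("HttpOnly", "Secure"):
            if flag.lower() not in flags:
                findings.append(f"Cookie {name} does not have the flag {flag} set")
    return findings


def audit(raw_response):
    """All findings for one raw response, header findings first."""
    _, msg = parse_response(raw_response)
    return audit_headers(msg) + audit_cookies(msg)


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:", *(audit(raw) or ["no findings"]), sep="\n  ")
```

The hardened response also carries SameSite=Lax, which the report does not score but which a session cookie should have today, and frame-ancestors 'none' in the CSP, which supersedes X-Frame-Options in browsers that implement CSP 2; keeping both headers covers older clients. To audit the live host, pass the output of `curl -sI https://dvwa.dev.crashtest.cloud/` to audit(): the parser copes with the CRLF line endings curl prints.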


2.11 Appendix

The CVE lists below are matched on the version strings the server disclosed (PHP 5.5.9, Apache httpd 2.4.7). Distribution packages regularly backport security fixes without changing that version string, so each entry should be checked against the installed package's changelog before it is treated as confirmed; the fingerprint itself, and the fact that both versions are long out of upstream support, is the finding that stands regardless.

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.


Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection

DVWA - 24 Mar 20 23:34 CET

2.10.13 Content-Security-Policy Header

Severity

Base Score: medium (6.5/10)

Impact: low (2.5/10)

Exploitability: low (3.9/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Content-Security-Policy header tells the browser which domains are whitelisted as sources for further resources such as scripts, images or stylesheets. This can mitigate various Cross-Site-Scripting (XSS) and related injection attacks.

Finding

• The Content-Security-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-inline' or 'unsafe-eval', in order to prevent direct injections into the website.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers

Crashtest Security GmbH, Leopoldstr. 21, 80802 München, Germany, https://crashtest-security.com

Page 37 of 54


2.10.14 SSL Cipher Block Chaining TLS1

Severity

Base Score: medium (4.3/10)

Impact: low (2.9/10)

Exploitability: high (8.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with TLS 1.0 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST TLS1: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.15 X-Frame-Options Header

Severity

Base Score: medium (6.5/10)

Impact: low (3.6/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.

Finding

• The X-Frame-Options header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding it on all others.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers ("3DES/IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short (64-bit) block sizes, which makes it likely that the same output block is produced for multiple inputs (a birthday collision). By observing the traffic for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. With this value the Referer header carries only your origin instead of the full path when clicking on external links, the full Referer is kept for internal links, and no Referer is sent at all when the connection is downgraded from HTTPS to HTTP.

Recommendations: https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL 3.0 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, so that clients do not end up using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS setup. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc), matching cipher in list missing) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the secure flag set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations: https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

21014 SSL Cipher Block Chaining TLS1Severity

Base Score medium (4310)

Impact low (2910)

Exploitability high (8610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with TLS V1 in Cipher Block Chain-ing Mode (CBC) Connections using this settings contain predictable information that allow anattacker to break the encryption using the BEAST attack

Finding

bull BEAST TLS1 The BEAST attack leverages weakness in the cipher block chaining (CBC)which allows man in the middle attacks

How to fixThe webserver needs to be configured to use strong and trusted certificates In addition theyneed to be configured to use the newest version of SSL and TLS as well as strong cipher suitesMore details on how to configure these certificates can be found in the knowledge database(see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 38 of 54

DVWA - 24 Mar 20 2334 CET

21015 X-Frame-Options HeaderSeverity

Base Score medium (6510)

Impact low (3610)

Exploitability low (2810)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into otherwebsites If this header is not configured correctly your application can be embedded into thirdparty websites which makes it vulnerable for clickjacking attacks

Finding

bull The X-Frame-Options header is not set for URL httpsdvwadevcrashtestcloud

How to fixConfigure the X-Frame-Options header as rsquodenyrsquo to prevent it to be embedded at all The valuesrsquosameoriginrsquo or rsquoallow-from DOMAINrsquo can be used to allow it to be embedded on certain websiteswhile forbidding embedding on other websites

Recommendationshttpswikicrashtest-securitycomenable-security-headers

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 39 of 54

DVWA - 24 Mar 20 2334 CET

21016 SSL Cipherlist 3DES IDEASeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support 3DES and IDEA Ciphers like rdquo3DESIDEArdquo This means thatan attacker can make use of an insecure SSLTLS connection

Finding

bull Cipher suits based on DES (Data Encryption Standard) and IDEA (International Data Encryp-tion Algorithm) are not recommended for general use in TLS In TLS 12 and TLS 13 DESand IDEA are removed You should use TLS 12 or TLS 13

How to fixThe list of supported HTTPS ciphers includes insecure ciphers This means that an attackercan make use of in insecure SSLTLS connection In the SSLTLS configuration the allowedciphers and their order should be set to match secure values More details on how to set thesevalues can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 40 of 54

DVWA - 24 Mar 20 2334 CET

21017 SSL SWEET32Severity

Base Score medium (5910)

Impact low (3610)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server uses short block sizes which makes it vulnerable to hit the same hash for multipleinputs By observing the data for a longer period of time an attacker can recover secure HTTPcookies

Finding

bull 64 bit block ciphers are used which are vulnerable to SWEET32 birthday attack 3DES ciphersshould be disabled

How to fixSWEET32 attacks can be prevented by using cipher suites with large block sizes More detailson what block sizes are considered large enough can be found in the knowledge database (seeRecommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-sweet32

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 41 of 54

DVWA - 24 Mar 20 2334 CET

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and to keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high    CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium  CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low     CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium  CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
    • Status for executed Scanners
    • Findings Checklist
      • FILEINCLUSION
      • FINGERPRINTING
      • PORTSCAN
      • SQLINJECTION
      • DESERIALIZATION
      • XSS
      • XXE
      • COMMANDINJECTION
      • FUZZER
      • SSLTLS
  • Findings
    • DESERIALIZATION
      • What is this
      • Insecure Deserialization
    • FILEINCLUSION
      • What is this
      • Local File Inclusion
    • FINGERPRINTING
      • What is this
      • Fingerprint Web Application Framework
      • Fingerprint Web Server
    • PORTSCAN
      • What is this
      • Portscanner
    • XSS
      • What is this
      • Cross-Site Scripting (XSS)
    • XXE
      • What is this
      • XXE
    • COMMANDINJECTION
      • What is this
      • Command Injection
    • FUZZER
      • What is this
      • Sensitive Data Exposure
    • SQLINJECTION
      • What is this
      • SQL Injection
    • SSLTLS
      • What is this
      • TLS Key Size
      • SSL RC4
      • SSL Protocol Version
      • Certificate Revocation
      • SSL LOGJAM Common Primes
      • SSL Cipherlist LOW
      • X-XSS-Protection Header
      • SSL BEAST
      • SSL Cipherlist AVERAGE
      • X-Content-Type-Options Header
      • SSL Insecure Algorithm
      • Content-Security-Policy Header
      • SSL Cipher Block Chaining TLS1
      • X-Frame-Options Header
      • SSL Cipherlist 3DES IDEA
      • SSL SWEET32
      • SSL Trust
      • Referrer-Policy Header
      • SSL Cipher Block Chaining SSL3
      • Non Httponly Cookies
      • SSL POODLE
      • SSL Cipher Order
      • TLS Configuration
      • Missing HSTS
      • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings

DVWA - 24 Mar 20 2334 CET

21015 X-Frame-Options HeaderSeverity

Base Score medium (6510)

Impact low (3610)

Exploitability low (2810)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X-Frame-Options header declares whether this site may be embedded as a frame into otherwebsites If this header is not configured correctly your application can be embedded into thirdparty websites which makes it vulnerable for clickjacking attacks

Finding

bull The X-Frame-Options header is not set for URL httpsdvwadevcrashtestcloud

How to fixConfigure the X-Frame-Options header as rsquodenyrsquo to prevent it to be embedded at all The valuesrsquosameoriginrsquo or rsquoallow-from DOMAINrsquo can be used to allow it to be embedded on certain websiteswhile forbidding embedding on other websites

Recommendationshttpswikicrashtest-securitycomenable-security-headers

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 39 of 54

DVWA - 24 Mar 20 2334 CET

21016 SSL Cipherlist 3DES IDEASeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is configured to support 3DES and IDEA Ciphers like rdquo3DESIDEArdquo This means thatan attacker can make use of an insecure SSLTLS connection

Finding

bull Cipher suits based on DES (Data Encryption Standard) and IDEA (International Data Encryp-tion Algorithm) are not recommended for general use in TLS In TLS 12 and TLS 13 DESand IDEA are removed You should use TLS 12 or TLS 13

How to fixThe list of supported HTTPS ciphers includes insecure ciphers This means that an attackercan make use of in insecure SSLTLS connection In the SSLTLS configuration the allowedciphers and their order should be set to match secure values More details on how to set thesevalues can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 40 of 54

DVWA - 24 Mar 20 2334 CET

21017 SSL SWEET32Severity

Base Score medium (5910)

Impact low (3610)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server uses short block sizes which makes it vulnerable to hit the same hash for multipleinputs By observing the data for a longer period of time an attacker can recover secure HTTPcookies

Finding

bull 64 bit block ciphers are used which are vulnerable to SWEET32 birthday attack 3DES ciphersshould be disabled

How to fixSWEET32 attacks can be prevented by using cipher suites with large block sizes More detailson what block sizes are considered large enough can be found in the knowledge database (seeRecommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-sweet32

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 41 of 54

DVWA - 24 Mar 20 2334 CET

21018 SSL TrustSeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X509 certificate issued for this domain cannot be trusted Clients such as browsers willshow warnings or not be able to connect if they cannot trust the certificate Trust issues arise ifthe common name in the certificate does not match the webserver domain or if the certificateis self-signed

Finding

bull There is no subject alt name defined Browsers are complainingbull The CN or SAN in the certificate does not match the tested URL

How to fixThe issued certificate is not consistent with the domain that delivered the certificate To issuea trusted certificate the certificate needs to contain the correct information for the web appli-cation such as the domain name as common name of the certificate The certificate must besigned by a certificate authority (CA) that the usersrsquo browser trust The webserver has then tobe configured to present the certificate on incoming https requests Guides on how to generateand use a trusted certificate can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomconfigure-trusted-certificates

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 42 of 54

DVWA - 24 Mar 20 2334 CET

21019 Referrer-Policy HeaderSeverity

Base Score medium (4310)

Impact low (1410)

Exploitability low (2810)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Referrer-Policy header defines how much information about the referrer is sent when theuser clicks on a link A misconfiguration or missing header may leak sensitive information tothird party websites that are visited by the click on a link

Finding

bull The Referrer-Policy header is not set for URL httpsdvwadevcrashtestcloud

How to fixSet the Referrer-Policy header to a secure value such as rsquostrict-origin-when-cross-originrsquo to over-write the Referer header with your domain instead of the full path when clicking on external linksand keep the Referer for internal links but only when the connection is not downgraded fromHTTPS to HTTP

Recommendationshttpswikicrashtest-securitycomenable-security-headers

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 43 of 54

DVWA - 24 Mar 20 2334 CET

21020 SSL Cipher Block Chaining SSL3Severity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with SSL V3 in Cipher Block Chain-ing Mode (CBC) Connections using this settings contain predictable information that allow anattacker to break the encryption using the BEAST attack

Finding

bull BEAST SSL3 The BEAST attack leverages weakness in the cipher block chaining (CBC)which allows man in the middle attacks

How to fixThe webserver is using a deprecated SSLTLS version and needs to be updated The webserverneeds to be configured to use strong and trusted certificates In addition they need to be config-ured to use the newest version of SSL and TLS as well as strong cipher suites More details onhow to configure these certificates can be found in the knowledge database (see Recommen-dations)More details on how to fix this problem can be found in the knowledge database (seeRecommendations)

Recommendationshttpswikicrashtest-securitycomdisable-deprecated-ssl-protocol-versions

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 44 of 54

DVWA - 24 Mar 20 2334 CET

21021 Non Httponly CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attack an attacker is able to read these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag httponly set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 45 of 54

DVWA - 24 Mar 20 2334 CET

21022 SSL POODLESeverity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable for POODLE (Padding Oracle On Downgraded Legacy Encryption) at-tacks With the Man-In-The-Middle attack using the SSL 30 Fallback an attacker can exposedata of encrypted connections

Finding

bull The detected SSL version is vulnerable to SSL POODLE

How to fixPOODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a se-cure TLS configuration is used More details on how to enable TLS_FALLBACK_SCSV and whichconfigurations are secure can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-poodle

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 46 of 54

DVWA - 24 Mar 20 2334 CET

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest, so that clients are steered to the strongest mutually supported cipher instead of a weaker one.

How to fix

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that was negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high    CVE-2016-4072    The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high    CVE-2016-4073    Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high    CVE-2014-0185    sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium    CVE-2018-1312    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium    CVE-2014-8109    mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium    CVE-2015-3185    The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium    CVE-2016-0736    In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium    CVE-2016-2161    In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium    CVE-2017-15715    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low    CVE-2018-1283    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium    CVE-2018-17199    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium    CVE-2019-0217    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium    CVE-2019-0220    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('//'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium    CVE-2019-10092    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium    CVE-2019-10098    In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium    CVE-2015-3184    mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium    CVE-2016-8743    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium    CVE-2017-15710    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium    CVE-2014-3523    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium    CVE-2014-0117    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2.10.16 SSL Cipherlist 3DES IDEA

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is configured to support 3DES and IDEA ciphers (such as "3DES/IDEA"). This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• Cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) are not recommended for general use in TLS. In TLS 1.2 and TLS 1.3, DES and IDEA are removed. You should use TLS 1.2 or TLS 1.3.

How to fix

The list of supported HTTPS ciphers includes insecure ciphers. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)
Impact: low (3.6/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it vulnerable to collisions, where multiple inputs produce the same output block. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32


2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)
Impact: medium (5.2/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the full Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)
Impact: low (1.4/10)
Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a cross-site scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 45 of 54

DVWA - 24 Mar 20 2334 CET

21022 SSL POODLESeverity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable for POODLE (Padding Oracle On Downgraded Legacy Encryption) at-tacks With the Man-In-The-Middle attack using the SSL 30 Fallback an attacker can exposedata of encrypted connections

Finding

bull The detected SSL version is vulnerable to SSL POODLE

How to fixPOODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a se-cure TLS configuration is used More details on how to enable TLS_FALLBACK_SCSV and whichconfigurations are secure can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-poodle

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 46 of 54

DVWA - 24 Mar 20 2334 CET

21023 SSL Cipher OrderSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of an insecure SSLTLS connection

Finding

bull There is no cipher order configured There should be a cipher order from strongest to weak-est to prevent clients from using weaker ciphers before trying stronger ones first

How to fixThere is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of in insecure SSLTLS connection In the SSLTLSconfiguration the allowed ciphers and their order should be set to match secure values Moredetails on how to set these values can be found in the knowledge database (see Recommenda-tions)

Recommendationshttpswikicrashtest-securitycomconfigure-ssl-cipher-order

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 47 of 54

DVWA - 24 Mar 20 2334 CET

21024 TLS ConfigurationSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is a misconfiguration with your SSLTLS configuration SSLTLS is responsible for en-crypting traffic between your web application and a userrsquos browser to prevent eavesdropping

Finding

bull The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching ci-pher in list missing)) could not be found in the list of ciphers that the server advertised

How to fixThe webserver needs to be configured to use strong and trusted certificates In addition theyneed to be configured to use the newest version of SSL and TLS as well as strong cipher suitesMore details on how to configure these certificates can be found in the knowledge database(see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 48 of 54

DVWA - 24 Mar 20 2334 CET

21025 Missing HSTSSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections which prevents downgrade attacks to an insecure HTTP connection

Finding

bull HSTS is not offered by the server

How to fixThe webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections This prevents downgrade attacks to an insecure HTTP connection Dependingon the used SSL certificate and the webserver certain configurations have to be changed Moredetails on how to enable HSTS can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-hsts

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 49 of 54

DVWA - 24 Mar 20 2334 CET

21026 Insecure CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag secure set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 50 of 54

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2112 Apache 247 CVE Findings

Apache 247

medium CVE-2018-1312 In Apache httpd 220 to 2429 when generating anHTTP Digest authentication challenge the nonce sent to prevent replyattacks was not correctly generated using a pseudo-random seed In acluster of servers using a common Digest authentication configurationHTTP requests could be replayed across servers by an attacker withoutdetection

medium CVE-2014-8109 mod_luac in the mod_lua module in the Apache HTTPServer 23x and 24x through 2410 does not support an httpd configu-ration in which the same Lua authorization provider is used with differentarguments within different contexts which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging multiple Require directives as demonstrated by a configura-tion that specifies authorization for one group to access a certain direc-tory and authorization for a second group to access a second directory

medium CVE-2015-3185 The ap_some_auth_required function in serverre-questc in the Apache HTTP Server 24x before 2414 does not considerthat a Require directive may be associated with an authorization settingrather than an authentication setting which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging the presence of a module that relies on the 22 API behavior

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Page 52 of 54

Apache 2.4.7

medium CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665


2.10.17 SSL SWEET32

Severity

Base Score: medium (5.9/10)

Impact: low (3.6/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server uses ciphers with short block sizes, which makes it vulnerable to collisions where multiple inputs produce the same output. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

Finding

• 64-bit block ciphers are used, which are vulnerable to the SWEET32 birthday attack. 3DES ciphers should be disabled.

How to fix

SWEET32 attacks can be prevented by using cipher suites with large block sizes. More details on what block sizes are considered large enough can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-sweet32

Page 41 of 54

2.10.18 SSL Trust

Severity

Base Score: high (7.4/10)

Impact: medium (5.2/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Trust issues arise if the common name in the certificate does not match the webserver domain or if the certificate is self-signed.

Finding

• There is no subject alt name defined. Browsers are complaining.
• The CN or SAN in the certificate does not match the tested URL.

How to fix

The issued certificate is not consistent with the domain that delivered the certificate. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as the common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The webserver then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates

Page 42 of 54

2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfiguration or missing header may leak sensitive information to third-party websites that are visited by the click on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links, and keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers

Page 43 of 54

2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining (CBC) mode. Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The webserver is using a deprecated SSL/TLS version and needs to be updated. The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions

Page 44 of 54

2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag httponly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

Page 45 of 54

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

Page 46 of 54

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

Page 47 of 54

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

Page 48 of 54

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

Page 49 of 54

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

Page 50 of 54

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.



DVWA - 24 Mar 20 2334 CET

21018 SSL TrustSeverity

Base Score high (7410)

Impact medium (5210)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The X509 certificate issued for this domain cannot be trusted Clients such as browsers willshow warnings or not be able to connect if they cannot trust the certificate Trust issues arise ifthe common name in the certificate does not match the webserver domain or if the certificateis self-signed

Finding

bull There is no subject alt name defined Browsers are complainingbull The CN or SAN in the certificate does not match the tested URL

How to fix

The issued certificate is not consistent with the domain that delivered it. To issue a trusted certificate, the certificate needs to contain the correct information for the web application, such as the domain name as the common name of the certificate. The certificate must be signed by a certificate authority (CA) that the users' browsers trust. The web server then has to be configured to present the certificate on incoming HTTPS requests. Guides on how to generate and use a trusted certificate can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-trusted-certificates


2.10.19 Referrer-Policy Header

Severity

Base Score: medium (4.3/10)

Impact: low (1.4/10)

Exploitability: low (2.8/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.

Finding

• The Referrer-Policy header is not set for URL https://dvwa.dev.crashtest.cloud/

How to fix

Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This overwrites the Referer header with your domain instead of the full path when clicking on external links, and keeps the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.

Recommendations

https://wiki.crashtest-security.com/enable-security-headers


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The web server is configured to allow connections encrypted with SSL v3 in Cipher Block Chaining mode (CBC). Connections using these settings contain predictable information that allows an attacker to break the encryption using the BEAST attack.

Finding

• BEAST SSL3: The BEAST attack leverages a weakness in cipher block chaining (CBC) which allows man-in-the-middle attacks.

How to fix

The web server is using a deprecated SSL/TLS version and needs to be updated. The web server needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest SSL/TLS version as well as strong cipher suites. More details on how to configure these certificates and how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non HttpOnly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as HttpOnly can be read by local scripts. In the case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag HttpOnly set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection; a man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts; in the case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order set for HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The web server needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest SSL/TLS version as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The web server does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the web server in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as Secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag Secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as Secure can be transferred via an unencrypted connection; a man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as HttpOnly can be read by local scripts; in the case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both flags for all cookies. This is especially important for session cookies. More details on how to set these two flags can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high  CVE-2016-4072  The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high  CVE-2016-4073  Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high  CVE-2014-0185  sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium  CVE-2018-1312  In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium  CVE-2014-8109  mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium  CVE-2015-3185  The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium  CVE-2016-0736  In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium  CVE-2016-2161  In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium  CVE-2017-15715  In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low  CVE-2018-1283  In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium  CVE-2018-17199  In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium  CVE-2019-0217  In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium  CVE-2019-0220  A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium  CVE-2019-10092  In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium  CVE-2019-10098  In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium  CVE-2015-3184  mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium  CVE-2016-8743  Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium  CVE-2017-15710  In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium  CVE-2014-3523  Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium  CVE-2014-0117  The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9."


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US

Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

21019 Referrer-Policy HeaderSeverity

Base Score medium (4310)

Impact low (1410)

Exploitability low (2810)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The Referrer-Policy header defines how much information about the referrer is sent when theuser clicks on a link A misconfiguration or missing header may leak sensitive information tothird party websites that are visited by the click on a link

Finding

bull The Referrer-Policy header is not set for URL httpsdvwadevcrashtestcloud

How to fixSet the Referrer-Policy header to a secure value such as rsquostrict-origin-when-cross-originrsquo to over-write the Referer header with your domain instead of the full path when clicking on external linksand keep the Referer for internal links but only when the connection is not downgraded fromHTTPS to HTTP

Recommendationshttpswikicrashtest-securitycomenable-security-headers

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 43 of 54

DVWA - 24 Mar 20 2334 CET

21020 SSL Cipher Block Chaining SSL3Severity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver is configured to allow connections encrypted with SSL V3 in Cipher Block Chain-ing Mode (CBC) Connections using this settings contain predictable information that allow anattacker to break the encryption using the BEAST attack

Finding

bull BEAST SSL3 The BEAST attack leverages weakness in the cipher block chaining (CBC)which allows man in the middle attacks

How to fixThe webserver is using a deprecated SSLTLS version and needs to be updated The webserverneeds to be configured to use strong and trusted certificates In addition they need to be config-ured to use the newest version of SSL and TLS as well as strong cipher suites More details onhow to configure these certificates can be found in the knowledge database (see Recommen-dations)More details on how to fix this problem can be found in the knowledge database (seeRecommendations)

Recommendationshttpswikicrashtest-securitycomdisable-deprecated-ssl-protocol-versions

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 44 of 54

DVWA - 24 Mar 20 2334 CET

21021 Non Httponly CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attack an attacker is able to read these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag httponly set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 45 of 54

DVWA - 24 Mar 20 2334 CET

21022 SSL POODLESeverity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable for POODLE (Padding Oracle On Downgraded Legacy Encryption) at-tacks With the Man-In-The-Middle attack using the SSL 30 Fallback an attacker can exposedata of encrypted connections

Finding

bull The detected SSL version is vulnerable to SSL POODLE

How to fixPOODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a se-cure TLS configuration is used More details on how to enable TLS_FALLBACK_SCSV and whichconfigurations are secure can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-poodle

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 46 of 54

DVWA - 24 Mar 20 2334 CET

21023 SSL Cipher OrderSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of an insecure SSLTLS connection

Finding

bull There is no cipher order configured There should be a cipher order from strongest to weak-est to prevent clients from using weaker ciphers before trying stronger ones first

How to fixThere is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of in insecure SSLTLS connection In the SSLTLSconfiguration the allowed ciphers and their order should be set to match secure values Moredetails on how to set these values can be found in the knowledge database (see Recommenda-tions)

Recommendationshttpswikicrashtest-securitycomconfigure-ssl-cipher-order

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 47 of 54

DVWA - 24 Mar 20 2334 CET

21024 TLS ConfigurationSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is a misconfiguration with your SSLTLS configuration SSLTLS is responsible for en-crypting traffic between your web application and a userrsquos browser to prevent eavesdropping

Finding

bull The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching ci-pher in list missing)) could not be found in the list of ciphers that the server advertised

How to fixThe webserver needs to be configured to use strong and trusted certificates In addition theyneed to be configured to use the newest version of SSL and TLS as well as strong cipher suitesMore details on how to configure these certificates can be found in the knowledge database(see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 48 of 54

DVWA - 24 Mar 20 2334 CET

21025 Missing HSTSSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections which prevents downgrade attacks to an insecure HTTP connection

Finding

bull HSTS is not offered by the server

How to fixThe webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections This prevents downgrade attacks to an insecure HTTP connection Dependingon the used SSL certificate and the webserver certain configurations have to be changed Moredetails on how to enable HSTS can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-hsts

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 49 of 54

DVWA - 24 Mar 20 2334 CET

21026 Insecure CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag secure set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 50 of 54

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium    CVE-2018-1312    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium    CVE-2014-8109    mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium    CVE-2015-3185    The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium    CVE-2016-0736    In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium    CVE-2016-2161    In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium    CVE-2017-15715    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low       CVE-2018-1283    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium    CVE-2018-17199    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium    CVE-2019-0217    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium    CVE-2019-0220    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium    CVE-2019-10092    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium    CVE-2019-10098    In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium    CVE-2015-3184    mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium    CVE-2016-8743    Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium    CVE-2017-15710    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium    CVE-2014-3523    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium    CVE-2014-0117    The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory (http://httpd.apache.org/security/vulnerabilities_24.html): "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".
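The PHP and Apache entries above were produced by comparing the fingerprinted versions (PHP 5.5.9, Apache 2.4.7) with the affected version ranges in each CVE description. The following added example, which is not the scanner's code, shows that comparison for a handful of the entries above and adds the check a practitioner wants before acting on such a list: PHP 5.5.9 and Apache 2.4.7 are exactly the versions Ubuntu 14.04 shipped, and distributions backport security fixes without changing the upstream version number, so a banner match is a lead to confirm against the vendor's changelog or by probing the behaviour, not proof of vulnerability. The Subversion entry (CVE-2015-3184) illustrates the same limit from the other side: it only applies if mod_authz_svn is loaded, which no version banner can tell. The range table is transcribed from the appendix entries; the banner strings and helper names are this example's own.

```python
"""Version-range CVE matching as used for the appendix, plus the vendor-build caveat.
Added example; the range table is transcribed from the appendix entries, the banners
and helper names are this example's own."""
import re
from typing import Dict, List, Optional, Tuple

# (cve, product, first affected version inclusive, first fixed version exclusive).
# NVD's "5.5.x before 5.5.34" is the interval [5.5.0, 5.5.34); "2.4.0 to 2.4.29" is [2.4.0, 2.4.30).
AFFECTED = [
    ("CVE-2016-4072", "php", "5.5.0", "5.5.34"),
    ("CVE-2016-4073", "php", "5.5.0", "5.5.34"),
    ("CVE-2014-0185", "php", "5.5.0", "5.5.12"),
    ("CVE-2018-1312", "apache", "2.4.0", "2.4.30"),
    ("CVE-2014-0117", "apache", "2.4.6", "2.4.10"),
    ("CVE-2019-10092", "apache", "2.4.0", "2.4.40"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.5.9-1ubuntu4.29' -> (5, 5, 9): only the upstream part is compared."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))


def in_range(version: str, lower: str, upper_exclusive: str) -> bool:
    return parse_version(lower) <= parse_version(version) < parse_version(upper_exclusive)


def match_cves(product: str, version: str) -> List[str]:
    """CVE ids from AFFECTED whose range contains the given upstream version."""
    return [cve for cve, prod, lo, hi in AFFECTED if prod == product and in_range(version, lo, hi)]


def version_from_banner(header_value: str) -> Optional[Tuple[str, str]]:
    """(product, version) from a Server or X-Powered-By header value, or None."""
    m = re.search(r"\b(Apache|PHP)/(\d+(?:\.\d+)*(?:-[\w.~+]+)?)", header_value)
    return (m.group(1).lower(), m.group(2)) if m else None


def assess_banner(header_value: str) -> Dict[str, object]:
    parsed = version_from_banner(header_value)
    if parsed is None:
        return {"product": None, "version": None, "cves": [], "vendor_build": False}
    product, version = parsed
    # A distro revision suffix (-1ubuntu4.29) or OS tag ((Ubuntu), (Debian)) marks a vendor
    # build: the vendor backports fixes without bumping the upstream version, so every match
    # below is a lead to verify against the vendor changelog, not a confirmed vulnerability.
    vendor_build = "-" in version or re.search(r"\((Ubuntu|Debian|Red Hat|CentOS)\)", header_value) is not None
    return {"product": product, "version": version, "cves": match_cves(product, version),
            "vendor_build": vendor_build}


if __name__ == "__main__":
    for banner in ("Apache/2.4.7 (Ubuntu)", "PHP/5.5.9-1ubuntu4.29", "Apache/2.4.41"):
        print(banner, "->", assess_banner(banner))
```

Run against the two banners a DVWA host on Ubuntu 14.04 would send and every listed CVE matches, but with vendor_build set; the same PHP 5.5.9 from the distribution package may already carry the fix for CVE-2016-4072, which is why a scanner report of this kind lists such entries as "findings" for the reader to confirm rather than as exploited issues.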


Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

• Overview
  • Vulnerability Overview
  • Scanner Overview
  • Status for executed Scanners
  • Findings Checklist
    • FILEINCLUSION
    • FINGERPRINTING
    • PORTSCAN
    • SQLINJECTION
    • DESERIALIZATION
    • XSS
    • XXE
    • COMMANDINJECTION
    • FUZZER
    • SSL/TLS
• Findings
  • DESERIALIZATION
    • What is this
    • Insecure Deserialization
  • FILEINCLUSION
    • What is this
    • Local File Inclusion
  • FINGERPRINTING
    • What is this
    • Fingerprint Web Application Framework
    • Fingerprint Web Server
  • PORTSCAN
    • What is this
    • Portscanner
  • XSS
    • What is this
    • Cross-Site Scripting (XSS)
  • XXE
    • What is this
    • XXE
  • COMMANDINJECTION
    • What is this
    • Command Injection
  • FUZZER
    • What is this
    • Sensitive Data Exposure
  • SQLINJECTION
    • What is this
    • SQL Injection
  • SSL/TLS
    • What is this
    • TLS Key Size
    • SSL RC4
    • SSL Protocol Version
    • Certificate Revocation
    • SSL LOGJAM Common Primes
    • SSL Cipherlist LOW
    • X-XSS-Protection Header
    • SSL BEAST
    • SSL Cipherlist AVERAGE
    • X-Content-Type-Options Header
    • SSL Insecure Algorithm
    • Content-Security-Policy Header
    • SSL Cipher Block Chaining TLS1
    • X-Frame-Options Header
    • SSL Cipherlist 3DES IDEA
    • SSL SWEET32
    • SSL Trust
    • Referrer-Policy Header
    • SSL Cipher Block Chaining SSL3
    • Non Httponly Cookies
    • SSL POODLE
    • SSL Cipher Order
    • TLS Configuration
    • Missing HSTS
    • Insecure Cookies
  • Appendix
    • PHP 5.5.9 CVE Findings
    • Apache 2.4.7 CVE Findings


2.10.20 SSL Cipher Block Chaining SSL3

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server accepts connections over SSL 3.0 using cipher suites in Cipher Block Chaining (CBC) mode. In SSL 3.0 and TLS 1.0 the initialization vector of each CBC record is the last ciphertext block of the previous record and is therefore predictable; the BEAST attack exploits this to recover plaintext such as session cookies.

Finding

• BEAST SSL3: the BEAST attack leverages the predictable IV chaining of CBC-mode cipher suites in SSL 3.0 and TLS 1.0. A man-in-the-middle who can also make the victim's browser send chosen plaintext can decrypt secrets byte by byte.

How to fix
The web server still offers a deprecated protocol version. Disable SSL 3.0 (and SSL 2.0, TLS 1.0 and TLS 1.1 where your clients allow it) and offer TLS 1.2 or newer with strong cipher suites, preferring AEAD suites such as AES-GCM or ChaCha20-Poly1305 over CBC ones. Use strong, trusted certificates. More details on how to fix this problem can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/disable-deprecated-ssl-protocol-versions


2.10.21 Non Httponly Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Cookies that are not marked HttpOnly can be read by client-side script running in the page, for example through document.cookie. In a Cross-Site Scripting (XSS) attack the injected script can therefore read these cookies and send them to the attacker.

Finding

• The cookie named PHPSESSID does not have the HttpOnly flag set. This may leak sensitive information. Found on URL https://dvwa.dev.crashtest.cloud/

How to fix
Cookies that are not marked Secure are also transmitted over unencrypted connections, so a man-in-the-middle who can trigger or observe a single http:// request to the host obtains them. Cookies that are not marked HttpOnly can be read by client-side script through document.cookie, so any Cross-Site Scripting (XSS) bug discloses them. Set both attributes on every cookie whose content is sensitive; for session cookies such as PHPSESSID this is essential, because the cookie is the session. More details on how to set these two attributes can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-secure-cookies


2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption). A man-in-the-middle attacker first forces the client to fall back to SSL 3.0 and then abuses the protocol's weak CBC padding check, which validates only the last padding byte, as a padding oracle to decrypt parts of the connection, typically session cookies.

Finding

• The detected SSL version (SSL 3.0) is vulnerable to POODLE.

How to fix
The reliable fix is to disable SSL 3.0 on the server altogether. Enabling TLS_FALLBACK_SCSV (RFC 7507) additionally prevents the protocol downgrade for clients that support the signalling suite, but it does not protect clients that only speak SSL 3.0, so it complements rather than replaces removing the protocol. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/prevent-ssl-poodle


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

No preferred cipher order is configured for HTTPS, or the configured order includes an insecure cipher. A client that offers a weak cipher suite alongside strong ones may then be given the weak one, and an attacker in the middle can exploit the resulting weaker connection.

Finding

• No cipher order is configured. The server should enforce its own order from strongest to weakest, so that clients which support several suites are steered to the strongest one instead of the first one they happen to list.

How to fix
In the SSL/TLS configuration, restrict the allowed cipher suites to secure values, order them from strongest to weakest, and configure the server to honour its own order rather than the client's preference. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

Your SSL/TLS configuration is inconsistent. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping, and that protection is only as strong as the parameters actually negotiated.

Finding

• The cipher suite that was negotiated, DHE-RSA-AES256-SHA256 with a 1024-bit DH group (CBC mode), could not be found in the list of ciphers that the server advertised (matching cipher in list missing).

How to fix
Configure the web server to use strong, trusted certificates, only current protocol versions (TLS 1.2 or newer) and strong cipher suites, and make sure the cipher list it advertises is the one it actually negotiates from. For DHE suites the Diffie-Hellman group should be at least 2048 bits; the 1024-bit group seen here is too small. More details on how to configure this can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/secure-tls-configuration
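Findings 2.10.23 and 2.10.24 both come down to what the server advertises and negotiates: an ordered cipher list, the protocol versions still enabled, and here a 1024-bit DH group behind DHE-RSA-AES256-SHA256. The following added example, which is not the scanner's code, scores such a server-side configuration the way a scanner reasons about it (forward-secret AEAD suites rank highest, CBC suites lower, RC4, 3DES, export and anonymous suites are rejected outright), flags a list that is not ordered strongest to weakest, checks the DH group size, and reports a negotiated suite that was not advertised. Cipher names are in OpenSSL notation; the two sample configurations at the bottom are constructed for the example and are not the scan's data.

```python
"""Score an advertised cipher-suite order and protocol set the way the Cipher Order and
TLS Configuration findings reason about them. Added example, not the scanner's code; cipher
names are OpenSSL notation and the sample configurations below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = {"RC4", "DES", "CBC3", "NULL", "MD5", "ADH", "AECDH", "IDEA", "SEED"}
AEAD_TOKENS = {"GCM", "CHACHA20", "CCM", "CCM8"}
MIN_DH_BITS = 2048  # 1024-bit DH groups are within reach of well-funded attackers (Logjam)


def score(suite: str) -> int:
    """Rank a suite: -1 weak, 0 RSA key exchange with CBC, 1 forward-secret CBC,
    2 RSA key exchange with AEAD, 3 forward-secret AEAD. TLS 1.3 suites (TLS_...) are
    always forward secret and AEAD."""
    tokens = re.split(r"[-_]", suite)
    if any(t in WEAK_TOKENS or t.startswith("EXP") for t in tokens):
        return -1
    forward_secret = tokens[0] in ("ECDHE", "DHE", "TLS")
    aead = any(t in AEAD_TOKENS for t in tokens)
    return (2 if aead else 0) + (1 if forward_secret else 0)


def order_inversions(suites: List[str]) -> List[Tuple[str, str]]:
    """Adjacent pairs (earlier, later) where the later suite outranks the earlier one: a
    server that honours its own order hands a client supporting both the weaker suite."""
    return [(a, b) for a, b in zip(suites, suites[1:]) if score(b) > score(a)]


def evaluate(protocols: List[str], suites: List[str], dh_bits: Optional[int] = None,
             negotiated: Optional[str] = None) -> Dict[str, object]:
    """Collect the findings a scanner would raise for this server-side configuration."""
    return {
        "deprecated_protocols": sorted(p for p in protocols if p in DEPRECATED_PROTOCOLS),
        "weak_suites": [s for s in suites if score(s) < 0],
        "order_inversions": order_inversions(suites),
        "small_dh_group": dh_bits is not None and dh_bits < MIN_DH_BITS,
        # the TLS Configuration finding: the suite actually negotiated was not advertised
        "negotiated_not_advertised": negotiated is not None and negotiated not in suites,
    }


def is_acceptable(report: Dict[str, object]) -> bool:
    return not (report["deprecated_protocols"] or report["weak_suites"]
                or report["order_inversions"] or report["small_dh_group"]
                or report["negotiated_not_advertised"])


# Constructed sample: the shape of an unmaintained 2014-era default (weak suites, no order,
# deprecated protocols, 1024-bit DH), versus a hardened configuration.
LEGACY = evaluate(
    protocols=["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    suites=["AES256-SHA", "DHE-RSA-AES256-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
    dh_bits=1024,
    negotiated="DHE-RSA-AES256-SHA256",
)
HARDENED = evaluate(
    protocols=["TLSv1.2", "TLSv1.3"],
    suites=["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"],
    dh_bits=2048,
    negotiated="ECDHE-RSA-AES128-GCM-SHA256",
)

if __name__ == "__main__":
    for name, rep in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, "OK" if is_acceptable(rep) else rep)
```

In Apache httpd the corresponding directives are SSLProtocol (drop SSLv3, TLSv1 and TLSv1.1), SSLCipherSuite for the list itself, SSLHonorCipherOrder on so that the server's order wins over the client's, and, for DHE suites, a 2048-bit or larger DH group: via SSLOpenSSLConfCmd DHParameters on httpd 2.4.8 with OpenSSL 1.0.2 or later, or by appending the parameters to the SSLCertificateFile on older builds. Re-running the evaluation against the suites and protocols a live server actually advertises is the verification step.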


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring System (CVSS) v3.

Description

The web server does not send HTTP Strict Transport Security (HSTS). HSTS instructs browsers that have visited the site over HTTPS to use HTTPS only for the configured period, which prevents downgrade attacks to an insecure HTTP connection, including SSL-stripping proxies.

Finding

• HSTS is not offered by the server.

How to fix
Add the Strict-Transport-Security response header to every HTTPS response. Depending on the certificate setup and the web server, specific configuration changes are needed; browsers only honour the header when it arrives over a valid HTTPS connection. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts
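Findings 2.10.21, 2.10.25 and 2.10.26 (the HttpOnly and Secure cookie flags and the HSTS header) are all decided from the response headers of a single HTTPS request. The following added example, which is not the scanner's code, performs those three checks on a constructed response modelled on a DVWA login page: it lists cookies missing either flag, notes the SameSite attribute as well, and parses the HSTS header for a max-age of at least one year. The cookie value and the helper names are this example's own.

```python
"""Audit Set-Cookie and Strict-Transport-Security headers of a captured HTTPS response the way
findings 2.10.21, 2.10.25 and 2.10.26 do. Added example, not the scanner's code; the response
below is constructed to resemble a DVWA login page and the cookie value is made up."""
import re
from email.parser import Parser
from typing import Dict, List, Optional

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=constructed0123456789abcdef; path=/\r\n"
    "Set-Cookie: security=low; path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000  # the usual minimum max-age, and what the browser preload list requires


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Name and the attributes that matter for transport and script access. Attribute names
    are case-insensitive; Secure and HttpOnly take no value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite"),  # None when absent; browsers then default to Lax
    }


def audit_hsts(value: Optional[str]) -> Dict[str, object]:
    """Parse an HSTS header value (RFC 6797): max-age is mandatory, includeSubDomains optional."""
    if value is None:
        return {"present": False, "max_age": None, "include_subdomains": False, "long_enough": False}
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return {
        "present": True,
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "long_enough": max_age is not None and max_age >= ONE_YEAR,
    }


def audit_response(raw: str) -> Dict[str, object]:
    """Split a raw HTTP response into status line and headers and run both audits."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return {
        "status": status_line,
        "cookies": [audit_cookie(v) for v in headers.get_all("Set-Cookie", [])],
        "hsts": audit_hsts(headers.get("Strict-Transport-Security")),
    }


def insecure_cookies(report: Dict[str, object]) -> List[str]:
    """Names of cookies missing Secure or HttpOnly: what findings 2.10.21 and 2.10.26 list."""
    return [c["name"] for c in report["cookies"] if not (c["secure"] and c["httponly"])]


if __name__ == "__main__":
    rep = audit_response(RAW_RESPONSE)
    print("insecure cookies:", insecure_cookies(rep))
    print("hsts:", rep["hsts"])
```

The remediation these findings ask for is configuration rather than code. For a PHP application such as DVWA, set session.cookie_secure = 1 and session.cookie_httponly = 1 in php.ini (or call session_set_cookie_params before session_start), and in the HTTPS virtual host add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains". Send the HSTS header only from the HTTPS host, and start with a short max-age until every subdomain is known to work over TLS, because a browser that has seen the header refuses plain HTTP to that origin for the whole period. Re-running the audit against the live response confirms the fix.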

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 49 of 54

DVWA - 24 Mar 20 2334 CET

21026 Insecure CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag secure set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 50 of 54

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2112 Apache 247 CVE Findings

Apache 247

medium CVE-2018-1312 In Apache httpd 220 to 2429 when generating anHTTP Digest authentication challenge the nonce sent to prevent replyattacks was not correctly generated using a pseudo-random seed In acluster of servers using a common Digest authentication configurationHTTP requests could be replayed across servers by an attacker withoutdetection

medium CVE-2014-8109 mod_luac in the mod_lua module in the Apache HTTPServer 23x and 24x through 2410 does not support an httpd configu-ration in which the same Lua authorization provider is used with differentarguments within different contexts which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging multiple Require directives as demonstrated by a configura-tion that specifies authorization for one group to access a certain direc-tory and authorization for a second group to access a second directory

medium CVE-2015-3185 The ap_some_auth_required function in serverre-questc in the Apache HTTP Server 24x before 2414 does not considerthat a Require directive may be associated with an authorization settingrather than an authentication setting which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging the presence of a module that relies on the 22 API behavior

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217 In Apache HTTP Server 24 release 2438 and priora race condition in mod_auth_digest when running in a threaded servercould allow a user with valid credentials to authenticate using anotherusername bypassing configured access control restrictions

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 240to 2438 When the path component of a request URL contains mul-tiple consecutive slashes (rsquorsquo) directives such as LocationMatch andRewriteRule must account for duplicates in regular expressions whileother aspects of the servers processing will implicitly collapse them

medium CVE-2019-10092 In Apache HTTP Server 240-2439 a limited cross-site scripting issue was reported affecting the mod_proxy error pageAn attacker could cause the link on the error page to be malformed andinstead point to a page of their choice This would only be exploitablewhere a server was set up with proxying enabled but was misconfiguredin such a way that the Proxy Error page was displayed

medium CVE-2019-10098 In Apache HTTP server 240 to 2439 Redirects con-figured with mod_rewrite that were intended to be self-referential mightbe fooled by encoded newlines and redirect instead to an unexpectedURL within the request URL

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710 In Apache httpd 2023 to 2065 220 to 2234 and240 to 2429 mod_authnz_ldap if configured with AuthLDAPCharset-Config uses the Accept-Language header value to lookup the rightcharset encoding when verifying the userrsquos credentials If the headervalue is not present in the charset conversion table a fallback mecha-nism is used to truncate it to a two characters value to allow a quickretry (for example rsquoen-USrsquo is truncated to rsquoenrsquo) A header value of lessthan two characters forces an out of bound write of one NUL byte to amemory location that is not part of the string In the worst case quiteunlikely the process would crash which could be used as a Denial ofService attack In the more likely case this memory is already reservedfor future use and the issue has no effect at all

medium CVE-2014-3523 Memory leak in the winnt_accept function inservermpmwinntchildc in the WinNT MPM in the Apache HTTPServer 24x before 2410 on Windows when the default AcceptFilter isenabled allows remote attackers to cause a denial of service (memoryconsumption) via crafted requests

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server24x before 2410 when a reverse proxy is enabled allows remote at-tackers to cause a denial of service (child-process crash) via a craftedHTTP Connection header Per vendor advisory httphttpdapacheorgsecurityvulnerabilities_24html rdquoA flaw was found in mod_proxy in httpdversions 246 to 249rdquo

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

21021 Non Httponly CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attack an attacker is able to read these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag httponly set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

2.10.22 SSL POODLE

Severity

Base Score: low (3.1/10)

Impact: low (1.4/10)

Exploitability: low (1.6/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The server is vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. With a man-in-the-middle attack using the SSL 3.0 fallback, an attacker can expose data of encrypted connections.

Finding

• The detected SSL version is vulnerable to SSL POODLE.

How to fix

POODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a secure TLS configuration is used. More details on how to enable TLS_FALLBACK_SCSV and which configurations are secure can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/prevent-ssl-poodle

2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration with your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration

2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts

2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies

2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072 The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185 sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312 In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

medium CVE-2016-0736 In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161 In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715 In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

medium CVE-2019-10092 In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098 In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

medium CVE-2015-3184 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710 In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523 Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

21022 SSL POODLESeverity

Base Score low (3110)

Impact low (1410)

Exploitability low (1610)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The server is vulnerable for POODLE (Padding Oracle On Downgraded Legacy Encryption) at-tacks With the Man-In-The-Middle attack using the SSL 30 Fallback an attacker can exposedata of encrypted connections

Finding

bull The detected SSL version is vulnerable to SSL POODLE

How to fixPOODLE attacks can be prevented by ensuring that TLS_FALLBACK_SCSV is enabled and a se-cure TLS configuration is used More details on how to enable TLS_FALLBACK_SCSV and whichconfigurations are secure can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomprevent-ssl-poodle

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 46 of 54

DVWA - 24 Mar 20 2334 CET

21023 SSL Cipher OrderSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of an insecure SSLTLS connection

Finding

bull There is no cipher order configured There should be a cipher order from strongest to weak-est to prevent clients from using weaker ciphers before trying stronger ones first

How to fixThere is no cipher order for HTTPS ciphers set or the cipher order includes an insecure cipherThis means that an attacker can make use of in insecure SSLTLS connection In the SSLTLSconfiguration the allowed ciphers and their order should be set to match secure values Moredetails on how to set these values can be found in the knowledge database (see Recommenda-tions)

Recommendationshttpswikicrashtest-securitycomconfigure-ssl-cipher-order

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 47 of 54

DVWA - 24 Mar 20 2334 CET

21024 TLS ConfigurationSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is a misconfiguration with your SSLTLS configuration SSLTLS is responsible for en-crypting traffic between your web application and a userrsquos browser to prevent eavesdropping

Finding

bull The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching ci-pher in list missing)) could not be found in the list of ciphers that the server advertised

How to fixThe webserver needs to be configured to use strong and trusted certificates In addition theyneed to be configured to use the newest version of SSL and TLS as well as strong cipher suitesMore details on how to configure these certificates can be found in the knowledge database(see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 48 of 54

DVWA - 24 Mar 20 2334 CET

21025 Missing HSTSSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections which prevents downgrade attacks to an insecure HTTP connection

Finding

bull HSTS is not offered by the server

How to fixThe webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections This prevents downgrade attacks to an insecure HTTP connection Dependingon the used SSL certificate and the webserver certain configurations have to be changed Moredetails on how to enable HSTS can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-hsts

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 49 of 54

DVWA - 24 Mar 20 2334 CET

21026 Insecure CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag secure set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 50 of 54

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2112 Apache 247 CVE Findings

Apache 247

medium CVE-2018-1312 In Apache httpd 220 to 2429 when generating anHTTP Digest authentication challenge the nonce sent to prevent replyattacks was not correctly generated using a pseudo-random seed In acluster of servers using a common Digest authentication configurationHTTP requests could be replayed across servers by an attacker withoutdetection

medium CVE-2014-8109 mod_luac in the mod_lua module in the Apache HTTPServer 23x and 24x through 2410 does not support an httpd configu-ration in which the same Lua authorization provider is used with differentarguments within different contexts which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging multiple Require directives as demonstrated by a configura-tion that specifies authorization for one group to access a certain direc-tory and authorization for a second group to access a second directory

medium CVE-2015-3185 The ap_some_auth_required function in serverre-questc in the Apache HTTP Server 24x before 2414 does not considerthat a Require directive may be associated with an authorization settingrather than an authentication setting which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging the presence of a module that relies on the 22 API behavior

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217 In Apache HTTP Server 24 release 2438 and priora race condition in mod_auth_digest when running in a threaded servercould allow a user with valid credentials to authenticate using anotherusername bypassing configured access control restrictions

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 240to 2438 When the path component of a request URL contains mul-tiple consecutive slashes (rsquorsquo) directives such as LocationMatch andRewriteRule must account for duplicates in regular expressions whileother aspects of the servers processing will implicitly collapse them

medium CVE-2019-10092 In Apache HTTP Server 240-2439 a limited cross-site scripting issue was reported affecting the mod_proxy error pageAn attacker could cause the link on the error page to be malformed andinstead point to a page of their choice This would only be exploitablewhere a server was set up with proxying enabled but was misconfiguredin such a way that the Proxy Error page was displayed

medium CVE-2019-10098 In Apache HTTP server 240 to 2439 Redirects con-figured with mod_rewrite that were intended to be self-referential mightbe fooled by encoded newlines and redirect instead to an unexpectedURL within the request URL

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710 In Apache httpd 2023 to 2065 220 to 2234 and240 to 2429 mod_authnz_ldap if configured with AuthLDAPCharset-Config uses the Accept-Language header value to lookup the rightcharset encoding when verifying the userrsquos credentials If the headervalue is not present in the charset conversion table a fallback mecha-nism is used to truncate it to a two characters value to allow a quickretry (for example rsquoen-USrsquo is truncated to rsquoenrsquo) A header value of lessthan two characters forces an out of bound write of one NUL byte to amemory location that is not part of the string In the worst case quiteunlikely the process would crash which could be used as a Denial ofService attack In the more likely case this memory is already reservedfor future use and the issue has no effect at all

medium CVE-2014-3523 Memory leak in the winnt_accept function inservermpmwinntchildc in the WinNT MPM in the Apache HTTPServer 24x before 2410 on Windows when the default AcceptFilter isenabled allows remote attackers to cause a denial of service (memoryconsumption) via crafted requests

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server24x before 2410 when a reverse proxy is enabled allows remote at-tackers to cause a denial of service (child-process crash) via a craftedHTTP Connection header Per vendor advisory httphttpdapacheorgsecurityvulnerabilities_24html rdquoA flaw was found in mod_proxy in httpdversions 246 to 249rdquo

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665


2.10.23 SSL Cipher Order

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.

Finding

• There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.

How to fix

There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/configure-ssl-cipher-order


2.10.24 TLS Configuration

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

There is a misconfiguration in your SSL/TLS configuration. SSL/TLS is responsible for encrypting traffic between your web application and a user's browser to prevent eavesdropping.

Finding

• The cipher that got negotiated (DHE-RSA-AES256-SHA256, 1024 bit DH (cbc) (matching cipher in list missing)) could not be found in the list of ciphers that the server advertised.

How to fix

The webserver needs to be configured to use strong and trusted certificates. In addition, it needs to be configured to use the newest version of SSL and TLS as well as strong cipher suites. More details on how to configure these certificates can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/secure-tls-configuration


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configuration settings have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, consider enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high - CVE-2016-4072: The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high - CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high - CVE-2014-0185: sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium - CVE-2018-1312: In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium - CVE-2014-8109: mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium - CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium - CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium - CVE-2016-2161: In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium - CVE-2017-15715: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low - CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium - CVE-2018-17199: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium - CVE-2019-0217: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium - CVE-2019-0220: A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium - CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium - CVE-2019-10098: In Apache HTTP server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium - CVE-2015-3184: mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium - CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium - CVE-2017-15710: In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium - CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium - CVE-2014-0117: The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665

  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

21024 TLS ConfigurationSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

There is a misconfiguration with your SSLTLS configuration SSLTLS is responsible for en-crypting traffic between your web application and a userrsquos browser to prevent eavesdropping

Finding

bull The cipher that got negotiated (DHE-RSA-AES256-SHA256 1024 bit DH (cbc) (matching ci-pher in list missing)) could not be found in the list of ciphers that the server advertised

How to fixThe webserver needs to be configured to use strong and trusted certificates In addition theyneed to be configured to use the newest version of SSL and TLS as well as strong cipher suitesMore details on how to configure these certificates can be found in the knowledge database(see Recommendations)

Recommendationshttpswikicrashtest-securitycomsecure-tls-configuration

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 48 of 54

DVWA - 24 Mar 20 2334 CET

21025 Missing HSTSSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

The webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections which prevents downgrade attacks to an insecure HTTP connection

Finding

bull HSTS is not offered by the server

How to fixThe webserver does not offer HTTP Strict Transport Security (HSTS) HSTS enforces HTTPSconnections This prevents downgrade attacks to an insecure HTTP connection Dependingon the used SSL certificate and the webserver certain configurations have to be changed Moredetails on how to enable HSTS can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-hsts

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 49 of 54

DVWA - 24 Mar 20 2334 CET

21026 Insecure CookiesSeverity

Base Score medium (4810)

Impact low (2510)

Exploitability low (2210)

All values are based on the Common Vulnerability Scoring Schema v3

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies

Finding

bull The cookie with the name PHPSESSID does not have the flag secure set This may leaksensitive information This was found on URL httpsdvwadevcrashtestcloud

How to fixCookies that are not marked as secure can be transferred via an unencrypted connection Aman-in-the-middle attack can be used to get the contents of these cookies Cookies that are notmarked as http-only can be read by local scripts In case of an Cross-Site-Scripting (XSS) attackan attacker is able to read these cookies Depending on the cookie content think of enablingboth settings for all cookies This is especially important for session cookies More details onhow to set these two settings can be found in the knowledge database (see Recommendations)

Recommendationshttpswikicrashtest-securitycomenable-secure-cookies

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 50 of 54

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2112 Apache 247 CVE Findings

Apache 247

medium CVE-2018-1312 In Apache httpd 220 to 2429 when generating anHTTP Digest authentication challenge the nonce sent to prevent replyattacks was not correctly generated using a pseudo-random seed In acluster of servers using a common Digest authentication configurationHTTP requests could be replayed across servers by an attacker withoutdetection

medium CVE-2014-8109 mod_luac in the mod_lua module in the Apache HTTPServer 23x and 24x through 2410 does not support an httpd configu-ration in which the same Lua authorization provider is used with differentarguments within different contexts which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging multiple Require directives as demonstrated by a configura-tion that specifies authorization for one group to access a certain direc-tory and authorization for a second group to access a second directory

medium CVE-2015-3185 The ap_some_auth_required function in serverre-questc in the Apache HTTP Server 24x before 2414 does not considerthat a Require directive may be associated with an authorization settingrather than an authentication setting which allows remote attackers tobypass intended access restrictions in opportunistic circumstances byleveraging the presence of a module that relies on the 22 API behavior

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 51 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2016-0736 In Apache HTTP Server versions 240 to 2423

mod_session_crypto was encrypting its datacookie using the con-figured ciphers with possibly either CBC or ECB modes of operation(AES256-CBC by default) hence no selectable or builtin authenticatedencryption This made it vulnerable to padding oracle attacks particu-larly with CBC

medium CVE-2016-2161 In Apache HTTP Server versions 240 to 2423 mali-cious input to mod_auth_digest can cause the server to crash and eachinstance continues to crash even for subsequently valid requests

medium CVE-2017-15715 In Apache httpd 240 to 2429 the expression speci-fied in ltFilesMatchgt could match rsquo$rsquo to a newline character in a maliciousfilename rather than matching only the end of the filename This couldbe exploited in environments where uploads of some files are are exter-nally blocked but only by matching the trailing portion of the filename

low CVE-2018-1283 In Apache httpd 240 to 2429 when mod_session isconfigured to forward its session data to CGI applications (SessionEnvon not the default) a remote user may influence their content by us-ing a rdquoSessionrdquo header This comes from the rdquoHTTP_SESSIONrdquo variablename used by mod_session to forward its data to CGIs since the prefixrdquoHTTP_rdquo is also used by the Apache HTTP Server to pass HTTP headerfields per CGI specifications

medium CVE-2018-17199 In Apache HTTP Server 24 release 2437 andprior mod_session checks the session expiry time before decod-ing the session This causes session expiry time to be ignored formod_session_cookie sessions since the expiry time is loaded when thesession is decoded

medium CVE-2019-0217 In Apache HTTP Server 24 release 2438 and priora race condition in mod_auth_digest when running in a threaded servercould allow a user with valid credentials to authenticate using anotherusername bypassing configured access control restrictions

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 240to 2438 When the path component of a request URL contains mul-tiple consecutive slashes (rsquorsquo) directives such as LocationMatch andRewriteRule must account for duplicates in regular expressions whileother aspects of the servers processing will implicitly collapse them

medium CVE-2019-10092 In Apache HTTP Server 240-2439 a limited cross-site scripting issue was reported affecting the mod_proxy error pageAn attacker could cause the link on the error page to be malformed andinstead point to a page of their choice This would only be exploitablewhere a server was set up with proxying enabled but was misconfiguredin such a way that the Proxy Error page was displayed

medium CVE-2019-10098 In Apache HTTP server 240 to 2439 Redirects con-figured with mod_rewrite that were intended to be self-referential mightbe fooled by encoded newlines and redirect instead to an unexpectedURL within the request URL

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 52 of 54

DVWA - 24 Mar 20 2334 CET

Apache 247medium CVE-2015-3184 mod_authz_svn in Apache Subversion 17x before

1721 and 18x before 1814 when using Apache httpd 24x does notproperly restrict anonymous access which allows remote anonymoususers to read hidden files via the path name

medium CVE-2016-8743 Apache HTTP Server in all releases prior to 2232 and2425 was liberal in the whitespace accepted from requests and sent inresponse lines and headers Accepting these different behaviors repre-sented a security concern when httpd participates in any chain of proxiesor interacts with back-end application servers either through mod_proxyor using conventional CGI mechanisms and may result in request smug-gling response splitting and cache pollution

medium CVE-2017-15710 In Apache httpd 2023 to 2065 220 to 2234 and240 to 2429 mod_authnz_ldap if configured with AuthLDAPCharset-Config uses the Accept-Language header value to lookup the rightcharset encoding when verifying the userrsquos credentials If the headervalue is not present in the charset conversion table a fallback mecha-nism is used to truncate it to a two characters value to allow a quickretry (for example rsquoen-USrsquo is truncated to rsquoenrsquo) A header value of lessthan two characters forces an out of bound write of one NUL byte to amemory location that is not part of the string In the worst case quiteunlikely the process would crash which could be used as a Denial ofService attack In the more likely case this memory is already reservedfor future use and the issue has no effect at all

medium CVE-2014-3523 Memory leak in the winnt_accept function inservermpmwinntchildc in the WinNT MPM in the Apache HTTPServer 24x before 2410 on Windows when the default AcceptFilter isenabled allows remote attackers to cause a denial of service (memoryconsumption) via crafted requests

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server24x before 2410 when a reverse proxy is enabled allows remote at-tackers to cause a denial of service (child-process crash) via a craftedHTTP Connection header Per vendor advisory httphttpdapacheorgsecurityvulnerabilities_24html rdquoA flaw was found in mod_proxy in httpdversions 246 to 249rdquo

Crashtest Security GmbHLeopoldstr 21 80802 Muumlnchen Germanyhttpscrashtest-securitycom

Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base

CONTACT USCrashtest Security GmbHLeopoldstr 2180802 Muumlnchen+49 (0) 89 215 41 665


2.10.25 Missing HSTS

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding

• HSTS is not offered by the server.

How to fix

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-hsts


2.10.26 Insecure Cookies

Severity

Base Score: medium (4.8/10)

Impact: low (2.5/10)

Exploitability: low (2.2/10)

All values are based on the Common Vulnerability Scoring Schema v3.

Description

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies.

Finding

• The cookie with the name PHPSESSID does not have the flag secure set. This may leak sensitive information. This was found on URL https://dvwa.dev.crashtest.cloud/

How to fix

Cookies that are not marked as secure can be transferred via an unencrypted connection. A man-in-the-middle attack can be used to get the contents of these cookies. Cookies that are not marked as http-only can be read by local scripts. In case of a Cross-Site-Scripting (XSS) attack, an attacker is able to read these cookies. Depending on the cookie content, think of enabling both settings for all cookies. This is especially important for session cookies. More details on how to set these two settings can be found in the knowledge database (see Recommendations).

Recommendations

https://wiki.crashtest-security.com/enable-secure-cookies


2.11 Appendix

2.11.1 PHP 5.5.9 CVE Findings

PHP 5.5.9

high CVE-2016-4072 The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of characters by the phar_analyze_path function in ext/phar/phar.c.

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

high CVE-2014-0185 sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312 In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

medium CVE-2015-3185 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


medium CVE-2016-0736 In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161 In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715 In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092 In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098 In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.


medium CVE-2015-3184 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710 In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.



  • Overview
    • Vulnerability Overview
    • Scanner Overview
      • Status for executed Scanners
        • Findings Checklist
          • FILEINCLUSION
          • FINGERPRINTING
          • PORTSCAN
          • SQLINJECTION
          • DESERIALIZATION
          • XSS
          • XXE
          • COMMANDINJECTION
          • FUZZER
          • SSLTLS
              • Findings
                • DESERIALIZATION
                  • What is this
                  • Insecure Deserialization
                    • FILEINCLUSION
                      • What is this
                      • Local File Inclusion
                        • FINGERPRINTING
                          • What is this
                          • Fingerprint Web Application Framework
                          • Fingerprint Web Server
                            • PORTSCAN
                              • What is this
                              • Portscanner
                                • XSS
                                  • What is this
                                  • Cross-Site Scripting (XSS)
                                    • XXE
                                      • What is this
                                      • XXE
                                        • COMMANDINJECTION
                                          • What is this
                                          • Command Injection
                                            • FUZZER
                                              • What is this
                                              • Sensitive Data Exposure
                                                • SQLINJECTION
                                                  • What is this
                                                  • SQL Injection
                                                    • SSLTLS
                                                      • What is this
                                                      • TLS Key Size
                                                      • SSL RC4
                                                      • SSL Protocol Version
                                                      • Certificate Revocation
                                                      • SSL LOGJAM Common Primes
                                                      • SSL Cipherlist LOW
                                                      • X-XSS-Protection Header
                                                      • SSL BEAST
                                                      • SSL Cipherlist AVERAGE
                                                      • X-Content-Type-Options Header
                                                      • SSL Insecure Algorithm
                                                      • Content-Security-Policy Header
                                                      • SSL Cipher Block Chaining TLS1
                                                      • X-Frame-Options Header
                                                      • SSL Cipherlist 3DES IDEA
                                                      • SSL SWEET32
                                                      • SSL Trust
                                                      • Referrer-Policy Header
                                                      • SSL Cipher Block Chaining SSL3
                                                      • Non Httponly Cookies
                                                      • SSL POODLE
                                                      • SSL Cipher Order
                                                      • TLS Configuration
                                                      • Missing HSTS
                                                      • Insecure Cookies
                                                        • Appendix
                                                          • PHP 559 CVE Findings
                                                          • Apache 247 CVE Findings

DVWA - 24 Mar 20 2334 CET

211 Appendix

2111 PHP 559 CVE Findings

PHP 559

high CVE-2016-4072 The Phar extension in PHP before 5534 56x before5620 and 7x before 705 allows remote attackers to execute arbitrarycode via a crafted filename as demonstrated by mishandling of char-acters by the phar_analyze_path function in extpharpharc

high CVE-2016-4073 Multiple integer overflows in the mbfl_strcut functionin extmbstringlibmbflmbflmbfilterc in PHP before 5534 56x be-fore 5620 and 7x before 705 allow remote attackers to cause a de-nial of service (application crash) or possibly execute arbitrary code viaa crafted mb_strcut call

high CVE-2014-0185 sapifpmfpmfpm_unixc in the FastCGI ProcessManager (FPM) in PHP before 5428 and 55x before 5512 uses 0666permissions for the UNIX socket which allows local users to gain privi-leges via a crafted FastCGI client

2.11.2 Apache 2.4.7 CVE Findings

Apache 2.4.7

medium CVE-2018-1312 In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

medium CVE-2014-8109 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory and authorization for a second group to access a second directory.

medium CVE-2015-3185 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.


Page 51 of 54


medium CVE-2016-0736 In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

medium CVE-2016-2161 In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

medium CVE-2017-15715 In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

low CVE-2018-1283 In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

medium CVE-2018-17199 In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded.

medium CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

medium CVE-2019-0220 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.

medium CVE-2019-10092 In Apache HTTP Server 2.4.0 to 2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

medium CVE-2019-10098 In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
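Two of the httpd entries above share one root cause: the regular expression in the configuration sees the raw filename or path while the server acts on a normalised one. In CVE-2017-15715 the '$' anchor also matches just before a trailing newline, and in CVE-2019-0220 the regex sees repeated slashes that the server collapses. The following Python example is added for this edit and is neither httpd's code nor the report's; it models a FilesMatch handler rule and a LocationMatch deny rule on constructed filenames and paths, and shows the anchor and the normalisation that close the gap. Python's re treats '$' the way PCRE does by default, so the behaviour carries over; function names and sample inputs are my own.

```python
import re

# Constructed sample inputs for this example (not taken from the report).
UPLOAD_NAMES = ["avatar.png", "shell.php", "shell.php\n"]
REQUEST_PATHS = ["/admin/panel", "//admin/panel", "/admin//panel"]


def php_handler_matches(filename: str, anchor: str = "$") -> bool:
    """Model of a <FilesMatch "\\.php<anchor>"> rule selecting the PHP handler.

    With '$', Python's re (like PCRE in httpd) also matches just before a
    trailing newline, so 'shell.php\\n' is handed to the handler although
    it does not end in '.php' (the CVE-2017-15715 pattern). With '\\Z'
    (PCRE: '\\z') only the true end of the name matches.
    """
    return re.search(r"\.php" + anchor, filename) is not None


def upload_name_is_safe(filename: str) -> bool:
    """Upload-side filter: reject control characters (newline included) and
    any name that still ends in .php once trailing whitespace is removed."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    return re.search(r"\.php\Z", filename.rstrip(), re.IGNORECASE) is None


def collapse_slashes(path: str) -> str:
    """Mimic the server's implicit collapsing of repeated '/' in a path."""
    return re.sub(r"/{2,}", "/", path)


def admin_rule_denies(path: str, normalize: bool) -> bool:
    """Model of a <LocationMatch "^/admin/"> deny rule.

    Without normalising first, '//admin/panel' is not caught by the regex
    even though the server serves it as /admin/panel (CVE-2019-0220).
    """
    if normalize:
        path = collapse_slashes(path)
    return re.match(r"^/admin/", path) is not None


def audit_uploads(names=UPLOAD_NAMES) -> dict:
    """name -> (matched by '$' rule, matched by '\\Z' rule, passes upload filter)."""
    return {
        n: (php_handler_matches(n, "$"), php_handler_matches(n, r"\Z"), upload_name_is_safe(n))
        for n in names
    }


def audit_paths(paths=REQUEST_PATHS) -> dict:
    """path -> (denied without normalisation, denied with normalisation)."""
    return {p: (admin_rule_denies(p, False), admin_rule_denies(p, True)) for p in paths}


if __name__ == "__main__":
    for name, flags in audit_uploads().items():
        print(repr(name), flags)
    for path, flags in audit_paths().items():
        print(path, flags)
```

The upload filter rejects control characters outright rather than relying on the anchor, because a name such as 'shell.php\n' is never legitimate; the path check normalises before matching, which is what the CVE-2019-0220 entry asks of LocationMatch and RewriteRule expressions.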


Page 52 of 54


medium CVE-2015-3184 mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before 1.8.14, when using Apache httpd 2.4.x, does not properly restrict anonymous access, which allows remote anonymous users to read hidden files via the path name.

medium CVE-2016-8743 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

medium CVE-2017-15710 In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34 and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial of service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

medium CVE-2014-3523 Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

medium CVE-2014-0117 The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. Per vendor advisory http://httpd.apache.org/security/vulnerabilities_24.html: "A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9".
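For the request-smuggling concern in CVE-2016-8743 above, the following Python example (added for this edit; it is neither httpd's parser nor the report's tooling) contrasts an RFC 7230-strict request-line parser with a lenient one modelled on the behaviour the entry describes, on constructed request lines. Wherever the two disagree, two hops in a proxy chain can see different requests, which is the precondition for the smuggling and cache pollution the entry names. The lenient parser is my approximation, not httpd's code.

```python
import re

# RFC 7230 request-line: method SP request-target SP HTTP-version CRLF.
# Exactly one SP between fields, no other whitespace, CRLF terminator.
_STRICT = re.compile(
    rb"\A([!#$%&'*+\-.^_`|~0-9A-Za-z]+) "   # method: an RFC 7230 token
    rb"([^\x00-\x20\x7f]+) "                # target: no whitespace or controls
    rb"(HTTP/[0-9]\.[0-9])\r\n"             # version, then CRLF
)


def parse_strict(raw: bytes):
    """Return (method, target, version) or None if the line is not RFC-clean."""
    m = _STRICT.match(raw)
    return m.groups() if m else None


def parse_lenient(raw: bytes):
    """Model of the pre-2.4.25 leniency described in CVE-2016-8743 (my own
    approximation, not httpd's code): any run of SP/HTAB/VT/FF/CR separates
    fields and a bare LF terminates the line."""
    line = raw.split(b"\n", 1)[0]
    parts = re.split(rb"[ \t\x0b\x0c\r]+", line.strip(b" \t\x0b\x0c\r"))
    return tuple(parts) if len(parts) == 3 else None


def parsers_disagree(raw: bytes) -> bool:
    """True when a strict hop (e.g. a front proxy) rejects, or reads, the line
    differently from a lenient hop behind it."""
    return parse_strict(raw) != parse_lenient(raw)


# Constructed sample request lines (not captured traffic).
SAMPLES = {
    b"GET /index.html HTTP/1.1\r\n": "clean",
    b"GET\t/index.html\tHTTP/1.1\r\n": "tabs as separators",
    b"GET /index.html HTTP/1.1\n": "bare LF terminator",
    b"GET  /index.html HTTP/1.1\r\n": "double SP",
}


def audit(samples=SAMPLES) -> dict:
    """label -> whether the strict and lenient parsers disagree on that line."""
    return {label: parsers_disagree(raw) for raw, label in samples.items()}


if __name__ == "__main__":
    for label, differs in audit().items():
        print(f"{label:22s} parsers disagree: {differs}")
```

Only the clean line is read identically by both parsers; the other three are exactly the inputs a lenient back end accepts while a strict front end either rejects them or, worse, frames them differently, so a fixed httpd (2.4.25 or later) rejecting them is the correct behaviour rather than a regression.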


Page 53 of 54

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real time and supports the remediation through an integrated knowledge base.

CONTACT US
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665






