'
:version: 0.3.5
:shortname: csrf
:vector:
:class: Arachni::Element::Form
:type: :form
:url: http://testhtml5.vulnweb.com/
:source: |-
First Name
Last Name
Email Address
Subject
Choose One:
General Customer Service
Suggestions
Product Support
Message
Send
:inputs:
message: ''
firstName: ''
lastName: ''
address: ''
subject: na
butonul: ''
:default_inputs:
message: ''
firstName: ''
lastName: ''
address: ''
subject: na
butonul: ''
:action: http://testhtml5.vulnweb.com/contact
:method: :post
:affected_input_name:
:page:
:dom:
:url: http://testhtml5.vulnweb.com/#/contact
:transitions:
- :element: :page
:event: :load
:options:
:url: http://testhtml5.vulnweb.com/
:cookies: {}
:time: 1.063490473
- :element: http://testhtml5.vulnweb.com/
:event: :request
:options: {}
:time: 0.000726783
- :element: http://bxss.s3.amazonaws.com/ad.js
:event: :request
:options: {}
:time: 0.526492435
- :element: http://testhtml5.vulnweb.com/ajax/popular?offset=0
:event: :request
:options: {}
:time: 0.226042078
- :element:
:tag_name: :a
:attributes:
href: "#/contact"
data-arachni-id: "-1678787584"
:event: :click
:options: {}
:time: 1.172838548
:digest:
:data_flow_sinks: []
:execution_flow_sinks: []
:referring_page:
:dom:
:url: http://testhtml5.vulnweb.com/#/contact
:transitions:
- :element: :page
:event: :load
:options:
:url: http://testhtml5.vulnweb.com/
:cookies: {}
:time: 1.063490473
- :element: http://testhtml5.vulnweb.com/
:event: :request
:options: {}
:time: 0.000726783
- :element: http://bxss.s3.amazonaws.com/ad.js
:event: :request
:options: {}
:time: 0.526492435
- :element: http://testhtml5.vulnweb.com/ajax/popular?offset=0
:event: :request
:options: {}
:time: 0.226042078
- :element:
:tag_name: :a
:attributes:
href: "#/contact"
data-arachni-id: "-1678787584"
:event: :click
:options: {}
:time: 1.172838548
:digest:
:data_flow_sinks: []
:execution_flow_sinks: []
:remarks: {}
:trusted: true
:proof: |-
First Name
Last Name
Email Address
Subject
Choose One:
General Customer Service
Suggestions
Product Support
Message
Send
:cwe_url: http://cwe.mitre.org/data/definitions/352.html
:digest: 889065924
:response:
:url: http://testhtml5.vulnweb.com/
:code: 200
:ip_address: 176.28.50.165
:headers:
Server: nginx/1.4.1
Date: Thu, 01 Oct 2015 14:36:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: "*"
Content-Encoding: gzip
Content-Length: '10075'
:headers_string: "HTTP/1.1 200 OK\r\nServer: nginx/1.4.1\r\nDate: Thu, 01 Oct
2015 14:36:39 GMT\r\nContent-Type: text/html; charset=utf-8\r\nTransfer-Encoding:
chunked\r\nConnection: keep-alive\r\nAccess-Control-Allow-Origin: *\r\nContent-Encoding:
gzip\r\n\r\n"
:time: 0.183232
:total_time: 0.183232
:return_code: :ok
:return_message: No error
:request:
:url: http://testhtml5.vulnweb.com/
:parameters: {}
:headers:
User-Agent: Arachni/v1.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,*
Host: testhtml5.vulnweb.com
:headers_string: "GET http://testhtml5.vulnweb.com/ HTTP/1.1\r\nUser-Agent: Arachni/v1.3\r\nAccept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nX-Arachni-Browser-Auth:
0e378a6498d4810f4de69f3b0981fa12\r\nConnection: Keep-Alive\r\nAccept-Encoding:
gzip\r\nAccept-Language: en-US,*\r\nHost: testhtml5.vulnweb.com\r\n"
:effective_body:
:body:
:method: :get
- :name: Unvalidated DOM redirect
:description: |2
Web applications occasionally use DOM input values to store the address of the
page to which the client will be redirected -- for example:
`yoursite.com/#/?redirect=www.yoursite.com/404.asp`
An unvalidated redirect occurs when the client is able to modify the affected
parameter value and thus control the location of the redirection.
For example, the following URL `yoursite.com/#/?redirect=www.anothersite.com`
will redirect to `www.anothersite.com`.
Cyber-criminals will abuse these vulnerabilities in social engineering attacks
to get users to unknowingly visit malicious web sites.
Arachni has discovered that the web page does not validate the parameter value prior
to redirecting the client to the injected value.
:references:
OWASP Top 10 2010: https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
:tags:
- unvalidated
- redirect
- dom
- injection
:cwe: 819
:severity: :high
:remedy_guidance: |2
The application should ensure that the supplied value for a redirect is permitted.
This can be achieved by performing whitelisting on the parameter value.
The whitelist should contain a list of pages or sites that the application is
permitted to redirect users to. If the supplied value does not match any value
in the whitelist then the server should redirect to a standard error page.
:check:
:name: Unvalidated DOM redirect
:description: |2
Injects URLs and checks the browser URL to determine whether the attack was successful.
:elements:
- :link_dom
- :form_dom
- :cookie_dom
- :ui_form_dom
:author: Tasos "Zapotek" Laskos
:version: 0.1.2
:shortname: unvalidated_redirect_dom
:vector:
:class: Arachni::Element::Link::DOM
:type: :link_dom
:url: http://testhtml5.vulnweb.com/
:source: 'The First JavaScript Misdirection Contest
: javahacker.com'
:affected_input_name: url
:affected_input_value: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:seed: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:inputs:
url: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:default_inputs:
url: http://javahacker.com/the-first-javascript-misdirection-contest/
:action: http://testhtml5.vulnweb.com/
:method: :get
:page:
:body: ''
:dom:
:url: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:transitions:
- :element: :page
:event: :load
:options:
:url: http://testhtml5.vulnweb.com/#/redir?url=http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:cookies: {}
:time: 0.47153375
:digest:
:data_flow_sinks: []
:execution_flow_sinks: []
:referring_page:
:dom:
:url: http://testhtml5.vulnweb.com/#/popular
:transitions:
- :element: :page
:event: :load
:options:
:url: http://testhtml5.vulnweb.com/
:cookies: {}
:time: 1.063490473
- :element: http://testhtml5.vulnweb.com/
:event: :request
:options: {}
:time: 0.000726783
- :element: http://bxss.s3.amazonaws.com/ad.js
:event: :request
:options: {}
:time: 0.526492435
- :element: http://testhtml5.vulnweb.com/ajax/popular?offset=0
:event: :request
:options: {}
:time: 0.226042078
:digest:
:data_flow_sinks: []
:execution_flow_sinks: []
:remarks: {}
:trusted: true
:cwe_url: http://cwe.mitre.org/data/definitions/819.html
:digest: 707201679
:response:
:url: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:code: 0
:headers: {}
:body: ''
:time: 0.0
:request:
:url: http://www.88fc8f0ec9141866cb14f3125be901b4.com/
:parameters: {}
:headers: {}
:headers_string:
:effective_body:
:body:
:method: :get
- :name: Cross-Site Scripting (XSS)
:description: |2
Client-side scripts are used extensively by modern web applications.
They perform everything from simple functions (such as the formatting of text) up to
full manipulation of client-side data and Operating System interaction.
Cross Site Scripting (XSS) allows clients to inject scripts into a request and
have the server return the script to the client in the response. This occurs
because the application is taking untrusted data (in this example, from the client)
and reusing it without performing any validation or sanitisation.
If the injected script is returned immediately this is known as reflected XSS.
If the injected script is stored by the server and returned to any client visiting
the affected page, then this is known as persistent XSS (also stored XSS).
Arachni has discovered that it is possible to insert script content directly into
HTML element content.
:references:
ha.ckers: http://ha.ckers.org/xss.html
Secunia: http://secunia.com/advisories/9716/
WASC: http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
OWASP: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
:tags:
- xss
- regexp
- injection
- script
:cwe: 79
:severity: :high
:remedy_guidance: |2
To remedy XSS vulnerabilities, it is important to never use untrusted or unfiltered
data within the code of a HTML page.
Untrusted data can originate not only from the client but potentially from a third
party, a previously uploaded file, etc.
Filtering of untrusted data typically involves converting special characters to
their HTML entity encoded counterparts (however, other methods do exist, see references).
These special characters include:
* `&`
* `<`
* `>`
* `"`
* `'`
* `/`
An example of HTML entity encoding is converting ` '
:version: 0.4.4
:shortname: xss
:vector:
:class: Arachni::Element::Link
:type: :link
:url: http://testhtml5.vulnweb.com/
:source:
:affected_input_name: id
:affected_input_value: 24e47eb911c4d9526f32bf4f7db3e47b-->\n \n \n \n \n \n\n\n\n\n
\n
\n
\n
\ \n \n
\ \n \n
\\n \n
\
\n HTML5 test
website for Acunetix Web Vulnerability Scanner.\n\n\n
\\n\n\n
\n
\n
\
\n
\n
\ \n
Action\n
\
Acunetix\n\n\n\n
\
\n
\n \n
\ Your report was submitted, thanks. \n \n\n\n
\\n\n \n\n \n
© Acunetix
Ltd. 2013\n\n\n\n\n\n\n\n\n\n\n\n\n