Report

Reflected Cross-site Scripting

The application was found vulnerable to Reflected Cross-site Scripting (XSS).

XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users.

Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server. This kind of XSS is short-lived and requires a phishing vector to be delivered to the victim.

Impact

An attacker may be able to steal personal data, hijack sessions and perform phishing attacks by forcing a user's browser to execute a malicious JavaScript payload.

Solution

Sanitise all user-supplied input before using it as part of dynamically generated pages and data. Be cautious of meta characters that can be used to build tags and attributes.

Details

request: GET http://hackazon.webscantest.com/search?searchString=%22%3E%3CEpHmH%3E HTTP/1.1

Open Cross Domain Policy

A cross domain policy file with an explicit open policy was found.

A Cross Domain Policy File is used to enforce the same origin policy in modern web applications (especially Flash and Silverlight based) by preventing some types of content from being accessed or modified from another domain via the client (a browser or a plugin). An open cross-domain policy is a vulnerability that occurs when the policy file explicitly allows every external domain.

Impact

An attacker may build their own application capable of interacting in the same sandboxed environment as the target application. This provides attackers with unrestricted access to session information and other sensitive data.

Solution

Explicitly declare allowed domains in the cross-domain policy file.

Details

url: http://hackazon.webscantest.com/crossdomain.xml