ZAP Scanning Report

Summary of Alerts

Risk LevelNumber of Alerts
High7
Medium219
Low2484
Informational558

Alert Detail

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL
http://hackazon.webscantest.com/search?searchString=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E&id=
Parameter
searchString
Attack
</title><script>alert(1);</script><title>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL
http://hackazon.webscantest.com/search?searchString=ZAP&id=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
Parameter
id
Attack
"><script>alert(1);</script>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL
http://hackazon.webscantest.com/search/page/?searchString=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E&brands=&price=&id=&page=18&quality=
Parameter
searchString
Attack
</title><script>alert(1);</script><title>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL
http://hackazon.webscantest.com/search/page/?searchString=&brands=&price=javascript%3Aalert%281%29%3B&id=&page=18&quality=
Parameter
price
Attack
javascript:alert(1);

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning)Cross Site Scripting (Reflected)

Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL
http://hackazon.webscantest.com/search/page/?searchString=&brands=&price=&id=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&page=18&quality=
Parameter
id
Attack
"><script>alert(1);</script>

Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id

79

WASC Id

8

High (Warning)SQL Injection

Description

SQL injection may be possible

URL
http://hackazon.webscantest.com/search?searchString=ZAP&id=%27+AND+%271%27%3D%271%27+--+
Parameter
id
Attack
' OR '1'='1' --
Other information
The page results were successfully manipulated using the boolean conditions [' AND '1'='1' -- ] and [' OR '1'='1' -- ] The parameter value being modified was stripped from the HTML output for the purposes of the comparison Data was NOT returned for the original parameter. The vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the privilege of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

High (Warning)SQL Injection

Description

SQL injection may be possible

URL
http://hackazon.webscantest.com/wishlist/view%25
Parameter
view
Attack
view%
Other information
The page results were successfully manipulated using the boolean conditions [view%] and [viewXYZABCDEFGHIJ] The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison Data was returned for the original parameter. The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the privilege of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id

89

WASC Id

19

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/contact
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/faq
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/register
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/bestprice
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/review/send
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/cart/add
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/password
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fwishlist
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D101
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D81
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D72
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D108
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D48
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D156
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D131
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D53
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D67
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D37
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D158
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D42
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D122
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D144
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D11
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D18
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D172
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D35
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D45
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D113
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D206
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D130
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D209
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D116
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D207
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D202
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D197
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D208
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D210
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D198
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D199
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D200
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D201
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D203
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D204
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D205
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D196
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D195
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D190
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D185
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D187
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D186
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D189
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D188
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D192
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D193
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D194
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D175
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D191
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D180
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D170
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D165
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D160
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D182
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D181
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D183
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D184
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D176
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D177
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D178
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D179
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D171
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D173
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D174
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D167
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D166
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D169
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D168
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D161
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D162
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D164
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D155
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D150
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D145
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D163
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D140
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D157
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D135
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D159
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D151
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D152
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D153
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D154
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D146
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D147
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D148
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D149
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D141
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D142
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D143
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D136
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D137
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D138
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D139
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D125
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D120
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D115
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D110
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D132
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D133
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D134
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D127
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D126
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D128
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D129
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D123
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D121
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D124
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D117
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D119
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D118
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D112
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D111
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D114
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D100
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D95
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D90
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D85
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D106
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D107
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D109
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D103
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D102
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D105
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D104
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D96
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D97
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D98
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D99
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D92
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D94
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D93
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D87
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D86
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D88
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D91
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D89
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D66
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D56
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D46
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D36
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D78
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D76
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D79
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D80
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D82
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D77
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D83
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D84
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D69
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D68
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D71
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D70
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D74
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D73
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D75
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D58
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D57
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D47
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D49
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D50
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D59
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D51
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D52
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D54
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D55
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D60
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D61
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D62
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D63
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D64
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D65
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D26
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D31
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D38
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D40
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D41
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D43
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D44
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D39
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D32
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D34
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D27
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D28
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D29
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D33
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D30
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D21
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D16
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D6
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D1
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D22
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D23
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D24
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D25
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D17
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D19
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D20
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D12
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D13
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D15
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D14
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D7
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D8
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D10
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D9
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D2
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D3
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D4
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Medium (Warning)Application Error disclosure

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.The alert could be a false positive if the error message is found inside a documentation page.

URL
http://hackazon.webscantest.com/user/login?return_url=%2Fproduct%2Fview%3Fid%3D5
Parameter
N/A
Attack
HTTP 500 Internal server error

Solution

Review the source code of this page

Reference

CWE Id

200

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/star-rating.min.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/star-rating.min.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/ekko-lightbox.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/ekko-lightbox.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/ladda.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/ladda.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery.dump.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery.dump.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/subcategory.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/subcategory.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/modern-business.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/modern-business.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/ladda.jquery.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/ladda.jquery.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-slider.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-slider.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/bootstrapValidator.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/bootstrapValidator.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-themes/bar/bar.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-themes/bar/bar.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-themes/light/light.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-themes/light/light.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/modern-business.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/modern-business.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/bootstrap.file-input.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/bootstrap.file-input.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery.modern-blink.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery.modern-blink.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/spin.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/spin.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/respond.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/respond.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/ladda-themeless.min.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/ladda-themeless.min.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery.validate.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery.validate.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/json3.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/json3.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/koExternalTemplateEngine_all.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/koExternalTemplateEngine_all.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/bootstrap.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/bootstrap.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/tools.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/tools.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/knockout.localStorage.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/knockout.localStorage.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/amf/services.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/amf/services.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery-migrate-1.2.1.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery-migrate-1.2.1.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/ekko-lightbox.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/ekko-lightbox.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/star-rating.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/star-rating.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/font-awesome/css/font-awesome.min.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/font-awesome/css/font-awesome.min.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/knockout-2.2.1.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/knockout-2.2.1.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery.nivo.slider.pack.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery.nivo.slider.pack.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/site.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/site.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery.inputmask.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery.inputmask.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/bootstrapValidator.min.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/bootstrapValidator.min.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/jquery-1.10.2.js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/jquery-1.10.2.js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/bootstrap.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/bootstrap.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/sidebar.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/sidebar.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/site.css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/site.css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/
Parameter
PHPSESSID
Attack
rtlk2298aasuo2nim42esd8ne6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-themes/bar
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-themes/bar

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-themes
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-themes

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/nivo-themes/light
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/nivo-themes/light

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/font-awesome
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/font-awesome

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/font-awesome/css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/font-awesome/css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/images
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/images

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/js/amf
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/js/amf

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/products_pictures
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/products_pictures

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/css/?css
Parameter
PHPSESSID
Attack
a94stgs3kcm9fvdb5p44r4vkp3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/css/?css
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/css/?css

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/contact
Parameter
PHPSESSID
Attack
5638kjlfetqn60vk41hht3jn31; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/contact
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/contact

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/faq
Parameter
PHPSESSID
Attack
p4nbqv3vbk2j8af6j61j7nt5q6; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/faq
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/faq

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/cart/view
Parameter
PHPSESSID
Attack
fqkjpoq3f84v5ekep512egnue3; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/cart/view
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/cart/view

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/wishlist/
Parameter
PHPSESSID
Attack
n9c5kcsm6a51o6iqj6pvplrlo4; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/wishlist/
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/wishlist/

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Low (Warning)Cookie set without HttpOnly flag

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL
http://hackazon.webscantest.com/category/view?id=49
Parameter
PHPSESSID
Attack
8q72l59qrr66nutjbno02krq95; path=/

Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

www.owasp.org/index.php/HttpOnly

WASC Id

13

Low (Warning)Web Browser XSS Protection Not Enabled

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL
http://hackazon.webscantest.com/category/view?id=49
Other information
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; report=http://www.example.com/xss The following values would disable it: X-XSS-Protection: 0 The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id

933

WASC Id

14

Low (Warning)X-Content-Type-Options header missing

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL
http://hackazon.webscantest.com/category/view?id=49

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference