
DAST Vulnerability Scan of Webgoat

Joseph Wagner CSOL 560


Professor Moore
University of San Diego
Introduction

When developing an application, it is important to understand the vulnerabilities that may exist as
well as to have a clear path for remediation. During every stage of development, all the way up to production,
the code and the application need to be tested in a variety of ways. As a follow-up to the previous scans
using a SAST tool, this paper will cover a comprehensive scan using a DAST tool called Qualys. Though
these scans do test for vulnerabilities that may seem similar in nature, fundamentally SAST should be
used on earlier-stage application code while DAST should be used on live, running
applications. “They find different types of vulnerabilities, and they’re most effective in different phases
of the software development life cycle. SAST should be performed early and often against all files
containing source code. DAST should be performed on a running application in an environment similar to
production. So the best approach is to include both SAST and DAST in your application security testing
program.” (Phadke, 2021)
It should never be an either-or choice between SAST and DAST; instead, the question should be the
appropriate time to use each tool. This paper will show the various vulnerabilities found in
Webgoat and the recommended remediation paths. When using a DAST tool like Qualys it is important to run
scans on a regular basis to ensure that updates or changes to the application do not introduce new
vulnerabilities. In the real world, organizations would run this on applications that are live or about
to go live to find vulnerabilities to fix before full production. For the purposes of this paper Webgoat
was used because it was built to be full of bugs and issues as a learning tool for the cyber
security community.
Webgoat was created by OWASP as a deliberately vulnerable application for learning
and educational purposes. It is free for the public to test with and helps in understanding the types of
vulnerabilities that exist. OWASP has created a list of the top 10 vulnerabilities and built them into
Webgoat. It also helps benchmark different tools, as they will often yield different results when scanning
Webgoat. This can be important for organizations that are trying to pick the best tools for their
security program. It is advised to run Webgoat on a machine in a sandboxed virtual
environment, as it will make whatever machine it runs on incredibly vulnerable to outside attacks. It can be
loaded on any type of machine, but for security it is best to run it on a machine used solely for
security testing and learning, in case it does run into any security issues.
When looking for a good DAST tool there are many options on the market. Some are free and
open source but very limited in their scans and capabilities. Most options that produce the best reports are
paid, and an enterprise license, which offers the most comprehensive scans and best reports, is typically
expensive. “DAST is extremely good at finding externally visible issues and vulnerabilities. This
includes a number of security risks from OWASP’s top ten, such as cross-site scripting, injection errors
like SQL injection or command injection, path traversal, and insecure server configuration. One of
DAST’s advantages is its ability to identify runtime problems, which is something SAST can’t do in its
static state. DAST is excellent at finding server configuration and authentication problems, as well as
flaws that are only visible when a known user logs in.” Qualys was able to discover 79 vulnerabilities in
Webgoat and produce a thorough report on what these issues were and the best steps for remediation.
Veracode also has a similar DAST product at the enterprise level, as do a few other vendors whose products
would in theory do the same thing. All map to the OWASP Top 10 and perform external scans of live
applications rather than looking at source code as a SAST tool would.
This report contains the top highlighted pages from the Qualys scan, which show the breakdown of
vulnerabilities by category, a few of the top vulnerabilities, and their remediation paths. The entire report is
over 200 pages, so this format makes it more digestible for a less technical audience.
Scan Report
14 Oct 2021

Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.

Target and Filters

Scans (1):            Web Application Vulnerability Scan3 - Webgoat - 2021-10-14
Web Applications (1): Webgoat

Security Risk Summary

Vulnerabilities: 79    Sensitive Contents: 0    Information Gathered: 29

Findings by Severity

Scan                                                                   Date         Level 5  Level 4  Level 3  Level 2  Level 1  Sensitive Contents  Information Gathered
Web Application Vulnerability Scan3 - Webgoat - 2021-10-14 13:08 GMT-0800  14 Oct 2021  1        8        33       11       26       0                   29

[Charts in the original report: Vulnerabilities by Group; OWASP Top 10 2017 Vulnerabilities]

Results (108)

Vulnerability (79)
Cross-Site Scripting (15)

150084 Unencoded characters (15)


150084 Unencoded characters
URL: http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1%26QTY2=1%26QTY3=1%26field1=4128%203214%200002%201999%26QTY4=1%20%3Cscript%3E_q_q%3Drandom(J5nyurE8)%3C%2Fscript%3E%26field2=111%26SUBMIT=UpdateCart
Finding # 14647624(420811267) Severity Potential Vulnerability - Level 1
Unique # b41643a9-e663-45bb-acb4-a8faddbf1291
Group Cross-Site Scripting Detection Date 14 Oct 2021 13:08 GMT-0800
CWE CWE-79
OWASP A7 Cross-Site Scripting (XSS)
WASC WASC-22 IMPROPER OUTPUT HANDLING

CVSS V3 Base - CVSS V3 Temporal- CVSS V3 Attack Vector -

Details

Threat
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used
for HTML injection attacks such as cross-site scripting (XSS).

Impact
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that
would lead to an HTML injection (XSS) vulnerability.

Solution
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML
encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as &quot; when
displayed in a text node, but as %22 when placed in the value of an href attribute.

Detection Information

Parameter It has been detected by exploiting the parameter QTY4 of the form located in URL http://135.180.1.139:8080/WebGoat/start.mvc#lesson/
CrossSiteScripting.lesson
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, the scan required authentication to be enabled.
Access Path Here is the path followed by the scanner to reach the exploitable URL:

http://135.180.1.139:8080/WebGoat/
http://135.180.1.139:8080/WebGoat/login
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson

Payloads
#1 Request
GET http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&field1=4128%203214%200002%201999&QTY4=z--%3E%3Cqss9u2945o3%3E&field2=111&SUBMIT=UpdateCart
Referer: http://135.180.1.139:8080/WebGoat/
Cookie: JSESSIONID=DcuZARuVRUb780PAOm0oKFwP78hOKnupjGRfuqgK
Host: 135.180.1.139:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Length: 111

#1 Response
comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json

g.springframework.web.method.annotation.MethodArgumentTypeMismatchException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Integer'; nested exception is
java.lang.NumberFormatException: For input string: \"z--><qss9u2945o3>\"\n\tat
org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.resolveArgument(AbstractNamedValueMethodArgumentResolver.java:133)\n\tat
org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.r

* The reflected string on the response webpage indicates that the vulnerability test was successful
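
The five findings above all rest on the same test: the scanner submits a marker containing angle brackets, looks for it in the response, and then weighs the response content type, since a marker echoed inside application/json is not parsed as markup unless client-side code inserts it into the page. The Python below is an added illustration for readers of this paper, not Qualys code and not WebGoat code: a defender-side reflection check that mirrors that reasoning, plus the two encodings the Solution text describes (HTML encoding for a text node, percent encoding for a value inside an href). The sample response bodies are constructed, and the canary string reuses the marker shape from the first finding.

```python
import html
from urllib.parse import quote

# Constructed canary in the shape of the scanner's marker from the first finding.
CANARY = "<qss9u2945o3>"


def reflected_unencoded(body: str, content_type: str, canary: str = CANARY) -> dict:
    """Defender-side reflection check in the spirit of QID 150084 (not Qualys code).

    reflected_raw: the marker came back with its angle brackets intact.
    reflected_encoded: it came back HTML-encoded, which is a safe reflection.
    is_html: the browser would parse this body as markup. For application/json
    the verdict is only "potential", because the reflection matters only if
    client-side code inserts the value into the DOM.
    """
    mime = content_type.split(";")[0].strip().lower()
    is_html = mime in ("text/html", "application/xhtml+xml")
    raw = canary in body
    encoded = html.escape(canary) in body
    if raw and is_html:
        verdict = "confirmed"
    elif raw:
        verdict = "potential"
    else:
        verdict = "none"
    return {"reflected_raw": raw, "reflected_encoded": encoded,
            "is_html": is_html, "verdict": verdict}


def encode_for_text_node(value: str) -> str:
    """HTML encoding for a text node or quoted attribute: a double quote becomes &quot;."""
    return html.escape(value, quote=True)


def encode_for_href_value(value: str) -> str:
    """Percent encoding for a value placed inside a URL: a double quote becomes %22."""
    return quote(value, safe="")


def render_cart_link(base_url: str, field2: str) -> str:
    """Two layers for an untrusted value in an href: percent-encode it for the URL,
    then HTML-encode the whole attribute value because it lands in markup."""
    url = f"{base_url}?field2={encode_for_href_value(field2)}"
    return f'<a href="{encode_for_text_node(url)}">cart</a>'


# Constructed sample bodies modelled on the report's responses (not scanner output).
JSON_ERROR_BODY = (
    '{"message":"Failed to convert value of type \'java.lang.String\' to required '
    'type \'java.lang.Integer\'; For input string: \\"z--><qss9u2945o3>\\""}'
)
HTML_SAFE_BODY = "<p>Quantity: &lt;qss9u2945o3&gt;</p>"
HTML_UNSAFE_BODY = "<p>Quantity: <qss9u2945o3></p>"

if __name__ == "__main__":
    for ctype, body in (("application/json", JSON_ERROR_BODY),
                        ("text/html; charset=utf-8", HTML_SAFE_BODY),
                        ("text/html", HTML_UNSAFE_BODY)):
        print(ctype, reflected_unencoded(body, ctype))
    print(encode_for_text_node('"'), encode_for_href_value('"'))
    print(render_cart_link("http://example.test/cart", 'a"b'))
```

Running the block prints a "potential" verdict for the JSON error body (the same reasoning the scanner's response comment gives), "none" for the HTML body that encodes the marker, and "confirmed" for the HTML body that reflects it raw. The two-layer link rendering is the practical consequence of the Solution text: percent encoding answers the URL context and HTML encoding answers the attribute context, and an untrusted value that passes through both contexts needs both.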
150084 Unencoded characters
URL: http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1%26QTY2=1%26QTY3=1%20%3Cscript%3E_q_q%3Drandom(3ve5yh29)%3C%2Fscript%3E%26field1=4128%203214%200002%201999%26QTY4=1%26field2=111%26SUBMIT=UpdateCart
Finding # 14647626(420811268) Severity Potential Vulnerability - Level 1
Unique # 8b863531-892a-4b2a-b665-ef71ab56c636
Group Cross-Site Scripting Detection Date 14 Oct 2021 13:08 GMT-0800
CWE CWE-79
OWASP A7 Cross-Site Scripting (XSS)
WASC WASC-22 IMPROPER OUTPUT HANDLING

CVSS V3 Base - CVSS V3 Temporal- CVSS V3 Attack Vector -

Details

Threat
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used
for HTML injection attacks such as cross-site scripting (XSS).

Impact
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that
would lead to an HTML injection (XSS) vulnerability.

Solution
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML
encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as &quot; when
displayed in a text node, but as %22 when placed in the value of an href attribute.

Detection Information

Parameter It has been detected by exploiting the parameter QTY3 of the form located in URL http://135.180.1.139:8080/WebGoat/start.mvc#lesson/
CrossSiteScripting.lesson
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, the scan required authentication to be enabled.
Access Path Here is the path followed by the scanner to reach the exploitable URL:

http://135.180.1.139:8080/WebGoat/
http://135.180.1.139:8080/WebGoat/login
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson

Payloads
#1 Request
GET http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=z--%3E%3CqssGSm50y15%3E&field1=4128%203214%200002%201999&QTY4=1&field2=111&SUBMIT=UpdateCart
Referer: http://135.180.1.139:8080/WebGoat/
Cookie: JSESSIONID=DcuZARuVRUb780PAOm0oKFwP78hOKnupjGRfuqgK
Host: 135.180.1.139:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Length: 111

#1 Response
comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json

g.springframework.web.method.annotation.MethodArgumentTypeMismatchException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Integer'; nested exception is
java.lang.NumberFormatException: For input string: \"z--><qssGSm50y15>\"\n\tat
org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.resolveArgument(AbstractNamedValueMethodArgumentResolver.java:133)\n\tat
org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.r

* The reflected string on the response webpage indicates that the vulnerability test was successful
150084 Unencoded characters
URL: http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1%20%3Cscript%3E_q_q%3Drandom(Zf1pOD8e)%3C%2Fscript%3E%26QTY2=1%26QTY3=1%26field1=4128%203214%200002%201999%26QTY4=1%26field2=111%26SUBMIT=UpdateCart
Finding # 14647628(420811269) Severity Potential Vulnerability - Level 1
Unique # 655b7057-7bae-4852-b721-47756b87c6b4
Group Cross-Site Scripting Detection Date 14 Oct 2021 13:08 GMT-0800
CWE CWE-79
OWASP A7 Cross-Site Scripting (XSS)
WASC WASC-22 IMPROPER OUTPUT HANDLING

CVSS V3 Base - CVSS V3 Temporal- CVSS V3 Attack Vector -

Details

Threat
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used
for HTML injection attacks such as cross-site scripting (XSS).

Impact
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that
would lead to an HTML injection (XSS) vulnerability.

Solution
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML
encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as &quot; when
displayed in a text node, but as %22 when placed in the value of an href attribute.

Detection Information

Parameter It has been detected by exploiting the parameter QTY1 of the form located in URL http://135.180.1.139:8080/WebGoat/start.mvc#lesson/
CrossSiteScripting.lesson
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, the scan required authentication to be enabled.
Access Path Here is the path followed by the scanner to reach the exploitable URL:

http://135.180.1.139:8080/WebGoat/
http://135.180.1.139:8080/WebGoat/login
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson

Payloads
#1 Request
GET http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=%22%3E%3CqssiqASJ400%3E&QTY2=1&QTY3=1&field1=4128%203214%200002%201999&QTY4=1&field2=111&SUBMIT=UpdateCart
Referer: http://135.180.1.139:8080/WebGoat/
Cookie: JSESSIONID=DcuZARuVRUb780PAOm0oKFwP78hOKnupjGRfuqgK
Host: 135.180.1.139:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Length: 111

#1 Response
comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json

rg.springframework.web.method.annotation.MethodArgumentTypeMismatchException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Integer'; nested exception is
java.lang.NumberFormatException: For input string: \"\"><qssiqASJ400>\"\n\tat
org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.resolveArgument(AbstractNamedValueMethodArgumentResolver.java:133)\n\tat
org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.r

* The reflected string on the response webpage indicates that the vulnerability test was successful
150084 Unencoded characters
URL: http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1%26QTY2=1%20%3Cscript%3E_q_q%3Drandom(vpGPt26M)%3C%2Fscript%3E%26QTY3=1%26field1=4128%203214%200002%201999%26QTY4=1%26field2=111%26SUBMIT=UpdateCart
Finding # 14647630(420811270) Severity Potential Vulnerability - Level 1
Unique # 0f03bc19-20aa-4637-92eb-db41ae5cb7e8
Group Cross-Site Scripting Detection Date 14 Oct 2021 13:08 GMT-0800
CWE CWE-79
OWASP A7 Cross-Site Scripting (XSS)
WASC WASC-22 IMPROPER OUTPUT HANDLING

CVSS V3 Base - CVSS V3 Temporal- CVSS V3 Attack Vector -

Details

Threat
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used
for HTML injection attacks such as cross-site scripting (XSS).

Impact
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that
would lead to an HTML injection (XSS) vulnerability.

Solution
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML
encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as &quot; when
displayed in a text node, but as %22 when placed in the value of an href attribute.

Detection Information

Parameter It has been detected by exploiting the parameter QTY2 of the form located in URL http://135.180.1.139:8080/WebGoat/start.mvc#lesson/
CrossSiteScripting.lesson
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, the scan required authentication to be enabled.
Access Path Here is the path followed by the scanner to reach the exploitable URL:

http://135.180.1.139:8080/WebGoat/
http://135.180.1.139:8080/WebGoat/login
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson

Payloads
#1 Request
GET http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1%20%3Cscript%3E_q_q%3Drandom(vpGPt26M)%3C%2Fscript%3E&QTY3=1&field1=4128%203214%200002%201999&QTY4=1&field2=111&SUBMIT=UpdateCart
Referer: http://135.180.1.139:8080/WebGoat/
Cookie: JSESSIONID=DcuZARuVRUb780PAOm0oKFwP78hOKnupjGRfuqgK
Host: 135.180.1.139:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Length: 142

#1 Response
comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json

ramework.web.method.annotation.MethodArgumentTypeMismatchException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Integer'; nested exception is
java.lang.NumberFormatException: For input string: \"1<script>_q_q=random(vpGPt26M)</script>\"\n\tat
org.springframework.web.method.annotation.AbstractNamedValueMethodArgumentResolver.resolveArgument(AbstractNamedValueMethodArgumentResolver.java:133)\n\tat
org.springframework.web.method.support.HandlerMethodArgumentResolv

* The reflected string on the response webpage indicates that the vulnerability test was successful
150084 Unencoded characters
URL: http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1%26QTY2=1%26QTY3=1%26field1=z--%3E%3CqssQa395rJ5%3E%26QTY4=1%26field2=111%26SUBMIT=UpdateCart
Finding # 14647632(420811271) Severity Potential Vulnerability - Level 1
Unique # 5e22de57-3df3-4363-a283-55ac1fc7ab6f
Group Cross-Site Scripting Detection Date 14 Oct 2021 13:08 GMT-0800
CWE CWE-79
OWASP A7 Cross-Site Scripting (XSS)
WASC WASC-22 IMPROPER OUTPUT HANDLING

CVSS V3 Base - CVSS V3 Temporal- CVSS V3 Attack Vector -

Details

Threat
The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used
for HTML injection attacks such as cross-site scripting (XSS).

Impact
No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that
would lead to an HTML injection (XSS) vulnerability.

Solution
Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML
encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as &quot; when
displayed in a text node, but as %22 when placed in the value of an href attribute.

Detection Information

Parameter It has been detected by exploiting the parameter field1 of the form located in URL http://135.180.1.139:8080/WebGoat/start.mvc#lesson/
CrossSiteScripting.lesson
The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, the scan required authentication to be enabled.
Access Path Here is the path followed by the scanner to reach the exploitable URL:

http://135.180.1.139:8080/WebGoat/
http://135.180.1.139:8080/WebGoat/login
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson
http://135.180.1.139:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson

Payloads
#1 Request
GET http://135.180.1.139:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&field1=4128%203214%200002%201999%22'%3E%3Cqss0XnQ60XP%3E&QTY4=1&field2=111&SUBMIT=UpdateCart
Referer: http://135.180.1.139:8080/WebGoat/
Cookie: JSESSIONID=DcuZARuVRUb780PAOm0oKFwP78hOKnupjGRfuqgK
Host: 135.180.1.139:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
Accept: */*
Content-Length: 113

#1 Response
comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json

want to see this specific JavaScript (in case you are trying to do something more fancy).",
"output" : "Thank you for shopping at WebGoat. <br \\/>You're support is appreciated<hr \\/><p>We have charged credit card:4128 3214 0002 1999\\\"'><qss0XnQ60XP><br \\/>--------------------<br \
\/> $1997.96"
}
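
The response bodies in these findings show where the reflection actually happens: the quantity parameters are typed as integers, so a non-numeric payload surfaces inside the framework's type-mismatch message, while field1 is copied unchanged into the HTML fragment returned in the JSON "output" value. The Python below is an added example, not WebGoat's attack5a handler: a stand-in cart handler that validates quantities strictly, returns an error message that names the field without echoing the submitted value, and HTML-encodes field1 before placing it in the fragment. The four unit prices are constructed so that the total matches the $1997.96 shown in the last finding.

```python
import html

# Constructed stand-in for the WebGoat attack5a cart handler described in the
# report above; this is example code, not WebGoat's implementation.
QTY_FIELDS = ("QTY1", "QTY2", "QTY3", "QTY4")
# Constructed unit prices, chosen so the total matches the $1997.96 in the report.
PRICES = (69.99, 27.99, 1599.99, 299.99)


class BadRequest(ValueError):
    """Raised for input the handler refuses; its message is safe to return."""


def parse_quantity(name: str, raw: str) -> int:
    # Strict allow-list validation. The message names the field but never echoes
    # the submitted value: in the report the framework's type-mismatch message
    # quoted the raw payload ("For input string: ..."), and that echo is what
    # the scanner reported as unencoded characters.
    if not raw.isdigit() or len(raw) > 4:
        raise BadRequest(f"{name} must be a whole number between 0 and 9999")
    return int(raw)


def update_cart(params: dict) -> tuple:
    """Return (HTTP status, JSON-serialisable body) for an UpdateCart submission."""
    try:
        qtys = [parse_quantity(n, params.get(n, "")) for n in QTY_FIELDS]
    except BadRequest as exc:
        # Generic error body: no reflection of the offending input.
        return 400, {"error": str(exc)}
    total = sum(q * p for q, p in zip(qtys, PRICES))
    # field1 ends up inside an HTML fragment that the client injects into the
    # page, so it is HTML-encoded (quotes included) before it is embedded.
    card = html.escape(params.get("field1", ""), quote=True)
    output = (
        "Thank you for shopping at WebGoat. <br />"
        f"We have charged credit card:{card}<br />"
        f"--------------------<br /> ${total:.2f}"
    )
    return 200, {"output": output}


if __name__ == "__main__":
    import json
    # Constructed submissions mirroring the payload shapes in the report.
    print(json.dumps(update_cart({"QTY1": "1", "QTY2": "1", "QTY3": "1",
                                  "QTY4": "z--><qss9u2945o3>",
                                  "field1": "4128 3214 0002 1999"})[1]))
    print(json.dumps(update_cart({"QTY1": "1", "QTY2": "1", "QTY3": "1", "QTY4": "1",
                                  "field1": "4128 3214 0002 1999\"'><qss0XnQ60XP>"})[1]))
```

The first submission is rejected with a message that mentions QTY4 but not the payload, so there is nothing for a reflection check to find; the second succeeds and the marker appears in the fragment only as &lt;qss0XnQ60XP&gt;, which a browser renders as text rather than as an element.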

Scan Details
Severity Levels
Confirmed Vulnerabilities
Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform
susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the
disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't
fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.

Minimal: Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.

Medium: Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.

Serious: Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.

Critical: Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.

Urgent: Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.
Potential Vulnerabilities
Potential Vulnerabilities indicate that the scanner observed a weakness or error that is commonly used to attack a web application, and the
scanner was unable to confirm if the weakness or error could be exploited. Where possible, the QID's description and results section include
information and hints for following-up with manual analysis. For example, the exploitability of a QID may be influenced by characteristics that
the scanner cannot confirm, such as the web application's network architecture, or the test to confirm exploitability requires more intrusive
testing than the scanner is designed to conduct.

Minimal: Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example in this scenario, information such as web server type, programming language, passwords or file path references can be disclosed.

Medium: Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example, the version of software or session data can be disclosed, which could be used to exploit.

Serious: Presence of this vulnerability might give access to security-related information to intruders who are bound to misuse or exploit it. Examples of what could happen if this vulnerability was exploited include bringing down the server or causing hindrance to the regular service.

Critical: Presence of this vulnerability might give intruders the ability to gain highly sensitive content or affect other users of the web application.

Urgent: Presence of this vulnerability might enable intruders to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture. For example in this scenario, the web application users can potentially be targeted if the application is exploited.
Sensitive Content
Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular
expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.

Minimal: Sensitive content was found in the web server response. During our scan of the site, form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.

Medium: Sensitive content was found in the web server response. Specifically, our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.

Serious: Sensitive content was found in the web server response - a valid social security number or credit card information. This information disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.
Information Gathered
Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include
information about users of the web application.

Minimal: Intruders may be able to retrieve sensitive information related to the web application platform.

Medium: Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.

Serious: Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.
References

Peterson, J. (2021, October 14). Dynamic Application Security Testing: DAST basics. WhiteSource. Retrieved October 25, 2021, from https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/

Phadke, A. (2021, July 28). SAST vs. DAST: What's the difference? Synopsys Software Integrity Blog. Retrieved October 25, 2021, from https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/
