Scribd Logo
Upload

Welcome to Scribd!

  • Security Report For Security Test 1 2021-12-09 01 - 57 - 24

    Uploaded by

    Pankaj Thakur
    7 views7 pages
    The security test report found 13 issues across 15 scans. The scans identified 1 issue related to sensitive files exposure and 12 issues related to improper handling of non-standard HTTP methods like PURGE, COPY, UNLOCK, etc. The report provides details of each issue including the endpoint tested, request details, response, identified alerts, and suggested action points.

    Original Description:

    Original Title

    Security Report for Security Test 1 2021-12-09 01_57_24

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The security test report found 13 issues across 15 scans. The scans identified 1 issue related to sensitive files exposure and 12 issues related to improper handling of non-standard HTTP methods like PURGE, COPY, UNLOCK, etc. The report provides details of each issue including the endpoint tested, request details, response, identified alerts, and suggested action points.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views7 pages

    Security Report For Security Test 1 2021-12-09 01 - 57 - 24

    Uploaded by

    Pankaj Thakur
    The security test report found 13 issues across 15 scans. The scans identified 1 issue related to sensitive files exposure and 12 issues related to improper handling of non-standard HTTP methods like PURGE, COPY, UNLOCK, etc. The report provides details of each issue including the endpoint tested, request details, response, identified alerts, and suggested action points.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    Issues report for Security Test 1

    in Project 2/Security Test Suite 1/https://psd2-xs2a.dzbank.de TestCase

    Summary
    Started at 2021-12-09 01:57:24

    Time taken 00:22:22.579

    Total scans performed: 15

    Issues found: 13

    Total Issues
    Scan Issues Found In Test Steps
    Found
    Sensitive Files
    POST 1 1
    Exposure
    HTTP Method
    POST 12 12
    Fuzzing

    Detailed Info
    Issues are grouped by Security scan.

    Sensitive Files Exposure

    A Sensitive File Security Scan looks for files that tend to contain very sensitive information. It will
    generate an alert if it can download one of these files.

    If such files are found, you usually need to either remove them from your system or restrict access to
    them.

    Scan Sensitive Files Exposure


    Severity ERROR
    Endpoint https://psd2-xs2a.dzbank.de/wp-admin/wp-login.php
    Request GET https://psd2-xs2a.dzbank.de/wp-admin/wp-login.php HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    path /wp-admin/
    wp-login.php

    Response No content
    Alerts Sensitive Files Exposure: Status code extraction error!
    Action Points You probably need to either remove the file /wp-admin/wp-login.php, or restrict access
    to it
    CWE-ID CWE-219
    Issue Number #1

    HTTP Method Fuzzing

    An HTTP Method Fuzzing Scan attempts to use other HTTP verbs (methods) than those defined in
    an API. For instance, if you have defined GET and POST, it will send requests using the DELETE
    and PUT verbs, expecting an appropriate HTTP error response and reporting alerts if it doesn't
    receive it.

    Sometimes, unexpected HTTP verbs can overwrite data on a server or get data that shouldn't be
    revealed to clients.

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request PURGE https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method PURGE

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method PURGE should really be allowed for this resource.
    Issue Number #2

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request COPY https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method COPY

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method COPY should really be allowed for this resource.
    Issue Number #3

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request UNLOCK https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method UNLOCK

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method UNLOCK should really be allowed for this resource.
    Issue Number #4

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request LOCK https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method LOCK

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method LOCK should really be allowed for this resource.
    Issue Number #5

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request PROPFIND https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method PROPFIND

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method PROPFIND should really be allowed for this resource.
    Issue Number #6

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request PATCH https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method PATCH

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method PATCH should really be allowed for this resource.
    Issue Number #7

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request TRACE https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method TRACE

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method TRACE should really be allowed for this resource.
    Issue Number #8

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request OPTIONS https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method OPTIONS

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method OPTIONS should really be allowed for this resource.
    Issue Number #9

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request HEAD https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method HEAD

    Response No content
    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method HEAD should really be allowed for this resource.
    Issue Number #10

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request DELETE https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified Name Value
    Parameters
    method DELETE

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method DELETE should really be allowed for this resource.
    Issue Number #11

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request PUT https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method PUT

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method PUT should really be allowed for this resource.
    Issue Number #12

    Scan HTTP Method Fuzzing


    Severity WARNING
    Endpoint https://psd2-xs2a.dzbank.de/
    Request GET https://psd2-xs2a.dzbank.de/ HTTP/1.1
    Test Step POST
    Modified
    Name Value
    Parameters
    method GET

    Response Content-type: text/html; charset=iso-8859-1


    Content length: 218
    Full response:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302
    Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a
    href="https://psd2-xs2a.dzbank.de/store/">here</a>.</p> </body></html>

    Alerts Valid HTTP Status Codes: Response status code: 302 is not in acceptable list of status codes
    Action Points You should check if the HTTP method GET should really be allowed for this resource.
    Issue Number #13

    You might also like