
Issues report for Security Test 1

in Project 1/Security Test Suite 1/https://vfviaslywebb.dzbank.de TestCase

Summary
Started at 2021-12-09 06:32:20

Time taken 00:00:30.317

Total scans performed: 82

Issues found: 27

Scan: HTTP Method Fuzzing
Issues Found In Test Steps: PURGE 9, POST 9, GET 9
Total Issues Found: 27

Detailed Info
Issues are grouped by Security scan.

HTTP Method Fuzzing

An HTTP Method Fuzzing Scan attempts to use other HTTP verbs (methods) than those defined in
an API. For instance, if you have defined GET and POST, it will send requests using the DELETE
and PUT verbs, expecting an appropriate HTTP error response and reporting alerts if it doesn't
receive it.

Sometimes, unexpected HTTP verbs can overwrite data on a server or get data that shouldn't be
revealed to clients.

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request COPY https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: COPY

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method COPY should really be allowed for this resource.
Issue Number #1

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request UNLOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: UNLOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method UNLOCK should really be allowed for this resource.
Issue Number #2

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request LOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: LOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method LOCK should really be allowed for this resource.
Issue Number #3

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PROPFIND https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: PROPFIND

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PROPFIND should really be allowed for this resource.
Issue Number #4
Scan HTTP Method Fuzzing
Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PATCH https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: PATCH

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PATCH should really be allowed for this resource.
Issue Number #5

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request OPTIONS https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: OPTIONS

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method OPTIONS should really be allowed for this resource.
Issue Number #6

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request HEAD https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: HEAD

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method HEAD should really be allowed for this resource.
Issue Number #7

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request DELETE https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: DELETE

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method DELETE should really be allowed for this resource.
Issue Number #8

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PUT https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step GET
Modified Parameters Name: method, Value: PUT

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PUT should really be allowed for this resource.
Issue Number #9

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request COPY https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: COPY

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method COPY should really be allowed for this resource.
Issue Number #10

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request UNLOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: UNLOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method UNLOCK should really be allowed for this resource.
Issue Number #11

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request LOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: LOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method LOCK should really be allowed for this resource.
Issue Number #12

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PROPFIND https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: PROPFIND

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PROPFIND should really be allowed for this resource.
Issue Number #13

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PATCH https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: PATCH
Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PATCH should really be allowed for this resource.
Issue Number #14

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request OPTIONS https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: OPTIONS

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method OPTIONS should really be allowed for this resource.
Issue Number #15

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request HEAD https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: HEAD

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method HEAD should really be allowed for this resource.
Issue Number #16

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request DELETE https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: DELETE

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method DELETE should really be allowed for this resource.
Issue Number #17

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PUT https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step POST
Modified Parameters Name: method, Value: PUT

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PUT should really be allowed for this resource.
Issue Number #18

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request COPY https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: COPY

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method COPY should really be allowed for this resource.
Issue Number #19

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request UNLOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: UNLOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method UNLOCK should really be allowed for this resource.
Issue Number #20
Scan HTTP Method Fuzzing
Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request LOCK https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: LOCK

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method LOCK should really be allowed for this resource.
Issue Number #21

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PROPFIND https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: PROPFIND

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PROPFIND should really be allowed for this resource.
Issue Number #22

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PATCH https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: PATCH

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PATCH should really be allowed for this resource.
Issue Number #23

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request OPTIONS https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: OPTIONS

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method OPTIONS should really be allowed for this resource.
Issue Number #24

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request HEAD https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: HEAD

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method HEAD should really be allowed for this resource.
Issue Number #25

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request DELETE https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: DELETE

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method DELETE should really be allowed for this resource.
Issue Number #26

Scan HTTP Method Fuzzing


Severity WARNING
Endpoint https://vfviaslywebb.dzbank.de/
Request PUT https://vfviaslywebb.dzbank.de/ HTTP/1.1
Test Step PURGE
Modified Parameters Name: method, Value: PUT

Response No content
Alerts Valid HTTP Status Codes: Response status code: 200 is not in acceptable list of status codes
Action Points You should check if the HTTP method PUT should really be allowed for this resource.
Issue Number #27
