Comprehensive New Https PHP

Comprehensive Report
Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been
HIGH discovered by the scanner. A malicious user can exploit these
vulnerabilities and compromise the backend database and/or
deface your website.
Scan Detail
Target https://sais-hglp.saludzona5.gob.ec/login.php
Scan Type Full Scan
Start Time May 7, 2024, 10:43:27 AM GMT-5
Scan Duration 13 minutes
Requests 26976
Average Response Time 48ms
Maximum Response Time 26208ms
1
1 1 2 5
High Medium Low Informational
Severity Vulnerabilities Instances
High 1 1
Medium 1 1
Low 2 2
Informational 2 5
Total 6 9
2
Informational
Instances
Content Security Policy Misconfiguration 4
Outdated JavaScript libraries 1
Low Severity
Instances
Cookies with missing, inconsistent or contrad… 1
Cookies without Secure flag set 1
Medium Severity
Instances
Vulnerable JavaScript libraries 1
High Severity
Instances
SQL injection 1
3
Impacts
SEVERITY IMPACT
High 1 SQL injection
Medium 1 Vulnerable JavaScript libraries
Low 1 Cookies with missing, inconsistent or contradictory properties
Low 1 Cookies without Secure flag set
Informational 4 Content Security Policy Misconfiguration
Informational 1 Outdated JavaScript libraries
4
SQL injection
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL
statements that control a web application's database server.
Impact
An attacker can use SQL injection to bypass a web application's authentication and authorization
mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and
delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used
by an attacker to execute OS commands, which may then be used to escalate an attack even further.
https://sais-hglp.saludzona5.gob.ec/wf_recuperar_clave.php Verified
POST (multipart) input txt_correo was set to 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
Tests performed:
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z => 14.954

Original value: 1
Request
POST /wf_recuperar_clave.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
X-Requested-With: XMLHttpRequest
Referer: https://sais-hglp.saludzona5.gob.ec/login.php
Cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22
Content-Length: 236
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/108.0.0.0 Safari/537.36
Host: sais-hglp.saludzona5.gob.ec
Connection: Keep-alive
5
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="hola"
hola=ACEPTAR
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="txt_correo"
0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z
------------YWJkMTQzNDcw--
Recommendation
Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries
allow the database to understand which parts of the SQL query should be considered as user input,
therefore solving SQL injection.
Description
In order for an SQL injection attack to take place, the vulnerable website needs to directly include user
input within an SQL statement. An attacker can then insert a payload that will be included as part of the
SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi

sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd
+ "'"
# Execute the SQL statement

database.execute(sql)
The above script is a simple example of authenticating a user with a username and a password against a
database with a table named users, and a username and password column.
The above script is vulnerable to SQL injection because an attacker could submit malicious input in such a
way that would alter the SQL statement being executed by the database server.
A simple example of an SQL injection payload could be something as simple as setting the password field
to password' OR 1=1.
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
An attacker can also comment out the rest of the SQL statement to control the execution of the SQL query
further.
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
6
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
Once the query executes, the result is returned to the application to be processed, resulting in an
authentication bypass. In the event of authentication bypass being possible, the application will most
likely log the attacker in with the first account from the query result — the first account in a database is
usually of an administrative user.
What's the worst an attacker can do with SQL?
SQL is a programming language designed for managing data stored in an RDBMS, therefore SQL can be
used to access, modify and delete data. Furthermore, in specific cases, an RDBMS could also run
commands on the operating system from an SQL statement.
Keeping the above in mind, when considering the following, it's easier to understand how lucrative a
successful SQL injection attack can be for an attacker.
An attacker can use SQL injection to bypass authentication or even impersonate specific users.
One of SQL's primary functions is to select data based on a query and output the result of that query. An
SQL injection vulnerability could allow the complete disclosure of data residing on a database server.
Since web applications use SQL to alter data within a database, an attacker could use SQL injection to
alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for
instance, issues such as voiding transactions, altering balances and other records.
SQL is used to delete records from a database. An attacker could use an SQL injection vulnerability to
delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could
affect an application's availability until the database is restored.
Some database servers are configured (intentional or otherwise) to allow arbitrary execution of operating
system commands on the database server. Given the right conditions, an attacker could use SQL injection
as the initial vector in an attack of an internal network that sits behind a firewall.
Preventing SQL injection using parameterized queries
SQL injection is one of the most widely spread and most damaging web application vulnerabilities.
Fortunately, both the programming languages, as well as the RDBMSs themselves have evolved to provide
web application developers with a way to safely query the database — parameterized SQL queries.
Parameterized queries are simple to write and understand while forcing a developer to define the entire
SQL statement before hand, using placeholders for the actual variables within that statement. A developer
would then pass in each parameter to the query after the SQL statement is defined, allowing the database
to be able to distinguish between the SQL command and data inputted by a user. If SQL commands are
7
inputted by an attacker, the parameterized query would treat the input as a string as opposed to an SQL
command.
Application developers should avoid sanitizing their input by means of escaping or removing special
characters (several encoding tricks an attacker could leverage to bypass such protections) and stick to
using parameterized queries in order to avoid SQL injection vulnerabilities.
References
SQL Injection (SQLi) - Acunetix

https://www.acunetix.com/websitesecurity/sql-injection/
Types of SQL Injection (SQLi) - Acunetix

https://www.acunetix.com/websitesecurity/sql-injection2/
Prevent SQL injection vulnerabilities in PHP applications and fix them - Acunetix
https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/
SQL Injection - OWASP
https://www.owasp.org/index.php/SQL_Injection
Bobby Tables: A guide to preventing SQL injection
https://bobby-tables.com/
SQL Injection Cheet Sheets - Pentestmonkey
http://pentestmonkey.net/category/cheat-sheet/sql-injection
Vulnerable JavaScript libraries

You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for
this version of the library. Consult Attack details and Web References for more information about the
affected library and the vulnerabilities that were reported.
Impact
Consult References for more information.
https://sais-hglp.saludzona5.gob.ec/ Verified
jQuery 1.10.2
URL: https://sais-hglp.saludzona5.gob.ec/js/jquery-1.10.2.js
Detection method: The library's name and version were determined based on the file's name, and contents.
Acunetix verified the library version and the associated vulnerabilities with the file's unique syntax
8
fingerprint, which matched the syntax fingerprint expected by Acunetix.
CVE-ID: CVE-2015-9251, CVE-2020-11022, CVE-2020-11023
Description: Possible Cross Site Scripting via third-party text/javascript responses / In jQuery versions
greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it -
to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted
code. This problem is patched in jQuery 3.5.0. / In jQuery versions greater than or equal to 1.0.3 and before
3.5.0, passing HTML containing option elements from untrusted sources - even after sanitizing it - to one of
jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This
problem is patched in jQuery 3.5.0.
References:
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://mksben.l0.cm/2020/05/jquery3.5.0-xss.html
https://jquery.com/upgrade-guide/3.5/
https://api.jquery.com/jQuery.htmlPrefilter/
https://www.cvedetails.com/cve/CVE-2020-11022/
https://github.com/advisories/GHSA-gxr4-xjj5-5px2
https://www.cvedetails.com/cve/CVE-2020-11023/
https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
Request
GET /js/jquery-1.10.2.js HTTP/1.1
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 9cb9be218a1b025f08e4bd920b27a72a
Acunetix-Aspect-ScanID: 8673812620515224479
Acunetix-Aspect-Queries: filelist;packages;aspectalerts;routes
Referer: https://sais-hglp.saludzona5.gob.ec/wf_recuperar_clave.php
Recommendation
Upgrade to the latest version.
Cookies with missing, inconsistent or contradictory

properties
9
At least one of the following cookies properties causes the cookie to be invalid or incompatible with either
a different property of the same cookie, of with the environment the cookie is being used in. Although this
is not a vulnerability in itself, it will likely lead to unexpected behavior by the application, which in turn
may cause secondary security issues.
Impact
Cookies will not be stored, or submitted, by web browsers.
List of cookies with missing, inconsistent or contradictory properties:
https://sais-hglp.saludzona5.gob.ec/login.php
Cookie was set with:
Set-Cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22; path=/; HttpOnly
This cookie has the following issues:
- Cookie without SameSite attribute.

When cookies lack the SameSite attribute, Web browsers may apply different and
sometimes unexpected defaults. It is therefore recommended to add a SameSite
attribute with an appropriate value of either "Strict", "Lax", or "None".
Request
GET /login.php HTTP/1.1
Recommendation
Ensure that the cookies configuration complies with the applicable standards.
10
References
MDN | Set-Cookie
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Securing cookies with cookie prefixes

https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
Cookies: HTTP State Management Mechanism

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05
SameSite Updates - The Chromium Projects

https://www.chromium.org/updates/same-site
draft-west-first-party-cookies-07: Same-site Cookies

https://tools.ietf.org/html/draft-west-first-party-cookies-07
Cookies without Secure flag set

One or more cookies does not have the Secure flag set. When a cookie is set with the Secure flag, it
instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. This is an
important security protection for session cookies.
Impact
Cookies could be sent over unencrypted channels.
Cookies without Secure flag set:
https://sais-hglp.saludzona5.gob.ec/login.php
Set-Cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22; path=/; HttpOnly
Request
GET /login.php HTTP/1.1
11
Recommendation
If possible, you should set the Secure flag for these cookies.
Content Security Policy Misconfiguration

Acunetix evaluated the scan target's Content Security Policies, checked for misconfigurations and
potentially unintended side-effects of otherwise valid configurations, and offers the following suggestions
on how to change existing policies for improved security and maximum compatibility.
Impact
An Unsafe Content Security Policy (CSP) Directive in Use

First observed on: https://sais-hglp.saludzona5.gob.ec/login.php
CSP Value: default-src 'self' data: blob: *.google.com *.gstatic.com; style-src 'self' 'unsafe-inline'
*.google.com *.googleapis.com; script-src 'self' 'unsafe-inline' *.googleapis.com *.google.com; report-uri
https://sais-hglp.saludzona5.gob.ec/repor-csp.php
CSP Source: header
Summary: Acunetix detected that one of following CSP directives is used: unsafe-eval, unsafe-inline. By
using unsafe-eval, you allow the use of string evaluation functions like eval. By using unsafe-inline, you
allow the execution of inline scripts, which almost defeats the purpose of CSP. When this is allowed, it's very
easy to successfully exploit a Cross-site Scripting vulnerability on your website.
Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully.
Remediation: If possible remove unsafe-eval and unsafe-inline from your CSP directives.
References:
N/A
Request
12
POST /login.php HTTP/1.1
Content-Length: 429
accept: */*
accept-language: en-US
content-type: multipart/form-data; boundary=----WebKitFormBoundaryjCyxIfDjj1DBhLB5
cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22; SAISSESSION=6n361lvdp6jhucn52e2h2vnh22
origin: https://sais-hglp.saludzona5.gob.ec
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Connection: keep-alive
------WebKitFormBoundaryjCyxIfDjj1DBhLB5
Content-Disposition: form-data; name="csrf"
5788c04c0b87ab78b4c38f44bc65e0580c43325c72a0df7c97b5a1b94af46ef8
Content-Disposition: form-data; name="inpusuario"
testing@example.com
Content-Disposition: form-data; name="inppassword"
u]H[ww6KrA9F.x-F
------WebKitFormBoundaryjCyxIfDjj1DBhLB5--
default-src Used in Content Security Policy (CSP)

CSP Source: header
Summary: Acunetix detected that you used default-src in CSP directive. It is important to know that default-
src cannot be used as a fallback for the functions below: base-uri, form-action, frame-ancestors, plugin-
types, report-uri, sandbox
Impact: N/A
Remediation: N/A
References:
N/A
Request
13
Content-Length: 429
accept: */*
testing@example.com
u]H[ww6KrA9F.x-F
Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive

CSP Source: header
Summary: Acunetix detected that wildcard was used in domain portion of a CSP directive.
Impact: This means you trust all of the subdomains of this domain, if this is the case there is no impact.
Remediation: If you trust all of the subdomains and if this is necessary then you do not need to take any
actions. However if this is not the case replace the wildcard with the only subdomain that you trust.
References:
N/A
Request
14
Content-Length: 429
accept: */*
testing@example.com
u]H[ww6KrA9F.x-F
data: Used in a Content Security Policy (CSP) Directive

CSP Source: header
Summary: Acunetix detected data: use in a CSP directive.
Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully by using
data: protocol.
Remediation: Remove data: sources from your CSP directives.
References:
N/A
Request
15
Content-Length: 429
accept: */*
testing@example.com
u]H[ww6KrA9F.x-F
Recommendation
See alert details for available remediation advice.
References
Using Content Security Policy (CSP) to Secure Web Applications

https://www.invicti.com/blog/web-security/content-security-policy/
The dangers of incorrect CSP implementations

https://www.invicti.com/blog/web-security/negative-impact-incorrect-csp-implementations/
Leverage Browser Security Features to Secure Your Website

https://www.invicti.com/blog/web-security/leverage-browser-security-features-secure-website/
Outdated JavaScript libraries
16
You are using an outdated version of one or more JavaScript libraries. A more recent version is available.
Although your version was not found to be affected by any security vulnerabilities, it is recommended to
keep libraries up to date.
Impact
https://sais-hglp.saludzona5.gob.ec/ Confidence: 95%
bootstrap.js 3.3.7
URL: https://sais-hglp.saludzona5.gob.ec/js/bootstrap.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/twbs/bootstrap/releases
Request
GET /js/bootstrap.min.js HTTP/1.1
Referer: https://sais-hglp.saludzona5.gob.ec/wf_recuperar_clave.php
Recommendation
Upgrade to the latest version.
17
Coverage
https://sais-hglp.saludzona5.gob.ec
api
config.php
config
css
bootstrap
css
bootstrap.min.css
fonts
glyphicons-halflings-regular.eot%20
#fragments
iefix
images
adminlte.min.css
bootstrap.css
Imagenes
images
js
images
modules
themes
bootstrap.min.css
bootstrap.min.js
jquery-1.10.2.js
login.js
php
resources
temp
tmp
upload
img_sistema
18
login.php
Inputs
POST csrf, inpusuario, inppassword
POST csrf, iniciar, inppassword, inpusuario
wf_recuperar_clave.php
Inputs
POST hola, txt_correo
19

Comprehensive New Https PHP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Comprehensive New Https PHP

Uploaded by

Copyright:

Available Formats

Comprehensive Report

Acunetix Threat Level 3

Severity Vulnerabilities Instances

High 1 SQL injection

Medium 1 Vulnerable JavaScript libraries

Low 1 Cookies with missing, inconsistent or contradictory properties

Low 1 Cookies without Secure flag set

Informational 4 Content Security Policy Misconfiguration

Informational 1 Outdated JavaScript libraries

POST (multipart) input txt_correo was set to 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z

0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z => 14.954

# SQL query vulnerable to SQLi

# Execute the SQL statement

What's the worst an attacker can do with SQL?

Preventing SQL injection using parameterized queries

SQL Injection (SQLi) - Acunetix

Types of SQL Injection (SQLi) - Acunetix

Vulnerable JavaScript libraries

Cookies with missing, inconsistent or contradictory

List of cookies with missing, inconsistent or contradictory properties:

Cookie was set with:

Set-Cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22; path=/; HttpOnly

This cookie has the following issues:

- Cookie without SameSite attribute.

Securing cookies with cookie prefixes

Cookies: HTTP State Management Mechanism

SameSite Updates - The Chromium Projects

draft-west-first-party-cookies-07: Same-site Cookies

Cookies without Secure flag set

Cookies without Secure flag set:

Set-Cookie: SAISSESSION=6n361lvdp6jhucn52e2h2vnh22; path=/; HttpOnly

Content Security Policy Misconfiguration

An Unsafe Content Security Policy (CSP) Directive in Use

default-src Used in Content Security Policy (CSP)

Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive

data: Used in a Content Security Policy (CSP) Directive

Using Content Security Policy (CSP) to Secure Web Applications

The dangers of incorrect CSP implementations

Leverage Browser Security Features to Secure Your Website

Outdated JavaScript libraries

https://sais-hglp.saludzona5.gob.ec/ Confidence: 95%

POST csrf, iniciar, inppassword, inpusuario

You might also like