Web Application Vulnerability & Security Checks
Netsparker is able to detect all of the below issues automatically in web applications.To afford your web application the maximum degree of protection, Netsparker checks for numerous vulnerabilities and deviations from security best practice. Our active security research team is constantly at work to ensure that this list stays ahead of the game. The below is a list of vulnerability classes. For more details about every individual security check of Netsparker refer to the list of all security checks.
Netsparker can detect various forms of SQL Injection vulnerability, including Error Based, Blind and Time Based SQL Injections. The SQL Injection engine is very comprehensive and can detect Blind SQL Injections even in complicated queries.
After identification of the vulnerability, Netsparker will carry out extra checks to determine if the database user used by the application has admin privileges. In this case Netsparker will report a separate issue called “Admin User DB Connection”.
- Error Based SQL Injections
- Boolean SQL Injections
- Blind (Time Based) SQL Injections
XSS (Cross-site Scripting)
Netsparker identifies Permanent/Stored and Reflective Cross-site Scripting. Cross-site Scripting issues can be identified in parameters or in the URL.
Netsparker carries out several different attacks to bypass known and custom weak protection.
XSS (Cross-site Scripting) via Remote File Injection
XSS (Cross-site Scripting) in URLs
Netsparker also detects Cross-site Scripting issues in URLs. This type of attack is common in websites using URL Rewrite and PHP.
Netsparker detects client scripts that are susceptible to DOM based cross-site scripting vulnerability.
Read DOM XSS Explained for more detailed and technical information about this vulnerability.
Netsparker detects pages that are susceptible to Command Injection vulnerabilities, whereby input data is interpreted as an operating system command.
This type of vulnerability can allow an attacker to gain full access over the server and the web application. For more information read What is the Command Injection Vulnerability?
Blind Command Injection
Netsparker detects pages that are susceptible to Blind Command Injection, whereby input data is interpreted as an operating system command but it can’t be directly identified from the output of the page. Netsparker will identify Blind Command Injections by carrying out several requests and analyze the time differences.
This type of vulnerability can allow an attacker to gain full access over the server and the web application.
Local File Inclusions & Arbitrary File Reading
Netsparker detects Local File Inclusion and Arbitrary File Reading issues; It detects if an attacker can access files and source code from the server on both Windows and *nix systems. It carries out advanced checks, uses process directories, Null byte injection attacks, dynamic file extension replacements and many other methods to bypass weak filters and blacklistings.
In addition, it checks if the Local File Inclusion can be used for executing remote commands by injecting code into log files.
Netsparker has exploitation features for the Local File Inclusion vulnerability.
Remote File Inclusions
Netsparker detects if the application is vulnerable to Remote File Inclusions which allow an attacker to inject a remote file and execute code on the server.
Netsparker carries out several dynamic requests, and tries to bypass many weaknesses and blacklistings.
Remote Code Injection / Evaluation
Netsparker detects if the application evaluates/executes given code within itself by using dangerous calls such as eval().
This type of vulnerability can allow an attacker to execute code on the server.
CRLF / HTTP Header Injection / Response Splitting
Netsparker detects CRLF injection issues that can cause serious problems in web applications, such as leading to Cross-site Scripting and session hijacking attacks.
Read the CRLF Injection and HTTP Response Splitting article for more detailed and technical information on this web application vulnerability and how to prevent it.
Netsparker detects if a web page is being redirected to another web page via a user controllable input. An attacker might exploit this vulnerability to redirect users to other malicious web sites which are used for phishing and similar attacks.
Netsparker detects the use of Frame Injection on a web page. Frame Injection occurs when a frame on a vulnerable web page displays another web page via a user controllable input. An attacker might exploit this vulnerability to redirect users to other malicious web sites which are used for phishing and similar attacks.
Database User Has Admin Privileges
Netsparker detects if the web application is accessing its backend database via a user account with administrative privileges. This vulnerability increases the potential exposure in the event of an SQL Injection attack and introduces a range of serious consequential issues, including:
- allowing full and unrestricted access to the database server
- the ability to obtain a reverse shell and execute commands on the underlying OS
- the possibility of escalating privileges and gaining administrator access to the OS
Vulnerability Database (Inferred vulnerabilities)
When Netsparker detects version disclosure in a web application or infrastructure component, it uses the disclosed version information to reference an embedded database of known vulnerabilities, to identify all security vulnerabilities that were known to be present in the identified version. This provides a rich insight into the vulnerabilities present in supported web applications, including known vulnerabilities that cannot ordinarily be detected or confirmed by automated scanning.
Netsparker’s vulnerability database is maintained and developed on an ongoing basis. The applications currently represented in the database include Apache, Tomcat, SQL Server and MySQL.
ASP.NET ViewState Vulnerabilities
Netsparker analyses ViewState related issues in ASP.NET pages.
ViewState is not Signed
Netsparker reports a new issue if the ViewState in the page is not signed. In this case an attacker might modify the content of the ViewState and subvert the logic of the application, or carry out other attacks by changing the ViewState.
ViewState is not Encrypted
Netsparker reports a vulnerability if the ViewState in the page is not encrypted. In this case an attacker can read the data within the ViewState by simply decoding it. This might leak sensitive information to the attacker.
Web Backdoor Identified
Netsparker detects the presence of web backdoors on the target web server. This may indicate that the web server has been successfully attacked on a previous occasion.
TRACE / TRACK Method Support Enabled
Netsparker checks and determines if the TRACE / TRACK HTTP Methods are supported, and enabled, by the web server.
XSS Protection Disabled
Netsparker detects if a web application issues an HTTP request that disables Internet Explorer’s built-in XSS Protection feature.
ASP.NET Debugging Enabled
Netsparker detects if ASP.NET Debugging is enabled.
ASP.NET Trace Enabled
Netsparker detects if ASP.NET Tracing is enabled and accessible.
An attacker can use ASP.NET Tracing output to access active users’ sessions, and gather information about the application and its structure.
Backup Files Accessible
Netsparker tries to find backup and temporary files on the target website by using crawled file names and other well-known names.
Netsparker determines if this problem can lead to source code disclosure issues.
Apache Server-Status and Apache Server-Info pages Accessible
Netsparker detects if the Apache Server-Status or Server-Info pages are publicly accessible.
Apache Server-Status and Server-Info can be used by attackers to gain more information about the target system and will help them to find hidden URLs and currently visited URLs.
Hidden Resources Accessible
Netsparker looks for hidden files and directories in the target website.
- Test files
- Management files and directories
- Known vulnerable files / scripts
Crossdomain.xml File Vulnerable
Netsparker detects and analyses crossdomain.xml files for problems such as open access policy issues.
With this type of vulnerability, an attacker needs to attack an authenticated user of the website to exploit this problem successfully. The attacker is then able to read authenticated users’ private messages or carry out actions as the attacked user. If the Crossdomain.xml file has an open policy, the attacker can bypass any CSRF protection (nonce / CSRF tokens).
Robots.txt File Vulnerable
Netsparker detects and parses links in Robots.txt files. If it identifies a potentially critical URL listed in the Robots.txt it will report the problem, together with details.
Google Sitemap Vulnerable
Netsparker detects and parses Google Sitemap files to increase coverage and inform the user that the sitemap file is accessible (in order to confirm that this is the intended configuration).
Silverlight Client Access Policy File Vulnerable
Netsparker detects the presence of the Silverlight Open Policy file (clientaccesspolicy.xml), which allows other Silverlight client services to make HTTP requests to the target server. It could potentially be used for accessing one time tokens and CSRF nonces to bypass CSRF restrictions.
CVS, GIT and SVN Information and Source Code Disclosure
Netsparker detects files disclosed by source code versioning systems such as CVS, GIT and SVN. An attacker might exploit this problem to gain access to the source code of the application, or might retrieve configuration and/or other important files.
PHPInfo() Pages Accessible and PHPInfo() Disclosure in other Pages
Netsparker attempts to find forgotten phpinfo files in the system. It also reports the PHPinfo() output in all crawled pages.
Information disclosed from PHPInfo() might help attackers gain more information about the target system.
Sensitive Files Accessible
Netsparker maintains a target list of known files names that are used by a variety of web applications and are susceptible to attack. It systematically probes for these files and, if found, attempts to attack their known vulnerabilities.
Redirect Response BODY Is Too Large
Netsparker detects HTTP redirect responses that also contain body content. This generally indicates that, after redirection, the server did not abort generation of the redirecting page in the intended manner. This can lead to authentication bypass if the redirection mechanism is being used to restrict access to a private page that requires authentication.
Redirect Response BODY Has Two Responses
Netsparker detects HTTP redirects that include two responses. This generally indicates that, after redirection, the server did not abort generation of the redirecting page in the intended manner. This can lead to authentication bypass if the redirection mechanism is being used to restrict access to a private page that requires authentication.
Insecure Authentication Scheme Used Over HTTP
Netsparker detects if the application is configured to use Basic, Digest or NTLM authentication over HTTP. These authentication schemes are considered to be sufficiently secure if they are used over HTTPS. Using them over HTTP can result in a variety of consequential issues, including:
- information leakage
- the possibility to lock or brute force user accounts
- transmission of user credentials on a clear-text form
Password Transmitted over HTTP
Netsparker identifies if the website sends passwords over HTTP.
An attacker sitting between the user and the website might carry out a MITM (Man in the middle) or sniffing attack to capture the user’s password.
Password Form Served over HTTP
Netsparker determines if a login form is served over HTTP when the target of the form is HTTPS.
Many developers might not be aware that this is a security issue; therefore Netsparker provides a detailed report for this problem to ensure that the issue is correctly addressed by developers.
Authentication Obtained by Brute Forcing
Netsparker maintains a user-configurable word list and uses it to attempt brute force bypassing of Basic, NTLM and Digest Authentication schemes, reporting a corresponding vulnerability when a brute force attempt succeeds.
Basic Authentication Obtained over HTTP
Netsparker detects if the application is using Basic Authentication over HTTP, which sends user credentials in plain text and exposes the risk that an attacker can intercept network traffic and steal them.
Netsparker detects the use of weak usernames and passwords to access web resources. Depending on the nature of the password-protected resource, an attacker might exploit this to access the contents of the resource or to access password protected administrative mechanisms, potentially allowing full control of the application.
E-mail Address Disclosure
Netsparker identifies email addresses exposed in the website. This can help users to identify email address-related information exposed on the internet to help you reduce the potential for spam.
Internal IP Disclosure
Netsparker identifies internal IP Disclosure issues where a system exposes its internal network IP address.
Netsparker detects if directory listing is enabled in the web server.
Directory listing can allow attackers to see all files on the system and can help them to download sensitive files or gain more information about the target system.
Netsparker determines if the target application is disclosing version information.
A version disclosure can leak information about the internals of the application that might include sensitive data or many several vulnerability of that version.
Internal Path Disclosure
Netsparker determines if an application discloses internal paths related to the application or the configuration.
This generally indicates a programming error in the application and can help an attacker to gain more information about the internals of the system. An attacker can use this information while crafting an exploit for another identified vulnerability.
Access Denied Resources
Netsparker reports an information issue when access is denied to the requested resources.
This can help the user to determine the design of the application and possible resources that exist in the web server but are not publicly available.
MS Office Information Disclosure
Netsparker detects if pages served by the web application were generated using Microsoft Office. Such pages contain embedded user information and can be used for social engineering attacks.
Auto Complete Enabled
Netsparker determines if Auto Complete is left Enabled in sensitive form fields such as Credit Card number fields.
An attacker who can access the user’s computer can access these cached auto-complete datasets via the browser. This is especially critical if the website is accessed from public computers.
MySQL Username Disclosure
Netsparker detects if an application error message contains a MySQL user name. This information might be used as part of an attack on the database server.
Default Page Identified
Netsparker detects the presence of the default installation page on Apache, IIS 6, IIS 7 and several other systems. This issue is reported for information only.
Cookies are not marked as Secure
Netsparker reports an issue if it finds cookies that are not marked as “Secure” in HTTPS websites.
Not marking cookies as “Secure” can allow attackers to steal the cookies over an HTTP connection and use those cookies to log in to the application.
Cookies are not marked as HTTPOnly
Netsparker reports an issue if it finds cookies that are not marked as HTTPOnly.
“HTTPOnly” should be considered as a defence in depth feature and should be used where possible.
Stack Trace Disclosure
Netsparker determines if the target application is disclosing stack trace information.
A stack trace can leak information about the internals of the application that might include sensitive data or application logic-related clues.
Programming Error Message Disclosure
Netsparker provokes the target website to produce error messages and then reports on the outcome. These errors have no direct security impact; Most of the time they indicate a programming error, quality issue, or a potential vulnerability in the application.
Many of these types of errors also leak information about the logic or the implementation of the application which can help an attacker to identify or exploit weaknesses in the application.
Database Error Message Disclosure
Netsparker provokes and reports database error messages leaked by the website. If the problem is related to SQL Injection, a separate issue will be raised by Netsparker, otherwise the user is informed that the application is exposing database error messages which are potentially related to programming errors or possibly other problems regarding database connectivity.
Application Source Code Disclosure
Netsparker provokes the web server to disclose source code where possible, and detects whether the source code disclosure is due to a configuration problem, a security issue, or due to a programming error where revealing comments are left in the code.
An attacker can access hard coded passwords and might gain information about the logic of the application (and the system) by reading the disclosed source code.