-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathOWASP_WSTG_ASVS_en.json
2168 lines (2168 loc) · 255 KB
/
OWASP_WSTG_ASVS_en.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
[
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage"
],
"locale": "en",
"title": "Disclosure of sensitive information indexed in web search engines or other public sources",
"vulnType": "OWASP WSTG",
"description": "<p>Search engines can be used to perform recognition of web sites and applications. There are direct and indirect elements to search engine discovery and recognition: direct methods are related with searching the indexes and associated content of caches, while indirect methods are related with learning sensitive information about the layout and configuration by searching in forums, newsgroups, and websites.</p><p>By using search engines such as Google, DuckDuckGo or Bing it is possible to find potentially sensitive information such as:</p><ul><li><p>Network diagrams and configurations.</p></li><li><p>Archived messages and emails from administrators or other key personnel.</p></li><li><p>Login procedures and username formats.</p></li><li><p>User names, passwords and private keys.</p></li><li><p>Configuration files from third parties or cloud services.</p></li><li><p>Content of revealing error messages.</p></li><li><p>Development versions, tests, user acceptance tests (UAT) and test versions of the applications.</p></li></ul>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Before publishing an application, it is essential to consider the sensitivity of the data exposed in it in order to prevent accidental disclosures of sensitive information.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server",
"https://cwe.mitre.org/data/definitions/200.html",
"https://wiki.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004)"
],
"locale": "en",
"title": "Disclosure of sensitive information in HTTP headers",
"vulnType": "OWASP WSTG",
"description": "<p>This situation occurs when the application reveals the type and/or version of an internal component being used by revealing information in the HTTP protocol headers. Through this information, the operating system, one of its services (web, mail, file transfer...), or one of its components (PHP, mod_proxy, WebDAV...) can be revealed.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>To prevent this kind of information disclosure, it is necessary to conceal the information displayed in the protocol headers.To prevent this kind of information disclosure, it is necessary to conceal the information displayed in the protocol headers.</p><p>A fix, which is typically an update to it or the application of a specific patch, is typically necessary to fix the published vulnerabilities of the detected components and requires adhering to the recommendations of the maker of the vulnerable software to resolve the vulnerabilities.</p><p>It would be necessary to decide whether to stop offering the service until a solution was found or take the chance of doing so even in the absence of a published solution.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework"
],
"locale": "en",
"title": "Disclosure of sensitive information in application cookies",
"vulnType": "OWASP WSTG",
"description": "<p>The configuration of the cookies exposes sensitive information in both the cookie's pre-established name and its content, which leads to this vulnerability. For instance, a cookie with the name of the software it was created with.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>To prevent this kind of information disclosure, it is necessary to either hide the data displayed in the cookies or alter their name or content.</p><p>In order to fix the publicly disclosed vulnerabilities of the detected components, it is typically necessary to follow the manufacturer's recommendations for resolving the vulnerabilities, a solution which typically entails an update of the software or the application of a particular patch.</p><p>It would be necessary to decide whether to stop offering the service until a solution was found or take the chance of doing so even in the absence of a published solution.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html",
"https://developers.google.com/search/docs/advanced/robots/intro"
],
"locale": "en",
"title": "Disclosure of sensitive information in the 'robots.txt' file",
"vulnType": "OWASP WSTG",
"description": "<p>Some programs use spider bots to automatically browse websites in an effort to index them. Any user can access the \"robots.txt\" file, which is used to specify directories and resources that the administrator wants to be indexed and those that he or she does not. The configuration of this file needs to be handled with extra caution because it may reveal which resources are sensitive.</p><p>The \"robots.txt\" file contains sensitive resources that could be used by an attacker to launch more sophisticated and precise attacks using the data gathered.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>The 'robots.txt' file shouldn't be used as a method of restricting access to the application's insecure areas. Beyond their protection from spider-type robots, access to these sections must be properly controlled against potential attacks.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html"
],
"locale": "en",
"title": "Disclosure of sensitive information in the 'sitemap.xml' file",
"vulnType": "OWASP WSTG",
"description": "<p>A developer or organization can provide details about the resources available in the application and their connections in the \"sitemap.xml\" file.</p><p>The \"sitemap.xml\" file contains sensitive resources that can be used by an attacker to launch more advanced and precise attacks using the data they have gathered.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is advised to delete any sensitive data from the \"sitemap.xml\" file that is not required for the application's development.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html"
],
"locale": "en",
"title": "Disclosure of sensitive information in the 'security.txt' file",
"vulnType": "OWASP WSTG",
"description": "<p>A proposed standard allows web pages to specify security policies and contact information in the \"security.txt\" file.</p><p>The \"security.txt\" file contains sensitive information that could be used by an attacker to launch more sophisticated and precise attacks using the data gathered.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is advised to delete all private data from the \"security.txt\" file that is not required for the application's development.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html"
],
"locale": "en",
"title": "Disclosure of sensitive information in the 'humans.txt' file",
"vulnType": "OWASP WSTG",
"description": "<p>The \"humans.txt\" file is a project to learn more about the people who create a website.</p><p>The \"humans.txt\" file contains sensitive information that could be used by an attacker to launch more sophisticated and precise attacks using the data gathered.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is advised to delete all private data from the \"humans.txt\" file that isn't necessary for the application's development.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/540.html"
],
"locale": "en",
"title": "Disclosure of sensitive information in the source code",
"vulnType": "OWASP WSTG",
"description": "<p>This situation arises when analyzing a file that has been uploaded to a web server reveals server-related information that can be used to plan new attacks, such as the type and version of applications being used, components or extensions that are in use, credentials...</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>To prevent sensitive information leaks, the HTML source code that the server sends must be modified.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/497.html"
],
"locale": "en",
"title": "Disclosure of sensitive information because debug mode is enabled",
"vulnType": "OWASP WSTG",
"description": "<p>It is occasionally possible to display technical data or trade secrets within the application by using a \"enabling debug parameter.\" As a result, the attacker increases the size of his attack surface by learning more about how the application works. Enabling the debug flag might occasionally even result in code execution attacks (older versions of werkzeug)</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Production applications shouldn't ever generate internal information like stack traces and error messages unless they directly commit it to a log that the end user cannot see. Before being written to the log file, all error message text should be HTML entity encoded to prevent potential cross-site scripting attacks against the log viewer.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html"
],
"locale": "en",
"title": "Disclosure of sensitive information (generic)",
"vulnType": "OWASP WSTG",
"description": "<p>A password, for example, is a sensitive piece of information that can be valuable on its own or be used to launch other, more serious attacks (such as obtaining an uncontrolled error message). Error message content can be used by an attacker to support the launch of a different, more focused attack. An attempt to exploit a directory enumeration or path traversal flaw, for instance, might reveal the complete path to the installed application.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Create \"safe\" areas within the system where trust boundaries can be clearly defined. Allow no sensitive information to cross the lines of trust, and exercise extreme caution whenever interacting with a compartment outside of a secure area.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/200.html",
"https://cwe.mitre.org/data/definitions/359.html"
],
"locale": "en",
"title": "Disclosure of credentials (credentials leak)",
"vulnType": "OWASP WSTG",
"description": "<p>It has been possible to verify and check the existence of files containing sensitive information, such as valid credentials for accessing other systems, at a variety of endpoints. There is no need for any kind of cookie or earlier authentication system to access these credentials.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Regardless of the software these user credentials are used for, it is never advised to expose sensitive files that expose user credentials.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/798.html"
],
"locale": "en",
"title": "Use of Hard-coded Credentials",
"vulnType": "OWASP WSTG",
"description": "<p>For its own internal data encryption, outbound communication with external components, and inbound authentication, the software has hard-coded credentials, such as a password or cryptographic key. Hard-coded credentials frequently produce a sizable security gap that enables an attacker to get around the authentication settings that the software administrator has set up.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question.</p></li><li><p>Access Control: Execute Unauthorized Code or Commands: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.</p></li></ul>",
"remediation": "<p>Instead of static API secrets and keys, use session tokens.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage",
"https://cwe.mitre.org/data/definitions/200.html",
"https://capec.mitre.org/data/definitions/118.html"
],
"locale": "en",
"title": "Disclosure of sensitive information in the metadata of files available in the application",
"vulnType": "OWASP WSTG",
"description": "<p>The term \"metadata\" refers to information about a document that is primarily descriptive in nature. Information about administration and management may also be included.</p><p>The collection of data that characterizes or defines a particular piece of information that they are linked to is known as metadata. By enhancing the information they are linked to, metadata make a computer's interpretation of that information much more thorough and enhance document retrieval.</p><p>Through its metadata, they have been found to have been used to extract sensitive information.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is advised that all files available in the application should have their metadata removed before being made accessible to the network in order to address this vulnerability.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework"
],
"locale": "en",
"title": "Disclosure of sensitive information in default content",
"vulnType": "OWASP WSTG",
"description": "<p>This occurs when default files are left open after the installation of a service or application. Due to the type of information they divulge, such as the type and version of the Web server being used, the existence of default files on a Web server poses a threat.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>In order to fix it, all default files that are not required for the server's operation must be removed, including the default pages that were installed after the server.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver",
"https://cwe.mitre.org/data/definitions/538.html",
"https://www.owasp.org/index.php/Full_Path_Disclosure"
],
"locale": "en",
"title": "Disclosure of internal server paths and directories",
"vulnType": "OWASP WSTG",
"description": "<p>This fact arises whenever the absolute path of a web server or an application hosted on it can be determined using any mechanism, such as by sending an error message, tracking the sending of parameters, etc.</p><p>The server's absolute directory, where the web content is stored, can be found.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Depending on the kind of flaw that led to the disclosure, the best course of action will vary. If it was obtained following an error message, it is essential to swap out these server error messages with a generic message that merely reports an abnormal situation without going into further detail regarding its cause. It is necessary to alter the application logic so that only relative paths are displayed or not at all if that path has been made public by an application parameter.</p><p>It is advised to swap out the server error messages for a generic message that simply states that something is abnormal without going into further detail as to why.</p><p>The configuration file must be used in order to accomplish this.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Information Gathering",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver",
"https://cwe.mitre.org/data/definitions/548.html"
],
"locale": "en",
"title": "Directory listing",
"vulnType": "OWASP WSTG",
"description": "<p>Directory listing is a feature that, when enabled, causes web servers to list the contents of a directory when no index file (eg index.php or index.html) is present. Therefore, if a request is made to a directory where directory listing is enabled, and there is no index file, even if there are files from a web application, the web server sends a directory listing as a response.</p><p>When this happens there is a data leakage problem, and attackers can use this data to build other attacks, including direct hit vulnerabilities like XSS. This can be useful in development environments but is not a good practice for production servers.</p><p>The fact that a web server allows listing a directory has several security implications:</p><ul><li><p>Allows users to download certain files or access certain directories that would not otherwise be possible.</p></li><li><p>It can display information that helps an attacker find out technical details about the web server.</p></li><li><p>Shows all the contents of the directory, without discriminating between files that can be public, and those that should remain private.</p></li></ul><p>This is often accidental, as a default web server displays a directory listing in case the index file is invalid or does not exist.</p>",
"observation": "<ul><li><p>Confidentiality: Read Files or Directories: Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data.</p></li></ul>",
"remediation": "<p>Configure properly. The web servers, whether NGINX, Apache, or IIS, must be set up so that neither the directory listing nor user navigation through the paths is permitted.For instance, on an Apache web server, you need to create an.htaccess file in the appropriate application directory to disable directory listing. The following lines can be added to the httpd.conf file or swapped out for the ones already there:</p><p><Directory /{YOUR DIRECTORY}>Options FollowSymLinks</Directory></p><p>As you can see from the sample code above, in order to safely disable the directory listing feature on an Apache web server, you must remove the Indexes and MultiViews statements.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption",
"https://cwe.mitre.org/data/definitions/311.html",
"https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html",
"https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html",
"https://wiki.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)"
],
"locale": "en",
"title": "Absence of SSL/TLS encryption",
"vulnType": "OWASP WSTG",
"description": "<p>Instead of the HTTPs protocol, HTTP is used to communicate with the web server. To stop an attacker from reading or altering the data sent between the client and server, it must be encrypted and protected. The most common method for doing this is through HTTPS, which substitutes the Secure Socket Layer (SSL) protocol for the Transport Layer Security (TLS) protocol. By displaying a trusted digital certificate, the server can use TLS to show the client that it is connected to the right server.</p><p>Over the years, a large number of cryptographic weaknesses have been identified in the SSL and TLS protocols, as well as in the ciphers they use. In addition, many of the implementations of these protocols have also had serious vulnerabilities. Therefore, it is important to check that sites are not only implementing TLS, but that they are doing so in a secure manner.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: An attacker may be able to decrypt the data using brute force attacks.</p></li></ul>",
"remediation": "<p>The web server must be configured in order to support HTTPs. Additionally, it is practical to use the HSTS header and switch all HTTP requests to the HTTPs protocol.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security",
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/319.html",
"https://capec.mitre.org/data/definitions/117.html"
],
"locale": "en",
"title": "Mixed content",
"vulnType": "OWASP WSTG",
"description": "<p>Content uploaded using the HTTP protocol is used by the web application, which uses the HTTPs protocol. Since any data uploaded via HTTP can be intercepted and altered by an attacker, this practice is regarded as being insufficient.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>The web server must be configured in order to support HTTPs. Additionally, it is practical to use the HSTS header and switch all HTTP requests to the HTTPs protocol.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption",
"https://cwe.mitre.org/data/definitions/310.html",
"https://cwe.mitre.org/data/definitions/327.html"
],
"locale": "en",
"title": "Weak Encryption algorithms",
"vulnType": "OWASP WSTG",
"description": "<p>Numerous flaws in the web server's configuration of the SSL/TLS service could lead to insecure communication between the client and the server.</p><p>The encryption algorithms used by the SSL/TLS service running on the server are regarded as being weak or having known vulnerabilities.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li><li><p>Access Control: Modify Application Data: An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trik the user into changing privacy settings.</p></li></ul>",
"remediation": "<p>Allow only TLS connections with encryption that is regarded as secure in versions 1.2 or 1.3.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security",
"https://cwe.mitre.org/data/definitions/326.html"
],
"locale": "en",
"title": "Use of Obsolete SSL/TLS Protocol Versions",
"vulnType": "OWASP WSTG",
"description": "<p>To stop an attacker from reading or altering the data sent between the client and server, it must be encrypted and protected. The most popular method for doing this is HTTPS, which substitutes the outdated Secure Socket Layer (SSL) protocol with the Transport Layer Security (TLS) protocol. By displaying a trusted digital certificate, the server can use TLS to show the client that it is connected to the right server.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>On the web server, insecure variants of the SSL/TLS protocol must be disabled.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security"
],
"locale": "en",
"title": "Secure Client-Initiated Renegotiation",
"vulnType": "OWASP WSTG",
"description": "<p>On the server side compared to the client side, more resources are used during SSL/TLS connection negotiation. In the event that the server permits the client to request a connection renegotiation, an attacker might take advantage of this feature to send out numerous negotiation requests, using up server resources and possibly resulting in a denial of service (DoS).</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>To address the vulnerability, it is advised to apply the most recent patch. It is essential to update to version 0.9.8l or later on systems running OpenSSL. On the other hand, it is also possible to disable the client's initiation of renegotiation as a mitigation without the need for an update.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security",
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption",
"https://cwe.mitre.org/data/definitions/16.html"
],
"locale": "en",
"title": "Untrusted Digital Certificate",
"vulnType": "OWASP WSTG",
"description": "<p>The server's digital certificate is insecure and unreliable due to some incorrect parameters, which increases the risk of confidentiality or dependability to the system.</p>",
"observation": "<ul><li><p>Other: Technical Impact: Varies by Context</p></li></ul>",
"remediation": "<p>It is advised to create a digital certificate that browsers recognize as reliable (issued by a recognized authority, within the validity period and with the common name of the certificate equal to the name of the Web site offering the services).</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/299.html"
],
"locale": "en",
"title": "Improper check for certificate revocation (OCSP Stapling)",
"vulnType": "OWASP WSTG",
"description": "<p>To stop man-in-the-middle attacks on users of your applications, you should always be able to quickly recall these certificates whenever your certificate authority loses trust.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: Trust may be assigned to an entity who is not who it claims to be.</p></li><li><p>Other: Other: Data from an untrusted (and possibly malicious) source may be integrated.</p></li><li><p>Confidentiality: Read Application Data: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.</p></li></ul>",
"remediation": "<p>The keyset file on the secure signing computer, which is also where the signed and unsigned copies of the zone are stored, contains the trust anchor for the given zone. The signing procedure includes an automatic creation of this file.</p><p>A certificate revocation list (CRL) is a list, created and signed by a certificate authority (CA), which contains serial numbers of certificates that have been issued by that CA and are currently revoked. In addition to the serial number of the revoked certifications, the CRL also contains the reason for revocation for each certificate and the time the certificate was revoked. The serial number for each revoked certificate is kept in the CAs database and published in the CRL until the certificate expires.</p><p>The CRL entry for the revoked certificate is deleted once it has expired, and the CA is then free to delete the certificate from its database. The revoked certificate typically remains in the CRL for one publication period following the expiration of the certificate. You should always have access to this knowledge so that you can act quickly.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "SSL/TLS encryption",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/299.html"
],
"locale": "en",
"title": "CA certificates",
"vulnType": "OWASP WSTG",
"description": "<p>An organization that issues digital certificates is known as a certificate authority (CA) in the field of cryptography. A digital certificate attests to the named subject of the certificate's ownership of a public key. A CA can occasionally fail and be removed from the browser. If your application uses a certificate issued by this CA, this will result in untrusted TLS connections.</p><p>An identity certificate that is signed by the same entity whose identity it certifies is known as a self-signed certificate. This phrase has nothing to do with who or what was responsible for carrying out the signing process. A self-signed certificate is one that was signed using a private key that belongs to the issuer.</p><p>In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid. Each CA has one or more root keys; and the certificates associated with those public keys are \"\"trust anchors\"\" that use a special type of self-signed certificates. Establishing trust of the CA root certificate is dependent upon procedures beyond checking its digital signature.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: Trust may be assigned to an entity who is not who it claims to be.</p></li><li><p>Other: Other: Data from an untrusted (and possibly malicious) source may be integrated.</p></li><li><p>Confidentiality: Read Application Data: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.</p></li></ul>",
"remediation": "<p>Install a trusted certificate from a reputable root CA on the server.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/306.html"
],
"locale": "en",
"title": "Ensure overall security",
"vulnType": "OWASP WSTG",
"description": "<p>Due to the fact that it receives a lot of attention during development, the primary authentication mechanism is frequently a good hardened functionality. This is typically not the case, though, for secondary authentication mechanisms like password-forget features or other alternate routes that could result in successful application authentication.</p>",
"observation": "<ul><li><p>Other: Other: Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.</p></li></ul>",
"remediation": "<p>Make sure that all account identity authentication features (like update profile, forgotten password, disabled/lost token, help desk, or IVR) that could allow you to regain access to your account are at least as secure against hacking as the main authentication method.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration",
"https://cwe.mitre.org/data/definitions/477.html"
],
"locale": "en",
"title": "Outdated OS version (Known associated vulnerabilities)",
"vulnType": "OWASP WSTG",
"description": "<p>When the operating system version of the server running the application can be determined, this problem occurs.</p><p>Any type of information pertaining to the technology that underpins the web application should always be kept secret in order to hinder or outright prevent that once this information is known, targeted attacks against this software can be planned.</p>",
"observation": "<ul><li><p>Other: Quality Degradation: The attacker is using a function that is no updated</p></li></ul>",
"remediation": "<p>Updating the operating system to the most recent version is advised.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/01-Test_Network_Infrastructure_Configuration",
"https://cwe.mitre.org/data/definitions/477.html"
],
"locale": "en",
"title": "Outdated dependencies and libraries",
"vulnType": "OWASP WSTG",
"description": "<p>Security researchers report and store vulnerabilities they find in libraries, modules, frameworks, platforms, or operating systems in the CVE list. Given that the list is available to everyone, it provides access for any attacker aiming to compromise an outdated web application.</p>",
"observation": "<ul><li><p>Other: Reduce Maintainability: The attacker could find vulnerabilities of outdated components and use those to exploit new attack vectors.</p></li></ul>",
"remediation": "<p>The main piece of advice is to always use the most recent dependencies and libraries that the manufacturer offers. Additionally, it is strongly advised to use tools like OWASP dependency check when running the application's libraries and modules through the SDLC. This program scans imported libraries and modules for known CVEs.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces",
"https://cwe.mitre.org/data/definitions/16.html"
],
"locale": "en",
"title": "Identification of management panels",
"vulnType": "OWASP WSTG",
"description": "<p>It is not advised for the administration panels or authentication panels for various applications to be publicly accessible on the internet. Therefore, it would be convenient to restrict access to the administration or authentication panels to VPN (Virtual Private Network) connections whenever possible.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is advised to use VPNs to connect to the organization's resources instead of opening administration or authentication panels to the Internet.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces",
"https://cwe.mitre.org/data/definitions/16.html"
],
"locale": "en",
"title": "Server configuration not hardened",
"vulnType": "OWASP WSTG",
"description": "<p>Any part of the application stack, including the network services, platform, web server, application server, database, frameworks, custom code, pre-installed virtual machines, containers, or storage, is susceptible to security misconfiguration.</p><p>Attackers frequently gain unauthorized access to certain system data or functionality thanks to such flaws. Such flaws can occasionally compromise the entire system. The application and data protection requirements determine the business impact.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>Implementing secure installation procedures, such as:</p><ul><li><p>A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to setup a new secure environment.</p></li><li><p>A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.</p></li><li><p>A task to review and update the configurations appropriate to all security notes, updates and patches as part of the patch management process. In particular, review cloud storage permissions.</p></li><li><p>A segmented application architecture that provides effective, secure separation between components or tenants, with segmentation, containerization, or cloud security groups (ACLs).</p></li><li><p>Sending security directives to clients, e.g. Security Headers.</p></li><li><p>An automated process to verify the effectiveness of the configurations and settings in all environments.</p></li></ul>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration",
"https://cwe.mitre.org/data/definitions/532.html"
],
"locale": "en",
"title": "Sensitive information in accessible logs",
"vulnType": "OWASP WSTG",
"description": "<p>A log is a record of the activities taking place within the networks and systems of an organization. Logs are made up of log entries, and each entry in a log contains details about a specific event that has taken place in a system or network.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>It is recommended to keep logs in a separate location and not on the web server itself. This also facilitates the aggregation of logs from different sources that refer to the same application (such as those from a web server farm) and also facilitates log analysis (which can be CPU intensive) without affecting the server itself. </p><p>It is also recommended to implement a log rotation ensuring that:</p><ul><li><p>Logs are kept for the time defined in the security policy, no more and no less.</p></li><li><p>Logs are compressed once rotated (this is a convenience, as it will mean that more logs will be stored for the same available disk space).</p></li><li><p>The file system permissions of rotated log files are the same (or stricter) than those of the log files themselves. For example, web servers will need to write to the logs they use, but they do not actually need to write to the rotated logs, which means that the file permissions can be changed at rotation time to prevent the web server process from modifying them.</p></li><li><p>Some servers may rotate logs when they reach a certain size. If this happens, make sure that an attacker cannot force log rotation to hide his or her trail.</p></li></ul><p>Finally, implement access control so that the event log information is never visible to end users and analyze the logs periodically, for example based on error messages:</p><ul><li><p>Error messages 40x (not found). A large number of them coming from the same source could indicate that a CGI scanning tool is being used against the web server.</p></li><li><p>50x (server error) messages. These can be an indication that an attacker is abusing parts of the application that fail unexpectedly. For example, the early stages of a SQL injection attack will produce these error messages when the SQL query is not well constructed and its execution fails in the back end database.</p></li></ul><p>Statistics or log analysis should not be generated, or stored, on the same server that produces the logs. Otherwise, an attacker could, through a web server vulnerability or improper configuration, access them and retrieve information similar to that which would be revealed by the log files themselves.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information",
"https://cwe.mitre.org/data/definitions/200.html",
"https://cwe.mitre.org/data/definitions/530.html"
],
"locale": "en",
"title": "Backup file identification",
"vulnType": "OWASP WSTG",
"description": "<p>Files that are unrelated to the application but are created as a result of editing application files, after making backups while in use, or by leaving outdated or unreferenced files in the web tree are a significant source of vulnerability. On-the-fly editing and other administrative tasks on production web servers may unintentionally leave backup copies that were created automatically by the editor as they were being edited or by the administrator as they were compressing a group of files to create a backup.</p><p>Editing files may leave automatic backup copies of type .bak, .sav, .old, or ~. The web server does not have by default defined an interpretation for this type of files, so the result is usually either to display their contents or to proceed to download them.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>To remove the risk, it is necessary to delete the discovered backup file. It is necessary to routinely search the server for files with the extensions.bak,.bac,.sav,.old,.BAK,.BAC,.SAV,.OLD,.tar,.gz, and.tgz and remove them from the server in order to fix this type of defect generally.In order to avoid having the file downloaded or the contents of the file displayed by the browser, it is also advised to configure the web server to be able to understand these extensions.If the document root is on a file system that makes use of this technology, file system snapshots shouldn't be accessible via the web. Configure your web server to deny access to such directories, for example, in Apache a location directive like this should be used:</p><p><Location ~ \".snapshot\">Order deny,allowDeny from all</Location></p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods",
"https://cwe.mitre.org/data/definitions/16.html"
],
"locale": "en",
"title": "Insecure HTTP methods enabled",
"vulnType": "OWASP WSTG",
"description": "<p>A variety of techniques are available through HTTP to carry out operations on the web server (the HTTP 1.1 standard refers to them as methods, but they are also commonly described as verbs). Although GET and POST are by far the most popular ways to access data from a web server, HTTP also supports a number of additional, less well-known ways. If the web server is configured incorrectly, some of these could be used maliciously.</p>",
"observation": "<ul><li><p>Other: Technical Impact: Varies by Context</p></li></ul>",
"remediation": "<p>The methods that were determined to be superfluous in the server configuration must be deactivated.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Lack of security HTTP headers",
"vulnType": "OWASP WSTG",
"description": "<p>Security headers are implemented as HTTP response headers that limit the potential for client-side vulnerability exploitation by instructing the browser how to behave in specific circumstances. The full security configuration needed to establish a secure connection with the client is not present in server responses.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>Implementation of all security HTTP headers in server responses is recommended. The recommended values are:</p><ul><li><p>Strict-Transport-Security (HSTS): max-age=31536000; includeSubDomains.</p></li><li><p>Content-Security-Policy: default-src https: 'self'.</p></li><li><p>X-XSS-Protection:1</p></li><li><p>X-Frame-Options: 'DENY' (if not possible, 'SAMEORIGIN').</p></li><li><p>X-Content-Type-Options: nosniff.</p></li><li><p>Cache-Control: no-store.</p></li><li><p>Referrer-Policy: 'no-referrer' (or 'same-origin').</p></li><li><p>Permissions-Policy: Define the minimum allowed functions and deny the others.</p></li></ul>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of HSTS (HTTP Strict Transport Security) header",
"vulnType": "OWASP WSTG",
"description": "<p>The \"strict transport security\" (HSTS) HTTP header is used to thwart attempts to intercept communications, cookies, etc. This mechanism allows a web server to declare that only secure HTTP connections—HTTP over TLS/SSL—are permitted for browser communication.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials</p></li></ul>",
"remediation": "<p>Define the HTTP Strict-Transport-Security header, which instructs the client browser to automatically redirect requests received via the HTTP protocol to the HTTPS secure protocol rather than using or forcing an insecure protocol.</p><p><Strict-Transport-Security: max-age=60000; includeSubDomains></p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of X-Frame-Options header",
"vulnType": "OWASP WSTG",
"description": "<p>A user is tricked into using functionality on a hidden website by clicking on some other content on a bogus website using the Clickjacking vulnerability. The method is based on embedding a hidden button or link, for instance, within an iframe, on an actionable, visible web page (or pages). The user's anticipated decoy web page's content is overlaid by the iframe.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.</p></li></ul>",
"remediation": "<p>The X-Frame-Options header is supported by most contemporary web browsers. It is advised to set the web server up so that this header is enabled for all web pages. The SAMEORIGIN option should be used if the page is anticipated to contain only code from the server.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of Content Security Policy (CSP) header",
"vulnType": "OWASP WSTG",
"description": "<p>An HTTP response header that increases security is called Content-Security-Policy. With the help of this header, you can limit the resources that the browser can load, including JavaScript, CSS, and more.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.</p></li><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li><li><p>Confidentiality: Read Application Data: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.</p></li><li><p>Access Control: Modify Application Data: An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trik the user into changing privacy settings.</p></li></ul>",
"remediation": "<p>By including the Content-Security-Policy header in the HTTP response headers, which tells the browser to apply the desired policies, you can enable CSP on a website. </p><p>Content-Security-Policy: script-src https://example.com:*;></p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of Cache Control header",
"vulnType": "OWASP WSTG",
"description": "<p>Directives for caching mechanisms are specified in the HTTP Cache-Control header.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>Create a Cache-Control header on your web server with the necessary instructions. The Pragma header value should be no-cache and the Cache-Control value should be no-cache, no-store if the page contains sensitive information.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of Pragma header",
"vulnType": "OWASP WSTG",
"description": "<p>The Pragma header is an implementation-specific header that can impact the request-response chain in a number of ways. When the HTTP/1.1 Cache-Control header is not yet present, it is used for backward compatibility with earlier HTTP/1.0 cache versions.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>The Cache-Control header is the ideal way to specify a caching policy when at least HTTP/1.1 is used in server responses. The header for Pragma can be removed.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy",
"https://cwe.mitre.org/data/definitions/16.html",
"https://cwe.mitre.org/data/definitions/693.html",
"https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project",
"https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration"
],
"locale": "en",
"title": "Absence of Feature Policy header",
"vulnType": "OWASP WSTG",
"description": "<p>Web developers can selectively enable, disable, and alter the behavior of specific APIs and web features in the browser by using the header Feature-Policy. Note that this header has been divided into a Permissions-Policy and a Document-Policy, and that it will be regarded as deprecated once all impacted features have been eliminated from the Feature-Policy.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>Below is an example of how to add the Feature-Policy header to web server responses: </p><p><Feature-Policy: vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com></p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/116.html"
],
"locale": "en",
"title": "Absence of Referrer Policy header",
"vulnType": "OWASP WSTG",
"description": "<p>Requests made from a document, and for navigations away from that document are associated with a Referer header. While the header can be suppressed for links with the noreferrer link type, authors might wish to control the Referer header more directly for a number of reasons:</p><ul><li><p>Privacy: a social networking site has a profile page for each of its users, and users add hyperlinks from their profile page to their favorite bands.The social networking site might not wish to leak the user’s profile URL to the band web sites when other users follow those hyperlinks (because the profile URLs might reveal the identity of the owner of the profile).Some social networking sites, however, might wish to inform the band web sites that the links originated from the social networking site but not reveal which specific user’s profile contained the links.</p></li><li><p>Security: a web application uses HTTPS and a URL based session identifier. The web application might wish to link to HTTPS resources on other web sites without leaking the user’s session identifier in the URL. Alternatively, a web application may use URLs which themselves grant some capability. Controlling the referrer can help prevent these capability URLs from leaking via referrer headers.</p></li></ul><p>Note that there are other ways for capability URLs to leak, and controlling the referrer is not enough to control all those potential leaks.</p><ul><li><p>Trackback: a blog hosted over HTTPS might wish to link to a blog hosted over HTTP and receive trackback links.</p></li></ul>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>Referrer Policy How much referrer data, which is transmitted via the Referer header, should be included with requests is controlled by the HTTP header. The Referer header has a lot of good intentions, but it also has unfavorable effects on user security and privacy. The following values ought to be configured in the policy:</p><p>Referrer-Policy: no-referrerReferrer-Policy: same-origin</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/116.html"
],
"locale": "en",
"title": "Absence of X-Content-Type-Options header",
"vulnType": "OWASP WSTG",
"description": "<p>In order to safeguard against Reflective File Download and other types of injections, certain API callbacks must have security headers that are properly configured.</p><p>Additionally, confirm whether user input is reflected in the API response and whether it is dynamic. If so, in order to stop XSS and same origin method execution attacks, you must validate and encode the input.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>Sanitize your API's input; escaping is insufficient in this case; they should only permit alphanumeric. Make sure that X-Content-Type-Options are present in every API response. to stop the browser from interpreting files as something other than what the content type has declared, use nosniff (this helps prevent XSS if the page is interpreted as html or js).</p><p>Add</p><p>Content-Disposition: attachment; filename=\"filename.extension\"</p><p>with extension corresponding the file extension and contenttype, on APIs that are not going to be rendered</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/524.html"
],
"locale": "en",
"title": "Anti-Caching header (Server-side)",
"vulnType": "OWASP WSTG",
"description": "<p>Anti-caching headers prevents sensitive data from being stored on reverse proxies, load balancers and application cache modules. By not implementing this headers correctly, sensitive information may be stored within the cache of these modules and may be exposed.Let's see two examples of improperly configured headers:Cache-Control: max-age=315360000, public: the response may be stored by any cacheCache-Control: private: the response may be stored by a browser's cache</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li></ul>",
"remediation": "<p>This vulnerability will be reduced if the anti-caching headers are properly implemented. An appropriately used anti-caching header will resemble:</p><p>Cache-Control: no-storePragma: no-cache (only for backwards compatibility with HTTP/1.0 clients)</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/173.html"
],
"locale": "en",
"title": "Unsafe Content-Type header within the response",
"vulnType": "OWASP WSTG",
"description": "<p>Setting the proper content headers is crucial for strengthening the security of your applications because it lowers your exposure to drive-by download attacks and websites hosting user-uploaded content that, due to clever naming, MS Internet Explorer may mistake for executable or dynamic HTML files, creating security flaws.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>An example of a safe Content-type header would be:</p><p>Content-Type: text/html; charset=UTF8Content-Type: application/json;</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission",
"https://cwe.mitre.org/data/definitions/732.html"
],
"locale": "en",
"title": "Excessive file and directory permissions",
"vulnType": "OWASP WSTG",
"description": "<p>Giving a resource a permission setting that allows access to a larger group of users than necessary runs the risk of exposing sensitive data or allowing unauthorized individuals to change the resource. When the resource is connected to program configuration, execution, or sensitive user data, this is especially risky.</p><p>A clear example is an execution file that may be executed by unauthorized users. Another example is that account information or the value of a token to access an API (increasingly common in today's web services or microservices) may be stored in a configuration file whose permissions are set by default to be readable by everyone from the installation. This sensitive data can be exposed by malicious internal users or by a remote attacker who has compromised the service with other vulnerabilities, but has low privileges.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The injected code could access restricted data / files.</p></li><li><p>Confidentiality: Read Files or Directories: An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.</p></li></ul>",
"remediation": "<p>Setting file and directory permissions correctly will help to address this vulnerability by preventing unauthorized users from needlessly accessing vital resources.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"category": "Configuration and Deploy Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/770.html"
],
"locale": "en",
"title": "Allocation of Resources Without Limits or Throttling",
"vulnType": "OWASP WSTG",
"description": "<p>In contravention of the intended security policy for that actor, the software allocates a reusable resource or set of resources on the actor's behalf without imposing any limitations on the size or quantity of resources that can be allocated.</p>",
"observation": "<ul><li><p>Availability: DoS: Resource Consumption (Other): When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource.</p></li></ul>",
"remediation": "<p>Requirements</p><ul><li><p>Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviours are acceptable when resource allocation reaches limits.</p></li></ul><p>Architecture and Design- Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid 410.- Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.- Ensure that protocols have specific limits of scale placed on them.- For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid 602: Client-Side Enforcement of Server-Side Security. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.</p><p>Implementation- Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colours such as \"red\" or \"blue.\"- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Identity Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account",
"https://cwe.mitre.org/data/definitions/203.html",
"https://cwe.mitre.org/data/definitions/204.html",
"https://cwe.mitre.org/data/definitions/200.html"
],
"locale": "en",
"title": "Account (users) enumeration",
"vulnType": "OWASP WSTG",
"description": "<p>Due to configuration errors or intentional design choices, web applications frequently make it clear whether a username already exists on the system. For instance, when incorrect credentials are sent, the resulting message can sometimes indicate whether the username already exists in the system or whether the password was entered incorrectly. An attacker can use the information they have collected to compile a user list for the system. By employing a brute force attack or a default username and password attack, for instance, this information can be used to attack the web application.</p>",
"observation": "<ul><li><p>Confidentiality: Read Application Data: The attacker may be able to read sensitive information</p></li><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li></ul>",
"remediation": "<p>There are several recommendations to avoid this type of vulnerabilities. The best solution is to apply some or all of them as appropriate:</p><ul><li><p>Avoid using any public data (alias, email, etc.) as username to authenticate in the application. This data should be private and only known by the user.</p></li><li><p>During the development phase, optimize the user authentication process to avoid \"high\" response times during authentication.</p></li><li><p>Do not use informative messages that aid in guessing the existence of user names.</p></li><li><p>Avoid different behaviors in the web application depending on the existence of usernames.</p></li><li><p>Delegate the generation of usernames to the web application. The generator used should be completely random and never sequential since it would be predictable.</p></li></ul>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Identity Management",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process",
"https://cwe.mitre.org/data/definitions/287.html"
],
"locale": "en",
"title": "Insecure user registration process",
"vulnType": "OWASP WSTG",
"description": "<p>The provision of system access to users is automated (or partially automated) by some web applications' user registration process. Depending on the system's security requirements, the identity requirements for access can range from positive identification to none at all. Due to the size of their user bases, many public applications completely automate the registration and provisioning processes. A hacker could use this vulnerability to control other user accounts, for example, if best practices are not followed when automating the registration process.</p>",
"observation": "<ul><li><p>Access Control: Execute Unauthorized Code or Commands: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.</p></li></ul>",
"remediation": "<p>It is advised to put in place identification and verification requirements that are in line with the security requirements of the data that the credentials are protecting.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"category": "Identity Management",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/384.html"
],
"locale": "en",
"title": "The login functionality should always generate a new session id",
"vulnType": "OWASP WSTG",
"description": "<p>A new session cookie should be created by the application each time a user is successfully authenticated.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: The application does not invalidate any existing session identifier and gives an attacker the opportunity to steal authenticated sessions.</p></li></ul>",
"remediation": "<p>After a successful login, the login functionality should always create (and use) a new session ID. This is done to stop an attacker from attacking your users using a session fixation attack.Some frameworks, such as.net applications, do not let you change the session ID when you log in. You could add an extra random cookie with a strong token on login whenever this issue arises and store the value in a session variable.</p><p>Now that authentication depends on more than just the session ID and the random cookie cannot be predicted or fixed by an attacker, you can compare the cookie value with the session variable to prevent session fixation.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials",
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy",
"https://cwe.mitre.org/data/definitions/521.html"
],
"locale": "en",
"title": "Weaknesses in password policy",
"vulnType": "OWASP WSTG",
"description": "<p>All of the security features incorporated into the technological infrastructure can be exposed by a lax password policy. Without utilizing any other vulnerabilities, guessing a password would grant access to legitimate systems. It frequently occurs in the domains of large organizations, where the administrator's users with higher privileges are completely forgotten in favor of the regular users with restricted access to which a strict password policy is applied. In other words, in contrast to a user with limited privileges, an administrator user can use a password that is deemed weak. To make it simple for new users to connect, many services come with default usernames and passwords at first. The crucial step of changing this information is frequently overlooked, leaving the system accessible using what are known as the default credentials.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: As passwords age, the probability that they are compromised grows.</p></li><li><p>Access Control: Gain Privileges or Assume Identity: An attacker could easily guess user passwords and gain access user accounts.</p></li></ul>",
"remediation": "<p>Establish a strong password policy that requires the user to:</p><ul><li><p>A minimum password length of 8 charactersUse all character types, including capital and lowercase letters, numbers, and special characters.</p></li><li><p>Making use of an effective encryption algorithm like AES-128 or SHA-256</p></li><li><p>Check to see if the blank password is prohibited.</p></li><li><p>Steer clear of using the user identifier (or any subset of it) as a password.- Regularly force the change.</p></li><li><p>Prevent users from using previous passwords.</p></li></ul>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/263.html"
],
"locale": "en",
"title": "No password rotation policy",
"vulnType": "OWASP WSTG",
"description": "<p>Some policies require users to change passwords periodically, often every 90 or 180 days.</p><p>The benefit of password expiration, however, is debatable. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.</p><p>This policy can often backfire. Some users find it hard to devise \"good\" passwords that are also easy to remember, so if people are required to choose many passwords because they have to change them often, they end up using much weaker passwords; the policy also encourages users to write passwords down. Also, if the policy prevents a user from repeating a recent password, this requires that there is a database in existence of everyone's recent passwords (or their hashes) instead of having the old ones erased from memory. Finally, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: As passwords age, the probability that they are compromised grows.</p></li></ul>",
"remediation": "<p>Only when the application's enforced password strength is no longer strong enough to withstand brute force attacks due to an increase in computing power can users be made to update their passwords.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/620.html"
],
"locale": "en",
"title": "Permit password change",
"vulnType": "OWASP WSTG",
"description": "<p>Users ought to have the option of changing their password whenever necessary. Consider, for instance, the situation where they frequently use the same password across different applications. Users must immediately update their login information in each application they have registered for if their password is compromised. Therefore, there is a chance that a user's account could be compromised if the application does not give him access to a password update feature.</p>",
"observation": "<ul><li><p>Access Control: Bypass Protection Mechanism: Access control checks for specific user data or functionality can be bypassed.</p></li><li><p>Access Control: Gain Privileges or Assume Identity: As passwords age, the probability that they are compromised grows.</p></li></ul>",
"remediation": "<p>Applications should offer a feature that enables the user to modify their own password.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/521.html"
],
"locale": "en",
"title": "Verify breached passwords",
"vulnType": "OWASP WSTG",
"description": "<p>Over the years, breaches have resulted in the release of numerous databases containing stolen credentials. Users are subject to dictionary attacks if they select compromised passwords.</p>",
"observation": "<ul><li><p>Access Control: Gain Privileges or Assume Identity: An attacker could easily guess user passwords and gain access user accounts.</p></li></ul>",
"remediation": "<p>Check that passwords entered during account creation, login, and password changes are compared to a list of passwords that have been compromised. The application must require the user to re-enter a password that hasn't already been compromised if the password they chose has already been compromised.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://cwe.mitre.org/data/definitions/330.html"
],
"locale": "en",
"title": "Secrets should be secure random generated",
"vulnType": "OWASP WSTG",
"description": "<p>Passwords, API tokens, and secret keys must be generated dynamically. These tokens can become predictable and be used by attackers to compromise user accounts whenever they are not generated dynamically.</p>",
"observation": "<ul><li><p>Other: Other: When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key</p></li><li><p>Other: Other: If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.</p></li><li><p>Access Control: Gain Privileges or Assume Identity: When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.</p></li></ul>",
"remediation": "<p>These values must be dynamically generated and only valid once when it comes to API tokens and secret keys.The secret token should be cryptographically \"random secure,\" have at least 120 bits of effective entropy, be salted with a special and randomly generated 32-bit value, and hashed using a recognized hashing (one-way) function.</p><p>Instead of giving a user a password that is dynamically generated, passwords should be created by the user themselves. In order to activate his account and create a password of his own, the user should be given a one-time link with a cryptographically random token via email or SMS.</p>"
}
]
},
{
"cvssv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"category": "Authentication",
"details": [
{
"references": [
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism",
"https://cwe.mitre.org/data/definitions/804.html",
"https://cwe.mitre.org/data/definitions/645.html",
"https://cwe.mitre.org/data/definitions/1216.html",
"https://cwe.mitre.org/data/definitions/307.html"
],
"locale": "en",
"title": "Weaknesses in protection against brute force attacks",
"vulnType": "OWASP WSTG",
"description": "<p>A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack. </p><p>An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it. Depending on the password's length and complexity, there could be trillions of possible combinations. To speed things up a bit, a brute-force attack could start with dictionary words or slightly modified dictionary words because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.</p>",