Comprehensive deliverables for the given case study (Movie_booking): debugging information for the given PHP files and database
1. session_register() // function undefined in checklogin.php
2. myusername and mypassword // credentials do not pass through checklogin.php
3. mysql_fetch_object() // function not used in checklogin.php
4. No connectivity between the "select movie" option and the database in first.php, i.e. --Select movie--
5. $username = $_SESSION['myusername']; // undefined on the first page, in first.php
6. --Select City-- // the value was undefined. Value should be;
7. --Select City-- // Table name ?>
8. $_SESSION variables // values of a variable that does not exist in schedule.php
9. $username = $_SESSION['myusername']; // undefined in schedule.php
10. $username = $_SESSION['myusername']; // not defined in book.php
Vulnerabilities identified in the given application (tool used: Vega)
After debugging the source code of the given files and database, the tool was run against the application and found the vulnerabilities below.
http://localhost/Movie/main.php
Medium Risk: 2 identified
1. HTTP Trace Support Detected
Classification Configuration Error
Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method TRACE
Risk Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1 SQUEEM1SH: OSS1FR4GE Accept-Encoding: gzip,deflate Host: localhost Connection: Keep-Alive User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
2. Possible Source Code Disclosure
Classification Information
Resource /Movie/main.php
Risk Medium
REQUEST
GET /Movie/main.php
RESOURCE CONTENT
Possible PHP code:
DISCUSSION
Vega has detected fragments of text that match signatures of application source code. Application source code unintentionally visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source code.
Low Risk: One identified
1. Directory Listing Detected
Classification Configuration Error
Resource /Movie/
Risk Low
REQUEST
GET /Movie/
RESOURCE CONTENT
Index of /Movie
http://localhost/Movie/first.php
Medium Risk
1. HTTP Trace Support Detected
Classification Configuration Error
Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method TRACE
Risk Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1 SQUEEM1SH: OSS1FR4GE Accept-Encoding: gzip,deflate Host: localhost Connection: Keep-Alive User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
2. Local Filesystem Paths Found
Classification Information
Resource /Movie/first.php
Risk Medium
REQUEST
GET /Movie/first.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\first.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web root). This information is sensitive, as it may reveal things about the server environment to an attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full system paths are very often found in error output. This output should never be sent to clients on production systems. It should be redirected to another output channel (such as an error log) for analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content. Disclosure of these paths reveals information about the filesystem layout. This information can be sensitive; its disclosure can increase the chances of success for other attacks.
REMEDIATION
Absolute paths are often found in error output. Both the system administrators and developers should be made aware, as the problem may be due to an application error or server misconfiguration. Error output containing sensitive information such as absolute system paths should not be sent to remote clients on production servers. This output should be sent to another output stream, such as an error log.
3. Possible Source Code Disclosure
Classification Information
Resource /Movie/first.php
Risk Medium
REQUEST
GET /Movie/first.php
RESOURCE CONTENT
Possible PHP code:
DISCUSSION
Vega has detected fragments of text that match signatures of application source code. Application source code unintentionally visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source code.
The cause should be determined, and the material removed or prevented from being output.
Low Risk: 1 identified
1. Directory Listing Detected
Classification Configuration Error
Resource /Movie/
Risk Low
REQUEST
GET /Movie/
RESOURCE CONTENT
Index of /Movie (Name, Last modified, Size, Description)
IMPACT
The server is outputting the contents of directories. This could expose files not meant for user retrieval (old htaccess files, backups, source code). The directory listing may additionally provide useful information about the system layout and characteristics, such as naming conventions used by the developers and administrators. This information can increase the probability of success for blind attacks and brute force guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file, or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable"" in your lighttpd configuration file.
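An added configuration example, not part of the report or of the Movie application's own files, that applies the TRACE and directory-listing remediations above to the Apache 2.4 / mod_php build the scan reported, and also keeps PHP error output out of responses, which is where the absolute paths (C:\xampp\htdocs\Movie\first.php) were leaking. The DocumentRoot is taken from those leaked paths; the error-log location is an assumption.

```apache
# Added hardening for the XAMPP Apache 2.4 / mod_php build the scan reported.
# Not taken from the case study: the DocumentRoot comes from the leaked
# C:\xampp\htdocs\Movie\*.php paths, the log path is an assumption.

# --- HTTP TRACE (cross-site tracing) -------------------------------------
# Weak (the Apache default):   TraceEnable On
TraceEnable Off

# --- Directory listing ----------------------------------------------------
# Weak line flagged by the scanner:
#   Options All Indexes FollowSymLinks MultiViews
# "-Indexes" makes Apache answer 403 for /Movie/ when no index file exists
# instead of listing the directory.
<Directory "C:/xampp/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# Equivalent per-directory fix if httpd.conf cannot be edited
# (goes in C:\xampp\htdocs\Movie\.htaccess; IndexIgnore * still answers
# 200 with an empty listing, -Indexes answers 403):
#   Options -Indexes
#   IndexIgnore *

# --- Server banner (Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22 was reported)
ServerTokens Prod
ServerSignature Off

# --- PHP error output (source of the absolute-path and "session_start(); ?>"
# fragments the scanner saw). mod_php honours php_flag/php_value here; the
# same keys can go in php.ini instead.
php_flag  display_errors Off
php_flag  log_errors     On
php_value error_log      "C:/xampp/apache/logs/php_error.log"
```

After a restart, the check that matches the scanner's probes is a TRACE request returning 405 and GET /Movie/ returning 403 rather than an "Index of /Movie" page; the error log, not the browser, should then carry any PHP warnings.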
Info: Possible AJAX code detected
Classification Information
Resource /Movie/first.php
Risk Info
REQUEST
GET /Movie/first.php
RESOURCE CONTENT
function showmovie(str) {
  if (str=="") { document.getElementById("movie").innerHTML=""; return; }
  if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
  ...
DISCUSSION
AJAX (Asynchronous Javascript and XML) refers to a collection of technologies used to make the user experience of web applications more interactive. AJAX functionality often involves the asynchronous sending of requests and processing of their responses using Javascript, without requiring page reloads. The endpoints on the server side often accept parameters, making them injection points where vulnerabilities could exist.
IMPACT
Vega has detected content indicating the use of AJAX, which points to possible injection points where vulnerabilities may exist. The AJAX backend API should be manually inspected for vulnerabilities.
REMEDIATION
This is not a vulnerability. This alert is only to flag that code associated with use of AJAX has been detected in scanned content. Backend AJAX interfaces can expose possible vulnerabilities and manual inspection should be included in any comprehensive security assessment.
http://localhost/Movie/schedule.php
High Risk: 2 found
1. Session Cookie Without HttpOnly Flag
Classification Information
Resource /Movie/schedule.php
Risk High
REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION
Vega has detected that a session cookie may have been set without the HttpOnly flag. When this flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature, attacker-supplied script code will not be able to access the cookie.
REMEDIATION
When creating the cookie in the code, set the HttpOnly flag to true.
2. Session Cookie Without Secure Flag
Classification Information
Resource /Movie/schedule.php
Risk High
REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/
DISCUSSION
Vega has detected that a known session cookie may have been set without the secure flag.
IMPACT
Cookies can be exposed to network eavesdroppers. Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications.
REMEDIATION
When creating the cookie in the code, set the secure flag to true.
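An added example, not code from the case study, of what the HttpOnly and Secure remediations for the PHPSESSID cookie look like in the application's own PHP. It assumes a shared include (session_init.php, a name chosen here) that checklogin.php, schedule.php and book.php require before sending any output; the $_SESSION['myusername'] key is the one the debugging notes show those pages already read. It is written against the PHP 5.4.22 build the scan reported, where session_register() no longer exists (it was removed in PHP 5.4), which is why the debugging notes found it undefined.

```php
<?php
// session_init.php (assumed name): added hardening for the PHP session shared by
// checklogin.php, schedule.php and book.php. Not the case study's own code.
// Must be included before any HTML is echoed, or the Set-Cookie header is lost.

// 1. Accept the session id only from the cookie, never from the URL.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

// 2. The two flags the scanner reported missing on PHPSESSID.
//    Secure is tied to whether this request arrived over TLS: forcing it on over
//    plain HTTP (the localhost setup in the report) means the browser never sends
//    the cookie back and every page looks logged out, which is the failure mode
//    to expect when the remediation is applied without moving the app to HTTPS.
$is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
session_set_cookie_params(
    0,          // lifetime: a session cookie, dropped when the browser closes
    '/Movie/',  // path: scope the cookie to the application, not the whole host
    '',         // domain: current host only
    $is_https,  // secure
    true        // httponly
);

session_start();

// 3. Replacement for the removed session_register(): after a successful
//    credential check, rotate the id so a pre-login id cannot be reused, then
//    store the user under the key the existing pages already read.
function login_user($username)
{
    session_regenerate_id(true);
    $_SESSION['myusername'] = $username;
    $_SESSION['logged_in']  = true;
}

// 4. Pages that need a user should check for one instead of reading an unset
//    key (the "undefined $_SESSION['myusername']" notes for first.php,
//    schedule.php and book.php). Returns the username or redirects to login.
function require_login()
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['myusername'])) {
        header('Location: /Movie/main.php');
        exit;
    }
    return $_SESSION['myusername'];
}

function logout_user()
{
    $_SESSION = array();
    // Expire the cookie with the same parameters it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With this include in place the Set-Cookie header the scanner recorded becomes PHPSESSID=...; path=/Movie/; HttpOnly (plus Secure once the site is served over TLS), and the cookie-flag checks that produced the two High findings no longer fire.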
Medium Risk: 2 identified
1. HTTP Trace Support Detected
Classification Configuration Error
Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method TRACE
Risk Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1 SQUEEM1SH: OSS1FR4GE Accept-Encoding: gzip,deflate Host: localhost Connection: Keep-Alive User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
2. Local Filesystem Paths Found
Classification Information
Resource /Movie/schedule.php
Risk Medium
REQUEST
GET /Movie/schedule.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\schedule.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web root). This information is sensitive, as it may reveal things about the server environment to an attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full system paths are very often found in error output. This output should never be sent to clients on production systems. It should be redirected to another output channel (such as an error log) for analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content. Disclosure of these paths reveals information about the filesystem layout. This information can be sensitive; its disclosure can increase the chances of success for other attacks.
REMEDIATION
Absolute paths are often found in error output. Both the system administrators and developers should be made aware, as the problem may be due to an application error or server misconfiguration. Error output containing sensitive information such as absolute system paths should not be sent to remote clients on production servers. This output should be sent to another output stream, such as an error log.
Low Risk: 1 found
1. Directory Listing Detected
Classification Configuration Error
Resource /Movie/
Risk Low
REQUEST
GET /Movie/
RESOURCE CONTENT
Index of /Movie (Name, Last modified, Size, Description)
IMPACT
The server is outputting the contents of directories. This could expose files not meant for user retrieval (old htaccess files, backups, source code). The directory listing may additionally provide useful information about the system layout and characteristics, such as naming conventions used by the developers and administrators. This information can increase the probability of success for blind attacks and brute force guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file, or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable"" in your lighttpd configuration file.
http://localhost/Movie/book.php
Medium Risk: 3 found
1. HTTP Trace Support Detected
Classification Configuration Error
Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method TRACE
Risk Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1 SQUEEM1SH: OSS1FR4GE Accept-Encoding: gzip,deflate Host: localhost Connection: Keep-Alive User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
2. Local Filesystem Paths Found
Classification Information
Resource /Movie/book.php
Risk Medium
REQUEST
GET /Movie/book.php
RESOURCE CONTENT
C:\xampp\htdocs\Movie\book.php
DISCUSSION
Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web root). This information is sensitive, as it may reveal things about the server environment to an attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full system paths are very often found in error output. This output should never be sent to clients on production systems. It should be redirected to another output channel (such as an error log) for analysis by developers and system administrators.
IMPACT
Vega has detected what may be absolute filesystem paths in scanned content. Disclosure of these paths reveals information about the filesystem layout. This information can be sensitive; its disclosure can increase the chances of success for other attacks.
REMEDIATION
Absolute paths are often found in error output. Both the system administrators and developers should be made aware, as the problem may be due to an application error or server misconfiguration. Error output containing sensitive information such as absolute system paths should not be sent to remote clients on production servers. This output should be sent to another output stream, such as an error log.
3. Possible Source Code Disclosure
Classification Information
Resource /Movie/book.php
Risk Medium
REQUEST
GET /Movie/book.php
RESOURCE CONTENT
Possible PHP code:
session_start(); ?>
DISCUSSION
Vega has detected fragments of text that match signatures of application source code. Application source code unintentionally visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source code.
The cause should be determined, and the material removed or prevented from being output.
Low Risk: 1 found
1. Directory Listing Detected
Classification Configuration Error
Resource /Movie/
Risk Low
REQUEST
GET /Movie/
RESOURCE CONTENT
Index of /Movie (Name, Last modified, Size, Description)
http://localhost/Movie/booked.php
Medium Risk: 2 found
1. HTTP Trace Support Detected
Classification Configuration Error
Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22
Method TRACE
Risk Medium
REQUEST
TRACE /
RESOURCE CONTENT
TRACE / HTTP/1.1 SQUEEM1SH: OSS1FR4GE Accept-Encoding: gzip,deflate Host: localhost Connection: Keep-Alive User-Agent: UserAgent
DISCUSSION
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
IMPACT
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
REMEDIATION
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
2. Possible Source Code Disclosure
Classification Information
Resource /Movie/booked.php
Risk Medium
REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
Possible PHP code:
DISCUSSION
Vega has detected fragments of text that match signatures of application source code. Application source code unintentionally visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code.
IMPACT
Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).
REMEDIATION
The developer should verify that the output detected by Vega is in fact application source code.
The cause should be determined, and the material removed or prevented from being output.
Low Risk: 1 found
1. Directory Listing Detected
Classification Configuration Error
Resource /Movie/
Risk Low
REQUEST
GET /Movie/
RESOURCE CONTENT
Index of /Movie (Name, Last modified, Size, Description)
DISCUSSION
Listing directory contents when no index file is present is a common misconfiguration. The directory contents can provide useful information to an attacker, especially if there are files that are not meant to be accessible, such as source code or backups. The directory listing may also provide useful information about the habits of the server administration and/or web developers, such as file naming convention, that could be used to increase the probable success of brute-force or other attacks.
IMPACT
The server is outputting the contents of directories. This could expose files not meant for user retrieval (old htaccess files, backups, source code). The directory listing may additionally provide useful information about the system layout and characteristics, such as naming conventions used by the developers and administrators. This information can increase the probability of success for blind attacks and brute force guessing.
REMEDIATION
For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file, or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks MultiViews" in your Apache configuration file.
For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable"" in your lighttpd configuration file.
Info: 1 found
1. Character Set Not Specified
Classification Information
Resource /Movie/booked.php
Risk Info
REQUEST
GET /Movie/booked.php
RESOURCE CONTENT
/Movie/booked.php
DISCUSSION
Vega has detected that the resource has not specified a character set in the response. If the character set is not specified, the browser may make assumptions about the character set based on resource content. This may present a security concern if the affected resource contains dynamically-generated content that originates from users. In such a case, malicious users may potentially take advantage of how specific browsers interpret characters to cause malicious content to be rendered. For example, an attacker may be able to bypass a cross-site scripting filter by encoding their malicious payload in an alternate character set, which may be executed depending on how the browser interprets the encoded content.
REMEDIATION
Specify a well-defined character set (such as UTF-8) in the response's Content-Type header or in the response body.
Log details of the tool used and observations
11:32:03 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-source) [/Movie/main.php]
Publishing Alert: (vinfo-source) [/Movie/main.php]
11:32:11 PM [INFO] (scanner) Crawler finished
11:32:11 PM [INFO] (scanner) Scanner completed
11:32:11 PM [INFO] (scanner) Scanning module runtime statistics:
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Path Disclosure
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.636 ms [worst: 6 ms @(/Movie/) ] for Error Page Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 2.000 ms [worst: 10 ms @(/Movie/) ] for Insecure Cross-Domain Policy
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 3.364 ms [worst: 14 ms @(/) ] for File Upload Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for WSDL Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.455 ms [worst: 5 ms @(/Movie/) ] for RSS/Atom/OPL Feed Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for HTTP Header Checks
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 2 ms @(/Movie/main.php) ] for Insecure Script Include
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/main.php) ] for Internal IP Addressess
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 4 ms @(/Movie/main.php) ] for Cleartext Password Over HTTP
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 4.182 ms [worst: 35 ms @(/Movie/main.php) ] for Source Code Disclosure Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for Character Set Not Specified
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Empty Reponse Body Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 2 ms @(/Movie/) ] for Unsafe Or Unrecognized Character Set
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 7.545 ms [worst: 29 ms @(/Movie/) ] for Interesting Meta Tag Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 1.091 ms [worst: 2 ms @(/Movie/) ] for Form autocomplete
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for AJAX Detector
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 6.727 ms [worst: 56 ms @(/Movie/) ] for Directory Listing Detection
11:32:11 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Cookie Scope Detection
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 1.000 ms [worst: 5 ms @(STATE: [GET /]) ] for Eval Code Injection
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for XML Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for HTTP Header Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/main.php]) ] for Shell Injection Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 7.000 ms [worst: 15 ms @(STATE: [GET /Movie/main.php]) ] for HTTP Trace Probes
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Local File Include Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Text Injection Differential Checks
11:32:11 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks
11:32:46 PM [INFO] (scanner) Starting crawling phase
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vdirlist) [/Movie/]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
Publishing Alert: (vinfo-paths) [/Movie/first.php]
Publishing Alert: (vinfo-source) [/Movie/first.php]
Publishing Alert: (vinfo-ajax) [/Movie/first.php]
11:33:09 PM [INFO] (scanner) Crawler finished
11:33:09 PM [INFO] (scanner) Scanner completed
11:33:09 PM [INFO] (scanner) Scanning module runtime statistics:
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 7.091 ms [worst: 53 ms @(/Movie/first.php) ] for Path Disclosure
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.273 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 10 ms @(/Movie/) ] for Insecure Cross-Domain Policy
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for File Upload Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for WSDL Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.455 ms [worst: 1 ms @(/) ] for Insecure Script Include
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/first.php) ] for Internal IP Addressess
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/first.php) ] for Cleartext Password Over HTTP
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.909 ms [worst: 9 ms @(/Movie/first.php) ] for Source Code Disclosure Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Character Set Not Specified
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Empty Reponse Body Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for Unsafe Or Unrecognized Character Set
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 5.364 ms [worst: 13 ms @(/Movie/first.php) ] for Interesting Meta Tag Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Form autocomplete
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.909 ms [worst: 11 ms @(/Movie/first.php) ] for AJAX Detector
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 2.818 ms [worst: 15 ms @(/Movie/) ] for Directory Listing Detection
11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Scope Detection
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Eval Code Injection
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XML Injection checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/first.php]) ] for HTTP Header Injection checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks
11:33:09 PM [INFO] (scanner)
Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 20.400 ms [worst: 86 ms @(STATE: [GET /Movie/first.php]) ] for HTTP Trace Probes 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Local File Include Checks
11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Text Injection Differential Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:35:45 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] 11:36:27 PM [INFO] (scanner) Crawler finished 11:36:27 PM [INFO] (scanner) Scanner completed 11:36:27 PM [INFO] (scanner) Scanning module runtime statistics: 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 4.000 ms [worst: 24 ms @(/Movie/schedule.php) ] for Path Disclosure 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 1.455 ms [worst: 12 ms @(/Movie/) ] for Insecure Cross-Domain Policy 
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/) ] for File Upload Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/schedule.php) ] for WSDL Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.636 ms [worst: 1 ms @(/) ] for Insecure Script Include 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess
11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 5.909 ms [worst: 41 ms @(/Movie/schedule.php) ] for Cookie Security Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/schedule.php) ] for Cleartext Password Over HTTP 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for Source Code Disclosure Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/) ] for Character Set Not Specified 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Empty Reponse Body Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Unsafe Or Unrecognized Character Set 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 4.091 ms [worst: 9 ms @(/Movie/schedule.php) ] for Interesting Meta Tag Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Form autocomplete 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for AJAX Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 2.182 ms [worst: 15 ms @(/Movie/) ] for Directory Listing Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/schedule.php) ] for Cookie Scope Detection 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/schedule.php]) ] for Eval Code Injection 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for XML Injection checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for HTTP Header Injection checks 11:36:27 PM [INFO] 
(scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 4.800 ms [worst: 6 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Local File Include Checks
11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Text Injection Differential Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:36:53 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] 11:37:16 PM [INFO] (scanner) Crawler finished 11:37:16 PM [INFO] (scanner) Scanner completed 11:37:16 PM [INFO] (scanner) Scanning module runtime statistics: 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 4.182 ms [worst: 26 ms @(/Movie/book.php) ] for Path Disclosure 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/book.php) ] for HTTP Authentication Over Unencrypted HTTP 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 11 ms @(/Movie/) ] for Insecure Cross-Domain Policy 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 3 ms @(/Movie/book.php) ] for File Upload Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for WSDL Detector 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:37:16 PM [INFO] 
(scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Insecure Script Include 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 2 ms @(/Movie/book.php) ] for Cleartext Password Over HTTP
11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 2.091 ms [worst: 10 ms @(/Movie/book.php) ] for Source Code Disclosure Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Character Set Not Specified 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Empty Reponse Body Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Unsafe Or Unrecognized Character Set 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 4.727 ms [worst: 11 ms @(/Movie/book.php) ] for Interesting Meta Tag Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Form autocomplete 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/book.php) ] for AJAX Detector 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 2.455 ms [worst: 14 ms @(/Movie/) ] for Directory Listing Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Scope Detection 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/book.php]) ] for Eval Code Injection 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for XML Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for HTTP Header Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 
Average: 5.000 ms [worst: 7 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Local File Include Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks
11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/book.php]) ] for Blind SQL Text Injection Differential Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:38:11 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] 11:38:34 PM [INFO] (scanner) Crawler finished 11:38:34 PM [INFO] (scanner) Scanner completed 11:38:34 PM [INFO] (scanner) Scanning module runtime statistics: 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Path Disclosure 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.091 ms [worst: 11 ms @(/Movie/) ] for Insecure Cross-Domain Policy 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for File Upload Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/booked.php) ] for WSDL Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for HTTP Header Checks 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Insecure Script Include 
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Cleartext Password Over HTTP 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 3.909 ms [worst: 24 ms @(/Movie/booked.php) ] for Source Code Disclosure Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 2.182 ms [worst: 16 ms @(/Movie/booked.php) ] for Character Set Not Specified
11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Empty Reponse Body Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/) ] for Unsafe Or Unrecognized Character Set 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 4.182 ms [worst: 10 ms @(/Movie/booked.php) ] for Interesting Meta Tag Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Oracle Application Server Fingerprint Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.545 ms [worst: 1 ms @(/) ] for Form autocomplete 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/) ] for AJAX Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/booked.php) ] for Version Control String Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 2.727 ms [worst: 24 ms @(/Movie/) ] for Directory Listing Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Cookie Scope Detection 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Eval Code Injection 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XML Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/booked.php]) ] for HTTP Header Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 5.400 ms [worst: 6 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 
11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for Local File Include Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/booked.php]) ] for Blind SQL Text Injection Differential Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks