Error in Code of Movie File


  • Comprehensive deliverables for the given case study (Movie_booking): debugged information on the given PHP files and database

    1. session_register() // function undefined in checklogin.php
    2. myusername and mypassword // credentials do not pass through checklogin.php
    3. mysql_fetch_object() // function not used in checklogin.php
    4. There was no connectivity between the select-movie drop-down (--Select movie--) and the database in first.php
    5. $username = $_SESSION['myusername']; // function undefined on the first page in first.php
    6. --Select City-- // there was an undefined value. Value should be;
    7. --Select City-- // Table name ?>
    8. $_SESSION variables: values of a variable that does not exist in schedule.php
    9. $username = $_SESSION['myusername']; // function undefined in schedule.php
    10. $username = $_SESSION['myusername']; // function not defined in book.php
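    A corrected login flow for items 1, 2, 5, 9 and 10 above, added here as an example (it is not the case study's own code): session_register() is replaced by session_start() plus $_SESSION, the credentials are read from the POST form and checked with a prepared statement, and a shared guard makes $username defined on first.php, schedule.php and book.php. The table members(username, password_hash), the form field names myusername and mypassword, the file name auth_guard.php and the database credentials are assumptions.

```php
<?php
// ===== checklogin.php (rewritten; added example, not the case study's code) =====
// Assumptions: MySQL table `members(username, password_hash)`, a POST form with
// fields `myusername` and `mypassword`, and placeholder database credentials.
session_start();   // replaces session_register(), which was removed in PHP 5.4

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'movie_booking');
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error);  // to the log, never to the client
    header('Location: main.php?error=1');
    exit;
}

// Credentials come from the form; this is where the case study lost them.
$myusername = isset($_POST['myusername']) ? (string) $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? (string) $_POST['mypassword'] : '';

// Prepared statement: the user name is bound as data, never concatenated into SQL.
$stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $myusername);
$stmt->execute();
$stmt->bind_result($hash);
$found = $stmt->fetch();   // true when a row was read, null when the user is unknown
$stmt->close();

// password_verify() is PHP 5.5+; on the PHP 5.4.22 seen in the scan the
// password_compat library provides the same function.
if ($found && password_verify($mypassword, $hash)) {
    session_regenerate_id(true);          // fresh session id after login (session fixation)
    $_SESSION['myusername'] = $myusername;
    header('Location: first.php');
} else {
    header('Location: main.php?error=1');  // same answer for unknown user and wrong password
}
exit;

// ===== auth_guard.php (hypothetical name) =====
// require_once this at the top of first.php, schedule.php and book.php.
// $_SESSION is empty until session_start() has run on that page, which is
// why $username was undefined in items 5, 9 and 10.
session_start();
if (empty($_SESSION['myusername'])) {
    header('Location: main.php');
    exit;
}
$username = $_SESSION['myusername'];
```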

  • Vulnerabilities identified in the given application: Vega tool used

    After debugging the source code of the given files and database, the Vega tool was run and found the vulnerabilities below:

    http://localhost/Movie/main.php

    Medium Risk: two identified

    1. HTTP Trace Support Detected

    Classification Configuration Error

    Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

    Method TRACE

    Risk Medium

    REQUEST

    TRACE /

    RESOURCE CONTENT

    TRACE / HTTP/1.1
    SQUEEM1SH: OSS1FR4GE
    Accept-Encoding: gzip,deflate
    Host: localhost
    Connection: Keep-Alive
    User-Agent: UserAgent

    DISCUSSION

    HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.

    IMPACT

    Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing together with cross-site scripting to retrieve the value of HttpOnly cookies.

    REMEDIATION

    For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE.

    For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.

    2. Possible Source Code Disclosure

    Classification Information

    Resource /Movie/main.php

    Risk Medium

    REQUEST

    GET /Movie/main.php

    RESOURCE CONTENT

    Possible PHP code:

    DISCUSSION

    Vega has detected fragments of text that match signatures of application source code. Application source code unintentionally visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code.

    IMPACT

    Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).

    REMEDIATION

    The developer should verify that the output detected by Vega is in fact application source code. The cause should be determined, and the material removed or prevented from being output.

    Low Risk: One identified

    1. Directory Listing Detected

    Classification Configuration Error

    Resource /Movie/

    Risk Low

    REQUEST

    GET /Movie/

    RESOURCE CONTENT

    Index of /Movie (listing columns: Name, Last modified, Size, Description)

    http://localhost/Movie/first.php

    Medium Risk: 3 found

    1. HTTP Trace Support Detected

    Classification Configuration Error

    Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

    Method TRACE

    Risk Medium

    REQUEST

    TRACE /


    2. Local Filesystem Paths Found

    Classification Information

    Resource /Movie/first.php

    Risk Medium

    REQUEST

    GET /Movie/first.php

    RESOURCE CONTENT

    C:\xampp\htdocs\Movie\first.php

    DISCUSSION

    Vega has detected a possible absolute filesystem path (i.e. one that is not relative to the web root). This information is sensitive, as it may reveal things about the server environment to an attacker. Knowing filesystem layout can increase the chances of success for blind attacks. Full system paths are very often found in error output. This output should never be sent to clients on production systems. It should be redirected to another output channel (such as an error log) for analysis by developers and system administrators.

    IMPACT

    Vega has detected what may be absolute filesystem paths in scanned content. Disclosure of these paths reveals information about the filesystem layout. This information can be sensitive; its disclosure can increase the chances of success for other attacks.

    REMEDIATION

    Absolute paths are often found in error output. Both the system administrators and developers should be made aware, as the problem may be due to an application error or server misconfiguration. Error output containing sensitive information such as absolute system paths should not be sent to remote clients on production servers. This output should be sent to another output stream, such as an error log.

    3. Possible Source Code Disclosure

    Classification Information

    Resource /Movie/first.php

    Risk Medium

    REQUEST

    GET /Movie/first.php

    RESOURCE CONTENT

    Possible PHP code:


    Low Risk: 1 identified

    1. Directory Listing Detected

    Classification Configuration Error

    Resource /Movie/

    Risk Low

    REQUEST

    GET /Movie/

    RESOURCE CONTENT

    Index of /Movie (listing columns: Name, Last modified, Size, Description)

    IMPACT

    The server is outputting the contents of directories. This could expose files not meant for user retrieval (old htaccess files, backups, source code). The directory listing may additionally provide useful information about the system layout and characteristics, such as naming conventions used by the developers and administrators. This information can increase the probability of success for blind attacks and brute force guessing.

    REMEDIATION

    For Apache, do one of the following: add "IndexIgnore *" to the directory's .htaccess file, or alternatively remove "Indexes" from the line "Options All Indexes FollowSymLinks MultiViews" in your Apache configuration file.

    For lighttpd, change "dir-listing.activate = "enable"" to "dir-listing.activate = "disable"" in your lighttpd configuration file.

    Info: Possible AJAX code detected

    Classification Information

    Resource /Movie/first.php

    Risk Info

    REQUEST

    GET /Movie/first.php

    RESOURCE CONTENT

    function showmovie(str) {
      if (str=="") {
        document.getElementById("movie").innerHTML="";
        return;
      }
      if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
        ...

    DISCUSSION

    AJAX (Asynchronous Javascript and XML) refers to a collection of technologies used to make the user experience of web applications more interactive. AJAX functionality often involves the asynchronous sending of requests and processing of their responses using Javascript, without requiring page reloads. The endpoints on the server side often accept parameters, making them injection points where vulnerabilities could exist.

    IMPACT

    Vega has detected content indicating the use of AJAX, which points to possible injection points where vulnerabilities may exist.

    The AJAX backend API should be manually inspected for vulnerabilities.

    REMEDIATION

    This is not a vulnerability. This alert is only to flag that code associated with use of AJAX has been detected in scanned content. Backend AJAX interfaces can expose possible vulnerabilities and manual inspection should be included in any comprehensive security assessment.
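    The backend that first.php's showmovie(str) calls is the kind of injection point the AJAX finding refers to; this is an added example of how that endpoint can be written defensively, not the case study's own code. The file name getmovie.php, the query parameter q, the table movies(city, title) and the database credentials are assumptions.

```php
<?php
// getmovie.php (hypothetical name): the endpoint first.php's showmovie(str)
// requests via XMLHttpRequest. Added example, not the case study's code.
// Assumptions: table `movies(city, title)`, parameter `q` carrying the selected
// city, placeholder database credentials.
header('Content-Type: text/html; charset=UTF-8');  // explicit charset for the fragment

$city = isset($_GET['q']) ? (string) $_GET['q'] : '';
if ($city === '') {
    echo '<option value="">--Select movie--</option>';
    exit;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'movie_booking');
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error);
    http_response_code(500);   // no path or driver message reaches the client
    exit;
}

// The city is user input from the AJAX call: bind it, do not interpolate it.
$stmt = $db->prepare('SELECT title FROM movies WHERE city = ? ORDER BY title');
$stmt->bind_param('s', $city);
$stmt->execute();
$stmt->bind_result($title);

echo '<option value="">--Select movie--</option>';
while ($stmt->fetch()) {
    // Escape on output: a title containing < or " must not become markup
    // when first.php assigns the response to innerHTML.
    $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    echo '<option value="' . $safe . '">' . $safe . '</option>';
}
$stmt->close();
```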

    http://localhost/Movie/schedule.php

    High Risk: 2 found

    1. Session Cookie Without HttpOnly Flag

    Classification Information

    Resource /Movie/schedule.php

    Risk High

    REQUEST

    GET /Movie/schedule.php

    RESOURCE CONTENT

    PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/

    DISCUSSION

    Vega has detected that a session cookie may have been set without the HttpOnly flag. When this flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature, attacker-supplied script code will not be able to access the cookie.

    REMEDIATION

    When creating the cookie in the code, set the HttpOnly flag to true.

    2. Session Cookie Without Secure Flag

    Classification Information

    Resource /Movie/schedule.php

    Risk High

    REQUEST

    GET /Movie/schedule.php

    RESOURCE CONTENT

    PHPSESSID=n0uan01hclpp8r9l14fos1eg66; path=/

    DISCUSSION

    Vega has detected that a known session cookie may have been set without the secure flag.

    IMPACT

    Cookies can be exposed to network eavesdroppers. Session cookies are authentication credentials; attackers who obtain them can get

    unauthorized access to affected web applications.

    REMEDIATION

    When creating the cookie in the code, set the secure flag to true.

    Medium Risk: 2 identified

    1. HTTP Trace Support Detected

    Classification Configuration Error

    Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

    Method TRACE

    Risk Medium

    REQUEST

    TRACE /


    2. Local Filesystem Paths Found

    Classification Information

    Resource /Movie/schedule.php

    Risk Medium

    REQUEST

    GET /Movie/schedule.php

    RESOURCE CONTENT

    C:\xampp\htdocs\Movie\schedule.php


    Low Risk: 1 found

    1. Directory Listing Detected

    Classification Configuration Error

    Resource /Movie/

    Risk Low

    REQUEST

    GET /Movie/

    RESOURCE CONTENT

    Index of /Movie (listing columns: Name, Last modified, Size, Description)


    http://localhost/Movie/book.php

    Medium Risk: 3 found

    1. HTTP Trace Support Detected

    Classification Configuration Error

    Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

    Method TRACE

    Risk Medium

    REQUEST

    TRACE /


    2. Local Filesystem Paths Found

    Classification Information

    Resource /Movie/book.php

    Risk Medium

    REQUEST

    GET /Movie/book.php

    RESOURCE CONTENT

  • C:\xampp\htdocs\Movie\book.php


    3. Possible Source Code Disclosure

    Classification Information

    Resource /Movie/book.php

    Risk Medium

    REQUEST

    GET /Movie/book.php

    RESOURCE CONTENT

    Possible PHP code:

    session_start(); ?>


    Low Risk: 1 found

    1. Directory Listing Detected

    Classification Configuration Error

    Resource /Movie/

    Risk Low

    REQUEST

    GET /Movie/

    RESOURCE CONTENT

    Index of /Movie (listing columns: Name, Last modified, Size, Description)

    http://localhost/Movie/booked.php

    Medium Risk: 2 found

    1. HTTP Trace Support Detected

    Classification Configuration Error

    Resource Apache/2.4.7 (Win32) OpenSSL/0.9.8y PHP/5.4.22

    Method TRACE

    Risk Medium

    REQUEST

    TRACE /


    2. Possible Source Code Disclosure

    Classification Information

    Resource /Movie/booked.php

    Risk Medium

    REQUEST

    GET /Movie/booked.php

    RESOURCE CONTENT

    Possible PHP code:


    Low Risk: 1 found

    1. Directory Listing Detected

    Classification Configuration Error

    Resource /Movie/

    Risk Low

    REQUEST

    GET /Movie/

    RESOURCE CONTENT

    Index of /Movie (listing columns: Name, Last modified, Size, Description)

    DISCUSSION

    Listing directory contents when no index file is present is a common misconfiguration. The directory contents can provide useful information to an attacker, especially if there are files that are not meant to be accessible, such as source code or backups. The directory listing may also provide useful information about the habits of the server administrators and/or web developers, such as file naming conventions, that could be used to increase the probable success of brute-force or other attacks.


    Info: 1 found

    1. Character Set Not Specified

    Classification Information

    Resource /Movie/booked.php

    Risk Info

    REQUEST

    GET /Movie/booked.php

    RESOURCE CONTENT

    /Movie/booked.php

    DISCUSSION

    Vega has detected that the resource has not specified a character set in the response. If the character set is not specified, the browser may make assumptions about the character set based on resource content. This may present a security concern if the affected resource contains dynamically-generated content that originates from users. In such a case, malicious users may potentially take advantage of how specific browsers interpret characters to cause malicious content to be rendered. For example, an attacker may be able to bypass a cross-site scripting filter by encoding their malicious payload in an alternate character set, which may be executed depending on how the browser interprets the encoded content.

    REMEDIATION

    Specify a well-defined character set (such as UTF-8) within the response header content-type or the response body.
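    One PHP bootstrap include, added as an example (not the case study's code), that applies the application-side remediations from the findings above: HttpOnly and Secure on the PHPSESSID cookie, errors logged instead of displayed so absolute paths such as C:\xampp\htdocs\Movie\... never reach the client, and an explicit UTF-8 charset. The file name bootstrap.php and the log path are assumptions; TraceEnable and directory indexes are Apache settings and stay in the server configuration as the report states.

```php
<?php
// bootstrap.php (hypothetical name): require_once this first on every page,
// then call session_start(). Added example, not the case study's code.

// Findings 1 and 2 under schedule.php: session cookie flags. These must be set
// before session_start() emits the Set-Cookie header.
ini_set('session.cookie_httponly', 1);   // not readable via document.cookie
ini_set('session.cookie_secure', 1);     // sent only over HTTPS (assumes the site is served over TLS)
ini_set('session.use_only_cookies', 1);  // never accept a session id from the URL

// Local Filesystem Paths Found: errors go to the log, not into the response.
ini_set('display_errors', 0);
ini_set('log_errors', 1);
ini_set('error_log', 'PATH_TO_ERROR_LOG');   // placeholder; a file outside the web root
error_reporting(E_ALL);                      // still record everything in the log

// Character Set Not Specified: declare the charset on every response.
header('Content-Type: text/html; charset=UTF-8');
```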

    Log details of the tool used and observations

11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.455 ms [worst: 1 ms @(/) ] for Insecure Script Include 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/first.php) ] for Internal IP Addressess 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module

  • 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/first.php) ] for Cleartext Password Over HTTP 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.909 ms [worst: 9 ms @(/Movie/first.php) ] for Source Code Disclosure Module 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Character Set Not Specified 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Empty Reponse Body Module 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for Unsafe Or Unrecognized Character Set 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 5.364 ms [worst: 13 ms @(/Movie/first.php) ] for Interesting Meta Tag Detection 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Form autocomplete 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 1.909 ms [worst: 11 ms @(/Movie/first.php) ] for AJAX Detector 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 2.818 ms [worst: 15 ms @(/Movie/) ] for Directory Listing Detection 11:33:09 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Scope Detection 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Eval Code Injection 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XML Injection checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/first.php]) ] for HTTP Header Injection checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:33:09 PM [INFO] (scanner) 
Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 20.400 ms [worst: 86 ms @(STATE: [GET /Movie/first.php]) ] for HTTP Trace Probes 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Local File Include Checks

  • 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Text Injection Differential Checks 11:33:09 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:35:45 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] Publishing Alert: (vinfo-paths) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-secure) [/Movie/schedule.php] Publishing Alert: (vinfo-sessioncookie-httponly) [/Movie/schedule.php] 11:36:27 PM [INFO] (scanner) Crawler finished 11:36:27 PM [INFO] (scanner) Scanner completed 11:36:27 PM [INFO] (scanner) Scanning module runtime statistics: 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 4.000 ms [worst: 24 ms @(/Movie/schedule.php) ] for Path Disclosure 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 1.455 ms [worst: 12 ms @(/Movie/) ] for Insecure Cross-Domain 
Policy 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/) ] for File Upload Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/schedule.php) ] for WSDL Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.636 ms [worst: 1 ms @(/) ] for Insecure Script Include 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess

  • 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 5.909 ms [worst: 41 ms @(/Movie/schedule.php) ] for Cookie Security Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/schedule.php) ] for Cleartext Password Over HTTP 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for Source Code Disclosure Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/) ] for Character Set Not Specified 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Empty Reponse Body Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Unsafe Or Unrecognized Character Set 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 4.091 ms [worst: 9 ms @(/Movie/schedule.php) ] for Interesting Meta Tag Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Form autocomplete 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for AJAX Detector 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 2.182 ms [worst: 15 ms @(/Movie/) ] for Directory Listing Detection 11:36:27 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/schedule.php) ] for Cookie Scope Detection 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/schedule.php]) ] for Eval Code Injection 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for XML Injection checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for HTTP Header Injection checks 11:36:27 PM [INFO] 
(scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 4.800 ms [worst: 6 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Local File Include Checks

  • 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Text Injection Differential Checks 11:36:27 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:36:53 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] Publishing Alert: (vinfo-paths) [/Movie/book.php] Publishing Alert: (vinfo-source) [/Movie/book.php] 11:37:16 PM [INFO] (scanner) Crawler finished 11:37:16 PM [INFO] (scanner) Scanner completed 11:37:16 PM [INFO] (scanner) Scanning module runtime statistics: 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 4.182 ms [worst: 26 ms @(/Movie/book.php) ] for Path Disclosure 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/book.php) ] for HTTP Authentication Over Unencrypted HTTP 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.909 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.545 ms [worst: 11 ms @(/Movie/) ] for Insecure Cross-Domain Policy 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 3 ms @(/Movie/book.php) ] for File Upload Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for WSDL Detector 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.364 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:37:16 PM [INFO] 
(scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Header Checks 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Insecure Script Include 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 2 ms @(/Movie/book.php) ] for Cleartext Password Over HTTP

  • 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 2.091 ms [worst: 10 ms @(/Movie/book.php) ] for Source Code Disclosure Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Character Set Not Specified 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Empty Reponse Body Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Unsafe Or Unrecognized Character Set 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 4.727 ms [worst: 11 ms @(/Movie/book.php) ] for Interesting Meta Tag Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Oracle Application Server Fingerprint Module 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Form autocomplete 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/book.php) ] for AJAX Detector 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Version Control String Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 2.455 ms [worst: 14 ms @(/Movie/) ] for Directory Listing Detection 11:37:16 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Scope Detection 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/book.php]) ] for Eval Code Injection 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for XML Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for HTTP Header Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:37:16 PM [INFO] (scanner) 
Invocations: 5 Average: 5.000 ms [worst: 7 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.400 ms [worst: 1 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Local File Include Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks

  • 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/book.php]) ] for Blind SQL Text Injection Differential Checks 11:37:16 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks 11:38:11 PM [INFO] (scanner) Starting crawling phase Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vdirlist) [/Movie/] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] Publishing Alert: (vinfo-source) [/Movie/booked.php] Publishing Alert: (vinfo-missing-charset) [/Movie/booked.php] 11:38:34 PM [INFO] (scanner) Crawler finished 11:38:34 PM [INFO] (scanner) Scanner completed 11:38:34 PM [INFO] (scanner) Scanning module runtime statistics: 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Path Disclosure 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for HTTP Authentication Over Unencrypted HTTP 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.000 ms [worst: 2 ms @(/Movie/) ] for Error Page Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 1.091 ms [worst: 11 ms @(/Movie/) ] for Insecure Cross-Domain Policy 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for File Upload Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/booked.php) ] for WSDL Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.273 ms [worst: 1 ms @(/) ] for RSS/Atom/OPL Feed Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for HTTP Header Checks 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.727 ms [worst: 1 ms @(/) ] for Insecure Script 
Include 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Internal IP Addressess 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.000 ms [worst: 0 ms @(/) ] for Cookie Security Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.818 ms [worst: 1 ms @(/) ] for Cleartext Password Over HTTP 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 3.909 ms [worst: 24 ms @(/Movie/booked.php) ] for Source Code Disclosure Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 2.182 ms [worst: 16 ms @(/Movie/booked.php) ] for Character Set Not Specified

  • 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Empty Reponse Body Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.182 ms [worst: 1 ms @(/Movie/) ] for Unsafe Or Unrecognized Character Set 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 4.182 ms [worst: 10 ms @(/Movie/booked.php) ] for Interesting Meta Tag Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Oracle Application Server Fingerprint Module 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.545 ms [worst: 1 ms @(/) ] for Form autocomplete 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/) ] for AJAX Detector 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/Movie/booked.php) ] for Version Control String Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 2.727 ms [worst: 24 ms @(/Movie/) ] for Directory Listing Detection 11:38:34 PM [INFO] (scanner) Invocations: 11 Average: 0.091 ms [worst: 1 ms @(/) ] for Cookie Scope Detection 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Eval Code Injection 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XML Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/booked.php]) ] for HTTP Header Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Remote File Include Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Shell Injection Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 5.400 ms [worst: 6 ms @(STATE: [GET /]) ] for HTTP Trace Probes 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Blind SQL Injection Arithmetic Evaluation Differential 
Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for URL Injection checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for Cross Domain Policy Auditor 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/]) ] for Local File Include Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /]) ] for Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.200 ms [worst: 1 ms @(STATE: [GET /Movie/booked.php]) ] for Blind SQL Text Injection Differential Checks 11:38:34 PM [INFO] (scanner) Invocations: 5 Average: 0.000 ms [worst: 0 ms @(STATE: [GET /]) ] for XSS Injection checks