B1ueD0g

BlueDog's Home

Vulnerability & Fix Recommendation Specification Description

Risk Rating Standards#

Severely Unsafe System

  • A system with one or more severe vulnerabilities, or more than three high-risk vulnerabilities.

High-Risk Unsafe System

  • A system with one or more high-risk vulnerabilities, or more than five medium-risk vulnerabilities.

Medium-Risk Unsafe System

  • A system with one or more medium-risk vulnerabilities, or more than five low-risk vulnerabilities.

Low-Risk Unsafe System

  • A system with no medium or high-risk vulnerabilities, but with more than five low-risk vulnerabilities.

Safe System

  • A system with no medium or high-risk vulnerabilities, and with five or fewer low-risk vulnerabilities.

Vulnerability Rating Criteria#

Severe Vulnerabilities

  1. Vulnerabilities that directly gain access to business server permissions or important data, including but not limited to command execution, webshell uploads, code execution, and SQL injection to obtain large amounts of important data.
  2. Logic vulnerabilities that severely affect system business and data security, including but not limited to arbitrary account password reset or change vulnerabilities, arbitrary account fund consumption, systems easily exploited, severe privilege escalation vulnerabilities, unauthorized access to backend management systems, and serious sensitive information leaks.
  3. Vulnerabilities that directly lead to denial of service for core business, including remote denial of service vulnerabilities that directly cause online core applications, systems, and servers to be unable to continue providing services.

High-Risk Vulnerabilities

  1. Sensitive information leakage vulnerabilities, including but not limited to source code archive leaks, SQL injection, privilege escalation, or direct access to large amounts of user and employee information.
  2. Account brute-force cracking vulnerabilities.
  3. Vulnerabilities that allow remote access to client and server permissions, including but not limited to SSRF, remote buffer overflow, stored XSS, and XSS that can obtain cookies and other sensitive information.

Medium-Risk Vulnerabilities

  1. Ordinary information leakage, including but not limited to SQL injection that does not involve sensitive data, limited impact on data volume or sensitivity, and information leakage of source code or system logs.
  2. Vulnerabilities that require victim interaction or other preconditions to obtain user identity information, including but not limited to JSON Hijacking containing user and website sensitive data, CSRF for important operations (such as payment operations, posting information, or modifying sensitive personal account information), and reflected XSS.
  3. Ordinary logic flaws and privilege escalation vulnerabilities.

Low-Risk Vulnerabilities

  1. Minor information leakage, including but not limited to path disclosure, SVN information leakage, phpinfo pages, and exception or debugging information, logs and configuration that contain a small number of sensitive fields.
  2. Vulnerabilities with limited application scenarios that are hard to exploit, including but not limited to limited reflected XSS or self-XSS, SMS/email bombing, URL redirection, and CSRF for sensitive operations.

Security Control Recommendations#

Authentication

  • For systems with weak passwords, it is necessary to urge users to change their passwords while enhancing their security awareness, or to use policies to enforce password length and complexity.
  • For services with weak or empty passwords, key services should strengthen password strength, and encrypted transmission methods should be used. For services that can be disabled, it is recommended to close them for security purposes or restrict access to specified IP ranges.
  • For systems or services with CAPTCHA functionality, protection cannot be limited to the frontend; secondary detection must be performed in the backend to ensure both frontend and backend are fortified.
  • Different systems and hosts should adopt different passwords with strong complexity according to password rules.
  • Inspect services on both the internal and external networks for weak passwords.

Application

Host

APP

Code

  • Strictly distinguish between code and data, and take restriction or filtering measures at any position where user input or interaction exists.
  • When uploading files, perform legality checks on file attributes on the server side, check document types (such as file extensions, file header information checks, etc.) and sizes (image checks for length, width, and pixels, etc.) in a whitelist manner.
  • During development, prioritize using the latest stable versions of the corresponding framework libraries and pay attention to the security patches released by the corresponding official libraries in a timely manner.
  • Following the enterprise's software security management structure, assign roles according to the expertise of security-related staff, form a security team, and document the arrangement.

Authentication#

Weak Passwords/Empty Passwords#

Weak Passwords in Web Backend Systems

Vulnerability Rating Recommendation: High

Vulnerability Type: Authentication Flaw

  • Details

    Due to weak passwords in user accounts on the website, attackers can easily log into the website using weak passwords, leading to further attacks, such as uploading webshells and obtaining sensitive data. Additionally, attackers can log into the website management backend using weak passwords to perform any administrator operations.

  • Harm Caused

    Attackers can directly enter the application system or management system using this vulnerability, leading to tampering and deletion of systems, web pages, and data, illegally obtaining system and user data, and potentially causing server compromise.

  • Remediation Recommendations

    • User Level

      1. Do not use common weak passwords as passwords.
      2. Do not use the same password across multiple systems or social accounts.
      3. Change passwords regularly.
      4. It is recommended to use random values or randomly generated strings as system passwords.
    • System Level

      1. Increase human verification mechanisms and limit IP access attempts.
      2. Add graphical CAPTCHA to the login interface on the server side and ensure it is destroyed after use.
      3. Force users to change default passwords upon first login or use a strategy for user-defined initial passwords.
      4. Limit login attempts on the server side; if a single IP exceeds the threshold within a certain time, ban it for 30 minutes.
      5. Limit login attempts on the server side; if a single user's password exceeds the threshold for incorrect attempts within a certain time, ban it for 20 minutes.
      6. Enforce strong password policies for password-related actions such as changing passwords and adding accounts (uppercase and lowercase letters + numbers + special characters + 8 characters or more).
      7. Improve password policies; the best practice for information security password policies is at least 8 characters, including at least 3 of the following: numbers, uppercase letters, lowercase letters, and special characters.
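The password rules above as a checker that reports every violation at once, written as an added example (not code from the original specification); the weak-password list is a small constructed sample, and the 3-of-4 class default can be raised to the all-four-classes rule:

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample of common weak passwords (lower-cased); a deployment loads a full list.
COMMON_WEAK_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "admin123", "admin@123", "abc123", "111111",
}

# The four character classes counted by the policy.
_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}


def check_password(password: str, history: Iterable[str] = (),
                   min_length: int = 8, min_classes: int = 3) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Defaults follow the best-practice policy above: at least 8 characters and at least
    3 of the 4 classes. Use min_classes=4 for the stricter "all four classes" rule.
    `history` holds the account's earlier passwords; in production the comparison is
    made against their stored hashes rather than plaintext.
    """
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = sum(1 for rx in _CLASSES.values() if rx.search(password))
    if present < min_classes:
        problems.append(f"only {present} of 4 character classes (need {min_classes})")
    if password.lower() in COMMON_WEAK_PASSWORDS:
        problems.append("appears in the common weak-password list")
    if password in history:
        problems.append("matches a previously used password")
    return problems
```

Note that "Admin@123" satisfies every complexity rule and is still rejected, which is why the weak-password list check is not optional.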

FTP Weak Passwords

Vulnerability Rating Recommendation: High, downgrade to Medium if no actual exploitation point

Vulnerability Type: Authentication Flaw

  • Details

    During penetration testing, it was found that the remote FTP Server allows login with weak password combinations.

  • Harm Caused

    This may allow attackers to upload malicious files or download sensitive files.

  • Remediation Recommendations

    1. Do not use common weak passwords as passwords.
    2. Change passwords regularly.
    3. Update FTP services to the latest version promptly.
    4. Use a whitelist approach to only allow authorized host IPs to access this port, preventing the vulnerability from being maliciously exploited.

FTP Anonymous Login

Vulnerability Rating Recommendation: High, downgrade to Medium if no actual exploitation point

Vulnerability Type: Access Control Flaw

  • Details

    During penetration testing, it was found that the target host's open FTP service allows anonymous user login.

  • Harm Caused

    Hackers can directly log into the FTP service using weak passwords or anonymous login vulnerabilities to upload malicious files, thereby gaining system permissions and potentially causing data leakage.

  • Remediation Recommendations

    1. Disable anonymous access.
    2. Do not use common weak passwords as passwords.
    3. Change passwords regularly.
    4. Update FTP services to the latest version promptly.
    5. Use a whitelist approach to only allow authorized host IPs to access this port, preventing the vulnerability from being maliciously exploited.

SSH Weak Passwords

Vulnerability Rating Recommendation: High

Vulnerability Type: Authentication Flaw

  • Details

    The SSH weak password vulnerability refers to Linux system account passwords that are too short or insufficiently complex, for example containing only digits or only letters, and are therefore easy to crack. Attackers who obtain such a password can log into the SSH server directly, read or even modify website code, or compromise the server.

  • Harm Caused

    After successfully brute-forcing the login, attackers can fully control the machine, and even low-privilege accounts can escalate privileges for further damage.

  • Remediation Recommendations

    1. Change passwords and increase password complexity, such as including uppercase and lowercase letters, numbers, and special characters.
    2. Change default passwords to avoid them being guessed.
    3. Specify a robust password policy, such as requiring password changes every 30 days, and passwords must not match historical passwords.
    4. Use a whitelist approach to only allow authorized host IPs to access this port, preventing the vulnerability from being maliciously exploited.

Database Weak Passwords

Vulnerability Rating Recommendation: High

Vulnerability Type: Authentication Flaw

  • Details

    The database weak password vulnerability refers to a database administrator password that is too short or insufficiently complex, for example containing only digits or only letters, and is therefore easy to crack. Once an attacker obtains it, they can log into the database directly, read or even modify files on the server, or compromise the server.

  • Harm Caused

    Attackers can directly manipulate the database and even escalate privileges to gain server permissions.

  • Remediation Recommendations

    1. Change passwords and increase password complexity, such as including uppercase and lowercase letters, numbers, and special characters.
    2. Change default passwords to avoid them being guessed.
    3. Specify a robust password policy, such as requiring password changes every 30 days, and passwords must not match historical passwords.
    4. Use a whitelist approach to only allow authorized host IPs to access this port, preventing the vulnerability from being maliciously exploited.

XXX Weak Passwords/Empty Passwords

Vulnerability Rating Recommendation: High, downgrade to Medium if no actual exploitation point

Vulnerability Type: Authentication Flaw

  • Details

    During penetration testing, it was found that the target server has a weak password issue for the XXX service.

  • Harm Caused

    After successfully brute-forcing the login, attackers can fully control the machine, and even low-privilege accounts can escalate privileges for further damage.

    Or

    After successfully brute-forcing the login, attackers can fully control the target database, allowing them to steal or tamper with data.

  • Remediation Recommendations

    1. Accounts should not use weak passwords; it is recommended that password strength be 8 characters or more, with a mix of uppercase, lowercase, and numbers.
    2. Only allow whitelisted IPs to log in.

XXX Backend Without Security Authentication

Vulnerability Rating Recommendation: High, downgrade to Medium if no actual exploitation point

Vulnerability Type: Access Control Flaw

  • Details

    During penetration testing, it was found that the target XXX service has no security authentication.

  • Harm Caused

    Attackers can directly enter the application system or management system using this vulnerability, leading to tampering and deletion of systems, web pages, and data, illegally obtaining system and user data, and potentially causing server compromise.

  • Remediation Recommendations

    • User Level
      1. Do not use common weak passwords as passwords.
      2. Do not use the same password across multiple systems or social accounts.
      3. Change passwords regularly.
      4. It is recommended to use random values or randomly generated strings as system passwords.
    • System Level
      1. Force users to change default passwords after the first login.
      2. Enforce strong password policies for password-related actions such as changing passwords and adding accounts (uppercase and lowercase letters + numbers + special characters + 8 characters or more).
      3. Add graphical CAPTCHA to the login interface on the server side and ensure it is destroyed after use.
      4. Limit login attempts on the server side; if a single IP exceeds the threshold within a certain time, ban it for 30 minutes.
      5. Limit login attempts on the server side; if a single user's password exceeds the threshold for incorrect attempts within a certain time, ban it for 20 minutes.

Authentication Flaws#

Logical Universal Key

Vulnerability Rating Recommendation: High

Vulnerability Type: Access Control Flaw

  • Details

    On the backend login page, the backend SQL statement filtering is not strict, allowing attackers to send specific data packets to log into the backend directly.

  • Harm Caused

    Attackers can directly enter the application system or management system using this vulnerability, leading to tampering and deletion of systems, web pages, and data, illegally obtaining system and user data, and potentially causing server compromise.

  • Remediation Recommendations

    1. Securely filter user-submitted parameters, escaping special characters (such as ( ) , * & ^ % #) and applying safe encoding conversions.
    2. Encrypt user-submitted parameters before comparing them with the stored ciphertext in the database.
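Both recommendations above in one hardened login routine, written here as an added example (not code from the original page): the query is parameterised so submitted values can never change the SQL statement, and the password is hashed with PBKDF2 in application code and compared against the stored hash rather than inside the query. The in-memory SQLite table and the 'admin' account are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'hex(salt)$hex(digest)'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a throwaway password, so a lookup for an unknown user costs the same time.
_DUMMY_HASH = hash_password("dummy-password")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one account (the 'admin' user is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password("S3cure#Pass!")))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened login check.

    The username is bound as a query parameter, so whatever characters it contains it is
    treated as a value and cannot alter the statement's structure. The password is never
    placed in the SQL text at all: the stored hash is fetched and verified in code.
    """
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, _DUMMY_HASH)  # equalise timing for unknown usernames
        return False
    return verify_password(password, row[0])
```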

Bypassing Frontend Restrictions to Log In

Vulnerability Rating Recommendation: High

Vulnerability Type: Access Control Flaw

  • Details

    During login, intercepting the server's response and modifying the returned value (for example to 200, indicating success) bypasses the frontend-only restriction and logs the attacker into the target user's account.

  • Harm Caused

    This means that it is not necessary to know the user's password to bypass authentication restrictions and log into the user account, leading to serious risks such as user information leakage and illegal operations on user accounts.

  • Remediation Recommendations

    1. Delegate identity verification to the backend.
    2. Implement login restrictions.
    3. Do not use common weak passwords as passwords.
    4. Do not use the same password across multiple systems or social accounts.

Brute Force Risk

Vulnerability Rating Recommendation: Low, downgrade to Information if no actual exploitation point

Vulnerability Type: Brute Force

  • Details

    Due to the lack of relevant human verification mechanisms on the login page, such as no CAPTCHA, or CAPTCHA that can be reused, and no login error attempt limits, attackers can brute force user login accounts and passwords.

    Or

    On the backend login page, clear error messages during login allow attackers to determine whether a username exists, enabling brute force attacks on that username.

    Or

    On the backend login page, clear error messages during login and no access control for failed logins allow attackers to continuously brute force login passwords.

  • Harm Caused

    Attackers can perform slow brute force attacks on known usernames, further brute forcing passwords to gain access to the backend.

  • Remediation Recommendations

    1. Add human verification mechanisms.
    2. Modify error messages to strengthen logical authentication.
    3. For management systems, configure allowed IP ranges for login users.
    4. If a certain IP exceeds the set threshold for login attempts, lock the IP.
    5. CAPTCHA must be validated on the server side; all client-side validations are insecure.
    6. If a user's login attempts exceed the set threshold, lock the account (there is a risk of malicious login locking the account).
    7. Limit login attempts; use either remote IP or username to lock; if there are more than 3 failed attempts within 5 minutes, lock for 1-3 hours.

CAPTCHA Bypass

Vulnerability Rating Recommendation: Low, downgrade to Information if no actual exploitation point

Vulnerability Type: Access Control Flaw

  • Details

    On the backend login page, the CAPTCHA is only validated on the frontend, allowing attackers to bypass it during account brute force attempts.

    Or

    On the backend login page, the CAPTCHA is only validated once, allowing attackers to intercept the first packet to bypass and perform account brute force.

  • Harm Caused

    By bypassing the CAPTCHA, attackers significantly reduce the difficulty of brute forcing the backend.

  • Remediation Recommendations

    1. CAPTCHA should be randomly generated on the backend, and its content should not appear in the client's webpage source code or response data packets.
    2. CAPTCHA should have background interference, with elements that include color, position, and quantity that change randomly.
    3. CAPTCHA should be validated on the backend and should become invalid after use.
    4. CAPTCHA needs to be submitted to the backend for validation along with request parameters in different scenarios, prioritizing CAPTCHA validation.
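Recommendations 1, 3 and 4 above as server-side code, added here as an example (not the original page's code): the answer is generated with a CSPRNG and kept only on the server, a challenge is consumed on its first check whether or not the answer was right, and the login handler validates the CAPTCHA before it looks at any other parameter. Image rendering, the 120-second lifetime and the `authenticate` callback are assumptions.

```python
from __future__ import annotations
import hmac
import secrets
import string
import time
from dataclasses import dataclass

CAPTCHA_TTL_SECONDS = 120  # assumption: the recommendations give no lifetime
CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class _Challenge:
    answer: str
    expires_at: float


class CaptchaStore:
    """Server-side CAPTCHA state keyed by session id. The answer lives only here; the
    client receives the rendered image (rendering is outside this example), never the text."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, _Challenge] = {}

    def issue(self, session_id: str, length: int = 5) -> str:
        """Generate a fresh CSPRNG answer, replacing any earlier challenge for the session.
        The answer is returned only so the caller can render it into an image."""
        answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
        self._pending[session_id] = _Challenge(answer, self._now() + CAPTCHA_TTL_SECONDS)
        return answer

    def verify(self, session_id: str, submitted: str) -> bool:
        """Single-use check: the challenge is removed before it is compared, so neither a
        wrong guess nor a replayed correct answer can be tried against it again."""
        challenge = self._pending.pop(session_id, None)
        if challenge is None or self._now() > challenge.expires_at:
            return False
        return hmac.compare_digest(challenge.answer.encode(),
                                   submitted.strip().upper().encode())


def handle_login(store: CaptchaStore, session_id: str, form: dict, authenticate) -> str:
    """Login handler sketch: the CAPTCHA is checked first, and the credentials are looked
    at only after it passes. `authenticate(username, password)` is an assumed callback."""
    if not store.verify(session_id, form.get("captcha", "")):
        return "captcha_invalid"
    if authenticate(form.get("username", ""), form.get("password", "")):
        return "ok"
    return "bad_credentials"
```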

SMS Verification Code Can Be Brute Forced

Vulnerability Rating Recommendation: Situational; 4-digit codes are High Risk, 6-digit codes are Medium Risk

Vulnerability Type: Access Control Flaw

  • Details

    On the user registration page, due to the lack of limits on SMS verification code validation attempts, attackers can brute force the verification code content through dictionary attacks, leading to user account access.

  • Harm Caused

    Attackers can repeatedly validate the SMS verification code, gaining access to the backend after successful brute forcing.

  • Remediation Recommendations:

    1. Limit the number of SMS verification code validation attempts, with the check enforced on the backend.
    2. For the same phone number, do not allow resending the verification code within 60 seconds, and limit total sends to no more than 5 times within 24 hours.
    3. Add IP restrictions; for example, if a certain IP sends the verification code 3 times within an hour, prohibit that IP from sending verification codes for 6 hours.
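The limits above and the login lockout rule from the Brute Force Risk section (more than 3 failures in 5 minutes locks the IP or username for 1-3 hours) share one sliding-window counter in this added example, which is not code from the original page. The 1-hour lock and the 5-attempt limit on code checks are this example's assumptions; the page gives a range for the first and no number for the second.

```python
from __future__ import annotations
import hmac
import time
from collections import defaultdict, deque


class SlidingWindow:
    """Per-key event timestamps trimmed to a trailing window (in-memory; a shared store
    such as Redis would back this across several application nodes)."""
    def __init__(self, window_seconds: float, now=time.time):
        self.window, self._now = window_seconds, now
        self._events: dict[str, deque] = defaultdict(deque)
    def count(self, key: str) -> int:
        q, cutoff = self._events[key], self._now() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)
    def add(self, key: str) -> int:
        self._events[key].append(self._now())
        return self.count(key)
    def last(self, key: str) -> float | None:
        q = self._events[key]
        return q[-1] if q else None


class Bans:
    """Temporary bans keyed by username, IP or phone number."""
    def __init__(self, now=time.time):
        self._now, self._until = now, {}
    def ban(self, key: str, seconds: float) -> None:
        self._until[key] = self._now() + seconds
    def is_banned(self, key: str) -> bool:
        until = self._until.get(key)
        return until is not None and self._now() < until


class LoginLockout:
    """Brute-force rule: more than 3 failures within 5 minutes locks the key (username or
    source IP) for 1 hour (the page allows 1-3 hours; 1 hour is this example's choice)."""
    def __init__(self, now=time.time):
        self.failures, self.bans = SlidingWindow(5 * 60, now), Bans(now)
    def is_locked(self, key: str) -> bool:
        return self.bans.is_banned(key)
    def record_failure(self, key: str) -> bool:
        """Record one failed login; True when this failure triggers the lock."""
        if self.failures.add(key) > 3:
            self.bans.ban(key, 60 * 60)
            return True
        return False


class SmsSendPolicy:
    """SMS sending limits: 60 s resend cool-down and at most 5 sends per 24 h per phone
    number; 3 sends within an hour from one IP bans that IP from sending for 6 hours."""
    def __init__(self, now=time.time):
        self._now = now
        self.per_phone, self.per_ip = SlidingWindow(24 * 3600, now), SlidingWindow(3600, now)
        self.ip_bans = Bans(now)
    def try_send(self, phone: str, ip: str) -> str:
        """Return 'ok' (and record the send) or the reason the send was refused."""
        if self.ip_bans.is_banned(ip):
            return "ip_banned"
        last = self.per_phone.last(phone)
        if last is not None and self._now() - last < 60:
            return "resend_too_soon"
        if self.per_phone.count(phone) >= 5:
            return "daily_limit"
        self.per_phone.add(phone)
        if self.per_ip.add(ip) >= 3:
            self.ip_bans.ban(ip, 6 * 3600)
        return "ok"


class SmsCodeVerifier:
    """Attempt limit on code checks. The page gives no number, so MAX_ATTEMPTS = 5 is an
    assumption; a code is discarded after one success or after too many wrong guesses."""
    MAX_ATTEMPTS = 5
    def __init__(self):
        self._codes: dict[str, tuple[str, int]] = {}  # phone -> (code, wrong guesses)
    def issue(self, phone: str, code: str) -> None:
        self._codes[phone] = (code, 0)
    def verify(self, phone: str, guess: str) -> bool:
        entry = self._codes.get(phone)
        if entry is None:
            return False
        code, wrong = entry
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[phone]
            return True
        wrong += 1
        if wrong >= self.MAX_ATTEMPTS:
            del self._codes[phone]
        else:
            self._codes[phone] = (code, wrong)
        return False
```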

JWT Token Fixation

Vulnerability Rating Recommendation: High

Vulnerability Type: Authentication Flaw

  • Details

    After a user logs out, the application can still be accessed by attaching the previously issued JWT token. Even if the password is changed, the original JWT token remains usable; the token should instead be derived from the issuance time and the account's password, so that either event invalidates it.

  • Harm Caused

    Attackers can directly enter the application system or management system using this vulnerability, leading to tampering and deletion of systems, web pages, and data, illegally obtaining system and user data, and potentially causing server compromise.

  • Remediation Recommendations

    1. JWT tokens should have a lifespan and automatically expire after a timeout.
    2. Refresh the JWT token after detecting sensitive operations on the user account (such as password changes).
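An added example (not code from the original page) of an HS256 JWT that satisfies both recommendations with the standard library alone: `exp` gives the token a lifetime, a random `jti` lets logout revoke it, and a `pwv` claim derived from the stored password hash makes every token issued before a password change fail verification. The `password_hash_for(username)` lookup and the 900-second lifetime are assumptions.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def password_version(password_hash: str) -> str:
    """Short fingerprint of the stored password hash; it changes whenever the password does."""
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def issue_token(secret: bytes, username: str, password_hash: str,
                ttl_seconds: int = 900, now=time.time) -> str:
    """HS256 JWT carrying exp (lifetime), a random jti (for logout revocation) and pwv
    (password version), so a password change invalidates every earlier token."""
    issued = int(now())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": issued, "exp": issued + ttl_seconds,
               "jti": secrets.token_hex(8), "pwv": password_version(password_hash)}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, password_hash_for, revoked: set[str],
                 now=time.time) -> dict | None:
    """Return the payload when the token is valid, else None. Rejects a malformed token,
    a wrong alg, a bad signature, an expired token, a revoked jti, and a pwv that no
    longer matches the account's current password hash."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if now() >= payload.get("exp", 0) or payload.get("jti") in revoked:
        return None
    stored = password_hash_for(payload.get("sub"))
    if stored is None or payload.get("pwv") != password_version(stored):
        return None
    return payload


def logout(payload: dict, revoked: set[str]) -> None:
    """Revoke a verified token at logout; entries can be dropped once their exp has passed."""
    revoked.add(payload["jti"])
```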

B/S#

Common Vulnerabilities#

Arbitrary Command/Code Execution Vulnerability

Vulnerability Rating Recommendation: High

Vulnerability Type: Code Execution

  • Details

    Arbitrary command/code execution vulnerabilities are usually caused by applications concatenating system commands on the server. Attackers can submit maliciously crafted parameters to disrupt the command statement structure, thereby executing malicious commands.

  • Harm Caused

    Attackers can execute arbitrary commands on the server by exploiting concatenation, pipe symbols, wildcards, and other bypass methods, writing backdoors, thereby compromising the server and gaining server permissions, directly leading to server compromise.

  • Remediation Recommendations

    1. When calling shell commands at the code level, escape special characters in the command line (such as |, &, ;, etc.) to prevent the execution of other illegal commands.
    2. Perform whitelist validation or use regular expressions for filtering based on business logic.
    3. In PHP, use escapeshellarg and escapeshellcmd to escape corresponding sensitive characters.
    4. For sensitive command execution functions, ensure parameter validation and legality checks, or directly disable such functions in the configuration file to prevent users from directly controlling parameters of eval, system, exec, shell_exec, etc.

Arbitrary File Upload Vulnerability

Vulnerability Rating Recommendation: High

Vulnerability Type: File Upload

  • Details

    During the code audit process, it was found that the target site has a file upload vulnerability. The application system does not perform legality checks on the file types, formats, and contents uploaded by users, allowing attackers to upload malicious script files (such as .php, .jsp, .asp, etc.) or unexpected format files like HTML files, SHTML files, etc. Attackers can also use directory traversal characters or control the upload directory to upload files directly to the web directory or any directory, potentially leading to the execution of any malicious script file on the remote server, thereby directly obtaining application system permissions.

  • Harm Caused

    1. Uploading malicious script files to the server and executing the malicious code within those files by accessing them.
    2. Attackers can use directory traversal to upload php, config, etc., overwriting existing system files to tamper with system files or even gain system permissions.
    3. Attackers can upload html, shtm, etc., and write illegal gambling or phishing SEO pages or write malicious js files to illegally obtain user information.
  • Remediation Recommendations

    • Code Level
      • The server should use a whitelist approach to validate file extensions; a blacklist approach is not recommended, as attackers can exploit file-format characteristics, system characteristics, and gaps in the blacklist to bypass the check.
      • The server should rename uploaded files to prevent directory traversal from controlling the upload directory.
      • The server should use system functions to determine whether the file type and content are valid, such as PHP's getimagesize.
      • Do not echo the relative path of uploaded files or display the path.
      • Limit file upload types and sizes, ensuring that uploaded files are correctly returned.
    • Other Levels
      • It is recommended to use OSS static storage servers to store user-uploaded files.
      • Set directory permission restrictions, prohibiting execution permissions on upload directories.
      • Ensure that the versions of Nginx, Apache, IIS, and other containers used do not have parsing vulnerabilities.
      • Ensure that the versions of third-party processing software, such as FFmpeg, ImageMagick, etc., do not have known vulnerabilities.
      • Ensure that uploaded files are stored in a secure path; if necessary, uploaded files can be stored on a remote server outside the web server.
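The code-level recommendations above combined into one validator, added here as an example (not the original page's code): whitelisted extension, content checked against the type's magic bytes with a header-only dimension parse standing in for PHP's getimagesize, a size limit, and a server-generated random filename so the client's name never reaches the filesystem. The size and dimension limits and the injectable `write` callback are assumptions.

```python
from __future__ import annotations
import os
import secrets
import struct

# Whitelist: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # assumption: the page sets no concrete limits
MAX_DIMENSION = 4096


class UploadRejected(ValueError):
    pass


def image_dimensions(data: bytes) -> tuple[int, int] | None:
    """Header-only width/height for PNG (IHDR) and GIF, a stand-in for PHP's getimagesize.
    JPEG needs a marker scan, so only its magic bytes are checked in this example."""
    if data.startswith(ALLOWED_TYPES["png"]) and len(data) >= 24 and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data.startswith(ALLOWED_TYPES["gif"]) and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    return None


def validate_and_name(original_name: str, data: bytes) -> str:
    """Apply the code-level checks above and return the server-chosen filename.

    Only the returned name is stored or shown to the client, and the upload directory is
    fixed by the server, so traversal sequences, null bytes or extra dots in the client's
    filename cannot influence where or as what the file is written ('x.php.png' becomes
    '<random>.png', and its content must really be a PNG).
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Extension check: last dot of the bare filename, case-insensitive, whitelist only.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # Content check: the bytes must really be the declared image type.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    dims = image_dimensions(data)
    if dims is not None and (min(dims) == 0 or max(dims) > MAX_DIMENSION):
        raise UploadRejected(f"image dimensions out of range: {dims[0]}x{dims[1]}")
    # Rename: random name plus the whitelisted extension.
    return secrets.token_hex(16) + "." + ext


def store_upload(original_name: str, data: bytes, upload_dir: str, write=None) -> str:
    """Handler wrapper: returns 'stored:<name>' or 'rejected:<reason>'. `write(path, data)`
    is an injectable writer (assumed) so the example runs without touching disk."""
    try:
        name = validate_and_name(original_name, data)
    except UploadRejected as exc:
        return f"rejected:{exc}"
    if write is not None:
        write(os.path.join(upload_dir, name), data)
    return f"stored:{name}"
```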

Specific Language Vulnerabilities#

PHP#

PHP Deserialization

Vulnerability Rating Recommendation: High

Vulnerability Type: Code Execution

  • Details:

    During the code audit process, it was found that the program does not check the user input deserialization string, allowing the deserialization process to be maliciously controlled, leading to arbitrary code execution vulnerabilities and gaining server permissions.

  • Harm Caused:

    Attackers can construct malicious information, and the server may execute commands parsed from this malicious code, potentially leading to information leakage or direct control of the host server.

  • Remediation Recommendations:

    1. Strictly filter and check incoming objects.
    2. Check for user-controllable parameters in file read/write, command, or code execution functions during the deserialization process.

Testing Items#

Weak Password Combination Brute Force Testing

  • Details:

    During penetration testing, weak password combination brute force testing was performed on the target system/login page using the TOP1000 weak password combination dictionary.

  • Test Results:

    After testing, no weak password combinations were found on the target system/login page.

Sensitive File Directory Brute Force Testing

  • Details:

    During penetration testing, directory scanning and sensitive file scanning were performed on the target URL using the TOP5000 common path dictionary and TOP1000 backup file dictionary.

  • Test Results:

    After testing, no sensitive file directories were found on the target.

Arbitrary File Upload Testing

  • Details:

    During penetration testing, arbitrary file upload vulnerability testing was performed on the target editor upload page.

  • Test Results:

    Testing with multiple executable file extensions showed that uploads failed, and no file upload vulnerabilities were found.

RDP Brute Force Testing

  • Details:

    During penetration testing, it was found that the target host had RDP services enabled, and brute force testing was performed on the target service using the TOP1000 weak password combinations.

  • Test Results:

    After testing, no weak password combinations were found on the target RDP service.

Struts2 Vulnerability Testing

  • Details:

    During penetration testing, tools were used to test the target website for Apache Struts2 framework vulnerabilities.

  • Test Results:

    Testing with penetration testing tools showed that no Apache Struts2 framework vulnerabilities were found on the target website.

XSS Vulnerability Testing

  • Details:

    During penetration testing, XSS vulnerability testing was performed on the target website. If successful, attackers could steal user cookie information and log into the backend to obtain sensitive user data.

  • Test Results:

    Testing with TOP10000 XSS vulnerability codes showed that no XSS vulnerabilities were found on the target.

SQL Injection Testing

  • Details:

    During penetration testing, it was found that the target had a search function, and SQL injection testing was performed on the target search interface. This vulnerability could retrieve all data from the database and even gain host permissions.

  • Test Results:

    After testing, no successful injections were found, and no SQL injection vulnerabilities were detected on the target.

Oracle Remote Data Poisoning Vulnerability Testing

  • Details:

    Remote data poisoning vulnerability testing was performed on the target Oracle database. This vulnerability can remotely obtain Oracle's memory information, and if data in memory can be obtained, it indicates the presence of a vulnerability, which can then be used to brute force Oracle's SID.

  • Test Results:

    After testing, the target was found not to have the Oracle remote data poisoning vulnerability.

TLS Security Reliability Testing

  • Details:

    The TLS security reliability of the target was scanned, testing for common TLS vulnerabilities and the level of support for encryption authentication methods.

  • Test Results:

    After testing, no exploitable medium or high-risk vulnerabilities were found.

URL Redirection Vulnerability Testing

  • Details:

    During penetration testing, URL redirection vulnerability testing was performed on the target website, generating a URL redirection dictionary using common Top100 redirection parameters.

  • Test Results:

    Validation of a large number of generated redirection results from the dictionary showed that no URL redirection vulnerabilities were found on the target.

CORS Vulnerability Testing

  • Details:

    During penetration testing, CORS vulnerability testing was performed on the target.

  • Test Results:

    After testing, no successful exploitation was found, and no CORS vulnerabilities were detected on the target.

XXX Unauthorized Access Vulnerability Testing

  • Details:

    During penetration testing, unauthorized access vulnerability testing was performed on the target XXX service. If successful, this vulnerability would allow access to the target service management page without authentication, and would have some operational data permissions, potentially leaking data information.

  • Test Results:

    After testing, the vulnerability could not be successfully exploited, and no XXX unauthorized access vulnerabilities were found on the target.

jQuery XSS Testing

  • Details:

    During penetration testing, it was found that the target site had a jQuery framework library, and the referenced jQuery version might have XSS vulnerabilities.

  • Test Results:

    Testing with the jQuery XSS testing template showed that no XSS vulnerabilities were found in the target site's jQuery framework library.

Apache Log4j Testing

  • Details:

    During penetration testing, testing was performed on the target for the Apache Log4j remote code execution vulnerability.

  • Test Results:

    After testing, no successful exploitation was found, and no Apache Log4j remote code execution vulnerabilities were detected on the target.

WADL/SOAP Interface Fuzz Testing

  • Details:

    During penetration testing, fuzz testing was performed on the exposed WADL/SOAP interfaces of the target to detect potential XXE, SQL injection, and other vulnerabilities.

  • Test Results:

    After testing, no successful exploitation was found, and no potential injection vulnerabilities were detected in the target WADL/SOAP interfaces.


Miscellaneous#

Plaintext Password Transmission

Vulnerability Rating Recommendation: Low

Vulnerability Type: Information Leakage

  • Details:

    During the user login process, plaintext is used to transmit user login information. If the user suffers a man-in-the-middle attack, the attacker can directly obtain the user's login account, leading to further penetration.

  • Harm Caused:

    Transmitting user account passwords in plaintext poses risks of man-in-the-middle attacks and password theft.

  • Remediation Recommendations:

    1. User login information should be transmitted in encrypted form, for example by hashing passwords before transmission with a secure irreversible hash algorithm and a server-generated salt of at least 4 random numbers; by using a secure symmetric algorithm such as AES (128, 192 or 256 bits), provided the client-side key is protected; or by using an asymmetric algorithm such as RSA (not less than 1024 bits) or SM2.
    2. Use HTTPS to ensure secure transmission.

Low jQuery Version with XSS Vulnerability Risk

Vulnerability Rating Recommendation: Low

Vulnerability Type: Version Vulnerability

  • Details:

    During penetration testing, it was found that the target site has a jQuery framework library, and the referenced jQuery version may have XSS vulnerabilities.

  • Harm Caused:

    The target website uses a vulnerable jQuery library, where the regular expression used to filter user input data in jQuery has defects, potentially leading to cross-site scripting attacks via location.hash. Attackers can exploit this vulnerability to perform XSS, cookie hijacking, and other attacks.

  • Remediation Recommendations:

    1. Update jQuery to version 3.5.0 or higher.
    2. Use global XSS filtering to clean user input HTML.

Missing Content-Security-Policy Header

Vulnerability Rating Recommendation: Low

Vulnerability Type: Misconfiguration

  • Details:

    The remote web application does not set the Content-Security-Policy response header.

  • Harm Caused:

    The absence of the Content-Security-Policy response header makes the target URL more susceptible to cross-site scripting attacks.

  • Remediation Recommendations:

    The following response header should be set on all pages of the web application: Content-Security-Policy: default-src 'self'.

Missing X-Content-Type-Options Header

Vulnerability Rating Recommendation: Low

Vulnerability Type: Misconfiguration

  • Details:

    The X-Content-Type-Options HTTP response header acts as a hint from the server that the client should adhere to the MIME type set in the Content-Type header and not alter it. The remote web application does not set the X-Content-Type-Options response header, so the client's MIME type sniffing behavior is not disabled.

  • Harm Caused:

    The absence of the X-Content-Type-Options response header makes the target URL more susceptible to cross-site scripting attacks.

  • Remediation Recommendations:

    The following response header should be set on all pages of the web application: X-Content-Type-Options: nosniff, which will reject responses with incorrect MIME types for script and stylesheet elements. This is a security feature that helps prevent attacks based on MIME type confusion.

Missing X-Frame-Options Header

Vulnerability Rating Recommendation: Low

Vulnerability Type: Misconfiguration

  • Details:

    The remote web application does not set the X-Frame-Options response header. Microsoft has proposed X-Frame-Options as a method to mitigate clickjacking attacks, and it has been implemented in Chrome and Safari.

  • Harm Caused:

    Attackers can overlay the target webpage with a transparent, invisible iframe and trick users into performing actions on that page. By adjusting the position of the iframe, users can be induced to click functional buttons without realising it, which is how clickjacking works.

  • Remediation Recommendations:

    Modify the web server configuration to add the X-Frame-Options response header. Assign one of the following three values:
    (1) DENY: Cannot be embedded in any iframe or frame.
    (2) SAMEORIGIN: The page can only be embedded in iframes or frames from the same site.
    (3) ALLOW-FROM uri: Can only be embedded in frames from specified domains.
    This can also be added in code; for example, in PHP:
    header('X-Frame-Options: deny');

Missing X-XSS-Protection Header

Vulnerability Rating Recommendation: Low

Vulnerability Type: Misconfiguration

  • Details:

    The remote web application does not set the X-XSS-Protection response header. The X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops loading the page when cross-site scripting (XSS) is detected.

  • Harm Caused:

    The absence of the X-XSS-Protection response header makes the target URL more susceptible to cross-site scripting attacks.

  • Remediation Recommendations:

    The following response header should be set on all pages of the web application: X-XSS-Protection: 1; mode=block.

Enabled Dangerous Methods

Vulnerability Rating Recommendation: Low

Vulnerability Type: Misconfiguration

  • Details:

    The target server has enabled unsafe HTTP methods such as PUT, TRACE, DELETE, MOVE, etc. These methods indicate that WebDAV may be in use on the server. Since WebDAV methods allow clients to manipulate files on the server, such as uploading, modifying, and deleting files, an improperly configured server may allow unauthorized users to modify its files.

  • Harm Caused:

    Malicious attackers may use these methods to modify any files on the server, leading to data loss, system damage, and other consequences.

  • Remediation Recommendations:

    Properly configured web servers should not allow any user to use dangerous methods to modify files on the server. Therefore, it is recommended to:

    1. If absolutely necessary, configure these HTTP methods to operate only on specified directories that should not contain important files.
    2. If not necessary, disable the unsafe HTTP methods and enable only the GET and POST methods.
    3. If the server does not use WebDAV, it can be directly disabled, or strict access permissions can be configured for the directories that allow WebDAV, such as authentication methods and required usernames and passwords.
  • Reference Link:

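    The four missing-header findings above and the dangerous-methods finding can be checked mechanically against the values this section recommends. The following Python script is an added example (not part of the original document): it audits a response's headers and flags unsafe methods advertised in an OPTIONS response's Allow header, using constructed sample responses rather than data from any real target.

```python
from __future__ import annotations

# WebDAV/TRACE-family methods the report calls unsafe; only GET and POST are expected.
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "MOVE", "COPY", "MKCOL",
                     "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK"}


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per missing or misconfigured security header."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy (recommend: default-src 'self')")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has an invalid value: {xfo!r}")
    # Legacy header; the report still recommends it, so flag any value other than 1; mode=block.
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")
    return findings


def audit_methods(allow_header: str | None) -> list[str]:
    """Return the dangerous methods advertised in an OPTIONS response's Allow header, sorted."""
    if not allow_header:
        return []
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & DANGEROUS_METHODS)


# Constructed sample responses (not captured from any real target).
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",  # not one of the three valid values
    "Allow": "GET, POST, PUT, DELETE, TRACE, OPTIONS",
}
SAMPLE_HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Allow": "GET, POST, OPTIONS",
}
```

Running audit_headers and audit_methods over the weak sample yields four header findings and the PUT, DELETE and TRACE methods, while the hardened sample yields none.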
