SlideShare a Scribd company logo

CoreAPI Scan Finds 3 Issues Including XSS

M
Martin Nwachukwu
1 of 8
Download to read offline
PAGE 1 OF 8 CoreAPI Scan Report Project Name CoreAPI Scan Start Friday, October 14, 2016 10:49:19 AM Preset OWASP TOP 10 - 2013 Scan Time 00h:01m:30s Lines Of Code Scanned 4324 Files Scanned 59 Report Creation Time Friday, October 14, 2016 10:50:52 AM Online Results https://cxprivatecloud.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=100 3378&projectid=2461 Team eprocessconsulting.com-879 Checkmarx Version 8.2.0 Scan Type Full Source Origin LocalPath Density 7/10000 (Vulnerabilities/LOC) Visibility Public Filter Settings Severity Included: High, Medium, Low, Information Excluded: None Result State Included: Confirmed, Not Exploitable, To Verify, Urgent, Proposed Not Exploitable Excluded: None Assigned to Included: All Categories Included: Uncategorized All Custom All PCI DSS v3.1 All OWASP Top 10 2013 All Excluded: Uncategorized None Custom None PCI DSS v3.1 None OWASP Top 10 2013 None Results Limit A limit was not defined Selected Queries Selected queries are listed in Result Summary
PAGE 2 OF 8 Result Summary Most Vulnerable Files High Medium Low 403.html encdec.py collect_errors.py Top 5 Vulnerabilities
PAGE 3 OF 8 Scan Summary - OWASP Top 10 2013 Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013 Category Threat Agent Attack Vectors Weakness Prevalence Weakness Detectability Technical Impact Buisness Impact Issues Found Best Fix Locations A1-Injection* EXTERNAL, INTERNAL, ADMIN USERS EASY COMMON AVERAGE SEVERE ALL DATA 0 0 A2-Broken Authentication and Session Management EXTERNAL, INTERNAL USERS AVERAGE WIDESPREAD AVERAGE SEVERE AFFECTED DATA AND FUNCTIONS 0 0 A3-Cross-Site Scripting (XSS) EXTERNAL, INTERNAL, ADMIN USERS AVERAGE VERY WIDESPREAD EASY MODERATE AFFECTED DATA AND SYSTEM 1 1 A4-Insecure Direct Object References SYSTEM USERS EASY COMMON EASY MODERATE EXPOSED DATA 0 0 A5-Security Misconfiguration EXTERNAL, INTERNAL, ADMIN USERS EASY COMMON EASY MODERATE ALL DATA AND SYSTEM 2 2 A6-Sensitive Data Exposure EXTERNAL, INTERNAL, ADMIN USERS, USERS BROWSERS DIFFICULT UNCOMMON AVERAGE SEVERE EXPOSED DATA 0 0 A7-Missing Function Level Access Control EXTERNAL, INTERNAL USERS EASY COMMON AVERAGE MODERATE EXPOSED DATA AND FUNCTIONS 0 0 A8-Cross-Site Request Forgery (CSRF) USERS BROWSERS AVERAGE COMMON EASY MODERATE AFFECTED DATA AND FUNCTIONS 0 0 A9-Using Components with Known Vulnerabilities EXTERNAL USERS, AUTOMATED TOOLS AVERAGE WIDESPREAD DIFFICULT MODERATE AFFECTED DATA AND FUNCTIONS 0 0 A10-Unvalidated Redirects and Forwards USERS BROWSERS AVERAGE WIDESPREAD DIFFICULT MODERATE AFFECTED DATA AND FUNCTIONS 0 0 * Project scan results do not include all relevant queries. Presets andor Filters should be changed to include all relevant standard queries.
PAGE 4 OF 8 Scan Summary - PCI DSS v3.1 Further details and elaboration about vulnerabilities and risks can be found at: PCI DSS v3.1 Category Issues Found Best Fix Locations PCI DSS (3.1) - 6.5.1 - Injection flaws - particularly SQL injection* 0 0 PCI DSS (3.1) - 6.5.2 - Buffer overflows* 0 0 PCI DSS (3.1) - 6.5.3 - Insecure cryptographic storage* 1 1 PCI DSS (3.1) - 6.5.4 - Insecure communications 0 0 PCI DSS (3.1) - 6.5.5 - Improper error handling 0 0 PCI DSS (3.1) - 6.5.7 - Cross-site scripting (XSS) 0 0 PCI DSS (3.1) - 6.5.8 - Improper access control* 0 0 PCI DSS (3.1) - 6.5.9 - Cross-site request forgery 0 0 PCI DSS (3.1) - 6.5.10 - Broken authentication and session management* 0 0 * Project scan results do not include all relevant queries. Presets andor Filters should be changed to include all relevant standard queries.
PAGE 5 OF 8 Scan Summary - Custom Category Issues Found Best Fix Locations Must audit 0 0 Check 0 0 Optional 0 0
PAGE 6 OF 8 Results Distribution By Status First scan of the project High Medium Low Information Total New Issues 0 2 1 0 3 Recurrent Issues 0 0 0 0 0 Total 0 2 1 0 3 Fixed Issues 0 0 0 0 0 New Scan Previous Scan Results Distribution By State High Medium Low Information Total Confirmed 0 0 0 0 0 Not Exploitable 0 0 0 0 0 To Verify 0 2 1 0 3 Urgent 0 0 0 0 0 Proposed Not Exploitable 0 0 0 0 0 Total 0 2 1 0 3 Result Summary Vulnerability Type Occurrences Severity Client Cross Frame Scripting Attack 1 Medium Insecure Randomness 1 Medium Information Exposure Through an Error Message 1 Low
PAGE 7 OF 8 10 Most Vulnerable Files High and Medium Vulnerabilities File Name Issues Found /gcore/modelate/statics/templates/errors/403.html 1 /gcore/modelate/encdec.py 1
PAGE 8 OF 8 Scanned Languages Language Hash Number Change Date JavaScript 1154355430294493 8/28/2016 VbScript 7089180910237385 6/30/2015 Python 1188881843184334 10/9/2016

Recommended

Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Mauro Risonho de Paula Assumpcao
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsLeveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsDiogo Mónica
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- WiresharkJulia Yu-Chin Cheng
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Modulo I: Introduccion
Modulo I: IntroduccionModulo I: Introduccion
Modulo I: IntroduccionColegio Universitario de Caracas
 

Recommended

Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Mauro Risonho de Paula Assumpcao
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Leveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsLeveraging Honest Users: Stealth Command-and-Control of Botnets
Leveraging Honest Users: Stealth Command-and-Control of BotnetsDiogo Mónica
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- WiresharkJulia Yu-Chin Cheng
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Modulo I: Introduccion
Modulo I: IntroduccionModulo I: Introduccion
Modulo I: IntroduccionColegio Universitario de Caracas
 
Lascosasbonitasdelavida
LascosasbonitasdelavidaLascosasbonitasdelavida
Lascosasbonitasdelavidayolis0223
 
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]João Filho
 
Mecenazgo
MecenazgoMecenazgo
Mecenazgo252728
 
reham_cv (1)
reham_cv (1)reham_cv (1)
reham_cv (1)reham mohamed
 
Tarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martínTarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martínalamedamar
 
Evidencia1 modulo 1
Evidencia1 modulo 1Evidencia1 modulo 1
Evidencia1 modulo 1chido10
 
cv-rojan-bajracharya1
cv-rojan-bajracharya1cv-rojan-bajracharya1
cv-rojan-bajracharya1Rojan Bajracharya
 
Taller word 2
Taller word 2Taller word 2
Taller word 2rigoberto89
 
Trabajo de biología tema 3
Trabajo de biología tema 3Trabajo de biología tema 3
Trabajo de biología tema 3pgp3
 
Memoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes InmigrantesMemoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes InmigrantesGiro Comunicación
 
Trabajo de imagenes
Trabajo de imagenesTrabajo de imagenes
Trabajo de imagenesmargotbernardino
 
COMO CREAR UN BLOG
COMO CREAR UN BLOGCOMO CREAR UN BLOG
COMO CREAR UN BLOGCirculo de Viajes Universal
 
Mi proyecto de vida blogger
Mi proyecto de vida bloggerMi proyecto de vida blogger
Mi proyecto de vida bloggercristianblogger
 
Raina_comm151Ipdf
Raina_comm151IpdfRaina_comm151Ipdf
Raina_comm151IpdfAkshara Raina
 
Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"jesus rivas
 
CARACTERISTICAS DEL DOCENTE
CARACTERISTICAS DEL DOCENTECARACTERISTICAS DEL DOCENTE
CARACTERISTICAS DEL DOCENTEKaty Gaybor Guerrero
 
Configurar Outlook Express
Configurar Outlook ExpressConfigurar Outlook Express
Configurar Outlook ExpressAbserver
 
Tanushree 15428BIF025
Tanushree 15428BIF025Tanushree 15428BIF025
Tanushree 15428BIF025Tanu shree
 
Latest achmad noviar CV with photo
Latest achmad noviar CV with photoLatest achmad noviar CV with photo
Latest achmad noviar CV with photoachmad noviar
 
Modal asing luar negri
Modal asing luar negriModal asing luar negri
Modal asing luar negriabdul ajid
 
PCI 3.0 and penetration testing
PCI 3.0 and penetration testingPCI 3.0 and penetration testing
PCI 3.0 and penetration testingMarcus Dempsey
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 

More Related Content

Viewers also liked

Lascosasbonitasdelavida
LascosasbonitasdelavidaLascosasbonitasdelavida
Lascosasbonitasdelavidayolis0223
 
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]João Filho
 
Mecenazgo
MecenazgoMecenazgo
Mecenazgo252728
 
Tarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martínTarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martínalamedamar
 
Evidencia1 modulo 1
Evidencia1 modulo 1Evidencia1 modulo 1
Evidencia1 modulo 1chido10
 
Trabajo de biología tema 3
Trabajo de biología tema 3Trabajo de biología tema 3
Trabajo de biología tema 3pgp3
 
Memoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes InmigrantesMemoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes InmigrantesGiro Comunicación
 
Mi proyecto de vida blogger
Mi proyecto de vida bloggerMi proyecto de vida blogger
Mi proyecto de vida bloggercristianblogger
 
Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"jesus rivas
 
Configurar Outlook Express
Configurar Outlook ExpressConfigurar Outlook Express
Configurar Outlook ExpressAbserver
 
Tanushree 15428BIF025
Tanushree 15428BIF025Tanushree 15428BIF025
Tanushree 15428BIF025Tanu shree
 
Latest achmad noviar CV with photo
Latest achmad noviar CV with photoLatest achmad noviar CV with photo
Latest achmad noviar CV with photoachmad noviar
 
Modal asing luar negri
Modal asing luar negriModal asing luar negri
Modal asing luar negriabdul ajid
 

Viewers also liked (20)

Lascosasbonitasdelavida
LascosasbonitasdelavidaLascosasbonitasdelavida
Lascosasbonitasdelavida
 
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
Estudo químico e biológico de derivados da tiazolidina 2,4-diona duplicata[1]
 
Mecenazgo
MecenazgoMecenazgo
Mecenazgo
 
reham_cv (1)
reham_cv (1)reham_cv (1)
reham_cv (1)
 
Tarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martínTarea 1 teresa alameda_martín
Tarea 1 teresa alameda_martín
 
Evidencia1 modulo 1
Evidencia1 modulo 1Evidencia1 modulo 1
Evidencia1 modulo 1
 
cv-rojan-bajracharya1
cv-rojan-bajracharya1cv-rojan-bajracharya1
cv-rojan-bajracharya1
 
Taller word 2
Taller word 2Taller word 2
Taller word 2
 
Trabajo de biología tema 3
Trabajo de biología tema 3Trabajo de biología tema 3
Trabajo de biología tema 3
 
Memoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes InmigrantesMemoria Foro Estatal de Jóvenes Inmigrantes
Memoria Foro Estatal de Jóvenes Inmigrantes
 
Trabajo de imagenes
Trabajo de imagenesTrabajo de imagenes
Trabajo de imagenes
 
COMO CREAR UN BLOG
COMO CREAR UN BLOGCOMO CREAR UN BLOG
COMO CREAR UN BLOG
 
Mi proyecto de vida blogger
Mi proyecto de vida bloggerMi proyecto de vida blogger
Mi proyecto de vida blogger
 
Raina_comm151Ipdf
Raina_comm151IpdfRaina_comm151Ipdf
Raina_comm151Ipdf
 
Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"Mapa Mental "Fases de Desarrollo de una App"
Mapa Mental "Fases de Desarrollo de una App"
 
CARACTERISTICAS DEL DOCENTE
CARACTERISTICAS DEL DOCENTECARACTERISTICAS DEL DOCENTE
CARACTERISTICAS DEL DOCENTE
 
Configurar Outlook Express
Configurar Outlook ExpressConfigurar Outlook Express
Configurar Outlook Express
 
Tanushree 15428BIF025
Tanushree 15428BIF025Tanushree 15428BIF025
Tanushree 15428BIF025
 
Latest achmad noviar CV with photo
Latest achmad noviar CV with photoLatest achmad noviar CV with photo
Latest achmad noviar CV with photo
 
Modal asing luar negri
Modal asing luar negriModal asing luar negri
Modal asing luar negri
 

Similar to CoreAPI Scan Finds 3 Issues Including XSS

PCI 3.0 and penetration testing
PCI 3.0 and penetration testingPCI 3.0 and penetration testing
PCI 3.0 and penetration testingMarcus Dempsey
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalPriyanka Aash
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
(In) Security graph database in real world
(In) Security graph database in real world (In) Security graph database in real world
(In) Security graph database in real world Miguel Hernández Boza
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Securing your Software Delivery Pipelines with a slight shift to the left.
Securing your Software Delivery Pipelines with a slight shift to the left.Securing your Software Delivery Pipelines with a slight shift to the left.
Securing your Software Delivery Pipelines with a slight shift to the left.Melissa Kaulfuss
 
XNAT Case Study: DIAN QC Uploader
XNAT Case Study: DIAN QC UploaderXNAT Case Study: DIAN QC Uploader
XNAT Case Study: DIAN QC UploaderJohn Paulett
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Sumo Logic Cert Jam - Security & Compliance
Sumo Logic Cert Jam - Security & ComplianceSumo Logic Cert Jam - Security & Compliance
Sumo Logic Cert Jam - Security & ComplianceSumo Logic
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetryCisco Canada
 
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfMelissa Kaulfuss
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCAlexandre Gouaillard
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Manich Koomsusi
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
 

Similar to CoreAPI Scan Finds 3 Issues Including XSS (20)

PCI 3.0 and penetration testing
PCI 3.0 and penetration testingPCI 3.0 and penetration testing
PCI 3.0 and penetration testing
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
(In) Security graph database in real world
(In) Security graph database in real world (In) Security graph database in real world
(In) Security graph database in real world
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Securing your Software Delivery Pipelines with a slight shift to the left.
Securing your Software Delivery Pipelines with a slight shift to the left.Securing your Software Delivery Pipelines with a slight shift to the left.
Securing your Software Delivery Pipelines with a slight shift to the left.
 
XNAT Case Study: DIAN QC Uploader
XNAT Case Study: DIAN QC UploaderXNAT Case Study: DIAN QC Uploader
XNAT Case Study: DIAN QC Uploader
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Brisk WebApp penetration tester
Brisk WebApp penetration testerBrisk WebApp penetration tester
Brisk WebApp penetration tester
 
Sumo Logic Cert Jam - Security & Compliance
Sumo Logic Cert Jam - Security & ComplianceSumo Logic Cert Jam - Security & Compliance
Sumo Logic Cert Jam - Security & Compliance
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTC
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
Novinky QualysGuard 2010
Novinky QualysGuard 2010Novinky QualysGuard 2010
Novinky QualysGuard 2010
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 

CoreAPI Scan Finds 3 Issues Including XSS

  • 1. PAGE 1 OF 8 CoreAPI Scan Report Project Name CoreAPI Scan Start Friday, October 14, 2016 10:49:19 AM Preset OWASP TOP 10 - 2013 Scan Time 00h:01m:30s Lines Of Code Scanned 4324 Files Scanned 59 Report Creation Time Friday, October 14, 2016 10:50:52 AM Online Results https://cxprivatecloud.checkmarx.net/CxWebClient/ViewerMain.aspx?scanid=100 3378&projectid=2461 Team eprocessconsulting.com-879 Checkmarx Version 8.2.0 Scan Type Full Source Origin LocalPath Density 7/10000 (Vulnerabilities/LOC) Visibility Public Filter Settings Severity Included: High, Medium, Low, Information Excluded: None Result State Included: Confirmed, Not Exploitable, To Verify, Urgent, Proposed Not Exploitable Excluded: None Assigned to Included: All Categories Included: Uncategorized All Custom All PCI DSS v3.1 All OWASP Top 10 2013 All Excluded: Uncategorized None Custom None PCI DSS v3.1 None OWASP Top 10 2013 None Results Limit A limit was not defined Selected Queries Selected queries are listed in Result Summary
  • 2. PAGE 2 OF 8 Result Summary Most Vulnerable Files High Medium Low 403.html encdec.py collect_errors.py Top 5 Vulnerabilities
  • 3. PAGE 3 OF 8 Scan Summary - OWASP Top 10 2013 Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013 Category Threat Agent Attack Vectors Weakness Prevalence Weakness Detectability Technical Impact Buisness Impact Issues Found Best Fix Locations A1-Injection* EXTERNAL, INTERNAL, ADMIN USERS EASY COMMON AVERAGE SEVERE ALL DATA 0 0 A2-Broken Authentication and Session Management EXTERNAL, INTERNAL USERS AVERAGE WIDESPREAD AVERAGE SEVERE AFFECTED DATA AND FUNCTIONS 0 0 A3-Cross-Site Scripting (XSS) EXTERNAL, INTERNAL, ADMIN USERS AVERAGE VERY WIDESPREAD EASY MODERATE AFFECTED DATA AND SYSTEM 1 1 A4-Insecure Direct Object References SYSTEM USERS EASY COMMON EASY MODERATE EXPOSED DATA 0 0 A5-Security Misconfiguration EXTERNAL, INTERNAL, ADMIN USERS EASY COMMON EASY MODERATE ALL DATA AND SYSTEM 2 2 A6-Sensitive Data Exposure EXTERNAL, INTERNAL, ADMIN USERS, USERS BROWSERS DIFFICULT UNCOMMON AVERAGE SEVERE EXPOSED DATA 0 0 A7-Missing Function Level Access Control EXTERNAL, INTERNAL USERS EASY COMMON AVERAGE MODERATE EXPOSED DATA AND FUNCTIONS 0 0 A8-Cross-Site Request Forgery (CSRF) USERS BROWSERS AVERAGE COMMON EASY MODERATE AFFECTED DATA AND FUNCTIONS 0 0 A9-Using Components with Known Vulnerabilities EXTERNAL USERS, AUTOMATED TOOLS AVERAGE WIDESPREAD DIFFICULT MODERATE AFFECTED DATA AND FUNCTIONS 0 0 A10-Unvalidated Redirects and Forwards USERS BROWSERS AVERAGE WIDESPREAD DIFFICULT MODERATE AFFECTED DATA AND FUNCTIONS 0 0 * Project scan results do not include all relevant queries. Presets andor Filters should be changed to include all relevant standard queries.
  • 4. PAGE 4 OF 8 Scan Summary - PCI DSS v3.1 Further details and elaboration about vulnerabilities and risks can be found at: PCI DSS v3.1 Category Issues Found Best Fix Locations PCI DSS (3.1) - 6.5.1 - Injection flaws - particularly SQL injection* 0 0 PCI DSS (3.1) - 6.5.2 - Buffer overflows* 0 0 PCI DSS (3.1) - 6.5.3 - Insecure cryptographic storage* 1 1 PCI DSS (3.1) - 6.5.4 - Insecure communications 0 0 PCI DSS (3.1) - 6.5.5 - Improper error handling 0 0 PCI DSS (3.1) - 6.5.7 - Cross-site scripting (XSS) 0 0 PCI DSS (3.1) - 6.5.8 - Improper access control* 0 0 PCI DSS (3.1) - 6.5.9 - Cross-site request forgery 0 0 PCI DSS (3.1) - 6.5.10 - Broken authentication and session management* 0 0 * Project scan results do not include all relevant queries. Presets andor Filters should be changed to include all relevant standard queries.
  • 5. PAGE 5 OF 8 Scan Summary - Custom Category Issues Found Best Fix Locations Must audit 0 0 Check 0 0 Optional 0 0
  • 6. PAGE 6 OF 8 Results Distribution By Status First scan of the project High Medium Low Information Total New Issues 0 2 1 0 3 Recurrent Issues 0 0 0 0 0 Total 0 2 1 0 3 Fixed Issues 0 0 0 0 0 New Scan Previous Scan Results Distribution By State High Medium Low Information Total Confirmed 0 0 0 0 0 Not Exploitable 0 0 0 0 0 To Verify 0 2 1 0 3 Urgent 0 0 0 0 0 Proposed Not Exploitable 0 0 0 0 0 Total 0 2 1 0 3 Result Summary Vulnerability Type Occurrences Severity Client Cross Frame Scripting Attack 1 Medium Insecure Randomness 1 Medium Information Exposure Through an Error Message 1 Low
  • 7. PAGE 7 OF 8 10 Most Vulnerable Files High and Medium Vulnerabilities File Name Issues Found /gcore/modelate/statics/templates/errors/403.html 1 /gcore/modelate/encdec.py 1
  • 8. PAGE 8 OF 8 Scanned Languages Language Hash Number Change Date JavaScript 1154355430294493 8/28/2016 VbScript 7089180910237385 6/30/2015 Python 1188881843184334 10/9/2016