Dashboard
Report Graph
clientid:1000
scan_id:005
client_name:CyberLab Inc
client_email:info@cyberlabs.tech
client_web_ip:http://vulcan.skillspar.com:8240
final_score:-210
status:Vulnerability level below minimal threshold, urgent attention required
status_color:#f70535
Low_vuln:6
Medium_vuln:8
High_vuln:6
Critical_vuln:0
low_per:30
medium_per:40
high_per:30
critical_per:0
Threatent:59
Alertness:35
General_User_Conduct_per:6
alert:SQL Injection
CVE:NULL
severity:High
uri:http://vulcan.skillspar.com:8240
description:
SQL injection may be possible
solution:Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database Stored Procedures can be used, use them. Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact. Grant the minimum database access that is necessary for the application.
Threatened Graph
clientid:1000
scan_id:005
client_web_ip:http://vulcan.skillspar.com:8240
system_defense:Xcigence has detected that your system does not have any WAF or system defense
system_defense_description:Your existing security controls are vulnerable to malicious web traffic and application-layer attacks such as DDoS, SQL injection, cookie manipulation, cross-site scripting (XSS), cross-site request forgery and file inclusion
databreach:This feature is disabled in this package
databreach_description:This feature is disabled in this package
threat1:SQL Injection
threat1_description:
SQL injection may be possible
threat1_attackcomplexity:Low
threat1_confidentialityimpact:Low
threat1_geolocation:Russia
threat2:Cross Site Scripting
threat2_description:
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
threat2_attackcomplexity:Low
threat2_confidentialityimpact:High
threat2_geolocation:India
threat3:Vulnerable JS Library
threat3_description:
The identified library bootstrap, version 3.3.7 is vulnerable.
threat3_attackcomplexity:Low
threat3_confidentialityimpact:High
threat3_geolocation:Asia
threat4:X-Frame-Options Header Not Set
threat4_description:
The identified library bootstrap, version 3.3.7 is vulnerable.
threat4_attackcomplexity:Low
threat4_confidentialityimpact:High
threat4_geolocation:Brazil
threat5:X-Content-Type-Options Header Missing
threat5_description:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
threat5_attackcomplexity:Low
threat5_confidentialityimpact:High
threat5_geolocation:China