We Blog SC1

The WeBlogSC1 scan report details a security assessment conducted on March 30, 2025, covering 1,760 lines of code across 26 files, with a density of 8 vulnerabilities per 100 lines of code. The report highlights various vulnerabilities categorized under OWASP Top 10 and PCI DSS standards, with specific issues found in areas such as injection flaws, cross-site scripting, and broken access control. The overall scan results indicate a need for improved security measures and further verification of vulnerabilities identified.

WeBlogSC1 Scan Report

Project Name WeBlogSC1
Scan Start Sunday, March 30, 2025 3:28:58 PM
Preset Checkmarx Default
Scan Time 00h:00m:37s
Lines Of Code Scanned 1760
Files Scanned 26
Report Creation Time Sunday, March 30, 2025 3:50:55 PM
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9
Team CxServer
Checkmarx Version 9.5
Scan Type Full
Source Origin LocalPath
Density 8/100 (Vulnerabilities/LOC)
Visibility Public

Filter Settings
Severity
Included: High, Medium, Low, Information
Excluded: None
Result State
Included: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
Excluded: None
Assigned to
Included: All
Categories
Included:
Uncategorized All
PCI DSS v3.1 All
OWASP Top 10 2013 All
FISMA 2014 All
NIST SP 800-53 All
OWASP Top 10 2017 All
OWASP Mobile Top 10 2016 All
OWASP Top 10 API All
OWASP Top 10 2010 All
ASD STIG 4.10 All
Custom All
CWE top 25 All
MOIS(KISA) Secure Coding 2021 All

PAGE 1 OF 142
OWASP ASVS All
OWASP Top 10 2021 All
PCI DSS v3.2.1 All
Excluded:
Uncategorized None
PCI DSS v3.1 None
OWASP Top 10 2013 None
FISMA 2014 None
NIST SP 800-53 None
OWASP Top 10 2017 None
OWASP Mobile Top 10 2016 None
OWASP Top 10 API None
OWASP Top 10 2010 None
ASD STIG 4.10 None
Custom None
CWE top 25 None
MOIS(KISA) Secure Coding 2021 None
OWASP ASVS None
OWASP Top 10 2021 None
PCI DSS v3.2.1 None
Results Limit
Results limit per query was set to 50
Selected Queries
Selected queries are listed in Result Summary

Result Summary

Most Vulnerable Files (chart; severity legend: High, Medium, Low): process_order.php, subscription.php, orders.php, subscriptions.php, register.php

Top 5 Vulnerabilities (chart)

Scan Summary - OWASP Top 10 2017
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2017

Category | Threat Agent | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact | Issues Found | Best Fix Locations
A1-Injection* | App. Specific | EASY | COMMON | EASY | SEVERE | App. Specific | 5 | 3
A2-Broken Authentication* | App. Specific | EASY | COMMON | AVERAGE | SEVERE | App. Specific | 0 | 0
A3-Sensitive Data Exposure* | App. Specific | AVERAGE | WIDESPREAD | AVERAGE | SEVERE | App. Specific | 5 | 1
A4-XML External Entities (XXE) | App. Specific | AVERAGE | COMMON | EASY | SEVERE | App. Specific | 0 | 0
A5-Broken Access Control* | App. Specific | AVERAGE | COMMON | AVERAGE | SEVERE | App. Specific | 7 | 3
A6-Security Misconfiguration* | App. Specific | EASY | WIDESPREAD | EASY | MODERATE | App. Specific | 27 | 27
A7-Cross-Site Scripting (XSS)* | App. Specific | EASY | WIDESPREAD | EASY | MODERATE | App. Specific | 22 | 16
A8-Insecure Deserialization | App. Specific | DIFFICULT | COMMON | AVERAGE | SEVERE | App. Specific | 0 | 0
A9-Using Components with Known Vulnerabilities* | App. Specific | AVERAGE | WIDESPREAD | AVERAGE | MODERATE | App. Specific | 0 | 0
A10-Insufficient Logging & Monitoring | App. Specific | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | App. Specific | 0 | 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - OWASP Top 10 2021

Category | Issues Found | Best Fix Locations
A1-Broken Access Control* | 17 | 8
A2-Cryptographic Failures* | 0 | 0
A3-Injection* | 24 | 17
A4-Insecure Design* | 83 | 83
A5-Security Misconfiguration* | 0 | 0
A6-Vulnerable and Outdated Components | 0 | 0
A7-Identification and Authentication Failures* | 1 | 1
A8-Software and Data Integrity Failures* | 7 | 7
A9-Security Logging and Monitoring Failures* | 0 | 0
A10-Server-Side Request Forgery | 0 | 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - PCI DSS v3.2.1

Category | Issues Found | Best Fix Locations
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection | 3 | 2
PCI DSS (3.2.1) - 6.5.2 - Buffer overflows* | 0 | 0
PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage | 0 | 0
PCI DSS (3.2.1) - 6.5.4 - Insecure communications | 0 | 0
PCI DSS (3.2.1) - 6.5.5 - Improper error handling* | 55 | 55
PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)* | 22 | 16
PCI DSS (3.2.1) - 6.5.8 - Improper access control* | 22 | 13
PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery* | 2 | 2
PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management* | 0 | 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - FISMA 2014

Access Control (Issues Found: 1, Best Fix Locations: 1)
Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Audit And Accountability* (Issues Found: 0, Best Fix Locations: 0)
Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Configuration Management (Issues Found: 3, Best Fix Locations: 2)
Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Identification And Authentication* (Issues Found: 5, Best Fix Locations: 1)
Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Media Protection* (Issues Found: 0, Best Fix Locations: 0)
Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

System And Communications Protection (Issues Found: 0, Best Fix Locations: 0)
Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System And Information Integrity* (Issues Found: 24, Best Fix Locations: 17)
Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - NIST SP 800-53

Category | Issues Found | Best Fix Locations
AC-12 Session Termination (P2) | 0 | 0
AC-3 Access Enforcement (P1) | 0 | 0
AC-4 Information Flow Enforcement (P1) | 0 | 0
AC-6 Least Privilege (P1) | 0 | 0
AU-9 Protection of Audit Information (P1)* | 0 | 0
CM-6 Configuration Settings (P2) | 0 | 0
IA-5 Authenticator Management (P1) | 0 | 0
IA-6 Authenticator Feedback (P2) | 0 | 0
IA-8 Identification and Authentication (Non-Organizational Users) (P1) | 0 | 0
SC-12 Cryptographic Key Establishment and Management (P1) | 0 | 0
SC-13 Cryptographic Protection (P1) | 0 | 0
SC-17 Public Key Infrastructure Certificates (P1) | 0 | 0
SC-18 Mobile Code (P2) | 7 | 7
SC-23 Session Authenticity (P1)* | 2 | 2
SC-28 Protection of Information at Rest (P1)* | 0 | 0
SC-4 Information in Shared Resources (P1) | 5 | 1
SC-5 Denial of Service Protection (P1)* | 55 | 55
SC-8 Transmission Confidentiality and Integrity (P1) | 0 | 0
SI-10 Information Input Validation (P1)* | 6 | 4
SI-11 Error Handling (P2)* | 0 | 0
SI-15 Information Output Filtering (P0)* | 22 | 16
SI-16 Memory Protection (P1)* | 0 | 0

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - OWASP Mobile Top 10 2016

M1-Improper Platform Usage (Issues Found: 0, Best Fix Locations: 0)
This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.

M2-Insecure Data Storage (Issues Found: 0, Best Fix Locations: 0)
This category covers insecure data storage and unintended data leakage.

M3-Insecure Communication (Issues Found: 0, Best Fix Locations: 0)
This category covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

M4-Insecure Authentication (Issues Found: 0, Best Fix Locations: 0)
This category captures notions of authenticating the end user or bad session management. This can include:
- Failing to identify the user at all when that should be required
- Failure to maintain the user's identity when it is required
- Weaknesses in session management

M5-Insufficient Cryptography (Issues Found: 0, Best Fix Locations: 0)
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.

M6-Insecure Authorization (Issues Found: 0, Best Fix Locations: 0)
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.). If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

M7-Client Code Quality (Issues Found: 0, Best Fix Locations: 0)
This category is the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

M8-Code Tampering (Issues Found: 0, Best Fix Locations: 0)
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

M9-Reverse Engineering (Issues Found: 0, Best Fix Locations: 0)
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.

M10-Extraneous Functionality (Issues Found: 0, Best Fix Locations: 0)
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.

Scan Summary - Custom

Category | Issues Found | Best Fix Locations
Must audit | 0 | 0
Check | 0 | 0
Optional | 0 | 0

Scan Summary - ASD STIG 4.10

Category | Issues Found | Best Fix Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal of session IDs. | 0 | 0
APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. | 0 | 0
APSC-DV-000660 - CAT II The application must provide audit record generation capability for session timeouts. | 0 | 0
APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. | 0 | 0
APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | 0 | 0
APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting system IP addresses. | 0 | 0
APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with the event. | 0 | 0
APSC-DV-000710 - CAT II The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. | 0 | 0
APSC-DV-000720 - CAT II The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | 0 | 0
APSC-DV-000730 - CAT II The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | 0 | 0
APSC-DV-000740 - CAT II The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000750 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | 0 | 0
APSC-DV-000760 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | 0 | 0
APSC-DV-000770 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | 0 | 0
APSC-DV-000780 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000790 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | 0 | 0
APSC-DV-000800 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | 0 | 0
APSC-DV-000810 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | 0 | 0
APSC-DV-000820 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000830 - CAT II The application must generate audit records when successful/unsuccessful logon attempts occur. | 0 | 0
APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other system-level access. | 0 | 0
APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time for user access to the system. | 0 | 0
APSC-DV-000860 - CAT II The application must generate audit records when successful/unsuccessful accesses to objects occur. | 0 | 0

APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the information system. | 0 | 0
APSC-DV-000880 - CAT II The application must generate audit records for all account creations, modifications, disabling, and termination events. | 0 | 0
APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. | 0 | 0
APSC-DV-000940 - CAT II The application must log application shutdown events. | 0 | 0
APSC-DV-000950 - CAT II The application must log destination IP addresses. | 0 | 0
APSC-DV-000960 - CAT II The application must log user actions involving access to data. | 0 | 0
APSC-DV-000970 - CAT II The application must log user actions involving changes to data. | 0 | 0
APSC-DV-000980 - CAT II The application must produce audit records containing information to establish when (date and time) the events occurred. | 0 | 0
APSC-DV-000990 - CAT II The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | 0 | 0
APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | 0 | 0
APSC-DV-001010 - CAT II The application must produce audit records that contain information to establish the outcome of the events. | 0 | 0
APSC-DV-001020 - CAT II The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | 0 | 0
APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | 0 | 0
APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction based. | 0 | 0
APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | 0 | 0
APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media than the system being audited. | 0 | 0
APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log repository. | 0 | 0
APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | 0 | 0
APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | 0 | 0
APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | 0 | 0
APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability is an overriding concern). | 0 | 0
APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | 0 | 0
APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | 0 | 0
APSC-DV-001150 - CAT II The application must provide an audit reduction capability that supports on-demand reporting requirements. | 0 | 0
APSC-DV-001160 - CAT II The application must provide an audit reduction capability that supports on-demand audit review and analysis. | 0 | 0
APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | 0 | 0
APSC-DV-001180 - CAT II The application must provide a report generation capability that supports on-demand audit review and analysis. | 0 | 0
APSC-DV-001190 - CAT II The application must provide a report generation capability that supports on-demand reporting requirements. | 0 | 0

APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | 0 | 0
APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | 0 | 0
APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter original content or time ordering of audit records. | 0 | 0
APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for audit records. | 0 | 0
APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | 0 | 0
APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | 0 | 0
APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized read access. | 0 | 0
APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. | 0 | 0
APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. | 0 | 0
APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. | 0 | 0
APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. | 0 | 0
APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. | 0 | 0
APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | 0 | 0
APSC-DV-001570 - CAT II The application must electronically verify Personal Identity Verification (PIV) credentials. | 0 | 0
APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of audit information. | 0 | 0
APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. | 0 | 0
APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | 0 | 0
APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit privileged status. | 0 | 0
APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to application configuration. | 0 | 0
APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. | 0 | 0
APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the orga | 0 | 0
APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within software libraries. | 0 | 0
APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. | 0 | 0
APSC-DV-001480 - CAT II The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | 0 | 0
APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | 0 | 0
APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. | 0 | 0

APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. | 0 | 0
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | 0 | 0
APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | 0 | 0
APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | 0 | 0
APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | 0 | 0
APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. | 0 | 0
APSC-DV-001580 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | 0 | 0
APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | 0 | 0
APSC-DV-001600 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. | 0 | 0
APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | 0 | 0
APSC-DV-001620 - CAT II The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | 0 | 0
APSC-DV-001630 - CAT II The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | 0 | 0
APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. | 0 | 0
APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices before establishing any connection. | 0 | 0
APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | 0 | 0
APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | 0 | 0
APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length.* | 0 | 0
APSC-DV-001690 - CAT II The application must enforce password complexity by requiring that at least one upper-case character be used. | 0 | 0
APSC-DV-001700 - CAT II The application must enforce password complexity by requiring that at least one lower-case character be used. | 0 | 0
APSC-DV-001710 - CAT II The application must enforce password complexity by requiring that at least one numeric character be used. | 0 | 0
APSC-DV-001720 - CAT II The application must enforce password complexity by requiring that at least one special character be used. | 0 | 0
APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of characters when passwords are changed. | 0 | 0
APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords.* | 0 | 0
APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. | 0 | 0
APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. | 0 | 0
APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. | 0 | 0
APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. | 0 | 0
APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five generations. | 0 | 0

APSC-DV-001790 - CAT II The application must allow the use of a temporary password for system logons with an immediate change to a permanent password. | 0 | 0
APSC-DV-001795 - CAT II The application password must not be changeable by users other than the administrator or the user with which the password is associated. | 0 | 0
APSC-DV-001800 - CAT II The application must terminate existing user sessions upon account deletion. | 0 | 0
APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | 0 | 0
APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or group account for PKI-based authentication. | 0 | 0
APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | 0 | 0
APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | 0 | 0
APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | 0 | 0
APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | 0 | 0
APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. | 0 | 0
APSC-DV-001890 - CAT II The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. | 0 | 0
APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. | 0 | 0
APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. | 0 | 0
APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. | 0 | 0
APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. | 0 | 0
APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal or disabling of emergency accounts. | 0 | 0
APSC-DV-001940 - CAT II Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. | 0 | 0
APSC-DV-001950 - CAT II Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. | 0 | 0
APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. | 0 | 0
APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | 0 | 0
APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-local maintenance is completed. | 0 | 0
APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. | 0 | 0
APSC-DV-002000 - CAT II The application must terminate all network connections associated with a communications session at the end of the session. | 0 | 0
APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0 | 0
APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing application components. | 0 | 0
APSC-DV-002030 - CAT II The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. | 0 | 0

PAGE 16 OF 142
APSC-DV-002040 - CAT II The application must utilize FIPS-validated cryptographic modules
0 0
when protecting unclassified information that requires cryptographic protection.

APSC-DV-002150 - CAT II The application user interface must be either physically or


0 0
logically separated from data storage and management interfaces.

APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies. 0 0

APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0

APSC-DV-002230 - CAT I The application must not expose session IDs. 0 0

APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie
0 0
on logoff or browser close.

APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that


0 0
protect against session fixation.

APSC-DV-002260 - CAT II Applications must validate session identifiers. 0 0

APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0

APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0

APSC-DV-002290 - CAT II The application must use the Federal Information Processing
Standard (FIPS) 140-2-validated cryptographic modules and random number generator if
0 0
the application implements encryption, key exchange, digital signature, and hash
functionality.*

APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved
0 0
certificate authorities for verification of the establishment of protected sessions.

APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization
0 0
fails, shutdown fails, or aborts fail.

APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any
information necessary to determine cause of failure and any information necessary to return 0 0
to operations with least disruption to mission processes.

APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of
6 2
stored information when required by DoD policy or the information owner.

APSC-DV-002340 - CAT II The application must implement approved cryptographic


mechanisms to prevent unauthorized modification of organization-defined information at 0 0
rest on organization-defined information system components.

APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to


0 0
protect stored DoD information when required by the information owner or DoD policy.

APSC-DV-002360 - CAT II The application must isolate security functions from non-security
0 0
functions.

APSC-DV-002370 - CAT II The application must maintain a separate execution domain for
0 0
each executing process.

APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended


0 0
information transfer via shared system resources.

APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML
0 0
filters, parser options, or gateways.

APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of
0 0
Service (DoS) attacks against itself or other information systems.*

APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms
0 0
when used with high-availability systems.

APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web


0 0
services when exposed to untrusted networks.

APSC-DV-002610 - CAT II The application must remove organization-defined software


0 0
components after updated versions have been installed.

APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of
0 0
transmitted information.

APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to


prevent unauthorized disclosure of information and/or detect changes to information during
0 0
transmission unless otherwise protected by alternative physical safeguards, such as, at a
minimum, a Prot

APSC-DV-002460 - CAT II The application must maintain the confidentiality and integrity of 0 0

PAGE 17 OF 142
information during preparation for transmission.

APSC-DV-002470 - CAT II The application must maintain the confidentiality and integrity of
0 0
information during reception.

APSC-DV-002480 - CAT II The application must not disclose unnecessary information to


0 0
users.

APSC-DV-002485 - CAT I The application must not store sensitive information in hidden
0 0
fields.

APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS)
22 16
vulnerabilities.*

APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery
2 2
(CSRF) vulnerabilities.*

APSC-DV-002510 - CAT I The application must protect from command injection. 0 0

APSC-DV-002520 - CAT II The application must protect from canonical representation


0 0
vulnerabilities.

APSC-DV-002530 - CAT II The application must validate all input.* 0 0

APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.* 2 1

APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0

APSC-DV-002560 - CAT I The application must not be subject to input handling


2 2
vulnerabilities.*

APSC-DV-002570 - CAT II The application must generate error messages that provide
information necessary for corrective actions without revealing information that could be 55 55
exploited by adversaries.

APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO,
0 0
ISSM, or SA.

APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks. 0 0

APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up


0 0
to date.

APSC-DV-002760 - CAT II The application performing organization-defined security


0 0
functions must verify correct operation of security functions.

APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at
least 1 year for applications without SAMI data, and 5 years for applications including SAMI 0 0
data.

APSC-DV-002770 - CAT II The application must perform verification of the correct operation
of security functions: upon system startup and/or restart; upon command by a user with 0 0
privileged access; and/or every 30 days.

APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security
0 0
verification tests.

APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the
0 0
application in accordance with DoD policy.

APSC-DV-002880 - CAT II The ISSO must ensure an account management process is


implemented, verifying only authorized users can gain access to the application, and 0 0
individual accounts designated as inactive, suspended, or terminated are promptly removed.

APSC-DV-002890 - CAT I Application web servers must be on a separate network segment


from the application and database servers if it is a tiered application operating in the DoD 0 0
DMZ.

APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system
0 0
documentation recommendations or immediately upon system security events.

APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in
0 0
accordance with DoD information system IA procedures.

APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0

APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by
the application must be submitted to the appropriate approving authority for the
0 0
organization, which in turn will be submitted through the DoD Ports, Protocols, and Services
Management (DoD PPS

APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created 0 0

PAGE 18 OF 142
to show how deadlock and recursion issues in web services are being mitigated.

APSC-DV-002960 - CAT II The designer must ensure the application does not store
0 0
configuration and control files in the same directory as user data.

APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not
0 0
available, a third-party product will be configured by following available guidance.

APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and
0 0
Protocols Database.

APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly


0 0
patched and STIG compliant.

APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM)


0 0
repository must be reviewed every three months.

APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the


configuration control and change management process of application objects developed by
0 0
the organization and the roles and responsibilities of the organization must be created and
maintained.

APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every
release cycle, for managing the Configuration Management (CM) process must be 0 0
established.

APSC-DV-003030 - CAT II The application services and interfaces must be compatible with
0 0
and ready for IPv6 networks.

APSC-DV-003040 - CAT II The application must not be hosted on a general purpose


0 0
machine if the application is designated as critical or high availability by the ISSO.

APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with


0 0
DoD policy based on the applications availability requirements.

APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so
recovery is performed in a secure and verifiable manner. The ISSO will document 0 0
circumstances inhibiting a trusted recovery.

APSC-DV-003070 - CAT II Data backup must be performed at required intervals in


0 0
accordance with DoD policy.

APSC-DV-003080 - CAT II Back-up copies of the application software or source code must
0 0
be stored in a fire-rated container or stored separately (offsite).

APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical


0 0
and technical protection of the backup and restoration of the application.

APSC-DV-003100 - CAT II The application must use encryption to implement key exchange
0 0
and authenticate endpoints prior to establishing a communication channel for key exchange.

APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0

APSC-DV-003120 - CAT I The application must have the capability to mark


0 0
sensitive/classified output when required.

APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or
0 0
applying patches; tests plans and procedures must be created and executed.

APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws
0 0
in addition to functional testing.

APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to


0 0
deploying to DoD operational networks.

APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed
to ensure system initialization, shutdown, and aborts are configured to verify the system 0 0
remains in a secure state.

APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0

APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of
0 0
the application.

APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect
0 0
tracking system.

APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and
0 0
accreditation impact prior to implementation.

APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0

PAGE 19 OF 142
APSC-DV-003215 - CAT III The application development team must follow a set of coding
0 0
standards.

APSC-DV-003220 - CAT III The designer must create and update the Design Document for
0 0
each release of the application.

APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each
application release and updated as required by design and functionality changes or when 0 0
new threats are discovered.

APSC-DV-003235 - CAT II The application must not be subject to error handling


0 0
vulnerabilities.*

APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or


0 0
support is no longer available.

APSC-DV-003236 - CAT II The application development team must provide an application


0 0
incident response plan.

APSC-DV-003240 - CAT I All products must be supported by the vendor or the development
0 0
team.

APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application
0 0
is decommissioned.

APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0

APSC-DV-003280 - CAT I Default passwords must be changed. 0 0

APSC-DV-003330 - CAT II The system must alert an administrator when low resource
0 0
conditions are encountered.

APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included


0 0
with the application.

APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification


0 0
Guide must exist containing data elements and their classification.

APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile


3 2
code is not used in applications.

APSC-DV-003310 - CAT II Production database exports must have database administration


0 0
credentials and sensitive data removed before releasing the export.

APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0

APSC-DV-003340 - CAT III At least one application administrator must be registered to


0 0
receive update notifications, or security alerts, when automated alerts are available.

APSC-DV-003360 - CAT III The application must generate audit records when concurrent
0 0
logons from different workstations occur.

APSC-DV-003345 - CAT III The application must provide notifications or alerts when product
0 0
update and security related patches are available.

APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other
0 0
public or commercial wide area networks must require a DMZ.

APSC-DV-003400 - CAT II The Program Manager must verify all levels of program
management, designers, developers, and testers receive annual security training pertaining 0 0
to their job function.

APSC-DV-000010 - CAT II The application must provide a capability to limit the number of
0 0
logon sessions per user.

APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when
0 0
the session is terminated.

APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged


0 0
user session and log off non-privileged users after a 15 minute idle time period has elapsed.

APSC-DV-000080 - CAT II The application must automatically terminate the admin user
0 0
session and log off admin users after a 10 minute idle time period is exceeded.

APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a


0 0
logoff capability for user initiated communication session.

APSC-DV-000100 - CAT III The application must display an explicit logoff message to users
0 0
indicating the reliable termination of authenticated communications sessions.

APSC-DV-000110 - CAT II The application must associate organization-defined types of


0 0
security attributes having organization-defined security attribute values with information in

PAGE 20 OF 142
storage.

APSC-DV-000120 - CAT II The application must associate organization-defined types of


security attributes having organization-defined security attribute values with information in 0 0
process.

APSC-DV-000130 - CAT II The application must associate organization-defined types of


security attributes having organization-defined security attribute values with information in 0 0
transmission.

APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to


0 0
protect the confidentiality of remote access sessions.

APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to


0 0
protect the integrity of remote access sessions.

APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with
0 0
creation and expiration times.

APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include
the following message elements:-Message ID-Service Request-Timestamp-SAML Assertion 0 0
(optionally included in messages) and all elements of the message must be digitally signed.

APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using
0 0
WS-Security or SAML assertions.

APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides
0 0
unique assertion ID references for each SAML assertion.

APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent


confidentiality protections are used when assertion data is passed through an intermediary, 0 0
and confidentiality of the assertion data is required when passing through the intermediary.

APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using
0 0
the SubjectConfirmation element in a SAML assertion.

APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter
0 0
elements or OneTimeUse element when using the Conditions element in a SAML assertion.

APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in


an assertion, there is only one of the same used in the Conditions element portion of an 0 0
assertion.

APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the
0 0
SessionIndex is tied to privacy data.

APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when


0 0
members leave the group.

APSC-DV-000280 - CAT II The application must provide automated mechanisms for


0 0
supporting account management functions.

APSC-DV-000300 - CAT II The application must automatically remove or disable temporary


0 0
user accounts 72 hours after account creation.

APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35
0 0
day period of account inactivity.

APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0

APSC-DV-000420 - CAT II The application must automatically audit account enabling


0 0
actions.

APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0

APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0

APSC-DV-000360 - CAT II The application must automatically audit account disabling


0 0
actions.

APSC-DV-000370 - CAT II The application must automatically audit account removal


0 0
actions.

APSC-DV-000380 - CAT III The application must notify System Administrators and
0 0
Information System Security Officers when accounts are created.

APSC-DV-000390 - CAT III The application must notify System Administrators and
0 0
Information System Security Officers when accounts are modified.

APSC-DV-000400 - CAT III The application must notify System Administrators and
0 0
Information System Security Officers of account disabling actions.

PAGE 21 OF 142
APSC-DV-000410 - CAT III The application must notify System Administrators and
0 0
Information System Security Officers of account removal actions.

APSC-DV-000430 - CAT III The application must notify System Administrators and
0 0
Information System Security Officers of account enabling actions.

APSC-DV-000440 - CAT II Application data protection requirements must be identified and


0 0
documented.

APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0

APSC-DV-000450 - CAT II The application must utilize organization-defined data mining


detection techniques for organization-defined data storage objects to adequately detect data 0 0
mining attempts.

APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical
access to information and system resources in accordance with applicable access control 0 0
policies.

APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary


0 0
access control policies over defined subjects and objects.

APSC-DV-000480 - CAT II The application must enforce approved authorizations for


controlling the flow of information within the system based on organization-defined 0 0
information flow control policies.

APSC-DV-000490 - CAT II The application must enforce approved authorizations for


controlling the flow of information between interconnected systems based on organization- 0 0
defined information flow control policies.

APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering implemented security 0 0
safeguards/countermeasures.

APSC-DV-000510 - CAT I The application must execute without excessive account


0 0
permissions.

APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid
0 0
logon attempts by a user during a 15 minute time period.

APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice
and Consent Banner on the screen until users acknowledge the usage conditions and take 0 0
explicit actions to log on for further access.

APSC-DV-000540 - CAT II The application administrator must follow an approved process to


0 0
unlock locked user accounts.

APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD
0 0
Notice and Consent Banner before granting access to the application.

APSC-DV-000570 - CAT III The publicly accessible application must display the Standard
0 0
Mandatory DoD Notice and Consent Banner before granting access to the application.

APSC-DV-000580 - CAT III The application must display the time and date of the users last
0 0
successful logon.

APSC-DV-000630 - CAT II The application must provide audit record generation capability
0 0
for the destruction of session IDs.

APSC-DV-000590 - CAT II The application must protect against an individual (or process
acting on behalf of an individual) falsely denying having performed organization-defined 0 0
actions to be covered by non-repudiation.

APSC-DV-000600 - CAT II For applications providing audit record aggregation, the


application must compile audit records from organization-defined information system
0 0
components into a system-wide audit trail that is time-correlated with an organization-
defined level of tolerance

APSC-DV-000610 - CAT II The application must provide the capability for organization-
identified individuals or roles to change the auditing to be performed on all application
0 0
components, based on all selectable event criteria within organization-defined time
thresholds.

APSC-DV-000620 - CAT II The application must provide audit record generation capability
0 0
for the creation of session IDs.

* Project scan results do not include all relevant queries. Presets and\or Filters should be changed to include all relevant
standard queries.

Scan Summary - MOIS(KISA) Secure Coding 2021

Category | Issues Found | Best Fix Locations
MOIS(KISA) API misuse* | 0 | 0
MOIS(KISA) Code error | 0 | 0
MOIS(KISA) Encapsulation* | 0 | 0
MOIS(KISA) Error processing* | 55 | 55
MOIS(KISA) Security Functions* | 6 | 2
MOIS(KISA) Time and status | 0 | 0
MOIS(KISA) Verification and representation of input data* | 71 | 59

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - SANS top 25

Category | Issues Found | Best Fix Locations
SANS top 25* | 75 | 59

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - CWE top 25

Category | Issues Found | Best Fix Locations
CWE top 25* | 75 | 59

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - OWASP ASVS

Category | Issues Found | Best Fix Locations
V01 Architecture, Design and Threat Modeling* | 1 | 1
V02 Authentication* | 0 | 0
V03 Session Management | 0 | 0
V04 Access Control | 0 | 0
V05 Validation, Sanitization and Encoding* | 60 | 53
V06 Stored Cryptography* | 0 | 0
V07 Error Handling and Logging* | 0 | 0
V08 Data Protection | 0 | 0
V09 Communication | 0 | 0
V10 Malicious Code* | 5 | 1
V11 Business Logic* | 0 | 0
V12 Files and Resources* | 9 | 4
V13 API and Web Service* | 2 | 2
V14 Configuration* | 56 | 56

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - PCI DSS v3.1
Further details and elaboration about vulnerabilities and risks can be found at: PCI DSS v3.1

Category | Issues Found | Best Fix Locations
PCI DSS (3.1) - 6.5.1 - Injection flaws - particularly SQL injection | 0 | 0
PCI DSS (3.1) - 6.5.2 - Buffer overflows | 0 | 0
PCI DSS (3.1) - 6.5.3 - Insecure cryptographic storage | 0 | 0
PCI DSS (3.1) - 6.5.4 - Insecure communications | 0 | 0
PCI DSS (3.1) - 6.5.5 - Improper error handling | 0 | 0
PCI DSS (3.1) - 6.5.7 - Cross-site scripting (XSS) | 0 | 0
PCI DSS (3.1) - 6.5.8 - Improper access control | 0 | 0
PCI DSS (3.1) - 6.5.9 - Cross-site request forgery | 0 | 0
PCI DSS (3.1) - 6.5.10 - Broken authentication and session management | 0 | 0
Scan Summary - OWASP Top 10 2013
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013

Category | Threat Agent | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact | Issues Found | Best Fix Locations
A1-Injection* | EXTERNAL, INTERNAL, ADMIN USERS | EASY | COMMON | AVERAGE | SEVERE | ALL DATA | 2 | 1
A2-Broken Authentication and Session Management* | EXTERNAL, INTERNAL USERS | AVERAGE | WIDESPREAD | AVERAGE | SEVERE | AFFECTED DATA AND FUNCTIONS | 0 | 0
A3-Cross-Site Scripting (XSS)* | EXTERNAL, INTERNAL, ADMIN USERS | AVERAGE | VERY WIDESPREAD | EASY | MODERATE | AFFECTED DATA AND SYSTEM | 22 | 16
A4-Insecure Direct Object References* | SYSTEM USERS | EASY | COMMON | EASY | MODERATE | EXPOSED DATA | 7 | 3
A5-Security Misconfiguration* | EXTERNAL, INTERNAL, ADMIN USERS | EASY | COMMON | EASY | MODERATE | ALL DATA AND SYSTEM | 0 | 0
A6-Sensitive Data Exposure* | EXTERNAL, INTERNAL, ADMIN USERS, USERS BROWSERS | DIFFICULT | UNCOMMON | AVERAGE | SEVERE | EXPOSED DATA | 5 | 1
A7-Missing Function Level Access Control* | EXTERNAL, INTERNAL USERS | EASY | COMMON | AVERAGE | MODERATE | EXPOSED DATA AND FUNCTIONS | 0 | 0
A8-Cross-Site Request Forgery (CSRF)* | USERS BROWSERS | AVERAGE | COMMON | EASY | MODERATE | AFFECTED DATA AND FUNCTIONS | 2 | 2
A9-Using Components with Known Vulnerabilities* | EXTERNAL USERS, AUTOMATED TOOLS | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | AFFECTED DATA AND FUNCTIONS | 0 | 0
A10-Unvalidated Redirects and Forwards | USERS BROWSERS | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | AFFECTED DATA AND FUNCTIONS | 1 | 1

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - OWASP Top 10 API

Category | Issues Found | Best Fix Locations
API1-Broken Object Level Authorization | 0 | 0
API2-Broken Authentication | 0 | 0
API3-Excessive Data Exposure | 0 | 0
API4-Lack of Resources and Rate Limiting | 0 | 0
API5-Broken Function Level Authorization* | 0 | 0
API6-Mass Assignment | 0 | 0
API7-Security Misconfiguration | 0 | 0
API8-Injection | 0 | 0
API9-Improper Assets Management | 0 | 0
API10-Insufficient Logging and Monitoring | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Scan Summary - OWASP Top 10 2010

Category | Issues Found | Best Fix Locations
A1-Injection | 0 | 0
A2-Cross-Site Scripting (XSS)* | 0 | 0
A3-Broken Authentication and Session Management* | 0 | 0
A4-Insecure Direct Object References | 0 | 0
A5-Cross-Site Request Forgery (CSRF) | 0 | 0
A6-Security Misconfiguration | 0 | 0
A7-Insecure Cryptographic Storage* | 0 | 0
A8-Failure to Restrict URL Access | 0 | 0
A9-Insufficient Transport Layer Protection | 0 | 0
A10-Unvalidated Redirects and Forwards | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.
Results Distribution By Status (First scan of the project)

Status | High | Medium | Low | Information | Total
New Issues | 27 | 43 | 70 | 0 | 140
Recurrent Issues | 0 | 0 | 0 | 0 | 0
Total | 27 | 43 | 70 | 0 | 140
Fixed Issues | 0 | 0 | 0 | 0 | 0

Results Distribution By State

State | High | Medium | Low | Information | Total
To Verify | 27 | 43 | 70 | 0 | 140
Not Exploitable | 0 | 0 | 0 | 0 | 0
Confirmed | 0 | 0 | 0 | 0 | 0
Urgent | 0 | 0 | 0 | 0 | 0
Proposed Not Exploitable | 0 | 0 | 0 | 0 | 0
Total | 27 | 43 | 70 | 0 | 140
Result Summary

Vulnerability Type | Occurrences | Severity
Stored XSS | 19 | High
File Manipulation | 3 | High
Reflected XSS All Clients | 2 | High
Second Order SQL Injection | 2 | High
Client DOM Stored XSS | 1 | High
Inappropriate Encoding for Output Context | 27 | Medium
Path Traversal | 6 | Medium
Privacy Violation | 5 | Medium
CSRF | 2 | Medium
Missing HSTS Header | 1 | Medium
Open Redirect | 1 | Medium
Parameter Tampering | 1 | Medium
Improper Exception Handling | 55 | Low
Client Hardcoded Domain | 7 | Low
Possible Flow Control | 7 | Low
Potential Clickjacking on Legacy Browsers | 1 | Low

10 Most Vulnerable Files (High and Medium Vulnerabilities)

File Name | Issues Found
WeBlog-main/subscription.php | 13
WeBlog-main/admin/orders.php | 8
WeBlog-main/admin/subscriptions.php | 8
WeBlog-main/auth/register.php | 7
WeBlog-main/author.php | 7
WeBlog-main/admin/posts.php | 7
WeBlog-main/index.php | 4
WeBlog-main/actions/create_post.php | 3
WeBlog-main/post.php | 3
WeBlog-main/order.php | 3

Scan Results Details

Stored XSS
Query Path: PHP\Cx\PHP High Risk\Stored XSS Version:1

Categories
OWASP Top 10 2013: A3-Cross-Site Scripting (XSS)
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-15 Information Output Filtering (P0)
OWASP Top 10 2017: A7-Cross-Site Scripting (XSS)
ASD STIG 4.10: APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A3-Injection
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)
SANS top 25: SANS top 25

Description
Stored XSS\Path 1:
Severity: High
Result State: To Verify
Online Results: http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=41
Status: New
Detection Date: 3/30/2025 3:29:35 PM

The application's <?php embeds untrusted data in the generated output with echo, at line 1 of WeBlog-main/admin/orders.php. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
The attacker would be able to alter the returned web page by saving malicious data in a data-store ahead of time. The attacker's modified data is then read from the database by the <?php method with mysqli_fetch_assoc, at line 1 of WeBlog-main/admin/orders.php. This untrusted data then flows through the code straight to the output web page, without sanitization.
This can enable a Stored Cross-Site Scripting (XSS) attack.

| Source | Destination
File | WeBlog-main/admin/orders.php | WeBlog-main/admin/orders.php
Line | 48 | 63
Object | mysqli_fetch_assoc | echo

Code Snippet
File Name: WeBlog-main/admin/orders.php
Method: <?php

....
48. <?php while ($row = mysqli_fetch_assoc($result)) { ?>
....
63. <input type="hidden" name="order_id" value="<?php echo $row['id']; ?>">

Stored XSS\Path 2:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=45
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 64 of
WeBlog-main/admin/orders.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the row is read back
with mysqli_fetch_assoc at line 48 of WeBlog-main/admin/orders.php and flows to the output
unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/admin/orders.php  WeBlog-main/admin/orders.php
Line    48                            64
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
48. <?php while ($row = mysqli_fetch_assoc($result)) { ?>
....
64. <input type="hidden" name="username" value="<?php echo $row['username']; ?>">

Stored XSS\Path 3:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=48
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 59 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the row is read back
with mysqli_fetch_assoc at line 53 of WeBlog-main/subscription.php and flows to the output
unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    53                            59
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
53. <?php while ($plan = mysqli_fetch_assoc($plans_result)): ?>
....
59. <a href="order.php?plan_id=<?php echo $plan['id']; ?>" class="btn btn-outline-success w-100">Subscribe</a>

Stored XSS\Path 4:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=50
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 58 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the row is read back
with mysqli_fetch_assoc at line 53 of WeBlog-main/subscription.php and flows to the output
unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    53                            58
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
53. <?php while ($plan = mysqli_fetch_assoc($plans_result)): ?>
....
58. <p class="card-text">Duration: <?php echo $plan['duration']; ?> days</p>

Stored XSS\Path 5:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=51
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo (the <?= short tag) at
line 71 of WeBlog-main/post.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the comment row is
read back with fetch_assoc at line 68 of WeBlog-main/post.php and flows to the output
unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source               Destination
File    WeBlog-main/post.php WeBlog-main/post.php
Line    68                   71
Object  fetch_assoc          echo

Code Snippet
File Name WeBlog-main/post.php
Method <link rel="stylesheet" href="assets/css/post.css">
....
68. while ($cmt = $result->fetch_assoc()) {
....
71. <img src="<?= $cmt['avatar_path'] ?>" alt="avatar" class="comment-avatar">

Stored XSS\Path 6:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=53
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 36 of
WeBlog-main/message.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the message row is
read back with fetch_assoc at line 35 of WeBlog-main/message.php and flows to the output
unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                  Destination
File    WeBlog-main/message.php WeBlog-main/message.php
Line    35                      36
Object  fetch_assoc             echo

Code Snippet
File Name WeBlog-main/message.php
Method <?php include 'includes/header.php';
....
35. while ($msg = $result->fetch_assoc()) {
36. echo "<div class='message'>

Stored XSS\Path 7:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=54
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 80 of
WeBlog-main/author.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the post row is read
back with fetch_assoc at line 73 of WeBlog-main/author.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                 Destination
File    WeBlog-main/author.php WeBlog-main/author.php
Line    73                     80
Object  fetch_assoc            echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
73. <?php while ($post = $posts->fetch_assoc()) { ?>
....
80. • Views: <?php echo $post['views']; ?>

Stored XSS\Path 8:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=55
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 75 of
WeBlog-main/author.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the post row is read
back with fetch_assoc at line 73 of WeBlog-main/author.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                 Destination
File    WeBlog-main/author.php WeBlog-main/author.php
Line    73                     75
Object  fetch_assoc            echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
73. <?php while ($post = $posts->fetch_assoc()) { ?>
....
75. <a href="post.php?id=<?php echo $post['id']; ?>">

Stored XSS\Path 9:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=56
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 28 of
WeBlog-main/index.php. The data is written into the output without sanitization or encoding,
so an attacker can inject markup or script into the page. An attacker who has saved malicious
data in the database ahead of time can alter the returned page: the author row is read back
with fetch_assoc at line 26 of WeBlog-main/index.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                Destination
File    WeBlog-main/index.php WeBlog-main/index.php
Line    26                    28
Object  fetch_assoc           echo

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
26. while ($author = $authorResult->fetch_assoc()) {
....
28. echo "<li><a href='author.php?id={$author['id']}'>{$authorName}</a></li>";

Stored XSS\Path 10:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=57
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 81 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the subscription row
is read back with mysqli_fetch_assoc at line 78 of WeBlog-main/subscription.php and flows to
the output unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    78                            81
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
78. <?php while ($subscription = mysqli_fetch_assoc($subscription_result)): ?>
....
81. <td><?php echo $subscription['start_date']; ?></td>

Stored XSS\Path 11:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=58
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 82 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the subscription row
is read back with mysqli_fetch_assoc at line 78 of WeBlog-main/subscription.php and flows to
the output unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    78                            82
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
78. <?php while ($subscription = mysqli_fetch_assoc($subscription_result)): ?>
....
82. <td><?php echo $subscription['end_date']; ?></td>

Stored XSS\Path 12:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=59
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo (the <?= short tag) at
line 53 of WeBlog-main/post.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the post row is read
back with fetch_assoc at line 23 of WeBlog-main/post.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source               Destination
File    WeBlog-main/post.php WeBlog-main/post.php
Line    23                   53
Object  fetch_assoc          echo

Code Snippet
File Name WeBlog-main/post.php
Method <link rel="stylesheet" href="assets/css/post.css">
....
23. ")->fetch_assoc();
....
53. <span class="post-views"><?= $post['views'] ?> views</span>

Stored XSS\Path 13:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=60
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo (the <?= short tag) at
line 50 of WeBlog-main/post.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the post row is read
back with fetch_assoc at line 23 of WeBlog-main/post.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source               Destination
File    WeBlog-main/post.php WeBlog-main/post.php
Line    23                   50
Object  fetch_assoc          echo

Code Snippet
File Name WeBlog-main/post.php
Method <link rel="stylesheet" href="assets/css/post.css">
....
23. ")->fetch_assoc();
....
50. <img src="<?= $post['avatar_path'] ?>" alt="avatar" class="post-avatar">

Stored XSS\Path 14:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=61
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 131 of
WeBlog-main/index.php. The data is written into the output without sanitization or encoding,
so an attacker can inject markup or script into the page. An attacker who has saved malicious
data in the database ahead of time can alter the returned page: the popular-post row is read
back with fetch_assoc at line 129 of WeBlog-main/index.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                Destination
File    WeBlog-main/index.php WeBlog-main/index.php
Line    129                   131
Object  fetch_assoc           echo

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
129. while ($pop = $popular->fetch_assoc()) {
....
131. echo "<li><a href='post.php?id={$pop['id']}'>{$popTitle}</a></li>";

Stored XSS\Path 15:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=63
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 50 of
WeBlog-main/admin/posts.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the post row is read
back with mysqli_fetch_assoc at line 37 of WeBlog-main/admin/posts.php and flows to the
output unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                       Destination
File    WeBlog-main/admin/posts.php  WeBlog-main/admin/posts.php
Line    37                           50
Object  mysqli_fetch_assoc           echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
37. <?php while ($row = mysqli_fetch_assoc($result)) { ?>
....
50. <a href="delete_post.php?id=<?php echo $row['id']; ?>" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');">Delete</a>

Stored XSS\Path 16:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=65
Status New

Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 39 of
WeBlog-main/order.php. The data is written into the output without sanitization or encoding,
so an attacker can inject markup or script into the page. An attacker who has saved malicious
data in the database ahead of time can alter the returned page: the plan row is read back with
mysqli_fetch_assoc at line 16 of WeBlog-main/order.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                Destination
File    WeBlog-main/order.php WeBlog-main/order.php
Line    16                    39
Object  mysqli_fetch_assoc    echo

Code Snippet
File Name WeBlog-main/order.php
Method <?php
....
16. $plan = mysqli_fetch_assoc($plan_result);
....
39. <p class="text-center">Duration: <?php echo $plan['duration']; ?> days</p>

Stored XSS\Path 17:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=66
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 111 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the order row is read
back with mysqli_fetch_assoc at line 107 of WeBlog-main/subscription.php and flows to the
output unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    107                           111
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
107. <?php while ($order = mysqli_fetch_assoc($orders_result)): ?>
....
111. <td><?php echo $order['created_at']; ?></td>

Stored XSS\Path 18:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=67
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 109 of
WeBlog-main/subscription.php. The data is written into the output without sanitization or
encoding, so an attacker can inject markup or script into the page. An attacker who has saved
malicious data in the database ahead of time can alter the returned page: the order row is read
back with mysqli_fetch_assoc at line 107 of WeBlog-main/subscription.php and flows to the
output unchanged. This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    107                           109
Object  mysqli_fetch_assoc            echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
107. <?php while ($order = mysqli_fetch_assoc($orders_result)): ?>
....
109. <td><?php echo $order['id']; ?></td>

Stored XSS\Path 19:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=68
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 92 of
WeBlog-main/index.php. The data is written into the output without sanitization or encoding,
so an attacker can inject markup or script into the page. An attacker who has saved malicious
data in the database ahead of time can alter the returned page: the post row is read back with
fetch_assoc at line 88 of WeBlog-main/index.php and flows to the output unchanged.
This can enable a Stored Cross-Site Scripting (XSS) attack.

        Source                Destination
File    WeBlog-main/index.php WeBlog-main/index.php
Line    88                    92
Object  fetch_assoc           echo

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
88. while ($post = $result->fetch_assoc()) {
....
92. echo "
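All nineteen paths above share one shape: a column read with mysqli_fetch_assoc or fetch_assoc is echoed into HTML without encoding. Several of the flagged columns (id, views, duration, start_date, end_date, created_at) are probably integer or date typed, which limits the real risk and is worth confirming against the schema before marking them, but username, avatar_path and the author and post names in index.php are free text, and the fix is the same for all of them: encode every value for the context it lands in (HTML body, quoted attribute, URL parameter inside an href) or reject values that are not of the expected type. The following PHP is an added example written for this review, not code from the WeBlog project; it requires PHP 8.0 or later, the row contents are constructed, and the helper names (`e`, `to_int`, `href_with_param`, `local_image_src`) and the fallback avatar path are assumptions.

```php
<?php
// Added example, not WeBlog code: context-aware output encoding for the
// mysqli_fetch_assoc -> echo flows in the report. Requires PHP 8.0+. The rows
// below are constructed to stand in for attacker-controlled database content.
declare(strict_types=1);

// HTML body text and double-quoted attribute values: encode < > & " '.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Identifier and counter columns (id, views, duration): insist on a
// non-negative integer rather than trusting that the schema enforces it.
function to_int(mixed $value): int
{
    if (!is_int($value) && !(is_string($value) && ctype_digit($value))) {
        throw new InvalidArgumentException('expected a non-negative integer, got ' . var_export($value, true));
    }
    return (int) $value;
}

// A query-string parameter inside an href needs two layers: percent-encoding
// for the URL, then HTML encoding because the URL sits in an attribute.
function href_with_param(string $base, string $name, string $value): string
{
    return e($base . '?' . http_build_query([$name => $value]));
}

// Paths that end up in src/href (avatar_path): accept only a relative path
// under uploads/ made of safe characters, otherwise use a fixed asset.
function local_image_src(string $path): string
{
    $ok = preg_match('~\A[A-Za-z0-9_/.-]+\z~', $path) === 1
        && !str_contains($path, '..')
        && str_starts_with($path, 'uploads/');
    return e($ok ? $path : 'assets/img/default-avatar.png');   // assumed fallback asset
}

// The pattern the scanner flags (admin/orders.php line 64, subscription.php line 59).
function render_unsafe(array $row, array $plan): string
{
    return '<input type="hidden" name="username" value="' . $row['username'] . '">' . "\n"
         . '<a href="order.php?plan_id=' . $plan['id'] . '" class="btn">Subscribe</a>';
}

// The same two fragments with each value encoded for the context it lands in.
function render_safe(array $row, array $plan): string
{
    return '<input type="hidden" name="username" value="' . e($row['username']) . '">' . "\n"
         . '<a href="' . href_with_param('order.php', 'plan_id', (string) to_int($plan['id']))
         . '" class="btn">Subscribe</a>';
}

// Constructed rows: a username that closes the attribute, and a plan id that
// was tampered with in the data store.
$row      = ['username' => '"><script>alert(document.cookie)</script>'];
$goodPlan = ['id' => '7'];
$badPlan  = ['id' => '7" onmouseover="alert(1)'];

echo "--- unsafe ---\n", render_unsafe($row, $badPlan), "\n";
echo "--- safe ---\n", render_safe($row, $goodPlan), "\n";
try {
    render_safe($row, $badPlan);
} catch (InvalidArgumentException $ex) {
    echo 'tampered id rejected: ', $ex->getMessage(), "\n";
}
echo '<img src="', local_image_src('javascript:alert(1)'), '">', "\n";
echo '<img src="', local_image_src('uploads/alice/avatar.png'), '">', "\n";
```

The `<?= ... ?>` short tags in post.php are plain echo and need the same treatment; `<?= e($post['avatar_path']) ?>` is not sufficient on its own for a src attribute, because an encoded `javascript:` URL is still a `javascript:` URL, which is why `local_image_src()` validates the path rather than only encoding it.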

File Manipulation
Query Path:
PHP\Cx\PHP High Risk\File Manipulation Version:1

Categories
FISMA 2014: Configuration Management
NIST SP 800-53: SI-10 Information Input Validation (P1)
OWASP Top 10 2017: A1-Injection
ASD STIG 4.10: APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used in applications.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V12 Files and Resources
OWASP Top 10 2021: A1-Broken Access Control
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control
SANS top 25: SANS top 25

Description
File Manipulation\Path 1:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=11
Status New
Detection Date 3/30/2025 3:29:35 PM

The input obtained from $_POST at line 7 of WeBlog-main/auth/register.php is used at line 37 of
the same file to determine the directory path ($thumbnail_folder) passed to mkdir, potentially
allowing an attacker to create a directory outside the intended location, or to alter or
corrupt existing files there.

        Source                          Destination
File    WeBlog-main/auth/register.php   WeBlog-main/auth/register.php
Line    7                               37
Object  _POST                           thumbnail_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
37. mkdir($thumbnail_folder, 0777, true);

File Manipulation\Path 2:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=13
Status New
Detection Date 3/30/2025 3:29:35 PM

The input obtained from $_POST at line 7 of WeBlog-main/auth/register.php is used at line 34 of
the same file to determine the directory path ($user_folder) passed to mkdir, potentially
allowing an attacker to create a directory outside the intended location, or to alter or
corrupt existing files there.

        Source                          Destination
File    WeBlog-main/auth/register.php   WeBlog-main/auth/register.php
Line    7                               34
Object  _POST                           user_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
34. mkdir($user_folder, 0777, true);
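Paths 1 and 2 above take `$_POST['username']` and use it as a path component for mkdir; the snippets also show mode 0777, which the scanner does not flag but which makes both directories world-writable. The following PHP is an added example written for this review, not code from the WeBlog project; it requires PHP 8.0 or later, and the upload root under the system temp directory, the username format and the function names are assumptions. It allowlists the username before it is used as a path, checks that the resolved target still sits under the root, and creates the directories with 0750.

```php
<?php
// Added example, not WeBlog code: creating the per-user directories that
// auth/register.php creates at lines 34 and 37 without letting
// $_POST['username'] choose where they go. Requires PHP 8.0+.
declare(strict_types=1);

// Assumed upload root; a temp directory so the example runs anywhere.
define('UPLOAD_ROOT', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'weblog_uploads');

// Allowlist at the boundary: 3-32 letters, digits or underscore. Dots, slashes,
// NUL bytes and anything else never reach a filesystem call.
function valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username) === 1;
}

// Returns the thumbnail directory that was created, or null if the input was
// rejected or the directories could not be created.
function create_user_dirs(string $username): ?string
{
    if (!valid_username($username)) {
        return null;
    }
    if (!is_dir(UPLOAD_ROOT) && !mkdir(UPLOAD_ROOT, 0750, true)) {
        return null;
    }
    // Resolve the root once and compare every target against the resolved form.
    $root = realpath(UPLOAD_ROOT);
    if ($root === false) {
        return null;
    }
    $userDir  = $root . DIRECTORY_SEPARATOR . $username;
    $thumbDir = $userDir . DIRECTORY_SEPARATOR . 'thumbnails';
    foreach ([$userDir, $thumbDir] as $dir) {
        // Second line of defence: the target must sit below the root.
        if (!str_starts_with($dir, $root . DIRECTORY_SEPARATOR)) {
            return null;
        }
        // 0750 rather than 0777: only the web server user needs to write here.
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            return null;
        }
    }
    return $thumbDir;
}

// Constructed inputs: a normal username, traversal, an absolute path, a NUL byte.
foreach (['alice', '../../etc/cron.d', '/tmp/x', 'bob/../..', "alice\0x"] as $input) {
    printf("%-24s -> %s\n", json_encode($input), create_user_dirs($input) ?? 'rejected');
}
```

The allowlist is what actually closes the finding; the `str_starts_with` check is defence in depth for the day someone relaxes the regular expression. Applying the same `valid_username()` check before the INSERT in register.php also keeps the directory name and the database row in step.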

File Manipulation\Path 3:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=15
Status New
Detection Date 3/30/2025 3:29:35 PM

The input obtained from $_FILES at line 43 of WeBlog-main/actions/create_post.php (the
extension of the client-supplied filename) is used at line 46 of the same file to determine
the location ($target_file) that move_uploaded_file writes to, potentially allowing an
attacker to alter or corrupt the contents of that file, or to create a new file altogether.

        Source                                Destination
File    WeBlog-main/actions/create_post.php   WeBlog-main/actions/create_post.php
Line    43                                    46
Object  _FILES                                target_file

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
43. $file_extension = pathinfo($_FILES["thumbnail"]["name"], PATHINFO_EXTENSION);
....
46. if (move_uploaded_file($_FILES["thumbnail"]["tmp_name"], $target_file)) {

Reflected XSS All Clients


Query Path:
PHP\Cx\PHP High Risk\Reflected XSS All Clients Version:1

Categories
OWASP Top 10 2013: A3-Cross-Site Scripting (XSS)
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-15 Information Output Filtering (P0)
OWASP Top 10 2017: A7-Cross-Site Scripting (XSS)
ASD STIG 4.10: APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A3-Injection
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)
SANS top 25: SANS top 25

Description
Reflected XSS All Clients\Path 1:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=2
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 23 of
WeBlog-main/actions/send_message.php. The data is written into the output without
sanitization or encoding, so an attacker can inject markup or script into the output.
The attacker can alter the returned page simply by supplying modified data in the user input
_POST, which is read at line 6 of WeBlog-main/actions/send_message.php and flows to the output
unchanged. This can enable a Reflected Cross-Site Scripting (XSS) attack.

        Source                                 Destination
File    WeBlog-main/actions/send_message.php   WeBlog-main/actions/send_message.php
Line    6                                      23
Object  _POST                                  echo

Code Snippet
File Name WeBlog-main/actions/send_message.php
Method <?php
....
6. $receiver_username = $_POST['username'];
....
23. echo "<p class='success'>Message sent to <b>$receiver_username</b>!</p>";

Reflected XSS All Clients\Path 2:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=4
Status New
Detection Date 3/30/2025 3:29:35 PM

The application embeds untrusted data in the generated output with echo at line 47 of
WeBlog-main/actions/create_post.php. The data is written into the output without
sanitization or encoding, so an attacker can inject markup or script into the output.
The attacker can alter the returned page simply by supplying a crafted filename in the user
input _FILES, which is read at line 43 of WeBlog-main/actions/create_post.php, becomes part
of $target_file, and flows to the output unchanged. This can enable a Reflected Cross-Site
Scripting (XSS) attack.

        Source                                Destination
File    WeBlog-main/actions/create_post.php   WeBlog-main/actions/create_post.php
Line    43                                    47
Object  _FILES                                echo

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
43. $file_extension = pathinfo($_FILES["thumbnail"]["name"], PATHINFO_EXTENSION);
....
47. echo "File uploaded successfully: $target_file<br>";

Second Order SQL Injection


Query Path:
PHP\Cx\PHP High Risk\Second Order SQL Injection Version:1

Categories
OWASP Top 10 2013: A1-Injection
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-10 Information Input Validation (P1)
OWASP Top 10 2017: A1-Injection
ASD STIG 4.10: APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A3-Injection
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection
SANS top 25: SANS top 25

Description
Second Order SQL Injection\Path 1:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=29
Status New
Detection Date 3/30/2025 3:29:35 PM

The code at line 10 of WeBlog-main/subscription.php reads $_SESSION['user_id'], which the
scanner treats as data persisted by an earlier request (a second-order source). The value flows
through the code without being validated or parameterised and is concatenated into the query
executed by mysqli_query at line 22 of WeBlog-main/subscription.php. This may enable a
Second-Order SQL Injection attack if the session value can ever carry attacker-controlled
content.

        Source                        Destination
File    WeBlog-main/subscription.php  WeBlog-main/subscription.php
Line    10                            22
Object  _SESSION_user_id              mysqli_query

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
10. $user_id = $_SESSION['user_id'];
....
22. $subscription_result = mysqli_query($conn, $subscription_query);

Second Order SQL Injection\Path 2:


Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=32
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/subscription.php gets database data from the


_SESSION_user_id element. This element’s value then flows through the code without being
properly sanitized or validated, and is eventually used in a database query in method <?php at
line 1 of WeBlog-main/subscription.php. This may enable an Second-Order SQL Injection
attack.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php

PAGE 49 OF 142
Line 10 30
Object _SESSION_user_id mysqli_query

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
10. $user_id = $_SESSION['user_id'];
....
30. $orders_result = mysqli_query($conn, $orders_query);
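Both paths share one source (the session value at line 10) and differ only in the sink. The following is an added example, not code from the WeBlog project: the report shows the source and the two mysqli_query sinks but not the query strings, so the string-concatenated shape of the original queries, the table and column names, and the helper names are assumptions made here. It contrasts the assumed vulnerable shape with the prepared-statement form and re-validates the session value before use; with a tampered session value such as `1 OR 1=1` the concatenated form widens the WHERE clause to every row, while the hardened form rejects the value outright.

```php
<?php
// Added example, not WeBlog code. Tables, columns, helper names and the
// concatenated shape of the original queries are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed vulnerable shape: whatever sits in the session is spliced into SQL.
// The value is "second order" because it was stored earlier (at login) and is
// trusted here without re-validation.
function build_orders_query_unsafe($user_id): string
{
    return "SELECT * FROM orders WHERE user_id = $user_id";
}

// Hardened: re-validate the session value as a positive integer every time it
// is used, so a tampered or malformed session value fails closed.
function current_user_id(array $session): int
{
    $id = filter_var($session['user_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new RuntimeException('missing or malformed session user_id');
    }
    return $id;
}

// Hardened: the query text is constant; the value travels as a bound parameter.
// (get_result() needs the mysqlnd driver, the default in modern PHP builds.)
function fetch_rows_for_user(mysqli $conn, string $sql, int $user_id): array
{
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $user_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function fetch_subscription(mysqli $conn, int $user_id): array
{
    return fetch_rows_for_user($conn,
        'SELECT * FROM subscriptions WHERE user_id = ? LIMIT 1', $user_id);
}

function fetch_orders(mysqli $conn, int $user_id): array
{
    return fetch_rows_for_user($conn,
        'SELECT * FROM orders WHERE user_id = ? ORDER BY created_at DESC', $user_id);
}

// Demonstration with a constructed, tampered session value (no database needed):
// the unsafe builder splices it verbatim, the validator rejects it.
$tampered = ['user_id' => '1 OR 1=1'];
echo build_orders_query_unsafe($tampered['user_id']), "\n";
try {
    current_user_id($tampered);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// In subscription.php the hardened flow would be:
//   session_start();
//   $user_id      = current_user_id($_SESSION);
//   $subscription = fetch_subscription($conn, $user_id);
//   $orders       = fetch_orders($conn, $user_id);
```

Binding the parameter removes the injection regardless of where the value came from; the integer re-validation is defence in depth and also closes the triage question the scanner leaves open ("To Verify"), since the sink no longer depends on how user_id entered the session.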

Client DOM Stored XSS
Query Path:
JavaScript\Cx\JavaScript High Risk\Client DOM Stored XSS Version:1

Categories
OWASP Top 10 2013: A3-Cross-Site Scripting (XSS)
FISMA 2014: Access Control
NIST SP 800-53: SI-15 Information Output Filtering (P0)
OWASP Top 10 2017: A7-Cross-Site Scripting (XSS)
ASD STIG 4.10: APSC-DV-002490 - CAT I The application must protect from Cross-Site
Scripting (XSS) vulnerabilities.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A3-Injection
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS)
SANS top 25: SANS top 25

Description
Client DOM Stored XSS\Path 1:
Severity High
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=1
Status New
Detection Date 3/30/2025 3:29:35 PM

The application's success callback embeds untrusted data (the response parameter received at line 11 of WeBlog-main/assets/js/main.js) in the generated output via html at line 12. The data is inserted straight into the DOM without sanitization or encoding, so any attacker-controlled content in the server response is interpreted as markup and script in the page. Rendering the response with .text() instead of .html(), or building DOM nodes and setting textContent, removes the sink; the server should also return structured data (e.g. JSON) rather than an HTML fragment.

Source: WeBlog-main/assets/js/main.js, line 11, object response
Destination: WeBlog-main/assets/js/main.js, line 12, object html

Code Snippet
File Name WeBlog-main/assets/js/main.js
Method success: function (response) {

....
11. success: function (response) {
12. $("#messageStatus").html(response);

Inappropriate Encoding for Output Context
Query Path:
PHP\Cx\PHP Medium Threat\Inappropriate Encoding for Output Context Version:1

Categories
OWASP Top 10 2017: A6-Security Misconfiguration
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A4-Insecure Design
SANS top 25: SANS top 25

Description
Inappropriate Encoding for Output Context\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=3
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/index.php (reported by the scanner as method <?php at line 1; the call is at line 55, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/index.php, line 55, object htmlspecialchars
Destination: WeBlog-main/index.php, line 55, object echo

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
55. echo "<h2 class='section-title'><i class='fas fa-search'></i> Search results for: <em>" . htmlspecialchars($q) . "</em></h2>";

Inappropriate Encoding for Output Context\Path 2:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=5
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 54, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 54, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 54, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
54. <td><?php echo htmlspecialchars($row['start_date']); ?></td>

Inappropriate Encoding for Output Context\Path 3:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=6
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 55, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 55, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 55, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
55. <td><?php echo htmlspecialchars($row['end_date']); ?></td>

Inappropriate Encoding for Output Context\Path 4:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=7
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 57, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 57, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 57, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
57. <span class="status-<?php echo htmlspecialchars(strtolower($row['status'])); ?>">

Inappropriate Encoding for Output Context\Path 5:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=8
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 58, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 58, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 58, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
58. <?php echo htmlspecialchars($row['status']); ?>

Inappropriate Encoding for Output Context\Path 6:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=9
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/subscription.php (reported by the scanner as method <?php at line 1; the call is at line 114, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/subscription.php, line 114, object htmlspecialchars
Destination: WeBlog-main/subscription.php, line 114, object echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
114. <?php echo htmlspecialchars($order['status']); ?>

Inappropriate Encoding for Output Context\Path 7:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=10
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 51, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 51, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 51, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
51. <td><?php echo htmlspecialchars($row['username']); ?></td>

Inappropriate Encoding for Output Context\Path 8:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=12
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 52, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 52, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 52, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
52. <td><?php echo htmlspecialchars($row['plan']); ?></td>

Inappropriate Encoding for Output Context\Path 9:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=14
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 53, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 53, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 53, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
53. <td><?php echo htmlspecialchars($row['price']); ?></td>

Inappropriate Encoding for Output Context\Path 10:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=16
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 42, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 42, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 42, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
42. <td><?php echo htmlspecialchars($row['created_at']); ?></td>

Inappropriate Encoding for Output Context\Path 11:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=17
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 43, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 43, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 43, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
43. <td><?php echo htmlspecialchars($row['views']); ?></td>

Inappropriate Encoding for Output Context\Path 12:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=18
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 44, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 44, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 44, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
44. <td><?php echo htmlspecialchars($row['comment_count']); ?></td>

Inappropriate Encoding for Output Context\Path 13:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=19
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/subscription.php (reported by the scanner as method <?php at line 1; the call is at line 85, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/subscription.php, line 85, object htmlspecialchars
Destination: WeBlog-main/subscription.php, line 85, object echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
85. <?php echo htmlspecialchars($subscription['status']); ?>

Inappropriate Encoding for Output Context\Path 14:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=20
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 50, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 50, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 50, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
50. <td><?php echo htmlspecialchars($row['id']); ?></td>

Inappropriate Encoding for Output Context\Path 15:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=21
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 54, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 54, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 54, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
54. <span class="status-<?php echo htmlspecialchars(strtolower($row['status'])); ?>">

Inappropriate Encoding for Output Context\Path 16:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=22
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/subscription.php (reported by the scanner as method <?php at line 1; the call is at line 56, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/subscription.php, line 56, object htmlspecialchars
Destination: WeBlog-main/subscription.php, line 56, object echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
56. <h5 class="card-title text-success fw-bold"><?php echo htmlspecialchars($plan['name']); ?></h5>

Inappropriate Encoding for Output Context\Path 17:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=23
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/subscription.php (reported by the scanner as method <?php at line 1; the call is at line 80, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/subscription.php, line 80, object htmlspecialchars
Destination: WeBlog-main/subscription.php, line 80, object echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
80. <td><?php echo htmlspecialchars($subscription['name']); ?></td>

Inappropriate Encoding for Output Context\Path 18:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=26
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 51, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 51, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 51, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
51. <td><?php echo htmlspecialchars($row['username']); ?></td>

Inappropriate Encoding for Output Context\Path 19:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=28
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/order.php (reported by the scanner as method <?php at line 1; the call is at line 37, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/order.php, line 37, object htmlspecialchars
Destination: WeBlog-main/order.php, line 37, object echo

Code Snippet
File Name WeBlog-main/order.php
Method <?php
....
37. <h4 class="text-success text-center">Plan: <?php echo htmlspecialchars($plan['name']); ?></h4>

Inappropriate Encoding for Output Context\Path 20:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=30
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/subscriptions.php (reported by the scanner as method <?php at line 1; the call is at line 50, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/subscriptions.php, line 50, object htmlspecialchars
Destination: WeBlog-main/admin/subscriptions.php, line 50, object echo

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
50. <td><?php echo htmlspecialchars($row['id']); ?></td>

Inappropriate Encoding for Output Context\Path 21:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=33
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 39, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 39, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 39, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
39. <td><?php echo htmlspecialchars($row['id']); ?></td>

Inappropriate Encoding for Output Context\Path 22:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=36
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 40, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 40, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 40, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
40. <td><?php echo htmlspecialchars($row['title']); ?></td>

Inappropriate Encoding for Output Context\Path 23:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=37
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/posts.php (reported by the scanner as method <?php at line 1; the call is at line 41, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/posts.php, line 41, object htmlspecialchars
Destination: WeBlog-main/admin/posts.php, line 41, object echo

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
41. <td><?php echo htmlspecialchars($row['username']); ?></td>

Inappropriate Encoding for Output Context\Path 24:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=38
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 58, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 58, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 58, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
58. <td><?php echo htmlspecialchars($row['payment_method']); ?></td>

Inappropriate Encoding for Output Context\Path 25:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=39
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 59, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 59, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 59, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
59. <td><?php echo htmlspecialchars($row['created_at']); ?></td>

Inappropriate Encoding for Output Context\Path 26:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=40
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/subscription.php (reported by the scanner as method <?php at line 1; the call is at line 110, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/subscription.php, line 110, object htmlspecialchars
Destination: WeBlog-main/subscription.php, line 110, object echo

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
110. <td><?php echo htmlspecialchars($order['plan_name']); ?></td>

Inappropriate Encoding for Output Context\Path 27:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=42
Status New
Detection Date 3/30/2025 3:29:35 PM

The application uses the htmlspecialchars function in WeBlog-main/admin/orders.php (reported by the scanner as method <?php at line 1; the call is at line 55, shown below) to encode user input received earlier. However, the encoding does not cover every character that is significant in the output context: the call passes no ENT_QUOTES flag, and on PHP versions before 8.1 the default leaves single quotes unencoded. The application then sends the partially encoded input to the response page returned to the client. This may enable a Cross-Site Scripting attack.

Source: WeBlog-main/admin/orders.php, line 55, object htmlspecialchars
Destination: WeBlog-main/admin/orders.php, line 55, object echo

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
55. <?php echo htmlspecialchars($row['status']); ?>
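All 27 Inappropriate Encoding paths above are the same pattern (htmlspecialchars with no flags), and the Client DOM Stored XSS finding in main.js is the client side of the same output-encoding problem, so one example serves both. The following is an added example, not code from the WeBlog project: it defines context-aware output helpers and the JSON-response shape an AJAX endpoint would return so that main.js can render it with .text() instead of .html(). The helper names, the status token alphabet and the JSON field names are assumptions. Paths whose sink is an HTML text node or a double-quoted attribute (most of the admin tables) are low risk even without ENT_QUOTES, since a single quote is not a delimiter there; the flag should still be applied uniformly so the triage does not have to be repeated for every new echo.

```php
<?php
// Added example, not WeBlog code: context-aware output helpers for the
// htmlspecialchars() findings and for the AJAX response consumed by main.js.
// Function names, the token alphabet and the JSON shape are assumptions.

// HTML text and quoted-attribute context. ENT_QUOTES encodes ' as well as ",
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// PHP 8.1+ already defaults to these flags; passing them explicitly makes the
// behaviour identical on older interpreters, which is what the scanner checks for.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value that selects a CSS class (class="status-...") should be validated,
// not merely encoded: only a small token alphabet is allowed through.
function status_token(?string $status): string
{
    $t = strtolower(trim((string) $status));
    return preg_match('/^[a-z0-9_-]{1,32}$/', $t) ? $t : 'unknown';
}

// JavaScript context (inline <script>): htmlspecialchars() is the wrong tool;
// json_encode() with the HEX flags yields a literal that is safe in a script block.
function js_value($value): string
{
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// AJAX endpoint shape for main.js: return JSON, not an HTML fragment, so the
// client can render it with .text(response.message) instead of .html(response).
function json_response(bool $ok, string $message): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    return json_encode(['ok' => $ok, 'message' => $message], JSON_THROW_ON_ERROR);
}

// Demonstration with a constructed payload that carries both quote characters.
$payload = "x' onmouseover='alert(1)\" <b>";
echo htmlspecialchars($payload, ENT_COMPAT), "\n";   // pre-8.1 default flags: the ' is passed through
echo e($payload), "\n";                              // both quote characters encoded
echo status_token("Active'"), "\n";                  // rejected, falls back to "unknown"
echo '<script>var s = ', js_value($payload), ";</script>\n";
echo json_response(true, $payload), "\n";
```

On the client, the matching change in main.js is to read the JSON body and call `$("#messageStatus").text(response.message)`; with a JSON content type and `nosniff`, a browser that navigates to the endpoint directly will not render the body as HTML either.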

Path Traversal
Query Path:
PHP\Cx\PHP Medium Threat\Path Traversal Version:1

Categories
OWASP Top 10 2013: A4-Insecure Direct Object References
OWASP Top 10 2017: A5-Broken Access Control
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V12 Files and Resources
OWASP Top 10 2021: A1-Broken Access Control
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control
SANS top 25: SANS top 25

Description
Path Traversal\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=24
Status New
Detection Date 3/30/2025 3:29:35 PM

The top-level script (method <?php at line 1) of WeBlog-main/auth/register.php reads user-controlled data from the _POST element at line 7. The value then flows through the code and is eventually used, at line 36, in a file path for local disk access. This may cause a Path Traversal vulnerability.
Because of the way PHP stream wrappers work, a specially crafted _POST value can reach that file operation and cause RCE, SSRF, a filter bypass or another critical vulnerability.

Source: WeBlog-main/auth/register.php, line 7, object _POST
Destination: WeBlog-main/auth/register.php, line 36, object thumbnail_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
36. if (!file_exists($thumbnail_folder)) {

Path Traversal\Path 2:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=25
Status New
Detection Date 3/30/2025 3:29:35 PM

The top-level script (method <?php at line 1) of WeBlog-main/auth/register.php reads user-controlled data from the _POST element at line 7. The value then flows through the code and is eventually used, at line 33, in a file path for local disk access. This may cause a Path Traversal vulnerability.
Because of the way PHP stream wrappers work, a specially crafted _POST value can reach that file operation and cause RCE, SSRF, a filter bypass or another critical vulnerability.

Source: WeBlog-main/auth/register.php, line 7, object _POST
Destination: WeBlog-main/auth/register.php, line 33, object user_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
33. if (!file_exists($user_folder)) {

Path Traversal\Path 3:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=27
Status New
Detection Date 3/30/2025 3:29:35 PM

The top-level script (method <?php at line 1) of WeBlog-main/auth/register.php reads user-controlled data from the _POST element at line 7. The value then flows through the code and is eventually used, at line 37, in a file path for local disk access. This may cause a Path Traversal vulnerability.
Because of the way PHP stream wrappers work, a specially crafted _POST value can reach that file operation and cause RCE, SSRF, a filter bypass or another critical vulnerability.

Source: WeBlog-main/auth/register.php, line 7, object _POST
Destination: WeBlog-main/auth/register.php, line 37, object thumbnail_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
37. mkdir($thumbnail_folder, 0777, true);

Path Traversal\Path 4:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=31
Status New
Detection Date 3/30/2025 3:29:35 PM

The top-level script (method <?php at line 1) of WeBlog-main/auth/register.php reads user-controlled data from the _POST element at line 7. The value then flows through the code and is eventually used, at line 34, in a file path for local disk access. This may cause a Path Traversal vulnerability.
Because of the way PHP stream wrappers work, a specially crafted _POST value can reach that file operation and cause RCE, SSRF, a filter bypass or another critical vulnerability.

Source: WeBlog-main/auth/register.php, line 7, object _POST
Destination: WeBlog-main/auth/register.php, line 34, object user_folder

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
34. mkdir($user_folder, 0777, true);

Path Traversal\Path 5:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=34
Status New
Detection Date 3/30/2025 3:29:35 PM

The top-level script (method <?php at line 1) of WeBlog-main/actions/create_post.php reads user-controlled data from the _FILES element at line 43 (the client-supplied upload name). The value then flows through the code and is eventually used, at line 46, in a file path for local disk access. This may cause a Path Traversal vulnerability.
Because of the way PHP stream wrappers work, a specially crafted _FILES value can reach that file operation and cause RCE, SSRF, a filter bypass or another critical vulnerability.

Source: WeBlog-main/actions/create_post.php, line 43, object _FILES
Destination: WeBlog-main/actions/create_post.php, line 46, object target_file

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
43. $file_extension = pathinfo($_FILES["thumbnail"]["name"], PATHINFO_EXTENSION);
....
46. if (move_uploaded_file($_FILES["thumbnail"]["tmp_name"],
$target_file)) {

Path Traversal\Path 6:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=35
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/auth/register.php gets dynamic data from the _POST
element. This element’s value then flows through the code and is eventually used in a file path
for local disk access in <?php at line 1 of WeBlog-main/auth/register.php. This may cause a
Path Traversal vulnerability.
Because of the way PHP wrappers work a specially crafted input from the _POST element at line
1 of WeBlog-main/auth/register.php can flow to <?php at line 1 of WeBlog-
main/auth/register.php and cause an RCE, SSRF, filter bypass or another critical vulnerability.
Source Destination
File WeBlog-main/auth/register.php WeBlog-main/auth/register.php
Line 7 41
Object _POST $_DoubleQuotedString

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
7. $username = trim($_POST['username']);
....
41. copy("../assets/images/default_ava.png", "$user_folder/default_ava.png");

Privacy Violation
Query Path:
PHP\Cx\PHP Medium Threat\Privacy Violation Version:1

Categories
OWASP Top 10 2013: A6-Sensitive Data Exposure
FISMA 2014: Identification And Authentication
NIST SP 800-53: SC-4 Information in Shared Resources (P1)
OWASP Top 10 2017: A3-Sensitive Data Exposure
ASD STIG 4.10: APSC-DV-002330 - CAT II The application must protect the confidentiality and
integrity of stored information when required by DoD policy or the information owner.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Security Functions
OWASP ASVS: V10 Malicious Code
OWASP Top 10 2021: A1-Broken Access Control
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control
SANS top 25: SANS top 25

Description
Privacy Violation\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=43
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/author.php sends user information outside the application. This may constitute a Privacy Violation.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 8 42
Object authorId header

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
8. $authorId = (int)$_GET['id'];
....
42. header("Location: author.php?id=" . $authorId);

Privacy Violation\Path 2:
Severity Medium

Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=44
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/author.php sends user information outside the application. This may constitute a Privacy Violation.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 8 75
Object authorId echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
8. $authorId = (int)$_GET['id'];
....
75. <a href="post.php?id=<?php echo $post['id']; ?>">

Privacy Violation\Path 3:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=46
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/author.php sends user information outside the application. This may constitute a Privacy Violation.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 8 80
Object authorId echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
8. $authorId = (int)$_GET['id'];
....
80. • Views: <?php echo $post['views']; ?>

Privacy Violation\Path 4:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=47
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/author.php sends user information outside the application. This may constitute a Privacy Violation.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 8 76
Object authorId echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
8. $authorId = (int)$_GET['id'];
....
76. <?php echo htmlspecialchars($post['title']); ?>

Privacy Violation\Path 5:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=49
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/author.php sends user information outside the application. This may constitute a Privacy Violation.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 8 79
Object authorId echo

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
8. $authorId = (int)$_GET['id'];
....
79. • <?php echo date("M d, Y", strtotime($post['created_at'])); ?>

CSRF
Query Path:
PHP\Cx\PHP Medium Threat\CSRF Version:1

Categories
OWASP Top 10 2013: A8-Cross-Site Request Forgery (CSRF)
NIST SP 800-53: SC-23 Session Authenticity (P1)
ASD STIG 4.10: APSC-DV-002500 - CAT II The application must protect from Cross-Site
Request Forgery (CSRF) vulnerabilities.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V13 API and Web Service
OWASP Top 10 2021: A1-Broken Access Control
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery
SANS top 25: SANS top 25

Description
CSRF\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=62
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/actions/process_order.php gets a parameter from a user request from _POST. This parameter value flows through the code and is eventually used to access application state altering functionality. This may enable Cross-Site Request Forgery (CSRF).
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 6 47
Object _POST mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
6. $order_id = intval($_POST['order_id']);
....
47. mysqli_stmt_bind_param($stmt, "ii", $status_id, $order_id);

CSRF\Path 2:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=64
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/actions/create_order.php gets a parameter from a user request from _POST. This parameter value flows through the code and is eventually used to access application state altering functionality. This may enable Cross-Site Request Forgery (CSRF).
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 12 36
Object _POST mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
12. $plan_id = isset($_POST['plan_id']) ? intval($_POST['plan_id']) : 0;
....
36. mysqli_stmt_bind_param($stmt, "iiis", $user_id, $plan_id, $status_id, $payment_method);

Parameter Tampering
Query Path:
PHP\Cx\PHP Medium Threat\Parameter Tampering Version:1

Categories
OWASP Top 10 2013: A4-Insecure Direct Object References
OWASP Top 10 2017: A5-Broken Access Control
ASD STIG 4.10: APSC-DV-002560 - CAT I The application must not be subject to input handling
vulnerabilities.
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Security Functions
OWASP ASVS: V01 Architecture, Design and Threat Modeling
OWASP Top 10 2021: A4-Insecure Design
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection

Description
Parameter Tampering\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=52
Status New
Detection Date 3/30/2025 3:29:35 PM

Method <?php at line 1 of WeBlog-main/order.php gets user input from element _GET. This
input is later concatenated by the application directly into a string variable containing SQL
commands, without being validated. This string is then used in method <?php to query the
database mysqli_query, at line 1 of WeBlog-main/order.php, without any additional filtering by
the database. This could allow the user to tamper with the filter parameter.
Source Destination
File WeBlog-main/order.php WeBlog-main/order.php
Line 13 15
Object _GET mysqli_query

Code Snippet
File Name WeBlog-main/order.php
Method <?php
....
13. $plan_id = isset($_GET['plan_id']) ? (int)$_GET['plan_id'] : 0;
....
15. $plan_result = mysqli_query($conn, $plan_query);

Missing HSTS Header
Query Path:
PHP\Cx\PHP Medium Threat\Missing HSTS Header Version:1

Categories
OWASP ASVS: V14 Configuration
OWASP Top 10 2021: A7-Identification and Authentication Failures

Description
Missing HSTS Header\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=69
Status New
Detection Date 3/30/2025 3:29:35 PM

The web-application does not define an HSTS header, leaving it vulnerable to attack.
Source Destination
File WeBlog-main/actions/comment.php WeBlog-main/actions/comment.php
Line 1 1
Object $NS_comment_570111d0 $NS_comment_570111d0

Code Snippet
File Name WeBlog-main/actions/comment.php
Method <?php
....
1. <?php

Open Redirect
Query Path:
PHP\Cx\PHP Medium Threat\Open Redirect Version:1

Categories
OWASP Top 10 2013: A10-Unvalidated Redirects and Forwards
FISMA 2014: System And Information Integrity
NIST SP 800-53: SI-10 Information Input Validation (P1)
ASD STIG 4.10: APSC-DV-002560 - CAT I The application must not be subject to input handling
vulnerabilities.
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A1-Broken Access Control
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control

Description
Open Redirect\Path 1:
Severity Medium
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=115
Status New
Detection Date 3/30/2025 3:29:35 PM

The potentially tainted value provided by _POST in WeBlog-main/actions/comment.php at line 1 is used as a destination URL by header in WeBlog-main/actions/comment.php at line 1, potentially allowing attackers to perform an open redirection.
Source Destination
File WeBlog-main/actions/comment.php WeBlog-main/actions/comment.php
Line 13 27
Object _POST header

Code Snippet
File Name WeBlog-main/actions/comment.php
Method <?php
....
13. $post_id = $_POST['post_id'];
....
27. header("Location: " . BASE_URL . "/post.php?id=$post_id");

Improper Exception Handling
Query Path:
PHP\Cx\Php Low Visibility\Improper Exception Handling Version:1

Categories
NIST SP 800-53: SC-5 Denial of Service Protection (P1)
ASD STIG 4.10: APSC-DV-002570 - CAT II The application must generate error messages that
provide information necessary for corrective actions without revealing information that could be
exploited by adversaries.
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Error processing
OWASP ASVS: V14 Configuration
OWASP Top 10 2021: A4-Insecure Design
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.5 - Improper error handling

Description
Improper Exception Handling\Path 1:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=70
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 22 22
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
22. $status_result = mysqli_query($conn, $status_query);

Improper Exception Handling\Path 2:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=71
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 33 33
Object mysqli_prepare mysqli_prepare

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
33. $stmt = mysqli_prepare($conn, $insert_order);

Improper Exception Handling\Path 3:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=72
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 36 36
Object mysqli_stmt_bind_param mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
36. mysqli_stmt_bind_param($stmt, "iiis", $user_id, $plan_id, $status_id, $payment_method);

Improper Exception Handling\Path 4:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=73
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 37 37
Object mysqli_stmt_execute mysqli_stmt_execute

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
37. if (mysqli_stmt_execute($stmt)) {

Improper Exception Handling\Path 5:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=74
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 15 15
Object mysqli_prepare mysqli_prepare

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
15. $stmt = mysqli_prepare($conn, $query);

Improper Exception Handling\Path 6:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=75
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 18 18
Object mysqli_stmt_bind_param mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
18. mysqli_stmt_bind_param($stmt, "i", $order_id);

Improper Exception Handling\Path 7:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=76
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 19 19
Object mysqli_stmt_execute mysqli_stmt_execute

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
19. mysqli_stmt_execute($stmt);

Improper Exception Handling\Path 8:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=77
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 32 32
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
32. $status_result = mysqli_query($conn, $status_query);

Improper Exception Handling\Path 9:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=78
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 44 44
Object mysqli_prepare mysqli_prepare

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
44. $stmt = mysqli_prepare($conn, $update_order);

Improper Exception Handling\Path 10:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=79
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 47 47
Object mysqli_stmt_bind_param mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
47. mysqli_stmt_bind_param($stmt, "ii", $status_id, $order_id);

Improper Exception Handling\Path 11:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=80
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 48 48
Object mysqli_stmt_execute mysqli_stmt_execute

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
48. mysqli_stmt_execute($stmt);

Improper Exception Handling\Path 12:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=81
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 58 58
Object mysqli_prepare mysqli_prepare

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
58. $stmt = mysqli_prepare($conn, $insert_subscription);

Improper Exception Handling\Path 13:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=82
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 61 61
Object mysqli_stmt_bind_param mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
61. mysqli_stmt_bind_param($stmt, "ii", $user_id, $plan_id);

Improper Exception Handling\Path 14:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=83
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 62 62
Object mysqli_stmt_execute mysqli_stmt_execute

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
62. mysqli_stmt_execute($stmt);

Improper Exception Handling\Path 15:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=84
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 72 72
Object mysqli_prepare mysqli_prepare

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
72. $stmt = mysqli_prepare($conn, $update_role);

Improper Exception Handling\Path 16:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=85
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 75 75
Object mysqli_stmt_bind_param mysqli_stmt_bind_param

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
75. mysqli_stmt_bind_param($stmt, "i", $user_id);

Improper Exception Handling\Path 17:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=86
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 76 76
Object mysqli_stmt_execute mysqli_stmt_execute

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
76. mysqli_stmt_execute($stmt);

Improper Exception Handling\Path 18:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=87
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/orders.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/orders.php WeBlog-main/admin/orders.php
Line 22 22
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
22. $result = mysqli_query($conn, $query);

Improper Exception Handling\Path 19:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=88
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/posts.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/posts.php WeBlog-main/admin/posts.php
Line 11 11
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
11. $result = mysqli_query($conn, $query);

Improper Exception Handling\Path 20:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=89
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/subscriptions.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/subscriptions.php WeBlog-main/admin/subscriptions.php
Line 8 8
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
8. $result = mysqli_query($conn, "

Improper Exception Handling\Path 21:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=90
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/order.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/order.php WeBlog-main/order.php
Line 15 15
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/order.php
Method <?php
....
15. $plan_result = mysqli_query($conn, $plan_query);

Improper Exception Handling\Path 22:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=91
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 14 14
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
14. $plans_result = mysqli_query($conn, $plans_query);

Improper Exception Handling\Path 23:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=92
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 22 22
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
22. $subscription_result = mysqli_query($conn, $subscription_query);

Improper Exception Handling\Path 24:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=93
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 30 30
Object mysqli_query mysqli_query

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
30. $orders_result = mysqli_query($conn, $orders_query);

Improper Exception Handling\Path 25:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=94
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/index.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/index.php WeBlog-main/index.php
Line 23 23
Object execute execute

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
23. $stmt->execute();

Improper Exception Handling\Path 26:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=95
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/comment.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/comment.php WeBlog-main/actions/comment.php
Line 26 26
Object execute execute

Code Snippet
File Name WeBlog-main/actions/comment.php
Method <?php
....
26. if ($stmt->execute()) {

Improper Exception Handling\Path 27:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=96
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/send_message.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/send_message.php WeBlog-main/actions/send_message.php
Line 13 13
Object execute execute

Code Snippet
File Name WeBlog-main/actions/send_message.php
Method <?php
....
13. $stmt->execute();

Improper Exception Handling\Path 28:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&pathid=97
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/auth/register.php performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/auth/register.php WeBlog-main/auth/register.php
Line 14 14
Object execute execute

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
14. $stmt->execute();

Improper Exception Handling\Path 29:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=98
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/auth/login.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/auth/login.php WeBlog-main/auth/login.php
Line 18 18
Object execute execute

Code Snippet
File Name WeBlog-main/auth/login.php
Method <?php
....
18. $stmt->execute();

Improper Exception Handling\Path 30:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=99
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/index.php performs an operation that could be
expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/index.php WeBlog-main/index.php
Line 83 83
Object execute execute

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
83. $stmt->execute();

Improper Exception Handling\Path 31:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=101
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/author.php performs an operation that could be
expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 40 40
Object execute execute

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
40. $stmt->execute();

Improper Exception Handling\Path 32:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=103
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/index.php performs an operation that could be
expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/index.php WeBlog-main/index.php
Line 48 48
Object execute execute

Code Snippet
File Name WeBlog-main/index.php
Method <?php
....
48. $stmt->execute();

Improper Exception Handling\Path 33:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=106
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/send_message.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/send_message.php WeBlog-main/actions/send_message.php
Line 22 22
Object execute execute

Code Snippet
File Name WeBlog-main/actions/send_message.php
Method <?php
....
22. if ($stmt->execute()) {

Improper Exception Handling\Path 34:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=108
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/author.php performs an operation that could be
expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 12 12
Object execute execute

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
12. $stmt->execute();

Improper Exception Handling\Path 35:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=110
Status New
Detection Date 3/30/2025 3:29:35 PM

The method 'includes/header.php'; at line 1 of WeBlog-main/message.php performs an
operation that could be expected to throw an exception, and is not properly wrapped in a
try-catch block. This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/message.php WeBlog-main/message.php
Line 32 32
Object execute execute

Code Snippet
File Name WeBlog-main/message.php
Method <?php include 'includes/header.php';
....
32. $stmt->execute();

Improper Exception Handling\Path 36:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=112
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/users.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/users.php WeBlog-main/admin/users.php
Line 24 24
Object execute execute

Code Snippet
File Name WeBlog-main/admin/users.php
Method <?php
....
24. $stmt->execute();

Improper Exception Handling\Path 37:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=113
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_post.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_post.php WeBlog-main/actions/create_post.php
Line 55 55
Object execute execute

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
55. if ($stmt->execute()) {

Improper Exception Handling\Path 38:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=114
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/auth/register.php performs an operation that
could be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/auth/register.php WeBlog-main/auth/register.php
Line 28 28
Object execute execute

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
28. if ($stmt->execute()) {

Improper Exception Handling\Path 39:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=116
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_post.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_post.php WeBlog-main/actions/create_post.php
Line 25 25
Object execute execute

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
25. if (!$stmt->execute()) {

Improper Exception Handling\Path 40:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=117
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 24 24
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
24. if ($status_row = mysqli_fetch_assoc($status_result)) {

Improper Exception Handling\Path 41:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=118
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 34 34
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
34. if ($status_row = mysqli_fetch_assoc($status_result)) {

Improper Exception Handling\Path 42:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=120
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/orders.php performs an operation that
could be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/orders.php WeBlog-main/admin/orders.php
Line 48 48
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <?php
....
48. <?php while ($row = mysqli_fetch_assoc($result)) { ?>

Improper Exception Handling\Path 43:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=121
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/posts.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/posts.php WeBlog-main/admin/posts.php
Line 37 37
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <?php
....
37. <?php while ($row = mysqli_fetch_assoc($result)) { ?>

Improper Exception Handling\Path 44:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=122
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/admin/subscriptions.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/admin/subscriptions.php WeBlog-main/admin/subscriptions.php
Line 48 48
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <?php
....
48. <?php while ($row = mysqli_fetch_assoc($result)) { ?>

Improper Exception Handling\Path 45:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=124
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/order.php performs an operation that could be
expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/order.php WeBlog-main/order.php
Line 16 16
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/order.php
Method <?php
....
16. $plan = mysqli_fetch_assoc($plan_result);

Improper Exception Handling\Path 46:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=125
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 53 53
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
53. <?php while ($plan = mysqli_fetch_assoc($plans_result)): ?>

Improper Exception Handling\Path 47:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=127
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 78 78
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
78. <?php while ($subscription = mysqli_fetch_assoc($subscription_result)): ?>

Improper Exception Handling\Path 48:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=128
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/subscription.php performs an operation that could
be expected to throw an exception, and is not properly wrapped in a try-catch block. This
constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/subscription.php WeBlog-main/subscription.php
Line 107 107
Object mysqli_fetch_assoc mysqli_fetch_assoc

Code Snippet
File Name WeBlog-main/subscription.php
Method <?php
....
107. <?php while ($order = mysqli_fetch_assoc($orders_result)): ?>

Improper Exception Handling\Path 49:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=130
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/create_order.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 44 44
Object mysqli_stmt_close mysqli_stmt_close

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
44. mysqli_stmt_close($stmt);

Improper Exception Handling\Path 50:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=132
Status New
Detection Date 3/30/2025 3:29:35 PM

The method <?php at line 1 of WeBlog-main/actions/process_order.php performs an operation
that could be expected to throw an exception, and is not properly wrapped in a try-catch block.
This constitutes Improper Exception Handling.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 20 20
Object mysqli_stmt_bind_result mysqli_stmt_bind_result

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
20. mysqli_stmt_bind_result($stmt, $user_id, $plan_id);

Client Hardcoded Domain


Query Path:
JavaScript\Cx\JavaScript Low Visibility\Client Hardcoded Domain Version:1

Categories
NIST SP 800-53: SC-18 Mobile Code (P2)
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
OWASP Top 10 2021: A8-Software and Data Integrity Failures
SANS top 25: SANS top 25

Description
Client Hardcoded Domain\Path 1:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=100
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in
"https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" in
WeBlog-main/admin/index.php at line 101 is from a remote domain, which may allow attackers to
replace its contents with malicious code.
Source Destination
File WeBlog-main/admin/index.php WeBlog-main/admin/index.php
Line 101 101
Object "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"

Code Snippet
File Name WeBlog-main/admin/index.php
Method <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
....
101. <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>

Client Hardcoded Domain\Path 2:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=102
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in
"https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" in
WeBlog-main/admin/orders.php at line 80 is from a remote domain, which may allow attackers to
replace its contents with malicious code.
Source Destination
File WeBlog-main/admin/orders.php WeBlog-main/admin/orders.php
Line 80 80
Object "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"

Code Snippet
File Name WeBlog-main/admin/orders.php
Method <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
....
80. <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>

Client Hardcoded Domain\Path 3:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=104
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in
"https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" in
WeBlog-main/admin/posts.php at line 59 is from a remote domain, which may allow attackers to
replace its contents with malicious code.
Source Destination
File WeBlog-main/admin/posts.php WeBlog-main/admin/posts.php
Line 59 59
Object "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"

Code Snippet
File Name WeBlog-main/admin/posts.php
Method <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
....
59. <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>

Client Hardcoded Domain\Path 4:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=105
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in
"https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" in
WeBlog-main/admin/subscriptions.php at line 68 is from a remote domain, which may allow attackers to
replace its contents with malicious code.
Source Destination
File WeBlog-main/admin/subscriptions.php WeBlog-main/admin/subscriptions.php
Line 68 68
Object "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"

Code Snippet
File Name WeBlog-main/admin/subscriptions.php
Method <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
....
68. <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>

Client Hardcoded Domain\Path 5:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=107
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in
"https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" in
WeBlog-main/admin/users.php at line 72 is from a remote domain, which may allow attackers to
replace its contents with malicious code.
Source Destination
File WeBlog-main/admin/users.php WeBlog-main/admin/users.php
Line 72 72
Object "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js" "https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"

Code Snippet
File Name WeBlog-main/admin/users.php
Method <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
....
72. <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>

Client Hardcoded Domain\Path 6:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=109
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in "https://code.jquery.com/jquery-3.6.0.min.js" in
WeBlog-main/message.php at line 62 is from a remote domain, which may allow attackers to replace its
contents with malicious code.
Source Destination
File WeBlog-main/message.php WeBlog-main/message.php
Line 62 62
Object "https://code.jquery.com/jquery-3.6.0.min.js" "https://code.jquery.com/jquery-3.6.0.min.js"

Code Snippet
File Name WeBlog-main/message.php
Method <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
....
62. <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>

Client Hardcoded Domain\Path 7:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=111
Status New
Detection Date 3/30/2025 3:29:35 PM

The JavaScript file imported in "https://code.jquery.com/jquery-3.6.0.min.js" in
WeBlog-main/post.php at line 140 is from a remote domain, which may allow attackers to replace its
contents with malicious code.
Source Destination
File WeBlog-main/post.php WeBlog-main/post.php
Line 140 140
Object "https://code.jquery.com/jquery-3.6.0.min.js" "https://code.jquery.com/jquery-3.6.0.min.js"

Code Snippet
File Name WeBlog-main/post.php
Method <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
....
140. <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>

Possible Flow Control


Query Path:
PHP\Cx\Php Low Visibility\Possible Flow Control Version:1

Categories
PCI DSS v3.2.1: PCI DSS (3.2.1) - 6.5.8 - Improper access control

Description
Possible Flow Control\Path 1:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=119
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/actions/create_order.php. This
may be used by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/actions/create_order.php WeBlog-main/actions/create_order.php
Line 4 4
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/actions/create_order.php
Method <?php
....
4. if ($_SERVER["REQUEST_METHOD"] === "POST") {

Possible Flow Control\Path 2:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=123
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/actions/create_post.php. This may
be used by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/actions/create_post.php WeBlog-main/actions/create_post.php
Line 4 4
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/actions/create_post.php
Method <?php
....
4. if ($_SERVER["REQUEST_METHOD"] == "POST") {

Possible Flow Control\Path 3:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=126
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/actions/send_message.php. This
may be used by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/actions/send_message.php WeBlog-main/actions/send_message.php
Line 4 4
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/actions/send_message.php
Method <?php
....
4. if ($_SERVER['REQUEST_METHOD'] == 'POST') {

Possible Flow Control\Path 4:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=129
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/auth/login.php. This may be used
by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/auth/login.php WeBlog-main/auth/login.php
Line 7 7
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/auth/login.php
Method <?php
....
7. if ($_SERVER['REQUEST_METHOD'] == 'POST') {

Possible Flow Control\Path 5:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=131
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/auth/register.php. This may be
used by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/auth/register.php WeBlog-main/auth/register.php
Line 6 6
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/auth/register.php
Method <?php
....
6. if ($_SERVER['REQUEST_METHOD'] == 'POST') {

Possible Flow Control\Path 6:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=133
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/actions/process_order.php. This
may be used by an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/actions/process_order.php WeBlog-main/actions/process_order.php
Line 5 5
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/actions/process_order.php
Method <?php
....
5. if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST['accept_order'])) {

Possible Flow Control\Path 7:


Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=135
Status New
Detection Date 3/30/2025 3:29:36 PM

Possible flow control was found in line 1 in file WeBlog-main/author.php. This may be used by
an attacker to control the program's flow and cause unexpected behavior.
Source Destination
File WeBlog-main/author.php WeBlog-main/author.php
Line 29 29
Object _SERVER _SERVER

Code Snippet
File Name WeBlog-main/author.php
Method <?php
....
29. if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar']) && $userId === $authorId) {

Potential Clickjacking on Legacy Browsers


Query Path:
JavaScript\Cx\JavaScript Low Visibility\Potential Clickjacking on Legacy Browsers Version:1

Categories
ASD STIG 4.10: APSC-DV-002330 - CAT II The application must protect the confidentiality and
integrity of stored information when required by DoD policy or the information owner.
CWE top 25: CWE top 25
MOIS(KISA) Secure Coding 2021: MOIS(KISA) Verification and representation of input data
OWASP ASVS: V05 Validation, Sanitization and Encoding
SANS top 25: SANS top 25

Description
Potential Clickjacking on Legacy Browsers\Path 1:
Severity Low
Result State To Verify
Online Results http://VOSTRO/CxWebClient/ViewerMain.aspx?scanid=1000008&projectid=9&
pathid=140
Status New
Detection Date 3/30/2025 3:29:36 PM

The application does not protect the web page WeBlog-main/admin/index.php from clickjacking
attacks in legacy browsers, by using framebusting scripts.
Source Destination
File WeBlog-main/admin/index.php WeBlog-main/admin/index.php
Line 1 1
Object CxJSNS_31f60e1d CxJSNS_31f60e1d

Code Snippet
File Name WeBlog-main/admin/index.php
Method <?php
....
1. <?php

Client DOM Stored XSS


Risk
What might happen
A successful XSS exploit would allow an attacker to rewrite web pages and insert malicious scripts which
would alter the intended output. This could include HTML fragments, CSS styling rules, arbitrary
JavaScript, or references to third party code. An attacker could use this to steal users' passwords, collect
personal data such as credit card details, provide false information, or run malware. From the victim’s
point of view, this is performed by the genuine website, and the victim would blame the site for incurred
damage.
An additional risk with DOM XSS is that, unlike reflected or stored XSS, tainted values do not have to go
through the server. Since the server is not involved in sanitizing these inputs, server-side validation
is not likely to be aware that XSS attacks have been occurring, and any server-side security solutions,
such as a WAF, are likely to be ineffective in DOM XSS mitigation.


Cause
How does it happen
The application creates web pages that include untrusted data, whether from user input, the application’s
database, or from other external sources. The untrusted data is embedded directly in the page's HTML,
causing the browser to display it as part of the web page. If the input includes HTML fragments or
JavaScript, these are displayed too, and the user cannot tell that this is not the intended page. The
vulnerability is the result of directly embedding arbitrary data without first encoding it in a format that
would prevent the browser from treating it like HTML or code instead of plain text.
When a DOM XSS occurs, it is the client-side code itself that manipulates the local web-page's DOM,
extracting data from some client-based storage, introducing potentially malicious content.

General Recommendations
How to avoid it
- Fully encode all dynamic data, regardless of source, before embedding it in output.
- Encoding should be context-sensitive. For example:
  - HTML encoding for HTML content
  - HTML Attribute encoding for data output to attribute values
  - JavaScript encoding for server-generated JavaScript
- It is recommended to use the platform-provided encoding functionality, or known security libraries
  for encoding output.
- Implement a Content Security Policy (CSP) with explicit whitelists for the application's resources
  only.
- As an extra layer of protection, validate all untrusted data, regardless of source (note this is not a
  replacement for encoding). Validation should be based on a whitelist: accept only data fitting a
  specified structure, rather than reject bad patterns. Check for:
  - Data type
  - Size
  - Range
  - Format
  - Expected values
- In the Content-Type HTTP response header, explicitly define character encoding (charset) for the
  entire page.
- Set the HTTPOnly flag on the session cookie for "Defense in Depth", to prevent any successful XSS
  exploits from stealing the cookie.

Source Code Examples

JavaScript
Stored DOM XSS in img Attribute

var imgsrc = localStorage.getItem("imgsrc"); // untrusted value read from client-side storage
document.write('<img id="myImage" src=' + imgsrc + ' ></img>'); // If the local storage value "imgsrc" is set to "1 onerror=alert(1)", this will result in an alert prompt, demonstrating XSS

Use Javascript to Construct DOM Elements, Rather Than Manually Concatenating Values

var imgsrc = localStorage.getItem("imgsrc");
var someDiv = document.getElementById("someDiv"); // container element; assumed to exist in the page
var myImg = document.createElement("IMG");
myImg.src = imgsrc; // assigned as a property, so the value cannot break out into new attributes or tags
someDiv.append(myImg);

Stored DOM XSS When Using "eval()" to Parse JSON in Javascript

var val = localStorage.getItem("val");
var json = `[{"val": "${val}"}]`;
var obj = eval(json); // If the local storage value "val" is set to ","a":alert(1),"b":", this will result in an alert prompt, demonstrating XSS

Replacing "eval()" with "JSON.parse()" to Avoid XSS

var val = localStorage.getItem("val");
var json = `[{"val": "${val}"}]`;
var obj = JSON.parse(json); // JSON.parse() does not eval JS code; malformed input throws a SyntaxError instead of executing

DOM XSS in iFrame "src" Attribute

var iframeLocation = localStorage.get("iframeLocation");


document.getElementById("myFrame").src = iframeLocation; // If the local storage value
"iframeLocation" is set to "javascript:alert(1)" will result in an alert prompt,
demonstrating XSS. This is also vulnerable to open redirection.

Prepending iFrame "src" Attribute to Prevent Malicious URI Schemes

var iframeLocation = localStorage.get("iframeLocation");


document.getElementById("myFrame").src = "/example/"+iframeLocation; // Prepending
iframeLocation prevents changing the URI scheme to "javascript:", mitigating XSS
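Prepending a fixed path stops the scheme change, but a stored value can still point the frame at any path or, through a protocol-relative `//host/...` value, at another origin. The following added example (not from the report; `APP_ORIGIN`, the element id `myFrame` and the stand-in document are assumptions) parses the value with the browser's own `URL` class, accepts only http(s) URLs on the application's origin, and assigns the result as a property rather than building markup:

```javascript
// Added example (not from the report): resolve a stored value into a URL and
// accept it only if it is http(s) and stays on the application's own origin.
// APP_ORIGIN and the element ids are assumptions for the demonstration.
const APP_ORIGIN = "https://app.example";

// Returns the absolute URL string to assign, or null if the value must be rejected.
function safeSrc(untrusted, origin = APP_ORIGIN) {
  if (typeof untrusted !== "string" || untrusted.length === 0) return null;
  let url;
  try {
    // Relative values ("/example/page") resolve against our own origin;
    // absolute values keep whatever scheme and host they carry.
    url = new URL(untrusted, origin);
  } catch {
    return null; // not parseable as a URL at all
  }
  // "javascript:", "data:", "vbscript:" and friends are rejected here: only http/https survive.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Cross-origin frames/images are refused too; drop this line if remote media is intended.
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// Assign via the property, never by concatenating into HTML; a rejected value
// leaves the element untouched. `doc` is passed in so the function runs without a browser.
function setFrameSource(doc, elementId, stored) {
  const href = safeSrc(stored);
  if (href === null) return false;
  const el = doc.getElementById(elementId);
  if (!el) return false;
  el.src = href; // property assignment, no string-built markup
  return true;
}

// Constructed stand-in for a DOM so the example runs under Node.
function fakeDocument() {
  const frame = { src: "" };
  return { getElementById: (id) => (id === "myFrame" ? frame : null), frame };
}

// Usage, e.g. in the browser: setFrameSource(document, "myFrame", localStorage.getItem("iframeLocation"));
```

The same `safeSrc` check applies to the `img` examples above: a stored `src` that fails it is dropped instead of rendered, and a rejection is a useful signal to log.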


Reflected XSS All Clients
Risk
What might happen
A successful XSS exploit would allow an attacker to rewrite web pages and insert malicious scripts which
would alter the intended output. This could include HTML fragments, CSS styling rules, arbitrary
JavaScript, or references to third party code. An attacker could use this to steal users' passwords, collect
personal data such as credit card details, provide false information, or run malware. From the victim’s
point of view, this is performed by the genuine website, and the victim would blame the site for incurred
damage.
The attacker could use social engineering to cause the user to send the website modified input, which will
be returned in the requested web page.

Cause
How does it happen
The application creates web pages that include untrusted data, whether from user input, the application’s
database, or from other external sources. The untrusted data is embedded directly in the page's HTML,
causing the browser to display it as part of the web page. If the input includes HTML fragments or
JavaScript, these are displayed too, and the user cannot tell that this is not the intended page. The
vulnerability is the result of directly embedding arbitrary data without first encoding it in a format that
would prevent the browser from treating it like HTML or code instead of plain text.
Note that an attacker can exploit this vulnerability either by modifying the URL, or by submitting
malicious data in the user input or other request fields.

General Recommendations
How to avoid it
• Fully encode all dynamic data, regardless of source, before embedding it in output.
• Encoding should be context-sensitive. For example:
  o HTML encoding for HTML content
  o HTML Attribute encoding for data output to attribute values
  o JavaScript encoding for server-generated JavaScript
• It is recommended to use the platform-provided encoding functionality, or known security libraries for encoding output.
• Implement a Content Security Policy (CSP) with explicit whitelists for the application's resources only.
• As an extra layer of protection, validate all untrusted data, regardless of source (note this is not a replacement for encoding). Validation should be based on a whitelist: accept only data fitting a specified structure, rather than reject bad patterns. Check for:
  o Data type
  o Size
  o Range
  o Format
  o Expected values
• In the Content-Type HTTP response header, explicitly define character encoding (charset) for the entire page.
• Set the HttpOnly flag on the session cookie for "Defense in Depth", to prevent any successful XSS exploits from stealing the cookie.
• Consider that many native PHP methods for sanitizing values, such as htmlspecialchars and htmlentities, do not inherently encode values for JavaScript contexts and ignore certain enclosure characters such as apostrophe ('), quotes (") and backticks (`). Always consider the output context of inputs before choosing either of these functions as sanitizers.

Source Code Examples

PHP
Outputting Unsanitized Inputs into HTML Results in XSS

if (isset($_GET['name'])) {
    echo "<h1>Welcome, " . $_GET['name'] . "!</h1>";
}

Insecure Use of "htmlspecialchars" Without a Secure Flag

if (isset($_GET['name'])) {
    // The payload "name='; alert(1); //" will result in XSS, as "htmlspecialchars" does not
    // sanitize apostrophes
    echo "<script> var name = '" . htmlspecialchars($_GET['name']) . "';</script>\r\n";
}

Insecure Use of "htmlspecialchars" With "ENT_QUOTES" Flag

if (isset($_GET['name'])) {
    // The payload "name=`; alert(1); //" will result in XSS, as "htmlspecialchars", even in
    // this mode, does not sanitize backticks
    // ENT_QUOTES flag encodes "&<>'
    echo "<script> var name = `" . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') . "`;</script>";
}

Secure Use of "htmlspecialchars" With "ENT_QUOTES" Flag

if (isset($_GET['name'])) {
    // ENT_QUOTES flag sanitizes apostrophe
    echo "<script> var name = '" . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') . "';</script>";
}

Insecure Use of "htmlspecialchars" With "ENT_COMPAT" Flag

if (isset($_GET['name'])) {
    // ENT_COMPAT flag encodes "&<>
    // The payload "name='; alert(1); //" will result in XSS, as "htmlspecialchars", even in
    // this mode, does not sanitize apostrophe
    echo "<script> var name = '" . htmlspecialchars($_GET['name'], ENT_COMPAT, 'UTF-8') . "';</script>";
}

Secure Use of "htmlspecialchars" With "ENT_COMPAT" Flag

if (isset($_GET['name'])) {
    // ENT_COMPAT flag sanitizes quotation marks
    echo "<script> var name = \"" . htmlspecialchars($_GET['name'], ENT_COMPAT, 'UTF-8') . "\";</script>";
}


File Manipulation
Risk
What might happen
If an attacker can affect arbitrary files of their choice, they may overwrite or corrupt sensitive files,
potentially resulting in denial of service. If an attacker is also able to choose the content being written,
they may be able to inject code into arbitrary files, potentially resulting in malicious code execution.

Cause
How does it happen
A user provided input is used to determine which file is to be written into, potentially allowing them to
affect or manipulate arbitrary files' contents.

General Recommendations
How to avoid it
Consider using a static solution for the files to which writing is allowed, such as a list of verified writable files, or a different storage solution, such as a database. If dynamic file selection is absolutely required, limit the writing destination to a single folder by correctly sanitizing the user-provided input used as the filename, and set the destination folder programmatically. Consider supplementing this with a check for whether the file already exists, according to the business requirements of the application.

Source Code Examples

PHP
File Write Location Determined Solely By User Inputs, Potentially Leading to Remote Code Execution

if (isset($_GET['logname']) && isset($_GET['action'])) {
    $action = str_replace(array("\n", "\r"), '', $_GET['action']); // Remove line breaks
    // An attacker can provide a 'logname' that is under the webroot, creating a file that
    // would be served by the server
    $filename = $_GET['logname'];
    $file = fopen($filename, 'a');
    // An attacker can set $action to "<?php passthru($_GET['c']); ?>", resulting in a basic shell
    fwrite($file, $action . " was performed successfully." . PHP_EOL);
}

File Write Location Restricted by Code

if (isset($_GET['logname']) && isset($_GET['action'])) {
    $action = str_replace(array("\n", "\r"), '', $_GET['action']); // Remove line breaks
    // Can create arbitrary log files, but restricted to a particular folder on the system
    $filename = "/var/log/application/" . basename($_GET['logname']);
    $file = fopen($filename, 'a');
    fwrite($file, $action . " was performed successfully." . PHP_EOL);
}


Second Order SQL Injection
Risk
What might happen
An attacker could directly access all of the system's data. The attacker would be able to steal any
sensitive information stored by the system (such as personal user details or credit cards), and possibly
change or erase existing data.

Cause
How does it happen
The application communicates with its database by sending a textual SQL query. The application creates
the query by simply concatenating strings including data obtained from the database. Since that data
may have been previously obtained from user input, and is neither checked for data type validity nor
subsequently sanitized, the data could contain SQL commands that would be interpreted as such by the
database.

General Recommendations
How to avoid it
1. Validate all data, regardless of source. Validation should be based on a whitelist: accept only data
fitting a specified structure, rather than reject bad patterns. Check for:
o Data type
o Size
o Range
o Format
o Expected values
2. Instead of concatenating strings:
o Use secure database components such as stored procedures, parameterized queries, and
object bindings (for commands and parameters).
o An even better solution is to use an ORM library, such as EntityFramework, Hibernate, or
iBatis.
3. Restrict access to database objects and functionality, according to the Principle of Least Privilege.

Source Code Examples

C#
The application creates an SQL query using data obtained from a database

using System.Data;
using System.Data.SqlClient;

public class SecondOrderSQLInjection
{
    public void foo(SqlConnection connection, SqlDataAdapter DA)
    {
        DataSet DS = new DataSet();
        DA.Fill(DS, "UserName");
        // The value read back from the database is concatenated straight into the query text
        SqlCommand command = new SqlCommand("SELECT * FROM Customers " +
            "WHERE UserName = " + DS.Tables["UserName"].Rows[0]["UserName"].ToString(), connection);
        command.ExecuteNonQuery();
    }
}

The data obtained from the database is checked for potentially malicious characters

class SecondOrderSQLInjectionFixed
{
    public void foo(SqlConnection connection, SqlDataAdapter DA)
    {
        DataSet DS = new DataSet();
        DA.Fill(DS, "UserName");
        string userName = DS.Tables["UserName"].Rows[0]["UserName"].ToString().Replace("'", "");
        SqlCommand command = new SqlCommand("SELECT * FROM Customers " +
            "WHERE UserName = " + userName, connection);
        command.ExecuteNonQuery();
    }
}

Java
The application creates an SQL query using data obtained from a database

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

public class Second_Order_SQL_Injection {

    public static void sql(Connection con, String sqlStm) {
        try {
            Statement stmt = con.createStatement();
            ResultSet rs = stmt.executeQuery(sqlStm);
            rs.next();
            String userName = rs.getString("USER_NAME");
            // The value read back from the database is concatenated straight into the new query
            String newSqlStm = "Update USER set PASSWORD = '1234' where userName like " + userName;
            stmt.executeUpdate(newSqlStm);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The data obtained from the database is checked for potentially malicious characters

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

public class Second_Order_SQL_Injection_Fixed {

    public static void sql(Connection con, String sqlStm) {
        try {
            Statement stmt = con.createStatement();
            ResultSet rs = stmt.executeQuery(sqlStm);
            rs.next();
            String userName = rs.getString("USER_NAME");
            userName = userName.replaceAll("'", "");
            String newSqlStm = "Update USER set PASSWORD = '1234' where userName like " + userName;
            stmt.executeUpdate(newSqlStm);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
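The report's recommendations call for whitelist validation of the value and for parameterized queries rather than concatenation. The following added example (not from the report) applies both to a user name read back from the database; the `{ text, values }` statement shape is the placeholder style of common Node database drivers, and no database is connected, the function only builds the statement. The `stripQuotes` helper reproduces the quote-removal of the examples above purely to show what it leaves untouched when the value is concatenated without surrounding quotes, as in `like " + userName`:

```javascript
// Added example (not from the report): treat a value read back from the database
// with the same suspicion as fresh user input.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

// Whitelist validation (recommendation 1): return the value, or null if it does
// not fit the expected structure.
function validateUserName(fromDb) {
  return typeof fromDb === "string" && USERNAME_RE.test(fromDb) ? fromDb : null;
}

// Quote-stripping as in the "fixed" examples above, kept only to show what it
// leaves behind: a value concatenated without quotes needs no quote to alter the query.
function stripQuotes(s) {
  return s.replace(/'/g, "");
}

// Parameterized statement (recommendation 2): the user name travels as a bound
// value, never as part of the SQL text, so its characters cannot change the query.
function buildPasswordReset(userName, newPasswordHash) {
  const name = validateUserName(userName);
  if (name === null) throw new Error("user name failed validation");
  return {
    text: "UPDATE users SET password_hash = ? WHERE user_name = ?",
    values: [newPasswordHash, name],
  };
}
```

Rejecting the value outright, rather than cleaning it, also makes the event visible: a stored user name that fails the same validation the registration form enforces is worth an alert, because it means the data store was written through some other path.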


Stored XSS
Risk
What might happen
A successful XSS exploit would allow an attacker to rewrite web pages and insert malicious scripts which
would alter the intended output. This could include HTML fragments, CSS styling rules, arbitrary
JavaScript, or references to third party code. An attacker could use this to steal users' passwords, collect
personal data such as credit card details, provide false information, or run malware. From the victim’s
point of view, this is performed by the genuine website, and the victim would blame the site for incurred
damage.
An attacker could use legitimate access to the application to submit modified data to the application’s
data-store. This would then be used to construct the returned web page, triggering the attack.

Cause
How does it happen
The application creates web pages that include untrusted data, whether from user input, the application’s
database, or from other external sources. The untrusted data is embedded directly in the page's HTML,
causing the browser to display it as part of the web page. If the input includes HTML fragments or
JavaScript, these are displayed too, and the user cannot tell that this is not the intended page. The
vulnerability is the result of directly embedding arbitrary data without first encoding it in a format that
would prevent the browser from treating it like HTML or code instead of plain text.
In order to exploit this vulnerability, an attacker would load the malicious payload into the data-store,
typically via regular forms on other web pages. Afterwards, the application reads this data from the data-
store, and embeds it within the web page as displayed for another user.

General Recommendations
How to avoid it
• Fully encode all dynamic data, regardless of source, before embedding it in output.
• Encoding should be context-sensitive. For example:
  o HTML encoding for HTML content
  o HTML Attribute encoding for data output to attribute values
  o JavaScript encoding for server-generated JavaScript
• It is recommended to use the platform-provided encoding functionality, or known security libraries for encoding output.
• Implement a Content Security Policy (CSP) with explicit whitelists for the application's resources only.
• As an extra layer of protection, validate all untrusted data, regardless of source (note this is not a replacement for encoding). Validation should be based on a whitelist: accept only data fitting a specified structure, rather than reject bad patterns. Check for:
  o Data type
  o Size
  o Range
  o Format
  o Expected values
• In the Content-Type HTTP response header, explicitly define character encoding (charset) for the entire page.
• Set the HttpOnly flag on the session cookie for "Defense in Depth", to prevent any successful XSS exploits from stealing the cookie.
• Consider that many native PHP methods for sanitizing values, such as htmlspecialchars and htmlentities, do not inherently encode values for JavaScript contexts and ignore certain enclosure characters such as apostrophe ('), quotes (") and backticks (`). Always consider the output context of inputs before choosing either of these functions as sanitizers.

Source Code Examples

PHP
Outputting Unsanitized Database Values into HTML Results in XSS

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// If $address is set to "<script>alert(1)</script>", stored XSS will occur
echo "<div>" . $address . "</div>";

Insecure Use of "htmlspecialchars" Without a Secure Flag

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// If $address is set to "';alert(1);//", stored XSS will occur
echo "<script> var address = '" . htmlspecialchars($address) . "';</script>\r\n";

Insecure Use of "htmlspecialchars" With "ENT_QUOTES" Flag

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// If $address is set to "`;alert(1);//", even in this mode stored XSS will occur:
// ENT_QUOTES does not sanitize backticks
// ENT_QUOTES flag encodes "&<>'
echo "<script> var address = `" . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . "`;</script>\r\n";

Secure Use of "htmlspecialchars" With "ENT_QUOTES" Flag

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// ENT_QUOTES flag sanitizes apostrophe
echo "<script> var address = '" . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . "';</script>\r\n";

Insecure Use of "htmlspecialchars" With "ENT_COMPAT" Flag

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// If $address is set to "';alert(1);//", even in this mode stored XSS will occur:
// ENT_COMPAT does not sanitize apostrophes
// ENT_COMPAT flag encodes "&<>
echo "<script> var address = '" . htmlspecialchars($address, ENT_COMPAT, 'UTF-8') . "';</script>\r\n";

Secure Use of "htmlspecialchars" With "ENT_COMPAT" Flag

$pstmt = $con->prepare("SELECT name,address FROM users WHERE id = ?");
$pstmt->bind_param("i", $userID);
$pstmt->execute();
$pstmt->bind_result($name, $address);
$pstmt->fetch();
// ENT_COMPAT flag sanitizes quotation marks
echo "<script> var address = \"" . htmlspecialchars($address, ENT_COMPAT, 'UTF-8') . "\";</script>\r\n";


Inappropriate Encoding for Output Context
Risk
What might happen
Using an encoding function that does not fit the output context can lead to Cross-Site Scripting (XSS). This would enable an attacker to steal the user's password, request the user's credit card information, provide false information, or run malware. From the victim's point of view, this is the original website, and the victim would blame the site for incurred damage.

Cause
How does it happen
The application creates web pages that include data from previous user input. The user input is embedded directly in the page's HTML, causing the browser to display it as part of the web page. This input is HTML-encoded before being embedded.
However, the encoding function is called without the "ENT_QUOTES" and "ENT_HTML5" flags, so embedded apostrophes, backticks (`) and backslashes are not encoded. If the input is output in a context where apostrophes or backticks are significant, such as HTML attribute values or JavaScript, the encoding does not suffice and the unencoded characters are interpreted as part of that context. If two parameters are reflected in the same line of JavaScript, the first parameter can end with a backslash, escaping the closing quote of its string literal, and the following parameter can then carry an XSS payload. Thus, an attacker would be able to embed content in the page as if it were part of the original page source.

General Recommendations
How to avoid it
Generic Guidance:
• Validate all input, regardless of source. Validation should be based on a whitelist: accept only data fitting a specified structure, rather than reject bad patterns.
• Check for:
  o Data type
  o Size
  o Range
  o Format
  o Expected values
• Fully encode all dynamic data before embedding it in output.
• Encoding should be context-sensitive. For example:
  o HTML encoding for HTML content
  o HTML Attribute encoding for data output to attribute values
  o JavaScript encoding for server-generated JavaScript
• Prefer using functions built in to the language or platform.
• In the Content-Type HTTP response header, explicitly define character encoding (charset) for the entire page.
• Set the HttpOnly flag on the session cookie, to prevent XSS exploits from stealing the cookie.
Specific Recommendations:
• When calling htmlentities() or htmlspecialchars(), always set the $flags parameter to ENT_HTML5 | ENT_QUOTES
• Since PHP 8.1 the default configuration when calling htmlentities() or htmlspecialchars() already includes the ENT_QUOTES flag, thus sanitizing the missing dangerous characters.

Source Code Examples

PHP
Unencoded Quotes in Attribute Value (PHP < 8.1)


<?php

$item = htmlEntities($_GET['item']);

print "<input value='$item'>";

?>

When Setting a Flag That Does Not Sanitize All Of The Dangerous Characters The Code Is Still
Vulnerable (PHP >= 8.1)

<?php

$item = htmlEntities($_GET['item'], ENT_COMPAT);

print "<input value='$item'>";

?>

Quotes Encoded for Attributes (PHP < 8.1)

<?php

$item = htmlEntities($_GET['item'], ENT_HTML5 | ENT_QUOTES);

print "<input value='$item'>";

?>

Default Configuration Already Includes The ENT_QUOTES Flag (PHP >= 8.1)

<?php

$item = htmlEntities($_GET['item']);

print "<input value='$item'>";

?>
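The Reflected XSS, Stored XSS and Inappropriate Encoding sections above all turn on the same point: `htmlspecialchars()` encodes for an HTML text context, and whether a given flag set is "secure" depends entirely on which quoting context the output lands in. The following added example (not from the report, and not PHP's implementation) models the `ENT_COMPAT` and `ENT_QUOTES` behaviour in JavaScript, adds a proper JavaScript-string encoder, and provides a checker that decides whether an encoded value can close the enclosing attribute or string literal, including the trailing-backslash case the Cause section describes. Constant values and function names are assumptions made for the demonstration:

```javascript
// Added example (not from the report): a small model of htmlspecialchars()
// flag behaviour plus a JavaScript-string encoder, to show which output
// contexts each one actually protects.
const ENT_COMPAT = 2; // encode & < > "
const ENT_QUOTES = 3; // ENT_COMPAT plus the apostrophe

function htmlspecialchars(value, flags = ENT_QUOTES) {
  let out = String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
  if (flags === ENT_QUOTES) out = out.replace(/'/g, "&#039;");
  return out; // backtick and backslash are never touched, as in PHP's htmlspecialchars
}

// Encoder for data placed inside a JavaScript string literal: every character
// outside a small safe set becomes a \xHH or \uHHHH escape, so quotes, backticks,
// backslashes, "${" and "</script" can never appear literally in the output.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// True if the encoded value can terminate an attribute delimited by `quote`.
function breaksOutOfAttribute(encoded, quote) {
  return encoded.includes(quote);
}

// True if the encoded value can escape a JS string literal delimited by `quote`
// (' " or `) or end the whole <script> block. An unescaped quote breaks out; a
// trailing odd run of backslashes swallows the page's own closing quote, which
// is the two-parameter case described in the Cause section.
function breaksOutOfJsString(encoded, quote) {
  if (/<\/script/i.test(encoded)) return true;
  if (quote === "`" && encoded.includes("${")) return true;
  let backslashes = 0;
  for (const ch of encoded) {
    if (ch === "\\") { backslashes++; continue; }
    if (ch === quote && backslashes % 2 === 0) return true;
    backslashes = 0;
  }
  return backslashes % 2 === 1;
}
```

Running the report's own payloads through the checker reproduces its verdicts: `ENT_COMPAT` inside a single-quoted string breaks out, `ENT_QUOTES` does not, and neither flag helps inside a backtick-delimited literal, while `encodeForJsString` is safe in every one of those contexts. A single backslash survives `htmlspecialchars` with any flag and is reported as a breakout because it neutralises the closing quote.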


Path Traversal
Risk
What might happen
An attacker could define an arbitrary file path for the application to use, potentially leading to:
• Stealing sensitive files, such as configuration or system files
• Overwriting files such as program binaries, configuration files, or system files
• Deleting critical files, causing denial of service (DoS).
In addition to common path traversal issues, allowing attackers to provide absolute paths in PHP is often more severe, due to PHP protocol wrappers and how they work. Protocol wrappers allow various protocols to be acted on using the same functions (e.g. file_get_contents, file_exists) using various schemes (e.g. file://, phar://, http://). This will often lead to unexpected behavior, depending on implementation and PHP configuration. For example, if an attacker can control a value passed to a file path call they may be able to:
• Perform remote code execution (RCE) with phar:// deserialization attacks
• Perform server-side request forgery (SSRF) with http://
• Bypass filters with php://filter and data://

Cause
How does it happen
The application uses user input in the file path for accessing files on the application server’s local disk.

General Recommendations
How to avoid it
1. Ideally, avoid depending on dynamic data for file selection.
2. Validate all input, regardless of source. Validation should be based on a whitelist: accept only data
fitting a specified structure, rather than reject bad patterns. Check for:
o Data type
o Size
o Range
o Format
o Expected values
3. Accept dynamic data only for the filename, not for the path and folders.
4. Ensure that file path is fully canonicalized.
5. Explicitly limit the application to use a designated folder that is separate from the application's binary folder.
6. Restrict the privileges of the application’s OS user to necessary files and folders. The application
should not be able to write to the application binary folder, and should not read anything outside
of the application folder and data folder.

Source Code Examples

PHP
Absolute Path Traversal in "filename" Parameter

if (isset($_GET['filename'])) {
    $filename = $_GET['filename']; // any path on the system, including absolute paths, is accepted
    if (is_readable($filename)) {
        $fp = fopen($filename, 'rb');
        fpassthru($fp);
    } else {
        // return 404
    }
} else {
    // return 404
}

Relative Path Traversal in "filename" Parameter

if (isset($_GET['filename'])) {
    $filename = "public_files/" . $_GET['filename']; // "../" sequences still escape the folder
    if (is_readable($filename)) {
        $fp = fopen($filename, 'rb');
        fpassthru($fp);
    } else {
        // return 404
    }
} else {
    // return 404
}

Absolute Path Traversal in "filename" Parameter Leading to Possible SSRF

<?php
/**
 * Filename supplied as an HTTP GET request parameter
 */
if (isset($_GET["filename"])) {
    // Possible sink, as the user can supply a filename with "http://", causing SSRF
    $content = file_get_contents($_GET["filename"]);
    // display $content
}
?>

Path Traversal Mitigated by Utilizing Basename

if (isset($_GET['filename'])) {
    $filename = "public_files/" . basename($_GET['filename']); // only the final path component is kept
    if (is_readable($filename)) {
        $fp = fopen($filename, 'rb');
        fpassthru($fp);
    } else {
        // return 404
    }
} else {
    // return 404
}


Privacy Violation
Risk
What might happen
A user’s personal information could be stolen by a malicious programmer, or an attacker that intercepts
the data.

Cause
How does it happen
The application sends user information, such as passwords, account information, or credit card numbers,
outside the application, such as writing it to a local text or log file or sending it to an external web
service.

General Recommendations
How to avoid it
1. Personal data should be removed before writing to logs or other files.
2. Review the need and justification of sending personal data to remote web services.

Source Code Examples

C#
The user's password is written to the screen

class PrivacyViolation
{
    static void foo(string insert_sql)
    {
        string password = "unsafe_password";
        insert_sql = insert_sql.Replace("$password", password);
        System.Console.WriteLine(insert_sql); // the clear-text password is written out
    }
}

The user's password is MD5-hashed before being written to the screen

using System.Security.Cryptography;
using System.Text;

class PrivacyViolationFixed
{
    static void foo(string insert_sql)
    {
        string password = "unsafe_password";
        MD5 md5Hash = MD5.Create();
        byte[] data = md5Hash.ComputeHash(Encoding.UTF8.GetBytes(password));
        StringBuilder md5Password = new StringBuilder();
        for (int i = 0; i < data.Length; i++)
        {
            md5Password.Append(data[i].ToString("x2")); // hex-encode each digest byte
        }
        insert_sql = insert_sql.Replace("$password", md5Password.ToString());
        System.Console.WriteLine(insert_sql);
    }
}


CSharp
The user's password is written to the screen

class PrivacyViolation
{
    static void CreateUser(string username, string password)
    {
        AddUser(username, password);
        System.Console.WriteLine(password);
    }
}


Parameter Tampering
Risk
What might happen
A malicious user could access other users’ information. By requesting information directly, such as by an
account number, authorization may be bypassed and the attacker could steal confidential or restricted
information (for example, a bank account balance), using a direct object reference.

Cause
How does it happen
The application provides user information without filtering by user ID. For example, it may provide
information solely by a submitted account ID. The application concatenates the user input directly into
the SQL query string, without any additional filtering. The application also does not perform any
validation on the input, nor constrain it to a pre-computed list of acceptable values.

General Recommendations
How to avoid it
Generic Guidance:
• Enforce authorization checks before providing any access to sensitive data, including the specific object reference.
• Explicitly block access to any unauthorized data, especially to other users' data.
• If possible, avoid allowing the user to request arbitrary data by simply sending a record ID. For example, instead of having the user send an account ID, the application should look up the account ID for the current authenticated user session.
Specific Mitigation:
• Do not concatenate user input directly into SQL queries.
• Include a user-specific identifier as a filter in the WHERE clause of the SQL query.
• Map the user input to an indirect reference, e.g. via a prepared list of allowable values.

Source Code Examples

Java
Unfiltered Direct Object Reference

// conn is the enclosing class's database connection
public ResultSet getAccountInfo(HttpServletRequest req) throws SQLException {
    int accountId = Integer.parseInt(req.getParameter("accountId"));

    // Any account id the client chooses is queried, with no link to the logged-in user
    String sql = "select * from [Accounts] where [AccountId] = " + accountId;

    Statement stmt = conn.createStatement();
    ResultSet accountRS = stmt.executeQuery(sql);
    return accountRS;
}

Record References are Now Filtered and Indirect

// conn is the enclosing class's database connection; userAccountList holds the
// account ids belonging to the current user
public ResultSet getAccountInfo(HttpServletRequest req) throws SQLException {
    // The client submits an index into the current user's own account list, not an account id
    int accountIndex = Integer.parseInt(req.getParameter("accountIndex"));
    int realAccountId = userAccountList.get(accountIndex);

    int userId = (Integer) req.getSession().getAttribute("userId");

    // The query is additionally filtered by the authenticated user's id
    String sql = "select * from [Accounts] where [AccountId] = " + realAccountId
        + " and [UserId] = " + userId;

    Statement stmt = conn.createStatement();
    ResultSet accountRS = stmt.executeQuery(sql);
    return accountRS;
}


CSRF
Risk
What might happen
An attacker could cause the victim to perform any action for which the victim is authorized, such as
transferring funds from the victim’s account to the attacker’s. The action will be logged as being
performed by the victim, in the context of their account, and potentially without their knowledge that this
action has occurred.

Cause
How does it happen
The application performs some action that modifies database contents, based purely on HTTP request
content, and does not require per-request renewed authentication (such as transaction authentication or
a synchronizer token), instead relying solely on session authentication. This means that an attacker could
use social engineering to cause a victim to browse to a link which contains a transaction request to the
vulnerable application, submitting that request from the user's browser. Once the application receives the
request, it would trust the victim’s session, and would perform the action. This type of attack is known as
Cross-Site Request Forgery (CSRF).
A Cross-Site Request Forgery attack relies on the trust between a server and an authenticated client. By only validating the session, the server ensures that a request has emerged from the client's web browser. However, any website may submit GET and POST requests to other websites, and the browser will automatically add the session token if it is held in a cookie. Such a cross-site request is then trusted as arriving from the user's browser, but nothing validates that it was the user's intent to make this request.

General Recommendations
How to avoid it
Mitigating CSRF requires an additional layer of authentication that is built into the request validation
mechanism. This mechanism would attach an additional token that only applies to the given user; this
token would be available within the user's web-page, but will not be attached automatically to a request
from a different website (e.g. not stored in a cookie). Since the token is not automatically attached to the
request, and is not available to the attacker, and is required by the server to process the request, it
would be completely impossible for the attacker to fill in a valid cross-site form that contains this token.
Many platforms offer built-in CSRF mitigation functionality which should be used, and perform this type of
token management under the hood. Alternatively, use a known or trusted library which adds this
functionality.
If implementing CSRF protection is required, this protection should adhere to the following rules:
• Any state-altering form (Create, Update, Delete operations) should enforce CSRF protection, by adding a CSRF token to every state-altering form submission on the client.
• A CSRF token should be generated, and be unique per user per session (and, preferably, per request).
• The CSRF token should be inserted into the client-side form, and be submitted to the server as part of the form request. For example, it could be a hidden field in an HTML form, or a custom header added by a JavaScript request.
• The CSRF token in the request body or custom header must then be verified as belonging to the current user by the server, before a request is authorized and processed as valid.

Source Code Examples

C#
HttpRequest content is used in a database query without any validation of that content

public class XSRF

PAGE 129 OF 142


{
public void foo(SqliteConnection connection, HttpRequest Request)
{
string input = Request.QueryString["user"];
string sql = "insert into Comments(comment) values ('" + input + "');";
connection.Open();
MySqlCommand command = new MySqlCommand(sql, connection);
command.ExecuteNonQuery();
}
}

The HttpRequest content is validated using AntiXsrfTokenKey

public class XSRFFixed
{
    public void foo(MySqlConnection connection, AntiXsrf AntiXsrfTokenKey, HttpRequest Request)
    {
        // The request content is validated against the anti-forgery token first
        string input = AntiXsrfTokenKey.Validate(Request.QueryString["user"]);
        string sql = "insert into Comments(comment) values ('" + input + "');";
        connection.Open();
        MySqlCommand command = new MySqlCommand(sql, connection);
        command.ExecuteNonQuery();
    }
}

CSharp
The HttpRequest content is validated using AntiXsrfTokenKey

public class CSRFFixed
{
    public void foo(MySqlConnection connection, AntiXsrf AntiXsrfTokenKey, HttpRequest Request)
    {
        // The request content is validated against the anti-forgery token first
        string input = AntiXsrfTokenKey.Validate(Request.QueryString["user"]);
        string sql = "insert into Comments(comment) values (@user)";
        MySqlCommand cmd = new MySqlCommand(sql, connection);
        cmd.Parameters.AddWithValue("@user", input);
        connection.Open();
        cmd.ExecuteNonQuery();
    }
}

HttpRequest content is used in a database query without any validation of that content

public class CSRF
{
    public void foo(MySqlConnection connection, HttpRequest Request)
    {
        // The query-string value is used as-is: no anti-forgery token is checked
        string input = Request.QueryString["user"];
        string sql = "insert into Comments(comment) values (@user)";
        MySqlCommand cmd = new MySqlCommand(sql, connection);
        cmd.Parameters.AddWithValue("@user", input);
        connection.Open();
        cmd.ExecuteNonQuery();
    }
}

Missing HSTS Header
Risk
What might happen
Failure to set an HSTS header and provide it with a reasonable "max-age" value of at least one year may
leave users vulnerable to Man-in-the-Middle attacks.

Cause
How does it happen
Many users browse to websites by simply typing the domain name into the address bar, without the protocol prefix. The browser will automatically assume that the user's intended protocol is HTTP, instead of the encrypted HTTPS protocol.
When this initial request is made, an attacker can perform a Man-in-the-Middle attack and manipulate it to redirect users to a malicious website of the attacker's choosing. To protect the user from such an occurrence, the HTTP Strict Transport Security (HSTS) header instructs the user's browser to disallow use of an insecure HTTP connection to the domain associated with the HSTS header.
Once a browser that supports the HSTS feature has visited a website and the header was set, it will no longer allow communicating with the domain over an HTTP connection.
Once an HSTS header has been issued for a specific website, the browser is also instructed to prevent users from manually overriding and accepting an untrusted SSL certificate for as long as the "max-age" value still applies. The recommended "max-age" value is at least one year in seconds, or 31536000.

General Recommendations
How to avoid it
- Before setting the HSTS header, consider the implications it may have:
  - Forcing HTTPS will prevent any future use of HTTP, which could hinder some testing.
  - Disabling HSTS is not trivial: once it is disabled on the site, it must also be disabled in the browser.
- Set the HSTS header either explicitly within application code, or using web-server configuration.
- Ensure the "max-age" value for HSTS headers is set to 31536000 so that HSTS is strictly enforced for at least one year.
- Include the "includeSubDomains" directive to maximize HSTS coverage, and ensure HSTS is enforced on all sub-domains under the current domain.
  - Note that this may prevent browser access to any sub-domains that still use HTTP; however, use of plain HTTP is a severe risk and highly discouraged, even for websites that do not contain any sensitive information, as their contents can still be tampered with via Man-in-the-Middle attacks to phish users under the HTTP domain.
- Once HSTS has been enforced, submit the web application's address to an HSTS preload list. This ensures that, even if a client is accessing the web application for the first time (implying HSTS has not yet been set by the web application), a browser that respects the HSTS preload list would still treat the web application as if it had already issued an HSTS header. Note that this requires the server to have a trusted SSL certificate, and to issue an HSTS header with a max-age of one year (31536000).
- Note that this query is designed to return one result per application. This means that if more than one vulnerable response without an HSTS header is identified, only the first identified instance of this issue will be highlighted as a result. If a misconfigured instance of HSTS is identified (a short lifespan, or a missing "includeSubDomains" flag), that result will be flagged. Since HSTS must be enforced across the entire application to be considered a secure deployment, fixing this issue only where the query highlights it is likely to produce subsequent results in other sections of the application; therefore, when adding this header via code, ensure it is uniformly deployed across the entire application. If this header is added via configuration, ensure that the configuration applies to the entire application.
- Note that misconfigured HSTS headers that do not contain the recommended max-age value of at least one year or the "includeSubDomains" flag will still return a result for a missing HSTS header.
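Because a short max-age or a missing includeSubDomains flag is still reported as a missing header, it is worth checking the value the application actually emits. The following is an added example (Node.js; not code from the scan report or the scanned project) that parses a Strict-Transport-Security value and assesses it against the two recommendations above; the header-object shape in `applyHsts` is an assumption.

```javascript
// Added example: set and assess the Strict-Transport-Security header.
// Assumption: response headers are represented as a plain object.
const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=N; includeSubDomains; preload" into its directives.
// Directive names are case-insensitive; an unparseable max-age is null.
function parseHsts(headerValue) {
  const directives = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return directives;
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const [name, value] = part.split('=').map(s => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      // Only a non-negative integer is acceptable; "max-age=" or "max-age=abc" is not.
      directives.maxAge = /^\d+$/.test(value) ? Number(value) : null;
    } else if (lname === 'includesubdomains') {
      directives.includeSubDomains = true;
    } else if (lname === 'preload') {
      directives.preload = true;
    }
  }
  return directives;
}

// Returns the findings a reviewer would raise; an empty list means the header
// meets the guidance (max-age of at least one year and includeSubDomains).
function assessHsts(headerValue) {
  if (headerValue === undefined || headerValue === null) {
    return ['HSTS header missing'];
  }
  const findings = [];
  const d = parseHsts(headerValue);
  if (d.maxAge === null) {
    findings.push('max-age missing or not a valid integer');
  } else if (d.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`max-age ${d.maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  }
  if (!d.includeSubDomains) findings.push('includeSubDomains missing');
  return findings;
}

// The recommended value, usable from code or web-server configuration.
function recommendedHstsHeader() {
  return `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`;
}

// Apply the header to a response's header object (assumed plain-object shape).
function applyHsts(headers) {
  headers['Strict-Transport-Security'] = recommendedHstsHeader();
  return headers;
}
```

Run `assessHsts` over the header captured from each distinct response path: the report's query stops at the first missing instance, so a clean result on one page does not establish that the whole application is covered.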

Source Code Examples

PHP
Setting the HSTS Header via Code in PHP

header("Strict-Transport-Security: max-age=31536000; includeSubDomains");

Open Redirect
Risk
What might happen
An attacker could use social engineering to get a victim to click a link to the application, so that the user
will be immediately redirected to another site of the attacker's choice. An attacker can then craft a
destination website to fool the victim; for example - they may craft a phishing website with an identical
looking UI as the previous website's login page, and with a similar looking URL, convincing the user to
submit their access credentials in the attacker's website. Another example would be a phishing website
with an identical UI as that of a popular payment service, convincing the user to submit their payment
information.

Cause
How does it happen
The application redirects the user’s browser to a URL provided by a tainted input, without first ensuring
that URL leads to a trusted destination, and without warning users that they are being redirected outside
of the current site. An attacker could use social engineering to get a victim to click a link to the
application with a parameter defining another site to which the application will redirect the user’s
browser. Since the user may not be aware of the redirection, they may be under the misconception that
the website they are currently browsing can be trusted.

General Recommendations
How to avoid it
1. Ideally, do not allow arbitrary URLs for redirection. Instead, create a mapping from user-provided parameter values to legitimate URLs.
2. If it is necessary to allow arbitrary URLs:
  - For URLs inside the application site, first filter and encode the user-provided parameter, and then either:
    - Create a white-list of allowed URLs inside the application, or
    - Treat the user-provided value as a relative URL rather than an absolute one, by prefixing it with the application site domain; this ensures all redirection occurs inside the domain.
  - For URLs outside the application (if necessary), either:
    - White-list redirection to allowed external domains by first filtering URLs against trusted prefixes. Prefixes must be tested up to and including the third slash [/], i.e. scheme://my.trusted.domain.com/, to prevent evasion. For example, if the third slash [/] is not validated and scheme://my.trusted.domain.com is trusted, the URL scheme://my.trusted.domain.com.evildomain.com would pass this filter, but the domain actually being browsed is evildomain.com, not domain.com.
    - For fully dynamic open redirection, use an intermediate disclaimer page to give users a clear warning that they are leaving the site.
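The three validation strategies above (id-to-URL mapping, in-site relative URLs, and third-slash prefix matching) as an added example in Node.js; this is not code from the scan report or the scanned project. The `REDIRECT_TARGETS` map, the `https://my.trusted.domain.com/` prefix and the `https://app.example` site origin are constructed for the example. For the in-site case the example resolves the value against the site origin and checks the resulting origin, rather than plain string concatenation, so that a value beginning with `//` cannot escape the site.

```javascript
// Added example: redirect-target validation for the three strategies above.

// 1. Preferred: an opaque parameter selects from a fixed set of destinations.
// The map contents are constructed for the example.
const REDIRECT_TARGETS = {
  home: '/',
  account: '/account/settings',
  help: 'https://help.example.com/',
};

function getUrlById(targetUrlId) {
  if (Object.prototype.hasOwnProperty.call(REDIRECT_TARGETS, targetUrlId)) {
    return REDIRECT_TARGETS[targetUrlId];
  }
  return '/'; // Unknown id: fall back to a safe default, never to the raw input.
}

// 2a. In-site redirects: resolve the user value as a relative URL against the
// application origin and reject anything that lands on another origin.
function toSameSiteUrl(userPath, siteOrigin) {
  try {
    const resolved = new URL(userPath, siteOrigin);
    if (resolved.origin !== new URL(siteOrigin).origin) return null;
    return resolved.pathname + resolved.search + resolved.hash;
  } catch {
    return null; // Unparseable input is not a redirect target.
  }
}

// 2b. External redirects: trusted prefixes must include the third slash, so
// "https://my.trusted.domain.com.evildomain.com/" cannot match.
const TRUSTED_PREFIXES = ['https://my.trusted.domain.com/']; // constructed

function hasTrustedPrefix(url, prefixes) {
  if (typeof url !== 'string') return false;
  return prefixes.some(prefix => {
    if (!prefix.endsWith('/')) {
      throw new Error(`trusted prefix must end at the third slash: ${prefix}`);
    }
    // Scheme and host are case-insensitive; the prefix ends at the host, so
    // a case-insensitive comparison is safe here.
    return url.toLowerCase().startsWith(prefix.toLowerCase());
  });
}

// Decide the Location value for a redirect request, or null to refuse it.
function chooseRedirect(params, siteOrigin) {
  if (params.targetUrlId !== undefined) return getUrlById(params.targetUrlId);
  if (params.next !== undefined) return toSameSiteUrl(params.next, siteOrigin);
  if (params.external !== undefined) {
    return hasTrustedPrefix(params.external, TRUSTED_PREFIXES) ? params.external : null;
  }
  return null;
}
```

A `null` from `chooseRedirect` should result in a redirect to a fixed safe page or the disclaimer page the text describes, not in falling back to the untrusted value.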

Source Code Examples

C#
Avoid redirecting to arbitrary URLs, instead map the parameter to a list of static URLs.

Response.Redirect(getUrlById(targetUrlId));

Java
Avoid redirecting to arbitrary URLs, instead map the parameter to a list of static URLs.

response.sendRedirect(getUrlById(targetUrlId));

Apex
Open Redirection

String redirsite = ApexPages.currentPage().getParameters().get('redirlocation');
PageReference pageRef;
if (redirsite != null)
{
    pageRef = new PageReference(redirsite);
    pageRef.setRedirect(true);
    return pageRef;
}
pageRef = ApexPages.currentPage();
return pageRef;

Mitigating Open Redirection with Domain Name Prefix

String redirsite = ApexPages.currentPage().getParameters().get('redirlocation');
PageReference pageRef;
if (redirsite != null)
{
    pageRef = new PageReference('http://domain.com/page.jsp?' + redirsite);
    pageRef.setRedirect(true);
    return pageRef;
}
pageRef = ApexPages.currentPage();
return pageRef;

CSharp
Avoid redirecting to arbitrary URLs, instead map the parameter to a list of static URLs.

Response.Redirect(getUrlById(targetUrlId));

Improper Exception Handling
Risk
What might happen
An attacker could maliciously cause an exception that could crash the application, potentially resulting in
a denial of service (DoS) or unexpected behavior under certain erroneous conditions. Exceptions may
also occur without any malicious intervention, resulting in general instability.

Cause
How does it happen
The application performs some operation, such as database or file access, that could throw an exception.
Since the application is not designed to properly handle the exception, the application could crash.

General Recommendations
How to avoid it
Any method that could cause an exception should be wrapped in a try-catch block that:
- Explicitly handles expected exceptions
- Includes a default handler to explicitly handle unexpected exceptions

Source Code Examples

C#
Always catch exceptions explicitly.

try
{
// Database access or other potentially dangerous function
}
catch (SqlException ex)
{
// Handle exception
}
catch (Exception ex)
{
// Default handler for unexpected exceptions
}

CSharp
Always catch exceptions explicitly.

try
{
// Database access or other potentially dangerous function
}
catch (SqlException ex)
{
// Handle exception
}
catch (Exception ex)
{
// Default handler for unexpected exceptions
}

Java
Always catch exceptions explicitly.

try
{
// Database access or other potentially dangerous function
}
catch (SQLException ex)
{
// Handle exception
}
catch (Exception ex)
{
// Default handler for unexpected exceptions
}

Client Hardcoded Domain
Risk
What might happen
An externally imported JavaScript file may leave users vulnerable to attack: if the script's host is compromised, if communications with the host are intercepted, or if the host itself is not trustworthy, then the contents of the JavaScript file may be changed to include malicious code, which could result in a Cross-Site Scripting (XSS) attack.

Cause
How does it happen
JavaScript files can be imported dynamically from remote hosts when they are embedded into HTML. However, this reliance on a remote host for these scripts may diminish security, as the web application's users are only ever as secure as the remote host serving these JavaScript files.

General Recommendations
How to avoid it
Where possible, host all script files locally, rather than remotely. Ensure that locally hosted 3rd party
script files are constantly updated and maintained.

Source Code Examples

JavaScript
Remote Importation of A Script File

<script src="https://example.com/scripts/jquery.js"></script>

Local Importation of A Script File

<script src="/scripts/jquery.js"></script>

Possible Flow Control
Risk
What might happen
An attacker able to control the program's flow may influence the output of the program and produce unexpected results.

Cause
How does it happen
This will occur when variables from user input are used in control flow decisions.

General Recommendations
How to avoid it
User input should not be taken into consideration as part of program's control flow.

Source Code Examples

Java
User input affects the while loop

public boolean login(boolean user) {
    // The loop condition is taken directly from user input
    while (user) {
        // do something
    }
    return true;
}

User input does not affects the while loop

public boolean login(String user) {
    // The loop condition is derived from a server-side authorization check,
    // not taken directly from the input
    boolean isAdmin = isAuthorized(user);
    while (isAdmin) {
        // do something
    }
    return true;
}

Potential Clickjacking on Legacy Browsers
Risk
What might happen
Clickjacking attacks allow an attacker to "hijack" a user's mouse clicks on a webpage, by invisibly framing
the application, and superimposing it in front of a bogus site. When the user is convinced to click on the
bogus website, e.g. on a link or a button, the user's mouse is actually clicking on the target webpage,
despite being invisible.
This could allow the attacker to craft an overlay that, when clicked, would lead the user to perform
undesirable actions in the vulnerable application, e.g. enabling the user's webcam, deleting all the
user's records, changing the user's settings, or causing clickfraud.

Cause
How does it happen
The root cause of vulnerability to a clickjacking attack is that the application's web pages can be loaded into a frame of another website. The application does not implement a proper frame-busting script that would prevent the page from being loaded into another frame. Note that there are many types of simplistic redirection scripts that still leave the application vulnerable to clickjacking techniques, and these should not be used.
When dealing with modern browsers, applications mitigate this vulnerability by issuing appropriate Content-Security-Policy or X-Frame-Options headers to indicate to the browser to disallow framing. However, many legacy browsers do not support this feature, and require a more manual approach by implementing a mitigation in JavaScript. To ensure legacy support, a framebusting script is required.

General Recommendations
How to avoid it
Generic Guidance:
- Define and implement a Content Security Policy (CSP) on the server side, including a frame-ancestors directive. Enforce the CSP on all relevant webpages.
- If certain webpages are required to be loaded into a frame, define a specific, whitelisted target URL.
- Alternatively, return an "X-Frame-Options" header on all HTTP responses. If it is necessary to allow a particular webpage to be loaded into a frame, define a specific, whitelisted target URL.
- For legacy support, implement framebusting code using JavaScript and CSS to ensure that, if a page is framed, it is never displayed, and attempt to navigate the top-level window to the framed page to prevent the attack. Even if navigation fails, the page is not displayed and is therefore not interactive, mitigating potential clickjacking attacks.
Specific Recommendations:
- Implement a proper framebuster script on the client that is not vulnerable to frame-buster-busting attacks.
  - Code should first disable the UI, such that even if frame-busting is successfully evaded, the UI cannot be clicked. This can be done by setting the CSS "display" property to "none" on either the "body" or "html" element. This is done because, if a framed page attempts to redirect and become the top-level page, the malicious parent can still prevent the redirection via various techniques.
  - Code should then determine whether the page is unframed by comparing self === top; only if the result is true should the UI be enabled. If it is false, attempt to navigate away from the framing page by setting top.location to self.location.
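The JavaScript examples below cover the client-side framebuster; the server-side half of the guidance (a CSP frame-ancestors directive and an X-Frame-Options header) has no code on the page. The following is an added example (Node.js; not code from the scan report or the scanned project) that builds the anti-framing headers for the deny, same-origin and whitelisted-origin cases, and checks a captured set of response headers for either mechanism. The `https://partner.example` origin is constructed for the example.

```javascript
// Added example: anti-framing response headers and a check over a response.
// Assumption: headers are plain objects; names are compared case-insensitively.

// Build the headers for a given set of allowed frame ancestors (CSP syntax:
// "'self'" or origins such as https://partner.example). An empty list means
// the page may not be framed anywhere.
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'content-security-policy': "frame-ancestors 'none'",
      'x-frame-options': 'DENY',
    };
  }
  const headers = {
    'content-security-policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
  };
  // X-Frame-Options can express DENY or SAMEORIGIN only; a third-party
  // whitelist is carried by the CSP frame-ancestors directive alone.
  const onlySelf = allowedAncestors.length === 1 && allowedAncestors[0] === "'self'";
  if (onlySelf) headers['x-frame-options'] = 'SAMEORIGIN';
  return headers;
}

// Extract the frame-ancestors directive from a CSP header value, or null.
function frameAncestorsDirective(cspValue) {
  if (typeof cspValue !== 'string') return null;
  const directive = cspValue
    .split(';')
    .map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  return directive || null;
}

// Report whether a response restricts framing by either mechanism, and which
// of the two recommended headers is absent or ineffective.
function assessFramingProtection(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lower[name.toLowerCase()] = String(value);
  }
  const findings = [];
  const ancestors = frameAncestorsDirective(lower['content-security-policy']);
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  const xfoEffective = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  if (!ancestors) findings.push('CSP frame-ancestors directive missing');
  if (!xfoEffective) findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  return { restricted: Boolean(ancestors) || xfoEffective, findings };
}
```

Legacy browsers that honour neither header are exactly the case the framebuster examples below address, so both layers are needed; the check reports the X-Frame-Options gap even when a CSP whitelist makes modern browsers safe.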

Source Code Examples

JavaScript
Clickjackable Webpage

<html>
<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Bustable Framebuster

<html>
<head>
<script>
if ( window.self.location != window.top.location ) {
window.top.location = window.self.location;
}
</script>
</head>

<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Proper Framebusterbusterbusting

<html>
<head>
<style> html {display : none; } </style>
<script>
if ( self === top ) {
document.documentElement.style.display = 'block';
}
else {
top.location = self.location;
}
</script>
</head>

<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Scanned Languages
Language     Hash Number        Change Date
JavaScript   5769995998009338   3/21/2025
PHP          8095286707926652   3/21/2025
PLSQL        4873116881329330   3/21/2025
Common       0431464171237111   3/21/2025
