diff --git a/Makefile b/Makefile index 25be194..6410bda 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,7 @@ interactive-w3af: -e HTTPS_PROXY=$(HTTPS_PROXY) \ -e http_proxy=$(http_proxy) \ -e https_proxy=$(https_proxy) \ + -v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \ jenkins-w3af:latest \ /bin/sh diff --git a/reports/report.html b/reports/report.html new file mode 100644 index 0000000..0a10086 --- /dev/null +++ b/reports/report.html @@ -0,0 +1,606 @@ + + +
+ + + +Application Security Scan for quid-dev-sync.cadol.es
+ +This report contains the application security scan results + for the w3af scan of the quid-dev-sync.cadol.es which finished + 15.04.2019
+The server header for the remote web server is: "nginx/1.10.3 (Ubuntu)". This information was found in the request with id 28.
+ +GET https://quid-dev-sync.cadol.es/login HTTP/1.1 +Accept-encoding: gzip, deflate +Accept: */* +User-agent: w3af.org +Host: quid-dev-sync.cadol.es +Cookie: quid_sync=MTU1NTM1MjM5Nnwxa2ZEUDdUdmd4YnNSMFJsRkJ6d0FjTTlLdFVaTm5SeU5IQzFvUVNuWnh1RWs2bllEc25QTzE5dWNDQWVfN3pvVFgwSWl1NHV1a2NUN0lkcnZ0T2FERVcxZE9EYmtseHJ3Q2VEaUJyX3pScmdfb1hZdE4ybWF2cTBYVklva2w5QlZQdz18TXiAblvgNn75j8ki3zz4no_1jtW6rjREpPmO9H5-uzE= +Authorization: Basic ZWZzOnF1aWRkZXYyMDE5+
HTTP/1.1 200 OK +content-length: 585 +content-encoding: gzip +set-cookie: quid_sync=MTU1NTM1MjM5NnxNbjJLSVRVcUtLd3FUMnN1OUQwazFkc3RyT3FPX1Izbks4MHp3ZG9oWmRscWJBOUpzallNSnl4ZDJfVlROZXQwWFpmSXBQbU9OcjZROC15VkVPVVRPNFlyM3ZRdlFrRDRBRjJjVVMyTFlDWlhHQ2k1Q3ZULTRKMlM0akUyR3BnNUNPRT18YKydkxi11UB8j6ONxtW3h3lddmW2WBIdDi22lslK7lc=; Path=/; Expires=Wed, 15 May 2019 18:19:56 GMT; Max-Age=2592000 +server: nginx/1.10.3 (Ubuntu) +connection: keep-alive +date: Mon, 15 Apr 2019 18:19:56 GMT +x-frame-options: SAMEORIGIN, SAMEORIGIN +content-type: text/html; charset=utf-8 + + + + + +<!DOCTYPE html> +<html lang="fr"> + <head> + + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + + <title>Authentification - Quid</title> + + <link rel="stylesheet" href="/css/sync-app.css"> + + </head> + <body> + + +<section class="hero is-fullheight login"> + <div class="hero-body"> + <div class="container"> + <div class="column is-4 is-offset-4"> + + <div class="flash has-margin-top-small"></div> + + <div class="has-text-centered has-margin-top-small"> + <div class="box"> + <figure class="avatar"> + <img src="/img/logo-efs.svg" width="128" height="128"> + </figure> + <form method="POST"> + <div class="field"> + <div class="control"> + <input class="input is-normal" + name="email" type="email" + placeholder="Votre adresse courriel" autofocus=""> + </div> + </div> + <div class="field"> + <div class="control"> + <input class="input is-normal" + name="password" type="password" + placeholder="Votre mot de passe"> + </div> + </div> + <button class="button is-block is-info is-normal is-fullwidth">S'identifier</button> + </form> + </div> + </div> + </div> + </div> + </div> +</section> + + + + </body> +</html>+
The URL "https://quid-dev-sync.cadol.es/" has the following enabled HTTP methods: *, GET. This information was found in the requests with ids 27, 174 and 179.
+ +There are a number of HTTP methods that can be used on a webserver
+(OPTIONS
, HEAD
, GET
, POST
, PUT
, DELETE
etc.). Each of
+these methods perform a different function and each have an associated
+level of risk when their use is permitted on the webserver.
A client
+can use the OPTIONS
method within a request to query a server to
+determine which methods are allowed.
Cyber-criminals will almost +always perform this simple test as it will give a very quick +indication of any high-risk methods being permitted by the server. +The tool discovered that several methods are supported by the server.
+It is recommended that a whitelisting approach be taken to explicitly +permit the HTTP methods required by the application and block all +others.
+Typically the only HTTP methods required for most
+applications are GET
and POST
. All other methods perform actions
+that are rarely required or perform actions that are inherently risky.
+These risky methods (such as PUT
, DELETE
, etc) should be protected
+by strict limitations, such as ensuring that the channel is secure
+(SSL/TLS enabled) and only authorised and trusted clients are
+permitted to use them.
OPTIONS https://quid-dev-sync.cadol.es/ HTTP/1.1 +Accept-encoding: gzip, deflate +Accept: */* +User-agent: w3af.org +Host: quid-dev-sync.cadol.es +Cookie: quid_sync=MTU1NTM1MjM5Nnwxa2ZEUDdUdmd4YnNSMFJsRkJ6d0FjTTlLdFVaTm5SeU5IQzFvUVNuWnh1RWs2bllEc25QTzE5dWNDQWVfN3pvVFgwSWl1NHV1a2NUN0lkcnZ0T2FERVcxZE9EYmtseHJ3Q2VEaUJyX3pScmdfb1hZdE4ybWF2cTBYVklva2w5QlZQdz18TXiAblvgNn75j8ki3zz4no_1jtW6rjREpPmO9H5-uzE= +Authorization: Basic ZWZzOnF1aWRkZXYyMDE5+
HTTP/1.1 405 Method Not Allowed +date: Mon, 15 Apr 2019 18:19:56 GMT +content-length: 0 +connection: keep-alive +server: nginx/1.10.3 (Ubuntu)+
GET https://quid-dev-sync.cadol.es/ HTTP/1.1 +Accept-encoding: gzip, deflate +Accept: */* +User-agent: w3af.org +Host: quid-dev-sync.cadol.es +Cookie: quid_sync=MTU1NTM1MjQwMnx0OW0zb2t1a3F0M1hOSFI0S3V2TFhhRG9wZ1RxMWZaUzlmdTZzSGMyTzV1aXVEZ0Jwakt1Z3FBSVdmSnh6Mkt6XzRfTmdzLTlPTzRlZ056eW9ncTlCRElDTndBaGpmV3kyQW9LQlFzVnN1XzMyWDdMei1BVkJQcFo0cUJpTDV1eWowRT18EoBy_faVfRRNOYwAG3u6kGEw2hAnDTWn_6SsTFVd_-E= +Authorization: Basic ZWZzOnF1aWRkZXYyMDE5+
HTTP/1.1 303 See Other +content-length: 68 +content-encoding: gzip +server: nginx/1.10.3 (Ubuntu) +connection: keep-alive +location: /surveys/overview +date: Mon, 15 Apr 2019 18:20:02 GMT +x-frame-options: SAMEORIGIN, SAMEORIGIN +content-type: text/html; charset=utf-8 + +<a href="/surveys/overview">See Other</a>.+
* https://quid-dev-sync.cadol.es/ HTTP/1.1 +Accept-encoding: gzip, deflate +Accept: */* +User-agent: w3af.org +Host: quid-dev-sync.cadol.es +Cookie: quid_sync=MTU1NTM1MjQwMXwyWjloNmtlcVA2WHFTU1VpNVhEY0xOOGJMYnA5U2dpakFrVzlYNnI2ekY0WmVPVEx1ZlJLdGlMVlhrb21sUHpJUFMxa1p6RkpXbFVIWkVGQWdZc1VMS3Z0MDVYMFZDb3M2Y3pzZ3pXbkRnODlMTXZ1dzFLRTM5MWhxdE84NElvUzloeFAwR080dWwxa0lieExZWjJSaHREQWpwNEdzek1mVkJQOEFQLXZiUjZkS3dFVS1rUTNQVHJXVVJ0MUxkX1hVT0p4MGFMNzBWTDBFSDlnd01YSlpoN0dhSzNHUTRXaDBjal9fOUdESTdBWjNSQVRYbmpBdEs0LV9OZlBBaEFQQl9fT2tVWC0yVW55SW12R1hvSWI5NENqNzh3Wm92UnhORUJCMEZZYjBjSldIU0tjY1pHdUh6c3daUTIxX0xJcFNFWjBtTTI3NWNzNjRmVERLSWUzQXQ5ay13SS1VWWhPXzVEUWZ2dEhJbjZJZkRNanRpQjhTeGpQNDJiSUstdy1DU1UxQ25wc2xxZGFLVUY4dElOQU9vWmRQdXUwZlkxUlp2cTBmYUhHWkE3am9oYjVJbGZ4U0k5M3BpY0hoOHlZOWVOd1F4eTVQNDRQX3lSbC1ETkZDdktidDdiVjA1ak9xTG9BZVhTSEZIQkEySVhUTFJhRy1zMHMtR09JZndXdUFfMmJiUjJ2RnlVcm1ZWlMtcUFmN1ZJPXw4gdJc3OeP2rbnQuqmjJmH_UqN_hmOjAyXwl4vWXmTUw== +Authorization: Basic ZWZzOnF1aWRkZXYyMDE5+
HTTP/1.1 400 Bad Request +date: Mon, 15 Apr 2019 18:20:02 GMT +content-length: 182 +content-type: text/html +connection: close +server: nginx/1.10.3 (Ubuntu) + +<html> +<head><title>400 Bad Request</title></head> +<body bgcolor="white"> +<center><h1>400 Bad Request</h1></center> +<hr><center>nginx/1.10.3 (Ubuntu)</center> +</body> +</html>+
The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 912.
+ +None+
None+
URLs found during application scan
+ +Scan log
+ +Timestamp | +Log level | +Message | +
---|---|---|
Mon Apr 15 18:19:55 2019 | +error | +Can't login into web application as admin@quid.local | +
Mon Apr 15 18:19:57 2019 | +error | +audit.rfi plugin needs to be correctly configured to use. Please set valid values for local address (eg. 10.5.2.5) and port (eg. 44449), or use the official w3af site as the target server for remote inclusions. The configuration error is: "Listen address and port need to be configured" | +
Mon Apr 15 18:20:39 2019 | +error | +The server_header plugin got an error while requesting "https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/0". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:912) | +