Application Security Scan for quid-dev-sync.cadol.es

Meta-data

This report contains the application security scan results for the w3af scan of quid-dev-sync.cadol.es, which finished on 15.04.2019.

Configured target URLs

  • https://quid-dev-sync.cadol.es/login

Enabled plugins

  • audit
    • file_upload
    • os_commanding
    • lfi
    • blind_sqli
    • sqli
    • dav
    • eval
    • rfi
  • infrastructure
    • allowed_methods
    • server_header
  • grep
  • evasion
  • crawl
    • web_spider
  • auth
    • detailed
  • bruteforce
  • output
    • html_file
    • console
  • mangle

Server header

INFO

Summary

The server header for the remote web server is: "nginx/1.10.3 (Ubuntu)". This information was found in the request with id 28.

HTTP proof

GET https://quid-dev-sync.cadol.es/login HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=MTU1NTM1MjM5Nnwxa2ZEUDdUdmd4YnNSMFJsRkJ6d0FjTTlLdFVaTm5SeU5IQzFvUVNuWnh1RWs2bllEc25QTzE5dWNDQWVfN3pvVFgwSWl1NHV1a2NUN0lkcnZ0T2FERVcxZE9EYmtseHJ3Q2VEaUJyX3pScmdfb1hZdE4ybWF2cTBYVklva2w5QlZQdz18TXiAblvgNn75j8ki3zz4no_1jtW6rjREpPmO9H5-uzE=
Authorization: Basic ZWZzOnF1aWRkZXYyMDE5
HTTP/1.1 200 OK
content-length: 585
content-encoding: gzip
set-cookie: quid_sync=MTU1NTM1MjM5NnxNbjJLSVRVcUtLd3FUMnN1OUQwazFkc3RyT3FPX1Izbks4MHp3ZG9oWmRscWJBOUpzallNSnl4ZDJfVlROZXQwWFpmSXBQbU9OcjZROC15VkVPVVRPNFlyM3ZRdlFrRDRBRjJjVVMyTFlDWlhHQ2k1Q3ZULTRKMlM0akUyR3BnNUNPRT18YKydkxi11UB8j6ONxtW3h3lddmW2WBIdDi22lslK7lc=; Path=/; Expires=Wed, 15 May 2019 18:19:56 GMT; Max-Age=2592000
server: nginx/1.10.3 (Ubuntu)
connection: keep-alive
date: Mon, 15 Apr 2019 18:19:56 GMT
x-frame-options: SAMEORIGIN, SAMEORIGIN
content-type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="fr">
  <head>
    
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    
    <title>Authentification - Quid</title>
    
  <link rel="stylesheet" href="/css/sync-app.css">

  </head>
  <body>
    
  
<section class="hero is-fullheight login">
  <div class="hero-body">
    <div class="container">
      <div class="column is-4 is-offset-4">
        
  <div class="flash has-margin-top-small"></div>

        <div class="has-text-centered has-margin-top-small">
          <div class="box">
            <figure class="avatar">
              <img src="/img/logo-efs.svg" width="128" height="128">
            </figure>
            <form method="POST">
              <div class="field">
                <div class="control">
                  <input class="input is-normal"
                    name="email" type="email" 
                    placeholder="Votre adresse courriel" autofocus="">
                </div>
              </div>
              <div class="field">
              <div class="control">
                <input class="input is-normal" 
                  name="password" type="password" 
                  placeholder="Votre mot de passe">
              </div>
              </div>
              <button class="button is-block is-info is-normal is-fullwidth">S'identifier</button>
            </form>
          </div>
        </div>
      </div>
    </div>
  </div>
</section>


    
  </body>
</html>

Allowed HTTP methods

INFO

Summary

The URL "https://quid-dev-sync.cadol.es/" has the following enabled HTTP methods: *, GET. This information was found in the requests with ids 27, 174 and 179.


Description

There are a number of HTTP methods that can be used on a web server (OPTIONS, HEAD, GET, POST, PUT, DELETE, etc.). Each of these methods performs a different function and each has an associated level of risk when its use is permitted on the web server.

A client can use the OPTIONS method within a request to query a server to determine which methods are allowed.

Cyber-criminals will almost always perform this simple test, as it gives a very quick indication of any high-risk methods being permitted by the server. The tool discovered that several methods are supported by the server.

Fix

It is recommended that a whitelisting approach be taken to explicitly permit the HTTP methods required by the application and block all others.

Typically the only HTTP methods required for most applications are GET and POST. All other methods are rarely required or perform actions that are inherently risky. These risky methods (such as PUT, DELETE, etc.) should be protected by strict limitations, such as ensuring that the channel is secure (SSL/TLS enabled) and that only authorised and trusted clients are permitted to use them.

HTTP proof

OPTIONS https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=MTU1NTM1MjM5Nnwxa2ZEUDdUdmd4YnNSMFJsRkJ6d0FjTTlLdFVaTm5SeU5IQzFvUVNuWnh1RWs2bllEc25QTzE5dWNDQWVfN3pvVFgwSWl1NHV1a2NUN0lkcnZ0T2FERVcxZE9EYmtseHJ3Q2VEaUJyX3pScmdfb1hZdE4ybWF2cTBYVklva2w5QlZQdz18TXiAblvgNn75j8ki3zz4no_1jtW6rjREpPmO9H5-uzE=
Authorization: Basic ZWZzOnF1aWRkZXYyMDE5
HTTP/1.1 405 Method Not Allowed
date: Mon, 15 Apr 2019 18:19:56 GMT
content-length: 0
connection: keep-alive
server: nginx/1.10.3 (Ubuntu)
GET https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=MTU1NTM1MjQwMnx0OW0zb2t1a3F0M1hOSFI0S3V2TFhhRG9wZ1RxMWZaUzlmdTZzSGMyTzV1aXVEZ0Jwakt1Z3FBSVdmSnh6Mkt6XzRfTmdzLTlPTzRlZ056eW9ncTlCRElDTndBaGpmV3kyQW9LQlFzVnN1XzMyWDdMei1BVkJQcFo0cUJpTDV1eWowRT18EoBy_faVfRRNOYwAG3u6kGEw2hAnDTWn_6SsTFVd_-E=
Authorization: Basic ZWZzOnF1aWRkZXYyMDE5
HTTP/1.1 303 See Other
content-length: 68
content-encoding: gzip
server: nginx/1.10.3 (Ubuntu)
connection: keep-alive
location: /surveys/overview
date: Mon, 15 Apr 2019 18:20:02 GMT
x-frame-options: SAMEORIGIN, SAMEORIGIN
content-type: text/html; charset=utf-8

<a href="/surveys/overview">See Other</a>.
* https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=MTU1NTM1MjQwMXwyWjloNmtlcVA2WHFTU1VpNVhEY0xOOGJMYnA5U2dpakFrVzlYNnI2ekY0WmVPVEx1ZlJLdGlMVlhrb21sUHpJUFMxa1p6RkpXbFVIWkVGQWdZc1VMS3Z0MDVYMFZDb3M2Y3pzZ3pXbkRnODlMTXZ1dzFLRTM5MWhxdE84NElvUzloeFAwR080dWwxa0lieExZWjJSaHREQWpwNEdzek1mVkJQOEFQLXZiUjZkS3dFVS1rUTNQVHJXVVJ0MUxkX1hVT0p4MGFMNzBWTDBFSDlnd01YSlpoN0dhSzNHUTRXaDBjal9fOUdESTdBWjNSQVRYbmpBdEs0LV9OZlBBaEFQQl9fT2tVWC0yVW55SW12R1hvSWI5NENqNzh3Wm92UnhORUJCMEZZYjBjSldIU0tjY1pHdUh6c3daUTIxX0xJcFNFWjBtTTI3NWNzNjRmVERLSWUzQXQ5ay13SS1VWWhPXzVEUWZ2dEhJbjZJZkRNanRpQjhTeGpQNDJiSUstdy1DU1UxQ25wc2xxZGFLVUY4dElOQU9vWmRQdXUwZlkxUlp2cTBmYUhHWkE3am9oYjVJbGZ4U0k5M3BpY0hoOHlZOWVOd1F4eTVQNDRQX3lSbC1ETkZDdktidDdiVjA1ak9xTG9BZVhTSEZIQkEySVhUTFJhRy1zMHMtR09JZndXdUFfMmJiUjJ2RnlVcm1ZWlMtcUFmN1ZJPXw4gdJc3OeP2rbnQuqmjJmH_UqN_hmOjAyXwl4vWXmTUw==
Authorization: Basic ZWZzOnF1aWRkZXYyMDE5
HTTP/1.1 400 Bad Request
date: Mon, 15 Apr 2019 18:20:02 GMT
content-length: 182
content-type: text/html
connection: close
server: nginx/1.10.3 (Ubuntu)

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>

Omitted server header

INFO

Summary

The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 912.

HTTP proof

None

URLs found during application scan

Scan log

Timestamp                | Log level | Message
Mon Apr 15 18:19:55 2019 | error     | Can't login into web application as admin@quid.local
Mon Apr 15 18:19:57 2019 | error     | audit.rfi plugin needs to be correctly configured to use. Please set valid values for local address (eg. 10.5.2.5) and port (eg. 44449), or use the official w3af site as the target server for remote inclusions. The configuration error is: "Listen address and port need to be configured"
Mon Apr 15 18:20:39 2019 | error     | The server_header plugin got an error while requesting "https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/0". Exception: "HTTP timeout error". Generated 204 "No Content" response (id:912)