N-Stalker Web Application

Security Technical Report

Web Application Security Report


(196.203.190.22)

1. Scan Session Summary


1. Scan Statistics by Severity Level

2. Scan Statistics by Vulnerability Type

3. Web Application Information


URL : 196.203.190.22

Confidential report - must not be disclosed without prior authorization


Port : 80
Protocol : HTTP
SSLCipher : N/A
Server-Type : Apache/2.2.15 (Red Hat)
Detected-Type : Caucho Resin
Server-Side Technologies Detected
Number of sub-hosts involved

N/A

4. Scan Statistics
Avg Response Time : 4430
Avg Response Size : 275
Total Scan Time : 311 mins (18690 secs)
Number of Spidered Links : 0
Number of Cookies : 0
Number of Javascript objects : 0
Number of HTML Comments : 0
Number of e-mails : 0
Number of Broken Pages : 0
Number of hidden fields : 0
Number of Objects Leaked : 0

5. Policy Details
Policy Name : Complete Pen-test Assessment
Policy Details : Audit & Pen-test Assessment

Applied Rules
Web Resources Spider and Analysis
Server Vulnerabilities Assessment
Directory Brute-force Discovery
File & Directory Exposure Attacks
Cross-site Scripting Attacks
SQL Injection Attacks
Memory Fault Attacks
Parameter Tampering Attacks
Signature-based HTTP Attacks
Information Leakage Search
Protocol Compliance Check

2. Web Site Structure


1. Published Directories
Path

Status

3. Application Objects
1. Cookies
Cookie

2. E-mails
E-mail

Count

3. Broken Pages
Page

Reference

4. Hidden Fields
Field name & value

URL & Post Data

5. Information Leakage
Name

Value

6. Web Forms

4. Vulnerabilities
1. Web Server Exposure
Oracle Single Sign-On Login Page Authentication Credential Disclosure Vulnerability
CVE : CVE-2007 BID : 24215
OSVDB : 37050
High Level
3304
Target Server : http://196.203.190.22:80/
URL : /
Comments
It has been reported that the Oracle Single Sign-On login form is prone to an authentication
credential disclosure vulnerability that may allow remote attackers to disclose
authentication credentials such as usernames and passwords of vulnerable users.
Workaround: The p_submit_url value in the customized login page can be hard-coded. This
mitigates the issue since the value will no longer be an input to the page. The p_submit_url
URL value in the 902 SSO server is in the following format:
http(s)://sso_host:port/pls/orasso/orasso.wwsso_app_admin.ls_login
Vulnerable versions include: Oracle IAS 9.0.3.1 (and previous), Oracle HTTP Server 9.2.0 (and previous).
Solution
Please, download the latest version.
References
http://httpd.apache.org/download.cgi
http://www.kb.cert.org/vuls/id/395412
http://httpd.apache.org/docs/2.2/new_features_2_2.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : PROPFIND (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None

OSVDB : None

Target Server : http://196.203.190.22:80/
URL : OPTIONS (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : DELETE (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use, including
data storage, directory services, mail, messaging, and more. Failure to manage the proper
configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : PROPPATCH (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html


Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : MKCOL (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : COPY (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use, including
data storage, directory services, mail, messaging, and more. Failure to manage the proper
configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : MOVE (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : LOCK (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : UNLOCK (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use, including
data storage, directory services, mail, messaging, and more. Failure to manage the proper
configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : LINK (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

Possible Insecure HTTP Method found


Information Level CVE : MAP-NOMATCH BID : None
OSVDB : None
Target Server : http://196.203.190.22:80/
URL : UNLINK (http://196.203.190.22:80/)
Comments
An insecure HTTP method has been detected as available on the Web server and may be
exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than GET, POST
and HEAD are not common and should be evaluated before being made publicly available on
production-level Web servers.
Some methods cause information leakage problems, such as the TRACE method
(which may reveal internal private HTTP headers), or may be used for client-side
credential-stealing attacks. Other methods such as PROPFIND and WebDAV-based methods may
allow arbitrary file uploading and should not be available under normal conditions.
This issue can be considered Insecure Configuration Management as described in OWASP
Top10 Web Application Vulnerabilities, Section A10: "Web server and application server
configurations play a key role in the security of a web application. These servers are
responsible for serving content and invoking applications that generate content. In addition,
many application servers provide a number of services that web applications can use,
including data storage, directory services, mail, messaging, and more. Failure to manage the
proper configuration of your servers can lead to a wide variety of security problems."
Solution
IT staff must apply effective Web server hardening controls and also establish an effective
Production Planning and Control program to avoid insecure configuration scenarios.
Undesired HTTP methods can be easily removed from most Web server platforms. See more
information below. Microsoft IIS users are advised to use URLscan.
References
http://www.kb.cert.org/vuls/id/867593
http://www.microsoft.com/technet/security/tools/urlscan.mspx
http://www.owasp.org/documentation/topten/a10.html

2. Custom Design Errors


No vulnerabilities.

3. Web Signature Attacks

Oracle Single Sign-On Login Page Authentication Credential Disclosure Vulnerability
CVE : CVE-2007 BID : 24215
OSVDB : 37050
High Level
3304
Target Server : http://196.203.190.22:80/
URL : /
Comments
It has been reported that the Oracle Single Sign-On login form is prone to an authentication
credential disclosure vulnerability that may allow remote attackers to disclose
authentication credentials such as usernames and passwords of vulnerable users.
Workaround: The p_submit_url value in the customized login page can be hard-coded. This
mitigates the issue since the value will no longer be an input to the page. The p_submit_url
URL value in the 902 SSO server is in the following format:
http(s)://sso_host:port/pls/orasso/orasso.wwsso_app_admin.ls_login
Vulnerable versions include: Oracle IAS 9.0.3.1 (and previous), Oracle HTTP Server 9.2.0 (and previous).
Solution
Please, download the latest version.
References
http://httpd.apache.org/download.cgi
http://www.kb.cert.org/vuls/id/395412
http://httpd.apache.org/docs/2.2/new_features_2_2.html

Oracle Single Sign-On Login Page Authentication Credential Disclosure Vulnerability


High Level
CVE : 0
BID : 10009
OSVDB : 0
Target Server : http://196.203.190.22:80/
URL : /pls/orasso/orasso.wwsso_app_admin.ls_login
Comments
It has been reported that the Oracle Single Sign-On login form is prone to an authentication
credential disclosure vulnerability that may allow remote attackers to disclose
authentication credentials such as usernames and passwords of vulnerable users.
Workaround: The p_submit_url value in the customized login page can be hard-coded. This
mitigates the issue since the value will no longer be an input to the page. The p_submit_url
URL value in the 902 SSO server is in the following format:
http(s)://sso_host:port/pls/orasso/orasso.wwsso_app_admin.ls_login
Vulnerable versions include: Oracle IAS 9.0.3.1 (and previous), Oracle HTTP Server 9.2.0 (and previous).
Solution
No solution available.
References
No external references available.

4. Confidentiality Exposure
No vulnerabilities.

5. Cookie Exposure
No vulnerabilities.

6. File & Directory Exposure


No vulnerabilities.

7. Custom Content Inspection


No vulnerabilities.
