Web Vulnerability Report

Start Time:2015-06-24 13:31:57

Scanning Duration:3 minutes 10 seconds

Target Site
Vulnerability Content
+WebDav Security Configurations (1)
+Clickjacking (1)
Information Content
+Web Server Type and Version History Vulnerability (1)
Target Site
Start URL: http://www.cs.psu.ac.th/
Web Server: Microsoft-IIS/6.0
OS: windows
Web Language: Unknown
Third-Party Application: unknown 0
Login Method: Not login
URLs Scanned: 344

Possible Threats:

  • Intercept session, get user login credential to get access to site.
  • Find sensitive information and error configuration on server and perform further attack to the site;
  • Solution(s):

    1. Check validity of data on client-side and server-side, and filter special characters.
    2. Set security options for Web application program.
    3. Deploy security appliance that is able to perform Web application protection.
    No. Page Vulnerability Count Threat Level
    1 http://www.cs.psu.ac.th/ 2 High
    Vulnerability Content Details
    WebDav Security Configurations (1)


    Find that WebDav configuration of the server is incorrect, and insecure WebDav methods are enabled, such as 'put', 'delete', 'trace', 'search', 'copy', 'move', 'propfind', 'proppatch', 'mkcol', 'lock' and 'unlock'.


      Disable WebDav
    Vulnerability1 /1
    URL: http://www.cs.psu.ac.th/
    Request Method: OPTIONS
    Parameter: -
    Threat Level: High


    HTTP method is enabled in WebDav security configurations. TRACE

    Request Content:

    OPTIONS http://www.cs.psu.ac.th/ HTTP/1.1
    Referer: http://www.cs.psu.ac.th/

    Response Content:

    HTTP/1.1 200 OK
    Content-Length: 0
    MicrosoftOfficeWebServer: 5.0_Pub
    X-Powered-By: ASP.NET
    MS-Author-Via: MS-FP/4.0
    Server: Microsoft-IIS/6.0
    Date: Wed, 24 Jun 2015 06:34:34 GMT

    Clickjacking (1)


    Clickjacking is a malicious technique that attacker uses multiple transparent or opaque layers to trick a user into clicking on something different from what the user perceives they are clicking on.


      Increase or set value of HTTP header option X-Frame-Options to DENY or SAMEORIGIN
    Vulnerability1 /1
    URL: http://www.cs.psu.ac.th/
    Request Method: GET
    Parameter: -
    Threat Level: Medium


    As the whole site has not configured the X-Frame-Options field in HTTP header under protection, it's vulnerable to clickjacking.

    Information Content Details
    Web Server Type and Version History Vulnerability(1)


    Web server type and list of corresponding vulnerability which exists in the version


      Update the server to the latest version or update SP.
    Info1 /1
    URL: http://www.cs.psu.ac.th/
    Request Method: GET
    Parameter: -
    Threat Level: Information


    1. If IIS runs Index Server, it will contain a vulnerability through Null.htw even if no .htw files exist on the server. The vulnerability displays the source code of an ASP page. Sensitive information such as user account is contained in global.asa. The ability to view ASP pages could provide sensitive information such as usernames and passwords. An attacker providing IIS with a malformed URL request could escape the virtual directory, providing access to the logical drive and root directory. The "hit-highlighting" function in the Index Server does not adequately restrain what types of files may be requested, allowing an attacker to request any file on the server. Null.htw function has 3 variables which gets their inputs from the user:CiWebhitsfile, CiRestriction and CiHiliteType. You can see source code of default.asp by typing the link: http://www.victim.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full. A legal .htwfile is not required because the virtual file is restored on the memory.
    2. IIS' MDAC has a vulnerability where an attacker can submit commands for local execution. The core problem is with the RDSDatafactory. By default, it allows remote commands to be sent to the IIS server. The commands will be run as the effective user of the service, which is typically the SYSTEM user. You can find a vulnerable site by checking:c:\>nc -nw -w 2 <Target> 80
    GET /msadc/msadcs.dll HTTP. And if you get the following application/x_varg, it is most probably vulnerable if not patched.
    3. This exploit is also ever so similar to dot asp bug and you can get the source code of ASA and ASP files by appending a +.htr to the URL of asp and asa files: http://www.Target.com/global.asa+.htr.
    4. By requesting site.csc, which is normally located in /adsamples/config/site.csc,The attacker may be able to retrieve the DSN, UID and PASS of the database as this file may contain them. By typing the following http://www.victim.com/adsamples/config/site.csc, the attacker will download the file site.csc and (s)he can get some important data.
    5. The hit-highligting functionality provided by Index Server allows a web user to have a document with their original search terms highlighted on the page. The name of the document is passed to .htw file with the CiWebhitsfile argument. Webhits.dll, the ISAPI Application that deals with the request, opens the file highlights accordingly and returns the resulting page. As the user has control of the CiWebhitsfile argument passed to the .htw file they can request anything they want. And the real problem is that, they can view the source of ASP and other scripted pages. To understand you are vulnerable, request the following from the site:http://www.victim.com/nosuchfile.htw, and if you get the following from the server: format of the QUERY_STRING is invalid, it means that you are vulnerable.
    1. IIS6.0 is prone to parsing directory vulnerability. When IIS6.0 handles the files under the folder with the extension *.asp, *.asa, *.cer or *.cdx, it will parse the file according to the script type (asp, asa, cer, cdx), causing the WebShell with legal extension (such as jpg and txt ) uploaded.
    2. IIS6.0 is vulnerable to file parsing. When IIS6.0 handles the files under the folder with the extension *.asp, *.asa, *.cer or *.cdx, it will parse the file according to the script type (asp, asa, cer, cdx), causing the WebShell with legal extension jpg uploaded.

    Back to Top