dradis-netsparker 3.8.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,2485 @@
1
+ <?xml version="1.0" encoding="utf-8" ?>
2
+ <?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>
3
+
4
+ <netsparker generated="12/8/2016 2:56:36 PM">
5
+ <target>
6
+ <url>http://localhost:3000/</url>
7
+ <scantime>18</scantime>
8
+ </target>
9
+ <vulnerability confirmed="True">
10
+ <url>http://localhost:3000/login</url>
11
+ <type>PasswordOverHttp</type>
12
+ <severity>Important</severity>
13
+ <certainty>100</certainty>
14
+ <description><p>{PRODUCT} detected that password data is being transmitted over HTTP.</p></description>
15
+ <remedy><div>All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.</div></remedy>
16
+
17
+ <rawrequest><![CDATA[GET /login HTTP/1.1
18
+ Host: localhost:3000
19
+ Cache-Control: no-cache
20
+ Referer: http://localhost:3000/
21
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
22
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
23
+ Accept-Language: en-us,en;q=0.5
24
+ X-Scanner: Netsparker
25
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
26
+ Accept-Encoding: gzip, deflate
27
+
28
+ ]]></rawrequest>
29
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
30
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
31
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
32
+ X-Content-Type-Options: nosniff
33
+ X-Runtime: 0.009771
34
+ Connection: Keep-Alive
35
+ X-Xss-Protection: 1; mode=block
36
+ X-Frame-Options: SAMEORIGIN
37
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
38
+ Content-Type: text/html; charset=utf-8
39
+ Content-Length: 4617
40
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
41
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
42
+ Cache-Control: max-age=0, private, must-revalidate
43
+
44
+ <!DOCTYPE html>
45
+ <html lang="en">
46
+ <head>
47
+ <meta charset="utf-8" />
48
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
49
+ <title>HNL Security Team Project Tracking System</title>
50
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
51
+ <meta name="description" content="Redmine" />
52
+ <meta name="keywords" content="issue,bug,tracker" />
53
+ <meta name="csrf-param" content="authenticity_token" />
54
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
55
+ <link rel='shortcut icon' href='/favicon.ico' />
56
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
57
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
58
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
59
+
60
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
61
+ <script src="/javascripts/application.js"></script>
62
+ <script src="/javascripts/responsive.js"></script>
63
+ <script>
64
+ //<![CDATA[
65
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
66
+ //]]]]><![CDATA[>
67
+ </script>
68
+
69
+
70
+ <!-- page specific tags -->
71
+ </head>
72
+ <body class="controller-account action-login">
73
+
74
+ <div id="wrapper">
75
+
76
+ <div class="flyout-menu js-flyout-menu">
77
+
78
+
79
+ <div class="flyout-menu__search">
80
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
81
+
82
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
83
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
84
+ </form> </div>
85
+
86
+
87
+
88
+ <h3>General</h3>
89
+ <span class="js-general-menu"></span>
90
+
91
+ <span class="js-sidebar flyout-menu__sidebar"></span>
92
+
93
+ <h3>Profile</h3>
94
+ <span class="js-profile-menu"></span>
95
+
96
+ </div>
97
+
98
+ <div id="wrapper2">
99
+ <div id="wrapper3">
100
+ <div id="top-menu">
101
+ <div id="account">
102
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
103
+
104
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
105
+
106
+ <div id="header">
107
+
108
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
109
+
110
+ <div id="quick-search">
111
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
112
+
113
+ <label for='q'>
114
+ <a accesskey="4" href="/search">Search</a>:
115
+ </label>
116
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
117
+ </form>
118
+ </div>
119
+
120
+ <h1>HNL Security Team Project Tracking System</h1>
121
+
122
+ </div>
123
+
124
+ <div id="main" class="nosidebar">
125
+ <div id="sidebar">
126
+
127
+
128
+ </div>
129
+
130
+ <div id="content">
131
+
132
+
133
+ <div id="login-form">
134
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
135
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
136
+ <table>
137
+ <tr>
138
+ <td style="text-align:right;"><label for="username">Login:</label></td>
139
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
140
+ </tr>
141
+ <tr>
142
+ <td style="text-align:right;"><label for="password">Password:</label></td>
143
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
144
+ </tr>
145
+ <tr>
146
+ <td></td>
147
+ <td style="text-align:left;">
148
+ </td>
149
+ </tr>
150
+ <tr>
151
+ <td style="text-align:left;">
152
+ <a href="/account/lost_password">Lost password</a>
153
+ </td>
154
+ <td style="text-align:right;">
155
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
156
+ </td>
157
+ </tr>
158
+ </table>
159
+ </form></div>
160
+
161
+
162
+ <script>
163
+ //<![CDATA[
164
+ $('#username').focus();
165
+ //]]]]><![CDATA[>
166
+ </script>
167
+
168
+
169
+ <div style="clear:both;"></div>
170
+ </div>
171
+ </div>
172
+ </div>
173
+
174
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
175
+ <div id="ajax-modal" style="display:none;"></div>
176
+
177
+ <div id="footer">
178
+ <div class="bgl"><div class="bgr">
179
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
180
+ </div></div>
181
+ </div>
182
+ </div>
183
+ </div>
184
+
185
+ </body>
186
+ </html>
187
+ ]]></rawresponse>
188
+ <extrainformation>
189
+ <info name="Form target action"><![CDATA[/login]]></info>
190
+ </extrainformation>
191
+
192
+ <proofs></proofs>
193
+
194
+ <classification>
195
+ <OWASP2013>A6</OWASP2013>
196
+ <WASC>4</WASC>
197
+ <CWE>319</CWE>
198
+ <CAPEC>65</CAPEC>
199
+ <PCI31>6.5.4</PCI31>
200
+ <PCI32>6.5.4</PCI32>
201
+ <HIPAA></HIPAA>
202
+ <OWASPPC></OWASPPC>
203
+ <CVSS>
204
+ <vector>CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</vector>
205
+
206
+ <score>
207
+ <type>Base</type>
208
+ <value>5.7</value>
209
+ <severity>Medium</severity>
210
+ </score>
211
+ <score>
212
+ <type>Temporal</type>
213
+ <value>5.7</value>
214
+ <severity>Medium</severity>
215
+ </score>
216
+ <score>
217
+ <type>Environmental</type>
218
+ <value>5.7</value>
219
+ <severity>Medium</severity>
220
+ </score>
221
+
222
+ </CVSS>
223
+ </classification>
224
+ </vulnerability>
225
+ <vulnerability confirmed="True">
226
+ <url>http://localhost:3000/</url>
227
+ <type>SslVersion3Support</type>
228
+ <severity>Medium</severity>
229
+ <certainty>100</certainty>
230
+ <description><p>{PRODUCT} detected that insecure transportation security protocol (SSLv3) is supported by your web server.</p><p>SSLv3 has several flaws. An attacker can cause connection failures and they can trigger the use of SSL 3.0 to exploit vulnerabilities like POODLE.</p></description>
231
+ <remedy><div><p>Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.</p><ul><li>For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.<pre class="xml code">SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
232
+ </pre></li><li>For Nginx, locate any use of the directive ssl_protocols in the <code>nginx.conf</code> file and remove <code>SSLv3</code>.<pre class="code">ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
233
+ </pre></li><li>For Microsoft IIS, you should make some changes on the system registry.<ol><li>Click on Start and then Run, type <code>regedt32</code> or <code>regedit</code>, and then click OK.</li><li>In Registry Editor, locate the following registry key or create if it does not exist:<pre class="code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\
234
+ </pre></li><li>Locate a key named <code>Server</code> or create if it doesn't exist.</li><li>Under the <code>Server</code> key, locate a DWORD value named <code>Enabled</code> or create if it doesn't exist and set its value to "0".</li></ol></li><li>For Lighttpd, put the following lines in your configuration file:<pre class="code">ssl.use-sslv2 = "disable"
235
+ ssl.use-sslv3 = "disable"
236
+ </pre></li></ul></div></remedy>
237
+
238
+ <rawrequest><![CDATA[[NETSPARKER] SSL Connection]]></rawrequest>
239
+ <rawresponse><![CDATA[[NETSPARKER] SSL Connection]]></rawresponse>
240
+ <extrainformation>
241
+ </extrainformation>
242
+
243
+ <proofs></proofs>
244
+
245
+ <classification>
246
+ <OWASP2013>A6</OWASP2013>
247
+ <WASC>4</WASC>
248
+ <CWE>327</CWE>
249
+ <CAPEC>217</CAPEC>
250
+ <PCI31>6.5.4</PCI31>
251
+ <PCI32>6.5.4</PCI32>
252
+ <HIPAA></HIPAA>
253
+ <OWASPPC></OWASPPC>
254
+
255
+ <CVSS>
256
+ <vector>CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C</vector>
257
+
258
+ <score>
259
+ <type>Base</type>
260
+ <value>6.8</value>
261
+ <severity>Medium</severity>
262
+ </score>
263
+ <score>
264
+ <type>Temporal</type>
265
+ <value>6.1</value>
266
+ <severity>Medium</severity>
267
+ </score>
268
+ <score>
269
+ <type>Environmental</type>
270
+ <value>6.1</value>
271
+ <severity>Medium</severity>
272
+ </score>
273
+
274
+ </CVSS>
275
+ </classification>
276
+ </vulnerability>
277
+ <vulnerability confirmed="True">
278
+ <url>http://localhost:3000/login</url>
279
+ <type>AutoCompleteEnabled</type>
280
+ <severity>Low</severity>
281
+ <certainty>100</certainty>
282
+ <description><p>{PRODUCT} detected that autocomplete is enabled in one or more of the form fields which might contain sensitive information like "username", "credit card" or "CVV".</p></description>
283
+ <remedy></remedy>
284
+
285
+ <rawrequest><![CDATA[GET /login HTTP/1.1
286
+ Host: localhost:3000
287
+ Cache-Control: no-cache
288
+ Referer: http://localhost:3000/
289
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
290
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
291
+ Accept-Language: en-us,en;q=0.5
292
+ X-Scanner: Netsparker
293
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
294
+ Accept-Encoding: gzip, deflate
295
+
296
+ ]]></rawrequest>
297
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
298
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
299
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
300
+ X-Content-Type-Options: nosniff
301
+ X-Runtime: 0.009771
302
+ Connection: Keep-Alive
303
+ X-Xss-Protection: 1; mode=block
304
+ X-Frame-Options: SAMEORIGIN
305
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
306
+ Content-Type: text/html; charset=utf-8
307
+ Content-Length: 4617
308
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
309
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
310
+ Cache-Control: max-age=0, private, must-revalidate
311
+
312
+ <!DOCTYPE html>
313
+ <html lang="en">
314
+ <head>
315
+ <meta charset="utf-8" />
316
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
317
+ <title>HNL Security Team Project Tracking System</title>
318
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
319
+ <meta name="description" content="Redmine" />
320
+ <meta name="keywords" content="issue,bug,tracker" />
321
+ <meta name="csrf-param" content="authenticity_token" />
322
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
323
+ <link rel='shortcut icon' href='/favicon.ico' />
324
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
325
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
326
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
327
+
328
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
329
+ <script src="/javascripts/application.js"></script>
330
+ <script src="/javascripts/responsive.js"></script>
331
+ <script>
332
+ //<![CDATA[
333
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
334
+ //]]]]><![CDATA[>
335
+ </script>
336
+
337
+
338
+ <!-- page specific tags -->
339
+ </head>
340
+ <body class="controller-account action-login">
341
+
342
+ <div id="wrapper">
343
+
344
+ <div class="flyout-menu js-flyout-menu">
345
+
346
+
347
+ <div class="flyout-menu__search">
348
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
349
+
350
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
351
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
352
+ </form> </div>
353
+
354
+
355
+
356
+ <h3>General</h3>
357
+ <span class="js-general-menu"></span>
358
+
359
+ <span class="js-sidebar flyout-menu__sidebar"></span>
360
+
361
+ <h3>Profile</h3>
362
+ <span class="js-profile-menu"></span>
363
+
364
+ </div>
365
+
366
+ <div id="wrapper2">
367
+ <div id="wrapper3">
368
+ <div id="top-menu">
369
+ <div id="account">
370
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
371
+
372
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
373
+
374
+ <div id="header">
375
+
376
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
377
+
378
+ <div id="quick-search">
379
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
380
+
381
+ <label for='q'>
382
+ <a accesskey="4" href="/search">Search</a>:
383
+ </label>
384
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
385
+ </form>
386
+ </div>
387
+
388
+ <h1>HNL Security Team Project Tracking System</h1>
389
+
390
+ </div>
391
+
392
+ <div id="main" class="nosidebar">
393
+ <div id="sidebar">
394
+
395
+
396
+ </div>
397
+
398
+ <div id="content">
399
+
400
+
401
+ <div id="login-form">
402
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
403
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
404
+ <table>
405
+ <tr>
406
+ <td style="text-align:right;"><label for="username">Login:</label></td>
407
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
408
+ </tr>
409
+ <tr>
410
+ <td style="text-align:right;"><label for="password">Password:</label></td>
411
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
412
+ </tr>
413
+ <tr>
414
+ <td></td>
415
+ <td style="text-align:left;">
416
+ </td>
417
+ </tr>
418
+ <tr>
419
+ <td style="text-align:left;">
420
+ <a href="/account/lost_password">Lost password</a>
421
+ </td>
422
+ <td style="text-align:right;">
423
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
424
+ </td>
425
+ </tr>
426
+ </table>
427
+ </form></div>
428
+
429
+
430
+ <script>
431
+ //<![CDATA[
432
+ $('#username').focus();
433
+ //]]]]><![CDATA[>
434
+ </script>
435
+
436
+
437
+ <div style="clear:both;"></div>
438
+ </div>
439
+ </div>
440
+ </div>
441
+
442
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
443
+ <div id="ajax-modal" style="display:none;"></div>
444
+
445
+ <div id="footer">
446
+ <div class="bgl"><div class="bgr">
447
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
448
+ </div></div>
449
+ </div>
450
+ </div>
451
+ </div>
452
+
453
+ </body>
454
+ </html>
455
+ ]]></rawresponse>
456
+ <extrainformation>
457
+ <info name="Identified Field Name"><![CDATA[username]]></info>
458
+ </extrainformation>
459
+
460
+ <proofs></proofs>
461
+
462
+ <classification>
463
+ <OWASP2013>A5</OWASP2013>
464
+ <WASC>15</WASC>
465
+ <CWE>16</CWE>
466
+ <CAPEC></CAPEC>
467
+ <PCI31></PCI31>
468
+ <PCI32></PCI32>
469
+ <HIPAA></HIPAA>
470
+ <OWASPPC></OWASPPC>
471
+
472
+ <CVSS>
473
+ <vector>CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vector>
474
+
475
+ <score>
476
+ <type>Base</type>
477
+ <value>4.6</value>
478
+ <severity>Medium</severity>
479
+ </score>
480
+ <score>
481
+ <type>Temporal</type>
482
+ <value>4.6</value>
483
+ <severity>Medium</severity>
484
+ </score>
485
+ <score>
486
+ <type>Environmental</type>
487
+ <value>4.6</value>
488
+ <severity>Medium</severity>
489
+ </score>
490
+
491
+ </CVSS>
492
+ </classification>
493
+ </vulnerability>
494
+ <vulnerability confirmed="False">
495
+ <url>http://localhost:3000/</url>
496
+ <type>VersionDisclosureRuby</type>
497
+ <severity>Low</severity>
498
+ <certainty>90</certainty>
499
+ <description><p>{PRODUCT} identified that the target web server is disclosing the Ruby version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Ruby.</p></description>
500
+ <remedy><div>Configure your web server to prevent information leakage from its HTTP response.</div></remedy>
501
+
502
+ <rawrequest><![CDATA[GET / HTTP/1.1
503
+ Host: localhost:3000
504
+ Cache-Control: no-cache
505
+ Connection: Keep-Alive
506
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
507
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
508
+ Accept-Language: en-us,en;q=0.5
509
+ X-Scanner: Netsparker
510
+ Accept-Encoding: gzip, deflate
511
+
512
+ ]]></rawrequest>
513
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
514
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
515
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
516
+ X-Content-Type-Options: nosniff
517
+ X-Runtime: 0.015338
518
+ Connection: Keep-Alive
519
+ X-Xss-Protection: 1; mode=block
520
+ X-Frame-Options: SAMEORIGIN
521
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
522
+ Content-Type: text/html; charset=utf-8
523
+ Content-Length: 3876
524
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
525
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
526
+ Cache-Control: max-age=0, private, must-revalidate
527
+
528
+ <!DOCTYPE html>
529
+ <html lang="en">
530
+ <head>
531
+ <meta charset="utf-8" />
532
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
533
+ <title>HNL Security Team Project Tracking System</title>
534
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
535
+ <meta name="description" content="Redmine" />
536
+ <meta name="keywords" content="issue,bug,tracker" />
537
+ <meta name="csrf-param" content="authenticity_token" />
538
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
539
+ <link rel='shortcut icon' href='/favicon.ico' />
540
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
541
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
542
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
543
+
544
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
545
+ <script src="/javascripts/application.js"></script>
546
+ <script src="/javascripts/responsive.js"></script>
547
+ <script>
548
+ //<![CDATA[
549
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
550
+ //]]]]><![CDATA[>
551
+ </script>
552
+
553
+
554
+ <!-- page specific tags -->
555
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
556
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
557
+ </head>
558
+ <body class="controller-welcome action-index">
559
+
560
+ <div id="wrapper">
561
+
562
+ <div class="flyout-menu js-flyout-menu">
563
+
564
+
565
+ <div class="flyout-menu__search">
566
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
567
+
568
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
569
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
570
+ </form> </div>
571
+
572
+
573
+
574
+ <h3>General</h3>
575
+ <span class="js-general-menu"></span>
576
+
577
+ <span class="js-sidebar flyout-menu__sidebar"></span>
578
+
579
+ <h3>Profile</h3>
580
+ <span class="js-profile-menu"></span>
581
+
582
+ </div>
583
+
584
+ <div id="wrapper2">
585
+ <div id="wrapper3">
586
+ <div id="top-menu">
587
+ <div id="account">
588
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
589
+
590
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
591
+
592
+ <div id="header">
593
+
594
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
595
+
596
+ <div id="quick-search">
597
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
598
+
599
+ <label for='q'>
600
+ <a accesskey="4" href="/search">Search</a>:
601
+ </label>
602
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
603
+ </form>
604
+ </div>
605
+
606
+ <h1>HNL Security Team Project Tracking System</h1>
607
+
608
+ </div>
609
+
610
+ <div id="main" class="nosidebar">
611
+ <div id="sidebar">
612
+
613
+
614
+ </div>
615
+
616
+ <div id="content">
617
+
618
+ <h2>Home</h2>
619
+
620
+ <div class="splitcontentleft">
621
+ <div class="wiki">
622
+
623
+ </div>
624
+
625
+ </div>
626
+
627
+ <div class="splitcontentright">
628
+
629
+ </div>
630
+
631
+
632
+
633
+ <div style="clear:both;"></div>
634
+ </div>
635
+ </div>
636
+ </div>
637
+
638
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
639
+ <div id="ajax-modal" style="display:none;"></div>
640
+
641
+ <div id="footer">
642
+ <div class="bgl"><div class="bgr">
643
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
644
+ </div></div>
645
+ </div>
646
+ </div>
647
+ </div>
648
+
649
+ </body>
650
+ </html>
651
+ ]]></rawresponse>
652
+ <extrainformation>
653
+ <info name="ExtractedVersion"><![CDATA[2.3.0]]></info>
654
+ </extrainformation>
655
+
656
+ <proofs></proofs>
657
+
658
+ <classification>
659
+ <OWASP2013></OWASP2013>
660
+ <WASC>45</WASC>
661
+ <CWE>205</CWE>
662
+ <CAPEC>170</CAPEC>
663
+ <PCI31></PCI31>
664
+ <PCI32></PCI32>
665
+ <HIPAA>164.306(a), 164.308(a)</HIPAA>
666
+ <OWASPPC></OWASPPC>
667
+
668
+ <CVSS>
669
+ <vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
670
+
671
+ <score>
672
+ <type>Base</type>
673
+ <value>5.3</value>
674
+ <severity>Medium</severity>
675
+ </score>
676
+ <score>
677
+ <type>Temporal</type>
678
+ <value>5.3</value>
679
+ <severity>Medium</severity>
680
+ </score>
681
+ <score>
682
+ <type>Environmental</type>
683
+ <value>5.3</value>
684
+ <severity>Medium</severity>
685
+ </score>
686
+
687
+ </CVSS>
688
+ </classification>
689
+ </vulnerability>
690
+ <vulnerability confirmed="False">
691
+ <url>http://localhost:3000/</url>
692
+ <type>VersionDisclosureWebrick</type>
693
+ <severity>Low</severity>
694
+ <certainty>90</certainty>
695
+ <description><p>{PRODUCT} identified that the target web server is disclosing the WEBrick version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of WEBrick.</p></description>
696
+ <remedy><div>Configure your web server to prevent information leakage from its HTTP response.</div></remedy>
697
+
698
+ <rawrequest><![CDATA[GET / HTTP/1.1
699
+ Host: localhost:3000
700
+ Cache-Control: no-cache
701
+ Connection: Keep-Alive
702
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
703
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
704
+ Accept-Language: en-us,en;q=0.5
705
+ X-Scanner: Netsparker
706
+ Accept-Encoding: gzip, deflate
707
+
708
+ ]]></rawrequest>
709
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
710
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
711
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
712
+ X-Content-Type-Options: nosniff
713
+ X-Runtime: 0.015338
714
+ Connection: Keep-Alive
715
+ X-Xss-Protection: 1; mode=block
716
+ X-Frame-Options: SAMEORIGIN
717
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
718
+ Content-Type: text/html; charset=utf-8
719
+ Content-Length: 3876
720
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
721
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
722
+ Cache-Control: max-age=0, private, must-revalidate
723
+
724
+ <!DOCTYPE html>
725
+ <html lang="en">
726
+ <head>
727
+ <meta charset="utf-8" />
728
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
729
+ <title>HNL Security Team Project Tracking System</title>
730
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
731
+ <meta name="description" content="Redmine" />
732
+ <meta name="keywords" content="issue,bug,tracker" />
733
+ <meta name="csrf-param" content="authenticity_token" />
734
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
735
+ <link rel='shortcut icon' href='/favicon.ico' />
736
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
737
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
738
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
739
+
740
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
741
+ <script src="/javascripts/application.js"></script>
742
+ <script src="/javascripts/responsive.js"></script>
743
+ <script>
744
+ //<![CDATA[
745
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
746
+ //]]]]><![CDATA[>
747
+ </script>
748
+
749
+
750
+ <!-- page specific tags -->
751
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
752
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
753
+ </head>
754
+ <body class="controller-welcome action-index">
755
+
756
+ <div id="wrapper">
757
+
758
+ <div class="flyout-menu js-flyout-menu">
759
+
760
+
761
+ <div class="flyout-menu__search">
762
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
763
+
764
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
765
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
766
+ </form> </div>
767
+
768
+
769
+
770
+ <h3>General</h3>
771
+ <span class="js-general-menu"></span>
772
+
773
+ <span class="js-sidebar flyout-menu__sidebar"></span>
774
+
775
+ <h3>Profile</h3>
776
+ <span class="js-profile-menu"></span>
777
+
778
+ </div>
779
+
780
+ <div id="wrapper2">
781
+ <div id="wrapper3">
782
+ <div id="top-menu">
783
+ <div id="account">
784
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
785
+
786
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
787
+
788
+ <div id="header">
789
+
790
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
791
+
792
+ <div id="quick-search">
793
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
794
+
795
+ <label for='q'>
796
+ <a accesskey="4" href="/search">Search</a>:
797
+ </label>
798
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
799
+ </form>
800
+ </div>
801
+
802
+ <h1>HNL Security Team Project Tracking System</h1>
803
+
804
+ </div>
805
+
806
+ <div id="main" class="nosidebar">
807
+ <div id="sidebar">
808
+
809
+
810
+ </div>
811
+
812
+ <div id="content">
813
+
814
+ <h2>Home</h2>
815
+
816
+ <div class="splitcontentleft">
817
+ <div class="wiki">
818
+
819
+ </div>
820
+
821
+ </div>
822
+
823
+ <div class="splitcontentright">
824
+
825
+ </div>
826
+
827
+
828
+
829
+ <div style="clear:both;"></div>
830
+ </div>
831
+ </div>
832
+ </div>
833
+
834
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
835
+ <div id="ajax-modal" style="display:none;"></div>
836
+
837
+ <div id="footer">
838
+ <div class="bgl"><div class="bgr">
839
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
840
+ </div></div>
841
+ </div>
842
+ </div>
843
+ </div>
844
+
845
+ </body>
846
+ </html>
847
+ ]]></rawresponse>
848
+ <extrainformation>
849
+ <info name="ExtractedVersion"><![CDATA[1.3.1]]></info>
850
+ </extrainformation>
851
+
852
+ <proofs></proofs>
853
+
854
+ <classification>
855
+ <OWASP2013></OWASP2013>
856
+ <WASC>45</WASC>
857
+ <CWE>205</CWE>
858
+ <CAPEC>170</CAPEC>
859
+ <PCI31></PCI31>
860
+ <PCI32></PCI32>
861
+ <HIPAA>164.306(a), 164.308(a)</HIPAA>
862
+ <OWASPPC></OWASPPC>
863
+
864
+ <CVSS>
865
+ <vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
866
+
867
+ <score>
868
+ <type>Base</type>
869
+ <value>5.3</value>
870
+ <severity>Medium</severity>
871
+ </score>
872
+ <score>
873
+ <type>Temporal</type>
874
+ <value>5.3</value>
875
+ <severity>Medium</severity>
876
+ </score>
877
+ <score>
878
+ <type>Environmental</type>
879
+ <value>5.3</value>
880
+ <severity>Medium</severity>
881
+ </score>
882
+
883
+ </CVSS>
884
+ </classification>
885
+ </vulnerability>
886
+ <vulnerability confirmed="True">
887
+ <url>http://localhost:3000/</url>
888
+ <type>TlsVersion1Support</type>
889
+ <severity>Low</severity>
890
+ <certainty>100</certainty>
891
+ <description><p>{PRODUCT} detected that insecure transportation security protocol (TLS 1.0) is supported by your web server.</p><p>TLS 1.0 has several flaws. An attacker can cause connection failures and they can trigger the use of TLS 1.0 to exploit vulnerabilities like BEAST (Browser Exploit Against SSL/TLS).</p><p>Websites using TLS 1.0 will be considered non-compliant by PCI after 30 June 2018.</p></description>
892
+ <remedy><div><p>Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.</p><ul><li>For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.<pre class="xml code">SSLProtocol +TLSv1.1 +TLSv1.2
893
+ </pre></li><li>For Nginx, locate any use of the directive ssl_protocols in the <code>nginx.conf</code> file and remove <code>TLSv1</code>.<pre class="code">ssl_protocols TLSv1.1 TLSv1.2;
894
+ </pre></li><li>For Microsoft IIS, you should make some changes on the system registry.<ol><li>Click on Start and then Run, type <code>regedt32</code> or <code>regedit</code>, and then click OK.</li><li>In Registry Editor, locate the following registry key or create if it does not exist:<pre class="code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
895
+ </pre></li><li>Locate a key named <code>Server</code> or create if it doesn't exist.</li><li>Under the <code>Server</code> key, locate a DWORD value named <code>Enabled</code> or create if it doesn't exist and set its value to "0".</li></ol></li></ul></div></remedy>
896
+
897
+ <rawrequest><![CDATA[[NETSPARKER] SSL Connection]]></rawrequest>
898
+ <rawresponse><![CDATA[[NETSPARKER] SSL Connection]]></rawresponse>
899
+ <extrainformation>
900
+ </extrainformation>
901
+
902
+ <proofs></proofs>
903
+
904
+ <classification>
905
+ <OWASP2013>A6</OWASP2013>
906
+ <WASC>4</WASC>
907
+ <CWE>327</CWE>
908
+ <CAPEC>217</CAPEC>
909
+ <PCI31>6.5.4</PCI31>
910
+ <PCI32>6.5.4</PCI32>
911
+ <HIPAA></HIPAA>
912
+ <OWASPPC></OWASPPC>
913
+ </classification>
914
+ </vulnerability>
915
+ <vulnerability confirmed="True">
916
+ <url>http://localhost:3000/robots.txt</url>
917
+ <type>RobotsIdentified</type>
918
+ <severity>Information</severity>
919
+ <certainty>100</certainty>
920
+ <description><p>{PRODUCT} detected a <code>Robots.txt</code> file with potentially sensitive content.</p></description>
921
+ <remedy><div><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Ensure you have nothing sensitive exposed within this file, such as the path of an administration panel. If disallowed paths are sensitive and you want to keep it from unauthorized access, do not write them in the <code>Robots.txt</code>, and ensure they are correctly protected by means of authentication.</span></div><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;"><code>Robots.txt</code> is only used to instruct search robots which resources should be indexed and which ones are not.</span></p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">The following block can be used to tell the crawler to index files under /web/ and </span><strong>ignore the rest</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">:</span><br></div><pre>User-Agent: *<br>Allow: /web/<br>Disallow: /</pre><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Please note that when you use the instructions above, </span><strong>search engines will not index your website </strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">except for the specified directories.</span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">If you want to hide certain section of the website from the search engines <code>X-Robots-Tag</code> can be set in the response header to tell crawlers whether the file should be indexed or not:</span><br></p></div><pre>X-Robots-Tag: googlebot: nofollow<br>X-Robots-Tag: otherbot: noindex, nofollow<br></pre><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">By using <code>X-Robots-Tag</code> you don't have to list the these files in your <code>Robots.txt</code>. </span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">It is also not possible to prevent media files from being indexed by putting using Robots Meta Tags. <code>X-Robots-Tag</code> resolves this issue as well.</span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">For Apache, the following snippet can be put into <code>httpd.conf</code> or an <code>.htaccess</code> file to restrict crawlers to index multimedia files without exposing them in <code>Robots.txt</code></span><br></p></div><pre>&lt;Files ~ "\.pdf$"&gt;<br># Don't index PDF files.<br> Header set X-Robots-Tag "noindex, nofollow"<br>&lt;/Files&gt;</pre><pre>&lt;Files ~ "\.(png|jpe?g|gif)$"&gt;<br>#Don't index image files.<br> Header set X-Robots-Tag "noindex"<br>&lt;/Files&gt;</pre><div>&nbsp;<br></div></remedy>
922
+
923
+ <rawrequest><![CDATA[GET /robots.txt HTTP/1.1
924
+ Host: localhost:3000
925
+ Cache-Control: no-cache
926
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
927
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
928
+ Accept-Language: en-us,en;q=0.5
929
+ X-Scanner: Netsparker
930
+ Cookie: _redmine_session=dXFGaE1aakY4ZWxQV0ZiMVlmaWtaUTBpYlQrOVlkWWUxOUtuYlJZMHgwT3ZFUlZheVJmSnQ2SUllUi9hYktZOWU5OFhGTjJ6S1V2NHZxd21vLzhwUDBDZXZZVjdmeFZaOXA1emprRktNODQ4SW9OV3JSWUZrYllRWXpxSjFHazcrMVFBNFova2JQNnBIK0N5YmpvRGZhOWVLVEY0RHJkRjBIL3NScmZGOHZISFcvM0lOSHBVVnlEK3dYaDNmVFFtV3FBb216T0V2aE0zdVpQRUZweDRZbDdncWN4TWxjYjZoRzByejQ5YlFzR2FpaHNUS1poM1JaOWV6YWJpWkl2NmhBM0Z2cmt0TzQzMnZ1YVIvUm5FdmNOUTgvOUFpV1lKSVloaVkvZkM5eDFiK0l1SXNHUzhhSlMwTExHYjBSM0gtLXdzSDI3Q1NNRllPK0FmRjI0cnZkVmc9PQ%3D%3D--054cb1c4bd8ee505c94de1d15b77d628ee5202ae
931
+ Accept-Encoding: gzip, deflate
932
+
933
+ ]]></rawrequest>
934
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
935
+ Set-Cookie: _redmine_session=TEVOVmFFcm11RCtqT1lLZFdPUTh1QkRPTEZCdEhOVWNwbW56Wnl1bGpDT2pFWUFIQ0x6NjQyN0tYWDFwRW9tRWtVWnFXYXlEUzZYQXFKODkxRlNMVlVxYUlGVktmaUNLYmdaeVJnMjBGT2FlRXNmK0FXR3V4ZlhLaUJvMVZ5QmoxVE5Ec1A3M2Q2cXRIZ2FOYm5VUTZvcjdRelJ1elhpdGUxWG1nd09sU2NDZGlpcjU0blNWSVhreVNsb3dOWDhQdVBjVWJ3K0U2bkQrTmlyUEpNWmdpN2xIMFpNS2J2K1NVVGkzalBPSk5EQlNSeDY5Nk5aSzVFbEJkUHNhbVZWVHNWZkEya3FPeUduUlo0aEdOVHpaSWxWV3JLMkliZnE3N0tKRUJzOVo1aHI0a2x6emE1VzJtV3lRNnE4VGVQaWMtLXJvRmM4VnRDTFZJTHI4dm4vLzVnU1E9PQ%3D%3D--54b4336d57a06867496da46514052a428dfe476f; path=/; HttpOnly
936
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
937
+ X-Content-Type-Options: nosniff
938
+ X-Runtime: 0.004503
939
+ Connection: Keep-Alive
940
+ X-Xss-Protection: 1; mode=block
941
+ X-Frame-Options: SAMEORIGIN
942
+ X-Request-Id: d322a824-0038-4e11-b073-c7d6a4d31580
943
+ Content-Type: text/html; charset=utf-8
944
+ Content-Length: 103
945
+ Date: Thu, 08 Dec 2016 19:56:14 GMT
946
+ Etag: W/"e5d026a5a27744c1c3d9c77b3e035178"
947
+ Cache-Control: max-age=0, private, must-revalidate
948
+
949
+ User-agent: *
950
+ Disallow: /issues/gantt
951
+ Disallow: /issues/calendar
952
+ Disallow: /activity
953
+ Disallow: /search
954
+ ]]></rawresponse>
955
+ <extrainformation>
956
+ <info name="Interesting Robots.txt Entries"><![CDATA[Disallow: /issues/gantt, Disallow: /issues/calendar, Disallow: /activity, Disallow: /search]]></info>
957
+ </extrainformation>
958
+
959
+ <proofs></proofs>
960
+
961
+ <classification>
962
+ <OWASP2013></OWASP2013>
963
+ <WASC></WASC>
964
+ <CWE></CWE>
965
+ <CAPEC></CAPEC>
966
+ <PCI31></PCI31>
967
+ <PCI32></PCI32>
968
+ <HIPAA></HIPAA>
969
+ <OWASPPC>C7</OWASPPC>
970
+ </classification>
971
+ </vulnerability>
972
+ <vulnerability confirmed="True">
973
+ <url>http://localhost:3000/login</url>
974
+ <type>AutoCompleteEnabledPasswordField</type>
975
+ <severity>Information</severity>
976
+ <certainty>100</certainty>
977
+ <description><p>{PRODUCT} detected that autocomplete is enabled in one or more of the password fields.</p></description>
978
+ <remedy></remedy>
979
+
980
+ <rawrequest><![CDATA[GET /login HTTP/1.1
981
+ Host: localhost:3000
982
+ Cache-Control: no-cache
983
+ Referer: http://localhost:3000/
984
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
985
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
986
+ Accept-Language: en-us,en;q=0.5
987
+ X-Scanner: Netsparker
988
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
989
+ Accept-Encoding: gzip, deflate
990
+
991
+ ]]></rawrequest>
992
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
993
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
994
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
995
+ X-Content-Type-Options: nosniff
996
+ X-Runtime: 0.009771
997
+ Connection: Keep-Alive
998
+ X-Xss-Protection: 1; mode=block
999
+ X-Frame-Options: SAMEORIGIN
1000
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
1001
+ Content-Type: text/html; charset=utf-8
1002
+ Content-Length: 4617
1003
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
1004
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
1005
+ Cache-Control: max-age=0, private, must-revalidate
1006
+
1007
+ <!DOCTYPE html>
1008
+ <html lang="en">
1009
+ <head>
1010
+ <meta charset="utf-8" />
1011
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1012
+ <title>HNL Security Team Project Tracking System</title>
1013
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1014
+ <meta name="description" content="Redmine" />
1015
+ <meta name="keywords" content="issue,bug,tracker" />
1016
+ <meta name="csrf-param" content="authenticity_token" />
1017
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
1018
+ <link rel='shortcut icon' href='/favicon.ico' />
1019
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1020
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1021
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1022
+
1023
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1024
+ <script src="/javascripts/application.js"></script>
1025
+ <script src="/javascripts/responsive.js"></script>
1026
+ <script>
1027
+ //<![CDATA[
1028
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1029
+ //]]]]><![CDATA[>
1030
+ </script>
1031
+
1032
+
1033
+ <!-- page specific tags -->
1034
+ </head>
1035
+ <body class="controller-account action-login">
1036
+
1037
+ <div id="wrapper">
1038
+
1039
+ <div class="flyout-menu js-flyout-menu">
1040
+
1041
+
1042
+ <div class="flyout-menu__search">
1043
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1044
+
1045
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1046
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1047
+ </form> </div>
1048
+
1049
+
1050
+
1051
+ <h3>General</h3>
1052
+ <span class="js-general-menu"></span>
1053
+
1054
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1055
+
1056
+ <h3>Profile</h3>
1057
+ <span class="js-profile-menu"></span>
1058
+
1059
+ </div>
1060
+
1061
+ <div id="wrapper2">
1062
+ <div id="wrapper3">
1063
+ <div id="top-menu">
1064
+ <div id="account">
1065
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1066
+
1067
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1068
+
1069
+ <div id="header">
1070
+
1071
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1072
+
1073
+ <div id="quick-search">
1074
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1075
+
1076
+ <label for='q'>
1077
+ <a accesskey="4" href="/search">Search</a>:
1078
+ </label>
1079
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1080
+ </form>
1081
+ </div>
1082
+
1083
+ <h1>HNL Security Team Project Tracking System</h1>
1084
+
1085
+ </div>
1086
+
1087
+ <div id="main" class="nosidebar">
1088
+ <div id="sidebar">
1089
+
1090
+
1091
+ </div>
1092
+
1093
+ <div id="content">
1094
+
1095
+
1096
+ <div id="login-form">
1097
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
1098
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
1099
+ <table>
1100
+ <tr>
1101
+ <td style="text-align:right;"><label for="username">Login:</label></td>
1102
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
1103
+ </tr>
1104
+ <tr>
1105
+ <td style="text-align:right;"><label for="password">Password:</label></td>
1106
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
1107
+ </tr>
1108
+ <tr>
1109
+ <td></td>
1110
+ <td style="text-align:left;">
1111
+ </td>
1112
+ </tr>
1113
+ <tr>
1114
+ <td style="text-align:left;">
1115
+ <a href="/account/lost_password">Lost password</a>
1116
+ </td>
1117
+ <td style="text-align:right;">
1118
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
1119
+ </td>
1120
+ </tr>
1121
+ </table>
1122
+ </form></div>
1123
+
1124
+
1125
+ <script>
1126
+ //<![CDATA[
1127
+ $('#username').focus();
1128
+ //]]]]><![CDATA[>
1129
+ </script>
1130
+
1131
+
1132
+ <div style="clear:both;"></div>
1133
+ </div>
1134
+ </div>
1135
+ </div>
1136
+
1137
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1138
+ <div id="ajax-modal" style="display:none;"></div>
1139
+
1140
+ <div id="footer">
1141
+ <div class="bgl"><div class="bgr">
1142
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1143
+ </div></div>
1144
+ </div>
1145
+ </div>
1146
+ </div>
1147
+
1148
+ </body>
1149
+ </html>
1150
+ ]]></rawresponse>
1151
+ <extrainformation>
1152
+ <info name="Identified Field Name"><![CDATA[password]]></info>
1153
+ </extrainformation>
1154
+
1155
+ <proofs></proofs>
1156
+
1157
+ <classification>
1158
+ <OWASP2013>A5</OWASP2013>
1159
+ <WASC>15</WASC>
1160
+ <CWE>16</CWE>
1161
+ <CAPEC></CAPEC>
1162
+ <PCI31></PCI31>
1163
+ <PCI32></PCI32>
1164
+ <HIPAA></HIPAA>
1165
+ <OWASPPC></OWASPPC>
1166
+
1167
+ <CVSS>
1168
+ <vector>CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vector>
1169
+
1170
+ <score>
1171
+ <type>Base</type>
1172
+ <value>4.6</value>
1173
+ <severity>Medium</severity>
1174
+ </score>
1175
+ <score>
1176
+ <type>Temporal</type>
1177
+ <value>4.6</value>
1178
+ <severity>Medium</severity>
1179
+ </score>
1180
+ <score>
1181
+ <type>Environmental</type>
1182
+ <value>4.6</value>
1183
+ <severity>Medium</severity>
1184
+ </score>
1185
+
1186
+ </CVSS>
1187
+ </classification>
1188
+ </vulnerability>
1189
+ <vulnerability confirmed="False">
1190
+ <url>http://localhost:3000/</url>
1191
+ <type>RubyOutOfDate</type>
1192
+ <severity>Information</severity>
1193
+ <certainty>90</certainty>
1194
+ <description><p>{PRODUCT} identified the target web site is using Ruby and detected that it is out of date.</p></description>
1195
+ <remedy><div><p>Please upgrade your installation of Ruby to the latest stable version.</p></div></remedy>
1196
+
1197
+ <rawrequest><![CDATA[GET / HTTP/1.1
1198
+ Host: localhost:3000
1199
+ Cache-Control: no-cache
1200
+ Connection: Keep-Alive
1201
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1202
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1203
+ Accept-Language: en-us,en;q=0.5
1204
+ X-Scanner: Netsparker
1205
+ Accept-Encoding: gzip, deflate
1206
+
1207
+ ]]></rawrequest>
1208
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1209
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1210
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1211
+ X-Content-Type-Options: nosniff
1212
+ X-Runtime: 0.015338
1213
+ Connection: Keep-Alive
1214
+ X-Xss-Protection: 1; mode=block
1215
+ X-Frame-Options: SAMEORIGIN
1216
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1217
+ Content-Type: text/html; charset=utf-8
1218
+ Content-Length: 3876
1219
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1220
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1221
+ Cache-Control: max-age=0, private, must-revalidate
1222
+
1223
+ <!DOCTYPE html>
1224
+ <html lang="en">
1225
+ <head>
1226
+ <meta charset="utf-8" />
1227
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1228
+ <title>HNL Security Team Project Tracking System</title>
1229
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1230
+ <meta name="description" content="Redmine" />
1231
+ <meta name="keywords" content="issue,bug,tracker" />
1232
+ <meta name="csrf-param" content="authenticity_token" />
1233
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1234
+ <link rel='shortcut icon' href='/favicon.ico' />
1235
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1236
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1237
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1238
+
1239
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1240
+ <script src="/javascripts/application.js"></script>
1241
+ <script src="/javascripts/responsive.js"></script>
1242
+ <script>
1243
+ //<![CDATA[
1244
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1245
+ //]]]]><![CDATA[>
1246
+ </script>
1247
+
1248
+
1249
+ <!-- page specific tags -->
1250
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1251
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1252
+ </head>
1253
+ <body class="controller-welcome action-index">
1254
+
1255
+ <div id="wrapper">
1256
+
1257
+ <div class="flyout-menu js-flyout-menu">
1258
+
1259
+
1260
+ <div class="flyout-menu__search">
1261
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1262
+
1263
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1264
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1265
+ </form> </div>
1266
+
1267
+
1268
+
1269
+ <h3>General</h3>
1270
+ <span class="js-general-menu"></span>
1271
+
1272
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1273
+
1274
+ <h3>Profile</h3>
1275
+ <span class="js-profile-menu"></span>
1276
+
1277
+ </div>
1278
+
1279
+ <div id="wrapper2">
1280
+ <div id="wrapper3">
1281
+ <div id="top-menu">
1282
+ <div id="account">
1283
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1284
+
1285
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1286
+
1287
+ <div id="header">
1288
+
1289
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1290
+
1291
+ <div id="quick-search">
1292
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1293
+
1294
+ <label for='q'>
1295
+ <a accesskey="4" href="/search">Search</a>:
1296
+ </label>
1297
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1298
+ </form>
1299
+ </div>
1300
+
1301
+ <h1>HNL Security Team Project Tracking System</h1>
1302
+
1303
+ </div>
1304
+
1305
+ <div id="main" class="nosidebar">
1306
+ <div id="sidebar">
1307
+
1308
+
1309
+ </div>
1310
+
1311
+ <div id="content">
1312
+
1313
+ <h2>Home</h2>
1314
+
1315
+ <div class="splitcontentleft">
1316
+ <div class="wiki">
1317
+
1318
+ </div>
1319
+
1320
+ </div>
1321
+
1322
+ <div class="splitcontentright">
1323
+
1324
+ </div>
1325
+
1326
+
1327
+
1328
+ <div style="clear:both;"></div>
1329
+ </div>
1330
+ </div>
1331
+ </div>
1332
+
1333
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1334
+ <div id="ajax-modal" style="display:none;"></div>
1335
+
1336
+ <div id="footer">
1337
+ <div class="bgl"><div class="bgr">
1338
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1339
+ </div></div>
1340
+ </div>
1341
+ </div>
1342
+ </div>
1343
+
1344
+ </body>
1345
+ </html>
1346
+ ]]></rawresponse>
1347
+ <extrainformation>
1348
+ <info name="Identified Version"><![CDATA[2.3.0]]></info>
1349
+ <info name="Latest Version"><![CDATA[2.3.1]]></info>
1350
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1351
+ </extrainformation>
1352
+
1353
+ <proofs></proofs>
1354
+
1355
+ <classification>
1356
+ <OWASP2013>A9</OWASP2013>
1357
+ <WASC></WASC>
1358
+ <CWE></CWE>
1359
+ <CAPEC>310</CAPEC>
1360
+ <PCI31>6.2</PCI31>
1361
+ <PCI32>6.2</PCI32>
1362
+ <HIPAA></HIPAA>
1363
+ <OWASPPC>C1</OWASPPC>
1364
+ </classification>
1365
+ </vulnerability>
1366
+ <vulnerability confirmed="False">
1367
+ <url>http://localhost:3000/</url>
1368
+ <type>JqueryOutOfDate</type>
1369
+ <severity>Information</severity>
1370
+ <certainty>90</certainty>
1371
+ <description><p>{PRODUCT} identified the target web site is using jQuery and detected that it is out of date.</p></description>
1372
+ <remedy><div><p>Please upgrade your installation of jQuery to the latest stable version.</p></div></remedy>
1373
+
1374
+ <rawrequest><![CDATA[GET / HTTP/1.1
1375
+ Host: localhost:3000
1376
+ Cache-Control: no-cache
1377
+ Connection: Keep-Alive
1378
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1379
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1380
+ Accept-Language: en-us,en;q=0.5
1381
+ X-Scanner: Netsparker
1382
+ Accept-Encoding: gzip, deflate
1383
+
1384
+ ]]></rawrequest>
1385
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1386
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1387
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1388
+ X-Content-Type-Options: nosniff
1389
+ X-Runtime: 0.015338
1390
+ Connection: Keep-Alive
1391
+ X-Xss-Protection: 1; mode=block
1392
+ X-Frame-Options: SAMEORIGIN
1393
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1394
+ Content-Type: text/html; charset=utf-8
1395
+ Content-Length: 3876
1396
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1397
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1398
+ Cache-Control: max-age=0, private, must-revalidate
1399
+
1400
+ <!DOCTYPE html>
1401
+ <html lang="en">
1402
+ <head>
1403
+ <meta charset="utf-8" />
1404
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1405
+ <title>HNL Security Team Project Tracking System</title>
1406
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1407
+ <meta name="description" content="Redmine" />
1408
+ <meta name="keywords" content="issue,bug,tracker" />
1409
+ <meta name="csrf-param" content="authenticity_token" />
1410
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1411
+ <link rel='shortcut icon' href='/favicon.ico' />
1412
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1413
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1414
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1415
+
1416
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1417
+ <script src="/javascripts/application.js"></script>
1418
+ <script src="/javascripts/responsive.js"></script>
1419
+ <script>
1420
+ //<![CDATA[
1421
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1422
+ //]]]]><![CDATA[>
1423
+ </script>
1424
+
1425
+
1426
+ <!-- page specific tags -->
1427
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1428
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1429
+ </head>
1430
+ <body class="controller-welcome action-index">
1431
+
1432
+ <div id="wrapper">
1433
+
1434
+ <div class="flyout-menu js-flyout-menu">
1435
+
1436
+
1437
+ <div class="flyout-menu__search">
1438
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1439
+
1440
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1441
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1442
+ </form> </div>
1443
+
1444
+
1445
+
1446
+ <h3>General</h3>
1447
+ <span class="js-general-menu"></span>
1448
+
1449
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1450
+
1451
+ <h3>Profile</h3>
1452
+ <span class="js-profile-menu"></span>
1453
+
1454
+ </div>
1455
+
1456
+ <div id="wrapper2">
1457
+ <div id="wrapper3">
1458
+ <div id="top-menu">
1459
+ <div id="account">
1460
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1461
+
1462
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1463
+
1464
+ <div id="header">
1465
+
1466
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1467
+
1468
+ <div id="quick-search">
1469
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1470
+
1471
+ <label for='q'>
1472
+ <a accesskey="4" href="/search">Search</a>:
1473
+ </label>
1474
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1475
+ </form>
1476
+ </div>
1477
+
1478
+ <h1>HNL Security Team Project Tracking System</h1>
1479
+
1480
+ </div>
1481
+
1482
+ <div id="main" class="nosidebar">
1483
+ <div id="sidebar">
1484
+
1485
+
1486
+ </div>
1487
+
1488
+ <div id="content">
1489
+
1490
+ <h2>Home</h2>
1491
+
1492
+ <div class="splitcontentleft">
1493
+ <div class="wiki">
1494
+
1495
+ </div>
1496
+
1497
+ </div>
1498
+
1499
+ <div class="splitcontentright">
1500
+
1501
+ </div>
1502
+
1503
+
1504
+
1505
+ <div style="clear:both;"></div>
1506
+ </div>
1507
+ </div>
1508
+ </div>
1509
+
1510
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1511
+ <div id="ajax-modal" style="display:none;"></div>
1512
+
1513
+ <div id="footer">
1514
+ <div class="bgl"><div class="bgr">
1515
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1516
+ </div></div>
1517
+ </div>
1518
+ </div>
1519
+ </div>
1520
+
1521
+ </body>
1522
+ </html>
1523
+ ]]></rawresponse>
1524
+ <extrainformation>
1525
+ <info name="Identified Version"><![CDATA[1.11.1]]></info>
1526
+ <info name="Latest Version"><![CDATA[1.12.4]]></info>
1527
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1528
+ </extrainformation>
1529
+
1530
+ <proofs></proofs>
1531
+
1532
+ <classification>
1533
+ <OWASP2013>A9</OWASP2013>
1534
+ <WASC></WASC>
1535
+ <CWE></CWE>
1536
+ <CAPEC>310</CAPEC>
1537
+ <PCI31>6.2</PCI31>
1538
+ <PCI32>6.2</PCI32>
1539
+ <HIPAA></HIPAA>
1540
+ <OWASPPC>C1</OWASPPC>
1541
+ </classification>
1542
+ </vulnerability>
1543
+ <vulnerability confirmed="False">
1544
+ <url>http://localhost:3000/</url>
1545
+ <type>JqueryUiDialogOutOfDate</type>
1546
+ <severity>Information</severity>
1547
+ <certainty>90</certainty>
1548
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Dialog and detected that it is out of date.</p></description>
1549
+ <remedy><div><p>Please upgrade your installation of jQuery UI Dialog to the latest stable version.</p></div></remedy>
1550
+
1551
+ <rawrequest><![CDATA[GET / HTTP/1.1
1552
+ Host: localhost:3000
1553
+ Cache-Control: no-cache
1554
+ Connection: Keep-Alive
1555
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1556
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1557
+ Accept-Language: en-us,en;q=0.5
1558
+ X-Scanner: Netsparker
1559
+ Accept-Encoding: gzip, deflate
1560
+
1561
+ ]]></rawrequest>
1562
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1563
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1564
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1565
+ X-Content-Type-Options: nosniff
1566
+ X-Runtime: 0.015338
1567
+ Connection: Keep-Alive
1568
+ X-Xss-Protection: 1; mode=block
1569
+ X-Frame-Options: SAMEORIGIN
1570
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1571
+ Content-Type: text/html; charset=utf-8
1572
+ Content-Length: 3876
1573
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1574
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1575
+ Cache-Control: max-age=0, private, must-revalidate
1576
+
1577
+ <!DOCTYPE html>
1578
+ <html lang="en">
1579
+ <head>
1580
+ <meta charset="utf-8" />
1581
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1582
+ <title>HNL Security Team Project Tracking System</title>
1583
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1584
+ <meta name="description" content="Redmine" />
1585
+ <meta name="keywords" content="issue,bug,tracker" />
1586
+ <meta name="csrf-param" content="authenticity_token" />
1587
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1588
+ <link rel='shortcut icon' href='/favicon.ico' />
1589
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1590
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1591
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1592
+
1593
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1594
+ <script src="/javascripts/application.js"></script>
1595
+ <script src="/javascripts/responsive.js"></script>
1596
+ <script>
1597
+ //<![CDATA[
1598
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1599
+ //]]]]><![CDATA[>
1600
+ </script>
1601
+
1602
+
1603
+ <!-- page specific tags -->
1604
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1605
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1606
+ </head>
1607
+ <body class="controller-welcome action-index">
1608
+
1609
+ <div id="wrapper">
1610
+
1611
+ <div class="flyout-menu js-flyout-menu">
1612
+
1613
+
1614
+ <div class="flyout-menu__search">
1615
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1616
+
1617
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1618
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1619
+ </form> </div>
1620
+
1621
+
1622
+
1623
+ <h3>General</h3>
1624
+ <span class="js-general-menu"></span>
1625
+
1626
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1627
+
1628
+ <h3>Profile</h3>
1629
+ <span class="js-profile-menu"></span>
1630
+
1631
+ </div>
1632
+
1633
+ <div id="wrapper2">
1634
+ <div id="wrapper3">
1635
+ <div id="top-menu">
1636
+ <div id="account">
1637
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1638
+
1639
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1640
+
1641
+ <div id="header">
1642
+
1643
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1644
+
1645
+ <div id="quick-search">
1646
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1647
+
1648
+ <label for='q'>
1649
+ <a accesskey="4" href="/search">Search</a>:
1650
+ </label>
1651
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1652
+ </form>
1653
+ </div>
1654
+
1655
+ <h1>HNL Security Team Project Tracking System</h1>
1656
+
1657
+ </div>
1658
+
1659
+ <div id="main" class="nosidebar">
1660
+ <div id="sidebar">
1661
+
1662
+
1663
+ </div>
1664
+
1665
+ <div id="content">
1666
+
1667
+ <h2>Home</h2>
1668
+
1669
+ <div class="splitcontentleft">
1670
+ <div class="wiki">
1671
+
1672
+ </div>
1673
+
1674
+ </div>
1675
+
1676
+ <div class="splitcontentright">
1677
+
1678
+ </div>
1679
+
1680
+
1681
+
1682
+ <div style="clear:both;"></div>
1683
+ </div>
1684
+ </div>
1685
+ </div>
1686
+
1687
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1688
+ <div id="ajax-modal" style="display:none;"></div>
1689
+
1690
+ <div id="footer">
1691
+ <div class="bgl"><div class="bgr">
1692
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1693
+ </div></div>
1694
+ </div>
1695
+ </div>
1696
+ </div>
1697
+
1698
+ </body>
1699
+ </html>
1700
+ ]]></rawresponse>
1701
+ <extrainformation>
1702
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
1703
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
1704
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1705
+ </extrainformation>
1706
+
1707
+ <proofs></proofs>
1708
+
1709
+ <classification>
1710
+ <OWASP2013>A9</OWASP2013>
1711
+ <WASC></WASC>
1712
+ <CWE></CWE>
1713
+ <CAPEC>310</CAPEC>
1714
+ <PCI31>6.2</PCI31>
1715
+ <PCI32>6.2</PCI32>
1716
+ <HIPAA></HIPAA>
1717
+ <OWASPPC>C1</OWASPPC>
1718
+ </classification>
1719
+ </vulnerability>
1720
+ <vulnerability confirmed="False">
1721
+ <url>http://localhost:3000/</url>
1722
+ <type>JqueryUiAutocompleteOutOfDate</type>
1723
+ <severity>Information</severity>
1724
+ <certainty>90</certainty>
1725
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.</p></description>
1726
+ <remedy><div><p>Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.</p></div></remedy>
1727
+
1728
+ <rawrequest><![CDATA[GET / HTTP/1.1
1729
+ Host: localhost:3000
1730
+ Cache-Control: no-cache
1731
+ Connection: Keep-Alive
1732
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1733
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1734
+ Accept-Language: en-us,en;q=0.5
1735
+ X-Scanner: Netsparker
1736
+ Accept-Encoding: gzip, deflate
1737
+
1738
+ ]]></rawrequest>
1739
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1740
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1741
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1742
+ X-Content-Type-Options: nosniff
1743
+ X-Runtime: 0.015338
1744
+ Connection: Keep-Alive
1745
+ X-Xss-Protection: 1; mode=block
1746
+ X-Frame-Options: SAMEORIGIN
1747
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1748
+ Content-Type: text/html; charset=utf-8
1749
+ Content-Length: 3876
1750
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1751
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1752
+ Cache-Control: max-age=0, private, must-revalidate
1753
+
1754
+ <!DOCTYPE html>
1755
+ <html lang="en">
1756
+ <head>
1757
+ <meta charset="utf-8" />
1758
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1759
+ <title>HNL Security Team Project Tracking System</title>
1760
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1761
+ <meta name="description" content="Redmine" />
1762
+ <meta name="keywords" content="issue,bug,tracker" />
1763
+ <meta name="csrf-param" content="authenticity_token" />
1764
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1765
+ <link rel='shortcut icon' href='/favicon.ico' />
1766
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1767
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1768
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1769
+
1770
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1771
+ <script src="/javascripts/application.js"></script>
1772
+ <script src="/javascripts/responsive.js"></script>
1773
+ <script>
1774
+ //<![CDATA[
1775
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1776
+ //]]]]><![CDATA[>
1777
+ </script>
1778
+
1779
+
1780
+ <!-- page specific tags -->
1781
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1782
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1783
+ </head>
1784
+ <body class="controller-welcome action-index">
1785
+
1786
+ <div id="wrapper">
1787
+
1788
+ <div class="flyout-menu js-flyout-menu">
1789
+
1790
+
1791
+ <div class="flyout-menu__search">
1792
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1793
+
1794
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1795
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1796
+ </form> </div>
1797
+
1798
+
1799
+
1800
+ <h3>General</h3>
1801
+ <span class="js-general-menu"></span>
1802
+
1803
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1804
+
1805
+ <h3>Profile</h3>
1806
+ <span class="js-profile-menu"></span>
1807
+
1808
+ </div>
1809
+
1810
+ <div id="wrapper2">
1811
+ <div id="wrapper3">
1812
+ <div id="top-menu">
1813
+ <div id="account">
1814
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1815
+
1816
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1817
+
1818
+ <div id="header">
1819
+
1820
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1821
+
1822
+ <div id="quick-search">
1823
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1824
+
1825
+ <label for='q'>
1826
+ <a accesskey="4" href="/search">Search</a>:
1827
+ </label>
1828
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1829
+ </form>
1830
+ </div>
1831
+
1832
+ <h1>HNL Security Team Project Tracking System</h1>
1833
+
1834
+ </div>
1835
+
1836
+ <div id="main" class="nosidebar">
1837
+ <div id="sidebar">
1838
+
1839
+
1840
+ </div>
1841
+
1842
+ <div id="content">
1843
+
1844
+ <h2>Home</h2>
1845
+
1846
+ <div class="splitcontentleft">
1847
+ <div class="wiki">
1848
+
1849
+ </div>
1850
+
1851
+ </div>
1852
+
1853
+ <div class="splitcontentright">
1854
+
1855
+ </div>
1856
+
1857
+
1858
+
1859
+ <div style="clear:both;"></div>
1860
+ </div>
1861
+ </div>
1862
+ </div>
1863
+
1864
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1865
+ <div id="ajax-modal" style="display:none;"></div>
1866
+
1867
+ <div id="footer">
1868
+ <div class="bgl"><div class="bgr">
1869
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1870
+ </div></div>
1871
+ </div>
1872
+ </div>
1873
+ </div>
1874
+
1875
+ </body>
1876
+ </html>
1877
+ ]]></rawresponse>
1878
+ <extrainformation>
1879
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
1880
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
1881
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1882
+ </extrainformation>
1883
+
1884
+ <proofs></proofs>
1885
+
1886
+ <classification>
1887
+ <OWASP2013>A9</OWASP2013>
1888
+ <WASC></WASC>
1889
+ <CWE></CWE>
1890
+ <CAPEC>310</CAPEC>
1891
+ <PCI31>6.2</PCI31>
1892
+ <PCI32>6.2</PCI32>
1893
+ <HIPAA></HIPAA>
1894
+ <OWASPPC>C1</OWASPPC>
1895
+ </classification>
1896
+ </vulnerability>
1897
+ <vulnerability confirmed="False">
1898
+ <url>http://localhost:3000/</url>
1899
+ <type>JqueryUiTooltipOutOfDate</type>
1900
+ <severity>Information</severity>
1901
+ <certainty>90</certainty>
1902
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Tooltip and detected that it is out of date.</p></description>
1903
+ <remedy><div><p>Please upgrade your installation of jQuery UI Tooltip to the latest stable version.</p></div></remedy>
1904
+
1905
+ <rawrequest><![CDATA[GET / HTTP/1.1
1906
+ Host: localhost:3000
1907
+ Cache-Control: no-cache
1908
+ Connection: Keep-Alive
1909
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1910
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1911
+ Accept-Language: en-us,en;q=0.5
1912
+ X-Scanner: Netsparker
1913
+ Accept-Encoding: gzip, deflate
1914
+
1915
+ ]]></rawrequest>
1916
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1917
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1918
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1919
+ X-Content-Type-Options: nosniff
1920
+ X-Runtime: 0.015338
1921
+ Connection: Keep-Alive
1922
+ X-Xss-Protection: 1; mode=block
1923
+ X-Frame-Options: SAMEORIGIN
1924
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1925
+ Content-Type: text/html; charset=utf-8
1926
+ Content-Length: 3876
1927
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1928
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1929
+ Cache-Control: max-age=0, private, must-revalidate
1930
+
1931
+ <!DOCTYPE html>
1932
+ <html lang="en">
1933
+ <head>
1934
+ <meta charset="utf-8" />
1935
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1936
+ <title>HNL Security Team Project Tracking System</title>
1937
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1938
+ <meta name="description" content="Redmine" />
1939
+ <meta name="keywords" content="issue,bug,tracker" />
1940
+ <meta name="csrf-param" content="authenticity_token" />
1941
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1942
+ <link rel='shortcut icon' href='/favicon.ico' />
1943
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1944
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1945
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1946
+
1947
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1948
+ <script src="/javascripts/application.js"></script>
1949
+ <script src="/javascripts/responsive.js"></script>
1950
+ <script>
1951
+ //<![CDATA[
1952
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1953
+ //]]]]><![CDATA[>
1954
+ </script>
1955
+
1956
+
1957
+ <!-- page specific tags -->
1958
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1959
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1960
+ </head>
1961
+ <body class="controller-welcome action-index">
1962
+
1963
+ <div id="wrapper">
1964
+
1965
+ <div class="flyout-menu js-flyout-menu">
1966
+
1967
+
1968
+ <div class="flyout-menu__search">
1969
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1970
+
1971
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1972
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1973
+ </form> </div>
1974
+
1975
+
1976
+
1977
+ <h3>General</h3>
1978
+ <span class="js-general-menu"></span>
1979
+
1980
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1981
+
1982
+ <h3>Profile</h3>
1983
+ <span class="js-profile-menu"></span>
1984
+
1985
+ </div>
1986
+
1987
+ <div id="wrapper2">
1988
+ <div id="wrapper3">
1989
+ <div id="top-menu">
1990
+ <div id="account">
1991
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1992
+
1993
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1994
+
1995
+ <div id="header">
1996
+
1997
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1998
+
1999
+ <div id="quick-search">
2000
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2001
+
2002
+ <label for='q'>
2003
+ <a accesskey="4" href="/search">Search</a>:
2004
+ </label>
2005
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2006
+ </form>
2007
+ </div>
2008
+
2009
+ <h1>HNL Security Team Project Tracking System</h1>
2010
+
2011
+ </div>
2012
+
2013
+ <div id="main" class="nosidebar">
2014
+ <div id="sidebar">
2015
+
2016
+
2017
+ </div>
2018
+
2019
+ <div id="content">
2020
+
2021
+ <h2>Home</h2>
2022
+
2023
+ <div class="splitcontentleft">
2024
+ <div class="wiki">
2025
+
2026
+ </div>
2027
+
2028
+ </div>
2029
+
2030
+ <div class="splitcontentright">
2031
+
2032
+ </div>
2033
+
2034
+
2035
+
2036
+ <div style="clear:both;"></div>
2037
+ </div>
2038
+ </div>
2039
+ </div>
2040
+
2041
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2042
+ <div id="ajax-modal" style="display:none;"></div>
2043
+
2044
+ <div id="footer">
2045
+ <div class="bgl"><div class="bgr">
2046
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2047
+ </div></div>
2048
+ </div>
2049
+ </div>
2050
+ </div>
2051
+
2052
+ </body>
2053
+ </html>
2054
+ ]]></rawresponse>
2055
+ <extrainformation>
2056
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
2057
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
2058
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
2059
+ </extrainformation>
2060
+
2061
+ <proofs></proofs>
2062
+
2063
+ <classification>
2064
+ <OWASP2013>A9</OWASP2013>
2065
+ <WASC></WASC>
2066
+ <CWE></CWE>
2067
+ <CAPEC>310</CAPEC>
2068
+ <PCI31>6.2</PCI31>
2069
+ <PCI32>6.2</PCI32>
2070
+ <HIPAA></HIPAA>
2071
+ <OWASPPC>C1</OWASPPC>
2072
+ </classification>
2073
+ </vulnerability>
2074
+ <vulnerability confirmed="False">
2075
+ <url>http://localhost:3000/javascripts/</url>
2076
+ <type>MissingXssProtectionHeader</type>
2077
+ <severity>Information</severity>
2078
+ <certainty>100</certainty>
2079
+ <description><p>{PRODUCT} detected a missing <code>X-XSS-Protection</code> header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.</p></description>
2080
+ <remedy><div>Add the X-XSS-Protection header with a value of "1; mode= block".<ul><li><pre class="code">X-XSS-Protection: 1; mode=block</pre></li></ul></div></remedy>
2081
+
2082
+ <rawrequest><![CDATA[GET /javascripts/ HTTP/1.1
2083
+ Host: localhost:3000
2084
+ Cache-Control: no-cache
2085
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2086
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2087
+ Accept-Language: en-us,en;q=0.5
2088
+ X-Scanner: Netsparker
2089
+ Cookie: _redmine_session=dXFGaE1aakY4ZWxQV0ZiMVlmaWtaUTBpYlQrOVlkWWUxOUtuYlJZMHgwT3ZFUlZheVJmSnQ2SUllUi9hYktZOWU5OFhGTjJ6S1V2NHZxd21vLzhwUDBDZXZZVjdmeFZaOXA1emprRktNODQ4SW9OV3JSWUZrYllRWXpxSjFHazcrMVFBNFova2JQNnBIK0N5YmpvRGZhOWVLVEY0RHJkRjBIL3NScmZGOHZISFcvM0lOSHBVVnlEK3dYaDNmVFFtV3FBb216T0V2aE0zdVpQRUZweDRZbDdncWN4TWxjYjZoRzByejQ5YlFzR2FpaHNUS1poM1JaOWV6YWJpWkl2NmhBM0Z2cmt0TzQzMnZ1YVIvUm5FdmNOUTgvOUFpV1lKSVloaVkvZkM5eDFiK0l1SXNHUzhhSlMwTExHYjBSM0gtLXdzSDI3Q1NNRllPK0FmRjI0cnZkVmc9PQ%3D%3D--054cb1c4bd8ee505c94de1d15b77d628ee5202ae
2090
+ Accept-Encoding: gzip, deflate
2091
+
2092
+ ]]></rawrequest>
2093
+ <rawresponse><![CDATA[HTTP/1.1 404 Not Found
2094
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2095
+ X-Runtime: 0.001726
2096
+ Connection: Keep-Alive
2097
+ Content-Length: 459
2098
+ X-Request-Id: aa38d534-7b20-4836-afa1-f2500d266718
2099
+ Content-Type: text/html; charset=utf-8
2100
+ Date: Thu, 08 Dec 2016 19:56:14 GMT
2101
+
2102
+ <!DOCTYPE html>
2103
+ <html>
2104
+ <head>
2105
+ <meta charset="utf-8" />
2106
+ <title>Redmine 404 error</title>
2107
+ <style>
2108
+ body {font-family: "Trebuchet MS", Georgia, "Times New Roman", serif; color: #303030; margin: 10px;}
2109
+ h1 {font-size:1.5em;}
2110
+ p {font-size:0.8em;}
2111
+ </style>
2112
+ </head>
2113
+ <body>
2114
+ <h1>Page not found</h1>
2115
+ <p>The page you were trying to access doesn't exist or has been removed.</p>
2116
+ <p><a href="javascript:history.back()">Back</a></p>
2117
+ </body>
2118
+ </html>
2119
+ ]]></rawresponse>
2120
+ <extrainformation>
2121
+ </extrainformation>
2122
+
2123
+ <proofs></proofs>
2124
+
2125
+ <classification>
2126
+ <OWASP2013></OWASP2013>
2127
+ <WASC></WASC>
2128
+ <CWE></CWE>
2129
+ <CAPEC></CAPEC>
2130
+ <PCI31></PCI31>
2131
+ <PCI32></PCI32>
2132
+ <HIPAA>164.308(a)</HIPAA>
2133
+ <OWASPPC>C9</OWASPPC>
2134
+ </classification>
2135
+ </vulnerability>
2136
+ <vulnerability confirmed="True">
2137
+ <url>http://localhost:3000/</url>
2138
+ <type>SameSiteCookieNotImplemented</type>
2139
+ <severity>Information</severity>
2140
+ <certainty>100</certainty>
2141
+ <description><p>Cookies are typically sent to third parties in cross origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named <em>SameSite</em> was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.</p><p>Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.</p></description>
2142
+ <remedy><p>The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header:</p><div><pre>Set-Cookie: key=value; SameSite=strict</pre></div><p>There are two possible values for the same-site attribute:</p><ul><li>Lax</li><li>Strict</li></ul><p>In the strict mode, the cookie is not sent with any cross-site usage even if the user follows a link to another website. Lax cookies are only sent with a top-level get request.</p></remedy>
2143
+
2144
+ <rawrequest><![CDATA[GET / HTTP/1.1
2145
+ Host: localhost:3000
2146
+ Cache-Control: no-cache
2147
+ Connection: Keep-Alive
2148
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2149
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2150
+ Accept-Language: en-us,en;q=0.5
2151
+ X-Scanner: Netsparker
2152
+ Accept-Encoding: gzip, deflate
2153
+
2154
+ ]]></rawrequest>
2155
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
2156
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
2157
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2158
+ X-Content-Type-Options: nosniff
2159
+ X-Runtime: 0.015338
2160
+ Connection: Keep-Alive
2161
+ X-Xss-Protection: 1; mode=block
2162
+ X-Frame-Options: SAMEORIGIN
2163
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
2164
+ Content-Type: text/html; charset=utf-8
2165
+ Content-Length: 3876
2166
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
2167
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
2168
+ Cache-Control: max-age=0, private, must-revalidate
2169
+
2170
+ <!DOCTYPE html>
2171
+ <html lang="en">
2172
+ <head>
2173
+ <meta charset="utf-8" />
2174
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
2175
+ <title>HNL Security Team Project Tracking System</title>
2176
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
2177
+ <meta name="description" content="Redmine" />
2178
+ <meta name="keywords" content="issue,bug,tracker" />
2179
+ <meta name="csrf-param" content="authenticity_token" />
2180
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
2181
+ <link rel='shortcut icon' href='/favicon.ico' />
2182
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
2183
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
2184
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
2185
+
2186
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
2187
+ <script src="/javascripts/application.js"></script>
2188
+ <script src="/javascripts/responsive.js"></script>
2189
+ <script>
2190
+ //<![CDATA[
2191
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
2192
+ //]]]]><![CDATA[>
2193
+ </script>
2194
+
2195
+
2196
+ <!-- page specific tags -->
2197
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
2198
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
2199
+ </head>
2200
+ <body class="controller-welcome action-index">
2201
+
2202
+ <div id="wrapper">
2203
+
2204
+ <div class="flyout-menu js-flyout-menu">
2205
+
2206
+
2207
+ <div class="flyout-menu__search">
2208
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2209
+
2210
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
2211
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
2212
+ </form> </div>
2213
+
2214
+
2215
+
2216
+ <h3>General</h3>
2217
+ <span class="js-general-menu"></span>
2218
+
2219
+ <span class="js-sidebar flyout-menu__sidebar"></span>
2220
+
2221
+ <h3>Profile</h3>
2222
+ <span class="js-profile-menu"></span>
2223
+
2224
+ </div>
2225
+
2226
+ <div id="wrapper2">
2227
+ <div id="wrapper3">
2228
+ <div id="top-menu">
2229
+ <div id="account">
2230
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
2231
+
2232
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
2233
+
2234
+ <div id="header">
2235
+
2236
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
2237
+
2238
+ <div id="quick-search">
2239
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2240
+
2241
+ <label for='q'>
2242
+ <a accesskey="4" href="/search">Search</a>:
2243
+ </label>
2244
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2245
+ </form>
2246
+ </div>
2247
+
2248
+ <h1>HNL Security Team Project Tracking System</h1>
2249
+
2250
+ </div>
2251
+
2252
+ <div id="main" class="nosidebar">
2253
+ <div id="sidebar">
2254
+
2255
+
2256
+ </div>
2257
+
2258
+ <div id="content">
2259
+
2260
+ <h2>Home</h2>
2261
+
2262
+ <div class="splitcontentleft">
2263
+ <div class="wiki">
2264
+
2265
+ </div>
2266
+
2267
+ </div>
2268
+
2269
+ <div class="splitcontentright">
2270
+
2271
+ </div>
2272
+
2273
+
2274
+
2275
+ <div style="clear:both;"></div>
2276
+ </div>
2277
+ </div>
2278
+ </div>
2279
+
2280
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2281
+ <div id="ajax-modal" style="display:none;"></div>
2282
+
2283
+ <div id="footer">
2284
+ <div class="bgl"><div class="bgr">
2285
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2286
+ </div></div>
2287
+ </div>
2288
+ </div>
2289
+ </div>
2290
+
2291
+ </body>
2292
+ </html>
2293
+ ]]></rawresponse>
2294
+ <extrainformation>
2295
+ <info name="Identified Cookie(s)"><![CDATA[_redmine_session]]></info>
2296
+ </extrainformation>
2297
+
2298
+ <proofs></proofs>
2299
+
2300
+ <classification>
2301
+ <OWASP2013></OWASP2013>
2302
+ <WASC></WASC>
2303
+ <CWE></CWE>
2304
+ <CAPEC></CAPEC>
2305
+ <PCI31></PCI31>
2306
+ <PCI32></PCI32>
2307
+ <HIPAA></HIPAA>
2308
+ <OWASPPC>C9</OWASPPC>
2309
+ </classification>
2310
+ </vulnerability>
2311
+ <vulnerability confirmed="False">
2312
+ <url>http://localhost:3000/</url>
2313
+ <type>CspNotImplemented</type>
2314
+ <severity>Information</severity>
2315
+ <certainty>100</certainty>
2316
+ <description><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">CSP is a added layer of security against that helps to mitigate mainly Cross-site Scripting attacks. </span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">CSP can be enabled instructing the browser with a Content-Security-Policy directive in a response header;</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> Content-Security-Policy: script-src 'self';</span></pre><p>or in a meta tag;</p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self';"&gt; </span></pre><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">In the above example, you can restrict script loading only to same domain. It will also restrict inline script executions both in element attribute and event handler. There are various directives which you can use declaring CSP:</span></p><ul><li style="text-align: justify;" data-mce-style="text-align: justify;"><strong>script-src:</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> Restricts the script loading resources to the ones you declared. By default, it disables inline script executions unless you permit to the evaluation functions and inline scripts by the unsafe-eval and unsafe-inline keywords.</span></li><li style="text-align: justify;" data-mce-style="text-align: justify;"><strong>base-uri:</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> &nbsp;Base element is used to resolve relative URL to absolute one. By using this CSP directive, you can define all possible URLs which could be assigned to base-href attribute of the document. </span></li><li><strong>frame-ancestors</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: &nbsp;It is very similar to X-Frame-Options HTTP header. It defines the URLs by which the page can be loaded in an iframe.</span></li><li><strong>frame-src &nbsp;&nbsp;/ child-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: frame-src is the deprecated version of child-src. Both define the sources that can be loaded by iframe in the page.</span></li><li><strong>object-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> : Defines the resources that can be loaded by embedding such as Flash files, Java Applets.</span></li><li><strong>img-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: As its name implies, it defines the resources where the images can be loaded from.</span></li><li><strong>connect-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: Defines the whitelisted targets for XMLHttpRequest and WebSocket objects.</span></li><li><strong>default-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It is a fallback for the directives that mostly ends with -src prefix. When the directives below are not defined, the value set to default-src will be used:</span></li><ul><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">child-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">connect-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">font-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">img-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">manifest-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">media-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">object-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">script-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">style-src</span></li></ul></ul><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">When setting the CSP directives, you can also use some CSP keywords: </span></p><ul><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>none</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: When used, it denies all resources loadings.</span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>self </strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It points to the document's URL (domain + port).</span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>unsafe-inline</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It permits running inline scripts . </span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>unsafe-eval</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It permits execution of evaluations function such as <code>eval()</code>.</span></li></ul><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">In addition to CSP keywords, you can also use wildcard or only a schema when defining whitelist URLs for the points. Wildcard can be used for subdomain and port portions of the URLs:</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src </span><a href="about:blank" data-mce-href="about:blank"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">https://*.example.com</span></a><span style="font-weight: 400;" data-mce-style="font-weight: 400;">;</span></pre><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src </span><a href="about:blank" data-mce-href="about:blank"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">https://example.com</span></a><span style="font-weight: 400;" data-mce-style="font-weight: 400;">:*;</span></pre><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src https;</span></pre><p style="text-align: justify;" data-mce-style="text-align: justify;"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">It is also possible to set a CSP in Report-Only mode instead of forcing it immediately in the migration period. Thus you can see the violations of the CSP policy in the current state of your web site while migrating to CSP:</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy-Report-Only: script-src 'self'; report-uri: <a href="https://example.com" data-mce-href="https://example.com">https://example.com</a>;</span></pre></description>
2317
+ <remedy><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Enable CSP on your website by sending the </span><code><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy</span></code><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> in HTTP response headers that instruct the browser to apply the policies you specified.</span></p></remedy>
2318
+
2319
+ <rawrequest><![CDATA[GET / HTTP/1.1
2320
+ Host: localhost:3000
2321
+ Cache-Control: no-cache
2322
+ Connection: Keep-Alive
2323
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2324
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2325
+ Accept-Language: en-us,en;q=0.5
2326
+ X-Scanner: Netsparker
2327
+ Accept-Encoding: gzip, deflate
2328
+
2329
+ ]]></rawrequest>
2330
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
2331
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
2332
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2333
+ X-Content-Type-Options: nosniff
2334
+ X-Runtime: 0.015338
2335
+ Connection: Keep-Alive
2336
+ X-Xss-Protection: 1; mode=block
2337
+ X-Frame-Options: SAMEORIGIN
2338
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
2339
+ Content-Type: text/html; charset=utf-8
2340
+ Content-Length: 3876
2341
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
2342
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
2343
+ Cache-Control: max-age=0, private, must-revalidate
2344
+
2345
+ <!DOCTYPE html>
2346
+ <html lang="en">
2347
+ <head>
2348
+ <meta charset="utf-8" />
2349
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
2350
+ <title>HNL Security Team Project Tracking System</title>
2351
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
2352
+ <meta name="description" content="Redmine" />
2353
+ <meta name="keywords" content="issue,bug,tracker" />
2354
+ <meta name="csrf-param" content="authenticity_token" />
2355
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
2356
+ <link rel='shortcut icon' href='/favicon.ico' />
2357
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
2358
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
2359
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
2360
+
2361
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
2362
+ <script src="/javascripts/application.js"></script>
2363
+ <script src="/javascripts/responsive.js"></script>
2364
+ <script>
2365
+ //<![CDATA[
2366
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
2367
+ //]]]]><![CDATA[>
2368
+ </script>
2369
+
2370
+
2371
+ <!-- page specific tags -->
2372
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
2373
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
2374
+ </head>
2375
+ <body class="controller-welcome action-index">
2376
+
2377
+ <div id="wrapper">
2378
+
2379
+ <div class="flyout-menu js-flyout-menu">
2380
+
2381
+
2382
+ <div class="flyout-menu__search">
2383
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2384
+
2385
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
2386
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
2387
+ </form> </div>
2388
+
2389
+
2390
+
2391
+ <h3>General</h3>
2392
+ <span class="js-general-menu"></span>
2393
+
2394
+ <span class="js-sidebar flyout-menu__sidebar"></span>
2395
+
2396
+ <h3>Profile</h3>
2397
+ <span class="js-profile-menu"></span>
2398
+
2399
+ </div>
2400
+
2401
+ <div id="wrapper2">
2402
+ <div id="wrapper3">
2403
+ <div id="top-menu">
2404
+ <div id="account">
2405
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
2406
+
2407
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
2408
+
2409
+ <div id="header">
2410
+
2411
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
2412
+
2413
+ <div id="quick-search">
2414
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2415
+
2416
+ <label for='q'>
2417
+ <a accesskey="4" href="/search">Search</a>:
2418
+ </label>
2419
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2420
+ </form>
2421
+ </div>
2422
+
2423
+ <h1>HNL Security Team Project Tracking System</h1>
2424
+
2425
+ </div>
2426
+
2427
+ <div id="main" class="nosidebar">
2428
+ <div id="sidebar">
2429
+
2430
+
2431
+ </div>
2432
+
2433
+ <div id="content">
2434
+
2435
+ <h2>Home</h2>
2436
+
2437
+ <div class="splitcontentleft">
2438
+ <div class="wiki">
2439
+
2440
+ </div>
2441
+
2442
+ </div>
2443
+
2444
+ <div class="splitcontentright">
2445
+
2446
+ </div>
2447
+
2448
+
2449
+
2450
+ <div style="clear:both;"></div>
2451
+ </div>
2452
+ </div>
2453
+ </div>
2454
+
2455
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2456
+ <div id="ajax-modal" style="display:none;"></div>
2457
+
2458
+ <div id="footer">
2459
+ <div class="bgl"><div class="bgr">
2460
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2461
+ </div></div>
2462
+ </div>
2463
+ </div>
2464
+ </div>
2465
+
2466
+ </body>
2467
+ </html>
2468
+ ]]></rawresponse>
2469
+ <extrainformation>
2470
+ </extrainformation>
2471
+
2472
+ <proofs></proofs>
2473
+
2474
+ <classification>
2475
+ <OWASP2013></OWASP2013>
2476
+ <WASC></WASC>
2477
+ <CWE></CWE>
2478
+ <CAPEC></CAPEC>
2479
+ <PCI31></PCI31>
2480
+ <PCI32></PCI32>
2481
+ <HIPAA></HIPAA>
2482
+ <OWASPPC>C9</OWASPPC>
2483
+ </classification>
2484
+ </vulnerability>
2485
+ </netsparker>