dradis-netsparker 3.8.0

@@ -0,0 +1,2529 @@
1
+ <?xml version="1.0" encoding="utf-8" ?>
2
+ <?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>
3
+
4
+ <netsparker generated="12/8/2016 2:56:36 PM">
5
+ <target>
6
+ <url>http://localhost:3000/</url>
7
+ <scantime>18</scantime>
8
+ </target>
9
+ <vulnerability confirmed="True">
10
+ <url>http://localhost:3000/login</url>
11
+ <type>PasswordOverHttp</type>
12
+ <severity>Important</severity>
13
+ <certainty>100</certainty>
14
+ <description><p>{PRODUCT} detected that password data is being transmitted over HTTP.</p></description>
15
+ <remedy><div>All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.</div></remedy>
16
+
17
+ <rawrequest><![CDATA[GET /login HTTP/1.1
18
+ Host: localhost:3000
19
+ Cache-Control: no-cache
20
+ Referer: http://localhost:3000/
21
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
22
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
23
+ Accept-Language: en-us,en;q=0.5
24
+ X-Scanner: Netsparker
25
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
26
+ Accept-Encoding: gzip, deflate
27
+
28
+ ]]></rawrequest>
29
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
30
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
31
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
32
+ X-Content-Type-Options: nosniff
33
+ X-Runtime: 0.009771
34
+ Connection: Keep-Alive
35
+ X-Xss-Protection: 1; mode=block
36
+ X-Frame-Options: SAMEORIGIN
37
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
38
+ Content-Type: text/html; charset=utf-8
39
+ Content-Length: 4617
40
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
41
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
42
+ Cache-Control: max-age=0, private, must-revalidate
43
+
44
+ <!DOCTYPE html>
45
+ <html lang="en">
46
+ <head>
47
+ <meta charset="utf-8" />
48
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
49
+ <title>HNL Security Team Project Tracking System</title>
50
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
51
+ <meta name="description" content="Redmine" />
52
+ <meta name="keywords" content="issue,bug,tracker" />
53
+ <meta name="csrf-param" content="authenticity_token" />
54
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
55
+ <link rel='shortcut icon' href='/favicon.ico' />
56
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
57
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
58
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
59
+
60
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
61
+ <script src="/javascripts/application.js"></script>
62
+ <script src="/javascripts/responsive.js"></script>
63
+ <script>
64
+ //<![CDATA[
65
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
66
+ //]]]]><![CDATA[>
67
+ </script>
68
+
69
+
70
+ <!-- page specific tags -->
71
+ </head>
72
+ <body class="controller-account action-login">
73
+
74
+ <div id="wrapper">
75
+
76
+ <div class="flyout-menu js-flyout-menu">
77
+
78
+
79
+ <div class="flyout-menu__search">
80
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
81
+
82
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
83
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
84
+ </form> </div>
85
+
86
+
87
+
88
+ <h3>General</h3>
89
+ <span class="js-general-menu"></span>
90
+
91
+ <span class="js-sidebar flyout-menu__sidebar"></span>
92
+
93
+ <h3>Profile</h3>
94
+ <span class="js-profile-menu"></span>
95
+
96
+ </div>
97
+
98
+ <div id="wrapper2">
99
+ <div id="wrapper3">
100
+ <div id="top-menu">
101
+ <div id="account">
102
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
103
+
104
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
105
+
106
+ <div id="header">
107
+
108
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
109
+
110
+ <div id="quick-search">
111
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
112
+
113
+ <label for='q'>
114
+ <a accesskey="4" href="/search">Search</a>:
115
+ </label>
116
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
117
+ </form>
118
+ </div>
119
+
120
+ <h1>HNL Security Team Project Tracking System</h1>
121
+
122
+ </div>
123
+
124
+ <div id="main" class="nosidebar">
125
+ <div id="sidebar">
126
+
127
+
128
+ </div>
129
+
130
+ <div id="content">
131
+
132
+
133
+ <div id="login-form">
134
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
135
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
136
+ <table>
137
+ <tr>
138
+ <td style="text-align:right;"><label for="username">Login:</label></td>
139
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
140
+ </tr>
141
+ <tr>
142
+ <td style="text-align:right;"><label for="password">Password:</label></td>
143
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
144
+ </tr>
145
+ <tr>
146
+ <td></td>
147
+ <td style="text-align:left;">
148
+ </td>
149
+ </tr>
150
+ <tr>
151
+ <td style="text-align:left;">
152
+ <a href="/account/lost_password">Lost password</a>
153
+ </td>
154
+ <td style="text-align:right;">
155
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
156
+ </td>
157
+ </tr>
158
+ </table>
159
+ </form></div>
160
+
161
+
162
+ <script>
163
+ //<![CDATA[
164
+ $('#username').focus();
165
+ //]]]]><![CDATA[>
166
+ </script>
167
+
168
+
169
+ <div style="clear:both;"></div>
170
+ </div>
171
+ </div>
172
+ </div>
173
+
174
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
175
+ <div id="ajax-modal" style="display:none;"></div>
176
+
177
+ <div id="footer">
178
+ <div class="bgl"><div class="bgr">
179
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
180
+ </div></div>
181
+ </div>
182
+ </div>
183
+ </div>
184
+
185
+ </body>
186
+ </html>
187
+ ]]></rawresponse>
188
+ <extrainformation>
189
+ <info name="Form target action"><![CDATA[/login]]></info>
190
+ </extrainformation>
191
+
192
+ <proofs></proofs>
193
+
194
+
195
+ <classification>
196
+ <OWASP2013>A6</OWASP2013>
197
+ <WASC>4</WASC>
198
+ <CWE>319</CWE>
199
+ <CAPEC>65</CAPEC>
200
+ <PCI31>6.5.4</PCI31>
201
+ <PCI32>6.5.4</PCI32>
202
+ <HIPAA></HIPAA>
203
+ <OWASPPC></OWASPPC>
204
+
205
+ <CVSS>
206
+ <vector>CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</vector>
207
+
208
+ <score>
209
+ <type>Base</type>
210
+ <value>5.7</value>
211
+ <severity>Medium</severity>
212
+ </score>
213
+ <score>
214
+ <type>Temporal</type>
215
+ <value>5.7</value>
216
+ <severity>Medium</severity>
217
+ </score>
218
+ <score>
219
+ <type>Environmental</type>
220
+ <value>5.7</value>
221
+ <severity>Medium</severity>
222
+ </score>
223
+
224
+ </CVSS>
225
+ </classification>
226
+
227
+ </vulnerability>
228
+ <vulnerability confirmed="True">
229
+ <url>http://localhost:3000/</url>
230
+ <type>SslVersion3Support</type>
231
+ <severity>Medium</severity>
232
+ <certainty>100</certainty>
233
+ <description><p>{PRODUCT} detected that insecure transportation security protocol (SSLv3) is supported by your web server.</p><p>SSLv3 has several flaws. An attacker can cause connection failures and they can trigger the use of SSL 3.0 to exploit vulnerabilities like POODLE.</p></description>
234
+ <remedy><div><p>Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.</p><ul><li>For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.<pre class="xml code">SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
235
+ </pre></li><li>For Nginx, locate any use of the directive ssl_protocols in the <code>nginx.conf</code> file and remove <code>SSLv3</code>.<pre class="code">ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
236
+ </pre></li><li>For Microsoft IIS, you should make some changes on the system registry.<ol><li>Click on Start and then Run, type <code>regedt32</code> or <code>regedit</code>, and then click OK.</li><li>In Registry Editor, locate the following registry key or create if it does not exist:<pre class="code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\
237
+ </pre></li><li>Locate a key named <code>Server</code> or create if it doesn't exist.</li><li>Under the <code>Server</code> key, locate a DWORD value named <code>Enabled</code> or create if it doesn't exist and set its value to "0".</li></ol></li><li>For Lighttpd, put the following lines in your configuration file:<pre class="code">ssl.use-sslv2 = "disable"
238
+ ssl.use-sslv3 = "disable"
239
+ </pre></li></ul></div></remedy>
240
+
241
+ <rawrequest><![CDATA[[NETSPARKER] SSL Connection]]></rawrequest>
242
+ <rawresponse><![CDATA[[NETSPARKER] SSL Connection]]></rawresponse>
243
+ <extrainformation>
244
+ </extrainformation>
245
+
246
+ <proofs></proofs>
247
+
248
+
249
+ <classification>
250
+ <OWASP2013>A6</OWASP2013>
251
+ <WASC>4</WASC>
252
+ <CWE>327</CWE>
253
+ <CAPEC>217</CAPEC>
254
+ <PCI31>6.5.4</PCI31>
255
+ <PCI32>6.5.4</PCI32>
256
+ <HIPAA></HIPAA>
257
+ <OWASPPC></OWASPPC>
258
+
259
+ <CVSS>
260
+ <vector>CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C</vector>
261
+
262
+ <score>
263
+ <type>Base</type>
264
+ <value>6.8</value>
265
+ <severity>Medium</severity>
266
+ </score>
267
+ <score>
268
+ <type>Temporal</type>
269
+ <value>6.1</value>
270
+ <severity>Medium</severity>
271
+ </score>
272
+ <score>
273
+ <type>Environmental</type>
274
+ <value>6.1</value>
275
+ <severity>Medium</severity>
276
+ </score>
277
+
278
+ </CVSS>
279
+ </classification>
280
+
281
+ </vulnerability>
282
+ <vulnerability confirmed="True">
283
+ <url>http://localhost:3000/login</url>
284
+ <type>AutoCompleteEnabled</type>
285
+ <severity>Low</severity>
286
+ <certainty>100</certainty>
287
+ <description><p>{PRODUCT} detected that autocomplete is enabled in one or more of the form fields which might contain sensitive information like "username", "credit card" or "CVV".</p></description>
288
+ <remedy></remedy>
289
+
290
+ <rawrequest><![CDATA[GET /login HTTP/1.1
291
+ Host: localhost:3000
292
+ Cache-Control: no-cache
293
+ Referer: http://localhost:3000/
294
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
295
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
296
+ Accept-Language: en-us,en;q=0.5
297
+ X-Scanner: Netsparker
298
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
299
+ Accept-Encoding: gzip, deflate
300
+
301
+ ]]></rawrequest>
302
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
303
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
304
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
305
+ X-Content-Type-Options: nosniff
306
+ X-Runtime: 0.009771
307
+ Connection: Keep-Alive
308
+ X-Xss-Protection: 1; mode=block
309
+ X-Frame-Options: SAMEORIGIN
310
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
311
+ Content-Type: text/html; charset=utf-8
312
+ Content-Length: 4617
313
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
314
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
315
+ Cache-Control: max-age=0, private, must-revalidate
316
+
317
+ <!DOCTYPE html>
318
+ <html lang="en">
319
+ <head>
320
+ <meta charset="utf-8" />
321
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
322
+ <title>HNL Security Team Project Tracking System</title>
323
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
324
+ <meta name="description" content="Redmine" />
325
+ <meta name="keywords" content="issue,bug,tracker" />
326
+ <meta name="csrf-param" content="authenticity_token" />
327
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
328
+ <link rel='shortcut icon' href='/favicon.ico' />
329
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
330
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
331
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
332
+
333
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
334
+ <script src="/javascripts/application.js"></script>
335
+ <script src="/javascripts/responsive.js"></script>
336
+ <script>
337
+ //<![CDATA[
338
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
339
+ //]]]]><![CDATA[>
340
+ </script>
341
+
342
+
343
+ <!-- page specific tags -->
344
+ </head>
345
+ <body class="controller-account action-login">
346
+
347
+ <div id="wrapper">
348
+
349
+ <div class="flyout-menu js-flyout-menu">
350
+
351
+
352
+ <div class="flyout-menu__search">
353
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
354
+
355
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
356
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
357
+ </form> </div>
358
+
359
+
360
+
361
+ <h3>General</h3>
362
+ <span class="js-general-menu"></span>
363
+
364
+ <span class="js-sidebar flyout-menu__sidebar"></span>
365
+
366
+ <h3>Profile</h3>
367
+ <span class="js-profile-menu"></span>
368
+
369
+ </div>
370
+
371
+ <div id="wrapper2">
372
+ <div id="wrapper3">
373
+ <div id="top-menu">
374
+ <div id="account">
375
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
376
+
377
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
378
+
379
+ <div id="header">
380
+
381
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
382
+
383
+ <div id="quick-search">
384
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
385
+
386
+ <label for='q'>
387
+ <a accesskey="4" href="/search">Search</a>:
388
+ </label>
389
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
390
+ </form>
391
+ </div>
392
+
393
+ <h1>HNL Security Team Project Tracking System</h1>
394
+
395
+ </div>
396
+
397
+ <div id="main" class="nosidebar">
398
+ <div id="sidebar">
399
+
400
+
401
+ </div>
402
+
403
+ <div id="content">
404
+
405
+
406
+ <div id="login-form">
407
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
408
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
409
+ <table>
410
+ <tr>
411
+ <td style="text-align:right;"><label for="username">Login:</label></td>
412
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
413
+ </tr>
414
+ <tr>
415
+ <td style="text-align:right;"><label for="password">Password:</label></td>
416
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
417
+ </tr>
418
+ <tr>
419
+ <td></td>
420
+ <td style="text-align:left;">
421
+ </td>
422
+ </tr>
423
+ <tr>
424
+ <td style="text-align:left;">
425
+ <a href="/account/lost_password">Lost password</a>
426
+ </td>
427
+ <td style="text-align:right;">
428
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
429
+ </td>
430
+ </tr>
431
+ </table>
432
+ </form></div>
433
+
434
+
435
+ <script>
436
+ //<![CDATA[
437
+ $('#username').focus();
438
+ //]]]]><![CDATA[>
439
+ </script>
440
+
441
+
442
+ <div style="clear:both;"></div>
443
+ </div>
444
+ </div>
445
+ </div>
446
+
447
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
448
+ <div id="ajax-modal" style="display:none;"></div>
449
+
450
+ <div id="footer">
451
+ <div class="bgl"><div class="bgr">
452
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
453
+ </div></div>
454
+ </div>
455
+ </div>
456
+ </div>
457
+
458
+ </body>
459
+ </html>
460
+ ]]></rawresponse>
461
+ <extrainformation>
462
+ <info name="Identified Field Name"><![CDATA[username]]></info>
463
+ </extrainformation>
464
+
465
+ <proofs></proofs>
466
+
467
+
468
+ <classification>
469
+ <OWASP2013>A5</OWASP2013>
470
+ <WASC>15</WASC>
471
+ <CWE>16</CWE>
472
+ <CAPEC></CAPEC>
473
+ <PCI31></PCI31>
474
+ <PCI32></PCI32>
475
+ <HIPAA></HIPAA>
476
+ <OWASPPC></OWASPPC>
477
+
478
+ <CVSS>
479
+ <vector>CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vector>
480
+
481
+ <score>
482
+ <type>Base</type>
483
+ <value>4.6</value>
484
+ <severity>Medium</severity>
485
+ </score>
486
+ <score>
487
+ <type>Temporal</type>
488
+ <value>4.6</value>
489
+ <severity>Medium</severity>
490
+ </score>
491
+ <score>
492
+ <type>Environmental</type>
493
+ <value>4.6</value>
494
+ <severity>Medium</severity>
495
+ </score>
496
+
497
+ </CVSS>
498
+ </classification>
499
+
500
+ </vulnerability>
501
+ <vulnerability confirmed="False">
502
+ <url>http://localhost:3000/</url>
503
+ <type>VersionDisclosureRuby</type>
504
+ <severity>Low</severity>
505
+ <certainty>90</certainty>
506
+ <description><p>{PRODUCT} identified that the target web server is disclosing the Ruby version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Ruby.</p></description>
507
+ <remedy><div>Configure your web server to prevent information leakage from its HTTP response.</div></remedy>
508
+
509
+ <rawrequest><![CDATA[GET / HTTP/1.1
510
+ Host: localhost:3000
511
+ Cache-Control: no-cache
512
+ Connection: Keep-Alive
513
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
514
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
515
+ Accept-Language: en-us,en;q=0.5
516
+ X-Scanner: Netsparker
517
+ Accept-Encoding: gzip, deflate
518
+
519
+ ]]></rawrequest>
520
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
521
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
522
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
523
+ X-Content-Type-Options: nosniff
524
+ X-Runtime: 0.015338
525
+ Connection: Keep-Alive
526
+ X-Xss-Protection: 1; mode=block
527
+ X-Frame-Options: SAMEORIGIN
528
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
529
+ Content-Type: text/html; charset=utf-8
530
+ Content-Length: 3876
531
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
532
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
533
+ Cache-Control: max-age=0, private, must-revalidate
534
+
535
+ <!DOCTYPE html>
536
+ <html lang="en">
537
+ <head>
538
+ <meta charset="utf-8" />
539
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
540
+ <title>HNL Security Team Project Tracking System</title>
541
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
542
+ <meta name="description" content="Redmine" />
543
+ <meta name="keywords" content="issue,bug,tracker" />
544
+ <meta name="csrf-param" content="authenticity_token" />
545
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
546
+ <link rel='shortcut icon' href='/favicon.ico' />
547
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
548
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
549
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
550
+
551
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
552
+ <script src="/javascripts/application.js"></script>
553
+ <script src="/javascripts/responsive.js"></script>
554
+ <script>
555
+ //<![CDATA[
556
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
557
+ //]]]]><![CDATA[>
558
+ </script>
559
+
560
+
561
+ <!-- page specific tags -->
562
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
563
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
564
+ </head>
565
+ <body class="controller-welcome action-index">
566
+
567
+ <div id="wrapper">
568
+
569
+ <div class="flyout-menu js-flyout-menu">
570
+
571
+
572
+ <div class="flyout-menu__search">
573
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
574
+
575
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
576
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
577
+ </form> </div>
578
+
579
+
580
+
581
+ <h3>General</h3>
582
+ <span class="js-general-menu"></span>
583
+
584
+ <span class="js-sidebar flyout-menu__sidebar"></span>
585
+
586
+ <h3>Profile</h3>
587
+ <span class="js-profile-menu"></span>
588
+
589
+ </div>
590
+
591
+ <div id="wrapper2">
592
+ <div id="wrapper3">
593
+ <div id="top-menu">
594
+ <div id="account">
595
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
596
+
597
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
598
+
599
+ <div id="header">
600
+
601
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
602
+
603
+ <div id="quick-search">
604
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
605
+
606
+ <label for='q'>
607
+ <a accesskey="4" href="/search">Search</a>:
608
+ </label>
609
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
610
+ </form>
611
+ </div>
612
+
613
+ <h1>HNL Security Team Project Tracking System</h1>
614
+
615
+ </div>
616
+
617
+ <div id="main" class="nosidebar">
618
+ <div id="sidebar">
619
+
620
+
621
+ </div>
622
+
623
+ <div id="content">
624
+
625
+ <h2>Home</h2>
626
+
627
+ <div class="splitcontentleft">
628
+ <div class="wiki">
629
+
630
+ </div>
631
+
632
+ </div>
633
+
634
+ <div class="splitcontentright">
635
+
636
+ </div>
637
+
638
+
639
+
640
+ <div style="clear:both;"></div>
641
+ </div>
642
+ </div>
643
+ </div>
644
+
645
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
646
+ <div id="ajax-modal" style="display:none;"></div>
647
+
648
+ <div id="footer">
649
+ <div class="bgl"><div class="bgr">
650
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
651
+ </div></div>
652
+ </div>
653
+ </div>
654
+ </div>
655
+
656
+ </body>
657
+ </html>
658
+ ]]></rawresponse>
659
+ <extrainformation>
660
+ <info name="ExtractedVersion"><![CDATA[2.3.0]]></info>
661
+ </extrainformation>
662
+
663
+ <proofs></proofs>
664
+
665
+
666
+ <classification>
667
+ <OWASP2013></OWASP2013>
668
+ <WASC>45</WASC>
669
+ <CWE>205</CWE>
670
+ <CAPEC>170</CAPEC>
671
+ <PCI31></PCI31>
672
+ <PCI32></PCI32>
673
+ <HIPAA>164.306(a), 164.308(a)</HIPAA>
674
+ <OWASPPC></OWASPPC>
675
+
676
+ <CVSS>
677
+ <vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
678
+
679
+ <score>
680
+ <type>Base</type>
681
+ <value>5.3</value>
682
+ <severity>Medium</severity>
683
+ </score>
684
+ <score>
685
+ <type>Temporal</type>
686
+ <value>5.3</value>
687
+ <severity>Medium</severity>
688
+ </score>
689
+ <score>
690
+ <type>Environmental</type>
691
+ <value>5.3</value>
692
+ <severity>Medium</severity>
693
+ </score>
694
+
695
+ </CVSS>
696
+ </classification>
697
+
698
+ </vulnerability>
699
+ <vulnerability confirmed="False">
700
+ <url>http://localhost:3000/</url>
701
+ <type>VersionDisclosureWebrick</type>
702
+ <severity>Low</severity>
703
+ <certainty>90</certainty>
704
+ <description><p>{PRODUCT} identified that the target web server is disclosing the WEBrick version in its HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of WEBrick.</p></description>
705
+ <remedy><div>Configure your web server to prevent information leakage from its HTTP response.</div></remedy>
706
+
707
+ <rawrequest><![CDATA[GET / HTTP/1.1
708
+ Host: localhost:3000
709
+ Cache-Control: no-cache
710
+ Connection: Keep-Alive
711
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
712
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
713
+ Accept-Language: en-us,en;q=0.5
714
+ X-Scanner: Netsparker
715
+ Accept-Encoding: gzip, deflate
716
+
717
+ ]]></rawrequest>
718
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
719
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
720
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
721
+ X-Content-Type-Options: nosniff
722
+ X-Runtime: 0.015338
723
+ Connection: Keep-Alive
724
+ X-Xss-Protection: 1; mode=block
725
+ X-Frame-Options: SAMEORIGIN
726
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
727
+ Content-Type: text/html; charset=utf-8
728
+ Content-Length: 3876
729
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
730
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
731
+ Cache-Control: max-age=0, private, must-revalidate
732
+
733
+ <!DOCTYPE html>
734
+ <html lang="en">
735
+ <head>
736
+ <meta charset="utf-8" />
737
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
738
+ <title>HNL Security Team Project Tracking System</title>
739
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
740
+ <meta name="description" content="Redmine" />
741
+ <meta name="keywords" content="issue,bug,tracker" />
742
+ <meta name="csrf-param" content="authenticity_token" />
743
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
744
+ <link rel='shortcut icon' href='/favicon.ico' />
745
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
746
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
747
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
748
+
749
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
750
+ <script src="/javascripts/application.js"></script>
751
+ <script src="/javascripts/responsive.js"></script>
752
+ <script>
753
+ //<![CDATA[
754
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
755
+ //]]]]><![CDATA[>
756
+ </script>
757
+
758
+
759
+ <!-- page specific tags -->
760
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
761
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
762
+ </head>
763
+ <body class="controller-welcome action-index">
764
+
765
+ <div id="wrapper">
766
+
767
+ <div class="flyout-menu js-flyout-menu">
768
+
769
+
770
+ <div class="flyout-menu__search">
771
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
772
+
773
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
774
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
775
+ </form> </div>
776
+
777
+
778
+
779
+ <h3>General</h3>
780
+ <span class="js-general-menu"></span>
781
+
782
+ <span class="js-sidebar flyout-menu__sidebar"></span>
783
+
784
+ <h3>Profile</h3>
785
+ <span class="js-profile-menu"></span>
786
+
787
+ </div>
788
+
789
+ <div id="wrapper2">
790
+ <div id="wrapper3">
791
+ <div id="top-menu">
792
+ <div id="account">
793
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
794
+
795
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
796
+
797
+ <div id="header">
798
+
799
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
800
+
801
+ <div id="quick-search">
802
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
803
+
804
+ <label for='q'>
805
+ <a accesskey="4" href="/search">Search</a>:
806
+ </label>
807
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
808
+ </form>
809
+ </div>
810
+
811
+ <h1>HNL Security Team Project Tracking System</h1>
812
+
813
+ </div>
814
+
815
+ <div id="main" class="nosidebar">
816
+ <div id="sidebar">
817
+
818
+
819
+ </div>
820
+
821
+ <div id="content">
822
+
823
+ <h2>Home</h2>
824
+
825
+ <div class="splitcontentleft">
826
+ <div class="wiki">
827
+
828
+ </div>
829
+
830
+ </div>
831
+
832
+ <div class="splitcontentright">
833
+
834
+ </div>
835
+
836
+
837
+
838
+ <div style="clear:both;"></div>
839
+ </div>
840
+ </div>
841
+ </div>
842
+
843
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
844
+ <div id="ajax-modal" style="display:none;"></div>
845
+
846
+ <div id="footer">
847
+ <div class="bgl"><div class="bgr">
848
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
849
+ </div></div>
850
+ </div>
851
+ </div>
852
+ </div>
853
+
854
+ </body>
855
+ </html>
856
+ ]]></rawresponse>
857
+ <extrainformation>
858
+ <info name="ExtractedVersion"><![CDATA[1.3.1]]></info>
859
+ </extrainformation>
860
+
861
+ <proofs></proofs>
862
+
863
+
864
+ <classification>
865
+ <OWASP2013></OWASP2013>
866
+ <WASC>45</WASC>
867
+ <CWE>205</CWE>
868
+ <CAPEC>170</CAPEC>
869
+ <PCI31></PCI31>
870
+ <PCI32></PCI32>
871
+ <HIPAA>164.306(a), 164.308(a)</HIPAA>
872
+ <OWASPPC></OWASPPC>
873
+
874
+ <CVSS>
875
+ <vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
876
+
877
+ <score>
878
+ <type>Base</type>
879
+ <value>5.3</value>
880
+ <severity>Medium</severity>
881
+ </score>
882
+ <score>
883
+ <type>Temporal</type>
884
+ <value>5.3</value>
885
+ <severity>Medium</severity>
886
+ </score>
887
+ <score>
888
+ <type>Environmental</type>
889
+ <value>5.3</value>
890
+ <severity>Medium</severity>
891
+ </score>
892
+
893
+ </CVSS>
894
+ </classification>
895
+
896
+ </vulnerability>
897
+ <vulnerability confirmed="True">
898
+ <url>http://localhost:3000/</url>
899
+ <type>TlsVersion1Support</type>
900
+ <severity>Low</severity>
901
+ <certainty>100</certainty>
902
+ <description><p>{PRODUCT} detected that insecure transportation security protocol (TLS 1.0) is supported by your web server.</p><p>TLS 1.0 has several flaws. An attacker can cause connection failures and they can trigger the use of TLS 1.0 to exploit vulnerabilities like BEAST (Browser Exploit Against SSL/TLS).</p><p>Websites using TLS 1.0 will be considered non-compliant by PCI after 30 June 2018.</p></description>
903
+ <remedy><div><p>Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.</p><ul><li>For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.<pre class="xml code">SSLProtocol +TLSv1.1 +TLSv1.2
904
+ </pre></li><li>For Nginx, locate any use of the directive ssl_protocols in the <code>nginx.conf</code> file and remove <code>TLSv1</code>.<pre class="code">ssl_protocols TLSv1.1 TLSv1.2;
905
+ </pre></li><li>For Microsoft IIS, you should make some changes on the system registry.<ol><li>Click on Start and then Run, type <code>regedt32</code> or <code>regedit</code>, and then click OK.</li><li>In Registry Editor, locate the following registry key or create if it does not exist:<pre class="code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
906
+ </pre></li><li>Locate a key named <code>Server</code> or create if it doesn't exist.</li><li>Under the <code>Server</code> key, locate a DWORD value named <code>Enabled</code> or create if it doesn't exist and set its value to "0".</li></ol></li></ul></div></remedy>
907
+
908
+ <rawrequest><![CDATA[[NETSPARKER] SSL Connection]]></rawrequest>
909
+ <rawresponse><![CDATA[[NETSPARKER] SSL Connection]]></rawresponse>
910
+ <extrainformation>
911
+ </extrainformation>
912
+
913
+ <proofs></proofs>
914
+
915
+
916
+ <classification>
917
+ <OWASP2013>A6</OWASP2013>
918
+ <WASC>4</WASC>
919
+ <CWE>327</CWE>
920
+ <CAPEC>217</CAPEC>
921
+ <PCI31>6.5.4</PCI31>
922
+ <PCI32>6.5.4</PCI32>
923
+ <HIPAA></HIPAA>
924
+ <OWASPPC></OWASPPC>
925
+
926
+ </classification>
927
+
928
+ </vulnerability>
929
+ <vulnerability confirmed="True">
930
+ <url>http://localhost:3000/robots.txt</url>
931
+ <type>RobotsIdentified</type>
932
+ <severity>Information</severity>
933
+ <certainty>100</certainty>
934
+ <description><p>{PRODUCT} detected a <code>Robots.txt</code> file with potentially sensitive content.</p></description>
935
+ <remedy><div><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Ensure you have nothing sensitive exposed within this file, such as the path of an administration panel. If disallowed paths are sensitive and you want to keep it from unauthorized access, do not write them in the <code>Robots.txt</code>, and ensure they are correctly protected by means of authentication.</span></div><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;"><code>Robots.txt</code> is only used to instruct search robots which resources should be indexed and which ones are not.</span></p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">The following block can be used to tell the crawler to index files under /web/ and </span><strong>ignore the rest</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">:</span><br></div><pre>User-Agent: *<br>Allow: /web/<br>Disallow: /</pre><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Please note that when you use the instructions above, </span><strong>search engines will not index your website </strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">except for the specified directories.</span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">If you want to hide certain section of the website from the search engines <code>X-Robots-Tag</code> can be set in the response header to tell crawlers whether the file should be indexed or not:</span><br></p></div><pre>X-Robots-Tag: googlebot: nofollow<br>X-Robots-Tag: otherbot: noindex, nofollow<br></pre><div><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">By using <code>X-Robots-Tag</code> you don't have to list the these files in your <code>Robots.txt</code>. </span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">It is also not possible to prevent media files from being indexed by putting using Robots Meta Tags. 
<code>X-Robots-Tag</code> resolves this issue as well.</span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">For Apache, the following snippet can be put into <code>httpd.conf</code> or an <code>.htaccess</code> file to restrict crawlers to index multimedia files without exposing them in <code>Robots.txt</code></span><br></p></div><pre>&lt;Files ~ "\.pdf$"&gt;<br># Don't index PDF files.<br> Header set X-Robots-Tag "noindex, nofollow"<br>&lt;/Files&gt;</pre><pre>&lt;Files ~ "\.(png|jpe?g|gif)$"&gt;<br>#Don't index image files.<br> Header set X-Robots-Tag "noindex"<br>&lt;/Files&gt;</pre><div>&nbsp;<br></div></remedy>
936
+
937
+ <rawrequest><![CDATA[GET /robots.txt HTTP/1.1
938
+ Host: localhost:3000
939
+ Cache-Control: no-cache
940
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
941
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
942
+ Accept-Language: en-us,en;q=0.5
943
+ X-Scanner: Netsparker
944
+ Cookie: _redmine_session=dXFGaE1aakY4ZWxQV0ZiMVlmaWtaUTBpYlQrOVlkWWUxOUtuYlJZMHgwT3ZFUlZheVJmSnQ2SUllUi9hYktZOWU5OFhGTjJ6S1V2NHZxd21vLzhwUDBDZXZZVjdmeFZaOXA1emprRktNODQ4SW9OV3JSWUZrYllRWXpxSjFHazcrMVFBNFova2JQNnBIK0N5YmpvRGZhOWVLVEY0RHJkRjBIL3NScmZGOHZISFcvM0lOSHBVVnlEK3dYaDNmVFFtV3FBb216T0V2aE0zdVpQRUZweDRZbDdncWN4TWxjYjZoRzByejQ5YlFzR2FpaHNUS1poM1JaOWV6YWJpWkl2NmhBM0Z2cmt0TzQzMnZ1YVIvUm5FdmNOUTgvOUFpV1lKSVloaVkvZkM5eDFiK0l1SXNHUzhhSlMwTExHYjBSM0gtLXdzSDI3Q1NNRllPK0FmRjI0cnZkVmc9PQ%3D%3D--054cb1c4bd8ee505c94de1d15b77d628ee5202ae
945
+ Accept-Encoding: gzip, deflate
946
+
947
+ ]]></rawrequest>
948
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
949
+ Set-Cookie: _redmine_session=TEVOVmFFcm11RCtqT1lLZFdPUTh1QkRPTEZCdEhOVWNwbW56Wnl1bGpDT2pFWUFIQ0x6NjQyN0tYWDFwRW9tRWtVWnFXYXlEUzZYQXFKODkxRlNMVlVxYUlGVktmaUNLYmdaeVJnMjBGT2FlRXNmK0FXR3V4ZlhLaUJvMVZ5QmoxVE5Ec1A3M2Q2cXRIZ2FOYm5VUTZvcjdRelJ1elhpdGUxWG1nd09sU2NDZGlpcjU0blNWSVhreVNsb3dOWDhQdVBjVWJ3K0U2bkQrTmlyUEpNWmdpN2xIMFpNS2J2K1NVVGkzalBPSk5EQlNSeDY5Nk5aSzVFbEJkUHNhbVZWVHNWZkEya3FPeUduUlo0aEdOVHpaSWxWV3JLMkliZnE3N0tKRUJzOVo1aHI0a2x6emE1VzJtV3lRNnE4VGVQaWMtLXJvRmM4VnRDTFZJTHI4dm4vLzVnU1E9PQ%3D%3D--54b4336d57a06867496da46514052a428dfe476f; path=/; HttpOnly
950
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
951
+ X-Content-Type-Options: nosniff
952
+ X-Runtime: 0.004503
953
+ Connection: Keep-Alive
954
+ X-Xss-Protection: 1; mode=block
955
+ X-Frame-Options: SAMEORIGIN
956
+ X-Request-Id: d322a824-0038-4e11-b073-c7d6a4d31580
957
+ Content-Type: text/html; charset=utf-8
958
+ Content-Length: 103
959
+ Date: Thu, 08 Dec 2016 19:56:14 GMT
960
+ Etag: W/"e5d026a5a27744c1c3d9c77b3e035178"
961
+ Cache-Control: max-age=0, private, must-revalidate
962
+
963
+ User-agent: *
964
+ Disallow: /issues/gantt
965
+ Disallow: /issues/calendar
966
+ Disallow: /activity
967
+ Disallow: /search
968
+ ]]></rawresponse>
969
+ <extrainformation>
970
+ <info name="Interesting Robots.txt Entries"><![CDATA[Disallow: /issues/gantt, Disallow: /issues/calendar, Disallow: /activity, Disallow: /search]]></info>
971
+ </extrainformation>
972
+
973
+ <proofs></proofs>
974
+
975
+
976
+ <classification>
977
+ <OWASP2013></OWASP2013>
978
+ <WASC></WASC>
979
+ <CWE></CWE>
980
+ <CAPEC></CAPEC>
981
+ <PCI31></PCI31>
982
+ <PCI32></PCI32>
983
+ <HIPAA></HIPAA>
984
+ <OWASPPC>C7</OWASPPC>
985
+
986
+ </classification>
987
+
988
+ </vulnerability>
989
+ <vulnerability confirmed="True">
990
+ <url>http://localhost:3000/login</url>
991
+ <type>AutoCompleteEnabledPasswordField</type>
992
+ <severity>Information</severity>
993
+ <certainty>100</certainty>
994
+ <description><p>{PRODUCT} detected that autocomplete is enabled in one or more of the password fields.</p></description>
995
+ <remedy></remedy>
996
+
997
+ <rawrequest><![CDATA[GET /login HTTP/1.1
998
+ Host: localhost:3000
999
+ Cache-Control: no-cache
1000
+ Referer: http://localhost:3000/
1001
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1002
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1003
+ Accept-Language: en-us,en;q=0.5
1004
+ X-Scanner: Netsparker
1005
+ Cookie: _redmine_session=Z1BMOHFEY2RERDVJUldNL1RqNG92dmJ2bVFNcUwyVm54Z09PTTJEUkhTM0VCOW1Yd3lYNWtRNmNOYTR6cGVRZkgyWXVGcUl2MTg1UERlc3ZWNjBLZHZBRkZzUXJTbER6UTNVTGQ2amdZVmRaZXg4aCtSdXVaVzcrZExGMEVXdC9LaWp6ZE96WWVPWGJ0NmE1cE1WbGQvQXdiczhuUGZNejE5dTF3ekM0WW4wYzF6V2xwenNXdnRvd05YRHF1V0F3NDc3bUdJc0xlYXc5ck53M2FSY2pLNTd3L2I4dEJuS04rNVZrc1k5TXFiREE4WkJQZ1NxRmJMMmJaYlZxRlNlYzhtSHZxRFFIS01KamJ1UjdHUVdYMjlETC9WN1lBMUZERlBLSm5aRU1RWnAzbG05N002NldVTFg0SmY3ZTA1bHctLW9SSGxMblRLc2o5a1VFQTg5N1MzQXc9PQ%3D%3D--8c3350ab21690b49d42705363c23860a196cdae0
1006
+ Accept-Encoding: gzip, deflate
1007
+
1008
+ ]]></rawrequest>
1009
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1010
+ Set-Cookie: _redmine_session=MFRLazZ0NFFuQUVpamxhbnZJbWpxRThZSVpJUng5L0FPYlRFQy9uUmsxcm4xN0ROZGhNN0ltVmZIejhtQjdBSmIzQTg2cXIwZ3hPUGMxcTRZSXQ4dEdKRmFRTkdwUkpJZG8zbFppZldwRC9TcWF5OWdraHBackJtckVWUGEyZ2poMlVHeXpnWHE0NVR4QXRZaElqbmJXZVJiVWNRck1OUmxKY0xxTkxaVXNmVUVjaUhyRWhackRUbDlJRlJZYjlnLS05SW9kaHlZK1oyOGZlQmg3cUNXdjFRPT0%3D--fec1b0a3d26c80dd3241888bb49365054793188f; path=/; HttpOnly
1011
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1012
+ X-Content-Type-Options: nosniff
1013
+ X-Runtime: 0.009771
1014
+ Connection: Keep-Alive
1015
+ X-Xss-Protection: 1; mode=block
1016
+ X-Frame-Options: SAMEORIGIN
1017
+ X-Request-Id: a2e0332c-ac9b-4668-8c98-0590efe7b57e
1018
+ Content-Type: text/html; charset=utf-8
1019
+ Content-Length: 4617
1020
+ Date: Thu, 08 Dec 2016 19:56:16 GMT
1021
+ Etag: W/"8d030fd5a6fb923712bfdd6647b81414"
1022
+ Cache-Control: max-age=0, private, must-revalidate
1023
+
1024
+ <!DOCTYPE html>
1025
+ <html lang="en">
1026
+ <head>
1027
+ <meta charset="utf-8" />
1028
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1029
+ <title>HNL Security Team Project Tracking System</title>
1030
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1031
+ <meta name="description" content="Redmine" />
1032
+ <meta name="keywords" content="issue,bug,tracker" />
1033
+ <meta name="csrf-param" content="authenticity_token" />
1034
+ <meta name="csrf-token" content="I6weEBpkwMCXdbHbdfXBPGY4D8CW4Wbtnc+3oCdU9egPc8QJIofJtkdEZtuqjf2A5yhZlMOuoH5PMI+t6fO17w==" />
1035
+ <link rel='shortcut icon' href='/favicon.ico' />
1036
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1037
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1038
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1039
+
1040
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1041
+ <script src="/javascripts/application.js"></script>
1042
+ <script src="/javascripts/responsive.js"></script>
1043
+ <script>
1044
+ //<![CDATA[
1045
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1046
+ //]]]]><![CDATA[>
1047
+ </script>
1048
+
1049
+
1050
+ <!-- page specific tags -->
1051
+ </head>
1052
+ <body class="controller-account action-login">
1053
+
1054
+ <div id="wrapper">
1055
+
1056
+ <div class="flyout-menu js-flyout-menu">
1057
+
1058
+
1059
+ <div class="flyout-menu__search">
1060
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1061
+
1062
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1063
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1064
+ </form> </div>
1065
+
1066
+
1067
+
1068
+ <h3>General</h3>
1069
+ <span class="js-general-menu"></span>
1070
+
1071
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1072
+
1073
+ <h3>Profile</h3>
1074
+ <span class="js-profile-menu"></span>
1075
+
1076
+ </div>
1077
+
1078
+ <div id="wrapper2">
1079
+ <div id="wrapper3">
1080
+ <div id="top-menu">
1081
+ <div id="account">
1082
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1083
+
1084
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1085
+
1086
+ <div id="header">
1087
+
1088
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1089
+
1090
+ <div id="quick-search">
1091
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1092
+
1093
+ <label for='q'>
1094
+ <a accesskey="4" href="/search">Search</a>:
1095
+ </label>
1096
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1097
+ </form>
1098
+ </div>
1099
+
1100
+ <h1>HNL Security Team Project Tracking System</h1>
1101
+
1102
+ </div>
1103
+
1104
+ <div id="main" class="nosidebar">
1105
+ <div id="sidebar">
1106
+
1107
+
1108
+ </div>
1109
+
1110
+ <div id="content">
1111
+
1112
+
1113
+ <div id="login-form">
1114
+ <form onsubmit="return keepAnchorOnSignIn(this);" action="/login" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="&#x2713;" /><input type="hidden" name="authenticity_token" value="R6BbMva0XQgJFncuT2APQ+ImLhLrLaZcEVApzVpKGs5rf4ErzldUftknoC6QGDP/YzZ4Rr5iYM/DrxHAlO1ayQ==" />
1115
+ <input type="hidden" name="back_url" value="http://localhost:3000/" />
1116
+ <table>
1117
+ <tr>
1118
+ <td style="text-align:right;"><label for="username">Login:</label></td>
1119
+ <td style="text-align:left;"><input type="text" name="username" id="username" tabindex="1" /></td>
1120
+ </tr>
1121
+ <tr>
1122
+ <td style="text-align:right;"><label for="password">Password:</label></td>
1123
+ <td style="text-align:left;"><input type="password" name="password" id="password" tabindex="2" /></td>
1124
+ </tr>
1125
+ <tr>
1126
+ <td></td>
1127
+ <td style="text-align:left;">
1128
+ </td>
1129
+ </tr>
1130
+ <tr>
1131
+ <td style="text-align:left;">
1132
+ <a href="/account/lost_password">Lost password</a>
1133
+ </td>
1134
+ <td style="text-align:right;">
1135
+ <input type="submit" name="login" value="Login &#187;" tabindex="5"/>
1136
+ </td>
1137
+ </tr>
1138
+ </table>
1139
+ </form></div>
1140
+
1141
+
1142
+ <script>
1143
+ //<![CDATA[
1144
+ $('#username').focus();
1145
+ //]]]]><![CDATA[>
1146
+ </script>
1147
+
1148
+
1149
+ <div style="clear:both;"></div>
1150
+ </div>
1151
+ </div>
1152
+ </div>
1153
+
1154
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1155
+ <div id="ajax-modal" style="display:none;"></div>
1156
+
1157
+ <div id="footer">
1158
+ <div class="bgl"><div class="bgr">
1159
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1160
+ </div></div>
1161
+ </div>
1162
+ </div>
1163
+ </div>
1164
+
1165
+ </body>
1166
+ </html>
1167
+ ]]></rawresponse>
1168
+ <extrainformation>
1169
+ <info name="Identified Field Name"><![CDATA[password]]></info>
1170
+ </extrainformation>
1171
+
1172
+ <proofs></proofs>
1173
+
1174
+
1175
+ <classification>
1176
+ <OWASP2013>A5</OWASP2013>
1177
+ <WASC>15</WASC>
1178
+ <CWE>16</CWE>
1179
+ <CAPEC></CAPEC>
1180
+ <PCI31></PCI31>
1181
+ <PCI32></PCI32>
1182
+ <HIPAA></HIPAA>
1183
+ <OWASPPC></OWASPPC>
1184
+
1185
+ <CVSS>
1186
+ <vector>CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vector>
1187
+
1188
+ <score>
1189
+ <type>Base</type>
1190
+ <value>4.6</value>
1191
+ <severity>Medium</severity>
1192
+ </score>
1193
+ <score>
1194
+ <type>Temporal</type>
1195
+ <value>4.6</value>
1196
+ <severity>Medium</severity>
1197
+ </score>
1198
+ <score>
1199
+ <type>Environmental</type>
1200
+ <value>4.6</value>
1201
+ <severity>Medium</severity>
1202
+ </score>
1203
+
1204
+ </CVSS>
1205
+ </classification>
1206
+
1207
+ </vulnerability>
1208
+ <vulnerability confirmed="False">
1209
+ <url>http://localhost:3000/</url>
1210
+ <type>RubyOutOfDate</type>
1211
+ <severity>Information</severity>
1212
+ <certainty>90</certainty>
1213
+ <description><p>{PRODUCT} identified the target web site is using Ruby and detected that it is out of date.</p></description>
1214
+ <remedy><div><p>Please upgrade your installation of Ruby to the latest stable version.</p></div></remedy>
1215
+
1216
+ <rawrequest><![CDATA[GET / HTTP/1.1
1217
+ Host: localhost:3000
1218
+ Cache-Control: no-cache
1219
+ Connection: Keep-Alive
1220
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1221
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1222
+ Accept-Language: en-us,en;q=0.5
1223
+ X-Scanner: Netsparker
1224
+ Accept-Encoding: gzip, deflate
1225
+
1226
+ ]]></rawrequest>
1227
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1228
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1229
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1230
+ X-Content-Type-Options: nosniff
1231
+ X-Runtime: 0.015338
1232
+ Connection: Keep-Alive
1233
+ X-Xss-Protection: 1; mode=block
1234
+ X-Frame-Options: SAMEORIGIN
1235
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1236
+ Content-Type: text/html; charset=utf-8
1237
+ Content-Length: 3876
1238
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1239
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1240
+ Cache-Control: max-age=0, private, must-revalidate
1241
+
1242
+ <!DOCTYPE html>
1243
+ <html lang="en">
1244
+ <head>
1245
+ <meta charset="utf-8" />
1246
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1247
+ <title>HNL Security Team Project Tracking System</title>
1248
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1249
+ <meta name="description" content="Redmine" />
1250
+ <meta name="keywords" content="issue,bug,tracker" />
1251
+ <meta name="csrf-param" content="authenticity_token" />
1252
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1253
+ <link rel='shortcut icon' href='/favicon.ico' />
1254
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1255
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1256
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1257
+
1258
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1259
+ <script src="/javascripts/application.js"></script>
1260
+ <script src="/javascripts/responsive.js"></script>
1261
+ <script>
1262
+ //<![CDATA[
1263
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1264
+ //]]]]><![CDATA[>
1265
+ </script>
1266
+
1267
+
1268
+ <!-- page specific tags -->
1269
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1270
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1271
+ </head>
1272
+ <body class="controller-welcome action-index">
1273
+
1274
+ <div id="wrapper">
1275
+
1276
+ <div class="flyout-menu js-flyout-menu">
1277
+
1278
+
1279
+ <div class="flyout-menu__search">
1280
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1281
+
1282
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1283
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1284
+ </form> </div>
1285
+
1286
+
1287
+
1288
+ <h3>General</h3>
1289
+ <span class="js-general-menu"></span>
1290
+
1291
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1292
+
1293
+ <h3>Profile</h3>
1294
+ <span class="js-profile-menu"></span>
1295
+
1296
+ </div>
1297
+
1298
+ <div id="wrapper2">
1299
+ <div id="wrapper3">
1300
+ <div id="top-menu">
1301
+ <div id="account">
1302
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1303
+
1304
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1305
+
1306
+ <div id="header">
1307
+
1308
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1309
+
1310
+ <div id="quick-search">
1311
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1312
+
1313
+ <label for='q'>
1314
+ <a accesskey="4" href="/search">Search</a>:
1315
+ </label>
1316
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1317
+ </form>
1318
+ </div>
1319
+
1320
+ <h1>HNL Security Team Project Tracking System</h1>
1321
+
1322
+ </div>
1323
+
1324
+ <div id="main" class="nosidebar">
1325
+ <div id="sidebar">
1326
+
1327
+
1328
+ </div>
1329
+
1330
+ <div id="content">
1331
+
1332
+ <h2>Home</h2>
1333
+
1334
+ <div class="splitcontentleft">
1335
+ <div class="wiki">
1336
+
1337
+ </div>
1338
+
1339
+ </div>
1340
+
1341
+ <div class="splitcontentright">
1342
+
1343
+ </div>
1344
+
1345
+
1346
+
1347
+ <div style="clear:both;"></div>
1348
+ </div>
1349
+ </div>
1350
+ </div>
1351
+
1352
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1353
+ <div id="ajax-modal" style="display:none;"></div>
1354
+
1355
+ <div id="footer">
1356
+ <div class="bgl"><div class="bgr">
1357
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1358
+ </div></div>
1359
+ </div>
1360
+ </div>
1361
+ </div>
1362
+
1363
+ </body>
1364
+ </html>
1365
+ ]]></rawresponse>
1366
+ <extrainformation>
1367
+ <info name="Identified Version"><![CDATA[2.3.0]]></info>
1368
+ <info name="Latest Version"><![CDATA[2.3.1]]></info>
1369
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1370
+ </extrainformation>
1371
+
1372
+ <proofs></proofs>
1373
+
1374
+
1375
+ <classification>
1376
+ <OWASP2013>A9</OWASP2013>
1377
+ <WASC></WASC>
1378
+ <CWE></CWE>
1379
+ <CAPEC>310</CAPEC>
1380
+ <PCI31>6.2</PCI31>
1381
+ <PCI32>6.2</PCI32>
1382
+ <HIPAA></HIPAA>
1383
+ <OWASPPC>C1</OWASPPC>
1384
+
1385
+ </classification>
1386
+
1387
+ </vulnerability>
1388
+ <vulnerability confirmed="False">
1389
+ <url>http://localhost:3000/</url>
1390
+ <type>JqueryOutOfDate</type>
1391
+ <severity>Information</severity>
1392
+ <certainty>90</certainty>
1393
+ <description><p>{PRODUCT} identified the target web site is using jQuery and detected that it is out of date.</p></description>
1394
+ <remedy><div><p>Please upgrade your installation of jQuery to the latest stable version.</p></div></remedy>
1395
+
1396
+ <rawrequest><![CDATA[GET / HTTP/1.1
1397
+ Host: localhost:3000
1398
+ Cache-Control: no-cache
1399
+ Connection: Keep-Alive
1400
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1401
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1402
+ Accept-Language: en-us,en;q=0.5
1403
+ X-Scanner: Netsparker
1404
+ Accept-Encoding: gzip, deflate
1405
+
1406
+ ]]></rawrequest>
1407
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1408
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1409
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1410
+ X-Content-Type-Options: nosniff
1411
+ X-Runtime: 0.015338
1412
+ Connection: Keep-Alive
1413
+ X-Xss-Protection: 1; mode=block
1414
+ X-Frame-Options: SAMEORIGIN
1415
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1416
+ Content-Type: text/html; charset=utf-8
1417
+ Content-Length: 3876
1418
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1419
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1420
+ Cache-Control: max-age=0, private, must-revalidate
1421
+
1422
+ <!DOCTYPE html>
1423
+ <html lang="en">
1424
+ <head>
1425
+ <meta charset="utf-8" />
1426
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1427
+ <title>HNL Security Team Project Tracking System</title>
1428
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1429
+ <meta name="description" content="Redmine" />
1430
+ <meta name="keywords" content="issue,bug,tracker" />
1431
+ <meta name="csrf-param" content="authenticity_token" />
1432
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1433
+ <link rel='shortcut icon' href='/favicon.ico' />
1434
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1435
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1436
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1437
+
1438
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1439
+ <script src="/javascripts/application.js"></script>
1440
+ <script src="/javascripts/responsive.js"></script>
1441
+ <script>
1442
+ //<![CDATA[
1443
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1444
+ //]]]]><![CDATA[>
1445
+ </script>
1446
+
1447
+
1448
+ <!-- page specific tags -->
1449
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1450
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1451
+ </head>
1452
+ <body class="controller-welcome action-index">
1453
+
1454
+ <div id="wrapper">
1455
+
1456
+ <div class="flyout-menu js-flyout-menu">
1457
+
1458
+
1459
+ <div class="flyout-menu__search">
1460
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1461
+
1462
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1463
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1464
+ </form> </div>
1465
+
1466
+
1467
+
1468
+ <h3>General</h3>
1469
+ <span class="js-general-menu"></span>
1470
+
1471
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1472
+
1473
+ <h3>Profile</h3>
1474
+ <span class="js-profile-menu"></span>
1475
+
1476
+ </div>
1477
+
1478
+ <div id="wrapper2">
1479
+ <div id="wrapper3">
1480
+ <div id="top-menu">
1481
+ <div id="account">
1482
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1483
+
1484
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1485
+
1486
+ <div id="header">
1487
+
1488
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1489
+
1490
+ <div id="quick-search">
1491
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1492
+
1493
+ <label for='q'>
1494
+ <a accesskey="4" href="/search">Search</a>:
1495
+ </label>
1496
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1497
+ </form>
1498
+ </div>
1499
+
1500
+ <h1>HNL Security Team Project Tracking System</h1>
1501
+
1502
+ </div>
1503
+
1504
+ <div id="main" class="nosidebar">
1505
+ <div id="sidebar">
1506
+
1507
+
1508
+ </div>
1509
+
1510
+ <div id="content">
1511
+
1512
+ <h2>Home</h2>
1513
+
1514
+ <div class="splitcontentleft">
1515
+ <div class="wiki">
1516
+
1517
+ </div>
1518
+
1519
+ </div>
1520
+
1521
+ <div class="splitcontentright">
1522
+
1523
+ </div>
1524
+
1525
+
1526
+
1527
+ <div style="clear:both;"></div>
1528
+ </div>
1529
+ </div>
1530
+ </div>
1531
+
1532
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1533
+ <div id="ajax-modal" style="display:none;"></div>
1534
+
1535
+ <div id="footer">
1536
+ <div class="bgl"><div class="bgr">
1537
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1538
+ </div></div>
1539
+ </div>
1540
+ </div>
1541
+ </div>
1542
+
1543
+ </body>
1544
+ </html>
1545
+ ]]></rawresponse>
1546
+ <extrainformation>
1547
+ <info name="Identified Version"><![CDATA[1.11.1]]></info>
1548
+ <info name="Latest Version"><![CDATA[1.12.4]]></info>
1549
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1550
+ </extrainformation>
1551
+
1552
+ <proofs></proofs>
1553
+
1554
+
1555
+ <classification>
1556
+ <OWASP2013>A9</OWASP2013>
1557
+ <WASC></WASC>
1558
+ <CWE></CWE>
1559
+ <CAPEC>310</CAPEC>
1560
+ <PCI31>6.2</PCI31>
1561
+ <PCI32>6.2</PCI32>
1562
+ <HIPAA></HIPAA>
1563
+ <OWASPPC>C1</OWASPPC>
1564
+
1565
+ </classification>
1566
+
1567
+ </vulnerability>
1568
+ <vulnerability confirmed="False">
1569
+ <url>http://localhost:3000/</url>
1570
+ <type>JqueryUiDialogOutOfDate</type>
1571
+ <severity>Information</severity>
1572
+ <certainty>90</certainty>
1573
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Dialog and detected that it is out of date.</p></description>
1574
+ <remedy><div><p>Please upgrade your installation of jQuery UI Dialog to the latest stable version.</p></div></remedy>
1575
+
1576
+ <rawrequest><![CDATA[GET / HTTP/1.1
1577
+ Host: localhost:3000
1578
+ Cache-Control: no-cache
1579
+ Connection: Keep-Alive
1580
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1581
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1582
+ Accept-Language: en-us,en;q=0.5
1583
+ X-Scanner: Netsparker
1584
+ Accept-Encoding: gzip, deflate
1585
+
1586
+ ]]></rawrequest>
1587
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1588
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1589
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1590
+ X-Content-Type-Options: nosniff
1591
+ X-Runtime: 0.015338
1592
+ Connection: Keep-Alive
1593
+ X-Xss-Protection: 1; mode=block
1594
+ X-Frame-Options: SAMEORIGIN
1595
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1596
+ Content-Type: text/html; charset=utf-8
1597
+ Content-Length: 3876
1598
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1599
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1600
+ Cache-Control: max-age=0, private, must-revalidate
1601
+
1602
+ <!DOCTYPE html>
1603
+ <html lang="en">
1604
+ <head>
1605
+ <meta charset="utf-8" />
1606
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1607
+ <title>HNL Security Team Project Tracking System</title>
1608
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1609
+ <meta name="description" content="Redmine" />
1610
+ <meta name="keywords" content="issue,bug,tracker" />
1611
+ <meta name="csrf-param" content="authenticity_token" />
1612
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1613
+ <link rel='shortcut icon' href='/favicon.ico' />
1614
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1615
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1616
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1617
+
1618
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1619
+ <script src="/javascripts/application.js"></script>
1620
+ <script src="/javascripts/responsive.js"></script>
1621
+ <script>
1622
+ //<![CDATA[
1623
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1624
+ //]]]]><![CDATA[>
1625
+ </script>
1626
+
1627
+
1628
+ <!-- page specific tags -->
1629
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1630
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1631
+ </head>
1632
+ <body class="controller-welcome action-index">
1633
+
1634
+ <div id="wrapper">
1635
+
1636
+ <div class="flyout-menu js-flyout-menu">
1637
+
1638
+
1639
+ <div class="flyout-menu__search">
1640
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1641
+
1642
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1643
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1644
+ </form> </div>
1645
+
1646
+
1647
+
1648
+ <h3>General</h3>
1649
+ <span class="js-general-menu"></span>
1650
+
1651
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1652
+
1653
+ <h3>Profile</h3>
1654
+ <span class="js-profile-menu"></span>
1655
+
1656
+ </div>
1657
+
1658
+ <div id="wrapper2">
1659
+ <div id="wrapper3">
1660
+ <div id="top-menu">
1661
+ <div id="account">
1662
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1663
+
1664
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1665
+
1666
+ <div id="header">
1667
+
1668
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1669
+
1670
+ <div id="quick-search">
1671
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1672
+
1673
+ <label for='q'>
1674
+ <a accesskey="4" href="/search">Search</a>:
1675
+ </label>
1676
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1677
+ </form>
1678
+ </div>
1679
+
1680
+ <h1>HNL Security Team Project Tracking System</h1>
1681
+
1682
+ </div>
1683
+
1684
+ <div id="main" class="nosidebar">
1685
+ <div id="sidebar">
1686
+
1687
+
1688
+ </div>
1689
+
1690
+ <div id="content">
1691
+
1692
+ <h2>Home</h2>
1693
+
1694
+ <div class="splitcontentleft">
1695
+ <div class="wiki">
1696
+
1697
+ </div>
1698
+
1699
+ </div>
1700
+
1701
+ <div class="splitcontentright">
1702
+
1703
+ </div>
1704
+
1705
+
1706
+
1707
+ <div style="clear:both;"></div>
1708
+ </div>
1709
+ </div>
1710
+ </div>
1711
+
1712
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1713
+ <div id="ajax-modal" style="display:none;"></div>
1714
+
1715
+ <div id="footer">
1716
+ <div class="bgl"><div class="bgr">
1717
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1718
+ </div></div>
1719
+ </div>
1720
+ </div>
1721
+ </div>
1722
+
1723
+ </body>
1724
+ </html>
1725
+ ]]></rawresponse>
1726
+ <extrainformation>
1727
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
1728
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
1729
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1730
+ </extrainformation>
1731
+
1732
+ <proofs></proofs>
1733
+
1734
+
1735
+ <classification>
1736
+ <OWASP2013>A9</OWASP2013>
1737
+ <WASC></WASC>
1738
+ <CWE></CWE>
1739
+ <CAPEC>310</CAPEC>
1740
+ <PCI31>6.2</PCI31>
1741
+ <PCI32>6.2</PCI32>
1742
+ <HIPAA></HIPAA>
1743
+ <OWASPPC>C1</OWASPPC>
1744
+
1745
+ </classification>
1746
+
1747
+ </vulnerability>
1748
+ <vulnerability confirmed="False">
1749
+ <url>http://localhost:3000/</url>
1750
+ <type>JqueryUiAutocompleteOutOfDate</type>
1751
+ <severity>Information</severity>
1752
+ <certainty>90</certainty>
1753
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.</p></description>
1754
+ <remedy><div><p>Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.</p></div></remedy>
1755
+
1756
+ <rawrequest><![CDATA[GET / HTTP/1.1
1757
+ Host: localhost:3000
1758
+ Cache-Control: no-cache
1759
+ Connection: Keep-Alive
1760
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1761
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1762
+ Accept-Language: en-us,en;q=0.5
1763
+ X-Scanner: Netsparker
1764
+ Accept-Encoding: gzip, deflate
1765
+
1766
+ ]]></rawrequest>
1767
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1768
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1769
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1770
+ X-Content-Type-Options: nosniff
1771
+ X-Runtime: 0.015338
1772
+ Connection: Keep-Alive
1773
+ X-Xss-Protection: 1; mode=block
1774
+ X-Frame-Options: SAMEORIGIN
1775
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1776
+ Content-Type: text/html; charset=utf-8
1777
+ Content-Length: 3876
1778
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1779
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1780
+ Cache-Control: max-age=0, private, must-revalidate
1781
+
1782
+ <!DOCTYPE html>
1783
+ <html lang="en">
1784
+ <head>
1785
+ <meta charset="utf-8" />
1786
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1787
+ <title>HNL Security Team Project Tracking System</title>
1788
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1789
+ <meta name="description" content="Redmine" />
1790
+ <meta name="keywords" content="issue,bug,tracker" />
1791
+ <meta name="csrf-param" content="authenticity_token" />
1792
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1793
+ <link rel='shortcut icon' href='/favicon.ico' />
1794
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1795
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1796
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1797
+
1798
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1799
+ <script src="/javascripts/application.js"></script>
1800
+ <script src="/javascripts/responsive.js"></script>
1801
+ <script>
1802
+ //<![CDATA[
1803
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1804
+ //]]]]><![CDATA[>
1805
+ </script>
1806
+
1807
+
1808
+ <!-- page specific tags -->
1809
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1810
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1811
+ </head>
1812
+ <body class="controller-welcome action-index">
1813
+
1814
+ <div id="wrapper">
1815
+
1816
+ <div class="flyout-menu js-flyout-menu">
1817
+
1818
+
1819
+ <div class="flyout-menu__search">
1820
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1821
+
1822
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
1823
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
1824
+ </form> </div>
1825
+
1826
+
1827
+
1828
+ <h3>General</h3>
1829
+ <span class="js-general-menu"></span>
1830
+
1831
+ <span class="js-sidebar flyout-menu__sidebar"></span>
1832
+
1833
+ <h3>Profile</h3>
1834
+ <span class="js-profile-menu"></span>
1835
+
1836
+ </div>
1837
+
1838
+ <div id="wrapper2">
1839
+ <div id="wrapper3">
1840
+ <div id="top-menu">
1841
+ <div id="account">
1842
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
1843
+
1844
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
1845
+
1846
+ <div id="header">
1847
+
1848
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
1849
+
1850
+ <div id="quick-search">
1851
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
1852
+
1853
+ <label for='q'>
1854
+ <a accesskey="4" href="/search">Search</a>:
1855
+ </label>
1856
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
1857
+ </form>
1858
+ </div>
1859
+
1860
+ <h1>HNL Security Team Project Tracking System</h1>
1861
+
1862
+ </div>
1863
+
1864
+ <div id="main" class="nosidebar">
1865
+ <div id="sidebar">
1866
+
1867
+
1868
+ </div>
1869
+
1870
+ <div id="content">
1871
+
1872
+ <h2>Home</h2>
1873
+
1874
+ <div class="splitcontentleft">
1875
+ <div class="wiki">
1876
+
1877
+ </div>
1878
+
1879
+ </div>
1880
+
1881
+ <div class="splitcontentright">
1882
+
1883
+ </div>
1884
+
1885
+
1886
+
1887
+ <div style="clear:both;"></div>
1888
+ </div>
1889
+ </div>
1890
+ </div>
1891
+
1892
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
1893
+ <div id="ajax-modal" style="display:none;"></div>
1894
+
1895
+ <div id="footer">
1896
+ <div class="bgl"><div class="bgr">
1897
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
1898
+ </div></div>
1899
+ </div>
1900
+ </div>
1901
+ </div>
1902
+
1903
+ </body>
1904
+ </html>
1905
+ ]]></rawresponse>
1906
+ <extrainformation>
1907
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
1908
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
1909
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
1910
+ </extrainformation>
1911
+
1912
+ <proofs></proofs>
1913
+
1914
+
1915
+ <classification>
1916
+ <OWASP2013>A9</OWASP2013>
1917
+ <WASC></WASC>
1918
+ <CWE></CWE>
1919
+ <CAPEC>310</CAPEC>
1920
+ <PCI31>6.2</PCI31>
1921
+ <PCI32>6.2</PCI32>
1922
+ <HIPAA></HIPAA>
1923
+ <OWASPPC>C1</OWASPPC>
1924
+
1925
+ </classification>
1926
+
1927
+ </vulnerability>
1928
+ <vulnerability confirmed="False">
1929
+ <url>http://localhost:3000/</url>
1930
+ <type>JqueryUiTooltipOutOfDate</type>
1931
+ <severity>Information</severity>
1932
+ <certainty>90</certainty>
1933
+ <description><p>{PRODUCT} identified the target web site is using jQuery UI Tooltip and detected that it is out of date.</p></description>
1934
+ <remedy><div><p>Please upgrade your installation of jQuery UI Tooltip to the latest stable version.</p></div></remedy>
1935
+
1936
+ <rawrequest><![CDATA[GET / HTTP/1.1
1937
+ Host: localhost:3000
1938
+ Cache-Control: no-cache
1939
+ Connection: Keep-Alive
1940
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
1941
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
1942
+ Accept-Language: en-us,en;q=0.5
1943
+ X-Scanner: Netsparker
1944
+ Accept-Encoding: gzip, deflate
1945
+
1946
+ ]]></rawrequest>
1947
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
1948
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
1949
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
1950
+ X-Content-Type-Options: nosniff
1951
+ X-Runtime: 0.015338
1952
+ Connection: Keep-Alive
1953
+ X-Xss-Protection: 1; mode=block
1954
+ X-Frame-Options: SAMEORIGIN
1955
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
1956
+ Content-Type: text/html; charset=utf-8
1957
+ Content-Length: 3876
1958
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
1959
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
1960
+ Cache-Control: max-age=0, private, must-revalidate
1961
+
1962
+ <!DOCTYPE html>
1963
+ <html lang="en">
1964
+ <head>
1965
+ <meta charset="utf-8" />
1966
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
1967
+ <title>HNL Security Team Project Tracking System</title>
1968
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
1969
+ <meta name="description" content="Redmine" />
1970
+ <meta name="keywords" content="issue,bug,tracker" />
1971
+ <meta name="csrf-param" content="authenticity_token" />
1972
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
1973
+ <link rel='shortcut icon' href='/favicon.ico' />
1974
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
1975
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
1976
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
1977
+
1978
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
1979
+ <script src="/javascripts/application.js"></script>
1980
+ <script src="/javascripts/responsive.js"></script>
1981
+ <script>
1982
+ //<![CDATA[
1983
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
1984
+ //]]]]><![CDATA[>
1985
+ </script>
1986
+
1987
+
1988
+ <!-- page specific tags -->
1989
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
1990
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
1991
+ </head>
1992
+ <body class="controller-welcome action-index">
1993
+
1994
+ <div id="wrapper">
1995
+
1996
+ <div class="flyout-menu js-flyout-menu">
1997
+
1998
+
1999
+ <div class="flyout-menu__search">
2000
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2001
+
2002
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
2003
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
2004
+ </form> </div>
2005
+
2006
+
2007
+
2008
+ <h3>General</h3>
2009
+ <span class="js-general-menu"></span>
2010
+
2011
+ <span class="js-sidebar flyout-menu__sidebar"></span>
2012
+
2013
+ <h3>Profile</h3>
2014
+ <span class="js-profile-menu"></span>
2015
+
2016
+ </div>
2017
+
2018
+ <div id="wrapper2">
2019
+ <div id="wrapper3">
2020
+ <div id="top-menu">
2021
+ <div id="account">
2022
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
2023
+
2024
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
2025
+
2026
+ <div id="header">
2027
+
2028
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
2029
+
2030
+ <div id="quick-search">
2031
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2032
+
2033
+ <label for='q'>
2034
+ <a accesskey="4" href="/search">Search</a>:
2035
+ </label>
2036
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2037
+ </form>
2038
+ </div>
2039
+
2040
+ <h1>HNL Security Team Project Tracking System</h1>
2041
+
2042
+ </div>
2043
+
2044
+ <div id="main" class="nosidebar">
2045
+ <div id="sidebar">
2046
+
2047
+
2048
+ </div>
2049
+
2050
+ <div id="content">
2051
+
2052
+ <h2>Home</h2>
2053
+
2054
+ <div class="splitcontentleft">
2055
+ <div class="wiki">
2056
+
2057
+ </div>
2058
+
2059
+ </div>
2060
+
2061
+ <div class="splitcontentright">
2062
+
2063
+ </div>
2064
+
2065
+
2066
+
2067
+ <div style="clear:both;"></div>
2068
+ </div>
2069
+ </div>
2070
+ </div>
2071
+
2072
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2073
+ <div id="ajax-modal" style="display:none;"></div>
2074
+
2075
+ <div id="footer">
2076
+ <div class="bgl"><div class="bgr">
2077
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2078
+ </div></div>
2079
+ </div>
2080
+ </div>
2081
+ </div>
2082
+
2083
+ </body>
2084
+ </html>
2085
+ ]]></rawresponse>
2086
+ <extrainformation>
2087
+ <info name="Identified Version"><![CDATA[1.11.0]]></info>
2088
+ <info name="Latest Version"><![CDATA[1.12.1]]></info>
2089
+ <info name="Vulnerability Database"><![CDATA[Result is based on 10/27/2016 vulnerability database content.]]></info>
2090
+ </extrainformation>
2091
+
2092
+ <proofs></proofs>
2093
+
2094
+
2095
+ <classification>
2096
+ <OWASP2013>A9</OWASP2013>
2097
+ <WASC></WASC>
2098
+ <CWE></CWE>
2099
+ <CAPEC>310</CAPEC>
2100
+ <PCI31>6.2</PCI31>
2101
+ <PCI32>6.2</PCI32>
2102
+ <HIPAA></HIPAA>
2103
+ <OWASPPC>C1</OWASPPC>
2104
+
2105
+ </classification>
2106
+
2107
+ </vulnerability>
2108
+ <vulnerability confirmed="False">
2109
+ <url>http://localhost:3000/javascripts/</url>
2110
+ <type>MissingXssProtectionHeader</type>
2111
+ <severity>Information</severity>
2112
+ <certainty>100</certainty>
2113
+ <description><p>{PRODUCT} detected a missing <code>X-XSS-Protection</code> header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.</p></description>
2114
+ <remedy><div>Add the X-XSS-Protection header with a value of "1; mode= block".<ul><li><pre class="code">X-XSS-Protection: 1; mode=block</pre></li></ul></div></remedy>
2115
+
2116
+ <rawrequest><![CDATA[GET /javascripts/ HTTP/1.1
2117
+ Host: localhost:3000
2118
+ Cache-Control: no-cache
2119
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2120
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2121
+ Accept-Language: en-us,en;q=0.5
2122
+ X-Scanner: Netsparker
2123
+ Cookie: _redmine_session=dXFGaE1aakY4ZWxQV0ZiMVlmaWtaUTBpYlQrOVlkWWUxOUtuYlJZMHgwT3ZFUlZheVJmSnQ2SUllUi9hYktZOWU5OFhGTjJ6S1V2NHZxd21vLzhwUDBDZXZZVjdmeFZaOXA1emprRktNODQ4SW9OV3JSWUZrYllRWXpxSjFHazcrMVFBNFova2JQNnBIK0N5YmpvRGZhOWVLVEY0RHJkRjBIL3NScmZGOHZISFcvM0lOSHBVVnlEK3dYaDNmVFFtV3FBb216T0V2aE0zdVpQRUZweDRZbDdncWN4TWxjYjZoRzByejQ5YlFzR2FpaHNUS1poM1JaOWV6YWJpWkl2NmhBM0Z2cmt0TzQzMnZ1YVIvUm5FdmNOUTgvOUFpV1lKSVloaVkvZkM5eDFiK0l1SXNHUzhhSlMwTExHYjBSM0gtLXdzSDI3Q1NNRllPK0FmRjI0cnZkVmc9PQ%3D%3D--054cb1c4bd8ee505c94de1d15b77d628ee5202ae
2124
+ Accept-Encoding: gzip, deflate
2125
+
2126
+ ]]></rawrequest>
2127
+ <rawresponse><![CDATA[HTTP/1.1 404 Not Found
2128
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2129
+ X-Runtime: 0.001726
2130
+ Connection: Keep-Alive
2131
+ Content-Length: 459
2132
+ X-Request-Id: aa38d534-7b20-4836-afa1-f2500d266718
2133
+ Content-Type: text/html; charset=utf-8
2134
+ Date: Thu, 08 Dec 2016 19:56:14 GMT
2135
+
2136
+ <!DOCTYPE html>
2137
+ <html>
2138
+ <head>
2139
+ <meta charset="utf-8" />
2140
+ <title>Redmine 404 error</title>
2141
+ <style>
2142
+ body {font-family: "Trebuchet MS", Georgia, "Times New Roman", serif; color: #303030; margin: 10px;}
2143
+ h1 {font-size:1.5em;}
2144
+ p {font-size:0.8em;}
2145
+ </style>
2146
+ </head>
2147
+ <body>
2148
+ <h1>Page not found</h1>
2149
+ <p>The page you were trying to access doesn't exist or has been removed.</p>
2150
+ <p><a href="javascript:history.back()">Back</a></p>
2151
+ </body>
2152
+ </html>
2153
+ ]]></rawresponse>
2154
+ <extrainformation>
2155
+ </extrainformation>
2156
+
2157
+ <proofs></proofs>
2158
+
2159
+
2160
+ <classification>
2161
+ <OWASP2013></OWASP2013>
2162
+ <WASC></WASC>
2163
+ <CWE></CWE>
2164
+ <CAPEC></CAPEC>
2165
+ <PCI31></PCI31>
2166
+ <PCI32></PCI32>
2167
+ <HIPAA>164.308(a)</HIPAA>
2168
+ <OWASPPC>C9</OWASPPC>
2169
+
2170
+ </classification>
2171
+
2172
+ </vulnerability>
2173
+ <vulnerability confirmed="True">
2174
+ <url>http://localhost:3000/</url>
2175
+ <type>SameSiteCookieNotImplemented</type>
2176
+ <severity>Information</severity>
2177
+ <certainty>100</certainty>
2178
+ <description><p>Cookies are typically sent to third parties in cross origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named <em>SameSite</em> was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.</p><p>Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.</p></description>
2179
+ <remedy><p>The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header:</p><div><pre>Set-Cookie: key=value; SameSite=strict</pre></div><p>There are two possible values for the same-site attribute:</p><ul><li>Lax</li><li>Strict</li></ul><p>In the strict mode, the cookie is not sent with any cross-site usage even if the user follows a link to another website. Lax cookies are only sent with a top-level get request.</p></remedy>
2180
+
2181
+ <rawrequest><![CDATA[GET / HTTP/1.1
2182
+ Host: localhost:3000
2183
+ Cache-Control: no-cache
2184
+ Connection: Keep-Alive
2185
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2186
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2187
+ Accept-Language: en-us,en;q=0.5
2188
+ X-Scanner: Netsparker
2189
+ Accept-Encoding: gzip, deflate
2190
+
2191
+ ]]></rawrequest>
2192
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
2193
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
2194
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2195
+ X-Content-Type-Options: nosniff
2196
+ X-Runtime: 0.015338
2197
+ Connection: Keep-Alive
2198
+ X-Xss-Protection: 1; mode=block
2199
+ X-Frame-Options: SAMEORIGIN
2200
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
2201
+ Content-Type: text/html; charset=utf-8
2202
+ Content-Length: 3876
2203
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
2204
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
2205
+ Cache-Control: max-age=0, private, must-revalidate
2206
+
2207
+ <!DOCTYPE html>
2208
+ <html lang="en">
2209
+ <head>
2210
+ <meta charset="utf-8" />
2211
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
2212
+ <title>HNL Security Team Project Tracking System</title>
2213
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
2214
+ <meta name="description" content="Redmine" />
2215
+ <meta name="keywords" content="issue,bug,tracker" />
2216
+ <meta name="csrf-param" content="authenticity_token" />
2217
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
2218
+ <link rel='shortcut icon' href='/favicon.ico' />
2219
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
2220
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
2221
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
2222
+
2223
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
2224
+ <script src="/javascripts/application.js"></script>
2225
+ <script src="/javascripts/responsive.js"></script>
2226
+ <script>
2227
+ //<![CDATA[
2228
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
2229
+ //]]]]><![CDATA[>
2230
+ </script>
2231
+
2232
+
2233
+ <!-- page specific tags -->
2234
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
2235
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
2236
+ </head>
2237
+ <body class="controller-welcome action-index">
2238
+
2239
+ <div id="wrapper">
2240
+
2241
+ <div class="flyout-menu js-flyout-menu">
2242
+
2243
+
2244
+ <div class="flyout-menu__search">
2245
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2246
+
2247
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
2248
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
2249
+ </form> </div>
2250
+
2251
+
2252
+
2253
+ <h3>General</h3>
2254
+ <span class="js-general-menu"></span>
2255
+
2256
+ <span class="js-sidebar flyout-menu__sidebar"></span>
2257
+
2258
+ <h3>Profile</h3>
2259
+ <span class="js-profile-menu"></span>
2260
+
2261
+ </div>
2262
+
2263
+ <div id="wrapper2">
2264
+ <div id="wrapper3">
2265
+ <div id="top-menu">
2266
+ <div id="account">
2267
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
2268
+
2269
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
2270
+
2271
+ <div id="header">
2272
+
2273
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
2274
+
2275
+ <div id="quick-search">
2276
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2277
+
2278
+ <label for='q'>
2279
+ <a accesskey="4" href="/search">Search</a>:
2280
+ </label>
2281
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2282
+ </form>
2283
+ </div>
2284
+
2285
+ <h1>HNL Security Team Project Tracking System</h1>
2286
+
2287
+ </div>
2288
+
2289
+ <div id="main" class="nosidebar">
2290
+ <div id="sidebar">
2291
+
2292
+
2293
+ </div>
2294
+
2295
+ <div id="content">
2296
+
2297
+ <h2>Home</h2>
2298
+
2299
+ <div class="splitcontentleft">
2300
+ <div class="wiki">
2301
+
2302
+ </div>
2303
+
2304
+ </div>
2305
+
2306
+ <div class="splitcontentright">
2307
+
2308
+ </div>
2309
+
2310
+
2311
+
2312
+ <div style="clear:both;"></div>
2313
+ </div>
2314
+ </div>
2315
+ </div>
2316
+
2317
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2318
+ <div id="ajax-modal" style="display:none;"></div>
2319
+
2320
+ <div id="footer">
2321
+ <div class="bgl"><div class="bgr">
2322
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2323
+ </div></div>
2324
+ </div>
2325
+ </div>
2326
+ </div>
2327
+
2328
+ </body>
2329
+ </html>
2330
+ ]]></rawresponse>
2331
+ <extrainformation>
2332
+ <info name="Identified Cookie(s)"><![CDATA[_redmine_session]]></info>
2333
+ </extrainformation>
2334
+
2335
+ <proofs></proofs>
2336
+
2337
+
2338
+ <classification>
2339
+ <OWASP2013></OWASP2013>
2340
+ <WASC></WASC>
2341
+ <CWE></CWE>
2342
+ <CAPEC></CAPEC>
2343
+ <PCI31></PCI31>
2344
+ <PCI32></PCI32>
2345
+ <HIPAA></HIPAA>
2346
+ <OWASPPC>C9</OWASPPC>
2347
+
2348
+ </classification>
2349
+
2350
+ </vulnerability>
2351
+ <vulnerability confirmed="False">
2352
+ <url>http://localhost:3000/</url>
2353
+ <type>CspNotImplemented</type>
2354
+ <severity>Information</severity>
2355
+ <certainty>100</certainty>
2356
+ <description><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">CSP is a added layer of security against that helps to mitigate mainly Cross-site Scripting attacks. </span></p><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">CSP can be enabled instructing the browser with a Content-Security-Policy directive in a response header;</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> Content-Security-Policy: script-src 'self';</span></pre><p>or in a meta tag;</p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self';"&gt; </span></pre><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">In the above example, you can restrict script loading only to same domain. It will also restrict inline script executions both in element attribute and event handler. There are various directives which you can use declaring CSP:</span></p><ul><li style="text-align: justify;" data-mce-style="text-align: justify;"><strong>script-src:</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> Restricts the script loading resources to the ones you declared. By default, it disables inline script executions unless you permit to the evaluation functions and inline scripts by the unsafe-eval and unsafe-inline keywords.</span></li><li style="text-align: justify;" data-mce-style="text-align: justify;"><strong>base-uri:</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> &nbsp;Base element is used to resolve relative URL to absolute one. By using this CSP directive, you can define all possible URLs which could be assigned to base-href attribute of the document. </span></li><li><strong>frame-ancestors</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: &nbsp;It is very similar to X-Frame-Options HTTP header. 
It defines the URLs by which the page can be loaded in an iframe.</span></li><li><strong>frame-src &nbsp;&nbsp;/ child-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: frame-src is the deprecated version of child-src. Both define the sources that can be loaded by iframe in the page.</span></li><li><strong>object-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> : Defines the resources that can be loaded by embedding such as Flash files, Java Applets.</span></li><li><strong>img-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: As its name implies, it defines the resources where the images can be loaded from.</span></li><li><strong>connect-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: Defines the whitelisted targets for XMLHttpRequest and WebSocket objects.</span></li><li><strong>default-src</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It is a fallback for the directives that mostly ends with -src prefix. 
When the directives below are not defined, the value set to default-src will be used:</span></li><ul><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">child-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">connect-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">font-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">img-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">manifest-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">media-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">object-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">script-src</span></li><li><span style="font-weight: 400;" data-mce-style="font-weight: 400;">style-src</span></li></ul></ul><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">When setting the CSP directives, you can also use some CSP keywords: </span></p><ul><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>none</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: When used, it denies all resources loadings.</span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>self </strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It points to the document's URL (domain + port).</span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>unsafe-inline</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It permits running inline scripts . 
</span></li><li style="padding-left: 30px;" data-mce-style="padding-left: 30px;"><strong>unsafe-eval</strong><span style="font-weight: 400;" data-mce-style="font-weight: 400;">: It permits execution of evaluations function such as <code>eval()</code>.</span></li></ul><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">In addition to CSP keywords, you can also use wildcard or only a schema when defining whitelist URLs for the points. Wildcard can be used for subdomain and port portions of the URLs:</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src </span><a href="about:blank" data-mce-href="about:blank"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">https://*.example.com</span></a><span style="font-weight: 400;" data-mce-style="font-weight: 400;">;</span></pre><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src </span><a href="about:blank" data-mce-href="about:blank"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">https://example.com</span></a><span style="font-weight: 400;" data-mce-style="font-weight: 400;">:*;</span></pre><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy: script-src https;</span></pre><p style="text-align: justify;" data-mce-style="text-align: justify;"><span style="font-weight: 400;" data-mce-style="font-weight: 400;">It is also possible to set a CSP in Report-Only mode instead of forcing it immediately in the migration period. Thus you can see the violations of the CSP policy in the current state of your web site while migrating to CSP:</span></p><pre><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy-Report-Only: script-src 'self'; report-uri: <a href="https://example.com" data-mce-href="https://example.com">https://example.com</a>;</span></pre></description>
2357
+ <remedy><p><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Enable CSP on your website by sending the </span><code><span style="font-weight: 400;" data-mce-style="font-weight: 400;">Content-Security-Policy</span></code><span style="font-weight: 400;" data-mce-style="font-weight: 400;"> in HTTP response headers that instruct the browser to apply the policies you specified.</span></p></remedy>
2358
+
2359
+ <rawrequest><![CDATA[GET / HTTP/1.1
2360
+ Host: localhost:3000
2361
+ Cache-Control: no-cache
2362
+ Connection: Keep-Alive
2363
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
2364
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
2365
+ Accept-Language: en-us,en;q=0.5
2366
+ X-Scanner: Netsparker
2367
+ Accept-Encoding: gzip, deflate
2368
+
2369
+ ]]></rawrequest>
2370
+ <rawresponse><![CDATA[HTTP/1.1 200 OK
2371
+ Set-Cookie: _redmine_session=NVU5aUwyZ0VRTndIb21Va2pNZk15SXRyeXpGOWZtMk5rS1QwaVFpSi9vSkh1Lyt3U1lzcTdlOS8wYkdUTE1JMjVQNmp5dHU0akM0L0pmdDZRalkvdkVDbzdqOC9qOHRJRG1CSllNcENBMkkxbGJ0ODd1RXZwL0drNVRCbkZwYVFHQVVTWWtGQXY5eXBwdzJTQnBuVXpCMWFOVEZHOFVTeVFDUmJmekhEU3NGK3JGMlFsTytCRFpIemx2bkJCZzViLS1CV295alVPcnRJaUhDY2UxVmRLOWt3PT0%3D--374cb50cbcce265e356b52f82eadb8c778158726; path=/; HttpOnly
2372
+ Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
2373
+ X-Content-Type-Options: nosniff
2374
+ X-Runtime: 0.015338
2375
+ Connection: Keep-Alive
2376
+ X-Xss-Protection: 1; mode=block
2377
+ X-Frame-Options: SAMEORIGIN
2378
+ X-Request-Id: 9c7ebeb0-d69c-4315-ba90-5e154e2eebed
2379
+ Content-Type: text/html; charset=utf-8
2380
+ Content-Length: 3876
2381
+ Date: Thu, 08 Dec 2016 19:56:08 GMT
2382
+ Etag: W/"58de55885d9765a460c7728ca5cce1da"
2383
+ Cache-Control: max-age=0, private, must-revalidate
2384
+
2385
+ <!DOCTYPE html>
2386
+ <html lang="en">
2387
+ <head>
2388
+ <meta charset="utf-8" />
2389
+ <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
2390
+ <title>HNL Security Team Project Tracking System</title>
2391
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
2392
+ <meta name="description" content="Redmine" />
2393
+ <meta name="keywords" content="issue,bug,tracker" />
2394
+ <meta name="csrf-param" content="authenticity_token" />
2395
+ <meta name="csrf-token" content="TV0QvO/RZcDnbKGv7N8Aq6rDRRfrL8sFjLxwBAonrSZhgsql1zJstjdddq8zpzwXK9MTQ75gDZZeQ0gJxIDtIQ==" />
2396
+ <link rel='shortcut icon' href='/favicon.ico' />
2397
+ <link rel="stylesheet" media="all" href="/stylesheets/jquery/jquery-ui-1.11.0.css" />
2398
+ <link rel="stylesheet" media="all" href="/stylesheets/application.css" />
2399
+ <link rel="stylesheet" media="all" href="/stylesheets/responsive.css" />
2400
+
2401
+ <script src="/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.4.js"></script>
2402
+ <script src="/javascripts/application.js"></script>
2403
+ <script src="/javascripts/responsive.js"></script>
2404
+ <script>
2405
+ //<![CDATA[
2406
+ $(window).load(function(){ warnLeavingUnsaved('The current page contains unsaved text that will be lost if you leave this page.'); });
2407
+ //]]]]><![CDATA[>
2408
+ </script>
2409
+
2410
+
2411
+ <!-- page specific tags -->
2412
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Latest news" href="http://localhost:3000/news.atom" />
2413
+ <link rel="alternate" type="application/atom+xml" title="HNL Security Team Project Tracking System: Activity" href="http://localhost:3000/activity.atom" />
2414
+ </head>
2415
+ <body class="controller-welcome action-index">
2416
+
2417
+ <div id="wrapper">
2418
+
2419
+ <div class="flyout-menu js-flyout-menu">
2420
+
2421
+
2422
+ <div class="flyout-menu__search">
2423
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2424
+
2425
+ <label class="search-magnifier search-magnifier--flyout" for="flyout-search">&#9906;</label>
2426
+ <input type="text" name="q" id="flyout-search" class="small js-search-input" placeholder="Search" />
2427
+ </form> </div>
2428
+
2429
+
2430
+
2431
+ <h3>General</h3>
2432
+ <span class="js-general-menu"></span>
2433
+
2434
+ <span class="js-sidebar flyout-menu__sidebar"></span>
2435
+
2436
+ <h3>Profile</h3>
2437
+ <span class="js-profile-menu"></span>
2438
+
2439
+ </div>
2440
+
2441
+ <div id="wrapper2">
2442
+ <div id="wrapper3">
2443
+ <div id="top-menu">
2444
+ <div id="account">
2445
+ <ul><li><a class="login" href="/login">Sign in</a></li><li><a class="register" href="/account/register">Register</a></li></ul> </div>
2446
+
2447
+ <ul><li><a class="home" href="/">Home</a></li><li><a class="projects" href="/projects">Projects</a></li><li><a class="help" href="https://www.redmine.org/guide">Help</a></li></ul></div>
2448
+
2449
+ <div id="header">
2450
+
2451
+ <a href="#" class="mobile-toggle-button js-flyout-menu-toggle-button"></a>
2452
+
2453
+ <div id="quick-search">
2454
+ <form action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="&#x2713;" />
2455
+
2456
+ <label for='q'>
2457
+ <a accesskey="4" href="/search">Search</a>:
2458
+ </label>
2459
+ <input type="text" name="q" id="q" size="20" class="small" accesskey="f" />
2460
+ </form>
2461
+ </div>
2462
+
2463
+ <h1>HNL Security Team Project Tracking System</h1>
2464
+
2465
+ </div>
2466
+
2467
+ <div id="main" class="nosidebar">
2468
+ <div id="sidebar">
2469
+
2470
+
2471
+ </div>
2472
+
2473
+ <div id="content">
2474
+
2475
+ <h2>Home</h2>
2476
+
2477
+ <div class="splitcontentleft">
2478
+ <div class="wiki">
2479
+
2480
+ </div>
2481
+
2482
+ </div>
2483
+
2484
+ <div class="splitcontentright">
2485
+
2486
+ </div>
2487
+
2488
+
2489
+
2490
+ <div style="clear:both;"></div>
2491
+ </div>
2492
+ </div>
2493
+ </div>
2494
+
2495
+ <div id="ajax-indicator" style="display:none;"><span>Loading...</span></div>
2496
+ <div id="ajax-modal" style="display:none;"></div>
2497
+
2498
+ <div id="footer">
2499
+ <div class="bgl"><div class="bgr">
2500
+ Powered by <a href="https://www.redmine.org/">Redmine</a> &copy; 2006-2016 Jean-Philippe Lang
2501
+ </div></div>
2502
+ </div>
2503
+ </div>
2504
+ </div>
2505
+
2506
+ </body>
2507
+ </html>
2508
+ ]]></rawresponse>
2509
+ <extrainformation>
2510
+ </extrainformation>
2511
+
2512
+ <proofs></proofs>
2513
+
2514
+
2515
+ <classification>
2516
+ <OWASP2013></OWASP2013>
2517
+ <WASC></WASC>
2518
+ <CWE></CWE>
2519
+ <CAPEC></CAPEC>
2520
+ <PCI31></PCI31>
2521
+ <PCI32></PCI32>
2522
+ <HIPAA></HIPAA>
2523
+ <OWASPPC>C9</OWASPPC>
2524
+
2525
+ </classification>
2526
+
2527
+ </vulnerability>
2528
+
2529
+ </netsparker>