| Cause identifier | Description |
|---|---|
| hazardousCharactersNotSanitized | Sanitization of hazardous characters was not performed correctly on user input. |
| formatStringsVulnerability | User input is used directly as the format string for C/C++ sprintf and similar functions. |
| hiddenParameterUsed | Parameter values were hardcoded in the HTML as parameters of type 'hidden'. |
| boundsCheckingOnParamValues | Proper bounds checking was not performed on incoming parameter values. |
| incorrectDataType | No validation was done to ensure that user input matches the expected data type. |
| inputLengthNotChecked | User input length is not limited, thereby enabling buffer overflows. |
| errorMessagesReturned | Exceptions and error messages, which may contain sensitive debugging information, are presented to users. |
| debugInfoInHtmlSource | Debugging information was left in web pages by the programmer. |
| backDoorLeftBehind | A backdoor or a debugging option was left behind by programmers. |
| clientSideValidation | User input validation is done on the client side and may be bypassed. |
| usOfClientSideLogic | The web application uses client-side logic to create web pages. |
| cookiesCreatedAtClientSide | Cookies are created on the client side. |
| javaScriptPassWordMechanism | The web application uses client-side password authentication. |
| sqlBuiltByJavaScript | The web application uses client-side logic to build SQL queries. |
| dotDotNotSanitized | User input is not checked for the '..' string. |
| weakTokenUsed | A weak token algorithm is used by the web application. |
| missingPatchesForThirdPartyProds | The latest patches or hotfixes for third-party products were not installed. |
| tempFilesLeftBehind | Temporary files were left in the production environment. |
| improperFileDirPermissions | Improper permissions/ACLs were set on a file or directory. |
| nimdaWormBackdoor | The Nimda worm was found on the system. |
| sampleScriptsFound | Default sample scripts or directories were installed on the website. |
| insecureThirdPartySoftware | Vulnerable third-party software, for which no patch is known, is installed on the website. |
| directoryBrowsingEnabled | Directory browsing is enabled. |
| managementConsoleAccess | The web management console is accessible from the web. |
| insecureWebServerConfiguration | The web server or application server is configured in an insecure way. |
| frontPageServerUnsecureInstall | FrontPage Server Extensions were installed with improper security settings. |
| insecureWebAppConfiguration | Insecure web application programming or configuration. |
| vulnSOAPserializer | The SOAP serializer used by your web services server does not validate SOAP input properly. |
| sensitiveDataNotSSL | Sensitive input fields, such as usernames, passwords, and credit card numbers, are passed unencrypted. |
| nonSecureCookiesSentOverSSL | The web application sends non-secure cookies over SSL. |
| sessionCookieNotRAM | The web application stores sensitive session information in a persistent cookie (on disk). |
| redirectionFromWithinSite | The web application performs a redirection to an external site. |
| remoteFileInclusion | The web application allows remote file inclusion. |
| GETParamOverSSL | Query parameters were passed over SSL and may contain sensitive information. |
| SensitiveCache | Sensitive information might have been cached by your browser. |
| InsufficientAuthentication | An insufficient authentication method was used by the application. |
| useOfGlobalFlashParamsInPDNFs | Global Flash parameters are used in potentially dangerous native functions. |
| causeNotAvailable | n/a |
| vulnActiveX | The ActiveX control used is categorized as vulnerable. The scanned website might have been hacked in order to serve malware. |
| compromisedDigiNotarSSLCert | The SSL certificate in use has been flagged as compromised due to DigiNotar's security breach. |
| paramValManipAllowed | Parameter value manipulation was permitted by the application logic. |