
WAS report URL doesn't match report Access Path

Question asked by jweiler on Jul 29, 2014

The WAS report, detailed results section, each finding has the exploitable URL at the beginning, and an 'Access path' line later in the finding. They are not the same as shown by the report excerpt below. Is the 'Access path' just the string entered in some description in the report creation? It can't be the access path for the exploit URL in the report below.

URL: https://prod-xxxxx-customer.yyyyy.com/authentication/authenticate

Finding #: 381507086
Group: Information Disclosure
CWE: -
OWASP: A5 Security Misconfiguration
WASC: WASC-15 Application Misconfiguration
CVSS Base: 5    CVSS Temporal: 4

First Time Detected: 28 Jul 2014 17:33 GMT-0400
Last Time Detected: 28 Jul 2014 17:33 GMT-0400
Last Time Tested: 28 Jul 2014 17:33 GMT-0400
Times Detected: 1

Details

Threat
A test payload generated a syntax error within the Web application. This often points to a problem with input validation routines or lack of filters on user-supplied content.

Impact
A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the Web application.

Solution
The Web application should restrict user-supplied data to consist of a minimal set of characters necessary for the input field. Additionally, all content received from the client (i.e. Web browser) should be validated to an expected format or checked for malicious content.

Detection Information

Parameter: It has been detected by exploiting the parameter referer
The payloads section will display a list of tests that show how the param could have been exploited to collect the information

Authentication: In order to detect this vulnerability, no authentication has been required.

Access Path: Here is the path followed by the scanner to reach the exploitable URL:
https://prod-xxxxx-customer.yyyyy.com/seller-offer-catalog/#/
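The finding's Solution section says to restrict the parameter to a minimal character set and validate it against an expected format. The parameter named is `referer`, which is presumably the HTTP Referer request header rather than a form field. The following is an added example, not code from the original post or from Qualys, of an allowlist validator for that header. The allowed host is taken from the report's URL and is an assumption; the sample values at the bottom are constructed for illustration.

```python
"""Allowlist validation for an HTTP Referer value (added example).

Implements the report's advice: accept only a minimal character set in an
expected format, and treat anything else as absent so it is never echoed
into logs, templates or queries. Host and sample inputs are assumptions.
"""
import re
from urllib.parse import urlsplit, unquote

# Assumed: the only origin the application legitimately links from itself.
ALLOWED_HOSTS = {"prod-xxxxx-customer.yyyyy.com"}

# Characters allowed in path and query after percent-decoding: RFC 3986
# unreserved characters plus the few delimiters a normal URL needs.
# Quotes, angle brackets, backslashes, semicolons, whitespace and control
# characters are excluded; those are what syntax-error payloads rely on.
_SAFE_CHARS = re.compile(r"[A-Za-z0-9\-._~/=&+,:@]*")
# A '%' not followed by two hex digits is a malformed escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _clean_component(component):
    """True if a path or query component decodes to safe characters only."""
    if _BAD_ESCAPE.search(component):
        return False
    # Check the decoded form so %27 (an encoded quote) is rejected too.
    return _SAFE_CHARS.fullmatch(unquote(component)) is not None


def validate_referer(value):
    """Return a normalised Referer if it matches the expected format, else None."""
    if value is None:
        return None
    # Length cap and printable-ASCII-only (no space, no control characters).
    if len(value) > 2048 or not all(0x20 < ord(c) < 0x7F for c in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the host
        return None
    # Exact netloc match also rejects userinfo ("user@host") and explicit ports.
    if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
        return None
    if not (_clean_component(parts.path) and _clean_component(parts.query)):
        return None
    if parts.fragment:  # browsers strip fragments from Referer; one here is a tell
        return None
    normalised = "https://" + parts.netloc + (parts.path or "/")
    if parts.query:
        normalised += "?" + parts.query
    return normalised


def demo():
    """Run the validator over constructed sample values."""
    samples = [
        "https://prod-xxxxx-customer.yyyyy.com/seller-offer-catalog/",  # normal
        "https://prod-xxxxx-customer.yyyyy.com/x?a=1'",                 # raw quote
        "https://prod-xxxxx-customer.yyyyy.com/x?a=%27",                # encoded quote
        "https://prod-xxxxx-customer.yyyyy.com/x?a=%2",                 # bad escape
        "http://prod-xxxxx-customer.yyyyy.com/",                        # wrong scheme
        "https://evil.example/",                                        # foreign host
        None,                                                           # header absent
    ]
    return {s: validate_referer(s) for s in samples}


if __name__ == "__main__":
    for value, result in demo().items():
        print(repr(value), "->", repr(result))
```

The validator is deliberately strict: a legitimate same-origin Referer that fails it is simply treated as missing, which costs nothing, whereas a lenient check that lets a quote or a malformed escape through is exactly the condition the finding describes.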

 

 

 
