http://demo.testfire.net/ 540 http://demo.testfire.net/bank/login.aspx HighlyPossibleSqlInjection Critical 50 Netsparker identified a probable SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Even though Netsparker believes there is a SQL injection in here, it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address this issue for the next time and give you a more precise result.

Depending on the backend database, database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:
  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.
  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object-relational mapping). Most ORM systems use parameterized queries, and this can solve many if not all SQL injection-based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review weblogs and application logs to uncover active or previous exploitation attempts.
A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

POST uid '+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +'

500 - Internal server error.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

IErrorInfo.GetDescription failed with E_FAIL(0x80004005).

Error Message:

System.Data.OleDb.OleDbException: IErrorInfo.GetDescription failed with E_FAIL(0x80004005). at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 33 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

A1 A1 19 89 66 6.5.1 6.5.1 164.306(a), 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base 10.0 Critical Temporal 10.0 Critical Environmental 10.0 Critical
http://demo.testfire.net/bank/login.aspx HighlyPossibleSqlInjection Critical 50 Netsparker identified a probable SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Even though Netsparker believes there is a SQL injection in here, it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address this issue for the next time and give you a more precise result.

Depending on the backend database, database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:
  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.
  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object-relational mapping). Most ORM systems use parameterized queries, and this can solve many if not all SQL injection-based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review weblogs and application logs to uncover active or previous exploitation attempts.
A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

POST btnSubmit %27

500 - Internal server error.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

Unspecified error

Error Message:

System.Data.OleDb.OleDbException: Unspecified error at System.Data.OleDb.OleDbConnectionInternal..ctor(OleDbConnectionString constr, OleDbConnection connection) at System.Data.OleDb.OleDbConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningObject) at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup) at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) at System.Data.OleDb.OleDbConnection.Open() at Altoro.Authentication.ValidateUser(String uName, String pWord) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 53 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 33 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

A1 A1 19 89 66 6.5.1 6.5.1 164.306(a), 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base 10.0 Critical Temporal 10.0 Critical Environmental 10.0 Critical
http://demo.testfire.net/bank/login.aspx HighlyPossibleSqlInjection Critical 50 Netsparker identified a probable SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Even though Netsparker believes there is a SQL injection in here, it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed. You can also consider sending the details of this issue to us so we can address this issue for the next time and give you a more precise result.

Depending on the backend database, database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attack:
  • Reading, updating and deleting arbitrary data/tables from the database.
  • Executing commands on the underlying operating system.
  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object-relational mapping). Most ORM systems use parameterized queries, and this can solve many if not all SQL injection-based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
  4. Monitor and review weblogs and application logs to uncover active or previous exploitation attempts.
A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

POST passw '+ (select convert(int, cast(0x5f21403264696c656d6d61 as varchar(8000))) from syscolumns) +'

500 - Internal server error.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

IErrorInfo.GetDescription failed with E_FAIL(0x80004005).

Error Message:

System.Data.OleDb.OleDbException: IErrorInfo.GetDescription failed with E_FAIL(0x80004005). at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 33 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

A1 A1 19 89 66 6.5.1 6.5.1 164.306(a), 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base 10.0 Critical Temporal 10.0 Critical Environmental 10.0 Critical
http://demo.testfire.net/bank/login.aspx Xss High 100 Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by altering the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, an attacker who can hijack other users' sessions might target an administrator and gain full control over the application.

There are many different attacks that can be leveraged through the use of cross-site scripting, including:
  • Hijacking a user's active session.
  • Mounting phishing attacks.
  • Intercepting data and performing man-in-the-middle attacks.
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex; therefore it is strongly recommended to use an encoding library such as OWASP ESAPI or Microsoft Anti-Cross Site Scripting.

The generated XSS exploit might not work due to browser XSS filtering. Follow the guidelines below to disable XSS filtering in different browsers. Also note that:

  • XSS filtering is a feature that is enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be re-enabled if the browser is used for anything other than testing.
  • Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.

Chrome

  • Open command prompt.
  • Go to folder where chrome.exe is located.
  • Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer

  • Click Tools->Internet Options and then navigate to the Security Tab.
  • Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled.
  • Set it to disabled. Click OK.
  • Click Yes to accept the warning followed by Apply.

Firefox

  • Go to about:config in the URL address bar.
  • In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
  • Set its value to false by double clicking the row.
POST uid x" onmouseover=netsparker(0x0011C7) x="

Altoro Mutual: Online Banking Login

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Online Banking Login

Login Failed: We're sorry, but this username was not found in our system. Please try again.

Username:
Password:
A3 A7 8 79 19 6.5.7 6.5.7 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N Base 7.4 High Temporal 7.4 High Environmental 7.4 High
http://demo.testfire.net/search.aspx?txtSearch=%3cscRipt%3enetsparker(0x000561)%3c%2fscRipt%3e Xss High 100 Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by altering the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, an attacker who can hijack other users' sessions might target an administrator and gain full control over the application.

There are many different attacks that can be leveraged through the use of cross-site scripting, including:
  • Hijacking a user's active session.
  • Mounting phishing attacks.
  • Intercepting data and performing man-in-the-middle attacks.
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex; therefore it is strongly recommended to use an encoding library such as OWASP ESAPI or Microsoft Anti-Cross Site Scripting.

The generated XSS exploit might not work due to browser XSS filtering. Follow the guidelines below to disable XSS filtering in different browsers. Also note that:

  • XSS filtering is a feature that is enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be re-enabled if the browser is used for anything other than testing.
  • Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.

Chrome

  • Open command prompt.
  • Go to folder where chrome.exe is located.
  • Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer

  • Click Tools->Internet Options and then navigate to the Security Tab.
  • Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled.
  • Set it to disabled. Click OK.
  • Click Yes to accept the warning followed by Apply.

Firefox

  • Go to about:config in the URL address bar.
  • In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
  • Set its value to false by double clicking the row.
GET txtSearch <scRipt>netsparker(0x000561)</scRipt>

Altoro Mutual: Search Results

A3 A7 8 79 19 6.5.7 6.5.7 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N Base 7.4 High Temporal 7.4 High Environmental 7.4 High
http://demo.testfire.net/bank/login.aspx PasswordOverHttp High 100 Netsparker detected that password data is being transmitted over HTTP.

If an attacker can intercept network traffic, he/she can steal users' credentials.
  1. See the remedy for solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Altoro Mutual: Online Banking Login

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Online Banking Login

Username:
Password:
A6 A3 4 319 65 6.5.4 6.5.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Base 5.7 Medium Temporal 5.7 Medium Environmental 5.7 Medium
https://demo.testfire.net/bank/customize.aspx CookieNotMarkedAsSecure High 100 Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.

This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request in order to steal the cookie.
  1. See the remedy for solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Mark all cookies used within the application as secure.

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems that act as waypoints for the traffic, or have gained local access to a system between the victim and the web server.

500 - Internal server error.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

Object reference not set to an instance of an object.

Error Message:

System.NullReferenceException: Object reference not set to an instance of an object. at BankMaster.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\bank.master.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

A6 A3 15 614 102 6.5.10 6.5.10 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Base 5.3 Medium Temporal 5.3 Medium Environmental 5.3 Medium
http://demo.testfire.net/default.aspx?content=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.htm Lfi High 100 Netsparker identified a local file inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Netsparker confirmed this issue by reading some files from the target web server.

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:
  • Gather usernames via an "/etc/passwd" file
  • Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
  • Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection
  • If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
  • It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.
GET content /../../../../../../../../../../boot.ini%00.htm

Altoro Mutual

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /bootlogo /noguiboot
A4 A5 33 98 252 6.5.8 6.5.8 164.306(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Base 8.6 High Temporal 8.6 High Environmental 8.6 High
http://demo.testfire.net/search.aspx?txtSearch=%3ciframe%20src%3d%22http%3a%2f%2fr87.com%2f%3f%22%3e%3c%2fiframe%3e FrameInjection Medium 100 Netsparker detected frame injection, which occurs when a frame on a vulnerable web page displays another web page via a user-controllable input.

An attacker might use this vulnerability to redirect users to other malicious websites that are used for phishing and similar attacks.
  • Where possible do not use users' input for URLs.
  • If you definitely need dynamic URLs, make a list of valid accepted URLs and do not accept other URLs.
  • Ensure that you only accept URLs which are located on accepted domains.
GET txtSearch <iframe src="http://r87.com/?"></iframe>

Altoro Mutual: Search Results

A10 A6 38 601 6.5.1 6.5.1 164.308(a) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N Base 4.7 Medium Temporal 4.7 Medium Environmental 4.7 Medium
https://demo.testfire.net/ WeakCiphersDetected Medium 100 Netsparker detected that weak ciphers are enabled during secure communication (SSL).

You should allow only strong ciphers on your web server to protect secure communication with your visitors.

Attackers might decrypt SSL traffic between your server and your visitors.
  1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    
  2. For Microsoft IIS, you should make some changes to the system registry.

    Click Start, click Run, type regedt32 or type regedit, and then click OK.

    In Registry Editor, locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

    Set "Enabled" DWORD to "0x0" for the following registry keys:

    SCHANNEL\Ciphers\DES 56/56
    SCHANNEL\Ciphers\RC4 64/128
    SCHANNEL\Ciphers\RC4 40/128
    SCHANNEL\Ciphers\RC2 56/128
    SCHANNEL\Ciphers\RC2 40/128
    SCHANNEL\Ciphers\NULL
    SCHANNEL\Hashes\MD 
Configure your web server to disallow using weak ciphers.

A6 A3 4 327 217 6.5.4 6.5.4 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Base 6.8 Medium Temporal 6.8 Medium Environmental 6.8 Medium
https://demo.testfire.net/ InvalidSslCertificate Medium 100 Netsparker identified an invalid SSL certificate.

An SSL certificate can be created and signed by anyone. You should have a valid SSL certificate to assure your visitors that communication between your website and them is secure. If you have an invalid certificate, your visitors will have trouble distinguishing between your certificate and those of attackers.

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors.

Fix the problem with your SSL certificate to provide secure communication between your website and its visitors.

A6 A3 4 295 459 6.5.4 6.5.4 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Base 6.8 Medium Temporal 6.8 Medium Environmental 6.8 Medium
https://demo.testfire.net/ SslVersion3Support Medium 100 Netsparker detected that insecure transportation security protocol (SSLv3) is supported by your web server.

SSLv3 has several flaws. An attacker can cause connection failures in order to force the use of SSL 3.0 and then exploit vulnerabilities such as POODLE.

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors.

Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.

  • For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    
  • For Nginx, locate any use of the directive ssl_protocols in the nginx.conf file and remove SSLv3.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
  • For Microsoft IIS, you should make some changes to the system registry.
    1. Click on Start and then Run, type regedt32 or regedit, and then click OK.
    2. In Registry Editor, locate the following registry key, or create it if it does not exist:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\
      
    3. Locate a key named Server, or create it if it doesn't exist.
    4. Under the Server key, locate a DWORD value named Enabled, or create it if it doesn't exist, and set its value to "0".
  • For lighttpd, put the following lines in your configuration file:
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    
A6 A3 4 327 217 6.5.4 6.5.4 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C Base 6.8 Medium Temporal 6.1 Medium Environmental 6.1 Medium
http://demo.testfire.net/bank/customize.aspx InternalServerError Low 100 Netsparker identified an internal server error.

The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully. If Netsparker is able to find a security issue in the same resource, it will report this as a separate vulnerability.

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However, there might be a bigger issue, such as SQL injection. If that's the case, Netsparker will check for other possible issues and report them separately.

Analyze this issue and review the application code in order to handle unexpected errors; this should be a generic practice, which does not disclose further information upon an error. All errors should be handled server-side only.

500 - Internal server error.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

Object reference not set to an instance of an object.

Error Message:

System.NullReferenceException: Object reference not set to an instance of an object. at BankMaster.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\bank.master.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

http://demo.testfire.net/ CookieNotMarkedAsHttpOnly Low 100 Netsparker identified a cookie not marked as HTTPOnly.

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
  1. See the remedy for solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly. (After this change, JavaScript code will not be able to read the cookies.)

Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However, this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

Altoro Mutual

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Online Banking with FREE Online Bill Pay
No stamps, envelopes, or checks to write give you more time to spend on the things you enjoy.


Real Estate Financing
Fast. Simple. Professional. Whether you are preparing to buy, build, purchase land, or construct new space, let Altoro Mutual's premier real estate lenders help with financing. As a regional leader, we know the market, we understand the business, and we have the track record to prove it


Business Credit Cards
You're always looking for ways to improve your company's bottom line. You want to be informed, improve efficiency and control expenses. Now, you can do it all - with a business credit card account from Altoro Mutual.

Retirement Solutions
Retaining good employees is a tough task. See how Altoro Mutual can assist you in accomplishing this feat through effective Retirement Solutions.
Privacy and Security
The 2000 employees of Altoro Mutual are dedicated to protecting your privacy and security. We pledge to provide you with the information and resources that you need to help secure your information and keep it confidential. This is our promise.



Win an 8GB iPod Nano
Completing this short survey will enter you in a draw for 1 of 50 iPod Nanos. We look forward to hearing your important feedback.

A5 A6 15 16 107
http://demo.testfire.net/ AspNetVersionDisclosure Low 90 Netsparker identified a version disclosure (ASP.NET) in target web server's HTTP response.

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of ASP.NET.

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Apply the following changes to your web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses.
<system.web>
     <httpRuntime enableVersionHeader="false" />
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</system.web>
A6 45 205 170 164.306(a), 164.308(a)
http://demo.testfire.net/bank/login.aspx DatabaseErrorMessages Low 35 Netsparker identified a database error message disclosure.

The error message may disclose sensitive information, and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Do not provide any error messages on production environments. Save error messages with a reference number to backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.

Altoro Mutual: Server Error

An Error Has Occurred

Summary:

IErrorInfo.GetDescription failed with E_FAIL(0x80004005).

Error Message:

System.Data.OleDb.OleDbException: IErrorInfo.GetDescription failed with E_FAIL(0x80004005). at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 33 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

A5 A6 13 210 118 6.5.5 6.5.5 164.306(a), 164.308(a)
http://demo.testfire.net/bank/ws.asmx ProgrammingErrorMessages Low 90 Netsparker identified a programming error message.

The error message may disclose sensitive information, and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. Source code, stack traces and similar data may be disclosed. Most of these issues will be identified and reported separately by Netsparker.

Do not provide error messages on production environments. Save error messages with a reference number to backend storage such as a log, text file or database, then show this number and a static user-friendly error message to the user.

_NS_

soap:Server
Server was unable to process request. ---> Could not find file 'C:\Windows\TEMP\opu13isg.dll'.

A5 A6 13 210 118 6.5.5 6.5.5 164.306(a), 164.308(a)
http://demo.testfire.net/bank/customize.aspx AspNetStackTrace Low 90 Netsparker identified a stack trace disclosure (ASP.NET) in the target web server's HTTP response.

An attacker can obtain information such as:
  • ASP.NET version.
  • Physical file path of temporary ASP.NET files.
  • Information about the generated exception and possibly source code, SQL queries, etc.
This information might help an attacker gain more information and potentially focus on the development of further attacks for the target system.

Apply the following changes to your web.config file to prevent information leakage by applying custom error pages.
<system.web>
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</system.web>
A5 A6 14 248 214 6.5.5 6.5.5 164.306(a), 164.308(a)
http://demo.testfire.net/ MissingXFrameOptionsHeader Low 90 Netsparker detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
    • X-Frame-Options: DENY completely denies the page from being loaded in a frame or iframe.
    • X-Frame-Options: SAMEORIGIN allows the page to be framed only by a page with the same origin.
    • X-Frame-Options: ALLOW-FROM URL allows only the specified URL to load the page in an iframe. Note, however, that not all browsers support this option.
  • Employing defensive code in the UI to ensure that the current frame is the top-level window.
A5 A6 693 103
http://demo.testfire.net/*~1*%5ca.aspx?aspxerrorpath=/ WindowsShortFilename Low 100 Netsparker identified a Windows short file/folder name disclosure.

The vulnerability is caused by the tilde character (~) with the old DOS 8.3 name convention in an HTTP request. It allows a remote attacker to disclose file and folder names that are not supposed to be accessible.

Attackers could find important files that are normally not accessible from the outside and gain intelligence about the application infrastructure. This may cause the leakage of files containing sensitive information such as credentials, configuration files and maintenance scripts.

  • For Windows Server 2012 and later

    1. Set the NtfsDisable8dot3NameCreation registry value in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem to "1".
    2. Open the Command Line with administrator rights and run the command below.

      C:\Windows\System32>FSUTIL.exe 8dot3name set C: 1
  • For Windows Server 2008 and earlier

    1. Set the NtfsDisable8dot3NameCreation registry value in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem to "1".
    2. Open the Command Line with administrator rights and run the command below.

      C:\Windows\System32>FSUTIL.exe behavior set disable8dot3 1
404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

A7 A6 34 425 87 6.5.8 6.5.8 164.306(a), 164.308(a)
https://demo.testfire.net/ TlsVersion1Support Low 100 Netsparker detected that an insecure transport security protocol (TLS 1.0) is supported by your web server.

TLS 1.0 has several flaws. An attacker can cause connection failures to force the use of TLS 1.0 and then exploit vulnerabilities like BEAST (Browser Exploit Against SSL/TLS).

Websites using TLS 1.0 will be considered non-compliant by PCI after 30 June 2018.

Attackers can perform man-in-the-middle attacks and observe the encrypted traffic between your website and its visitors.

Configure your web server to disallow weak protocols and ciphers; the settings below disable TLS 1.0. You need to restart the web server for the changes to take effect.

  • For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.
    SSLProtocol +TLSv1.1 +TLSv1.2
    
  • For Nginx, locate any use of the directive ssl_protocols in the nginx.conf file and remove TLSv1.
    ssl_protocols TLSv1.1 TLSv1.2;
    
  • For Microsoft IIS, you should make some changes on the system registry.
    1. Click on Start and then Run, type regedt32 or regedit, and then click OK.
    2. In Registry Editor, locate the following registry key or create if it does not exist:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
      
    3. Locate a key named Server or create if it doesn't exist.
    4. Under the Server key, locate a DWORD value named Enabled or create if it doesn't exist and set its value to "0".
A6 A9 4 327 217 6.5.4 6.5.4
http://demo.testfire.net/feedback.aspx CsrfDetected Low 90 Netsparker identified a possible Cross-Site Request Forgery.

CSRF is a very common vulnerability. It's an attack which forces a user to execute unwanted actions on a web application in which the user is currently authenticated.

Depending on the application, an attacker can mount any of the actions that can be done by the user, such as adding a user, modifying content or deleting data. All the functionality that is available to the victim can be used by the attacker. The only exception to this rule is a page that requires extra information that only the legitimate user can know (such as the user's password).
  • Send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. This "validation token" should be hard to guess for an attacker who does not already have access to the user's account. If a request is missing a validation token or the token does not match the expected value, the server should reject the request.

  • If you are posting the form in an AJAX request, custom HTTP headers can be used to prevent CSRF, because the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest.

    • For the native XMLHttpRequest (XHR) object in JavaScript:
      xhr = new XMLHttpRequest();
      xhr.open('POST', 'foo/bar'); // open() must be called before setRequestHeader()
      xhr.setRequestHeader('custom-header', 'value');

      For jQuery, if you want to add a custom header (or set of headers) to

      a. an individual request

      $.ajax({
          url: 'foo/bar',
          headers: { 'x-my-custom-header': 'some value' }
      });

      b. every request

      $.ajaxSetup({
          headers: { 'x-my-custom-header': 'some value' }
      });
      OR
      $.ajaxSetup({
          beforeSend: function(xhr) {
              xhr.setRequestHeader('x-my-custom-header', 'some value');
          }
      });
Altoro Mutual: Feedback

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Feedback

Our Frequently Asked Questions area will help you with many of your inquiries.
If you can't find your question, return to this page and use the e-mail form below.

IMPORTANT! This feedback facility is not secure. Please do not send any
account information in a message sent from here.

To: Online Banking
Your Name:
Your Email Address:
Subject:
Question/Comment:
   


A8 A5 9 352 62 6.5.9 6.5.9 164.306(a)
http://demo.testfire.net/bank/login.aspx CsrfInLoginFormDetected Low 90 Netsparker identified a possible Cross-Site Request Forgery in login form.

In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s user name and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence to the attacker’s authentication credentials. The attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account.

In this particular case CSRF affects the login form, which decreases the impact of this vulnerability significantly. Unlike normal CSRF vulnerabilities, this will only allow an attacker to exploit some complex XSS vulnerabilities; otherwise it can't be exploited.

For example:

If there is a page that is different for every user (such as "edit my profile") and vulnerable to XSS (cross-site scripting), then normally it cannot be exploited. However, if the login form is vulnerable, an attacker can prepare a special profile and force the victim to log in as that user, which will trigger the XSS exploit. Again, the attacker is still quite limited with this XSS, as there is no active session. However, the attacker can leverage this XSS in many ways, such as showing the same login form again but this time capturing and sending the entered username/password to the attacker.

In this kind of attack, the attacker will send a link containing HTML as simple as the following, in which the attacker's user name and password are attached.

<form method="POST" action="http://honest.site/login">
  <input type="text" name="user" value="h4ck3r" />
  <input type="password" name="pass" value="passw0rd" />
</form>
<script>
    document.forms[0].submit();
</script>
    

When the victim clicks the link, the form will be submitted automatically to the honest site and the exploitation is successful: the victim will be logged in as the attacker, and the consequences will depend on the website's behavior.

  • Search History

    Many sites allow their users to opt-in to saving their search history and provide an interface for a user to review his or her personal search history. Search queries contain sensitive details about the user’s interests and activities and could be used by the attacker to embarrass the user, to steal the user’s identity, or to spy on the user. Since the victim logs in as the attacker, the victim's search queries are then stored in the attacker’s search history, and the attacker can retrieve the queries by logging into his or her own account.

  • Shopping

    Merchant sites might save credit card details in the user's profile. In a login CSRF attack, when the user funds a purchase and enrolls a credit card, the credit card details might be added to the attacker's account.

Altoro Mutual: Online Banking Login

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Online Banking Login

Username:
Password:
A8 A5 9 352 62 6.5.9 6.5.9 164.306(a)
https://demo.testfire.net/feedback.aspx PassiveMixedContent Low 100 Netsparker detected a mixed content loaded over HTTP within an HTTPS page.

If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.

A man-in-the-middle attacker can intercept the request and also rewrite the response to include malicious or deceptive content. This content can be used to steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), and therefore the connection is not safeguarded anymore.

There are two technologies to defend against mixed content issues:
  1. HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (your developers place an insecure link into a secure page).
  2. Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites.

Last but not least, you can use "protocol relative URLs" to have the user's browser automatically choose HTTP or HTTPS as appropriate, depending on which protocol the user is connected with. For example, a protocol relative URL to load an image would look like <img src="//example.com/image.png">. The browser will automatically add either "http:" or "https:" to the start of the URL, whichever is appropriate.

Altoro Mutual: Feedback

A6 A3 319
http://demo.testfire.net/bank/20060308_bak/ ForbiddenResource Information 100 Netsparker identified a forbidden resource.

Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for informational purposes.

This issue is reported as additional information only. There is no direct impact arising from this issue.

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

C8
http://demo.testfire.net/ AspNetIdentified Information 90 Netsparker identified that the target website is using ASP.NET as its web application framework.

This issue is reported as extra information only.

This issue is reported as additional information only. There is no direct impact arising from this issue.

Altoro Mutual

C7 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C Base 5.3 Medium Temporal 5.1 Medium Environmental 5.1 Medium
http://demo.testfire.net/bank/ IisDirectoryListing Information 90 Netsparker identified a directory listing (IIS).

The web server responded with a list of files located in the target directory.

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.
  1. Configure the web server to disallow directory listing requests.
  2. Ensure that the latest security patches have been applied to the web server and the current stable version of the software is in use.
demo.testfire.net - /bank/


[To Parent Directory]

5/10/2015 4:25 AM <dir> 20060308_bak
11/20/2006 10:05 AM 1831 account.aspx
6/18/2015 7:41 PM 5067 account.aspx.cs
11/20/2006 10:05 AM 771 apply.aspx
11/20/2006 10:05 AM 2828 apply.aspx.cs
11/10/2006 1:20 PM 2236 bank.master
7/16/2007 8:35 AM 1134 bank.master.cs
11/20/2006 10:05 AM 904 customize.aspx
11/20/2006 10:05 AM 1955 customize.aspx.cs
7/23/2007 4:26 PM 1806 login.aspx
7/23/2007 4:27 PM 5847 login.aspx.cs
11/1/2006 8:42 PM 78 logout.aspx
7/16/2007 9:39 AM 3254 logout.aspx.cs
7/16/2007 8:21 AM 935 main.aspx
7/16/2007 9:36 AM 3951 main.aspx.cs
5/10/2015 4:25 AM <dir> members
1/12/2007 1:55 PM 1414 mozxpath.js
11/20/2006 10:05 AM 785 queryxpath.aspx
11/20/2006 10:05 AM 1838 queryxpath.aspx.cs
7/18/2007 5:13 PM 499 servererror.aspx
7/18/2007 4:13 PM 1700 transaction.aspx
6/18/2015 7:41 PM 3867 transaction.aspx.cs
7/17/2007 3:03 PM 3930 transfer.aspx
6/18/2015 7:41 PM 3505 transfer.aspx.cs
7/17/2007 2:44 PM 82 ws.asmx

A5 A6 16 548 127 C6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C Base 5.3 Medium Temporal 5.1 Medium Environmental 5.1 Medium
http://demo.testfire.net/bank/mozxpath.js EmailDisclosure Information 95

Email addresses discovered within the application can be used by both spam email engines and brute-force tools. Furthermore, valid email addresses may lead to social engineering attacks.

Use generic email addresses such as contact@ or info@ for general communications and remove user/people-specific email addresses from the website; should this be required, use submission forms for this purpose.

0 ) { return xItems[0]; } else { return null; } } Element.prototype.selectNodes = function(cXPathString) { if(this.ownerDocument.selectNodes) { return this.ownerDocument.selectNodes(cXPathString, this); } else{throw "For XML Elements Only";} } Element.prototype.selectSingleNode = function(cXPathString) { if(this.ownerDocument.selectSingleNode) { return this.ownerDocument.selectSingleNode(cXPathString, this); } else{throw "For XML Elements Only";} } }

13 200 118 C7 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base 5.3 Medium Temporal 5.3 Medium Environmental 5.3 Medium
http://demo.testfire.net/ IisVersionDisclosure Information 90 Netsparker identified a version disclosure (IIS) in the target web server's HTTP response.

This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of IIS.

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

Altoro Mutual

A6 45 205 170 164.306(a), 164.308(a) C7
https://demo.testfire.net/ HstsNotEnabled Information 95 Netsparker identified that an HTTP Strict Transport Security (HSTS) policy is not enabled.

The target website is served over both HTTP and HTTPS and lacks an HSTS policy.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as web browsers) are to interact with it using only secure HTTP (HTTPS) connections. The HSTS policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The policy specifies a period of time during which the user agent shall access the server only in a secure fashion.

When a web application issues an HSTS policy to user agents, conformant user agents behave as follows:
  • Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ is rewritten to https://example.com/some/page/ before the server is contacted, so the plaintext request that an attacker on the network could intercept or redirect is never sent.)
  • If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed or otherwise invalid), show an error and do not allow the user to click through to the web application.
]]>

Configure your web server to redirect HTTP requests to HTTPS and to send the Strict-Transport-Security header on HTTPS responses. Browsers ignore the header when it arrives over plain HTTP, so it must be set in the HTTPS virtual host. Start with a short max-age and raise it to a year only once every subdomain is reachable over HTTPS: a cached policy cannot be withdrawn from clients except by letting it expire or serving max-age=0.

For Apache, add the following to httpd.conf (both mod_headers and mod_rewrite must be loaded):

# load modules
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
 
# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>
       ServerAlias *
       RewriteEngine On
       RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
 
# HTTPS host configuration
<VirtualHost *:443>
      # Use HTTP Strict Transport Security to force clients to use secure connections only
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 
      # Further configuration (SSLEngine, certificate paths, ...) goes here
      [...]
</VirtualHost>
]]>
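The following is an added example, not part of the Netsparker report or of Apache: a small audit routine that processes a Strict-Transport-Security header the way a browser does (RFC 6797) and reports what a reviewer checks for, namely a missing header, a header delivered over plain HTTP (which browsers discard), a max-age that is zero or shorter than a year, a missing includeSubDomains, and a preload flag whose preconditions are not met. The sample responses at the bottom are constructed, not captured from demo.testfire.net.

```python
"""Audit a Strict-Transport-Security header the way a browser processes it.

Added example (not part of the scan report). Parses the header per RFC 6797
and reports the conditions a practitioner checks: header missing, header
sent only over plain HTTP (browsers ignore it there), max-age zero or too
short, includeSubDomains absent, and preload requirements not met.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the minimum the HSTS preload list requires


@dataclass
class HstsResult:
    present: bool = False
    effective: bool = False          # would a browser actually record the policy?
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive and values may be quoted."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(scheme: str, headers: dict[str, str]) -> HstsResult:
    """Evaluate HSTS for one response fetched over `scheme` with `headers`."""
    r = HstsResult()
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        r.findings.append("Strict-Transport-Security header missing")
        return r
    r.present = True
    if scheme.lower() != "https":
        r.findings.append("header received over plain HTTP; browsers ignore it")
    d = parse_hsts(value)
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        r.findings.append("max-age missing or not an integer; the header is invalid")
        return r
    r.max_age = int(d["max-age"])
    r.include_subdomains = "includesubdomains" in d
    r.preload = "preload" in d
    if r.max_age == 0:
        r.findings.append("max-age=0 tells browsers to forget the policy")
    elif r.max_age < ONE_YEAR:
        r.findings.append(f"max-age {r.max_age} is below one year")
    if not r.include_subdomains:
        r.findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if r.preload and (r.max_age < ONE_YEAR or not r.include_subdomains):
        r.findings.append("preload requires max-age of at least one year and includeSubDomains")
    r.effective = scheme.lower() == "https" and r.max_age > 0
    return r


# Constructed sample responses (not captured from the target).
SAMPLES = {
    "missing":   ("https", {"Server": "Microsoft-IIS/8.0"}),
    "over_http": ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "good":      ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short":     ("https", {"strict-transport-security": "max-age=300"}),
}


def audit_samples() -> dict[str, HstsResult]:
    return {name: evaluate_hsts(scheme, hdrs) for name, (scheme, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in audit_samples().items():
        print(f"{name:10} effective={res.effective} {res.findings}")
```

The "over_http" case is the one that catches most misconfigurations: the header is present, so a naive grep passes, but nothing is enforced because the only copy a client ever sees arrives before the redirect to HTTPS.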
]]>
]]>
C8
http://demo.testfire.net/ OptionsMethodEnabled Information 100 Netsparker detected that the OPTIONS method is allowed. This issue is reported as extra information.

]]>
The Allow header returned for an OPTIONS request lists the HTTP methods the server accepts, which gives an attacker additional information about the target system (for example whether PUT, DELETE or TRACE are enabled). ]]> Disable the OPTIONS method on all production systems unless it is actually required, for example to answer CORS preflight requests. ]]> ]]> A5 A6 14 16 107
http://demo.testfire.net/bank/login.aspx AutoCompleteEnabledPasswordField Information 100 Netsparker detected that autocomplete is enabled in one or more of the password fields.

]]>
If the user chooses to save them, values entered in these fields are stored by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as in cyber cafes or airport terminals.

]]>
  1. Add the attribute autocomplete="off" to the form tag or to individual input fields. However, since early 2014 major browsers ignore this instruction for login fields because of their integrated password managers and still offer to store the password, so the attribute is a partial control at best.
  2. Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.
]]>
First and foremost, an attacker needs either physical access to the machine or user-level code execution on it for successful exploitation. Dumping all data from a browser is fairly easy, and a number of automated tools exist for this. Where the attacker cannot dump the data, he or she could still browse recently visited websites and trigger the autocomplete feature to see previously entered values. ]]> ]]> Altoro Mutual: Online Banking Login

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Online Banking Login

Username:
Password:
]]>
A5 A6 15 16 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base 4.6 Medium Temporal 4.6 Medium Environmental 4.6 Medium
http://demo.testfire.net/ MissingXssProtectionHeader Information 100 Netsparker detected a missing X-XSS-Protection header, which means that the browser's built-in reflected-XSS filter, where one exists, is not explicitly enabled for this website.

]]>
This issue is reported as additional information only. There is no direct impact arising from this issue. Note that the header only controls the legacy XSS auditor of older browsers: Chromium removed its auditor in 2019, Firefox never implemented one, and the filter itself has been abused for cross-site information leaks, so current guidance is to rely on a Content Security Policy rather than on this header. ]]> Add the X-XSS-Protection header with a value of "1; mode=block" for the older browsers that still honour it, and deploy a Content Security Policy for the rest.
  • X-XSS-Protection: 1; mode=block
]]>
]]>
164.308(a) C9
http://demo.testfire.net/ SameSiteCookieNotImplemented Information 100 Cookies are by default attached to cross-site requests, including requests that a third-party page makes to your site, which is what makes CSRF attacks possible. The SameSite cookie attribute lets the server restrict when a cookie is sent with cross-site requests, to prevent CSRF attacks.

Same-site cookies allow servers to mitigate the risk of CSRF and information-leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain (site).

]]>
The server sets a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header:

Set-Cookie: key=value; Secure; HttpOnly; SameSite=Strict

There are three possible values for the SameSite attribute:

  • Strict
  • Lax
  • None

In Strict mode the cookie is not sent with any cross-site request, even when the user follows a link to the site from elsewhere. Lax cookies are sent only with top-level navigations that use a safe method such as GET, and not with cross-site form POSTs, subresource loads or XMLHttpRequest/fetch calls. None disables the restriction and is only honoured when the cookie also carries the Secure attribute. Chromium-based browsers have treated cookies without a SameSite attribute as Lax since 2020, but other browsers may not, so session cookies should carry an explicit SameSite attribute. SameSite is defence in depth, not a replacement for anti-CSRF tokens.

]]>
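The following is an added example, not part of the Netsparker report: it parses Set-Cookie headers, audits the attributes a reviewer looks for (SameSite, Secure, HttpOnly), and then decides, for a simplified request model, whether a browser would attach the cookie. The request model is reduced to three facts (cross-site or not, top-level navigation or not, HTTP method); it assumes the modern Chromium default of treating a missing SameSite attribute as Lax and ignores the two-minute "Lax+POST" exception. The sample headers are constructed, not captured from the target.

```python
"""Parse Set-Cookie headers and decide when a browser would attach the cookie.

Added example, not part of the scan report. The request model is simplified
to three attributes a practitioner reasons about: same-site or cross-site,
top-level navigation or subresource/XHR, and the HTTP method.
"""
from __future__ import annotations

from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str | None    # "strict", "lax", "none" or None when the attribute is absent
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax; attribute names are case-insensitive)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    samesite, secure, httponly = None, False, False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().lower()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return Cookie(name.strip(), value.strip(), samesite, secure, httponly)


def effective_samesite(c: Cookie) -> str:
    """Assumption: modern Chromium default, an absent attribute behaves as Lax.
    Older browsers treated it as None, i.e. no restriction at all."""
    return c.samesite or "lax"


def would_send(c: Cookie, cross_site: bool, top_level: bool, method: str) -> bool:
    """Would the browser attach cookie `c` to a request with these properties?"""
    if not cross_site:
        return True
    mode = effective_samesite(c)
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level and method.upper() in SAFE_METHODS
    # SameSite=None is only honoured together with Secure; otherwise the cookie is rejected
    return c.secure


def audit(c: Cookie) -> list[str]:
    """The attribute checks a reviewer applies to a session cookie."""
    findings = []
    if c.samesite is None:
        findings.append("SameSite attribute absent; relies on browser default")
    if c.samesite == "none" and not c.secure:
        findings.append("SameSite=None without Secure is rejected by Chromium-based browsers")
    if not c.secure:
        findings.append("Secure flag missing; cookie can be sent over plain HTTP")
    if not c.httponly:
        findings.append("HttpOnly missing; cookie readable from script")
    return findings


# Constructed sample headers (not captured from demo.testfire.net).
SAMPLES = {
    "legacy": "ASP.NET_SessionId=abc123; path=/",
    "strict": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "lax": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "none_insecure": "tracker=1; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        c = parse_set_cookie(header)
        csrf_post = would_send(c, cross_site=True, top_level=True, method="POST")
        print(f"{label:14} sent on cross-site POST: {csrf_post!s:5} findings: {audit(c)}")
```

The cross-site POST case is the CSRF scenario the finding is about: with Lax or Strict the session cookie stays home and the forged form submission arrives unauthenticated.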
]]>
]]>
C9
http://demo.testfire.net/default.aspx?content=personal_investments.htm SubResourceIntegrityNotImplemented Information 100 Subresource Integrity (SRI) provides a mechanism to check the integrity of a resource hosted by a third party, such as a Content Delivery Network (CDN), and verifies that the fetched resource has been delivered without unexpected manipulation.

SRI does this by hash comparison: the hash value declared in the HTML element (for now only script and link elements are supported) is compared with the hash of the resource actually fetched from the third party, and the resource is not executed or applied if they differ.

Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source, since a compromised or hijacked CDN otherwise gets full script execution in every visitor's browser.

]]>
To use Subresource Integrity, add an integrity attribute to the script (or link) tag containing a base64-encoded cryptographic hash of the expected file, and set crossorigin="anonymous" so that the browser is allowed to read, and therefore verify, the cross-origin response:

<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>

The hash algorithm must be one of sha256, sha384 or sha512, followed by a '-' character and the base64 digest. Because any change to the file breaks the hash, the attribute must be regenerated whenever the library version changes.

]]>
]]> Altoro Mutual

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Investments & Insurance

Through ongoing service, sound advice and direct access to a variety of investment products, Altoro Mutual can help you develop and reach your financial goals.

Whether you're looking for a short-term solution or a long-term investment strategy, Altoro Mutual offers a full range of account options to help you manage your investments including:

  • Brokerage Services
  • Retirement
  • Insurance
  • Private Banking
  • Wealth & Tax Services

For more information about these products, please contact Altoro Mutual.

This page was last updated on: 10/30/2006

Personal Investments
Whether you're looking for a short-term solution or a long-term investment strategy, Altoro Mutual offers a full range of account options
]]>
http://demo.testfire.net/ CspNotImplemented Information 100 Content Security Policy (CSP) is an added layer of security that mainly helps to mitigate Cross-site Scripting attacks.

CSP is enabled by instructing the browser with a Content-Security-Policy response header:

 Content-Security-Policy: script-src 'self';

or with a meta tag (frame-ancestors, report-uri and sandbox cannot be delivered this way):

<meta http-equiv="Content-Security-Policy" content="script-src 'self';"> 

The example above restricts script loading to the page's own origin. It also blocks inline script execution, both in <script> elements and in event-handler attributes, as well as eval(). These are the directives most commonly used when declaring a CSP:

  • script-src: Restricts where scripts may be loaded from to the sources you declare. By default it disables inline scripts and evaluation functions unless you permit them with the 'unsafe-inline' and 'unsafe-eval' keywords, which give up most of the protection; nonces or hashes are the preferred way to allow specific inline scripts.
  • base-uri: The base element is used to resolve relative URLs to absolute ones. This directive restricts the URLs that may be assigned to the document's base href; without it, an injected <base> tag can redirect every relative script URL on the page to an attacker's host.
  • frame-ancestors: Very similar to the X-Frame-Options header. It defines the origins that may load the page in an iframe (clickjacking protection).
  • frame-src / child-src: Both define the sources that may be loaded in an iframe on the page. frame-src was deprecated in CSP 2 in favour of child-src and reinstated in CSP 3, where child-src serves as its fallback.
  • object-src: Defines the resources that may be loaded by plugin embedding, such as Flash files and Java applets; 'none' is the usual value.
  • img-src: As its name implies, defines where images may be loaded from.
  • connect-src: Defines the allowed targets for XMLHttpRequest, fetch(), WebSocket and EventSource connections.
  • default-src: A fallback for most of the directives ending in -src. When one of the following directives is not defined, the value of default-src is used instead:
    • child-src
    • connect-src
    • font-src
    • img-src
    • manifest-src
    • media-src
    • object-src
    • script-src
    • style-src

When setting CSP directives, you can also use these CSP keywords (they must be written with the single quotes; an unquoted self is interpreted as a host named self):

  • 'none': Denies loading resources from anywhere.
  • 'self': The document's own origin (scheme, host and port).
  • 'unsafe-inline': Permits inline scripts (and, in style-src, inline styles).
  • 'unsafe-eval': Permits evaluation functions such as eval() and new Function().

In addition to the keywords, you can use a wildcard or only a scheme when defining allowed sources. The wildcard can be used for the subdomain and port portions of a URL:

Content-Security-Policy: script-src https://*.example.com;
Content-Security-Policy: script-src https://example.com:*;
Content-Security-Policy: script-src https:;

It is also possible to deploy a CSP in report-only mode instead of enforcing it immediately. During a migration you can then see which resources on the current site would violate the policy without breaking anything:

Content-Security-Policy-Report-Only: script-src 'self'; report-uri https://example.com;
]]>
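The following is an added example, not part of the Netsparker report: a small CSP matcher that implements the rules described above (the default-src fallback, the quoted keywords, host wildcards, port wildcards and scheme sources) and answers whether a given external or inline script would be allowed to run. It covers the common host-source cases and deliberately omits paths, nonces and hashes; the page origin and the policies it is run against are constructed for the example.

```python
"""Evaluate a Content-Security-Policy against candidate script loads.

Added example, not from the scan report. Implements the default-src fallback,
the quoted keywords, host and port wildcards and scheme sources for script-src.
Paths, nonces and hashes are left out on purpose; this is the core matching
a reviewer needs to reason about whether a policy is as strict as it looks.
"""
from __future__ import annotations

from urllib.parse import urlsplit

FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src",
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """'script-src 'self' https://cdn.example.com; object-src 'none'' -> dict."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins, as in browsers
    return directives


def sources_for(directives: dict[str, list[str]], name: str) -> list[str] | None:
    """Apply the default-src fallback; None means the directive is unrestricted."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"]
    return None


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]  # *.example.com does not cover example.com
    return pattern == host


def _port_matches(pattern_port: str | None, scheme: str, url_port: int | None) -> bool:
    default = {"http": 80, "https": 443, "ws": 80, "wss": 443}.get(scheme)
    actual = url_port if url_port is not None else default
    if pattern_port is None:            # no port in the source: only the scheme's default port
        return actual == default
    if pattern_port == "*":
        return True
    return str(actual) == pattern_port


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression ('self', https:, https://*.example.com:443, ...) allow `url`?"""
    u = urlsplit(url)
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.startswith("'"):          # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    if source.endswith(":") and "://" not in source:   # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = None, source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and u.scheme != scheme.lower():
        return False
    if not scheme and u.scheme not in ("https", urlsplit(page_origin).scheme):
        return False                    # schemeless source: page scheme or its secure upgrade
    return _host_matches(host, u.hostname or "") and _port_matches(port or None, u.scheme, u.port)


def script_allowed(policy: str, page_origin: str, *, url: str | None = None, inline: bool = False) -> bool:
    """Decide whether an external script at `url`, or an inline script, may run under `policy`."""
    sources = sources_for(parse_csp(policy), "script-src")
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_allows(s, url, page_origin) for s in sources)


# Constructed policy and origin for the demonstration.
POLICY = "default-src 'self'; script-src 'self' https://*.cdn.example.com; object-src 'none'"
PAGE = "https://demo.testfire.net"

if __name__ == "__main__":
    for candidate in ("https://demo.testfire.net/bank/mozxpath.js",
                      "https://static.cdn.example.com/lib.js",
                      "https://cdn.example.com/lib.js",
                      "https://evil.example/x.js"):
        print(f"{candidate:45} allowed={script_allowed(POLICY, PAGE, url=candidate)}")
    print("inline script allowed:", script_allowed(POLICY, PAGE, inline=True))
```

Two of the results are the ones that surprise people in review: a wildcard source such as https://*.cdn.example.com does not cover the bare cdn.example.com host, and a policy with no script-src at all is still governed by default-src, so "default-src 'none'" blocks every script.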
There is no direct impact from not implementing CSP on your website. However, if your website is vulnerable to a Cross-site Scripting attack, CSP can prevent successful exploitation of that vulnerability. By not implementing CSP you miss out on this extra layer of security.

]]>
  • Enable CSP on your website by sending the Content-Security-Policy HTTP response header, which instructs the browser to apply the policies you specify.
  • Make the allow-list and policies as strict as possible: avoid 'unsafe-inline' and 'unsafe-eval', set object-src 'none' and base-uri 'self', and prefer nonces or hashes for scripts that must remain inline.
  • Rescan your application to see whether Netsparker identifies any weaknesses in your policy.
]]>
]]>
]]>
]]>
C9
http://demo.testfire.net/ ReferrerPolicyNotImplemented Information 100 Netsparker detected that no Referrer-Policy header is implemented.

Referrer-Policy is a security header designed to prevent cross-domain Referer leakage.

]]>
The Referer request header tells a site which page the traffic originated from. Without a policy, the full URL of the referring page, including any sensitive data carried in its path or query string (session identifiers, password-reset tokens, account numbers), is sent to every cross-site destination the page links to or embeds.

The lack of a Referrer-Policy header may affect the privacy of users and of the site itself.

]]>
In a response header (the valid values):

Referrer-Policy: no-referrer | no-referrer-when-downgrade | same-origin | origin | strict-origin | origin-when-cross-origin | strict-origin-when-cross-origin | unsafe-url

In a META tag:

<meta name="referrer" content="no-referrer">

In an element attribute:

<a href="http://crosssite.example.com" rel="noreferrer"></a>

or

<a href="http://crosssite.example.com" referrerpolicy="no-referrer"></a>
]]>
Implement a Referrer-Policy by using the Referrer-Policy response header or by declaring it in a meta tag. It is also possible to control referrer information for an individual element through the rel="noreferrer" or referrerpolicy attribute. strict-origin-when-cross-origin is a sound default: it sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing on an HTTPS-to-HTTP downgrade. Current browsers already apply it when no policy is set, but sending it explicitly protects users of older browsers, whose default (no-referrer-when-downgrade) leaks the full URL cross-site.

    ]]>
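The following is an added example, not part of the Netsparker report: it computes the Referer value a browser sends from a source page to a destination under each Referrer-Policy value, following the referrer computation in the W3C Referrer Policy specification (credentials and fragment stripped, then origin comparison and downgrade check). The URLs are constructed and SECRET123 is a placeholder for a token carried in the source URL; the point it makes visible is which policies let that token reach a third party's logs.

```python
"""Compute the Referer header a browser sends under each Referrer-Policy value.

Added example, not part of the scan report. Implements the referrer
computation of the W3C Referrer Policy specification for a request from
`src` to `dst`: strip userinfo and fragment, then apply the policy using the
origin comparison and the HTTPS-to-HTTP downgrade check.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

MODERN_DEFAULT = "strict-origin-when-cross-origin"   # applied by current browsers when no policy is set
LEGACY_DEFAULT = "no-referrer-when-downgrade"        # what older browsers applied by default


def origin(url: str) -> str:
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"


def stripped(url: str) -> str:
    """The full referrer: userinfo and fragment removed, path and query kept."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return urlunsplit((u.scheme, f"{u.hostname}{port}", u.path or "/", u.query, ""))


def is_downgrade(src: str, dst: str) -> bool:
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"


def referer_for(policy: str | None, src: str, dst: str) -> str | None:
    """Return the Referer value for a request from src to dst; None means no header is sent."""
    policy = (policy or MODERN_DEFAULT).lower()
    same_origin = origin(src) == origin(dst)
    downgrade = is_downgrade(src, dst)
    only_origin = origin(src) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(src)
    if policy == "same-origin":
        return stripped(src) if same_origin else None
    if policy == "origin":
        return only_origin
    if policy == "strict-origin":
        return None if downgrade else only_origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped(src)
    if policy == "origin-when-cross-origin":
        return stripped(src) if same_origin else only_origin
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return stripped(src) if same_origin else only_origin
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def leaks_secret(policy: str | None, src: str, dst: str, secret: str) -> bool:
    """Does a secret embedded in the source URL reach the destination's logs?"""
    ref = referer_for(policy, src, dst)
    return ref is not None and secret in ref


# Constructed URLs; SECRET123 stands in for a password-reset or session token.
SRC = "https://bank.example/reset?token=SECRET123#step2"
DST_SAME = "https://bank.example/account"
DST_CROSS = "https://cdn.example/widget.js"
DST_HTTP = "http://tracker.example/pixel.gif"

if __name__ == "__main__":
    for policy in (LEGACY_DEFAULT, MODERN_DEFAULT, "no-referrer", "same-origin", "unsafe-url"):
        for dst in (DST_SAME, DST_CROSS, DST_HTTP):
            print(f"{policy:32} -> {dst:32} Referer: {referer_for(policy, SRC, dst)}")
```

Note that the policy only governs what the browser volunteers; a token that must not leak should not be placed in a URL in the first place, since it will still land in proxy logs, browser history and bookmarks regardless of the Referer header.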
]]>
]]>
A6 A3 200 C9
https://demo.testfire.net/ ExpectCtIsMissing Information 100 Netsparker identified that Expect-CT is not enabled.

Certificate Transparency (CT) makes it impossible, or at least very difficult, for a CA to issue a TLS certificate for a domain without the certificate becoming visible to the domain's owner, because publicly trusted certificates must be submitted to public, append-only CT logs that anyone can monitor.

Chrome requires certificates issued after 30 April 2018 to be CT-logged: a certificate that is not accompanied by CT evidence is treated as invalid and the connection is rejected. Sites must therefore serve valid Signed Certificate Timestamps (SCTs) together with the certificate, either embedded in the certificate, in a TLS extension or in a stapled OCSP response.

Expect-CT was introduced to extend this enforcement to certificates issued before the April 2018 deadline, which browsers would otherwise accept without CT evidence for the rest of their validity period. By setting the Expect-CT header, a site opted in to having unlogged (and therefore possibly misissued) certificates rejected, and optionally reported.

Caveat: the Expect-CT header is now obsolete. Every certificate it could have applied to has expired, CT enforcement is unconditional in current browsers, and Chrome dropped support for the header in 2022, so adding it to a new deployment has no effect. CT monitoring (watching the public logs for certificates issued for your domains) is the control that still matters.

]]>
The scanner's remedy is to configure your web server to respond with the Expect-CT header. Sending it is harmless, but as noted above it provides no protection in current browsers.

Expect-CT: enforce, max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL"

Note: if you do deploy it, use Expect-CT in report-only mode first. If everything goes well and your certificate is ready, switch to enforce mode. To use report-only mode, omit the enforce flag and observe the browser's behaviour with your deployed certificate.

Expect-CT: max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL"
    ]]>
]]>
]]>
C9
http://demo.testfire.net/feedback.aspx PossibleInternalWindowsPathLeakage Information 75 Netsparker identified a possible internal path disclosure (Windows) in the document.

]]>
There is no direct impact; however, this information can help an attacker identify other vulnerabilities (for example by revealing the web root for a file-inclusion or path-traversal attempt) or assist in exploiting vulnerabilities that have already been identified. ]]> Ensure this is not a false positive. Due to the nature of the issue, Netsparker could not confirm that this file path is actually a real file path on the target web server.
• Detailed error messages should be disabled in production (for ASP.NET, set customErrors mode="On" or "RemoteOnly" in web.config).
• Remove this kind of sensitive data from the output.
    ]]>
]]> Altoro Mutual: Feedback

PERSONAL SMALL BUSINESS INSIDE ALTORO MUTUAL

Feedback

Our Frequently Asked Questions area will help you with many of your inquiries.
If you can't find your question, return to this page and use the e-mail form below.

IMPORTANT! This feedback facility is not secure. Please do not send any
account information in a message sent from here.

To: Online Banking
Your Name:
Your Email Address:
Subject:
Question/Comment:

]]>
13 200 118 164.306(a), 164.308(a) C7