• Name: Web Browser XSS Protection Not Enabled
• ID: 9c4519393a386927e5c7ba316f645530
• Affected Hosts: ['https://kolyaak.github.io/robots.txt']
• Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
• First seen: 2018-02-01 10:36:21
• Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
• Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/9c4519393a386927e5c7ba316f645530

Details

• ID: 722125a3b5759c8ecdf18a549b5564e4
• Affected Hosts: 129.9.9.1
• First seen: 2014-02-91

Description

Dummy Description

Recommendation

rm -rf

• Name: Web Browser XSS Protection Not Enabled
• ID: 9c4519393a386927e5c7ba316f645530
• Affected Hosts: ['https://kolyaak.github.io/robots.txt']
• Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
• First seen: 2018-02-01 10:36:21
• Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
• Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/9c4519393a386927e5c7ba316f645530

• Name: Buffer Underflow
• ID: bc6839967ebf463d34d1d81af246362b
• Affected Hosts: 129.9.9.1
• Description: Dummy Description
• First seen: 2014-02-91
• Recommendation: rm -rf
• Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/bc6839967ebf463d34d1d81af246362b

• Name: Web Browser XSS Protection Not Enabled
• ID: 9c4519393a386927e5c7ba316f645530
• Affected Hosts: ['https://kolyaak.github.io/robots.txt']
• Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
• First seen: 2018-02-01 10:36:21
• Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
• Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/9c4519393a386927e5c7ba316f645530

• Name: SQL Injection
• ID: 341a6688c2628376f945e0e1d6aa9976
• Affected Hosts: ['http://testphp.vulnweb.com/listproducts.php?cat=3+AND+1%3D1+--+']
• Description: SQL injection may be possible.
• First seen: 2018-06-08 09:27:40
• Recommendation: Do not trust client side input, even if there is client side validation in place.
  In general, type check all data on the server side.
  If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'
  If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
  If database Stored Procedures can be used, use them.
  Do not concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
  Do not create dynamic SQL queries using simple string concatenation.
  Escape all data received from the client.
  Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.
  Apply the principle of least privilege by using the least privileged database user possible.
  In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
  Grant the minimum database access that is necessary for the application.
• Source Link: https://staging.horangi.com/storyfier/detect/f67ba203-0e81-4164-a8d1-633d7e74c1a7/341a6688c2628376f945e0e1d6aa9976

• Name: Cross Site Scripting (Reflected)
• ID: 91ba0e4256917848be0f66f8656d0302
• Affected Hosts: ['http://testphp.vulnweb.com/hpp/?pp=javascript%3Aalert%281%29%3B']
• Description: Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
  When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

• First seen: 2018-06-08 08:13:00
• Recommendation: Phase: Architecture and Design
  Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

• Source Link: https://staging.horangi.com/storyfier/detect/f67ba203-0e81-4164-a8d1-633d7e74c1a7/91ba0e4256917848be0f66f8656d0302

• Name: Incomplete or No Cache-control and Pragma HTTP Header Set
• ID: 43464f832990755a31f0e703312c6fa7
• Affected Hosts: ['https://kolyaak.github.io/']
• Description: The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.
• First seen: 2018-02-01 10:36:21
• Recommendation: Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.
• Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/43464f832990755a31f0e703312c6fa7

• Name: Cross Site Scripting (Reflected)
• ID: d30897d254d77aa38277157e43cc5995
• Affected Hosts: ['http://testphp.vulnweb.com/listproducts.php?artist=%3C%2Fdiv%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cdiv%3E']
• Description: Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
  When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

• First seen: 2018-06-08 08:13:00
• Recommendation: Phase: Architecture and Design
  Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

• Source Link: https://staging.horangi.com/storyfier/detect/f67ba203-0e81-4164-a8d1-633d7e74c1a7/d30897d254d77aa38277157e43cc5995

Risk: critical

Description

It was discovered that "Read" privilege was granted to "Everyone" for one or more AWS S3 buckets.

Providing "Read" privilege to "Everyone" in the AWS S3 bucket allows anyone from the public Internet to list and read all objects stored within the bucket.

Implication

An attacker could leverage this privilege to dump all file objects stored within this bucket and steal any sensitive data that might be unintentionally left behind. This could impact the confidentiality of data and, depending on the criticality and sensitivity of the data, it could result in reputational damage or non-compliance to regulatory requirements your company is subject to.

Recommendation

It is recommended that the S3 Bucket Permissions are set based on least privilege principle. You should not set "Everyone" to have "Read" privilege unless there is a need to give public access to the S3 Bucket.

If there is a need to share the bucket publicly, it should be reviewed thoroughly and ensure there are no sensitive data in it.

Remediation Steps:

1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3/
2. Select the S3 bucket that needs to be updated.
3. Click the Permissions tab.
4. Click Access Control List.
5. Under the Public access header click Everyone option and do the following:
   i. Untick List objects under the Access to the objects section.
6. Click Save.

S3 Bucket Read privilege for everyone has now been removed.

Parameters

Account gid: 410801124909

Region: global

Resource type : S3 Bucket

Resources

   - {'id': 'tgr-hire-devops-test', 'gid': 'arn:aws:s3:::tgr-hire-devops-test', 'notes': None}

Related Resources

None

Horangi detected this issue on 2019-04-14 08:52:59.998002

Risk: high

Description

In addition to being obtuse from a syntax perspective, function constructors
are also dangerous: their execution evaluates the constructor's string
arguments similar to the way eval works, which could expose your program to
random, unintended code which can be both slow and a security risk.

In general it is better to avoid it altogether, particularly when used to
parse JSON data. You should use ECMAScript 5's built-in JSON functions or a
dedicated library.

Noncompliant Code Example

var obj =  new Function("return " + data)();  // Noncompliant

Compliant Solution

var obj = JSON.parse(data);

Exceptions

Function calls where the argument is a string literal (e.g. (Function('return this'))()) are ignored.

Recommendation

Review this "Function" call and make sure its arguments are properly validated.

Code

Link : https://gitlab.com/reyesreg/react-todo/blob/89aa7360990ded17a76364355a35df86d7eee9dc/dist/bundle.js#L31199

Author: [email protected]

Horangi detected this issue on 2019-04-12 10:15:15.713348

• Name: Web Browser XSS Protection Not Enabled
• ID: 9c4519393a386927e5c7ba316f645530
• Affected Hosts: ['https://kolyaak.github.io/robots.txt']
• Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
• First seen: 2018-02-01 10:36:21
• Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
• Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/9c4519393a386927e5c7ba316f645530