List of Diagnostic Tests Performed in Different Batches

The following section lists what kind of tests are performed in batches from 0 to 1. Note that not all of the information mentioned here will be present in all the scans. What gets reported in 150021 and summary depends on scan configuration and the sequence taken by the scanner.

Batch Number 0

In this phase, these tests are launched on all the web application links and parameters.

- Virtual Host Discovery

- CMS Detection

- Path manipulation

- WS Directory Path manipulation

- WS enumeration

QID

Description

150004

Path Based Vulnerability

150007

Web Application Authentication Method

150009

Links Crawled

150010

External Links Discovered

150016

Sensitive Content In HTML

150020

Links Rejected By Crawl Scope or Exclusion List

150026

 Maximum Number of Links Reached During Crawl

150027

 Session Cookie Does Not Contain the "secure" Attribute

150029

Session Cookies

150032

Session Cookie Does Not Contain The "secure" Attribute

150034

U.S. Social Security Number Pattern Identified In HTML

150035

 HTTP Basic Authentication

150045

Session Cookie Does Not Contain The "HTTPOnly" Attribute

150081

X-Frame-Options header is not set

150104

Form Contains Email Address Field

150120

 Session Cookie (Authentication Related) Does Not Contain The "secure" Attribute

150121

 Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute

150122

 Cookie Does Not Contain The "secure" Attribute

150123

Cookie Does Not Contain The "HTTPOnly" Attribute

150124

Clickjacking - Framable Page

150142

Virtual Host Discovered

150162

Use of JavaScript Library with Known Vulnerability

150195

Analysis of Swagger file

150182

Joomla CMS Version Detected

150183

Drupal CMS Version Detected

150184

WordPress Plugins Detected

150185

Joomla Plugins Detection

150186

Drupal Plugins Detection

150023

Directory Listing

150223

RichFaces Remote Code Execution Vulnerabilities

150225

 Use of Liferay Portal with Known Vulnerabilities

150231

PrimeFaces Expression Language Remote Code Execution

Batch Number from 1 to 3

In this phase, these tests are performed on the form input fields, site links and parameters.

- URI parameter manipulation

- URI blind SQL manipulation

- URI parameter time-based tests

- Form parameter manipulation

- Form blind SQL manipulation

- Form field time-based tests

QID

Description

150000

Persistent Cross-Site Scripting (XSS) Vulnerabilities

150001

Reflected Cross-Site Scripting (XSS) Vulnerabilities

150013

Browser-Specific Cross-Site Scripting (XSS) Vulnerabilities

150048

Browser-Specific Cross-Site Scripting In HTTP Header

150003

SQL Injection

150012

Blind SQL Injection

150062

Flash-Based Cross-Site Scripting (XSS)

150084    

Unencoded characters

Batch Number 4

In this phase, these tests are launched on all links and parameters.

- DOM XSS exploitation

- File Upload analysis

- HTTP call manipulation

- Open Redirect

- CSRF

- File Inclusion analysis

- Cookie manipulation

- Header manipulation

- Shell shock detector

- httpoxy detector

- Struts time-based detector

- Static Session ID

- Login Brute Force

- Insecurely served credentials forms detector

QID

Description

150002

Persistent Cross-Site Scripting (XSS) in HTTP Header

150011

 Local File Inclusion

150046

Reflected Cross-Site Scripting (XSS) in HTTP Header

150047

SQL Injection In HTTP Header

150049

Login Brute Force Vulnerability

 150051

Open Redirect

150057

Remote File Include

150069

Static Session ID

 150071

Form can be manipulated with Cross-Site Request Forgery (CSRF)

150076

DOM-Based Cross-Site Scripting (XSS)

150129

Insufficient Session Protection/Regeneration

150134

Shellshock Apache Injection

150085

Slow HTTP POST vulnerability

150156

HTTP Proxy injection (httpoxy)

 150174

Path Traversal Vulnerability

Batch Number 5

Login forms will be tested in this phase for all QIDs that ran during Batch 1-3

- URI parameter manipulation

- Form parameter manipulation

- URI blind SQL manipulation

- Form blind SQL manipulation

- Form field time-based tests

- HTTP Time Bandit

- Path XSS manipulation

- Tomcat Vuln manipulation

- Path manipulation

- Time based path manipulation

QID

Description

150231

PrimeFaces Expression Language Remote Code Execution

150117

Path-Based Cross-Site Scripting (XSS)

150179

XML External Entity (XXE) Injection

150180

XML External Entity (XXE) File Disclosure

150181

XML External Entity (XXE) File Inclusion Error

150190  

Apache Tomcat Remote Code Execution Vulnerability