July ‘18 Coverage of Detectify

Executive summary

This is an overview of the tests that Detectify will perfom during a security scan. 500+ 380+ 50+ fuzzed tests passive tests other tests

Fuzzed tests

ACME-Challenge Path Reflection XSS CVE-2017-11460: SAP NetWeaver SWF-Upload Open-Redirect DataArchivingService servlet Reflected XSS Apache Superset RCE Unix Arbitrary Command Execution CVE-2017-12615: Tomcat RCE Apache Tomcat Open Redirect User-Agent / XSS CVE-2017-12650: WordPress plugin-loganizer Apereo CAS XSS Windows HTTP-based NTLM Information Blind SQL Injection Exposure Atlassian Confluence ShareLinks SSRF CVE-2017-14619: phpMyFAQ XSS WordPress buddypress Authenticated Open Composr Plupload Flash XSS CVE-2017-15946: Joomla! com_tag SQL Injection Redirect CORS Bypass CVE-2017-17671: vBulletin routeString LFI/RCE WordPress cta XSS CVE-2006-3916: Apache Expect-Header XSS CVE-2017-8514: SharePoint XSS WordPress flashmediaelement Flash XSS CVE-2009-1975: WebLogic XSS CVE-2017-8917: Joomla! SQL Injection WordPress formidable Reflected XSS CVE-2009-2163: SiteCore XSS CVE-2017-9356: SiteCore Reflected XSS WordPress mediaelement Flash XSS CVE-2011-4106: TimThumb RCE CVE-2017-9506: Jira OAuth SSRF WWW Authenticate Bypass CVE-2012-3414: SWF-Upload Flash XSS CVE-2018-6389: WordPress Denial-of-Service Access Control Bypass CVE-2012-4000: CKEditor XSS File Upload using PUT-verb Adobe AEM DAM swfupload XSS CVE-2013-4939: Yahoo! YUI IO Flash XSS Host / XSS Adobe AEM External Entities Injection (XXE) via CVE-2014-100004: SiteCore Reflected XSS Apache JackRabbit Image Resize Denial-of-Service CVE-2014-4161: SAP NetWeaver SRM Reflected Adobe AEM Foundation player-flv-maxi XSS Jira SAML/SSO XSS XSS Adobe AEM Foundation slideshow XSS Joomla! joomanager Path Traversal CVE-2015-2065: WordPress wordpress-video- Adobe AEM Foundation strobemediaplayback gallery SQL Injection LUA Injection XSS CVE-2015-5608: Joomla! com_user Open Redirect Magento MLX extension RCE Adobe AEM Mobile User-Agent Test XSS CVE-2016-10134: Zabbix SQL Injection Microsoft Windows Arbitrary Command Adobe AEM S7SDK 2.11 XSS Execution CVE-2016-2386: SAP NetWeaver UDDI SQL Adobe AEM S7SDK 2.9 XSS Injection NGINX / WordPress HTTP Response Splitting Adobe AEM Server-Side Request Forgery (SSRF) CVE-2016-2387: SAP NetWeaver ProxyServer- NGINX Alias Path Traversal via OpenSocial Servlet Reflected XSS NGINX Path Traversal Adobe AEM swfupload XSS CVE-2016-2389: SAP xMII Path Traversal phpMyFAQ Authenticated XSS Amazon S3 Takeover CVE-2016-3976: SAP NetWeaver Directory Referer / XSS Traversal AmCharts Reflected XSS SAP NetWeaver CAFAdapterTest servlet Reflected CVE-2016-9263: XSF in FlashMediaElement AngularJS Template Injection XSS CVE-2017-10106: Oracle PeopleSoft TestServlet Apache .htaccess Exposure SAP NetWeaver ConfigServlet Arbitrary XSS Command Execution Apache AXIS Information Disclosure CVE-2017-10271: WebLogic RCE Spring Boot Actuator SSTI Apache HTTP Server /server-info Exposure

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 1 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 Apache HTTP Server /server-status Exposure CVE-2014-3704: Drupalgeddon Java Remote Code Execution Apache HTTP Server Icon Leakage CVE-2014-6271: Shellshock JBoss Unauthenticated Console Apache HTTP Server VHOST Disclosure CVE-2015-0235: GHOST check in WordPress Jira XSS via SAML SSO plugin pingback Apache Maven Disclosure Jobportals XSS CVE-2015-1397: Magento Shoplift SQL Injection Apache Struts actionErrors XSS Joomla! Backup Disclosure CVE-2015-1427: ElasticSearch RCE Apache Struts OGNL Command Injection Joomla! com_advertisementboard SQL Injection CVE-2015-2080: Jetleak Apache Struts setup in Debug-Mode Joomla! com_extrasearch SQL Injection CVE-2015-3429: WordPress Twenty Fifteen DOM Apache Tomcat Examples Cookie Disclosure Joomla! com_filecabinet SQL Injection XSS Apache Tomcat Examples Request Disclosure Joomla! com_frontpage SQL Injection CVE-2015-7297: Joomla! Unauthenticated SQL Apache Velocity XSS Injection Joomla! com_jcart SQL Injection APPSEC-1378: Magento Web API allows CVE-2015-7808: vBulletin 5.1.2 Unserialize Code Joomla! com_jdownloads SQL Injection anonymous access Execution Joomla! com_news SQL Injection ASP.NET in Debug Mode CVE-2015-8103: Jenkins Deserialization RCE Joomla! com_opencart SQL Injection Atom /.ftpconfig Information Disclosure CVE-2015-8562: Joomla! Unauthenticated RCE Joomla! com_phocadownload SQL Injection Bitrix Site Manager Log Disclosure CVE-2016-0957: Adobe AEM Felix Console Joomla! com_publication SQL Injection Blind Server Side JavaScript injection (SSJI) Exposure Joomla! com_simplemembership SQL Injection Blind SQL Injection in Microsoft SQL Server CVE-2016-10033: WordPress RCE Joomla! com_vikrentcar SQL Injection Blind SQL Injection in MySQL CVE-2016-4566: WordPress plupload.swf Flash Joomla! com_vikrentitems SQL Injection XSS Blind SQL Injection in PostgreSQL Joomla! com_webgrouper SQL Injection CVE-2016-5110: LiteSpeed HTTP Header Injection BookContent Flash XSS Joomla! Flash XSS in flashmediaelement.swf CVE-2016-6195: vBulletin SQL Injection Bower Disclosure Joomla! Security Check SQL Injection CVE-2016-8869 &: CVE-2016-8870: Joomla! CGIEmail: Path Traversal Privilege Escalation Joomla! vik SQL Injection CKEditor Samples API DOM XSS CVE-2017-5611: WordPress Content Injection Joomla! Xtec XSS CKEditor Samples Posted-Data XSS CVE-2017-5614: CGIEmail Open Redirect Jplayer XSS CKEditor Spellchecker XSS CVE-2017-5615: CGIEmail HTTP Response JWPlayer Reflected XSS CKEditor wiris Plugin XSS Splitting LDAP Injection CKFinder Disclosure CVE-2017-5616: CGIEmail XSS Local File Inclusion (LFI) Command Injection CVE-2017-5638: Apache Struts Content-Type RCE Local Username Disclosure in entropysearch.cgi Concerto XSS CVE-2017-7269: Microsoft IIS RCE Locomotive CMS XSS Core Dump Disclosure CVE-2017-8295: WordPress Unauthorized Magento Admin Panel XSS Password Reset cPanel Open Redirect Magento Admin Path Disclosure CVE-2017-9791: Apache Struts RCE CSRF Token Leakage via IFRAME Covert Channel Magento Admin Uploader XSS CVS Entries Exposure CSS based XSS &: UI-redressing Magento Backup Disclosure Django Tastypie XXE CVE-2001-1013: Apache HTTP Server Local Magento Configuration Disclosure Username Enumeration Dockerfile Disclosure Magento Customer Information Leak via RSS and CVE-2005-3299: phpMyAdmin LFI DOM based Open-Redirect Privilege Escalation CVE-2006-3918: Apache HTTP Server Expect DOM based XSS Magento Downloader / Connect Manager Header XSS DOM XSS in Grafana Disclosure CVE-2008-0252: CherryPy Path Traversal Dot PHPS Source Code Disclosure Magento Downloader XSS CVE-2009-1151: phpMyAdmin RCE Drupal Backup Disclosure Magento MAGMI Config XSS CVE-2010-2861: Adobe ColdFusion Path Traversal Drupal Database Disclosure Magento Stored XSS CVE-2011-2505: phpMyAdmin RCE Drupal error_log Disclosure Magento Unrestricted Cron Script CVE-2011-4107: phpMyAdmin XXE Eclipse build.properties Disclosure MediaWiki Backup Disclosure CVE-2012-0053: Apache HttpOnly Cookie Eclipse build.xml Disclosure Microsoft ASP.NET Remote Code Execution Disclosure EdgeCast CDN XSS Microsoft IIS Tilde File Enumeration CVE-2012-1823: Remote Code Execution Fontlist Flash XSS Microsoft IIS Tilde File Enumeration CVE-2012-1823: Remote Code Execution (Kingcope) Form Upload accept PHP Microsoft Windows Remote Command Execution CVE-2012-3414: SWFUpload Flash XSS Ganglia Open Redirect MongoDB Operator Injection CVE-2012-4000: FCKEditor XSS HelpJuice XSS Moodle Block-Accessability Open-Redirect CVE-2012-5159: phpMyAdmin server_sync Host-header XSS Moodle Flowplayer Flash XSS Backdoor HTML Injection Movable Type Backup Disclosure CVE-2013-0156: Ruby on Rails RCE HTTP OPTIONS Moxieplayer Open Redirect CVE-2013-0235: WordPress Pingback SSRF Index Backup Disclosure MyBB <:= 1.8.3 Remote Code Execution CVE-2013-0262: Rack File Disclosure Information Disclosure in unzip.php Nagios Authentication Bypass CVE-2013-1808: ZeroClipboard Flash XSS Internal IP Disclosure NextJS XSS

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 2 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 NTOPNG Reflected XSS URL based HTTP Response Splitting (HRS) WordPress instalinker XSS Open Redirect in awstats.pl URL based Open-Redirect WordPress jetpack Reflected XSS Open Redirect in TenderApp URL based SQL injection WordPress js-appointment SQL Injection OpenVPN Access Server CRLF Injection User-Agent-header XSS WordPress loco-translate Authenticated XSS OSVDB-83814: Magento XXE VBS based XSS WordPress mainwp XSS Parameter based HTTP Response Splitting (HRS) Web Cache Deception WordPress max-mega-menu Authenticated XSS Parameter based Open-Redirect WordPress ad-inserter LFI WordPress media-library-categories SQL Injection Parameter based SQL Injection WordPress adrotate SQL Injection WordPress multi-device-switcher Open Redirect Path based XSS WordPress adrotate XSS WordPress my-tickets Authenticated XSS Path Traversal WordPress all-in-one-schemaorg-rich-snippets XSS WordPress my-wp-translate Authenticated XSS Perl Remote Code Execution WordPress all-in-one-seo-pack XSS WordPress mydbr XSS Pharmacy Hack WordPress allow-php-in-posts-and-pages SQL WordPress myflash LFI Injection PHP based RCE with malicious URL rewrites WordPress myflash RFI WordPress appointments Object Injection PHP Null Session WordPress mygallery RFI WordPress apptha-slider-gallery LFI PHP Object Injection WordPress nelio-ab-testing Path Traversal WordPress apptha-slider-gallery SQL Injection PHP Remote Code Execution WordPress nextgen SQL Injection WordPress booking Authenticated XSS phpMyAdmin File Disclosure WordPress ninja-forms Authenticated XSS WordPress bridge DOM XSS phpMyAdmin Unauthenticated Access WordPress odihost-newsletter SQL Injection WordPress caldera-forms Flash XSS Proxy Server via CONNECT-verb WordPress Open Redirect WordPress contus-hd-flv-player SQL Injection Proxy Server via Host-header WordPress oqey-headers SQL Injection WordPress couponer SQL Injection Python Eve Werkzeug RCE WordPress participants-database XSS WordPress cp-multi-view-calendar SQL Injection Python Flask/Werkzeug RCE WordPress photoracer SQL Injection WordPress cp-multi-view-calendar XSS Python Object Transformation WordPress pica-photo-gallery SQL Injection WordPress crayon-highlight XSS Query based XSS WordPress pinfinity XSS WordPress crelly-slider Authenticated XSS Referer-header XSS WordPress Plugin 404 to 301 Unauthenticated WordPress dm-albums RFI Stored Cross-Site Scripting (XSS) Reflected Flash XSS WordPress dsubscribers SQL Injection WordPress pootle-button Authenticated XSS Reflected XSS WordPress duplicate-page Authenticated XSS WordPress popup-by-supsystic Authenticated XSS Reflected XSS in cshopcart.cgi WordPress easy-contact-form-lite SQL Injection WordPress pretty-link Authenticated XSS Reflected XSS in FusionCharts WordPress easy-social-share-buttons XSS WordPress proplayer SQL Injection Reflected XSS in FusionCharts3 WordPress enhanced-tooltipglossary XSS WordPress registrationmagic Object Injection Reflected XSS in FusionWidgets WordPress esig-redirect-after-signing XSS WordPress revolution-slider LFI Reflected XSS in Ganglia WordPress evarisk SQL Injection WordPress robo-gallery RCE Reflected XSS in hazel.cgi WordPress event-espresso Blind SQL Injection WordPress Rosetta Flash XSS Reflected XSS in hyperseek.cgi WordPress ewww-image-optimizer RCE WordPress search-autocomplete SQL Injection Reflected XSS in JW-Player WordPress facebook-opengraph-meta-plugin SQL WordPress search-everything (<:= 8.1.6) SQL Reflected XSS in PowerCharts Injection Injection Reflected XSS in testcgi.exe WordPress faq-wd XSS WordPress simple-membership Authenticated XSS Relative Path Overwrite (RPO) WordPress file-groups SQL Injection WordPress smush LFI Remote File Inclusion (RFI) WordPress firestats XSS WordPress sniplets RFI Rosetta Flash XSS WordPress flickr-gallery Object Injection WordPress soundcloud-is-gold XSS Server Side Includes (SSI) WordPress flickr-picture-backup RFI WordPress spider-event-calendar Blind SQL Server Side Template Injection Injection WordPress fluid-responsive-slideshow XSS SharePoint XSS WordPress spiffy-calendar XSS WordPress forum-server SQL Injection ShareThis XSS WordPress stop-user-enumeration Bypass WordPress gadgetry XSS SSH Private Key Exposure WordPress stream Unauthenticated Events Export WordPress gallery-album Authenticated SQL SWFUpload Open Redirect Injection WordPress super-captcha SQL Injection Teamcity ZeroClipboard Flash XSS WordPress gallery-video SQL Injection WordPress theme-my-login Authentication Bypass TYPO3 Flash Player XSS WordPress github-btn XSS WordPress Plugins using TimThumb TYPO3 Flowplayer Flash XSS WordPress global-content-blocks SQL Injection WordPress tracking-code-manager XSS TYPO3 SVG XSS WordPress google-pagespeed-insights WordPress ultimate-form-build Authenticated SQL TYPO3 SWF-Upload XSS Authenticated XSS Injection Unauthenticated / Exposed Memcache WordPress gotmls Authenticated XSS WordPress ultimate-form-builder-lite XSS Unix Remote Command Execution WordPress grand-media XSS WordPress ungallery LFI Uploadify Flash XSS WordPress gtranslate Open Redirect WordPress upm-polls SQL Injection WordPress image-export LFI WordPress userpro XSS

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 3 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 WordPress videojs-html5-video-player-for- Ruby RCE Injection wordpress XSS HubSpot Open Redirect CVE-2018-7178: Joomla! saxumpicker SQL WordPress wd-instagram-feed XSS Injection CVE-2012-0053: Apache HttpOnly Cookie WordPress webplayer SQL Injection Disclosure CVE-2018-7179: Joomla! squadmanagment SQL Injection WordPress woocommerce SQL Injection CVE-2016&ndash:3714: ImageTragick CVE-2018-7179: Joomla! saxumnumerology SQL WordPress woocommerce-pdf-invoices-packing- CVE-2016-8869 &: CVE-2016-8870: Joomla! Injection slips Authenticated XSS Privilege Escalation CVE-2018-7180: Joomla! saxumastro SQL WordPress wordpress-donation-plugin SQL CVE-2002-1717: Microsoft FrontPage Information Injection Injection Exposure Joomla! ekrishta SQL Injection WordPress wordpress-video-gallery SQL Injection CVE-2014-4663: TimThumb RCE CVE-2018-7315: Joomla! ekrishta SQL Injection WordPress wordtube RFI CVE-2011-4106: TimThumb RCE Evoluted XSS WordPress wp-database-backup RCE WordPress Registration Enabled CVE-2007-2440: Caucho Resin Path Traversal WordPress wp-ds-faq SQL Injection WordPress mgl-instagram-gallery XSS EPiServer XXE WordPress wp-hide-security-enhancer LFI WordPress revslider Path Traversal EPiServer API XSS WordPress wp-members Authenticated XSS WordPress Themes using TimThumb CVE-2015-1427: ElasticSearch RCE WordPress wp-menu-creator SQL Injection UnZIP Path Traversal Citrix XenMobile XXE WordPress wp-mobile-detector RCE WordPress download-monitor Log Exposure Caddy Open Redirect WordPress wp-special-textboxes Authenticated WordPress gadgetry-parent XSS XSS CVE-2015-8398: Atlassian Confluence Reflected CVE-2014-5465: WordPress force-download Path XSS WordPress wp-symposium SQL Injection Traversal Atlassian Confluence status-list XSS WordPress wp-table RFI CVE-2017-16842: WordPress wordpress-seo XSS Atlassian Confluence Enterprise Wiki XSS WordPress wp-ultimate-form-builder SQL CVE-2015-2065: WordPress video-gallery SQL Injection Injection Adobe AEM Default Credentials WordPress wpdiscuz XSS WordPress webplayer SQL Injection Liferay Portal SSRF WordPress wpforum SQL Injection WordPress theme-my-login Authentication CVE-2018-9205: Drupal avatar_uploader Path Bypass Traversal WordPress wpml XSS CVE-2017-16562: WordPress userpro CVE-2018-7600: Drupal RCE (Drupalgeddon 2) WordPress wpml XSS Authentication Bypass Laravel Log Path Traversal WordPress XCloner - Backup and Restore LFI CVE-2017-15919: WordPress ultimate-form- CVE-2018-8947: Laravel Log Path Traversal WordPress xcloner-backup-and-restore XSS builder-lite SQL Injection CVE-2017-12629: Apache Solr RCE WPVDB-7019: WordPress alo-easymail XSS WordPress caldera-forms Flash XSS ASP-Nuke Open Redirect WPVDB-8190: WordPress alo-easymail XSS CVE-2018-7543: WordPress duplicator XSS CVE-2015-1164: Node serve-static Open Redirect WPVDB-8544: WordPress wp-live-chat-support CVE-2017-17092: WordPress Authenticated XSS XSS CVE-2017-9841: PHP-Unit RCE CVE-2016-6195: vBulletin SQL Injection WPVDB-8568: WordPress colorway XSS SAP B2B/B2C CRM LFI CVE-2017-5966: SiteCore Reflected XSS WPVDB-8585: WordPress aryo-activity-log XSS VideoJS Flash XSS Sitecore Open Redirect XPATH Injection Clipboard Flash XSS Preemtech XSS XSS via TRACE-verb CopyToClipboard Flash XSS CVE-2017-3546: Oracle PeopleSoft IMServlet SSRF XSS via TRACK-verb CVE-2013-1636: Open Flash Chart XSS CVE-2014-4210: Oracle WebLogic SSRF YaBB Open Redirect Microsoft IIS Tilde File Enumeration CVE-2017-10246: Oracle E-Business Suite SSRF YaBB Reflected XSS CVE-2017-3549: Oracle EBS SQL Injection Zabbix SQL Injection CVE-2016-0457: Oracle E-Business XXE External Link using ":target _blank": One2Com Blind SQL-Injection CVE-2016-9263: XSF in FlashMediaElement CVE-2014-3744: NodeJS Directory Traversal XSF in Moxie MyDBR Path Traversal Expect / XSS Magento Invoice IDOR Host Header Poisoning Kirby CMS Path Traversal Edge Side Includes Kentico CMS XSS Parameter-based SSRF CVE-2014-7981: Joomla! SQL Injection Boolean-Based SQL Injection CVE-2018-6582: Joomla! zhgooglemap SQL Python RCE Injection Blind Unix-based Arbitrary Command Execution CVE-2018-7318: Joomla! checklist SQL Injection Unix Arbitrary Command Execution CVE-2018-7312: Joomla! abook SQL Injection Ruby Path Traversal CVE-2018-7314: Joomla! prayercenter SQL

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 4 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 Passive tests

Adminer Exposure Plesk Test Page Exposure X-Frame-Options / Reflecting Referer-Header AdRoll CSP Bypass Prometheus Alertmanager Exposure X-XSS-Protection / Disabled Auditor Ansible Tower Exposure Prometheus Exposure X-XSS-Protection / Invalid Directive Apple .DS_Store Directory Listing Prometheus Information Disclosure X-XSS-Protection / Missing Header Atom Synchronization Exposure Prometheus Metrics Disclosure Adobe AEM CQ5 Custom Scripts Exposure Bitrix Path Disclosure README.md Disclosure Adobe AEM CQ5 JsonRendererServlet Exposure CKEditor AJAX-File-Manager Exposure Referrer-Policy / Invalid Directive Adobe AEM CQ5 Package Manager Exposure CKEditor Samples API DOM XSS #1 Referrer-Policy / Missing Header Adobe AEM CQ5 Query-Builder Exposure CKEditor Samples API DOM XSS #2 Rocket Chat NoSQL Injection Adobe AEM CRX Browser Exposure CORS Wildcard Policy SAP ICF Information Exposure Adobe AEM CRX DE Console Exposure CVE-2017-1001000: WordPress Content Injection Script Integrity Attribute Not Implemented Adobe AEM CRX Explorer Console Exposure / Authentication Bypass SnoopServlet Information Exposure Adobe AEM CRX Namespace Editor Exposure CVE-2017-12149: Potential JBoss RCE Spring Boot Actuator /trace Adobe AEM CRX Package Manager Exposure CVE-2017-14725: WordPress Open Redirect SSH .known_hosts Exposure Adobe AEM CRX Statistics Exposure CVE-2017-16510: WordPress SQL Injection Strict-Transport-Security / Invalid Directive Adobe AEM Disk Usage Information Disclosure CVE-2017-5611: WordPress 4.7.0 &: 4.7.1 Strict-Transport-Security / Low Timeout Adobe ColdFusion Admin Panel Disclosure Authentication Bypass Strict-Transport-Security / Missing Header Adobe ColdFusion Source Code Disclosure Dropwizard Exposure Strict-Transport-Security / Served via HTTP Adobe ColdFusion Stack Trace Drupal Username Enumeration WebLogic Console Exposure Apache Solr EPiServer Image Resizer Exposure WordPress caldera-forms Authenticated XSS Application Serving Empty Documents Exposure of /.mysql_history WordPress Database Exposure ASP.NET Source Code Disclosure Exposure of /.pgsql_history WordPress duplicate-page 2.3 Authenticated XSS ASP.NET Stack Trace Exposure of /.sqlite_history WordPress duplicate-page 2.4 Authenticated XSS AWStats Open Access Fantastico Filename Listing WordPress duplicator Stored XSS Caddy Directory Listing Frames Lacking Sandbox Attribute WordPress file-manager Exposure Content-Security-Policy Bypass GitLab CI Configuration Exposure WordPress functions.php Full Path Disclosure Content-Type-Options Google Ads CSP Bypass WordPress hrm Authenticated SQL Injection Cookie lacking HttpOnly-flag Google Analytics CSP Bypass WordPress instagram-feed Authenticated XSS Cookie lacking Secure-flag Google cAdvisor Exposure WordPress invite-anyone Object Injection CSRF via GET-verb Hadoop Namenode Exposure WordPress ninja-forms 3.1.8 Authenticated XSS CSRF via Login Form HasiCorp Consul Exposure WordPress ninja-forms 3.2.12 Authenticated XSS CVE-2011-4969: jQuery XSS HTML Comments WordPress qards SSRF CVE-2013-6837: jQuery prettyPhoto XSS Jaeger UI Exposure WordPress shortcodes-ultimate Authenticated CVE-2014-1869: ZeroClipboard Flash XSS jQuery Mobile 1.2 XSS Command Execution CVE-2016&ndash:3714: ImageTragick jQuery Mobile XSS WordPress simple-login-log SQL Injection Database Error Message Disclosure Kubernetes Console Exposure WordPress tablespress Authenticated XXE DC-2017-04-003: Magento RCE Lacking Redirect to HTTPS WordPress upme Authentication Bypass Deprecated Drupal Lynk Zipper Information Disclosure WordPress userpro Authentication Bypass Deprecated JavaScript Framework Microsoft SharePoint files Disclosure WordPress wordcamp CSV Formula Injection Deprecated Joomla! Version Microsoft SharePoint layouts Disclosure WordPress wordpress-seo XSS Deprecated Version of Microsoft Windows Microsoft SharePoint lists-api Disclosure WordPress work-the-flow-file-upload Arbitrary Deprecated WordPress Microsoft SharePoint master-page Disclosure File Upload Directory Listing Enabled Microsoft SharePoint site-collection Disclosure WordPress wp-all-import XSS Disclosure of .cer File Microsoft SharePoint site-pages Disclosure WordPress wp-custom-fields-search XSS Disclosure of .cert File Mixpanel CSP Bypass WordPress wpforms-lite Authenticated XSS Disclosure of .cfg File Node Exporter Exposure WordPress wp-support-plus-responsive-ticket- system CSRF/RCE Disclosure of .conf File Node.JS Source Code Exposure X-Content-Type-Options / Invalid Directive Disclosure of .config File Oracle WebLogic Admin Console Exposure X-Content-Type-Options / Missing Header Disclosure of .crt File Oracle WebLogic T3 Enabled X-Frame-Options / Invalid Directive Disclosure of .pem File phpMyAdmin Exposure X-Frame-Options / Lacking Header Disclosure of .pfx File phpMyAdmin Lacking Authentication X-Frame-Options / Reflecting Host-Header E-Mail Address Disclosure Piwik Exposure

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 5 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 Embedded JavaScript in PDF Magento Admin Panel Disclosure SVN Database Disclosure Embedded Metadata in Graphics Magento Package Disclosure SVN Entries Disclosure Embedded Metadata in PDF Mercurial Branch-file Disclosure Swagger Disclosure Environment Variable Disclosure Mercurial Requires-file Disclosure Symfony Debug Toolbar Exposure Environment Variable Disclosure in /.env Microsoft Exchange IP Disclosure Tomcat Default Files Environment Variable Disclosure in cgiscript.cgi Microsoft IIS /elmah.axd Information Disclosure Tor Hostname File Disclosure Environment Variable Disclosure in info.cgi Microsoft IIS /trace.axd Information Disclosure Tor Private Key Disclosure Environment Variable Disclosure in printenv.cgi Microsoft IIS /web.config Disclosure Travis-CI Config Disclosure Environment Variable Disclosure in test.cgi Microsoft SharePoint all-items Disclosure Typo-Squatting XSS EPiServer .NET Version Disclosure Microsoft SharePoint all-pages Disclosure Ultimate Bulletin Board Email Disclosure EPiServer Logout CSRF Microsoft SharePoint all-sites-content Disclosure Unauthenticated Access to Xymon Evaluation of /humans.txt MIME text/html set for invalid HTML Unauthenticated Apache Solr Evaluation of /manifest.json Missing Content-Type Unauthenticated Ganglia Evaluation of /robots.txt Mixed Content Unauthenticated JBoss JMX Console Evaluation of clientaccesspolicy.xml MS15-034: Range-header Integer Overflow Unencrypted Basic Authentication Evaluation of crossdomain.xml NGINX Status Disclosure Unencrypted Login Form Execution After Redirect (EAR) NPM /npm-debug.log Disclosure Vulnerable JavaScript Frameworks eXist Unauthenticated Access NPM /package.json Disclosure Wildcard Cookie Exposed S3CMD Attributes Open Instance of PHPSysInfo WooCommerce Electro Electronics Store CSRF Exposed Selenium Grid Configuration Open Spring Boot Actuator Information Leakage WordPress Authenticated Open-Redirect Express Stack Trace Oracle Weblogic Admin Console Disclosure WordPress Backup Disclosure External Link using ":target _blank": PHP /composer.json Disclosure WordPress backup-with-restore Database Disclosure Form Action lack proper Cache-Control Directive PHP /composer.lock Disclosure WordPress backwpup Backup Disclosure Form Lacking CSRF Token PHP Configuration Disclosure WordPress clean-login CSRF FrontPage Information Exposure PHP Debug Array via print_r(): WordPress Content Injection Full Path Disclosure Vulnerability Hubspot PHP Easter Egg WordPress Debug Log Disclosure Git /.git/config Disclosure PHP Error-log Disclosure WordPress download-monitor Unauthenticated Git /.git/HEAD Disclosure PHP Laravel Stack Trace Log Download Git /.git/index Disclosure PHP phpinfo()-Disclosure WordPress error_log Disclosure Git /.gitignore Disclosure PHP Source Code Disclosure WordPress fluid-responsive-slideshow CSRF Golang Godeps Disclosure PHP Stack Trace WordPress Full Path Disclosure Golang Stack Trace PHP Symfony Debug Toolbar WordPress ninjaforms Arbitrary File Upload Grunt Disclosure PHP Zend Stack Trace WordPress ninjaforms Nonce Leakage Gulp Disclosure Piwik Error Information Disclosure WordPress ninjaforms Unauthenticated HAProxy Statistics Disclosure Proxy Judge Information Disclosure Tampering Heroku Procfile Disclosure Public Cacti Instance WordPress plugin-organizer CSRF HTML comments Public Predis Example Files WordPress Setup Script Identified HTML using External Resources Publicly exposed Webalizer Interface WordPress Theme Database Disclosure HTTP Stripping Python Django Admin Panel WordPress use-any-font CSRF Information Disclosure of sftp-config.json Python Django Stack Trace WordPress Username Enumeration via author- Information Disclosure via /.bash_history Python Source Code Disclosure parameter Java Source Code Disclosure Python Stack Trace WordPress Username Enumeration via REST API Java Stack Trace Python Werkzeug Debug Console WordPress whizz CSRF Jetbrains Data Sources Disclosure Roxy File Manager Open Access WordPress wp-fastest-cache CSRF Jetty Config Disclosure Ruby /Gemfile Disclosure WordPress wp-include/wp-db.php Exposure jQuery CORS Requests may lead to XSS Ruby on Rails /info/properties/ Disclosure WordPress xcloner-backup-and-restore phpinfo() Information Disclosure jQuery Migrate Selector Degredation Ruby on Rails /info/routes/ Disclosure WordPress youtube-embed-plus CSRF jQuery Migrate Selector Manipulation Ruby on Rails CSRF Token Leakage WPVDB-8390: WordPress alo-easymail CSRF jQuery Migrate XSS Ruby on Rails Object Transformation WPVDB-8392: WordPress alo-easymail CSRF jQuery prettyPhoto Selector Injection Ruby Source Code Disclosure WPVDB-8487: WordPress YoastSEO Data jQuery prettyPhoto XSS Sensitive Data Disclosure in JSON Exposure jQuery Selector Injection Sensitive Form using Plaintext HTTP Zend application.ini Exposure KCEditor Filemanager Unauthenticated Access Serve Static 1.7.0 Open Redirect Sensitive Token Disclosure Login submits via GET SSL BREACH Admin Panel Exposure Lua Stack Trace SSL Private Key Disclosure Slack API Key Disclosure

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 6 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 Execution After Redirect (EAR) Xymon Exposure Deletion Application Serving Empty Documents WordPress bridge DOM XSS WordPress error_log Disclosure MIME text/html set for invalid HTML WordPress youtube-embed-plus CSRF CVE-2018-11409: Splunk Information Disclosure Missing Content-Type WPVDB-8487: WordPress Yoast-SEO Data Perl Source Code Disclosure Exposure Unencrypted Basic Authentication MediaWiki Information Disclosure WordPress wpforms-lite Authenticated XSS Amazon API-Key Disclosure Magento Follow Up Email SQL Injection WordPress woocommerce-pdf-invoices-packing- Facebook OAuth Token Disclosure Indico Information Exposure slips Authenticated XSS GitHub API Key Disclosure ElasticSearch Exposure WordPress tracking-code-manager XSS Google OAuth Token Disclosure Atlassian Bitbucket Authentication Bypass WordPress wp-stream Unauthenticated Export Heroku API Key Disclosure Mutt Configuration Exposure WordPress spider-event-calendar Blind SQL Twitter OAuth Token Disclosure Injection CVE-2018-7602: Drupalgeddon3 Database Error Message Disclosure WordPress wp-database-backup RCE Laravel Log Exposure Directory Listing Enabled WordPress wordcamp-talks Formula Injection Apache Tomcat Status Exposure E-Mail Address Disclosure WordPress ultimate-form-builder-lite Apache Spark Exposure Express Stack Trace Authenticated SQL Injection Apache Hadoop Exposure Evaluation of /hackers.txt WordPress ultimate-form-builder-lite XSS Yii Debugger Exposure Spring Boot Configuration Exposure WordPress wp-support-plus-responsive-ticket- WS-FTP Exposure system Autenticated RCE Spring Boot Beans Exposure Adobe Dreamweaver Information Disclosure WordPress caldera-forms Authenticated XSS Spring Boot Environment Exposure PGP Private Key Disclosure WordPress upme Authentication Bypass Spring Boot Mapping Exposure SVN Database Disclosure CVE-2017-10889: WordPress tablespress WordPress Automatic Updates Disabled SVN Entries Disclosure Authenticated XXE WordPress Configuration Exposure Bazaar Repository Exposure WordPress ninjaforms Unauthenticated WordPress revslider Fingerprinting Tampering Evoluted Directory Listing PHP Configuration Disclosure WordPress ninjaforms Arbitrary File Upload Bitcoin Wallet Exposure PHP APC Exposure WordPress ninjaforms Nonce Leakage Exposed S3CMD Attributes PHP Proberv Exposure WordPress gravity-forms Debug Log Exposure Content-Security-Policy / Lacking Header PHP Coredumps Exposure CVE-2018-12895: WordPress Authenticated File

SSL tests

CVE-2017-9798: Apache Optionsbleed Expiring SSL Certificate SSL Certificate Signed using an Untrusted Root CVE-2011-3389: SSL BEAST Server uses SSLv2 SSL Certificate Signed with 1024-bits Key Length CVE-2012-4929: SSL CRIME Server uses SSLv3 SSL Certificate Signed with 512-bits Key Length CVE-2014-0160: SSL Heartbleed Server uses TLS 1.0 SSL Certificate Signed with Weak Hashing Algorithm CVE-2014-8730: SSL POODLE SSL Certificate bundled with Subject Alternative SSL Expired Certificate Names (SAN) CVE-2015-0204: SSL FREAK SSL is Lacking SSL Certificate Information CVE-2015-4000: SSL Logjam SSL using Deprecated Ciphers SSL Certificate is Revoked CVE-2016-0800: SSL DROWN SSL using Weak Ciphers SSL Certificate is Self-Signed CVE-2016-2107: SSL LuckyNegative20 CVE-2017-15361: SSL ROCA SSL Certificate Signed for other Domain CVE-2017-15361: SSL ROCA SSL Certificate Signed for Partial Domains DNS tests

NSEC Walking Domain Takeover Same Site Scripting DNS DMARC Name Server Recursive Lookups DNS Reserved Range DNS SPF 10-Request Limit Name Server Replying with Invalid DNS Status Domain Takeover / DNS Hijacking DNS SPF Evaluation Name Server Single Record DNS Zone-Transfer Name Servers on Redundant Networks DNSSEC CVE-1999-0532: DNS Zone Transfer Domain Serving Internal Addresses Same Network Scripting

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 7 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084 Third party tests

JavaScript served from Untrusted Parties SSL Blacklist VirusTotal File Scan VirusTotal URL Scanning Slack Webhook Exposure Google Groups Exposure GitLab Public Repository Exposure

Other

Forced Browsing

• Custom made tests available upon customer request, could include zero days.

• New tests added frequently sourced via Detectify Crowdsource

• Please note that this overview does not include all Detectify tests.

Detectify AB, Långholmsgatan 34, 117 33 / Stockholm,Sweden. 8 Mail: [email protected] / Twitter: @detectify / Facebook: Detectify / Org number: 556985-9084