Overall screenshot of the issues found by the AWVS security scan:

Scan Thread 1 (http://192.168.0.222:8080) Finished (46 alerts)
Web Alerts (46)
- Directory traversal in Spring framew...: /css/login.css
- Vulnerable Javascript library (1): /js/jquery-1.7.2.min.js
- Weak password (1): /login
- Apache JServ protocol service (1): Server
- HTML form without CSRF protection: /login, /skysafe/index
- Slow Denial of Service Attack (1): Web Server
- User credentials are sent in clear te...: /login, /skysafe/index
- Clickjacking: X-Frame-Options heade...
- Cookie without HttpOnly flag set (1)
- Cookie without Secure Flag set (2)
- Login page password-guessing attac...
- Content type is not specified (22)
- GHDB: Apache Tomcat Error messag...
- Password type input with auto-comp...
Knowledge Base (5)
Site Structure

Number of issues

Acunetix Threat Level 3
Level 3: High
One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website.
Total alerts found: High, Medium, Low, Informational

High-severity vulnerability, screenshot 1:
Attack details
Time difference between connections: 9968 ms

Medium-severity vulnerability, screenshot 5:
User credentials are sent in clear text (medium)
Vulnerability description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
This vulnerability affects /login.
Discovered by: Crawler.
Attack details
Form name:
Form action: http://192.168.0.222:8080/login
Form method: POST
Form inputs:
- username (Text)
- password (Password)

Medium-severity vulnerability, screenshot 6:
User credentials are sent in clear text (medium)
Vulnerability description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
This vulnerability affects /skysafe/index.
Discovered by: Crawler.
Attack details
Form name:
Form action: http://192.168.0.222:8080/skysafe/index
Form method: POST
Form inputs:
- username (Text)
- password (Password)
- btnLogin (Submit)

Directory traversal in Spring framework (high)
Vulnerability description
A directory traversal vulnerability was reported in the Spring framework related to static resource handling. Some URLs were not sanitized correctly before use, allowing an attacker to obtain any file on the file system that was also accessible to the process in which the Spring web application was running.
Affected Spring versions:
- Spring Framework 3.0.4 to 3.2.11
- Spring Framework 4.1.0
Other unsupported versions may also be affected.
This vulnerability affects .
Discovered by: Scripting (Spring_Framework_Audit.script).
Attack details
No details are available.

High-severity vulnerability, screenshot 2:
Directory traversal in Spring framework (high)
Vulnerability description
A directory traversal vulnerability was reported in the Spring framework related to static resource handling. Some URLs were not sanitized correctly before use, allowing an attacker to obtain any file on the file system that was also accessible to the process in which the Spring web application was running.
Affected Spring versions:
- Spring Framework 4.1.0
Other unsupported versions may also be affected.
This vulnerability affects /css/login.css.
Discovered by: Scripting (Spring_Framework_Audit.script).
Attack details
No details are available.

High-severity vulnerability, screenshot 3:
Vulnerable Javascript library (high)
Vulnerability description
You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
This vulnerability affects /js/jquery-1.7.2.min.js.
Discovered by: Scripting (Javascript_Libraries_Audit.script).
Attack details
Detected Javascript library jquery version 1.7.2.
The version was detected from filename, file content.

High-severity vulnerability, screenshot 4:
Weak password (high)
Vulnerability description
Manual confirmation is required for this alert.
This page is using a weak password. Acunetix WVS was able to guess the credentials required to access this page. A weak password is short, common, a system default or something that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.
This vulnerability affects /login.
Discovered by: Scripting (Html_Authentication_Audit.script).
Attack details
Username: admin, Password: 111111

Medium-severity vulnerability, screenshot 1:
Apache JServ protocol service (medium)
Vulnerability description
The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. It's not recommended to have AJP services publicly accessible on the internet. If AJP is misconfigured, it could allow an attacker to access internal resources.
This vulnerability affects Server.
Discovered by: Scripting (AJP_Audit.script).
Attack details
The AJP service is running on TCP port 8009.

Medium-severity vulnerability, screenshot 2:
HTML form without CSRF protection (medium)
Vulnerability description
This alert may be a false positive, manual confirmation is required.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Acunetix WVS found a HTML form with no apparent CSRF protection implemented. Consult details for more information about the affected HTML form.
This vulnerability affects /login.
Discovered by: Crawler.
Attack details
Form name:
Form action: http://192.168.0.222:8080/login
Form method: POST
Form inputs:
- username (Text)
- password (Password)

Medium-severity vulnerability, screenshot 3:
HTML form without CSRF protection (medium)
Vulnerability description
This alert may be a false positive, manual confirmation is required.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Acunetix WVS found a HTML form with no apparent CSRF protection implemented. Consult details for more information about the affected HTML form.
This vulnerability affects /skysafe/index.
Discovered by: Crawler.
Attack details
Form name: empty
Form action: http://192.168.0.222:8080/skysafe/index
Form method: POST
Form inputs:
- username (Text)
- password (Password)
- btnLogin (Submit)