Application Threat Modeling Report

 Scan Name: Webscantest-includeAPIs-reactjs
 Date: 8/24/2016 11:24:23 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 416 / 416
 Target URL: http://webscantest.com

Summary
Attack Points by Site Layer

Crawl Statistics

  Links Discovered   416
  Unique Forms        21

Site Links & Interdependencies

Finding Statistics

  Module                                                   Performed  Variances
  Unrestricted File Upload
  Autocomplete Attribute
  Brute Force HTTP Authentication
  Brute Force Form based Authentication                          152
  Blind SQL Injection                                          4,945         48
  Information Leakage
  SQL Information Leakage
  Email Address
  Forced Browsing                                                310
  Information Disclosure
  HttpOnly attribute
  Cross-Site Request Forgery (CSRF)                              126         50
  Directory Indexing                                              31
  HTTP Response Splitting                                      1,683
  Business Logic Abuse                                            23
  Command Injection                                            6,497
  Parameter Fuzzing                                              926         16
  Profanity
  Reflection analysis                                            420        135
  Remote File Include (RFI)                                    2,012
  Local File Include (LFI)                                       538
  Predictable Resource Location                                4,132
  Reverse Proxy
  Secure and non-secure content mix
  Server Type Disclosure
  Session Fixation                                                38
  Form Session Strength analysis
  Session Strength
  HTTPS to HTTP Downgrade
  Java files checks
  Source Code Disclosure                                          83
  SQL Injection                                                5,357         36
  SQL injection Auth Bypass                                       16
  SSL Strength
  Heartbleed Check
  Unvalidated URL Redirect                                     1,022
  URL rewriting (Session IDs exposed in the URL)
  Web Beacon
  Cross-site tracing (XST)
  Web Service Parameter Fuzzing
  DOM based Cross-site scripting (XSS)
  Reflected Cross-site scripting (XSS)                         2,059        141
  Server Side Include (SSI) Injection                            399
  Hard-Coded Password
  Secure attribute
  Form re-submission                                                         31
  Sensitive Data in URL
  Buffer Overflow                                                365         10
  Integer Overflow                                               168
  Credit Card type
  Credit Card number
  Social Security Number
  Phone Number
  IP Address
  Sensitive data sent over Un Encrypted Channel
  Credentials Over Un Encrypted Channel
  Apache Struts 2 Framework Checks                                31
  Apache Struts Framework Detection
  X-Frame-Options
  X-XSS-Protection
  HTTP Strict Transport Security
  Cleartext Credentials
  Unsecure Data Transmission
  XPath Injection                                              1,258         11
  LDAP Injection                                               1,456
  ASP.NET ViewState security
  ASP.NET Misconfiguration                                        31
  Browser Cache directive (leaking sensitive information)                    31
  Browser Cache directive (web application performance)                      11
  HTTP Authentication Check
  SQL Parameter Check
  X-Powered-By
  Cross Origin Resources Sharing (CORS)                        2,292
  PHP Code Execution                                             137
  Collecting Sensitive Personal Information
  Nginx NULL code vulnerability                                  222
  X-Content-Type-Options
  Privilege Escalation                                           478
  HTTP Verb Tampering                                            118
  Content Type Charset Check                                                153
  Microsoft FrontPage Server Extensions Checks                    16
  Persistent Cross-site scripting (XSS)                           83
  Reverse Clickjacking
  Local Storage Usage
  Clients Cross-Domain Policy Files                               62
  Expression Language Injection                                  680
  XML External Entity
  Subdomain discovery
  Out of Band Cross-site scripting (XSS)                       1,506
  Out of Band Stored Cross-site scripting (XSS)                   12
  Custom Passive Check                                                       10

Resource Maps

http://webscantest.com:80

http://www.webscantest.com:80