List of causes
Cause | Description |
---|---|
hazardousCharactersNotSanitized | Hazardous characters in user input were not sanitized, or were sanitized incorrectly. |
formatStringsVulnerability | User input is used directly as the format string argument of C/C++ printf-family functions such as sprintf. |
hiddenParameterUsed | Parameter values were hardcoded in the HTML as form fields of type 'hidden', which the client can still modify before submitting. |
boundsCheckingOnParamValues | Proper bounds checking was not performed on incoming parameter values. |
incorrectDataType | No validation was done to ensure that user input matches the expected data type. |
inputLengthNotChecked | User input length is not limited, which enables buffer overflows. |
errorMessagesReturned | Exceptions and error messages, which may contain sensitive debugging information, are presented to users. |
debugInfoInHtmlSource | Debugging information was left by the programmer in web pages. |
backDoorLeftBehind | A backdoor or a debugging option was left behind by programmers. |
clientSideValidation | User input validation is done on the client side and may be bypassed. |
usOfClientSideLogic | The web application uses client-side logic to create web pages. |
cookiesCreatedAtClientSide | Cookies are created on the client side. |
javaScriptPassWordMechanism | The web application uses a client-side (JavaScript) password authentication mechanism. |
sqlBuiltByJavaScript | The web application uses client-side logic to create SQL queries. |
dotDotNotSanitized | User input is not checked for the '..' directory traversal sequence. |
weakTokenUsed | A weak (predictable) token-generation algorithm is used by the web application. |
missingPatchesForThirdPartyProds | The latest patches or hotfixes for third-party products were not installed. |
tempFilesLeftBehind | Temporary files were left in the production environment. |
improperFileDirPermissions | Improper permissions/ACLs were set on a file or directory. |
nimdaWormBackdoor | The Nimda worm was found on the system. |
sampleScriptsFound | Default sample scripts or directories were installed on the website. |
insecureThirdPartySoftware | Vulnerable third-party software for which no patch is available is installed on the website. |
directoryBrowsingEnabled | Directory browsing is enabled. |
managementConsoleAccess | Web management console is accessible from the web. |
insecureWebServerConfiguration | The web server or application server is configured in an insecure way. |
frontPageServerUnsecureInstall | FrontPage server extensions were installed with improper security settings. |
insecureWebAppConfiguration | Insecure web application programming or configuration. |
vulnSOAPserializer | The SOAP serializer used by the web services server does not validate SOAP input properly. |
sensitiveDataNotSSL | Sensitive input fields such as usernames, passwords, and credit card numbers are passed unencrypted. |
nonSecureCookiesSentOverSSL | The web application sends cookies without the Secure attribute over SSL, so the browser may also send them over unencrypted HTTP. |
sessionCookieNotRAM | The web application stores sensitive session information in a permanent cookie (on disk). |
redirectionFromWithinSite | The web application performs a redirection to an external site. |
remoteFileInclusion | The web application allows remote file inclusion. |
GETParamOverSSL | Query parameters were passed over SSL and may contain sensitive information; even when encrypted in transit they can end up in server logs, browser history, and Referer headers. |
SensitiveCache | Sensitive information might have been cached by the browser. |
InsufficientAuthentication | An insufficient authentication method was used by the application. |
useOfGlobalFlashParamsInPDNFs | Global Flash parameters are used in potentially dangerous native functions (PDNFs). |
causeNotAvailable | n/a |
vulnActiveX | The ActiveX control used is categorized as vulnerable. The scanned Web site might have been hacked in order to serve malware. |
compromisedDigiNotarSSLCert | The SSL certificate in use has been flagged as compromised due to DigiNotar's security breach. |
paramValManipAllowed | Parameter value manipulation was permitted by the application logic. |
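Several of the causes in the table can be recognized directly from a single request/response pair. The script below is an added example written for this page, not the scanner's own detection logic: it applies simple heuristics for GETParamOverSSL, sensitiveDataNotSSL, dotDotNotSanitized, errorMessagesReturned, directoryBrowsingEnabled, nonSecureCookiesSentOverSSL and sessionCookieNotRAM to constructed sample exchanges and returns the matching cause IDs. The marker strings, the lists of sensitive parameter and session cookie names, and the sample traffic are all assumptions made for the example.

```python
"""Toy detectors for some of the cause IDs listed above.

Added example for this page, not AppScan's own logic. All heuristics,
name lists and sample exchanges below are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive for sensitiveDataNotSSL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "username", "user", "cardnumber", "ssn"}
# Cookie names treated as session identifiers for sessionCookieNotRAM (assumed list).
SESSION_COOKIES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}
# Fragments of stack traces / database errors for errorMessagesReturned (assumed).
ERROR_MARKERS = (
    "Traceback (most recent call last)",
    "at java.",
    "ORA-0",
    "You have an error in your SQL syntax",
    "Server Error in '/' Application",
)
# Fragments of system files that betray a successful '..' traversal (assumed).
TRAVERSAL_MARKERS = ("root:x:0:0:", "[boot loader]")


@dataclass
class Exchange:
    url: str
    body: str = ""
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie header values


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased; valueless flags (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def find_causes(ex):
    """Return the set of cause IDs from the table that this exchange exhibits."""
    causes = set()
    url = urlsplit(ex.url)
    https = url.scheme == "https"
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    names = {k.lower() for k in params}

    if https and params:
        causes.add("GETParamOverSSL")        # query string leaks via logs, history, Referer
    if not https and names & SENSITIVE_PARAMS:
        causes.add("sensitiveDataNotSSL")    # credentials or card data in cleartext
    if any(".." in v for v in params.values()) and any(m in ex.body for m in TRAVERSAL_MARKERS):
        causes.add("dotDotNotSanitized")     # '..' accepted and a system file came back
    if any(m in ex.body for m in ERROR_MARKERS):
        causes.add("errorMessagesReturned")  # debugging detail shown to the user
    if "<title>Index of /" in ex.body or "Directory listing for" in ex.body:
        causes.add("directoryBrowsingEnabled")

    for raw in ex.set_cookies:
        name, _, attrs = parse_set_cookie(raw)
        if https and "secure" not in attrs:
            causes.add("nonSecureCookiesSentOverSSL")  # cookie will also ride over plain HTTP
        if name.lower() in SESSION_COOKIES and ("expires" in attrs or "max-age" in attrs):
            causes.add("sessionCookieNotRAM")          # session token persisted to disk
    return causes


# Constructed sample exchanges (not captured from any real site).
SAMPLES = {
    "login": Exchange(
        url="http://shop.example/login?username=alice&password=s3cret",
        body="<html>Welcome</html>",
        set_cookies=["PHPSESSID=abc123; Path=/; Expires=Wed, 09 Jun 2027 10:18:14 GMT"],
    ),
    "download": Exchange(
        url="https://shop.example/download?file=../../../../etc/passwd",
        body="root:x:0:0:root:/root:/bin/bash\n",
        set_cookies=["JSESSIONID=xyz; Path=/; HttpOnly"],
    ),
    "clean": Exchange(
        url="https://shop.example/",
        body="<html>Hello</html>",
        set_cookies=["JSESSIONID=xyz; Path=/; Secure; HttpOnly"],
    ),
}

if __name__ == "__main__":
    for label, exchange in SAMPLES.items():
        print(label, sorted(find_causes(exchange)))
```

The checks are deliberately response-driven: dotDotNotSanitized is only reported when the traversal payload actually returns file contents, which is the same evidence a scanner needs before it can claim the cause rather than merely the attempt.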