List of causes

| Cause | Description |
|---|---|
| hazardousCharactersNotSanitized | Sanitization of hazardous characters was not performed correctly on user input. |
| formatStringsVulnerability | User input is used directly as the format string argument for C/C++'s sprintf and similar functions. |
| hiddenParameterUsed | Parameter values were hardcoded in the HTML as parameters of type 'hidden'. |
| boundsCheckingOnParamValues | Proper bounds checking was not performed on incoming parameter values. |
| incorrectDataType | No validation was done to ensure that user input matches the expected data type. |
| inputLengthNotChecked | User input length is not limited, thereby enabling buffer overflows. |
| errorMessagesReturned | Exceptions and error messages, which may contain sensitive debugging information, are presented to users. |
| debugInfoInHtmlSource | Debugging information was left by the programmer in web pages. |
| backDoorLeftBehind | A backdoor or a debugging option was left behind by programmers. |
| clientSideValidation | User input validation is done on the client side and may be bypassed. |
| usOfClientSideLogic | The web application uses client-side logic to create web pages. |
| cookiesCreatedAtClientSide | Cookies are created on the client side. |
| javaScriptPassWordMechanism | The web application uses client-side password authentication. |
| sqlBuiltByJavaScript | The web application uses client-side logic to create SQL queries. |
| dotDotNotSanitized | User input is not checked for the '..' string. |
| weakTokenUsed | A weak token algorithm is used by the web application. |
| missingPatchesForThirdPartyProds | The latest patches or hotfixes for third-party products were not installed. |
| tempFilesLeftBehind | Temporary files were left in the production environment. |
| improperFileDirPermissions | Improper permissions/ACLs were set on a file or directory. |
| nimdaWormBackdoor | The Nimda worm was found on the system. |
| sampleScriptsFound | Default sample scripts or directories were installed on the website. |
| insecureThirdPartySoftware | Vulnerable third-party software, for which no patch is known, is installed on the website. |
| directoryBrowsingEnabled | Directory browsing is enabled. |
| managementConsoleAccess | The web management console is accessible from the web. |
| insecureWebServerConfiguration | The web server or application server is configured in an insecure way. |
| frontPageServerUnsecureInstall | FrontPage server extensions were installed with improper security settings. |
| insecureWebAppConfiguration | Insecure web application programming or configuration. |
| vulnSOAPserializer | The SOAP serializer used by your web services server does not validate SOAP input properly. |
| sensitiveDataNotSSL | Sensitive input fields such as usernames, passwords, and credit card numbers are passed unencrypted. |
| nonSecureCookiesSentOverSSL | The web application sends non-secure cookies over SSL. |
| sessionCookieNotRAM | The web application stores sensitive session information in a persistent cookie (on disk). |
| redirectionFromWithinSite | The web application performs a redirection to an external site. |
| remoteFileInclusion | The web application allows remote file inclusion. |
| GETParamOverSSL | Query parameters were passed over SSL and may contain sensitive information. |
| SensitiveCache | Sensitive information might have been cached by your browser. |
| InsufficientAuthentication | An insufficient authentication method was used by the application. |
| useOfGlobalFlashParamsInPDNFs | Global Flash parameters are used in potentially dangerous native functions. |
| causeNotAvailable | n/a |
| vulnActiveX | The ActiveX control used is categorized as vulnerable. The scanned website might have been hacked in order to serve malware. |
| compromisedDigiNotarSSLCert | The SSL certificate in use has been flagged as compromised due to DigiNotar's security breach. |
| paramValManipAllowed | Parameter value manipulation was permitted by the application logic. |