Web Application Security Findings
https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
Get evidence for broken authentication and access control findings, including:
- Authentication on Insecure Channel
- CMS Administration Portal Exposed
- Cross-Site Request Forgery (CSRF) Mitigations Present
For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.
Authentication on Insecure Channel
assessmentName = authentication_on_insecure_channel
Example Response

```json
{
  "name": "input",
  "message": "Password input field present in a form on a non-HTTPS page",
  "details": "size=\"5\" name=\"password\" style=\"width:100px\" type=\"password\"",
  "authCategory": "password_on_insecure_channel"
}
```
Response Attributes

Field | Type | Description
---|---|---
name | String | The name of the HTML element that represents an authentication mechanism.
message | String | A summary of the issue.
details | String | Additional details of the identified HTML element.
authCategory | String | The issue category.
resource | String | The application that sent the WWW-Authenticate header.
CMS Administration Portal Exposed
assessmentName = exposed_csm_admin_page
Example Response

```json
{
  "cms": "Wordpress",
  "location": "url"
}
```
Response Attributes

Field | Type | Description
---|---|---
cms | String | The content management system (CMS) that was identified.
location | String | The login page URL.
Cross-Site Request Forgery (CSRF) Mitigations Present
assessmentName = cross_site_request_forgery
Example Response

```json
{
  "documentUrl": "url",
  "name": "input types",
  "value": "string",
  "path": "/html/body#top/header/div/form#quicksearch",
  "message": "Page contains a form that does not include a hidden attribute with a value of 20 characters or more"
}
```
Response Attributes

Field | Type | Description
---|---|---
documentUrl | String | The URL of the page containing the token.
name | String | The token name.
value | String | The token value.
path | String | The HTML element path.
message | String | A summary of the issue.
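The Authentication on Insecure Channel and CSRF Mitigations Present messages above describe two page-level heuristics: a password input in a form served over a non-HTTPS URL, and a form with no hidden input whose value is at least 20 characters. The following added example (not BitSight's code) re-implements both checks over a page's HTML so a team can pre-check its own login and search forms before the findings appear in the rating; the output keys mirror the documented evidence fields, while the `form` key and the exact detection logic are assumptions, since the page does not describe how the evidence is collected.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []       # completed forms, in document order
        self._current = None  # form being parsed, None outside any form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id"), "types": set(), "max_hidden": 0}
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            self._current["types"].add(itype)
            if itype == "hidden":  # track the longest hidden value in this form
                self._current["max_hidden"] = max(
                    self._current["max_hidden"], len(a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def scan_page(document_url, html):
    """Return evidence-style dicts for both heuristics on a single page."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    insecure = urlsplit(document_url).scheme.lower() != "https"
    findings = []
    for form in scanner.forms:
        if insecure and "password" in form["types"]:
            findings.append({
                "assessmentName": "authentication_on_insecure_channel",
                "authCategory": "password_on_insecure_channel", "form": form["id"],
                "message": "Password input field present in a form on a non-HTTPS page"})
        if form["max_hidden"] < 20:  # threshold from the documented CSRF message
            findings.append({
                "assessmentName": "cross_site_request_forgery", "form": form["id"],
                "documentUrl": document_url, "message": "Page contains a form that "
                "does not include a hidden attribute with a value of 20 characters or more"})
    return findings


# Constructed sample: HTTP login form without a token, search form with a 32-char token.
SAMPLE_HTML = """<form id="login" method="post"><input name="user">
<input type="password" name="password"></form><form id="quicksearch"><input name="q">
<input type="hidden" name="csrf" value="0123456789abcdef0123456789abcdef"></form>"""
```

Running `scan_page("http://example.test/login", SAMPLE_HTML)` reports both issues for the login form and nothing for the quicksearch form; serving the same page over https clears the first issue but not the missing token.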
- May 15, 2024: Added message field to Cross-Site Request Forgery (CSRF) Mitigations Present.
- December 12, 2023: Included general finding details; added table of contents.
- August 11, 2023: Published.