GET Web Application Security Evidence: Security Misconfiguration

Ingrid

Web Application Security Findings

https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec

Get security misconfiguration evidence, including:

- CORS Violation
- Directory Listing Exposure
- HTTPS to HTTP Redirects
- Internal Server Error
- Overly Permissive CORS Whitelist
- Reverse Tabnabbing
- TLS Errors on Page Resource Fetch

For details specific to Web Application Security, use the ?risk_vector=web_appsec parameter. Other query parameters are listed in GET: Finding Details.

CORS Violation [assessmentName = cors_violation]

Example Response

{
  "resource": "url",
  "resolutionStatus": "blocked",
  "message": "Access to font at 'url' from origin 'url' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.",
  …
}

Response Attributes

Field | Type | Description
resource | String | A link to the resource as defined in the web application.
resolutionStatus | String | The action the browser took when loading the resource (for example, blocked).
message | String | A summary of the issue, as reported by the browser's CORS check.

Directory Listing Exposure [assessmentName = directory_listing_exposure]

Example Response

{
  "url": "url",
  "server": "Apache 2",
  …
}

Response Attributes

Field | Type | Description
url | String | The location that is exposing a server directory listing.
server | String | The name of the web server software that returned the listing.

HTTPS to HTTP Redirects [assessmentName = https_to_http_redirect]

Example Response

[
  {
    "value": "url",
    "responseChain": [
      {
        "url": "url",
        "statusCode": 301,
        "ip": "ip",
        "port": 80
      },
      […]
    ],
    …
  }
]

Response Attributes

Field | Type | Description
value | String | The redirect chain element that caused the downgrade, i.e. the step at which a request that began over HTTPS was sent to plain HTTP.
responseChain | Array | The ordered chain of responses, starting from the loaded domain and following each redirect.
(element) | Object | One response in the chain.
url | String | The URL requested at this step of the response chain.
statusCode | Integer | The HTTP status code returned at this step (for example, 301 for a permanent redirect).
ip | String | The IP address that served this step.
port | Integer | The port used to connect at this step of the response chain.

Internal Server Error [assessmentName = internal_server_error]

Example Response

{
  "url": "url",
  "message": "Request produced a 500 Internal Server Error response",
  …
}

Response Attributes

Field | Type | Description
url | String | The location where an internal server error was generated.
message | String | A summary of the issue.

Overly Permissive CORS Whitelist [assessmentName = permissive_cors_whitelist]

Example Response

{
  "name": "Access-Control-Allow-Origin",
  "value": "*",
  "resourceUrl": "http://example.com/",
  …
}

Response Attributes

Field | Type | Description
name | String | The name of the HTTP response header (Access-Control-Allow-Origin).
value | String | The value of the HTTP header. A wildcard (*) allows any origin to read the response.
resourceUrl | String | The URL of the resource whose response carried the overly permissive CORS header.

Reverse Tabnabbing [assessmentName = reverse_tabnabbing]

Example Response

{
  "resource": "url",
  "attributes": "rel=\"noopener\" href=\"url\" class=\"m-last-foc m-last-foc-main\" target=\"_blank\"",
  …
}

Response Attributes

Field | Type | Description
resource | String | The resource the link opens.
attributes | String | The HTML attributes of the anchor element that opens the resource (rel, href, target and so on).

TLS Errors on Page Resource Fetch [assessmentName = tls_error]

Example Response

{
  "certificate": "MIIEPDCCAySgAwIBAg...+oghLrGREt",
  "message": "This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).",
  …
}

Response Attributes

Field | Type | Description
certificate | String | The certificate presented for the resource, as a Base64-encoded string.
message | String | A summary of the issue, including the browser's error code (in the example, Chromium's net::ERR_CERT_COMMON_NAME_INVALID, meaning the certificate does not match the requested host name).
hash | String | The failure reason when validating the integrity (Subresource Integrity) attribute that is present in the HTML element.

Revision history

May 15, 2024: Added resource to Overly Permissive CORS Whitelist response.
December 12, 2023: Included general finding details; Added table of contents.
August 11, 2023: Published.
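The evidence objects above are only useful once something consumes them, so here is an added example (not BitSight's own code) that triages three of the shapes documented on this page: it walks a https_to_http_redirect responseChain to locate the step where the scheme dropped to plain HTTP, classifies a permissive_cors_whitelist Access-Control-Allow-Origin value, and parses a reverse_tabnabbing attributes string to decide whether the link opens a new tab without rel=noopener or rel=noreferrer. The sample findings are constructed for the example; the outer "assessmentName"/"evidence" wrapping is an assumption (the real endpoint requires an API token and returns a larger envelope), but the inner evidence fields follow the tables above.

```python
"""Triage helpers for BitSight web_appsec security-misconfiguration evidence.

Added example, not BitSight's own code. Only the evidence objects follow the
documented response formats; SAMPLE_FINDINGS and its wrapping are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample. The "assessmentName"/"evidence" wrapping is an assumption
# made for this example; the evidence fields mirror the tables on the page.
SAMPLE_FINDINGS = [
    {
        "assessmentName": "https_to_http_redirect",
        "evidence": {
            "value": "https://www.example.com/",
            "responseChain": [
                {"url": "https://www.example.com/", "statusCode": 301, "ip": "192.0.2.10", "port": 443},
                {"url": "http://www.example.com/", "statusCode": 301, "ip": "192.0.2.10", "port": 80},
                {"url": "https://www.example.com/home", "statusCode": 200, "ip": "192.0.2.10", "port": 443},
            ],
        },
    },
    {
        "assessmentName": "permissive_cors_whitelist",
        "evidence": {"name": "Access-Control-Allow-Origin", "value": "*", "resourceUrl": "http://example.com/"},
    },
    {
        "assessmentName": "reverse_tabnabbing",
        "evidence": {
            "resource": "https://partner.example.net/",
            "attributes": 'href="https://partner.example.net/" target="_blank"',
        },
    },
]


def find_downgrade(response_chain):
    """Return the URL of the first https step whose redirect lands on an http step, or None."""
    for step, nxt in zip(response_chain, response_chain[1:]):
        if urlsplit(step["url"]).scheme == "https" and urlsplit(nxt["url"]).scheme == "http":
            return step["url"]
    return None


def classify_cors(name, value):
    """Classify an Access-Control-Allow-Origin value; '*' and 'null' are the risky cases."""
    if name.lower() != "access-control-allow-origin":
        return "not-cors-origin-header"
    value = value.strip()
    if value == "*":
        return "wildcard-any-origin"
    if value.lower() == "null":
        return "null-origin"  # sandboxed iframes and data: URLs send Origin: null
    return "allowlisted-origin"


# Matches name="value" pairs in the serialized anchor attributes string.
_ATTR_RE = re.compile(r'([A-Za-z_:][-\w:.]*)="([^"]*)"')


def parse_attributes(attributes):
    """Turn the attributes string of reverse_tabnabbing evidence into a dict."""
    return {k.lower(): v for k, v in _ATTR_RE.findall(attributes)}


def tabnabbing_risk(attributes):
    """True if the link opens a new browsing context without rel=noopener/noreferrer."""
    attrs = parse_attributes(attributes)
    if attrs.get("target", "").lower() != "_blank":
        return False
    rel = set(attrs.get("rel", "").lower().split())
    return not (rel & {"noopener", "noreferrer"})


def triage(findings):
    """Map each finding to an (assessmentName, verdict) pair using the helpers above."""
    out = []
    for finding in findings:
        name, ev = finding["assessmentName"], finding["evidence"]
        if name == "https_to_http_redirect":
            verdict = find_downgrade(ev["responseChain"]) or "no-downgrade-in-chain"
        elif name == "permissive_cors_whitelist":
            verdict = classify_cors(ev["name"], ev["value"])
        elif name == "reverse_tabnabbing":
            verdict = "missing-noopener" if tabnabbing_risk(ev["attributes"]) else "noopener-present"
        else:
            verdict = "unhandled"
        out.append((name, verdict))
    return out


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FINDINGS):
        print(f"{name:28} {verdict}")
```

Run against the page's own reverse tabnabbing example (rel="noopener" ... target="_blank"), tabnabbing_risk returns False, which is the check to apply before treating such a finding as actionable; the redirect helper reports the https URL immediately before the first http step, which is the element the value field identifies.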
Related articles

- GET Web Application Security Evidence: Sensitive Data Exposure
- GET Web Application Security Evidence: Broken Authentication and Access Control
- Web Application Header Finding Considerations
- Web Application Header Finding Grades
- TLS/SSL Finding Remediation & Remediation Verification