Attack Vector Detail Report Atlassian

Attack Vector Detail Report
Report As Of
Tuesday, March 24, 2015
Prepared By
[email protected]
Report Description
The Attack Vector Details report provides details of vulnerability instances (attack vectors)
found on sites selected for Dynamic Analysis. In addition to the location and time the
vulnerability was discovered, the attack vector details include a breakdown of the exact request
and response so that developers can easily address the problem. Note that this report is
available for Sentinel (dynamic testing) only, since it is based on an assessment of the production
or pre-production site.
This report is intended for security team members, development managers and developers.
Sites are assessed using dynamic analysis, and vulnerabilities are rated by their severity levels.
For descriptions of dynamic analysis and severity levels, please see the Appendix.
Report Filtered By
Vulnerability Status
Vulnerability Rating
Urgent, Critical, High, Medium, Low, Informational
Start Date
End Date
Number of Sites
Selected Vulnerability Classes
Brute Force
Insufficient Password Strength
Autocomplete Attribute
Insufficient User Session Invalidation
Insufficient Session Invalidation
Weak Cipher Strength
Invalid HTTP Method Usage
Non-HttpOnly Session Cookie
Insufficient Password Aging
Personally Identifiable Information
Persistent Session Cookie
Unsecured Session Cookie
Insufficient Cookie Access Control
Insufficient Crossdomain
Secured Cachable HTTP Messages
Application Misconfiguration
HTTP Request Smuggling
HTTP Request Splitting
HTTP Response Smuggling
Improper Filesystem Permissions
Improper Input Handling
Insufficient Password Recovery
Insufficient Transport Layer
Integer Overflows
Mail Command Injection
Null Byte Injection
Path Traversal
Remote File Inclusion
Routing Detour
SOAP Array Abuse
Server Misconfiguration
URL Redirector Abuse
XML Attribute Blowup
XML Entity Expansion
XML External Entities
XML Injection
XQuery Injection
Format String Attack
Content Spoofing
Credential/Session Prediction
Session Fixation
Cross Site Scripting
Insufficient Process Validation
Weak Password Recovery
Insufficient Anti-automation
SQL Injection
SSI Injection
Insufficient Authentication
HTTP Response Splitting
Denial of Service
Insufficient Authorization
Directory Traversal
Predictable Resource Location
OS Command Injection
Cross Site Request Forgery
Insufficient Session Expiration
Buffer Overflow
Information Leakage
LDAP Injection
OS Commanding
XPath Injection
Frameable Response
Mixed Content Security
Abuse of Functionality
Improper Output Handling
Insecure Indexing
Directory Indexing
The Index of Content can be found on the last page
Copyright © 2002-2015 WhiteHat Security, Inc. All Rights Reserved
Asset List
This report has been generated for following assets:
No Vulnerabilities
Appendix - Assessment Methodology for Dynamic Analysis
WhiteHat Security combines a proprietary vulnerability scanning engine with human intelligence and analysis from its Threat Research Center to deliver
thorough and accurate assessments of web applications with its Sentinel Service.
WhiteHat Sentinel dynamic scanning services are all based on a continuously evolving top of class scanning engine with manual verification of all
vulnerabilities to ensure quality results. WhiteHat's model allows customers to keep all sites covered at all times with minimal investment of personnel,
while having access to the worlds largest team of web application security experts who keep on top of the latest web security issues, manage security
assessments for customers, and provide support and information. With Premium service the security experts in the Threat Research Center also
perform business logic assessments of sites, which may uncover additional issues which cannot be found through automatic scanning. This combination
provides the highest quality of security assessments in the industry with high scalability and ease of use, to keep customers on top of their risk posture
and help them secure their assets.
WhiteHat Security - Attack Vector Report
Page 4 of 7
Appendix - Vulnerability Level Definitions (by Severity)
Severity is defined as the potential business impact if a specific vulnerability is exploited. The levels of severity are based on the same conditions
factored into the PCI Security Scan report ratings, but the definitions below are clarified for Web application security concerns.
The Severity is scored between 0 and 5:
Severity ratings are defined below:
Attacker can assume remote root or remote administrator roles; exposes entire host to attacker; backend database,
personally identifiable records, credit card data; full read and write access, remote execution of commands; example Weakness
Class: Insufficient Authorization; example Attack Classes: SQL Injection, Directory/Path Traversal
Attacker can assume remote user only, not root or admin; exposes internal IP addresses, source code; partial file-system
access (full read access without full write access); example Weakness Class: Insufficient Authentication; example Attack
Classes: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Abuse of Functionality
Exposes security settings, software distributions and versions, database names; example Weakness Classes: Information
Leakage, Predictable Resource Location; example Attack Class: Content Spoofing
Exposes precise versions of applications; sensitive configuration information may be used to research potential attacks against
General information may be exposed to attackers, such as developer comments
No actual exposure: a failure to comply with best practices for security.
WhiteHat Security - Attack Vector Report
Page 5 of 7
About WhiteHat Security
WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure
compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-aservice, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.
Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security
for our remarkable innovations, executive leadership and our ability to execute in the application security market.
To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle,
please visit our website at
WhiteHat Security - Attack Vector Report
Page 6 of 7
Assessment Methodology for Dynamic Analysis
Appendix - Vulnerability Level Definitions (by Severity)
About WhiteHat Security
WhiteHat Security - Attack Vector Report
Page 7 of 7