Vooki

SUMMARY OF FINDINGS (Scanned Node: localhost)

Risk	Count
High	34
Medium	193
Low	4
Warning	1
Information	28
Total	260

No	Vulnerability Name	Risk	Severity	Cvss score	Occurrences
1	Insecure communication	High	High	8.1	27
2	Directory traversal	High	High	7.5	2
3	Sql injection - MySQL	High	High	7.4	2
4	Cross site scripting - reflected	High	High	7.1	1
5	Direct dynamic code execution - eval injection	High	High	7.1	2
6	Sensitive information exposure through query strings in the URL	Medium	Medium	6.4	1
7	Verb tampering	Medium	Medium	6.4	30
8	Weak password policy	Medium	Medium	5.6	2
9	Missing security headers - X-Content-Type-Options	Medium	Medium	5.0	30
10	Missing security headers - X-Frame-Options	Medium	Medium	5.0	30
11	Sensitive information disclosure in response headers - server	Medium	Medium	5.0	31
12	Sensitive information disclosure in response headers - x-powered-by	Medium	Medium	5.0	30
13	Missing Content Security Policy in response header	Medium	Medium	5.0	29
14	Technical information exposure on the webpage	Low	Low	3.1	4
15	Autocomplete on password fields	Medium	Medium	4.3	7
16	Autocomplete on sensitive fields	Medium	Medium	4.3	3
17	Cross-Domain javaScript source file inclusion	Warning	Warning		1
18	Missing security headers - X-XSS-Protection	Information	Information		28

Payloads and Evidence are highlighted in the red color.

Findings: 1 Insecure communication

Risk	High
Severity	High
CVSS Score	8.1
Occurrences	27
Details	Vooki detected insecure communication vulnerability. Insecure communications are when a client and server communicate over a non-secure (unencrypted) channel. Without encrypting the channel, the developer can’t guarantee the integrity of the data.
Remediation	Make sure all client-to-server connections are encrypted with SSL.

URL:
Occurrences in this URL:	1

Request	Response
Method: GET Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Referer: http://localhost/dvwa/login.php Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/index.php Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/index.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/security.php Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/brute/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: POST Cache-Control: max-age=0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/exec/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

ip=1.1.1.1&Submit=Submit

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/exec/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/csrf/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/upload/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/captcha/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/sqli/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: POST Cache-Control: max-age=0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/weak_id/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/weak_id/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/xss_d/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/xss_r/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1 Accept-Language: en-US,en;q=0.9 Connection: keep-alive	status code: 200

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

include=1

status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

token=8b479aefbd90795395b3e7089ae0dc09&phrase=ChangeMe&send=Submit

status code: 200

Findings: 2 Directory traversal

Risk	High
Severity	High
CVSS Score	7.5
Occurrences	2
Details	Vooki detected the directory traversal in the application. A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating the URL path with 'dot-dot-slash (../)' sequences and its variations by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.
Remediation	Disable directory traversal.

URL:
Occurrences in this URL:	1

Request	Response
Method: GET	date: Fri, 16 Jul 2021 05:52:36 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 content-length: 1632 keep-alive: timeout=5, max=92 connection: Keep-Alive content-type: text/html;charset=UTF-8 status code: 200

URL:
Occurrences in this URL:	1

Request	Response
Method: GET	date: Fri, 16 Jul 2021 05:52:36 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 content-length: 1615 keep-alive: timeout=5, max=92 connection: Keep-Alive content-type: text/html;charset=UTF-8 status code: 200

Findings: 3 Sql injection - MySQL

Risk	High
Severity	High
CVSS Score	7.4
Occurrences	2
Details	Vooki identified SQL Injection vulnerability. A SQL injection attack consists of the insertion or injection of a SQL query via the client's input data to the application. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands. A successful SQL injection can Read sensitive data from the database. Modify database data (Insert/Update/Delete). Execute administration operations on the database (such as shutdown the DBMS). Recover the content of a given file present on the DBMS file system. In some cases, issue commands to the operating system.
Remediation	SQL Injection flaws are introduced when software developers create dynamic database queries that include user-supplied input. Techniques for preventing SQL Injection vulnerabilities are: Use of prepared statements (with Parameterized Queries) Use of stored procedures (only in java) Whitelist input validation. Escape all user-supplied inputs.

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:43 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-length: 192
keep-alive: timeout=5, max=50
connection: Keep-Alive
content-type: text/html; charset=UTF-8
status code: 200

<pre>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5f4dcc3b5aa765d61d8327deb882cf99'' at line 1</pre>

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:58 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-length: 162
keep-alive: timeout=5, max=1
connection: Keep-Alive
content-type: text/html; charset=UTF-8
status code: 200

<pre>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1</pre>

Findings: 4 Cross site scripting - reflected

Risk	High
Severity	High
CVSS Score	7.1
Occurrences	1
Details	Vooki identified a cross-site scripting - reflected vulnerability. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere. A web application uses input from a user within the output it generates without validating or encoding it.
Remediation	Sanitize all the user inputs before executing them. Your application code should never output data received as input directly to the browser, check it for malicious code. URL encode before inserting untrusted data into HTML URL parameter values. JavaScript encode before inserting untrusted data into JavaScript data values. Add XSS protection headers on server & client-side. CSS encode and strictly validate before inserting untrusted data into HTML style property values.

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:06 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4238
keep-alive: timeout=5, max=60
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Vulnerability: Reflected Cross Site Scripting (XSS) :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="../../favicon.ico" /> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class="selected"><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Reflected Cross Site Scripting (XSS)</h1> <div class="vulnerable_code_area"> <form name="XSS" action="#" method="GET"> <p> What's your name? <input type="text" name="name"> <input type="submit" value="Submit"> </p> </form> <pre>Hello <script>alert(123)</script></pre> </div> <h2>More Information</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/xss/" target="_blank">https://owasp.org/www-community/attacks/xss/</a></li> <li><a href="https://owasp.org/www-community/xss-filter-evasion-cheatsheet" target="_blank">https://owasp.org/www-community/xss-filter-evasion-cheatsheet</a></li> <li><a href="https://en.wikipedia.org/wiki/Cross-site_scripting" target="_blank">https://en.wikipedia.org/wiki/Cross-site_scripting</a></li> <li><a href="http://www.cgisecurity.com/xss-faq.html" target="_blank">http://www.cgisecurity.com/xss-faq.html</a></li> <li><a href="http://www.scriptalert1.com/" target="_blank">http://www.scriptalert1.com/</a></li> </ul> </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=xss_r&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=xss_r&security=low' )"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

Findings: 5 Direct dynamic code execution - eval injection

Risk	High
Severity	High
CVSS Score	7.1
Occurrences	2
Details	Vooki detected the direct dynamic code execution - eval injection vulnerability. The eval() function evaluates JavaScript code represented as a string. If unvalidated input passed through this eval() function, the eval function would execute it.
Remediation	It is recommended to avoid the use of eval() function or validate the user input before passing into eval() function.

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:40 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 5269
keep-alive: timeout=5, max=68
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>DVWA Security :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="favicon.ico" /> <script type="text/javascript" src="dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href=".">Home</a></li> <li class=""><a href="instructions.php">Instructions</a></li> <li class=""><a href="setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class="selected"><a href="security.php">DVWA Security</a></li> <li class=""><a href="phpinfo.php">PHP Info</a></li> <li class=""><a href="about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>DVWA Security <img src="dvwa/images/lock.png" /></h1> <br /> <h2>Security Level</h2> <form action="#" method="POST"> <p>Security level is currently: <em>low</em>.<p> <p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p> <ol> <li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li> <li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li> <li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li> <li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br /> Prior to DVWA v1.9, this level was known as 'high'.</li> </ol> <select name="security"> <option value="low" selected="selected">Low</option><option value="medium">Medium</option><option value="high">High</option><option value="impossible">Impossible</option> </select> <input type="submit" value="Submit" name="seclev_submit"> <input type='hidden' name='user_token' value='771cd692079acb28ef6485f28c742485' /> </form> <br /> <hr /> <br /> <h2>PHPIDS</h2> <p><a href="https://github.com/PHPIDS/PHPIDS" target="_blank">PHPIDS</a> v0.6 (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p> <p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p> <p>You can enable PHPIDS across this site for the duration of your session.</p> <p>PHPIDS is currently: <em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]</p> [<a href="?test=%22><script>eval(<xmp style= 'white-space:pre-wrap;'>window.name)</script>">Simulate attack</a>] - [<a href="ids_log.php">View IDS log</a>] </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='/dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:41 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 5269
keep-alive: timeout=5, max=79
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>DVWA Security :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="favicon.ico" /> <script type="text/javascript" src="dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href=".">Home</a></li> <li class=""><a href="instructions.php">Instructions</a></li> <li class=""><a href="setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class="selected"><a href="security.php">DVWA Security</a></li> <li class=""><a href="phpinfo.php">PHP Info</a></li> <li class=""><a href="about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>DVWA Security <img src="dvwa/images/lock.png" /></h1> <br /> <h2>Security Level</h2> <form action="#" method="POST"> <p>Security level is currently: <em>low</em>.<p> <p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p> <ol> <li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li> <li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li> <li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li> <li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br /> Prior to DVWA v1.9, this level was known as 'high'.</li> </ol> <select name="security"> <option value="low" selected="selected">Low</option><option value="medium">Medium</option><option value="high">High</option><option value="impossible">Impossible</option> </select> <input type="submit" value="Submit" name="seclev_submit"> <input type='hidden' name='user_token' value='2eee9046cdbc019785bb1d9f620890aa' /> </form> <br /> <hr /> <br /> <h2>PHPIDS</h2> <p><a href="https://github.com/PHPIDS/PHPIDS" target="_blank">PHPIDS</a> v0.6 (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p> <p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p> <p>You can enable PHPIDS across this site for the duration of your session.</p> <p>PHPIDS is currently: <em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]</p> [<a href="?test=%22><script>eval(<xmp style= 'white-space:pre-wrap;'>window.name)</script>">Simulate attack</a>] - [<a href="ids_log.php">View IDS log</a>] </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='/dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

Findings: 6 Sensitive information exposure through query strings in the URL

Risk	Medium
Severity	Medium
CVSS Score	6.4
Occurrences	1
Details	Vooki detected sensitive information exposure through query strings in the URL. The web application utilizes the HTTP GET method to process a request and sends sensitive information in the request string's query string. The query string passed as part of the URL can be saved in the browser's history and passed through refers to other websites. If the query string contains sensitive information such as session identifiers, attackers can obtain and use it to launch further attacks.
Remediation	It is not recommended to send sensitive information in the URL. It would be best to deliver sensitive information over HTTPS and use the request method as POST, PUT, and PATCH.

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Findings: 7 Verb tampering

Risk	Medium
Severity	Medium
CVSS Score	6.4
Occurrences	30
Details	Vooki detected verb tampering vulnerability. The HTTP includes many request methods other than the standard GET, POST, PUT and PATCH requests. A web server may respond to these alternative methods and return some data. Sometimes it may reveal some fruitful information to the attacker.
Remediation	Apply a whitelist of permitted HTTP Methods e.g. GET, POST, PUT. Reject all requests not matching the whitelisted HTTP Methods with HTTP response code 405 Method not allowed.

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:32 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=94
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:34 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=93
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/login.php HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:38 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 1415
keep-alive: timeout=5, max=83
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/login.css" /> </head> <body> <div id="wrapper"> <div id="header"> <br /> <p><img src="dvwa/images/login_logo.png" /></p> <br /> </div>  <div id="content"> <form action="login.php" method="post"> <fieldset> <label for="user">Username</label> <input type="text" class="loginInput" size="20" name="username"><br /> <label for="pass">Password</label> <input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"><br /> <br /> <p class="submit"><input type="submit" value="Login" name="Login"></p> </fieldset> <input type='hidden' name='user_token' value='a4d811183bac86ca241d824ca649d685' /> </form> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />  </div >  <div id="footer"> <p><a href="https://github.com/digininja/DVWA/" target="_blank">Damn Vulnerable Web Application (DVWA)</a></p> </div>  </div>  </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:39 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=74
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/index.php HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/login.php Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/index.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:40 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=74
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/security.php HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/index.php Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:41 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 5269
keep-alive: timeout=5, max=66
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>DVWA Security :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="favicon.ico" /> <script type="text/javascript" src="dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href=".">Home</a></li> <li class=""><a href="instructions.php">Instructions</a></li> <li class=""><a href="setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class="selected"><a href="security.php">DVWA Security</a></li> <li class=""><a href="phpinfo.php">PHP Info</a></li> <li class=""><a href="about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>DVWA Security <img src="dvwa/images/lock.png" /></h1> <br /> <h2>Security Level</h2> <form action="#" method="POST"> <p>Security level is currently: <em>low</em>.<p> <p>You can set the security level to low, medium, high or impossible. The security level changes the vulnerability level of DVWA:</p> <ol> <li> Low - This security level is completely vulnerable and <em>has no security measures at all</em>. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.</li> <li> Medium - This setting is mainly to give an example to the user of <em>bad security practices</em>, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.</li> <li> High - This option is an extension to the medium difficulty, with a mixture of <em>harder or alternative bad practices</em> to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.</li> <li> Impossible - This level should be <em>secure against all vulnerabilities</em>. It is used to compare the vulnerable source code to the secure source code.<br /> Prior to DVWA v1.9, this level was known as 'high'.</li> </ol> <select name="security"> <option value="low" selected="selected">Low</option><option value="medium">Medium</option><option value="high">High</option><option value="impossible">Impossible</option> </select> <input type="submit" value="Submit" name="seclev_submit"> <input type='hidden' name='user_token' value='eddfa88ebdf03dd27c5aa182dc7ee72e' /> </form> <br /> <hr /> <br /> <h2>PHPIDS</h2> <p><a href="https://github.com/PHPIDS/PHPIDS" target="_blank">PHPIDS</a> v0.6 (PHP-Intrusion Detection System) is a security layer for PHP based web applications.</p> <p>PHPIDS works by filtering any user supplied input against a blacklist of potentially malicious code. It is used in DVWA to serve as a live example of how Web Application Firewalls (WAFs) can help improve security and in some cases how WAFs can be circumvented.</p> <p>You can enable PHPIDS across this site for the duration of your session.</p> <p>PHPIDS is currently: <em>disabled</em>. [<a href="?phpids=on">Enable PHPIDS</a>]</p> [<a href="?test=%22><script>eval(window.name)</script>">Simulate attack</a>] - [<a href="ids_log.php">View IDS log</a>] </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='/dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:42 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=61
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/brute HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/security.php Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:43 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=47
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/brute/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:44 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=43
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/exec HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:51 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=74
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Vulnerability: Command Injection :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="../../favicon.ico" /> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class="selected"><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Command Injection</h1> <div class="vulnerable_code_area"> <h2>Ping a device</h2> <form name="ping" action="#" method="post"> <p> Enter an IP address: <input type="text" name="ip" size="30"> <input type="submit" name="Submit" value="Submit"> </p> </form> </div> <h2>More Information</h2> <ul> <li><a href="https://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution" target="_blank">https://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution</a></li> <li><a href="http://www.ss64.com/bash/" target="_blank">http://www.ss64.com/bash/</a></li> <li><a href="http://www.ss64.com/nt/" target="_blank">http://www.ss64.com/nt/</a></li> <li><a href="https://owasp.org/www-community/attacks/Command_Injection" target="_blank">https://owasp.org/www-community/attacks/Command_Injection</a></li> </ul> </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=exec&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=exec&security=low' )"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:53 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=28
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/csrf HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/exec/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:53 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=58
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/csrf/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:55 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=53
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/fi/?page=file1.php HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:55 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=90
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/upload HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=43
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/captcha HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/upload/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:57 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=40
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/sqli HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/captcha/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:58 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=3
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/sqli/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:59 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=82
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/sqli_blind HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:01 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=85
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=73
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/weak_id HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit Accept-Encoding: gzip, deflate, br Cookie: dvwaSession=1; security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:04 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=1
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/xss_d HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/weak_id/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:05 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=22
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/xss_d/?default=English HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/xss_d/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:06 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=63
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/xss_r HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:07 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=78
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/xss_r/?name=1 HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/xss_r/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:07 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=62
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/xss_s HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1 Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=74
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/csp HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/xss_s/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:11 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-security-policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;
content-length: 4109
keep-alive: timeout=5, max=43
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Vulnerability: Content Security Policy (CSP) Bypass :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="../../favicon.ico" /> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class="selected"><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Content Security Policy (CSP) Bypass</h1> <div class="vulnerable_code_area"> <form name="csp" method="POST"> <p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p> <input size="50" type="text" name="include" value="" id="include" /> <input type="submit" value="Include" /> </form> </div> <h2>More Information</h2> <ul> <li><a href="https://content-security-policy.com/" target="_blank">Content Security Policy Reference</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP" target="_blank">Mozilla Developer Network - CSP: script-src</a></li> <li><a href="https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/" target="_blank">Mozilla Security Blog - CSP for the web we have</a></li> </ul> <p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p> </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=csp&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=csp&security=low' )"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request	Response
Method: TRACE sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Dest: script Referer: http://localhost/dvwa/vulnerabilities/csp/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	date: Fri, 16 Jul 2021 05:53:11 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 keep-alive: timeout=5, max=61 connection: Keep-Alive transfer-encoding: chunked content-type: message/http status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: TRACE
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:12 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
keep-alive: timeout=5, max=95
connection: Keep-Alive
transfer-encoding: chunked
content-type: message/http
status code: 200

TRACE /dvwa/vulnerabilities/javascript HTTP/1.1 Host: localhost Connection: keep-alive Content-Length: 0 sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Language: en-US,en;q=0.9 Sec-Fetch-Mode: no-cors Referer: http://localhost/dvwa/vulnerabilities/csp/ Accept-Encoding: gzip, deflate, br Cookie: security=low; PHPSESSID=rscru98uh549cs7d97khsele52

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:13 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=73
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Vulnerability: JavaScript Attacks :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="../../favicon.ico" /> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class="selected"><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: JavaScript Attacks</h1> <div class="vulnerable_code_area"> <p> Submit the word "success" to win. </p> <form name="low_js" method="post"> <input type="hidden" name="token" value="" id="token" /> <label for="phrase">Phrase</label> <input type="text" name="phrase" value="ChangeMe" id="phrase" /> <input type="submit" id="send" name="send" value="Submit" /> </form><script> /* MD5 code from here https://github.com/blueimp/JavaScript-MD5 */ !function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<<t|n>>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<<r%32,n[14+(r+64>>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e<n.length;e+=16)i=l,a=g,d=v,h=m,g=f(g=f(g=f(g=f(g=c(g=c(g=c(g=c(g=u(g=u(g=u(g=u(g=o(g=o(g=o(g=o(g,v=o(v,m=o(m,l=o(l,g,v,m,n[e],7,-680876936),g,v,n[e+1],12,-389564586),l,g,n[e+2],17,606105819),m,l,n[e+3],22,-1044525330),v=o(v,m=o(m,l=o(l,g,v,m,n[e+4],7,-176418897),g,v,n[e+5],12,1200080426),l,g,n[e+6],17,-1473231341),m,l,n[e+7],22,-45705983),v=o(v,m=o(m,l=o(l,g,v,m,n[e+8],7,1770035416),g,v,n[e+9],12,-1958414417),l,g,n[e+10],17,-42063),m,l,n[e+11],22,-1990404162),v=o(v,m=o(m,l=o(l,g,v,m,n[e+12],7,1804603682),g,v,n[e+13],12,-40341101),l,g,n[e+14],17,-1502002290),m,l,n[e+15],22,1236535329),v=u(v,m=u(m,l=u(l,g,v,m,n[e+1],5,-165796510),g,v,n[e+6],9,-1069501632),l,g,n[e+11],14,643717713),m,l,n[e],20,-373897302),v=u(v,m=u(m,l=u(l,g,v,m,n[e+5],5,-701558691),g,v,n[e+10],9,38016083),l,g,n[e+15],14,-660478335),m,l,n[e+4],20,-405537848),v=u(v,m=u(m,l=u(l,g,v,m,n[e+9],5,568446438),g,v,n[e+14],9,-1019803690),l,g,n[e+3],14,-187363961),m,l,n[e+8],20,1163531501),v=u(v,m=u(m,l=u(l,g,v,m,n[e+13],5,-1444681467),g,v,n[e+2],9,-51403784),l,g,n[e+7],14,1735328473),m,l,n[e+12],20,-1926607734),v=c(v,m=c(m,l=c(l,g,v,m,n[e+5],4,-378558),g,v,n[e+8],11,-2022574463),l,g,n[e+11],16,1839030562),m,l,n[e+14],23,-35309556),v=c(v,m=c(m,l=c(l,g,v,m,n[e+1],4,-1530992060),g,v,n[e+4],11,1272893353),l,g,n[e+7],16,-155497632),m,l,n[e+10],23,-1094730640),v=c(v,m=c(m,l=c(l,g,v,m,n[e+13],4,681279174),g,v,n[e],11,-358537222),l,g,n[e+3],16,-722521979),m,l,n[e+6],23,76029189),v=c(v,m=c(m,l=c(l,g,v,m,n[e+9],4,-640364487),g,v,n[e+12],11,-421815835),l,g,n[e+15],16,530742520),m,l,n[e+2],23,-995338651),v=f(v,m=f(m,l=f(l,g,v,m,n[e],6,-198630844),g,v,n[e+7],10,1126891415),l,g,n[e+14],15,-1416354905),m,l,n[e+5],21,-57434055),v=f(v,m=f(m,l=f(l,g,v,m,n[e+12],6,1700485571),g,v,n[e+3],10,-1894986606),l,g,n[e+10],15,-1051523),m,l,n[e+1],21,-2054922799),v=f(v,m=f(m,l=f(l,g,v,m,n[e+8],6,1873313359),g,v,n[e+15],10,-30611744),l,g,n[e+6],15,-1560198380),m,l,n[e+13],21,1309151649),v=f(v,m=f(m,l=f(l,g,v,m,n[e+4],6,-145523070),g,v,n[e+11],10,-1120210379),l,g,n[e+2],15,718787259),m,l,n[e+9],21,-343485551),l=t(l,i),g=t(g,a),v=t(v,d),m=t(m,h);return[l,g,v,m]}function a(n){var t,r="",e=32*n.length;for(t=0;t<e;t+=8)r+=String.fromCharCode(n[t>>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t<r.length;t+=1)r[t]=0;var e=8*n.length;for(t=0;t<e;t+=8)r[t>>5]|=(255&n.charCodeAt(t/8))<<t%32;return r}function h(n){return a(i(d(n),8*n.length))}function l(n,t){var r,e,o=d(n),u=[],c=[];for(u[15]=c[15]=void 0,o.length>16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r<n.length;r+=1)t=n.charCodeAt(r),e+="0123456789abcdef".charAt(t>>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this); function rot13(inp) { return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}); } function generate_token() { var phrase = document.getElementById("phrase").value; document.getElementById("token").value = md5(rot13(phrase)); } generate_token(); </script> </div> <h2>More Information</h2> <ul> <li><a href="https://www.w3schools.com/js/" target="_blank">https://www.w3schools.com/js/</a></li> <li><a href="https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL" target="_blank">https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL</a></li> <li><a href="https://ponyfoo.com/articles/es6-proxies-in-depth" target="_blank">https://ponyfoo.com/articles/es6-proxies-in-depth</a></li> </ul> <p><i>Module developed by <a href='https://twitter.com/digininja'>Digininja</a>.</i></p> </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=javascript&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=javascript&security=low' )"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

Findings: 8 Weak password policy

Risk	Medium
Severity	Medium
CVSS Score	5.6
Occurrences	2
Details	Vooki detected the weak password policy in the application. A weak password policy leaves the application open to the dictionary and brute force attack against the user account. The attacker can take over the user account if he guesses or determines a weak password.
Remediation	Implement a strong password policy that includes the following: One or more uppercase characters One or more numerical digits One or more special characters Minimum length of 8 characters Disallow any part of the username Disallow dictionary words Disallow any character more than three times in succession Disallow previously used passwords

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Login=Login&password=password&user_token=58886de2389d508ae203eccbab9090b7&username=admin

cache-control: no-store, no-cache, must-revalidate
connection: Keep-Alive
content-length: 0
content-type: text/html; charset=UTF-8
date: Fri, 16 Jul 2021 05:48:49 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
keep-alive: timeout=5, max=100
location: index.php
pragma: no-cache
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
Cache-Control: no-cache
status code: 302

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Findings: 9 Missing security headers - X-Content-Type-Options

Risk	Medium
Severity	Medium
CVSS Score	5.0
Occurrences	30
Details	Vooki detected that 'X-Content-Type-Options' security header is missing. There are some HTTP response headers that your application can use to increase security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The 'X-Content-Type-Options' response HTTP header indicates the browser that the MIME types in the Content-Type headers should not be changed and be followed. Example: X-Content-Type-Options: nosniff If 'X-Content-Type-Options: nosniff' is specified in the response header, the browser checks the content type and blocks the request if the content type is mismatched.
Remediation	It's recommended to implement the x-content-type-options security header. Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:32 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 6340
keep-alive: timeout=5, max=91
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:36 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 1415
keep-alive: timeout=5, max=93
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:39 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 6340
keep-alive: timeout=5, max=72
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:42 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4185
keep-alive: timeout=5, max=94
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:43 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4280
keep-alive: timeout=5, max=48
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:45 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=39
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:52 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=25
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:53 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4462
keep-alive: timeout=5, max=62
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:54 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4155
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:55 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4063
keep-alive: timeout=5, max=93
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4003
keep-alive: timeout=5, max=18
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=14
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:57 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4207
keep-alive: timeout=5, max=38
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:59 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4266
keep-alive: timeout=5, max=83
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:00 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4269
keep-alive: timeout=5, max=90
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4311
keep-alive: timeout=5, max=74
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=89
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=4
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:04 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=83
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:05 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=66
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:07 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4212
keep-alive: timeout=5, max=55
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4846
keep-alive: timeout=5, max=59
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:09 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-security-policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;
content-length: 4109
keep-alive: timeout=5, max=54
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:12 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=38
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:14 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=60
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

Findings: 10 Missing security headers - X-Frame-Options

Risk	Medium
Severity	Medium
CVSS Score	5.0
Occurrences	30
Details	Vooki detected that 'X-Frame-Options' security header is missing. There are some HTTP response headers that your application can use to increase security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. X-Frame-Options: The 'X-Frame-Options' HTTP response header can be used to indicate whether browsers should be allowed to render a page in a . Values of 'X-Frame-Options' header: X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN DENY: If 'X-Frame-Options: DENY' is specified, the page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: If 'X-Frame-Options: DENY' is specified, the page can only be displayed in a frame on the same origin as the page itself.
Remediation	It's recommended to implement the 'X-Frame-Options' security header with 'deny' or 'sameorigin' value. Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=14
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=4
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Findings: 11 Sensitive information disclosure in response headers - server

Risk	Medium
Severity	Medium
CVSS Score	5.0
Occurrences	31
Details	Vooki detected a Sensitive information disclosure in the server response header. Information gathering is a type of attack during which the attackers send requests to the server to gather more information. If the server is not configured correctly, it may leak information about itself, such as the server version, PHP/ASP.NET version, OpenSSH version. These issues are not exploitable in most cases but are considered web application security issues because they allow attackers to gather the information that can be used later in the attack lifecycle.
Remediation	Remove the unnecessary information from HTTP response headers related to the OS, web server version, and application frameworks. Ensure that your web server does not send out response headers or background information that reveals technical details about the back-end technology type, version, or setup.

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:32 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 6340
keep-alive: timeout=5, max=92
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:34 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 1415
keep-alive: timeout=5, max=94
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:42 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4185
keep-alive: timeout=5, max=58
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:43 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4280
keep-alive: timeout=5, max=72
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:44 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=40
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:52 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=63
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:53 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4462
keep-alive: timeout=5, max=27
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:54 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4155
keep-alive: timeout=5, max=56
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:55 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4063
keep-alive: timeout=5, max=19
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4003
keep-alive: timeout=5, max=89
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=42
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:57 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4207
keep-alive: timeout=5, max=9
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:58 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4266
keep-alive: timeout=5, max=12
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:00 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4269
keep-alive: timeout=5, max=81
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4311
keep-alive: timeout=5, max=95
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=90
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=5
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:04 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=70
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:05 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=19
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:07 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4212
keep-alive: timeout=5, max=75
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4846
keep-alive: timeout=5, max=60
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-security-policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;
content-length: 4109
keep-alive: timeout=5, max=48
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Dest: script Referer: http://localhost/dvwa/vulnerabilities/csp/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	date: Fri, 16 Jul 2021 05:53:11 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 content-length: 295 keep-alive: timeout=5, max=59 connection: Keep-Alive content-type: text/html; charset=iso-8859-1 status code: 404

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:12 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=52
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:14 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=32
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

Findings: 12 Sensitive information disclosure in response headers - x-powered-by

Risk	Medium
Severity	Medium
CVSS Score	5.0
Occurrences	30
Details	Vooki detected a Sensitive information disclosure in the x-powered-by response header. Information gathering is a type of attack during which the attackers send requests to the server to gather more information. If the server is not configured correctly, it may leak information about itself, such as the server version, PHP/ASP.NET version, OpenSSH version. These issues are not exploitable in most cases but are considered web application security issues because they allow attackers to gather the information that can be used later in the attack lifecycle.
Remediation	Remove the unnecessary information from HTTP response headers related to the OS, web server version, and application frameworks. Ensure that your web server does not send out response headers or background information that reveals technical details about the back-end technology type, version, or setup.

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:32 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 6340
keep-alive: timeout=5, max=92
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:42 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4185
keep-alive: timeout=5, max=58
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:43 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4280
keep-alive: timeout=5, max=72
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:52:52 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=63
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:53 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4462
keep-alive: timeout=5, max=27
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:54 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4155
keep-alive: timeout=5, max=56
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:55 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4063
keep-alive: timeout=5, max=19
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4003
keep-alive: timeout=5, max=89
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=42
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:57 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4207
keep-alive: timeout=5, max=9
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:00 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4269
keep-alive: timeout=5, max=81
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4311
keep-alive: timeout=5, max=95
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=90
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=5
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:04 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=70
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:05 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=19
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:07 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4212
keep-alive: timeout=5, max=75
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4846
keep-alive: timeout=5, max=60
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-security-policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;
content-length: 4109
keep-alive: timeout=5, max=48
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:12 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=52
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:14 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=32
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
status code: 200

Findings: 13 Missing Content Security Policy in response header

Risk	Medium
Severity	Medium
CVSS Score	5.0
Occurrences	29
Details	Vooki detected that the Content Security Policy (CSP) is missing in the response header. It is an added layer of security that helps to detect and mitigate data injection and Cross Site Scripting (XSS) vulnerabilities.
Remediation	It's recommended to include the Content Security Policy (CSP) header in the response. Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

cache-control: no-store, no-cache, must-revalidate
connection: Keep-Alive
content-length: 0
content-type: text/html; charset=UTF-8
date: Fri, 16 Jul 2021 05:48:32 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
keep-alive: timeout=5, max=100
location: login.php
pragma: no-cache
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

username=admin&password=password&Login=Login&user_token=58886de2389d508ae203eccbab9090b7

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:49:10 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 5283
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

security=low&seclev_submit=Submit&user_token=47cc0d11f1b010d5f10fad67d51b4444

cache-control: no-store, no-cache, must-revalidate
connection: Keep-Alive
content-length: 0
content-type: text/html; charset=UTF-8
date: Fri, 16 Jul 2021 05:49:16 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
keep-alive: timeout=5, max=99
location: /dvwa/security.php
pragma: no-cache
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:49:51 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4071
keep-alive: timeout=5, max=98
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:50:05 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4491
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:24 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4155
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:29 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4063
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:33 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4003
keep-alive: timeout=5, max=98
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:44 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4207
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:51 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4266
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4269
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4311
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:08 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:12 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
set-cookie: dvwaSession=1
content-length: 3397
keep-alive: timeout=5, max=98
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:18 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:25 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4590
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/?default=English
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:30 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4194
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:37 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
x-xss-protection: 0
content-length: 4212
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:41 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4846
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Dest: script Referer: http://localhost/dvwa/vulnerabilities/csp/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	date: Fri, 16 Jul 2021 05:51:56 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 content-length: 295 keep-alive: timeout=5, max=99 connection: Keep-Alive content-type: text/html; charset=iso-8859-1 Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:51:58 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=98
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
Cache-Control: no-cache

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

token=8b479aefbd90795395b3e7089ae0dc09&phrase=ChangeMe&send=Submit

date: Fri, 16 Jul 2021 05:52:02 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
keep-alive: timeout=5, max=97
connection: Keep-Alive
transfer-encoding: chunked
content-type: text/html;charset=utf-8
Cache-Control: no-cache

Findings: 14 Technical information exposure on the webpage

Risk	Low
Severity	Low
CVSS Score	3.1
Occurrences	4
Details	Vooki identified technical information exposure on the webpage. Information disclosure is when an application fails to properly protect technical, sensitive and confidential information from parties that are not supposed to have access to the subject matter in normal circumstances.
Remediation	Remove unnecessary technical information from the webpage.

URL:
Occurrences in this URL:	2

Request

Response

date: Fri, 16 Jul 2021 05:48:50 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 6434
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Welcome :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="favicon.ico" /> <script type="text/javascript" src="dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class="selected"><a href=".">Home</a></li> <li class=""><a href="instructions.php">Instructions</a></li> <li class=""><a href="setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="security.php">DVWA Security</a></li> <li class=""><a href="phpinfo.php">PHP Info</a></li> <li class=""><a href="about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Welcome to Damn Vulnerable Web Application!</h1> <p>Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.</p> <p>The aim of DVWA is to <em>practice some of the most common web vulnerabilities</em>, with <em>various levels of difficultly</em>, with a simple straightforward interface.</p> <hr /> <br /> <h2>General Instructions</h2> <p>It is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.</p> <p>Please note, there are <em>both documented and undocumented vulnerability</em> with this software. This is intentional. You are encouraged to try and discover as many issues as possible.</p> <p>DVWA also includes a Web Application Firewall (WAF), PHPIDS, which can be enabled at any stage to further increase the difficulty. This will demonstrate how adding another layer of security may block certain malicious actions. Note, there are also various public methods at bypassing these protections (so this can be seen as an extension for more advanced users)!</p> <p>There is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.</p> <hr /> <br /> <h2>WARNING!</h2> <p>Damn Vulnerable Web Application is damn vulnerable! <em>Do not upload it to your hosting provider's public html folder or any Internet facing servers</em>, as they will be compromised. It is recommend using a virtual machine (such as <a href="https://www.virtualbox.org/" target="_blank">VirtualBox</a> or <a href="https://www.vmware.com/" target="_blank">VMware</a>), which is set to NAT networking mode. Inside a guest machine, you can download and install <a href="https://www.apachefriends.org/en/xampp.html" target="_blank">XAMPP</a> for the web server and database.</p> <br /> <h3>Disclaimer</h3> <p>We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.</p> <hr /> <br /> <h2>More Training Resources</h2> <p>DVWA aims to cover the most commonly seen vulnerabilities found in today's web applications. However there are plenty of other issues with web applications. Should you wish to explore any additional attack vectors, or want more difficult challenges, you may wish to look into the following other projects:</p> <ul> <li><a href="https://github.com/webpwnized/mutillidae" target="_blank">Mutillidae</a></li> <li><a href="https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project" target="_blank">OWASP Broken Web Applications Project </a></li> </ul> <hr /> <br /> </div> <br /><br /> <div class="body_padded"><div class="message">You have logged in as 'admin'</div></div> </div> <div class="clear"> </div> <div id="system_info"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> impossible<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='/dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:38 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=97
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Vulnerability: Insecure CAPTCHA :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css" /> <link rel="icon" type="\image/ico" href="../../favicon.ico" /> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application" /> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"><li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class="selected"><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul><ul class="menuBlocks"><li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Insecure CAPTCHA</h1> <div class="warning"><em>reCAPTCHA API key missing</em> from config file: C:\xampp\htdocs\dvwa\config\config.inc.php</div> <div class="vulnerable_code_area"> <form action="#" method="POST" style="display:none;"> <h3>Change your password:</h3> <br /> <input type="hidden" name="step" value="1" /> New password:<br /> <input type="password" AUTOCOMPLETE="off" name="password_new"><br /> Confirm new password:<br /> <input type="password" AUTOCOMPLETE="off" name="password_conf"><br /> <script src='https://www.google.com/recaptcha/api.js'></script> <br /> <div class='g-recaptcha' data-theme='dark' data-sitekey=''></div> <br /> <input type="submit" value="Change" name="Change"> </form> <em>Please register for a key</em> from reCAPTCHA: <a href="https://www.google.com/recaptcha/admin/create" target="_blank">https://www.google.com/recaptcha/admin/create</a> </div> <h2>More Information</h2> <ul> <li><a href="https://en.wikipedia.org/wiki/CAPTCHA" target="_blank">https://en.wikipedia.org/wiki/CAPTCHA</a></li> <li><a href="https://www.google.com/recaptcha/" target="_blank">https://www.google.com/recaptcha/</a></li> <li><a href="https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)" target="_blank">https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)</a></li> </ul> </div> <br /><br /> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=captcha&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=captcha&security=low' )"> <div align="left"><em>Username:</em> admin<br /><em>Security Level:</em> low<br /><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request	Response
Method: GET sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Dest: script Referer: http://localhost/dvwa/vulnerabilities/csp/ Accept-Language: en-US,en;q=0.9 Connection: keep-alive	date: Fri, 16 Jul 2021 05:51:56 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 content-length: 295 keep-alive: timeout=5, max=99 connection: Keep-Alive content-type: text/html; charset=iso-8859-1 Cache-Control: no-cache

Findings: 15 Autocomplete on password fields

Risk	Medium
Severity	Medium
CVSS Score	4.3
Occurrences	7
Details	Vooki detected an autocomplete vulnerability on password fields. By default, browsers remember information and store in local memory whatever user submits through input fields on websites. This mechanism enables the browser to offer autocompletion and autofill. The attacker can capture the stored information if the attacker gains access to the user's computer.
Remediation	Include the attribute autocomplete = 'off' in the username, password, and the form's sensitive input fields to avoid storing the browser's data.

URL:
Occurrences in this URL:	1

Request

Response

date: Fri, 16 Jul 2021 05:48:33 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 1415
keep-alive: timeout=5, max=99
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Login :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="dvwa/css/login.css"> </head> <body> <div id="wrapper"> <div id="header"> <br> <p><img src="dvwa/images/login_logo.png"></p> <br> </div> <div id="content"> <form action="login.php" method="post"> <fieldset> <label for="user">Username</label> <input type="text" class="loginInput" size="20" name="username"><br> <label for="pass">Password</label> <input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"><br> <br> <p class="submit"><input type="submit" value="Login" name="Login"></p> </fieldset> <input type='hidden' name='user_token' value='58886de2389d508ae203eccbab9090b7'> </form> <br> <br> <br> <br> <br> <br> <br> <br> <br> </div> <div id="footer"> <p><a href="https://github.com/digininja/DVWA/" target="_blank">Damn Vulnerable Web Application (DVWA)</a></p> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:49:34 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4185
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Vulnerability: Brute Force :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css"> <link rel="icon" type="\image/ico" href="../../favicon.ico"> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application"> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"> <li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul> <ul class="menuBlocks"> <li class="selected"><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Brute Force</h1> <div class="vulnerable_code_area"> <h2>Login</h2> <form action="#" method="GET"> Username:<br> <input type="text" name="username"><br> Password:<br> <input type="password" AUTOCOMPLETE="off" name="password"><br> <br> <input type="submit" value="Login" name="Login"> </form> </div> <h2>More Information</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/Brute_force_attack" target="_blank">https://owasp.org/www-community/attacks/Brute_force_attack</a></li> <li><a href="http://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password" target="_blank">http://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password</a></li> <li><a href="http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html" target="_blank">http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html</a></li> </ul> </div> <br><br> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=brute&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=brute&security=low' )"> <div align="left"><em>Username:</em> admin<br><em>Security Level:</em> low<br><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:49:47 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4280
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Vulnerability: Brute Force :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css"> <link rel="icon" type="\image/ico" href="../../favicon.ico"> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application"> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"> <li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul> <ul class="menuBlocks"> <li class="selected"><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Brute Force</h1> <div class="vulnerable_code_area"> <h2>Login</h2> <form action="#" method="GET"> Username:<br> <input type="text" name="username"><br> Password:<br> <input type="password" AUTOCOMPLETE="off" name="password"><br> <br> <input type="submit" value="Login" name="Login"> </form> <p>Welcome to the password protected area admin</p><img src="/dvwa/hackable/users/admin.jpg"> </div> <h2>More Information</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/Brute_force_attack" target="_blank">https://owasp.org/www-community/attacks/Brute_force_attack</a></li> <li><a href="http://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password" target="_blank">http://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password</a></li> <li><a href="http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html" target="_blank">http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html</a></li> </ul> </div> <br><br> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=brute&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=brute&security=low' )"> <div align="left"><em>Username:</em> admin<br><em>Security Level:</em> low<br><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	2

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:14 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4462
keep-alive: timeout=5, max=100
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Vulnerability: Cross Site Request Forgery (CSRF) :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css"> <link rel="icon" type="\image/ico" href="../../favicon.ico"> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application"> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"> <li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class="selected"><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class=""><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Cross Site Request Forgery (CSRF)</h1> <div class="vulnerable_code_area"> <h3>Change your admin password:</h3> <br> <div id="test_credentials"> <button onclick="testFunct()">Test Credentials</button><br><br> <script> function testFunct() { window.open("../../vulnerabilities/csrf/test_credentials.php", "_blank", "toolbar=yes,scrollbars=yes,resizable=yes,top=500,left=500,width=600,height=400"); } </script> </div><br> <form action="#" method="GET"> New password:<br> <input type="password" AUTOCOMPLETE="off" name="password_new"><br> Confirm new password:<br> <input type="password" AUTOCOMPLETE="off" name="password_conf"><br> <br> <input type="submit" value="Change" name="Change"> </form> </div> <h2>More Information</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/csrf" target="_blank">https://owasp.org/www-community/attacks/csrf</a></li> <li><a href="http://www.cgisecurity.com/csrf-faq.html" target="_blank">http://www.cgisecurity.com/csrf-faq.html</a></li> <li><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery " target="_blank">https://en.wikipedia.org/wiki/Cross-site_request_forgery </a></li> </ul> </div> <br><br> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=csrf&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=csrf&security=low' )"> <div align="left"><em>Username:</em> admin<br><em>Security Level:</em> low<br><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

URL:
Occurrences in this URL:	2

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:50:38 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=97
connection: Keep-Alive
content-type: text/html;charset=utf-8
Cache-Control: no-cache
status code: 200

<!DOCTYPE html> <html lang="en-GB"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Vulnerability: Insecure CAPTCHA :: Damn Vulnerable Web Application (DVWA) v1.10 *Development*</title> <link rel="stylesheet" type="text/css" href="../../dvwa/css/main.css"> <link rel="icon" type="\image/ico" href="../../favicon.ico"> <script type="text/javascript" src="../../dvwa/js/dvwaPage.js"></script> </head> <body class="home"> <div id="container"> <div id="header"> <img src="../../dvwa/images/logo.png" alt="Damn Vulnerable Web Application"> </div> <div id="main_menu"> <div id="main_menu_padded"> <ul class="menuBlocks"> <li class=""><a href="../../.">Home</a></li> <li class=""><a href="../../instructions.php">Instructions</a></li> <li class=""><a href="../../setup.php">Setup / Reset DB</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../vulnerabilities/brute/">Brute Force</a></li> <li class=""><a href="../../vulnerabilities/exec/">Command Injection</a></li> <li class=""><a href="../../vulnerabilities/csrf/">CSRF</a></li> <li class=""><a href="../../vulnerabilities/fi/.?page=include.php">File Inclusion</a></li> <li class=""><a href="../../vulnerabilities/upload/">File Upload</a></li> <li class="selected"><a href="../../vulnerabilities/captcha/">Insecure CAPTCHA</a></li> <li class=""><a href="../../vulnerabilities/sqli/">SQL Injection</a></li> <li class=""><a href="../../vulnerabilities/sqli_blind/">SQL Injection (Blind)</a></li> <li class=""><a href="../../vulnerabilities/weak_id/">Weak Session IDs</a></li> <li class=""><a href="../../vulnerabilities/xss_d/">XSS (DOM)</a></li> <li class=""><a href="../../vulnerabilities/xss_r/">XSS (Reflected)</a></li> <li class=""><a href="../../vulnerabilities/xss_s/">XSS (Stored)</a></li> <li class=""><a href="../../vulnerabilities/csp/">CSP Bypass</a></li> <li class=""><a href="../../vulnerabilities/javascript/">JavaScript</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../security.php">DVWA Security</a></li> <li class=""><a href="../../phpinfo.php">PHP Info</a></li> <li class=""><a href="../../about.php">About</a></li> </ul> <ul class="menuBlocks"> <li class=""><a href="../../logout.php">Logout</a></li> </ul> </div> </div> <div id="main_body"> <div class="body_padded"> <h1>Vulnerability: Insecure CAPTCHA</h1> <div class="warning"><em>reCAPTCHA API key missing</em> from config file: C:\xampp\htdocs\dvwa\config\config.inc.php</div> <div class="vulnerable_code_area"> <form action="#" method="POST" style="display:none;"> <h3>Change your password:</h3> <br> <input type="hidden" name="step" value="1"> New password:<br> <input type="password" AUTOCOMPLETE="off" name="password_new"><br> Confirm new password:<br> <input type="password" AUTOCOMPLETE="off" name="password_conf"><br> <script src='https://www.google.com/recaptcha/api.js'></script> <br> <div class='g-recaptcha' data-theme='dark' data-sitekey=''></div> <br> <input type="submit" value="Change" name="Change"> </form> <em>Please register for a key</em> from reCAPTCHA: <a href="https://www.google.com/recaptcha/admin/create" target="_blank">https://www.google.com/recaptcha/admin/create</a> </div> <h2>More Information</h2> <ul> <li><a href="https://en.wikipedia.org/wiki/CAPTCHA" target="_blank">https://en.wikipedia.org/wiki/CAPTCHA</a></li> <li><a href="https://www.google.com/recaptcha/" target="_blank">https://www.google.com/recaptcha/</a></li> <li><a href="https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)" target="_blank">https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-012)</a></li> </ul> </div> <br><br> </div> <div class="clear"> </div> <div id="system_info"> <input type="button" value="View Help" class="popup_button" id='help_button' data-help-url='../../vulnerabilities/view_help.php?id=captcha&security=low' )"> <input type="button" value="View Source" class="popup_button" id='source_button' data-source-url='../../vulnerabilities/view_source.php?id=captcha&security=low' )"> <div align="left"><em>Username:</em> admin<br><em>Security Level:</em> low<br><em>PHPIDS:</em> disabled</div> </div> <div id="footer"> <p>Damn Vulnerable Web Application (DVWA) v1.10 *Development*</p> <script src='../..//dvwa/js/add_event_listeners.js'></script> </div> </div> </body> </html>

Findings: 16 Autocomplete on sensitive fields

Risk	Medium
Severity	Medium
CVSS Score	4.3
Occurrences	3
Details	Vooki detected an autocomplete vulnerability on sensitive fields. By default, browsers remember information and store in local memory whatever user submits through input fields on websites. This mechanism enables the browser to offer autocompletion and autofill. The attacker can capture the stored information if the attacker gains access to the user's computer.
Remediation	Include the attribute autocomplete = 'off' in the username, password, and the form's sensitive input fields to avoid storing the browser's data.

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Findings: 17 Cross-Domain javaScript source file inclusion

Risk	Warning
Severity	Warning
Occurrences	1
Details	Vooki identified that the Cross-Domain JavaScript source file included on the webpage. The page includes JavaScript files from a third-party domain. The inclusion of unknown and untrusted JavaScript may harm the end-users of the website. This is just a warning, not vulnerability if included JavaScript files from a trusted domain.
Remediation	All the included JavaScript files should be verified that this has been intentionally included in the website. Applications using third-party scripts should consider using subresource integrity to make browsers verify them or copy the contents of these scripts onto their domain and include them from there. Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Findings: 18 Missing security headers - X-XSS-Protection

Risk	Information
Severity	Information
Occurrences	28
Details	Vooki detected that 'X-XSS-Protection' security header is missing. There are some HTTP response headers that your application can use to increase security ofyour application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. X-XSS-Protection: The HTTP 'X-XSS-Protection' response header is a mechanism that stops pages from loading when Internet Explorer, Chrome, and Safari detect reflected cross-site scripting (XSS) attacks. For example: X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block X-XSS-Protection: 1;report=
Remediation	It's recommended to implement the 'X-XSS-Protection' security header Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/login.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/security.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/exec/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csrf/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=include.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/fi/?page=file1.php
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/upload/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:52:56 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 4608
keep-alive: timeout=5, max=14
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/captcha/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

date: Fri, 16 Jul 2021 05:53:03 GMT
server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8
x-powered-by: PHP/8.0.8
expires: Tue, 23 Jun 2009 12:00:00 GMT
cache-control: no-cache, must-revalidate
pragma: no-cache
content-length: 3397
keep-alive: timeout=5, max=4
connection: Keep-Alive
content-type: text/html;charset=utf-8
status code: 200

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/weak_id/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_d/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_r/?name=1
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/xss_s/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: GET
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/csp/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

URL:
Occurrences in this URL:	1

Request

Response

Method: POST
Cache-Control: max-age=0
sec-ch-ua: ";Not\\A\"Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dvwa/vulnerabilities/javascript/
Accept-Language: en-US,en;q=0.9
Connection: keep-alive