Issue Types (PHP)

Exploitable Security Issues (103)

| Name | Severity | Second-Order Analysis | CWE | OWASP Top 10 (2010) | OWASP Top 10 (2013) | OWASP Top 10 (2017) | SANS 25 | PCI DSS | ASVS 3.01 |
|---|---|---|---|---|---|---|---|---|---|
| Command Injection | Critical | Yes | 78 | A1 | A1 | A1 | 2 | 6.5.1 | 5.12 |
| Code Injection | Critical | Yes | 95 | A1 | A1 | A1 | 18 | 6.5.1 | 16.4 |
| File Write (Arbitrary) | Critical | Yes | 96 | A1 | A1 | A1 | 10 | 6.5.8 | 16.2 |
| File Write (PHP file) | Critical | Yes | 96 | A1 | A1 | A1 | 10 | 6.5.8 | |
| Code Injection (eval modifier) | Critical | Yes | 624 | A1 | A1 | A1 | 18 | 6.5.1 | 16.4 |
| Remote File Inclusion | Critical | Yes | 98 | A1 | A4 | A5 | 13 | 6.5.8 | 5.13 |
| SQL Injection | Critical | Yes | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (unquoted) | Critical | Yes | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (single-quoted) | Critical | Yes | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (double-quoted) | Critical | Yes | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (multiple-input) | Critical | Yes | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| Object Injection | Critical | No | 502 | A4 | A4 | A8 | 18 | 6.5.1 | |
| Phar Deserialization | High | No | 915 | A4 | A4 | A8 | 16 | 6.5.8 | 16.4 |
| Local File Inclusion | High | Yes | 97 | A4 | A4 | A5 | 13 | 6.5.8 | 5.13 |
| Local File Inclusion (limited) | High | Yes | 626 | A4 | A4 | A5 | 13 | 6.5.8 | 5.13 |
| File Inclusion | High | Yes | 98 | A4 | A4 | A5 | 13 | 6.5.8 | 5.13 |
| LDAP Injection | High | Yes | 90 | A1 | A1 | A1 | | 6.5.1 | |
| Path Traversal | High | Yes | 22 | A4 | A4 | A5 | 13 | 6.5.8 | 9.5 |
| Object Instantiation | High | No | 470 | A4 | A4 | A5 | 10 | 6.5.8 | 16.4 |
| CVE | High | Yes | | | A9 | A9 | | 6.2 | |
| Buffer Overflow | High | Yes | 120 | | A9 | A9 | 3 | 6.2 | 5.1 |
| Incorrect Buffer Size | High | Yes | 131 | | A9 | A9 | 20 | 6.2 | |
| Denial of Service | High | Yes | 400 | | A9 | A9 | | 6.2 | |
| Integer Overflow | High | Yes | 190 | | A9 | A9 | 24 | 6.2 | |
| Format String | High | Yes | 134 | | A9 | A9 | 23 | 6.2 | |
| Security Bypass | High | Yes | 693 | | A9 | A9 | 18 | 6.2 | |
| Use After Free | High | Yes | 416 | | A9 | A9 | | 6.2 | |
| Double Free | High | Yes | 415 | | A9 | A9 | | 6.2 | |
| Null Pointer Dereference | High | Yes | 476 | | A9 | A9 | | 6.2 | |
| Type Confusion | High | Yes | 843 | | A9 | A9 | | 6.2 | |
| Path Traversal (limited) | High | Yes | 626 | A4 | A4 | A5 | 13 | 6.5.8 | 9.5 |
| Denial of Service | High | Yes | 730 | A1 | A5 | A1 | | 6.5.5 | |
| XQuery Injection | Medium | Yes | 652 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection | Medium | Yes | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (unquoted) | Medium | Yes | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (single-quoted) | Medium | Yes | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (double-quoted) | Medium | Yes | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| Reflection Injection | Medium | No | 470 | A1 | A7 | A5 | 16 | 6.5.8 | 16.4 |
| XSLT Injection | Medium | Yes | 494 | A1 | A1 | A1 | 9 | 6.5.1 | 5.14 |
| File Create | Medium | Yes | 73 | A4 | A4 | A5 | 13 | 6.5.8 | 16.2 |
| File Delete | Medium | Yes | 73 | A4 | A4 | A10 | 13 | 6.5.8 | 9.5 |
| File Manipulation | Medium | Yes | 732 | A4 | A4 | A5 | 17 | 6.5.8 | 9.5 |
| XML/XXE Injection | Medium | Yes | 91 | A1 | A1 | A4 | | 6.5.1 | 5.14 |
| File Upload | Medium | No | 434 | | A5 | A5 | 9 | 6.5.8 | |
| Cross-Site Scripting | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (normal tag) | Medium | Yes | 80 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (script tag) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (style tag) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (comment) | Medium | Yes | 80 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (attribute name) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (unquoted attribute) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (single-quoted attribute) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (double-quoted attribute) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (eventhandler) | Medium | Yes | 83 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (url attribute) | Medium | Yes | 84 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (style attribute) | Medium | Yes | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| File Write | Medium | Yes | 96 | A4 | A1 | A1 | 10 | 6.5.8 | 16.2 |
| File Write (JSON file) | Medium | Yes | 96 | A4 | A4 | A5 | 10 | 6.5.8 | 16.2 |
| File Write (CSS file) | Medium | Yes | 96 | A2 | A3 | A7 | 10 | 6.5.8 | 16.2 |
| File Write (HTML file) | Medium | Yes | 96 | A2 | A3 | A7 | 10 | 6.5.8 | 16.2 |
| Server-Side JavaScript Injection | Medium | Yes | 94 | A1 | A1 | A1 | 16 | 6.5.1 | |
| NoSQL Injection | Medium | Yes | 94 | A1 | A1 | A1 | | 6.5.1 | |
| MongoDB Injection | Medium | Yes | 94 | A1 | A1 | A1 | | 6.5.1 | |
| Session Fixation | Medium | No | 384 | A3 | A2 | A2 | | 6.5.10 | 3.1 |
| Server-Side Request Forgery | Medium | No | 918 | A8 | A10 | A2 | | 6.5.1 | 16.1 |
| Open Redirect | Medium | No | 601 | A10 | A10 | A2 | 22 | 6.5.8 | 16.1 |
| Reflection Injection (Autoload) | Medium | No | 23 | A4 | A7 | A5 | 13 | 6.5.8 | 16.4 |
| HTTP Response Splitting | Medium | No | 113 | A10 | A10 | A1 | | | 3.1 |
| Variable Tampering | Medium | Yes | 627 | A4 | A4 | A2 | | 6.5.8 | 16.4 |
| Variable Tampering (register globals) | Medium | Yes | 621 | A3 | A5 | A2 | 10 | 6.5.8 | 16.4 |
| Variable Tampering (write) | Medium | Yes | 473 | A4 | A4 | A2 | | 6.5.8 | 16.4 |
| Variable Tampering (read) | Medium | Yes | 621 | A4 | A4 | A2 | | 6.5.8 | 16.4 |
| Mass Assignment | Medium | Yes | 915 | A4 | A4 | A2 | 10 | 6.5.8 | 5.16 |
| Log Forging | Low | Yes | 117 | A4 | A4 | A10 | | | 8.8 |
| Memcached Injection | Low | Yes | 143 | A1 | A1 | A1 | 20 | 6.5.1 | |
| Connection String Injection | Low | Yes | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Connection String Injection (FTP) | Low | Yes | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Connection String Injection (DBMS) | Low | Yes | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Resource Injection | Low | No | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Resource Injection (Mail) | Low | No | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Resource Injection (FTP) | Low | No | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Environment Manipulation | Low | Yes | 471 | A4 | A5 | A2 | 10 | 6.5.8 | |
| Library Injection | Low | No | 114 | A1 | A5 | A1 | 11 | | |
| HTTP Parameter Pollution | Low | No | 233 | A10 | A10 | A2 | | 6.5.4 | 5.17 |
| Directory Listing | Low | Yes | 548 | A4 | A4 | A5 | 13 | 6.5.8 | 4.5 |
| Information Leakage | Low | Yes | 209 | A6 | A6 | A6 | | 6.5.5 | 8.1 |
| Information Leakage (System) | Low | Yes | 214 | A6 | A6 | A6 | | 6.5.5 | 8.1 |
| Information Leakage (SQL Error) | Low | Yes | 209 | A6 | A6 | A6 | | 6.5.5 | 8.1 |
| Information Leakage (Session Token in URL) | Low | Yes | 201 | A3 | A2 | A2 | | 6.5.10 | 3.6 |
| Information Leakage (Password) | Low | Yes | 209 | A6 | A6 | A6 | | 6.5.5 | |
| Information Leakage (Crypto) | Low | Yes | 209 | A6 | A6 | A6 | | 6.5.5 | |
| Weak Cryptography | Low | Yes | 310 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (broken algorithm) | Low | Yes | 327 | A9 | A6 | A3 | 19 | 6.5.3 | 7.8 |
| Weak Cryptography (static parameter) | Low | Yes | 328 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (low entropy) | Low | Yes | 330 | A9 | A6 | A3 | | 6.5.3 | 7.15 |
| Weak Cryptography (missing padding) | Low | Yes | 325 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (unsafe storage) | Low | Yes | | A7 | A6 | A3 | 8 | 6.5.3 | |
| Weak Cryptography (unsafe hash comparison) | Low | Yes | | A3 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (cert verification) | Low | Yes | 295 | A9 | A6 | A3 | | 6.5.4 | 10.3 |

Misconfiguration Issues (65)

| Name | Severity | CWE | OWASP Top 10 (2010) | OWASP Top 10 (2013) | OWASP Top 10 (2017) | SANS 25 | PCI DSS | ASVS 3.01 |
|---|---|---|---|---|---|---|---|---|
| Used Root User | Medium | | A6 | | A6 | | | |
| Disabled CSRF Protection | Medium | 352 | A5 | A8 | A6 | | | |
| Cookie Misconfiguration (use for session) | Low | | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (session only with cookie) | Low | | A9 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (domain) | Low | | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (only http) | Low | | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (secure flag) | Low | | A9 | A5 | A6 | | 6.5.10 | |
| Enabled Bug Compatibility | Low | | A6 | A5 | A6 | | | |
| Enabled Bug Compatibility (warning) | Low | | A6 | A5 | A6 | | | |
| Session Misconfiguration (weak hash) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (path) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (trans_sid) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (entropy file) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (strict mode) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (lazy write) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Session Misconfiguration (default name) | Low | | A3 | A2 | A6 | | 6.5.10 | |
| Remote File Open (allow_url_fopen) | Low | | A6 | A1 | A6 | | | |
| Remote File Include (allow_url_include) | Low | | A6 | A1 | A6 | | | |
| Error Displaying | Low | | A6 | A6 | A6 | | | |
| No Error Log | Low | | A6 | | A6 | | | |
| Display PHP Signature | Low | | A6 | A6 | A6 | | | |
| Enabled Register Globals | Low | 518 | A6 | A5 | A6 | | | |
| Enabled Magic Quotes | Low | | A6 | A5 | A6 | | | |
| Enabled Magic Quotes Runtime | Low | | A6 | A5 | A6 | | | |
| Too Large Maximum Post Size | Low | | A6 | A5 | A6 | | | |
| Safe Mode Enabled | Low | | A6 | | A6 | | | |
| Long Arrays Allowed | Low | | A6 | A5 | A6 | | | |
| No Maximum Input Var Set | Low | | A6 | A5 | A6 | | | |
| No PHP File Access Restriction | Low | | A6 | A1 | A6 | | | |
| No Maximum Set (file size) | Low | | A6 | A5 | A6 | | | |
| Too High Maximum (file size) | Low | | A6 | A5 | A6 | | | |
| No Maximum Set (post) | Low | | A6 | A5 | A6 | | | |
| Too High Limit (post) | Low | | A6 | A5 | A6 | | | |
| No Maximum Set (memory) | Low | | A6 | A5 | A6 | | | |
| Too High Limit (memory) | Low | | A6 | A5 | A6 | | | |
| Allowed ASP Tags | Low | | A6 | | A6 | | | |
| No UTF-8 as Default Charset | Low | | A6 | | A6 | | | |
| Enabled Zend Compatibility | Low | | A6 | A5 | A6 | | | |
| Xdebug Waiting For Client | Low | | A6 | A6 | A6 | | | |
| Enabled Dangerous Functions | Low | | A6 | A5 | A6 | | | |
| SOAP WSDL Cache Directory | Low | | A6 | A5 | A6 | | | |
| Wrong Upload Directory | Low | | A6 | A1 | A6 | | | |
| Use Default Values | Low | | A6 | A5 | A6 | | | |
| Hardcoded Parameter | Low | 259 | A6 | | A6 | | | |
| Disabled Validation | Low | | A6 | A5 | A6 | | | |
| No File Extension Restriction | Low | | A6 | A1 | A6 | | | |
| Disabled mod_mime_fix | Low | | A6 | A1 | A6 | | | |
| Disabled Mime Type Detection | Low | | A6 | A1 | A6 | | | |
| Allow Insecure FTP File Upload | Low | | A6 | A1 | A6 | | | |
| Disabled XSS Filter | Low | | A6 | A3 | A6 | | | |
| Hardcoded Password | Low | 259 | A6 | | A6 | | | |
| Weak Password | Low | | A6 | A5 | A6 | | | |
| Default or Weak Salts and Keys | Low | | A9 | A5 | A6 | | | |
| Enabled Debug Mode | Low | | A6 | A6 | A6 | | | |
| Use Basic Auth | Low | | A6 | A5 | A6 | | | |
| Disabled SSL Secured Login | Low | | A9 | A5 | A6 | | | |
| Disabled SSL Secured Login for Admins | Low | | A9 | A5 | A6 | | | |
| Enabled Plugin and Theme Editor | Low | | A6 | A5 | A6 | | | |
| Enabled Plugin and Theme Installation | Low | | A6 | A5 | A6 | | | |
| Disabled Auto Update | Low | | A6 | A5 | A6 | | | |
| Allow External URL Requests | Low | | A10 | A10 | A6 | | | |
| Allow Unauthenticated DB Repair | Low | | A6 | | A6 | | | |
| Weak Encryption (mode) | Low | | A7 | A5 | A6 | | | |
| Weak Encryption (cipher) | Low | | A7 | A5 | A6 | | | |
| Showing Startup Errors | Low | | A6 | A6 | A6 | | | |


Code Quality Issues (44)

| Name | Severity | CWE | OWASP Top 10 (2010) | OWASP Top 10 (2013) | OWASP Top 10 (2017) | SANS 25 | PCI DSS | ASVS 3.01 |
|---|---|---|---|---|---|---|---|---|
| External Variable Initialization | Medium | 454 | | | | | | |
| Variable Extraction Error | Medium | 621 | | | | | | |
| Cookie Misconfiguration | Low | 494 | A6 | A5 | A6 | | 6.5.10 | 3.12 |
| Cookie Misconfiguration (expiry) | Low | 539 | A6 | A5 | A6 | | 6.5.10 | 3.4 |
| Cookie Misconfiguration (secure flag) | Low | 614 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (path) | Low | 287 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (domain) | Low | 287 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (httpOnly flag) | Low | 200 | A6 | A5 | A6 | | 6.5.10 | |
| Weak HTTP header | Low | 644 | A6 | A5 | A6 | | 6.5.4 | |
| Generic Exception Catch | Low | 396 | | | | | | |
| Hard-coded Password | Low | 259 | | | | | | |
| Dangerous Feature | Low | 242 | | | | | | |
| Executable Regex | Low | 624 | | | | | | |
| Execution After Redirect | Low | 698 | | A7 | A2 | | | |
| Weak Strict-Transport-Security header | Low | 523 | A6 | A5 | A6 | | 6.5.4 | 10.11 |
| Weak X-XSS Protection header | Low | 693 | A6 | A5 | A6 | | 4.1.g | 11.8 |
| Weak CSP header | Low | 693 | A6 | A5 | A6 | | 6.5.4 | 11.7 |
| Weak CORS Header | Low | 346 | A6 | A5 | A6 | | 6.5.4 | 16.5 |
| Weak XFO header | Low | 1021 | A6 | A6 | A6 | | 6.5.4 | 11.4 |
| Divide By Zero | Low | 369 | | | | | | |
| Dynamic SQL Query | Low | 89 | | | | | | |
| Missing Error Handling | Low | 390 | | | | | | |
| Missing Default Case | Low | 478 | | | | | | |
| Omitted Break Statement | Low | 484 | | | | | | |
| Deprecated Feature | Low | 477 | | | | | | |
| Permissive Regex | Low | 625 | | | | | | |
| Weak Hash Function | Low | 328 | A7 | | | | | |
| Type Unsafe Comparison | Low | 597 | | | | | | |
| Generic Exception Throw | Low | 397 | | | | | | |
| Empty Exception Catch | Low | 755 | | | | | | |
| Uncaught Exception | Low | 248 | | | | | | |
| Return Inside Finally | Low | 584 | | | | | | |
| Expression Always True | Low | 571 | | | | | | |
| Expression Always False | Low | 572 | | | | | | |
| Ignored Return Value | Low | 253 | | | | | | |
| Write to $GLOBALS | Low | 518 | | | | | | |
| Loop Iteration Change | Low | 834 | | | | | | |
| Leftover Debug Code | Low | 489 | | | | | | |
| Assign Instead Compare | Low | 481 | | | | | | |
| Compare Instead Assign | Low | 482 | | | | | | |
| Decision by Cookie | Low | 784 | A3 | A2 | A2 | | | |
| Decision by DNS | Low | 350 | A3 | A2 | A2 | | | |
| Decision by IP | Low | 291 | A3 | A2 | A2 | | | |
| Parse error | Low | | | | | | | |
| Suspicious Comment | Low | 546 | | | | | | |