| Risk Level | Number of Alerts |
|---|---|
| High | 0 |
| Medium | 1 |
| Low | 0 |
| Informational | 0 |

| Name | Risk Level | Number of Instances |
|---|---|---|
| ELMAH Information Leak | Medium | 1 |

| Medium | ELMAH Information Leak |
|---|---|
| Description | The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. |
| URL | http://127.0.0.1:8000/elmah.axd |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.0 301 Moved Permanently |
| Instances | 1 |
| Solution | Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/ |
| Reference | https://www.troyhunt.com/aspnet-session-hijacking-with-google/ https://www.nuget.org/packages/elmah https://elmah.github.io/ |
| CWE Id | 94 |
| WASC Id | 14 |
| Plugin Id | 40028 |