⚡
GGC-XSS-60F
6.1
MEDIUM
P2
Confirmed
XSS
limit
api_fuzz_test.php:17
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['limit'] reaches a XSS sink at api_fuzz_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_fuzz_test.php?limit=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/api_fuzz_test.php?limit=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-955
6.1
MEDIUM
P2
Confirmed
XSS
id
api_fuzz_test.php:29
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at api_fuzz_test.php:29 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_fuzz_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22'
Evidence (live response):
OK path=/api_fuzz_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🤖
GGC-POI-79C
8.3
HIGH
Potential
PHP_OBJECT_INJECTION
data
deserialize_test.php:17
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['data'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-502 Deserialization of Untrusted Data ·
CVSS 8.3 High (Base 9.8 Critical)Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3 · ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
- Replace unserialize() on tainted input with json_decode() (data-only).
- If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
- Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
🤖
GGC-POI-41E
8.3
HIGH
Potential
PHP_OBJECT_INJECTION
serialized
deserialize_test.php:24
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['serialized'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:24 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-502 Deserialization of Untrusted Data ·
CVSS 8.3 High (Base 9.8 Critical)Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3 · ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
- Replace unserialize() on tainted input with json_decode() (data-only).
- If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
- Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
🤖
GGC-POI-325
8.3
HIGH
Potential
PHP_OBJECT_INJECTION
user
deserialize_test.php:30
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:30 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-502 Deserialization of Untrusted Data ·
CVSS 8.3 High (Base 9.8 Critical)Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3 · ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
- Replace unserialize() on tainted input with json_decode() (data-only).
- If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
- Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-659
6.1
MEDIUM
P2
Confirmed
XSS
q
form_login_test.php:25
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['q'] reaches a XSS sink at form_login_test.php:25 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'form_login_test.php?q=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/form_login_test.php?q=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-80B
6.1
MEDIUM
P2
Confirmed
XSS
user
ggsec_test_app.php:187
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a XSS sink at ggsec_test_app.php:187 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?user=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/ggsec_test_app.php?user=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-7F9
6.1
MEDIUM
P2
Confirmed
XSS
search
ggsec_test_app.php:210
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['search'] reaches a XSS sink at ggsec_test_app.php:210 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?search=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/ggsec_test_app.php?search=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-EAF
8.3
HIGH
Potential
SQL_QUERY
user
ggsec_test_app.php:288
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a SQL_QUERY sink at ggsec_test_app.php:288 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-692
8.3
HIGH
Potential
SQL_QUERY
view_user
ggsec_test_app.php:300
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['view_user'] reaches a SQL_QUERY sink at ggsec_test_app.php:300 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-B13
8.3
HIGH
Potential
SQL_QUERY
render
ggsec_test_app.php:339
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['render'] reaches a SQL_QUERY sink at ggsec_test_app.php:339 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
📄
GGC-XXE-1D8
6.3
MEDIUM
Potential
XXE
xml
ggsec_test_app.php:451
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at ggsec_test_app.php:451 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
🔍
GGC-PATH-5CD
6.3
MEDIUM
Potential
PATH_TRAVERSAL
file
ggsec_test_app.php:694
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['file'] reaches a PATH_TRAVERSAL sink at ggsec_test_app.php:694 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read ·
CVSS 6.3 Medium (Base 7.5 High)User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
- Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
- Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
- Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
- Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-13B
6.1
MEDIUM
P2
Confirmed
XSS
id
idor_test.php:31
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_test.php:31 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_test.php?id=%22%3Ca%20href%3Djavascript%3Aalert%28document.cookie%29%3Ex%3C%2Fa%3E%22'
Evidence (live response):
OK path=/idor_test.php?id=%22%3Ca%20href%3Djavascript%3Aalert%28document.cookie%29%3Ex%3C%2Fa%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-263
6.1
MEDIUM
P2
Confirmed
XSS
id
idor_uuid_test.php:39
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_uuid_test.php:39 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_uuid_test.php?id=%22javascript%3Aalert%281%29%22'
Evidence (live response):
OK path=/idor_uuid_test.php?id=%22javascript%3Aalert%281%29%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-09C
6.1
MEDIUM
P2
Confirmed
XSS
as
idor_v2_test.php:25
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['as'] reaches a XSS sink at idor_v2_test.php:25 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v2_test.php?as=%22%3Cbody%20onload%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/idor_v2_test.php?as=%22%3Cbody%20onload%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-556
6.1
MEDIUM
P2
Confirmed
XSS
id
idor_v2_test.php:40
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_v2_test.php:40 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v2_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22'
Evidence (live response):
OK path=/idor_v2_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-72C
6.1
MEDIUM
P2
Confirmed
XSS
id
idor_v3_test.php:32
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_v3_test.php:32 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v3_test.php?id=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/idor_v3_test.php?id=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-D94
6.1
MEDIUM
P2
Confirmed
XSS
jwt
jwt_jwks_test.php:100
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_jwks_test.php:100 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_jwks_test.php?jwt=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/jwt_jwks_test.php?jwt=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-630
6.1
MEDIUM
P2
Confirmed
XSS
jwt
jwt_kid_test.php:45
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_kid_test.php:45 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_kid_test.php?jwt=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22'
Evidence (live response):
OK path=/jwt_kid_test.php?jwt=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-DF2
6.1
MEDIUM
P2
Confirmed
XSS
jwt
jwt_rs256_test.php:98
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_rs256_test.php:98 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_rs256_test.php?jwt=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/jwt_rs256_test.php?jwt=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-2B9
6.1
MEDIUM
P2
Confirmed
XSS
jwt
jwt_test.php:49
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_test.php:49 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_test.php?jwt=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/jwt_test.php?jwt=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-BBD
6.1
MEDIUM
P2
Confirmed
XSS
user
ldap_test.php:11
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a XSS sink at ldap_test.php:11 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ldap_test.php?user=%22%3Cscript%3Ealert%28%27stored%27%29%3C%2Fscript%3E%22'
Evidence (live response):
OK path=/ldap_test.php?user=%22%3Cscript%3Ealert%28%27stored%27%29%3C%2Fscript%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-FB1
6.1
MEDIUM
P2
Confirmed
XSS
q
members_test.php:21
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['q'] reaches a XSS sink at members_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'members_test.php?q=%22%3Csvg%2Fonload%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/members_test.php?q=%22%3Csvg%2Fonload%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
⚡
GGC-XSS-D7C
6.1
MEDIUM
P2
Confirmed
XSS
safe_username
nosql_test.php:18
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['safe_username'] reaches a XSS sink at nosql_test.php:18 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'nosql_test.php?safe_username=%22data%3Atext%2Fhtml%2C%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22'
Evidence (live response):
OK path=/nosql_test.php?safe_username=%22data%3Atext%2Fhtml%2C%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
📄
GGC-XXE-64D
6.3
MEDIUM
Potential
XXE
xml
oob_test.php:15
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at oob_test.php:15 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
🔍
GGC-PATH-829
6.3
MEDIUM
Potential
PATH_TRAVERSAL
url
oob_test.php:21
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['url'] reaches a PATH_TRAVERSAL sink at oob_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read ·
CVSS 6.3 Medium (Base 7.5 High)User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
- Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
- Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
- Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
- Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
🤖
GGC-POI-CEC
8.3
HIGH
Potential
PHP_OBJECT_INJECTION
prefs
poi_oob_test.php:16
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['prefs'] reaches a PHP_OBJECT_INJECTION sink at poi_oob_test.php:16 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-502 Deserialization of Untrusted Data ·
CVSS 8.3 High (Base 9.8 Critical)Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3 · ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
- Replace unserialize() on tainted input with json_decode() (data-only).
- If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
- Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-937
6.1
MEDIUM
P2
Confirmed
XSS
reset
race_singlepacket_test.php:17
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['reset'] reaches a XSS sink at race_singlepacket_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'race_singlepacket_test.php?reset=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22'
Evidence (live response):
OK path=/race_singlepacket_test.php?reset=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🔍
GGC-PATH-A9F
6.3
MEDIUM
Potential
PATH_TRAVERSAL
count
race_singlepacket_test.php:20
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['count'] reaches a PATH_TRAVERSAL sink at race_singlepacket_test.php:20 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read ·
CVSS 6.3 Medium (Base 7.5 High)User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
- Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
- Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
- Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
- Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-03D
6.1
MEDIUM
P2
Confirmed
XSS
count
race_singlepacket_test.php:20
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['count'] reaches a XSS sink at race_singlepacket_test.php:20 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'race_singlepacket_test.php?count=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/race_singlepacket_test.php?count=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-FF6
8.3
HIGH
Potential
SQL_QUERY
balance
race_test.php:23
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['balance'] reaches a SQL_QUERY sink at race_test.php:23 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-CF5
8.3
HIGH
Potential
SQL_QUERY
from
race_test.php:35
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['from'] reaches a SQL_QUERY sink at race_test.php:35 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🗃
GGC-SQLI-A5A
8.3
HIGH
Potential
SQL_QUERY
amount
race_test.php:41
0/34 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['amount'] reaches a SQL_QUERY sink at race_test.php:41 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-89 SQL Injection ·
CVSS 8.3 High (Base 9.8 Critical)SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
- Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
- For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
- Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
- Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
📄
GGC-XXE-3A1
6.3
MEDIUM
Potential
XXE
xml
xxe_test.php:8
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at xxe_test.php:8 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-B1F
6.1
MEDIUM
P2
Confirmed
XSS
xml
xxe_test.php:10
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XSS sink at xxe_test.php:10 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'xxe_test.php?xml=%22%3CScRiPt%3Ealert%281%29%3C%2FsCrIpT%3E%22'
Evidence (live response):
OK path=/xxe_test.php?xml=%22%3CScRiPt%3Ealert%281%29%3C%2FsCrIpT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
📄
GGC-XXE-5F0
6.3
MEDIUM
Potential
XXE
dom
xxe_test.php:16
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['dom'] reaches a XXE sink at xxe_test.php:16 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
📄
GGC-XXE-933
6.3
MEDIUM
Potential
XXE
xml_parse
xxe_test.php:27
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml_parse'] reaches a XXE sink at xxe_test.php:27 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
📄
GGC-XXE-0BE
6.3
MEDIUM
Potential
XXE
safe_xml
xxe_test.php:44
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['safe_xml'] reaches a XXE sink at xxe_test.php:44 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-611 XML External Entity Reference ·
CVSS 6.3 Medium (Base 7.5 High)An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4 · ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
- Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
- Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
⚡
GGC-XSS-692
6.1
MEDIUM
P2
Confirmed
XSS
search
api_parsing_hell.php:69
33/35 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['search'] reaches a XSS sink at api_parsing_hell.php:69 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting ·
CVSS 6.1 MediumUntrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS) · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (xss-reflection)
- +6 Reproduced by 33 payload(s)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_parsing_hell.php?search=%22%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/api_parsing_hell.php?search=%22%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
- Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
- Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
- Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🤖
GGC-POI-77B
8.3
HIGH
Potential
PHP_OBJECT_INJECTION
prefs
logic_nightmare.php:69
0/0 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['prefs'] reaches a PHP_OBJECT_INJECTION sink at logic_nightmare.php:69 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-502 Deserialization of Untrusted Data ·
CVSS 8.3 High (Base 9.8 Critical)Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3 · ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
- Replace unserialize() on tainted input with json_decode() (data-only).
- If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
- Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
↪
GGC-REDIR-AE3
5.2
MEDIUM
Potential
OPEN_REDIRECT
logout
logic_nightmare.php:105
0/14 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['logout'] reaches a OPEN_REDIRECT sink at logic_nightmare.php:105 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-601 Open Redirect ·
CVSS 5.2 Medium (Base 6.1 Medium)An unvalidated redirect target lets an attacker send victims to a malicious site under the app's trust.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RC:U
ⓘ Base 6,1 → Effective 5,2 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1204 User Execution
Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Validate redirect targets against an allowlist; never redirect to a raw user-supplied URL.
- Allowlist permitted destinations or use server-side keys mapped to URLs.
- Accept only relative paths; reject absolute URLs and protocol-relative (//) values.
Refs: CWE-601 · OWASP: Unvalidated Redirects and Forwards Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
↪
GGC-REDIR-62C
5.2
MEDIUM
Potential
OPEN_REDIRECT
redirect
race_and_files.php:46
0/14 hits
▼
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['redirect'] reaches a OPEN_REDIRECT sink at race_and_files.php:46 without an escape/parameterisation guard on the line. Heuristic — verify.
CWE / CVSS
CWE-601 Open Redirect ·
CVSS 5.2 Medium (Base 6.1 Medium)An unvalidated redirect target lets an attacker send victims to a malicious site under the app's trust.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RC:U
ⓘ Base 6,1 → Effective 5,2 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1 · ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1204 User Execution
Execution
Certainty / Access
Potential · 🔓 Unauthenticated
Remediation
Validate redirect targets against an allowlist; never redirect to a raw user-supplied URL.
- Allowlist permitted destinations or use server-side keys mapped to URLs.
- Accept only relative paths; reject absolute URLs and protocol-relative (//) values.
Refs: CWE-601 · OWASP: Unvalidated Redirects and Forwards Cheat Sheet
| Result | Method | URL | Payload | Status | Time | Detection | DB |
🔍
GGC-VULN-5ED
7.4
HIGH
Probable
HARDCODED_SECRET
private key
jwt_jwks_test.php:10
0/0 hits
▼
Flow
Hard-coded private key in source (----******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
CWE / CVSS
CWE-798 Use of Hard-coded Credentials ·
CVSS 7.4 High (Base 8.2 High)A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt) · ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable · 🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
- Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
- Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
- Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍
GGC-VULN-AA4
7.4
HIGH
Probable
HARDCODED_SECRET
private key
jwt_rs256_test.php:10
0/0 hits
▼
Flow
Hard-coded private key in source (----******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
CWE / CVSS
CWE-798 Use of Hard-coded Credentials ·
CVSS 7.4 High (Base 8.2 High)A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt) · ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable · 🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
- Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
- Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
- Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍
GGC-VULN-EF2
4.8
MEDIUM
Probable
HARDCODED_SECRET
hard-coded SECRET
jwt_test.php:7
0/0 hits
▼
Flow
Hard-coded hard-coded SECRET in source (supe******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-798 Use of Hard-coded Credentials ·
CVSS 4.8 Medium (Base 5.3 Medium)A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RC:R
ⓘ Base 5,3 → Effective 4,8 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt) · ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable · 🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
- Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
- Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
- Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍
GGC-VULN-01E
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
0.CL (/)
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (0.CL (/)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK Content-Type: text/plain Conte…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
0.CL (/) |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-FB7
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
0.CL (/favicon.ico)
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (0.CL (/favicon.ico)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/favicon.ico)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/favicon.ico) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/favicon.ico) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/favicon.ico' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK Content-T…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
0.CL (/favicon.ico) |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-280
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
0.CL (/robots.txt)
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (0.CL (/robots.txt)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/robots.txt)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/robots.txt) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/robots.txt) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/robots.txt' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK Content-Typ…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
0.CL (/robots.txt) |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-63C
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
CL.TE
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (CL.TE); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'CL.TE'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] CL.TE desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] CL.TE desync confirmed against 127.0.0.1:8888 (native confidence 92%, timing 6003ms). Timing-differential desync (CL.TE): baseline=3ms vs desync-probe=6003ms (~timeout 6000ms). Smuggle marker leaked into subsequent response. Confirmed CL.TE. HTTP/1.1 200 OK Content-Typ…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
CL.TE |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-A8E
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
TE.CL
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (TE.CL); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'TE.CL'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] TE.CL desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] TE.CL desync confirmed against 127.0.0.1:8888 (native confidence 80%, timing 5068ms). Time-based confirmation (TE.CL): smuggled GET /?sleep=5 delayed the round-trip to 5068ms (baseline=2ms) — backend processed the smuggled request.
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
TE.CL |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-57D
8.9
HIGH
P1
Confirmed
REQUEST_SMUGGLING
TE.TE
smuggle: 127.0.0.1
1/1 hits
▼
Flow
The front-end and back-end disagree on request boundaries (TE.TE); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync) ·
CVSS 8.9 HighThe front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 · ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
- +50 Confirmed (strong signal)
- +20 Direct detection (request-smuggling)
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'TE.TE'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] TE.TE desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] TE.TE desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). Smuggled marker leaked into subsequent response (TE.TE) without clear timing delta (baseline=2ms, probe=2ms). Marker-leak signal (Likely). HTTP/1.1 200 OK Content-Type: text/plain Conte…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
- Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SMUGGLE |
http://127.0.0.1:8888/ |
TE.TE |
200 |
0ms |
request-smuggling |
— |
🔍
GGC-VULN-91A
7.5
HIGH
P1
Confirmed
OUTDATED_COMPONENT
guzzlehttp/guzzle@6.5.0 · CVE-2022-31090
composer lockfile: composer.lock
1/1 hits
▼
Flow
guzzlehttp/guzzle@6.5.0 is a known-vulnerable dependency (CVE-2022-31090).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 7.5 HighAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\composer.lock' --data 'CVE-2022-31090'
Reflection @ offset 68 — via outdated-component:
…package guzzlehttp/guzzle@6.5.0 (in composer.lock) matches CVE-2022-31090 (CWE-200, Medium): Cross-domain cookie leakage on redirect.…
Evidence (live response):
composer package guzzlehttp/guzzle@6.5.0 (in composer.lock) matches CVE-2022-31090 (CWE-200, Medium): Cross-domain cookie leakage on redirect. Fixed in 6.5.8 — upgrade to >= 6.5.8.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SCA |
tests\composer.lock |
CVE-2022-31090 |
200 |
0ms |
outdated-component |
— |
🔍
GGC-VULN-AD0
7.5
HIGH
P1
Confirmed
OUTDATED_COMPONENT
symfony/http-kernel@v5.4.10 · CVE-2022-24894
composer lockfile: composer.lock
1/1 hits
▼
Flow
symfony/http-kernel@v5.4.10 is a known-vulnerable dependency (CVE-2022-24894).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 7.5 HighAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\composer.lock' --data 'CVE-2022-24894'
Reflection @ offset 72 — via outdated-component:
…kage symfony/http-kernel@v5.4.10 (in composer.lock) matches CVE-2022-24894 (CWE-200, Medium): Sensitive header/cache-key information d…
Evidence (live response):
composer package symfony/http-kernel@v5.4.10 (in composer.lock) matches CVE-2022-24894 (CWE-200, Medium): Sensitive header/cache-key information disclosure. Fixed in 5.4.20 — upgrade to >= 5.4.20.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SCA |
tests\composer.lock |
CVE-2022-24894 |
200 |
0ms |
outdated-component |
— |
🔍
GGC-VULN-50D
9.8
CRITICAL
P0
Confirmed
OUTDATED_COMPONENT
lodash@4.17.15 · CVE-2021-23337
npm lockfile: package-lock.json
1/1 hits
▼
Flow
lodash@4.17.15 is a known-vulnerable dependency (CVE-2021-23337).
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 9.8 CriticalAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2021-23337'
Reflection @ offset 58 — via outdated-component:
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2021-23337 (CWE-77, High): Command injection via template(). Fixed in…
Evidence (live response):
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2021-23337 (CWE-77, High): Command injection via template(). Fixed in 4.17.21 — upgrade to >= 4.17.21.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SCA |
tests\package-lock.json |
CVE-2021-23337 |
200 |
0ms |
outdated-component |
— |
🔍
GGC-VULN-606
7.5
HIGH
P1
Confirmed
OUTDATED_COMPONENT
lodash@4.17.15 · CVE-2020-8203
npm lockfile: package-lock.json
1/1 hits
▼
Flow
lodash@4.17.15 is a known-vulnerable dependency (CVE-2020-8203).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 7.5 HighAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2020-8203'
Reflection @ offset 58 — via outdated-component:
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2020-8203 (CWE-1321, High): Prototype pollution via zipObjectDeep/set…
Evidence (live response):
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2020-8203 (CWE-1321, High): Prototype pollution via zipObjectDeep/set. Fixed in 4.17.19 — upgrade to >= 4.17.19.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SCA |
tests\package-lock.json |
CVE-2020-8203 |
200 |
0ms |
outdated-component |
— |
🔍
GGC-VULN-463
7.5
HIGH
P1
Confirmed
OUTDATED_COMPONENT
jquery@3.4.1 · CVE-2020-11022
npm lockfile: package-lock.json
1/1 hits
▼
Flow
jquery@3.4.1 is a known-vulnerable dependency (CVE-2020-11022).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component ·
CVSS 7.5 HighAn unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) · ISO/IEC 27001:2022 A.8.8 · GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed · 🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
- +50 Confirmed (strong signal)
- +20 Direct detection (outdated-component)
- +6 Expected indicator reflected
- +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2020-11022'
Reflection @ offset 56 — via outdated-component:
npm package jquery@3.4.1 (in package-lock.json) matches CVE-2020-11022 (CWE-79, Medium): XSS via passing HTML from untrusted sourc…
Evidence (live response):
npm package jquery@3.4.1 (in package-lock.json) matches CVE-2020-11022 (CWE-79, Medium): XSS via passing HTML from untrusted sources to DOM manipulation methods. Fixed in 3.5.0 — upgrade to >= 3.5.0.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
- Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
- Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
- Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
- Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
| Result | Method | URL | Payload | Status | Time | Detection | DB |
| ⚠ VULN |
SCA |
tests\package-lock.json |
CVE-2020-11022 |
200 |
0ms |
outdated-component |
— |