Security Assessment Report
GG Advanced IT Security  ·  ggsec.de
SAST 0.1s DAST 26.3s 978 requests 27 confirmed vulns 5 likely 57 SAST targets GGSec Cortex v0.9 Beta
F
Security
Rating

Executive Summary

GGSec Cortex identified 27 confirmed and 5 likely vulnerabilities in tests. Every confirmed finding is evidence-backed — proven by a live proof-of-concept or a baseline-difference control (a forged/malicious request is accepted while a matched control is rejected), so false positives are minimised. Immediate remediation is recommended.
💰
Business Impact
Account / administrator takeover
🧰
Exploitation Complexity
Low — reachable by a remote attacker
🎯
Likelihood
High — confirmed with a live proof-of-concept
Overall Risk
Critical · max CVSS 8.9

Assessment Scope

📄
Target
tests
🌐
Base URL
http://127.0.0.1:8888
🔗
Endpoints tested
23
📤
Total requests
978
HTTP methods
GET, POST, SCA, SMUGGLE
🛡
Vulnerability classes
9
🔑
Authentication
Unauthenticated
🔎
SAST duration
0.1s
DAST duration
26.3s
📅
Scan completed
2026-07-06 22:00

Scan Timeline

21:59:40
Scan started
21:59:40
SAST replay (cached plan)
21:59:40
DAST probing started
21:59:40
GGC-XSS-60F confirmed — XSS limit
21:59:40
GGC-XSS-955 confirmed — XSS id
21:59:40
GGC-XSS-659 confirmed — XSS q
21:59:41
GGC-XSS-80B confirmed — XSS user
21:59:41
GGC-XSS-7F9 confirmed — XSS search
21:59:41
GGC-XSS-13B confirmed — XSS id
21:59:41
GGC-XSS-263 confirmed — XSS id
21:59:41
GGC-XSS-09C confirmed — XSS as
21:59:41
GGC-XSS-556 confirmed — XSS id
21:59:41
GGC-XSS-72C confirmed — XSS id
21:59:42
GGC-XSS-D94 confirmed — XSS jwt
21:59:42
GGC-XSS-630 confirmed — XSS jwt
21:59:42
GGC-XSS-DF2 confirmed — XSS jwt
21:59:42
GGC-XSS-2B9 confirmed — XSS jwt
21:59:42
GGC-XSS-BBD confirmed — XSS user
21:59:42
GGC-XSS-FB1 confirmed — XSS q
21:59:42
GGC-XSS-D7C confirmed — XSS safe_username
21:59:42
GGC-XSS-937 confirmed — XSS reset
21:59:42
GGC-XSS-03D confirmed — XSS count
21:59:42
GGC-XSS-B1F confirmed — XSS xml
21:59:42
GGC-XSS-692 confirmed — XSS search
22:00:06
GGC-VULN-63C confirmed — REQUEST_SMUGGLING CL.TE
22:00:06
GGC-VULN-A8E confirmed — REQUEST_SMUGGLING TE.CL
22:00:06
GGC-VULN-57D confirmed — REQUEST_SMUGGLING TE.TE
22:00:06
GGC-VULN-01E confirmed — REQUEST_SMUGGLING 0.CL (/)
22:00:06
GGC-VULN-280 confirmed — REQUEST_SMUGGLING 0.CL (/robots.txt)
22:00:06
GGC-VULN-FB7 confirmed — REQUEST_SMUGGLING 0.CL (/favicon.ico)
22:00:07
DAST probing completed (26.3s, 978 requests)
22:00:09
Report generated

Overview

27
Confirmed Vulns
5
Likely (review)
💀
9
Critical SAST
🔥
42
High SAST
💻
0
RCE
🗃
0
SQLi
21
XSS
🌐
0
SSRF
📄
0
XXE
🎭
0
CSRF
📡
0
JSONP
🔓
0
Auth Bypass
📤
978
Total Requests
Confirmed vulns by sink type DAST
XSS: 693 REQUEST_SMUGGLING: 6 OUTDATED_COMPONENT: 5 704 total
XSS693
REQUEST_SMUGGLING6
OUTDATED_COMPONENT5
SAST impact distribution SAST
SESSION_THEFT
21
RCE
12
FILE_READ
9
AUTH_BYPASS
6
INFORMATION_DISCLOSURE
5
PRIV_ESC
4
DAST hit rate by sink DAST
XSS
693/735
REQUEST_SMUGGLING
6/6
OUTDATED_COMPONENT
5/5
SQL_QUERY
0/204
OPEN_REDIRECT
0/28

Risk Matrix

Likelihood ▼ / Impact ▶NegligibleMinorModerateMajorSevere
Almost certain
Likely216
Possible
Unlikely
Rare

Remediation Plan

IDFindingCVSSPrioritySLA
GGC-VULN-01E 🔍 REQUEST_SMUGGLING 0.CL (/) 8.9 P1 Within 7 days
GGC-VULN-FB7 🔍 REQUEST_SMUGGLING 0.CL (/favicon.ico) 8.9 P1 Within 7 days
GGC-VULN-280 🔍 REQUEST_SMUGGLING 0.CL (/robots.txt) 8.9 P1 Within 7 days
GGC-VULN-63C 🔍 REQUEST_SMUGGLING CL.TE 8.9 P1 Within 7 days
GGC-VULN-A8E 🔍 REQUEST_SMUGGLING TE.CL 8.9 P1 Within 7 days
GGC-VULN-57D 🔍 REQUEST_SMUGGLING TE.TE 8.9 P1 Within 7 days
GGC-XSS-09C ⚡ XSS as 6.1 P2 Within 30 days
GGC-XSS-03D ⚡ XSS count 6.1 P2 Within 30 days
GGC-XSS-72C ⚡ XSS id 6.1 P2 Within 30 days
GGC-XSS-556 ⚡ XSS id 6.1 P2 Within 30 days
GGC-XSS-263 ⚡ XSS id 6.1 P2 Within 30 days
GGC-XSS-13B ⚡ XSS id 6.1 P2 Within 30 days
GGC-XSS-955 ⚡ XSS id 6.1 P2 Within 30 days
GGC-XSS-2B9 ⚡ XSS jwt 6.1 P2 Within 30 days
GGC-XSS-DF2 ⚡ XSS jwt 6.1 P2 Within 30 days
GGC-XSS-630 ⚡ XSS jwt 6.1 P2 Within 30 days
GGC-XSS-D94 ⚡ XSS jwt 6.1 P2 Within 30 days
GGC-XSS-60F ⚡ XSS limit 6.1 P2 Within 30 days
GGC-XSS-FB1 ⚡ XSS q 6.1 P2 Within 30 days
GGC-XSS-659 ⚡ XSS q 6.1 P2 Within 30 days
GGC-XSS-937 ⚡ XSS reset 6.1 P2 Within 30 days
GGC-XSS-D7C ⚡ XSS safe_username 6.1 P2 Within 30 days
GGC-XSS-692 ⚡ XSS search 6.1 P2 Within 30 days
GGC-XSS-7F9 ⚡ XSS search 6.1 P2 Within 30 days
GGC-XSS-BBD ⚡ XSS user 6.1 P2 Within 30 days
GGC-XSS-80B ⚡ XSS user 6.1 P2 Within 30 days
GGC-XSS-B1F ⚡ XSS xml 6.1 P2 Within 30 days

Compliance Coverage

Each finding mapped to OWASP Top 10 2021, PCI-DSS v4.0, ISO/IEC 27001:2022 and GDPR. References are indicative for audit scoping, not a certification statement.

OWASP Top 10 (2021)# FindingsPCI-DSS v4.0ISO/IEC 27001:2022GDPR
A03:2021 – Injection 33 PCI-DSS v4.0 Req 6.2.4 (injection/XSS); PCI-DSS v4.0 Req 6.2.4 ISO/IEC 27001:2022 A.8.28 GDPR Art. 32 (security of processing)
A05:2021 – Security Misconfiguration 6 PCI-DSS v4.0 Req 2.2.1 / 6.2.4 ISO/IEC 27001:2022 A.8.9 / A.8.28 GDPR Art. 32 (security of processing)
A08:2021 – Software and Data Integrity Failures 5 PCI-DSS v4.0 Req 6.2.4 / 6.4.3 ISO/IEC 27001:2022 A.8.28 / A.8.29 GDPR Art. 32 (security of processing)
A01:2021 – Broken Access Control 5 PCI-DSS v4.0 Req 6.2.4 / 7.2.1 ISO/IEC 27001:2022 A.8.3 / A.5.15 GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
A06:2021 – Vulnerable and Outdated Components 5 PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) ISO/IEC 27001:2022 A.8.8 GDPR Art. 32 (security of processing)
A07:2021 – Identification and Authentication Failures 3 PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt) ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24 GDPR Art. 32 (security of processing)

SAST — Attack Surface

SAST confidence = static taint-flow certainty (source→sink), not runtime proof. "Confirmed" is reserved for DAST findings the engine actually exploited.

#ParameterSinkRiskCVSSStatic confidenceExploit.ImpactLocation
1 limit ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT api_fuzz_test.php:17
2 id ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT api_fuzz_test.php:29
3 data 🤖 PHP_OBJECT_INJECTION High 9.8 CRITICAL Potential Low RCE deserialize_test.php:17
4 serialized 🤖 PHP_OBJECT_INJECTION High 9.8 CRITICAL Potential Low RCE deserialize_test.php:24
5 user 🤖 PHP_OBJECT_INJECTION High 9.8 CRITICAL Potential Low RCE deserialize_test.php:30
6 q ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT form_login_test.php:25
7 user ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT ggsec_test_app.php:187
8 search ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT ggsec_test_app.php:210
9 user 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE ggsec_test_app.php:288
10 view_user 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE ggsec_test_app.php:300
11 render 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE ggsec_test_app.php:339
12 xml 📄 XXE High 7.5 HIGH Potential Low FILE_READ ggsec_test_app.php:451
13 file 🔍 PATH_TRAVERSAL High 7.5 HIGH Potential Low FILE_READ ggsec_test_app.php:694
14 id ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT idor_test.php:31
15 id ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT idor_uuid_test.php:39
16 as ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT idor_v2_test.php:25
17 id ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT idor_v2_test.php:40
18 id ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT idor_v3_test.php:32
19 jwt ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT jwt_jwks_test.php:100
20 jwt ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT jwt_kid_test.php:45
21 jwt ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT jwt_rs256_test.php:98
22 jwt ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT jwt_test.php:49
23 user ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT ldap_test.php:11
24 q ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT members_test.php:21
25 safe_username ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT nosql_test.php:18
26 xml 📄 XXE High 7.5 HIGH Potential Low FILE_READ oob_test.php:15
27 url 🔍 PATH_TRAVERSAL High 7.5 HIGH Potential Low FILE_READ oob_test.php:21
28 prefs 🤖 PHP_OBJECT_INJECTION High 9.8 CRITICAL Potential Low RCE poi_oob_test.php:16
29 reset ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT race_singlepacket_test.php:17
30 count 🔍 PATH_TRAVERSAL High 7.5 HIGH Potential Low FILE_READ race_singlepacket_test.php:20
31 count ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT race_singlepacket_test.php:20
32 balance 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE race_test.php:23
33 from 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE race_test.php:35
34 amount 🗃 SQL_QUERY Critical 9.8 CRITICAL Potential Low RCE race_test.php:41
35 xml 📄 XXE High 7.5 HIGH Potential Low FILE_READ xxe_test.php:8
36 xml ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT xxe_test.php:10
37 dom 📄 XXE High 7.5 HIGH Potential Low FILE_READ xxe_test.php:16
38 xml_parse 📄 XXE High 7.5 HIGH Potential Low FILE_READ xxe_test.php:27
39 safe_xml 📄 XXE High 7.5 HIGH Potential Low FILE_READ xxe_test.php:44
40 search ⚡ XSS High 6.1 MEDIUM Potential Low SESSION_THEFT api_parsing_hell.php:69
41 prefs 🤖 PHP_OBJECT_INJECTION High 9.8 CRITICAL Potential Low RCE logic_nightmare.php:69
42 logout ↪ OPEN_REDIRECT Medium 6.1 MEDIUM Potential Low PRIV_ESC logic_nightmare.php:105
43 redirect ↪ OPEN_REDIRECT Medium 6.1 MEDIUM Potential Low PRIV_ESC race_and_files.php:46
44 private key 🔍 HARDCODED_SECRET Critical 8.2 HIGH Taint-flow Direct PRIV_ESC jwt_jwks_test.php:10
45 private key 🔍 HARDCODED_SECRET Critical 8.2 HIGH Taint-flow Direct PRIV_ESC jwt_rs256_test.php:10
46 hard-coded SECRET 🔍 HARDCODED_SECRET Medium 5.3 MEDIUM Taint-flow Direct INFORMATION_DISCLOSURE jwt_test.php:7
47 0.CL (/) 🔍 REQUEST_SMUGGLING High 8.9 HIGH High Conditional AUTH_BYPASS smuggle: 127.0.0.1
48 0.CL (/favicon.ico) 🔍 REQUEST_SMUGGLING High 8.9 HIGH High Conditional AUTH_BYPASS smuggle: 127.0.0.1
49 0.CL (/robots.txt) 🔍 REQUEST_SMUGGLING High 8.9 HIGH High Conditional AUTH_BYPASS smuggle: 127.0.0.1
50 CL.TE 🔍 REQUEST_SMUGGLING Critical 8.9 HIGH Taint-flow Direct AUTH_BYPASS smuggle: 127.0.0.1
51 TE.CL 🔍 REQUEST_SMUGGLING High 8.9 HIGH High Conditional AUTH_BYPASS smuggle: 127.0.0.1
52 TE.TE 🔍 REQUEST_SMUGGLING High 8.9 HIGH High Conditional AUTH_BYPASS smuggle: 127.0.0.1
53 guzzlehttp/guzzle@6.5.0 · CVE-2022-31090 🔍 OUTDATED_COMPONENT Medium 7.5 HIGH High Direct INFORMATION_DISCLOSURE composer lockfile: composer.lock
54 symfony/http-kernel@v5.4.10 · CVE-2022-24894 🔍 OUTDATED_COMPONENT Medium 7.5 HIGH High Direct INFORMATION_DISCLOSURE composer lockfile: composer.lock
55 lodash@4.17.15 · CVE-2021-23337 🔍 OUTDATED_COMPONENT High 9.8 CRITICAL High Direct RCE npm lockfile: package-lock.json
56 lodash@4.17.15 · CVE-2020-8203 🔍 OUTDATED_COMPONENT High 7.5 HIGH High Direct INFORMATION_DISCLOSURE npm lockfile: package-lock.json
57 jquery@3.4.1 · CVE-2020-11022 🔍 OUTDATED_COMPONENT Medium 7.5 HIGH High Direct INFORMATION_DISCLOSURE npm lockfile: package-lock.json

Endpoint Summary

EndpointRequestsFindingsRisk
tests\package-lock.json 3 🔍 OUTDATED_COMPONENT CRITICAL
http://127.0.0.1:8888/ 6 🔍 REQUEST_SMUGGLING HIGH
tests\composer.lock 2 🔍 OUTDATED_COMPONENT HIGH
idor_v2_test.php 70 ⚡ XSS MEDIUM
race_singlepacket_test.php 70 ⚡ XSS MEDIUM
api_fuzz_test.php 70 ⚡ XSS MEDIUM
ggsec_test_app.php 172 ⚡ XSS MEDIUM
idor_v3_test.php 35 ⚡ XSS MEDIUM
idor_uuid_test.php 35 ⚡ XSS MEDIUM
idor_test.php 35 ⚡ XSS MEDIUM
jwt_test.php 35 ⚡ XSS MEDIUM
jwt_rs256_test.php 35 ⚡ XSS MEDIUM
jwt_kid_test.php 35 ⚡ XSS MEDIUM
jwt_jwks_test.php 35 ⚡ XSS MEDIUM
members_test.php 35 ⚡ XSS MEDIUM
form_login_test.php 35 ⚡ XSS MEDIUM
nosql_test.php 35 ⚡ XSS MEDIUM
api_parsing_hell.php 35 ⚡ XSS MEDIUM
ldap_test.php 35 ⚡ XSS MEDIUM
xxe_test.php 35 ⚡ XSS MEDIUM
race_test.php 102 OK
logic_nightmare.php 14 OK
race_and_files.php 14 OK

DAST — Vulnerability Details

GGC-XSS-60F 6.1 MEDIUM P2 Confirmed XSS limit api_fuzz_test.php:17 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['limit'] reaches a XSS sink at api_fuzz_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_fuzz_test.php?limit=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/api_fuzz_test.php?limit=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-955 6.1 MEDIUM P2 Confirmed XSS id api_fuzz_test.php:29 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at api_fuzz_test.php:29 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_fuzz_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22'
Evidence (live response):
OK path=/api_fuzz_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🤖 GGC-POI-79C 8.3 HIGH Potential PHP_OBJECT_INJECTION data deserialize_test.php:17 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['data'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 8.3 High (Base 9.8 Critical)
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
🤖 GGC-POI-41E 8.3 HIGH Potential PHP_OBJECT_INJECTION serialized deserialize_test.php:24 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['serialized'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:24 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 8.3 High (Base 9.8 Critical)
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
🤖 GGC-POI-325 8.3 HIGH Potential PHP_OBJECT_INJECTION user deserialize_test.php:30 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a PHP_OBJECT_INJECTION sink at deserialize_test.php:30 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 8.3 High (Base 9.8 Critical)
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-659 6.1 MEDIUM P2 Confirmed XSS q form_login_test.php:25 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['q'] reaches a XSS sink at form_login_test.php:25 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'form_login_test.php?q=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/form_login_test.php?q=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-80B 6.1 MEDIUM P2 Confirmed XSS user ggsec_test_app.php:187 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a XSS sink at ggsec_test_app.php:187 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?user=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/ggsec_test_app.php?user=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-7F9 6.1 MEDIUM P2 Confirmed XSS search ggsec_test_app.php:210 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['search'] reaches a XSS sink at ggsec_test_app.php:210 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ggsec_test_app.php?search=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/ggsec_test_app.php?search=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-EAF 8.3 HIGH Potential SQL_QUERY user ggsec_test_app.php:288 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a SQL_QUERY sink at ggsec_test_app.php:288 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-692 8.3 HIGH Potential SQL_QUERY view_user ggsec_test_app.php:300 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['view_user'] reaches a SQL_QUERY sink at ggsec_test_app.php:300 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-B13 8.3 HIGH Potential SQL_QUERY render ggsec_test_app.php:339 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['render'] reaches a SQL_QUERY sink at ggsec_test_app.php:339 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
📄 GGC-XXE-1D8 6.3 MEDIUM Potential XXE xml ggsec_test_app.php:451 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at ggsec_test_app.php:451 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-PATH-5CD 6.3 MEDIUM Potential PATH_TRAVERSAL file ggsec_test_app.php:694 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['file'] reaches a PATH_TRAVERSAL sink at ggsec_test_app.php:694 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read  ·  CVSS 6.3 Medium (Base 7.5 High)
User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
  • Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
  • Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
  • Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
  • Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-13B 6.1 MEDIUM P2 Confirmed XSS id idor_test.php:31 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_test.php:31 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_test.php?id=%22%3Ca%20href%3Djavascript%3Aalert%28document.cookie%29%3Ex%3C%2Fa%3E%22'
Evidence (live response):
OK path=/idor_test.php?id=%22%3Ca%20href%3Djavascript%3Aalert%28document.cookie%29%3Ex%3C%2Fa%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-263 6.1 MEDIUM P2 Confirmed XSS id idor_uuid_test.php:39 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_uuid_test.php:39 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_uuid_test.php?id=%22javascript%3Aalert%281%29%22'
Evidence (live response):
OK path=/idor_uuid_test.php?id=%22javascript%3Aalert%281%29%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-09C 6.1 MEDIUM P2 Confirmed XSS as idor_v2_test.php:25 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['as'] reaches a XSS sink at idor_v2_test.php:25 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v2_test.php?as=%22%3Cbody%20onload%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/idor_v2_test.php?as=%22%3Cbody%20onload%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-556 6.1 MEDIUM P2 Confirmed XSS id idor_v2_test.php:40 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_v2_test.php:40 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v2_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22'
Evidence (live response):
OK path=/idor_v2_test.php?id=%22%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-72C 6.1 MEDIUM P2 Confirmed XSS id idor_v3_test.php:32 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['id'] reaches a XSS sink at idor_v3_test.php:32 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'idor_v3_test.php?id=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/idor_v3_test.php?id=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-D94 6.1 MEDIUM P2 Confirmed XSS jwt jwt_jwks_test.php:100 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_jwks_test.php:100 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_jwks_test.php?jwt=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22'
Evidence (live response):
OK path=/jwt_jwks_test.php?jwt=%22%3Cimg%20src%3D%5C%22x%5C%22%20onerror%3D%5C%22%26%2397%3Blert%281%29%5C%22%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-630 6.1 MEDIUM P2 Confirmed XSS jwt jwt_kid_test.php:45 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_kid_test.php:45 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_kid_test.php?jwt=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22'
Evidence (live response):
OK path=/jwt_kid_test.php?jwt=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-DF2 6.1 MEDIUM P2 Confirmed XSS jwt jwt_rs256_test.php:98 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_rs256_test.php:98 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_rs256_test.php?jwt=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/jwt_rs256_test.php?jwt=%22%3Cimg%20src%3Dx%20oNeRrOr%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-2B9 6.1 MEDIUM P2 Confirmed XSS jwt jwt_test.php:49 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['jwt'] reaches a XSS sink at jwt_test.php:49 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'jwt_test.php?jwt=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/jwt_test.php?jwt=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-BBD 6.1 MEDIUM P2 Confirmed XSS user ldap_test.php:11 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['user'] reaches a XSS sink at ldap_test.php:11 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'ldap_test.php?user=%22%3Cscript%3Ealert%28%27stored%27%29%3C%2Fscript%3E%22'
Evidence (live response):
OK path=/ldap_test.php?user=%22%3Cscript%3Ealert%28%27stored%27%29%3C%2Fscript%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-FB1 6.1 MEDIUM P2 Confirmed XSS q members_test.php:21 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['q'] reaches a XSS sink at members_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'members_test.php?q=%22%3Csvg%2Fonload%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/members_test.php?q=%22%3Csvg%2Fonload%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-XSS-D7C 6.1 MEDIUM P2 Confirmed XSS safe_username nosql_test.php:18 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['safe_username'] reaches a XSS sink at nosql_test.php:18 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'nosql_test.php?safe_username=%22data%3Atext%2Fhtml%2C%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22'
Evidence (live response):
OK path=/nosql_test.php?safe_username=%22data%3Atext%2Fhtml%2C%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
📄 GGC-XXE-64D 6.3 MEDIUM Potential XXE xml oob_test.php:15 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at oob_test.php:15 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-PATH-829 6.3 MEDIUM Potential PATH_TRAVERSAL url oob_test.php:21 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['url'] reaches a PATH_TRAVERSAL sink at oob_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read  ·  CVSS 6.3 Medium (Base 7.5 High)
User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
  • Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
  • Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
  • Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
  • Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
🤖 GGC-POI-CEC 8.3 HIGH Potential PHP_OBJECT_INJECTION prefs poi_oob_test.php:16 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['prefs'] reaches a PHP_OBJECT_INJECTION sink at poi_oob_test.php:16 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 8.3 High (Base 9.8 Critical)
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-937 6.1 MEDIUM P2 Confirmed XSS reset race_singlepacket_test.php:17 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['reset'] reaches a XSS sink at race_singlepacket_test.php:17 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'race_singlepacket_test.php?reset=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22'
Evidence (live response):
OK path=/race_singlepacket_test.php?reset=%22%3C%2500script%3Ealert%281%29%3C%2F%2500script%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🔍 GGC-PATH-A9F 6.3 MEDIUM Potential PATH_TRAVERSAL count race_singlepacket_test.php:20 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['count'] reaches a PATH_TRAVERSAL sink at race_singlepacket_test.php:20 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read  ·  CVSS 6.3 Medium (Base 7.5 High)
User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
  • Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
  • Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
  • Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
  • Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-03D 6.1 MEDIUM P2 Confirmed XSS count race_singlepacket_test.php:20 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['count'] reaches a XSS sink at race_singlepacket_test.php:20 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'race_singlepacket_test.php?count=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/race_singlepacket_test.php?count=%22%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-FF6 8.3 HIGH Potential SQL_QUERY balance race_test.php:23 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['balance'] reaches a SQL_QUERY sink at race_test.php:23 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-CF5 8.3 HIGH Potential SQL_QUERY from race_test.php:35 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['from'] reaches a SQL_QUERY sink at race_test.php:35 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
🗃 GGC-SQLI-A5A 8.3 HIGH Potential SQL_QUERY amount race_test.php:41 0/34 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['amount'] reaches a SQL_QUERY sink at race_test.php:41 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.3 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
📄 GGC-XXE-3A1 6.3 MEDIUM Potential XXE xml xxe_test.php:8 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XXE sink at xxe_test.php:8 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-B1F 6.1 MEDIUM P2 Confirmed XSS xml xxe_test.php:10 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml'] reaches a XSS sink at xxe_test.php:10 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'xxe_test.php?xml=%22%3CScRiPt%3Ealert%281%29%3C%2FsCrIpT%3E%22'
Evidence (live response):
OK path=/xxe_test.php?xml=%22%3CScRiPt%3Ealert%281%29%3C%2FsCrIpT%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
📄 GGC-XXE-5F0 6.3 MEDIUM Potential XXE dom xxe_test.php:16 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['dom'] reaches a XXE sink at xxe_test.php:16 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
📄 GGC-XXE-933 6.3 MEDIUM Potential XXE xml_parse xxe_test.php:27 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['xml_parse'] reaches a XXE sink at xxe_test.php:27 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
📄 GGC-XXE-0BE 6.3 MEDIUM Potential XXE safe_xml xxe_test.php:44 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['safe_xml'] reaches a XXE sink at xxe_test.php:44 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.3 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
No DAST requests recorded for this target.
GGC-XSS-692 6.1 MEDIUM P2 Confirmed XSS search api_parsing_hell.php:69 33/35 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['search'] reaches a XSS sink at api_parsing_hell.php:69 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
SESSION_THEFT — Low
CWE / CVSS
CWE-79 Cross-site Scripting  ·  CVSS 6.1 Medium
Untrusted input is reflected into a page without encoding, so attacker script runs in the victim's browser (session theft).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript · T1185 Browser Session Hijacking
Execution, Collection
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (xss-reflection)
  • +6 Reproduced by 33 payload(s)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'api_parsing_hell.php?search=%22%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%22'
Evidence (live response):
OK path=/api_parsing_hell.php?search=%22%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%22
Remediation
Apply context-aware output encoding on every place user data reaches HTML/JS, and add a CSP.
  • Encode on output by context: HTML body (htmlspecialchars/escapeHTML), attributes, JS, URL.
  • Prefer auto-escaping template engines; avoid raw echo/print of tainted data.
  • Deploy a strict Content-Security-Policy and set HttpOnly on session cookies.
Refs: CWE-79 · OWASP: XSS Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🤖 GGC-POI-77B 8.3 HIGH Potential PHP_OBJECT_INJECTION prefs logic_nightmare.php:69 0/0 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['prefs'] reaches a PHP_OBJECT_INJECTION sink at logic_nightmare.php:69 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
RCE — Low
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 8.3 High (Base 9.8 Critical)
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:U
ⓘ Base 9,8 → Effective 8,3 — potential (E:U/RC:U).
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
No DAST requests recorded for this target.
GGC-REDIR-AE3 5.2 MEDIUM Potential OPEN_REDIRECT logout logic_nightmare.php:105 0/14 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['logout'] reaches a OPEN_REDIRECT sink at logic_nightmare.php:105 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
PRIV_ESC — Low
CWE / CVSS
CWE-601 Open Redirect  ·  CVSS 5.2 Medium (Base 6.1 Medium)
An unvalidated redirect target lets an attacker send victims to a malicious site under the app's trust.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RC:U
ⓘ Base 6,1 → Effective 5,2 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1204 User Execution
Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Validate redirect targets against an allowlist; never redirect to a raw user-supplied URL.
  • Allowlist permitted destinations or use server-side keys mapped to URLs.
  • Accept only relative paths; reject absolute URLs and protocol-relative (//) values.
Refs: CWE-601 · OWASP: Unvalidated Redirects and Forwards Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
GGC-REDIR-62C 5.2 MEDIUM Potential OPEN_REDIRECT redirect race_and_files.php:46 0/14 hits
Flow
Regex-SAST (no LLM): tainted ${_REQUEST}['redirect'] reaches a OPEN_REDIRECT sink at race_and_files.php:46 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
PRIV_ESC — Low
CWE / CVSS
CWE-601 Open Redirect  ·  CVSS 5.2 Medium (Base 6.1 Medium)
An unvalidated redirect target lets an attacker send victims to a malicious site under the app's trust.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RC:U
ⓘ Base 6,1 → Effective 5,2 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1204 User Execution
Execution
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Validate redirect targets against an allowlist; never redirect to a raw user-supplied URL.
  • Allowlist permitted destinations or use server-side keys mapped to URLs.
  • Accept only relative paths; reject absolute URLs and protocol-relative (//) values.
Refs: CWE-601 · OWASP: Unvalidated Redirects and Forwards Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🔍 GGC-VULN-5ED 7.4 HIGH Probable HARDCODED_SECRET private key jwt_jwks_test.php:10 0/0 hits
Flow
Hard-coded private key in source (----******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
Impact
PRIV_ESC — Direct
CWE / CVSS
CWE-798 Use of Hard-coded Credentials  ·  CVSS 7.4 High (Base 8.2 High)
A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt)  ·  ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable  ·  🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
  • Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
  • Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
  • Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-VULN-AA4 7.4 HIGH Probable HARDCODED_SECRET private key jwt_rs256_test.php:10 0/0 hits
Flow
Hard-coded private key in source (----******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
Impact
PRIV_ESC — Direct
CWE / CVSS
CWE-798 Use of Hard-coded Credentials  ·  CVSS 7.4 High (Base 8.2 High)
A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RC:R
ⓘ Base 8,2 → Effective 7,4 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt)  ·  ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable  ·  🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
  • Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
  • Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
  • Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-VULN-EF2 4.8 MEDIUM Probable HARDCODED_SECRET hard-coded SECRET jwt_test.php:7 0/0 hits
Flow
Hard-coded hard-coded SECRET in source (supe******…(27 chars)). Anyone with read access to the repo obtains the credential. Move it to an environment variable / secret manager and ROTATE it — it must be treated as compromised.
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-798 Use of Hard-coded Credentials  ·  CVSS 4.8 Medium (Base 5.3 Medium)
A credential (API key, password, token, private key) is hard-coded in source — anyone with repo access gets it; it must be moved to a secret store and rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RC:R
ⓘ Base 5,3 → Effective 4,8 — probable (E:P/RC:R).
Compliance Impact
A07:2021 – Identification and Authentication Failures
PCI-DSS v4.0 Req 8.3.1 / 8.6 / 3.6 (key mgmt)  ·  ISO/IEC 27001:2022 A.8.5 / A.5.17 / A.8.24  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1552.001 Unsecured Credentials: Credentials In Files
Credential Access
Certainty / Access
Probable  ·  🔓 Unauthenticated
Remediation
Remove the secret from source, load it from an environment variable / secret manager, and ROTATE it — it must be treated as compromised.
  • Rotate/revoke the exposed credential NOW — it is in version control history and must be assumed leaked.
  • Read it at runtime from an env var or a secret manager (Vault/AWS Secrets Manager/Azure Key Vault); never commit it.
  • Purge it from git history (git filter-repo / BFG) and add a pre-commit secret scanner (e.g. this scan) to CI.
Refs: CWE-798 · OWASP: Secrets Management Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-VULN-01E 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING 0.CL (/) smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (0.CL (/)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK  Content-Type: text/plain  Conte…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
0.CL (/)
200 0ms request-smuggling
🔍 GGC-VULN-FB7 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING 0.CL (/favicon.ico) smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (0.CL (/favicon.ico)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/favicon.ico)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/favicon.ico) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/favicon.ico) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/favicon.ico' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK  Content-T…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
0.CL (/favicon.ico)
200 0ms request-smuggling
🔍 GGC-VULN-280 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING 0.CL (/robots.txt) smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (0.CL (/robots.txt)); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data '0.CL (/robots.txt)'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] 0.CL (/robots.txt) desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] 0.CL (/robots.txt) desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). 0.CL smuggle marker leaked into a subsequent response via gadget '/robots.txt' — Content-Length: 0 body was processed by the back-end (Likely). HTTP/1.1 200 OK  Content-Typ…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
0.CL (/robots.txt)
200 0ms request-smuggling
🔍 GGC-VULN-63C 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING CL.TE smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (CL.TE); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'CL.TE'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] CL.TE desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] CL.TE desync confirmed against 127.0.0.1:8888 (native confidence 92%, timing 6003ms). Timing-differential desync (CL.TE): baseline=3ms vs desync-probe=6003ms (~timeout 6000ms). Smuggle marker leaked into subsequent response. Confirmed CL.TE. HTTP/1.1 200 OK  Content-Typ…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
CL.TE
200 0ms request-smuggling
🔍 GGC-VULN-A8E 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING TE.CL smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (TE.CL); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'TE.CL'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] TE.CL desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] TE.CL desync confirmed against 127.0.0.1:8888 (native confidence 80%, timing 5068ms). Time-based confirmation (TE.CL): smuggled GET /?sleep=5 delayed the round-trip to 5068ms (baseline=2ms) — backend processed the smuggled request.
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
TE.CL
200 0ms request-smuggling
🔍 GGC-VULN-57D 8.9 HIGH P1 Confirmed REQUEST_SMUGGLING TE.TE smuggle: 127.0.0.1 1/1 hits
Flow
The front-end and back-end disagree on request boundaries (TE.TE); a crafted Content-Length/Transfer-Encoding mismatch smuggles a second request past the front-end — request hijacking, security-control bypass, cache poisoning, or credential capture.
Impact
AUTH_BYPASS — Conditional
CWE / CVSS
CWE-444 HTTP Request Smuggling (front-end/back-end desync)  ·  CVSS 8.9 High
The front-end and back-end disagree on where a request ends (ambiguous Content-Length/Transfer-Encoding), letting an attacker smuggle a second request past the front-end — request hijacking, control bypass, or cache poisoning.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H/RC:C
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
75%Medium confidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (request-smuggling)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://127.0.0.1:8888/' --data 'TE.TE'
Reflection @ offset 10 — via request-smuggling:
[SMUGGLE] TE.TE desync confirmed against 127.0.0.1:8888 (native confidence…
Evidence (live response):
[SMUGGLE] TE.TE desync confirmed against 127.0.0.1:8888 (native confidence 75%, timing 2ms). Smuggled marker leaked into subsequent response (TE.TE) without clear timing delta (baseline=2ms, probe=2ms). Marker-leak signal (Likely). HTTP/1.1 200 OK  Content-Type: text/plain  Conte…
Remediation
Validate and encode all untrusted input at the relevant trust boundary.
  • Apply input validation (allowlist) and context-aware output encoding for this sink.
Refs: CWE-707 · OWASP Top 10
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SMUGGLE http://127.0.0.1:8888/
TE.TE
200 0ms request-smuggling
🔍 GGC-VULN-91A 7.5 HIGH P1 Confirmed OUTDATED_COMPONENT guzzlehttp/guzzle@6.5.0 · CVE-2022-31090 composer lockfile: composer.lock 1/1 hits
Flow
guzzlehttp/guzzle@6.5.0 is a known-vulnerable dependency (CVE-2022-31090).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 7.5 High
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\composer.lock' --data 'CVE-2022-31090'
Reflection @ offset 68 — via outdated-component:
…package guzzlehttp/guzzle@6.5.0 (in composer.lock) matches CVE-2022-31090 (CWE-200, Medium): Cross-domain cookie leakage on redirect.…
Evidence (live response):
composer package guzzlehttp/guzzle@6.5.0 (in composer.lock) matches CVE-2022-31090 (CWE-200, Medium): Cross-domain cookie leakage on redirect. Fixed in 6.5.8 — upgrade to >= 6.5.8.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SCA tests\composer.lock
CVE-2022-31090
200 0ms outdated-component
🔍 GGC-VULN-AD0 7.5 HIGH P1 Confirmed OUTDATED_COMPONENT symfony/http-kernel@v5.4.10 · CVE-2022-24894 composer lockfile: composer.lock 1/1 hits
Flow
symfony/http-kernel@v5.4.10 is a known-vulnerable dependency (CVE-2022-24894).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 7.5 High
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\composer.lock' --data 'CVE-2022-24894'
Reflection @ offset 72 — via outdated-component:
…kage symfony/http-kernel@v5.4.10 (in composer.lock) matches CVE-2022-24894 (CWE-200, Medium): Sensitive header/cache-key information d…
Evidence (live response):
composer package symfony/http-kernel@v5.4.10 (in composer.lock) matches CVE-2022-24894 (CWE-200, Medium): Sensitive header/cache-key information disclosure. Fixed in 5.4.20 — upgrade to >= 5.4.20.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SCA tests\composer.lock
CVE-2022-24894
200 0ms outdated-component
🔍 GGC-VULN-50D 9.8 CRITICAL P0 Confirmed OUTDATED_COMPONENT lodash@4.17.15 · CVE-2021-23337 npm lockfile: package-lock.json 1/1 hits
Flow
lodash@4.17.15 is a known-vulnerable dependency (CVE-2021-23337).
Impact
RCE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 9.8 Critical
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2021-23337'
Reflection @ offset 58 — via outdated-component:
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2021-23337 (CWE-77, High): Command injection via template(). Fixed in…
Evidence (live response):
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2021-23337 (CWE-77, High): Command injection via template(). Fixed in 4.17.21 — upgrade to >= 4.17.21.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SCA tests\package-lock.json
CVE-2021-23337
200 0ms outdated-component
🔍 GGC-VULN-606 7.5 HIGH P1 Confirmed OUTDATED_COMPONENT lodash@4.17.15 · CVE-2020-8203 npm lockfile: package-lock.json 1/1 hits
Flow
lodash@4.17.15 is a known-vulnerable dependency (CVE-2020-8203).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 7.5 High
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2020-8203'
Reflection @ offset 58 — via outdated-component:
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2020-8203 (CWE-1321, High): Prototype pollution via zipObjectDeep/set…
Evidence (live response):
npm package lodash@4.17.15 (in package-lock.json) matches CVE-2020-8203 (CWE-1321, High): Prototype pollution via zipObjectDeep/set. Fixed in 4.17.19 — upgrade to >= 4.17.19.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SCA tests\package-lock.json
CVE-2020-8203
200 0ms outdated-component
🔍 GGC-VULN-463 7.5 HIGH P1 Confirmed OUTDATED_COMPONENT jquery@3.4.1 · CVE-2020-11022 npm lockfile: package-lock.json 1/1 hits
Flow
jquery@3.4.1 is a known-vulnerable dependency (CVE-2020-11022).
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 7.5 High
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RC:C
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Confidence & Evidence
81%Medium confidenceEvidence score 81/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +6 Expected indicator reflected
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'tests\package-lock.json' --data 'CVE-2020-11022'
Reflection @ offset 56 — via outdated-component:
npm package jquery@3.4.1 (in package-lock.json) matches CVE-2020-11022 (CWE-79, Medium): XSS via passing HTML from untrusted sourc…
Evidence (live response):
npm package jquery@3.4.1 (in package-lock.json) matches CVE-2020-11022 (CWE-79, Medium): XSS via passing HTML from untrusted sources to DOM manipulation methods. Fixed in 3.5.0 — upgrade to >= 3.5.0.
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN SCA tests\package-lock.json
CVE-2020-11022
200 0ms outdated-component

Security Headers

HeaderStatusRiskRecommendation
Content-Security-Policy ✗ MISSING HIGH Prevents XSS/injection. Use nonce or strict-dynamic.
X-Frame-Options ✗ MISSING MEDIUM Prevents clickjacking. Use DENY or SAMEORIGIN.
X-Content-Type-Options ✗ MISSING LOW Prevents MIME sniffing. Set to nosniff.
Strict-Transport-Security ✗ MISSING MEDIUM Enforces HTTPS. min-age=31536000; includeSubDomains.
Referrer-Policy ✗ MISSING LOW Limits referrer leakage. strict-origin-when-cross-origin.
Permissions-Policy ✗ MISSING LOW Restrict unused browser features (camera, mic, geo).