 Posted - 12/17/2025 : 10:57:18
My recent PCI scan has failed with some new issues of which I have no idea how to address.
ECT v7.9.1
PHP 8.3.28
Thanks, Patrick
#1 Threat
Insecure configuration of Cookie attributes
Impact
A Cookie Vulnerability helps an attacker to gain access to session information stored in cookies. It may also be used as a 'locator' attack that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack. When looking for Cookie Vulnerabilities, an attacker will first observe cookies through various HTTP proxies and check their attributes. The attacker will then try to steal cookies of various users by employing multiple attacks. If successful, he/she may be able to get sensitive information which can be further used in an illegitimate way.
Solution
It is important to set Secure and HTTPOnly flags for all the cookies on the application. The Secure flag prevents cookies from being transmitted over clear text. An HTTPOnly flag would limit cookie access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie. Cookies set on the client side should also contain Secure and HTTPOnly tags.
DetectionDetails: Cookie Vulnerabilities Found
ecttestcart = 2464
Path = /
Host = www.mywebsite.com
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside
Request: GET https://www.mywebsite.com/index.php HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Cookie: ECTTESTCART=2464; ectcartcookie=c83e9522f4223712a06e52b308; PHPSESSID=t1ah2c0c0vpdh2oi8ukleit2r3
location: https://www.mywebsite.com/index.php
#2 Threat
Boolean Based SQL Injection Vulnerability
Impact
A SQL injection vulnerability (SQLi) was identified in this web application. SQL injection is when modified SQL syntax is supplied to a user defined parameter to have it query the SQL database directly, which is not the desired intent of the web application. A simple proof of concept example of this would be for a user to supply "' or SELECT DATABASES;--" to a user defined parameter and then upon submission, a list of databases on the system would be supplied for the user because the SQL query was interpreted directly on the SQL server instance. SQL injection can be found in many different forms and combinations so the full request and response that was used demonstrate this vulnerability has been provided below as evidence.
DetectionDetails: Boolean based SQL vulnerability found
GET - https://www.mywebsite.com/proddetail.php?prod=Slixprings-Main-Hammer-Spring-Installation-Instructions+and+2371%3D5793+%2F* - prod
False Injection: Slixprings-Main-Hammer-Spring-Installation-Instructions and 2371=5793 /*
True Injection: Slixprings-Main-Hammer-Spring-Installation-Instructions and 5647=5647 /*
True and false injections produced different responses
#3 Threat
Server Banner Disclosure
Impact
Many times server banner includes a version number of the server or the technology used. Information of known security issues for particular versions of servers are available on various security forums. Even if such version number is not present, knowing the server or technology may help the attacker to perform more focused attacks.
Solution
Always configure the web servers to not disclose more information about the server from the response headers
DetectionDetails: Found Server banner with no version information.
GET https://www.mywebsite.com/vsadmin/admin.php
Server: nginx
Request: GET https://www.mywebsite.com/vsadmin/admin.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Referer: https://www.mywebsite.com/vsadmin/
location: https://www.mywebsite.com/vsadmin/admin.php
| 
PCI Scan Failure