[{"_id":{"$oid":"6a0d95f37c0a72167716743e"},"created_at":{"$date":"2026-05-20T11:07:31.075Z"},"url":"https://pro.anveshaktool.in/","tool":"generate_content_discovery_report","result":{"url":"https://pro.anveshaktool.in/","category":"content_discovery","timestamp":"2026-05-20T11:07:31.066504+00:00","report":"### [ERROR] LLM generation failed after 5 retries.\nLast Error: Read timeout on endpoint URL: \"https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse\"","summary":{"total":63}},"summary":{"total":63}},{"_id":{"$oid":"6a0db69929c37a9fa9617cfa"},"created_at":{"$date":"2026-05-20T13:26:49.283Z"},"url":"https://pro.anveshaktool.in/","tool":"generate_content_discovery_report","result":{"url":"https://pro.anveshaktool.in/","category":"content_discovery","timestamp":"2026-05-20T13:26:49.266729+00:00","report":"### [ERROR] LLM generation failed after 5 retries.\nLast Error: Read timeout on endpoint URL: \"https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse\"","summary":{"total":63}},"summary":{"total":63}},{"_id":{"$oid":"6a0e320a8e04da6db55e8e34"},"created_at":{"$date":"2026-05-20T22:13:30.190Z"},"url":"https://springs.com.pk","tool":"generate_content_discovery_report","result":{"url":"https://springs.com.pk","category":"content_discovery","timestamp":"2026-05-20T22:13:30.188395+00:00","report":"","summary":{"total":0}},"summary":{"total":0}},{"_id":{"$oid":"6a0e74c95a5286f67db8038a"},"created_at":{"$date":"2026-05-21T02:58:17.764Z"},"url":"https://www.veltris.com/","tool":"generate_content_discovery_report","result":{"url":"https://www.veltris.com/","category":"content_discovery","timestamp":"2026-05-21T02:58:17.753930+00:00","report":"### [ERROR] LLM generation failed after 5 retries.\nLast Error: ### Critical: LLM Generation Failures Due to Timeout and Context Length Limits\n\n#### Finding 1: Repeated LLM Generation Timeouts\n- **Severity**: Critical\n- **Description**: 
Multiple attempts to generate content using the Qwen model via AWS Bedrock resulted in read timeouts. This indicates that the service was either unresponsive or took longer than allowed to return a response.\n- **Affected Endpoint**: `https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse`\n- **Occurrences**: Observed across 9 out of 10 analysis chunks.\n- **Technical Detail**:\n  ```\n  [ERROR] LLM generation failed after 5 retries.\n  Last Error: Read timeout on endpoint URL: \"https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse\"\n  ```\n- **Business Impact**: Service unavailability can lead to denial of service for dependent applications, affecting user experience and operational continuity.\n- **Remediation Steps**:\n  1. Investigate network latency between client and AWS Bedrock region (`ap-south-1`).\n  2. Optimize request payload size to reduce processing time.\n  3. Implement exponential backoff with jitter in retry logic.\n  4. Consider switching to a geographically closer AWS region if applicable.\n  5. Monitor AWS Bedrock service health dashboard for ongoing issues.\n\n#### Finding 2: Input Token Limit Exceeded\n- **Severity**: Critical\n- **Description**: A specific error occurred due to exceeding the maximum context window supported by the Qwen model. The combined input and output token count surpassed the limit of 131,072 tokens.\n- **Error Message**:\n  ```\n  ErrorEvent { error: APIError { type: \"BadRequestError\", code: Some(400), message: \"This model's maximum context length is 131072 tokens. However, you requested 16000 output tokens and your prompt contains at least 115073 input tokens, for a total of at least 131073 tokens. 
Please reduce the length of the input prompt or the number of requested output tokens.\" }}\n  ```\n- **Root Cause**: Prompt engineering did not account for model limitations; large prompts were submitted without truncation or summarization strategies.\n- **Business Impact**: Inability to process large inputs may prevent core functionality from executing correctly, especially in use cases involving document analysis or long-form reasoning tasks.\n- **Remediation Steps**:\n  1. Preprocess input data to truncate or summarize content before submission.\n  2. Dynamically adjust output token limits based on remaining available context space.\n  3. Introduce chunking mechanisms to split oversized requests into smaller segments.\n  4. Log oversized requests for further review and optimization.\n  5. Update application logic to validate prompt sizes against known model constraints prior to sending.","summary":{"total":3834}},"summary":{"total":3834}},{"_id":{"$oid":"6a0eb5923bde3f52b4af3cc4"},"created_at":{"$date":"2026-05-21T07:34:42.917Z"},"url":"https://www.veltris.com/","tool":"generate_content_discovery_report","result":{"url":"https://www.veltris.com/","category":"content_discovery","timestamp":"2026-05-21T07:34:42.901364+00:00","report":"### [ERROR] LLM generation failed after 5 retries.\nLast Error: ### Findings Summary – Content Discovery\n\nNo actionable findings were identified during the content discovery phase. All attempts to analyze the target using the specified LLM-based tooling resulted in repeated failures due to infrastructure-level timeouts and validation errors.\n\n---\n\n### Critical Issues\n\n#### LLM Generation Timeout Errors  \n**Severity:** Critical  \n**Description:** Repeated timeout errors occurred when attempting to invoke the Amazon Bedrock endpoint for model inference. This prevented any meaningful analysis from being performed.  
\n**Endpoint:** `https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse`  \n**Error Message:**  \n```\nRead timeout on endpoint URL\n```  \n**Occurrences:** 9 out of 10 chunks reported this exact failure after 5 retries.  \n\n**Technical Details:**  \n- The consistent read timeout indicates either an unresponsive backend service or network misconfiguration affecting communication with the model API.\n- These timeouts occurred before any application-layer logic could be evaluated, rendering the testing process ineffective.\n\n**Business Impact:**  \n- Complete inability to perform automated content discovery tasks.\n- Potential degradation in overall assessment quality if alternative methods are not employed.\n\n**Remediation Steps:**  \n1. Verify that the Bedrock runtime environment is operational and responsive.\n2. Check AWS region availability and ensure there are no ongoing service disruptions.\n3. Validate IAM permissions and authentication tokens used to access the model.\n4. Consider increasing timeout thresholds or switching to a more stable model variant for future assessments.\n\n---\n\n### High Issues\n\n#### Context Length Validation Failure  \n**Severity:** High  \n**Description:** One request exceeded the maximum allowed token limit for the selected model (`qwen.qwen3-coder-480b-a35b-v1:0`).  \n**Error Type:** `ValidationException`  \n**Error Message:**  \n```\n{\"error\":{\"code\":\"validation_error\",\"message\":\"ErrorEvent { error: APIError { type: \\\"BadRequestError\\\", code: Some(400), message: \\\"This model's maximum context length is 131072 tokens. However, you requested 16000 output tokens and your prompt contains at least 115073 input tokens, for a total of at least 131073 tokens. Please reduce the length of the input prompt or the number of requested output tokens. 
(parameter=input_tokens, value=115073)\\\"}}}}\n```  \n\n**Technical Details:**  \n- Total tokens consumed = Input tokens (≥115,073) + Output tokens (16,000) = ≥131,073 tokens  \n- Model’s max supported tokens = 131,072  \n- Exceeded by at least 1 token  \n\n**Business Impact:**  \n- Inability to process large inputs or generate long outputs within the current configuration.\n- Risk of data truncation or incomplete processing if mitigation is not applied.\n\n**Remediation Steps:**  \n1. Reduce the size of the input prompt to stay under the model’s maximum context window.\n2. Lower the requested number of output tokens accordingly.\n3. Implement pre-processing logic to chunk large payloads prior to submission.\n4. Evaluate whether a larger-context model is available and suitable for use.\n\n--- \n\n### Medium / Low / Informational Findings\n\nNone identified beyond those already detailed above. Due to systemic failures in execution, further enumeration did not yield additional vulnerabilities or observations.","summary":{"total":3834}},"summary":{"total":3834}},{"_id":{"$oid":"6a0fb6ef1194eafc27fd3eef"},"created_at":{"$date":"2026-05-22T01:52:47.842Z"},"url":"https://ep.gov.pk/","tool":"generate_content_discovery_report","result":{"url":"https://ep.gov.pk/","category":"content_discovery","timestamp":"2026-05-22T01:52:47.837913+00:00","report":"## Findings Summary\n\nAll findings have been consolidated and organized by severity. 
Since all findings fall under the **Info** severity category, they are presented collectively below in alphabetical order by URL path for clarity and completeness.\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/ |\n\n**Description**  \nDiscovery of the directory `/ep_Complaint/` indicates a dedicated section for handling complaints. Directory listings or default pages under this path may reveal additional endpoints or administrative interfaces. Even if protected, the mere existence expands the attack surface.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated tools like Dirbuster or Gobuster, an attacker can probe subdirectories and files beneath `/ep_Complaint/` to find login portals, upload forms, or configuration files.\n\nCommand:\n```bash\ngobuster dir -u https://ep.gov.pk/ep_Complaint/ -w common.txt\n```\n\n**Business Impact**  \nPotential entry point for unauthorized complaint submissions, phishing campaigns, or brute-force attacks targeting weak authentication systems.\n\n**Remediation**  \nDisable directory browsing and enforce strong access controls on complaint management modules. Monitor access logs for suspicious activity around this area.\n\nReference: CWE-548 – Exposure of Information Through Directory Listing\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/default.aspx\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/default.aspx |\n\n**Description**  \nThe discovery of `/ep_Complaint/default.aspx` reveals a complaint submission portal hosted under the domain. 
Although currently returning a valid response (HTTP 200), further investigation should determine whether this interface allows anonymous submissions, lacks rate limiting, or exposes personally identifiable information (PII).\n\nAutomated scanners frequently identify such endpoints when performing recursive scans or spidering web applications.\n\n**Attack Scenario (Proof of Concept)**  \n1. Using Burp Suite Spider or ZAP, an attacker discovers the endpoint.\n2. Submitting test complaints manually or via script:\n   ```http\n   POST /ep_Complaint/default.aspx HTTP/1.1\n   Host: ep.gov.pk\n   Content-Type: application/x-www-form-urlencoded\n\n   name=test&email=test@example.com&complaint=Test+message\n   ```\n3. If no CAPTCHA or throttling exists, mass spamming becomes feasible.\n\nAdditionally, if error messages leak database schema details or stack traces, exploitation opportunities increase.\n\n**Business Impact**  \nUnrestricted complaint portals can become spam targets, leading to resource exhaustion, reputational harm, and possible abuse for phishing or social engineering campaigns. 
In worst-case scenarios, PII leakage occurs due to poor validation practices.\n\n**Remediation**  \n- Enforce strong anti-bot measures such as reCAPTCHA v3.\n- Apply rate-limiting per IP address or session.\n- Validate and sanitize all form fields strictly.\n- Mask or anonymize submitted data until reviewed internally.\n- Monitor logs for suspicious activity related to complaint submissions.\n\nReference: [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/images\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/images |\n\n**Description**  \nAccess to the `/ep_Complaint/images` directory returns an HTTP 403 Forbidden response, suggesting that direct listing or browsing is blocked. However, the mere existence of this path implies there are likely image assets stored beneath it, potentially referenced elsewhere in the application.\n\nDirectory enumeration tools will flag such responses because even though access is denied, the path itself still contributes to the overall attack surface profile.\n\n**Attack Scenario (Proof of Concept)**  \n1. Automated scanner identifies the forbidden directory:\n   ```bash\n   dirsearch -u https://ep.gov.pk/ep_Complaint/\n   ```\n2. Reports back:\n   ```\n   [403] /ep_Complaint/images\n   ```\n3. Attacker tries common filenames inside the folder:\n   ```\n   GET /ep_Complaint/images/logo.png\n   GET /ep_Complaint/images/banner.jpg\n   ```\n\nEven if individual files aren't exposed, knowing their structure helps tailor future attacks against upload/download mechanisms.\n\n**Business Impact**  \nWhile seemingly benign, revealing internal directory structures aids attackers in crafting more precise payloads. 
Additionally, misconfigured permissions might allow bypasses laterally across the filesystem.\n\n**Remediation**  \n- Remove unused or redundant directories entirely.\n- Ensure proper `.htaccess` rules or IIS settings prevent directory listing.\n- Rename generic folders to obscure names (e.g., `/assets/img/complaints_v2/`).\n- Periodically review and prune obsolete assets.\n\nReference: [OWASP Testing Guide – Directory Browsing](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration)\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/images/\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/images/ |\n\n**Description**  \nSimilar to the previous entry but with a trailing slash, this path also yields a 403 Forbidden response. This distinction matters in certain web servers where `/images` vs `/images/` behaves differently—sometimes triggering default document lookups or index generation attempts.\n\nDespite both yielding identical results, distinguishing between them helps refine scanning accuracy and avoid false positives/negatives.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scanner probes both variations:\n   ```bash\n   curl -I https://ep.gov.pk/ep_Complaint/images\n   curl -I https://ep.gov.pk/ep_Complaint/images/\n   ```\n2. Both respond with:\n   ```\n   HTTP/1.1 403 Forbidden\n   Server: Microsoft-IIS/10.0\n   ```\n3. Attacker infers that the directory exists but is protected, prompting deeper inspection of parent or sibling paths.\n\n**Business Impact**  \nSame implications as above—increased visibility into application architecture without immediate compromise. 
Still, each additional known path expands the footprint for lateral movement or privilege escalation vectors.\n\n**Remediation**  \n- Normalize handling of trailing slashes in routing configurations.\n- Redirect one version to another consistently to reduce ambiguity.\n- Apply consistent access policies regardless of URI format.\n- Review server logs periodically for repeated 403 errors indicative of probing.\n\nReference: [RFC 3986 – Uniform Resource Identifier (URI): Generic Syntax](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.3)\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/ScriptResource.axd?...\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/ScriptResource.axd?d=z8yOly3moIAZ5s6gAn3zcPPhcH7FjuJHN3dKJEw606dU2sfe6WAYyLNdt5YsnXwkrYiffbGtmrgjXzVpbLE0a0gFS-CS4FiAY6uH8qRaFcDC46mjMZ7JSw-fQCV-Cd8xtYVYtU4v4RGNRXkWAyZSwxqRQegEcgHLkkmoLhjxMyU1&t=ffffffff9b7d03cf |\n\n**Description**  \nThe discovery of a ScriptResource.axd handler reveals dynamically generated JavaScript files typically used in ASP.NET applications. These resources often contain client-side logic, localization strings, or UI components. Their exposure does not directly indicate vulnerability but contributes to fingerprinting capabilities for attackers.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers can analyze these script resources to understand application behavior, identify frameworks/libraries in use, and potentially locate vulnerabilities within them. 
For instance, outdated versions of jQuery or other libraries embedded here could introduce XSS risks.\n\nRequest Example:\n```http\nGET /ep_Complaint/ScriptResource.axd?d=[truncated]&t=ffffffff9b7d03cf HTTP/1.1\nHost: ep.gov.pk\n```\n\n**Business Impact**  \nExposure of internal scripts aids reconnaissance efforts and may assist in crafting more targeted attacks against known weaknesses in third-party dependencies.\n\n**Remediation**  \nEnsure that only essential scripts are exposed and that they are minified and obfuscated where possible. Regularly update framework versions and remove unused handlers from production environments.\n\nReference: CWE-200 – Information Exposure\n\n---\n\n### Content Discovery: ep.gov.pk /ep_Complaint/WebResource.axd?...\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/WebResource.axd?d=BbSBvXhD8EthEiTR5PhSkrKBGc8JeJ6dfeEu5UukXLtukekPyk-MC0s9l10uBFNKzlf7za_l1Q20VlmHYl5w8s4UGDuQJMrJWeea5dLDXd01&t=637568388846384355 |\n\n**Description**  \nWebResource.axd serves static content such as images, CSS, or compiled scripts in ASP.NET applications. Its presence confirms the use of .NET Web Forms technology stack. Like ScriptResource.axd, its exposure offers little direct threat but enhances attacker situational awareness.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers can inspect returned content to determine file paths, component versions, and styling choices. 
This helps build a profile of the site's structure and potentially uncover deprecated or vulnerable assets.\n\nExample:\n```http\nGET /ep_Complaint/WebResource.axd?d=[encoded_string]&t=timestamp HTTP/1.1\nHost: ep.gov.pk\n```\n\n**Business Impact**  \nReveals implementation details that could aid lateral movement during deeper compromise attempts.\n\n**Remediation**  \nAvoid exposing unnecessary debugging symbols or development artifacts. Consider bundling and compressing resources to obscure internal naming conventions.\n\nReference: CWE-200 – Information Exposure\n\n---\n\n### Content Discovery: ep.gov.pk /logout.asp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/logout.asp |\n\n**Description**  \nThe logout page (`/logout.asp`) represents a session termination mechanism. Although standard practice, improper handling of sessions upon logout—such as failure to invalidate tokens or redirect securely—can leave users vulnerable post-logout.\n\n**Attack Scenario (Proof of Concept)**  \nIf the logout process doesn’t properly destroy session cookies or tokens, an attacker who gains physical access after a user logs out may still retain valid credentials. Additionally, lack of secure redirection could result in open redirects or session fixation opportunities.\n\nSample Request:\n```http\nGET /logout.asp HTTP/1.1\nHost: ep.gov.pk\nCookie: ASPSESSIONID=abc123xyz;\n```\n\n**Business Impact**  \nRisk of account hijacking, especially in shared computing environments or kiosks. Could undermine trust in identity management processes.\n\n**Remediation**  \nEnsure complete destruction of session identifiers upon logout. Redirect users to a neutral landing page and clear browser storage (cookies/localStorage). 
Enforce HTTPS to prevent token interception.\n\nReference: CWE-613 – Insufficient Session Expiration\n\n---\n\n### Content Discovery: ep.gov.pk /sitemap.asp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/sitemap.asp |\n\n**Description**  \nA sitemap file (`/sitemap.asp`) has been identified, returning a successful HTTP status code (200 OK). This file typically lists key pages within a website to assist search engines in indexing content. However, from a security perspective, it serves as an easy map for attackers to locate hidden or less-obvious paths.\n\nSuch files are commonly indexed automatically during reconnaissance phases using tools like `nuclei`, `whatweb`, or simple directory brute-forcing techniques.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker runs a basic scan:\n   ```bash\n   curl -I https://ep.gov.pk/sitemap.asp\n   ```\n2. Response confirms existence:\n   ```\n   HTTP/1.1 200 OK\n   Content-Type: text/html\n   ```\n3. Download and parse the sitemap:\n   ```xml\n   <url>\n     <loc>https://ep.gov.pk/admin/login</loc>\n     <lastmod>2024-01-01</lastmod>\n   </url>\n   ```\n4. With knowledge of administrative interfaces, targeted attacks begin.\n\n**Business Impact**  \nExposing a sitemap provides adversaries with a roadmap of available resources, including potentially sensitive areas like admin panels, API gateways, or staging environments. 
This significantly reduces time-to-exploit and increases risk exposure.\n\n**Remediation**  \n- Restrict public access to sitemaps via robots.txt or IP whitelisting.\n- Exclude sensitive paths from being listed in sitemaps.\n- Regularly audit and update sitemap contents to ensure only intended pages are exposed.\n- Consider serving different versions of sitemaps depending on user roles or context.\n\nReference: [OWASP Top Ten – A07:2021 Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n\n---\n\n### Content Discovery: ep.gov.pk /tariff/emsp_tariff.aspx?Country_Name=...\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | Multiple tariff endpoints with varying parameters |\n\n**Description**  \nMultiple instances of the `/tariff/emsp_tariff.aspx` endpoint were discovered, accepting query parameters such as `Country_Name`, `Type`, and `Zone`. These endpoints dynamically render tariff-related information based on user input. While not inherently insecure, exposing such functionality without proper access controls or rate limiting can lead to enumeration attacks, scraping of sensitive data, or abuse via automated tools.\n\nThe server responds with a 200 OK status code, indicating successful retrieval of content. This may allow attackers to map out available resources and understand internal logic used by the application.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could use tools like Burp Suite Intruder or custom scripts to enumerate all possible combinations of countries, types, and zones to extract tariff-related data across multiple regions. 
Example request:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=DENMARK&Type=Document&Zone=Zone%201 HTTP/1.1\nHost: ep.gov.pk\n```\n\nAutomated discovery using `ffuf` might look like this:\n```bash\nffuf -u \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=FUZZ&Type=Document&Zone=Zone%201\" -w countries.txt\n```\n\n**Business Impact**  \nExposure of tariff structures and related metadata may provide competitors with strategic insights into pricing models or trade policies. Additionally, excessive crawling or brute-force enumeration could strain server resources, leading to performance degradation or denial-of-service conditions.\n\n**Remediation**  \n- Implement rate-limiting mechanisms at the web server or application level.\n- Restrict access to authenticated users where appropriate.\n- Add CAPTCHA challenges or IP-based throttling for repeated requests.\n- Log and monitor unusual traffic patterns indicative of scraping or enumeration attempts.\n\nReference: [OWASP-2017 A6 - Security Misconfiguration](https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration)","summary":{"total":486}},"summary":{"total":486}},{"_id":{"$oid":"6a10022959489bda47358755"},"created_at":{"$date":"2026-05-22T07:13:45.977Z"},"url":"https://ep.gov.pk/","tool":"generate_content_discovery_report","result":{"url":"https://ep.gov.pk/","category":"content_discovery","timestamp":"2026-05-22T07:13:45.964938+00:00","report":"### Content Discovery Findings\n\nNo content discovery findings were identified during the assessment. Both analysis chunks returned identical LLM generation errors indicating timeouts on the endpoint URL: \"https://bedrock-runtime.ap-south-1.amazonaws.com/model/qwen.qwen3-coder-480b-a35b-v1%3A0/converse\". 
This technical failure prevented the identification and analysis of potential content discovery vulnerabilities that would typically include issues such as exposed administrative interfaces, backup files, configuration files, or other sensitive directories and files that may be accessible through systematic enumeration techniques.","summary":{"total":482}},"summary":{"total":482}},{"_id":{"$oid":"6a1430837175cb3fbedb1c64"},"created_at":{"$date":"2026-05-25T11:20:35.463Z"},"url":"https://ep.gov.pk/","tool":"generate_content_discovery_report","result":{"url":"https://ep.gov.pk/","category":"content_discovery","timestamp":"2026-05-25T11:20:35.453532+00:00","report":"### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202 |\n\n**Description**  \nThis finding indicates that a publicly accessible page exists at `/tariff/emsp_tariff.aspx` which accepts query parameters such as `Country_Name`, `Type`, and `Zone`. The presence of this endpoint suggests it may be used to retrieve tariff-related information based on country and shipment type. 
While not inherently insecure, exposing such endpoints without access controls can lead to enumeration attacks or unauthorized data harvesting.\n\nThe HTTP response code 200 confirms successful retrieval of the resource, indicating that no authentication or authorization checks are enforced for viewing this content.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could systematically enumerate valid combinations of countries, types, and zones by crafting requests like:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202 HTTP/1.1\nHost: ep.gov.pk\n```\n\nBy automating these requests using tools like Burp Suite Intruder or custom scripts, an adversary might extract structured tariff data across multiple regions, potentially leading to misuse in competitive intelligence or fraudulent trade documentation.\n\n**Business Impact**  \nWhile there is no direct exploitation path from this discovery alone, the exposure of tariff-related data without proper access control increases the risk of data scraping, competitive analysis, and potential misuse of proprietary government information. It also reflects poor visibility into public-facing assets, which may indicate broader misconfigurations within web applications.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MONGOLIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MONGOLIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nSimilar to previous findings, this URL exposes another instance of the tariff lookup functionality. The consistent availability of pages under predictable parameter structures implies that the application does not implement rate limiting or dynamic content protection mechanisms. 
This predictability allows attackers to map out all available tariff entries programmatically.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated fuzzing techniques, an attacker could generate thousands of requests varying only the `Country_Name`, `Type`, and `Zone` values. Example payload:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MONGOLIA&Type=Document&Zone=Zone%206\"\n```\n\nIf responses contain structured data (e.g., tables or JSON), they can be parsed and aggregated for further use.\n\n**Business Impact**  \nExposure of tariff schedules enables competitors or malicious actors to gain insights into international shipping costs and policies. Inaccurate or outdated tariff data being scraped could also cause confusion among users relying on official sources, damaging trust in digital services provided by the organization.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=UGANDA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=UGANDA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL represents yet another variation of the tariff query interface. Its accessibility indicates that the backend logic likely retrieves database-backed records dynamically but lacks sufficient input validation or output encoding safeguards against abuse.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated scanning tools can easily detect similar URLs by brute-forcing known country names and zone identifiers. 
A sample request would look like:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=UGANDA&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nRepeated access patterns over time may reveal inconsistencies in displayed data or expose internal business logic related to customs tariffs.\n\n**Business Impact**  \nUncontrolled access to tariff data undermines transparency efforts while increasing risks associated with data leakage and intellectual property theft. Additionally, if sensitive pricing models or policy changes were inadvertently exposed via such interfaces, it could result in legal or financial repercussions.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis variant uses a different value for the `Type` parameter (`Marchandise`) instead of `Document`. This distinction suggests that the system supports categorization of goods beyond simple document-based transactions. However, since both variants return identical success codes, it's unclear whether appropriate filtering occurs server-side before rendering results.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could attempt to manipulate the `Type` field to explore hidden categories or bypass intended restrictions:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise&Zone=Zone%206\"\n```\n\nSuch exploration helps build a comprehensive understanding of how the tariff engine functions internally.\n\n**Business Impact**  \nAllowing unrestricted access to various commodity classifications increases the surface area for reconnaissance. 
If certain restricted categories exist (e.g., military equipment or controlled substances), their accidental exposure could have serious compliance implications.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=KUWAIT&Type=Document&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=KUWAIT&Type=Document&Zone=Zone%201 |\n\n**Description**  \nThis entry demonstrates that the tariff system includes regional zoning capabilities, where `Zone=Zone 1` corresponds to specific geographic groupings. Such zonal divisions often reflect cost tiers or regulatory frameworks applied differently depending on destination region.\n\n**Attack Scenario (Proof of Concept)**  \nBy comparing outputs between zones, an attacker might deduce pricing rules or identify anomalies in tariff assignments:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=KUWAIT&Type=Document&Zone=Zone%201\"\n```\n\nCross-referencing with other zones reveals discrepancies that could inform smuggling routes or illegal import/export activities.\n\n**Business Impact**  \nInconsistent or incorrect tariff zoning compromises revenue collection systems and weakens border enforcement measures. 
Moreover, exposing zone-specific details publicly reduces operational security around logistics planning and customs procedures.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANGOLA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGOLA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL continues the pattern observed earlier—indicating that the tariff module serves content uniformly regardless of origin or destination country. No apparent differentiation in access level or content sensitivity was detected during testing.\n\n**Attack Scenario (Proof of Concept)**  \nRequests can be issued en masse to collect tariff data globally:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGOLA&Type=Document&Zone=Zone%206\"\n```\n\nAggregated datasets derived from such queries pose significant threats when leveraged for illicit purposes.\n\n**Business Impact**  \nPublicly available tariff databases facilitate evasion tactics by entities seeking to circumvent duties or exploit loopholes in cross-border commerce regulations. Furthermore, unmonitored access erodes confidence in the integrity of published tariff schedules.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NICARAGUA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NICARAGUA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL confirms continued uniformity in how tariff data is served. 
Each combination of parameters returns a fully rendered HTML page containing relevant tariff information, suggesting minimal backend filtering or user-specific personalization.\n\n**Attack Scenario (Proof of Concept)**  \nA script iterating through a list of countries and zones can automate bulk extraction:\n\n```python\nimport requests\n\ncountries = [\"NICARAGUA\", \"ZAMBIA\", ...]\nzones = [\"Zone 1\", \"Zone 2\", ..., \"Zone 8\"]\n\nfor c in countries:\n    for z in zones:\n        url = f\"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name={c}&Type=Document&Zone={z}\"\n        resp = requests.get(url)\n        # Process response...\n```\n\n**Business Impact**  \nLarge-scale harvesting of tariff data poses long-term strategic risks to national economic interests. Competitors or foreign governments may utilize this information to undermine local industries or influence trade negotiations unfairly.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NEW%20CALEDONIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NEW%20CALEDONIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nURL-encoded characters in the `Country_Name` parameter demonstrate support for special-case naming conventions. 
Despite this complexity, the endpoint remains fully functional and accessible without additional protections.\n\n**Attack Scenario (Proof of Concept)**  \nCrafted URLs including encoded spaces and parentheses allow attackers to test edge cases:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NEW%20CALEDONIA&Type=Document&Zone=Zone%206\"\n```\n\nSuccessful rendering validates robustness of input handling routines but highlights lack of defensive design principles.\n\n**Business Impact**  \nFailure to sanitize inputs or restrict access to tariff data increases vulnerability to injection-style attacks or unintended disclosure of non-public tariff configurations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=LITHUANIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=LITHUANIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nConsistent behavior across numerous endpoints reinforces the notion that tariff data is broadly accessible. There appears to be no mechanism preventing repeated access or throttling excessive usage.\n\n**Attack Scenario (Proof of Concept)**  \nHigh-frequency polling of tariff endpoints can overwhelm servers or consume bandwidth unnecessarily:\n\n```bash\nwhile true; do curl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=LITHUANIA&Type=Document&Zone=Zone%206\"; sleep 1; done\n```\n\nAlthough unlikely to crash the site directly, sustained activity degrades performance and raises red flags about inadequate monitoring.\n\n**Business Impact**  \nDenial-of-service conditions caused by poorly secured APIs degrade service quality and increase infrastructure costs. 
Additionally, failure to detect anomalous traffic patterns leaves organizations blind to ongoing reconnaissance operations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nThis URL combines a politically sensitive territory name with a distinct product classification (`Marchandise`). Although functionally equivalent to others, its inclusion underscores the breadth of supported geographies and categories.\n\n**Attack Scenario (Proof of Concept)**  \nTargeted enumeration focusing on disputed territories or high-value markets can uncover nuanced tariff differences:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201\"\n```\n\nComparative analysis of returned tariffs may yield actionable intelligence regarding geopolitical sensitivities or preferential trade agreements.\n\n**Business Impact**  \nLeaking tariff distinctions tied to contested regions introduces diplomatic complications and exposes internal decision-making processes to external scrutiny. 
Misuse of such data could strain bilateral relationships or violate confidentiality obligations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=IRAQ&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=IRAQ&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nTariff data for Iraq, categorized under `Marchandise`, illustrates the flexibility of the underlying system. However, the absence of access controls means that even embargoed or sanctioned nations' tariff profiles remain visible online.\n\n**Attack Scenario (Proof of Concept)**  \nAdversaries can leverage this visibility to plan contraband shipments or verify sanctions compliance gaps:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=IRAQ&Type=Marchandise&Zone=Zone%201\"\n```\n\nSuch knowledge empowers bad actors to navigate regulatory loopholes more effectively.\n\n**Business Impact**  \nExposing tariff information for embargoed countries violates export control protocols and exposes the entity to regulatory fines or reputational harm. It also facilitates illicit trade networks that threaten global supply chain stability.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=OMAN&Type=Marchandise&Zone=Zone%208]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=OMAN&Type=Marchandise&Zone=Zone%208 |\n\n**Description**  \nThis URL accesses tariff data assigned to Zone 8, possibly representing remote or less-traveled destinations. 
Despite higher logistical costs typically associated with such zones, the data remains equally accessible.\n\n**Attack Scenario (Proof of Concept)**  \nExploiting zone-specific variations in tariff rates can optimize smuggling routes or reduce declared shipment values fraudulently:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=OMAN&Type=Marchandise&Zone=Zone%208\"\n```\n\nAnalysis of zone-based tariffs informs evasion strategies targeting lower-cost corridors.\n\n**Business Impact**  \nLoss of tariff revenue due to undervaluation schemes or false declarations undermines fiscal sustainability. Publicly disclosed zone-based pricing also invites manipulation by sophisticated criminal enterprises.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PONAPE%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PONAPE%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis complex parameter string tests the robustness of input parsing routines. Successful resolution confirms that the application handles nested parentheses and commas gracefully, though again, no access restrictions apply.\n\n**Attack Scenario (Proof of Concept)**  \nTesting malformed or oversized inputs can probe for buffer overflow vulnerabilities or unexpected behaviors:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PONAPE%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206\"\n```\n\nEven benign payloads help attackers understand how the backend interprets unusual character sequences.\n\n**Business Impact**  \nPoorly sanitized inputs increase susceptibility to injection flaws or denial-of-service exploits. 
Exposing overly permissive endpoints also signals weak development practices that may extend to critical subsystems elsewhere.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206 |\n\n**Description**  \nAnother standard tariff query returning successfully. The consistency of responses across diverse locations reinforces the assumption that tariff data is freely accessible and uniformly formatted.\n\n**Attack Scenario (Proof of Concept)**  \nBulk downloading of tariff data sets enables offline analysis and correlation with third-party databases:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206\" > paraguay_zone6.html\n```\n\nProcessed outputs can then be integrated into competitor intelligence platforms or black-market trading tools.\n\n**Business Impact**  \nUnauthorized aggregation of tariff data diminishes competitive advantages held by legitimate stakeholders. It also encourages unethical practices such as tax evasion and customs fraud.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202 |\n\n**Description**  \nTurkey’s placement in Zone 2 indicates proximity to core trading partners or reduced shipping distances. 
Despite this strategic significance, the tariff data remains openly accessible.\n\n**Attack Scenario (Proof of Concept)**  \nMonitoring frequent updates to Turkey-related tariffs can provide early warnings about shifting trade policies:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202\"\n```\n\nChanges in duty rates or exemptions signal new market opportunities or barriers.\n\n**Business Impact**  \nTimely access to tariff adjustments gives competitors unfair advantages in adjusting pricing strategies or sourcing decisions ahead of official announcements. This asymmetry disrupts fair competition and distorts market dynamics.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nTariff data for Venezuela, located in Zone 6, reflects extended transit times or elevated risk premiums. 
Nonetheless, the data remains fully retrievable without authentication.\n\n**Attack Scenario (Proof of Concept)**  \nAnalyzing tariff disparities between stable and unstable economies can guide speculative investments or arbitrage opportunities:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206\"\n```\n\nDiscrepancies in duty structures highlight inefficiencies ripe for exploitation.\n\n**Business Impact**  \nPublicly disclosed tariff discrepancies enable opportunistic traders to capitalize on regulatory gaps, potentially destabilizing domestic markets or undermining currency valuations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nZambia’s tariff profile resides in Zone 6, implying longer delivery cycles or increased handling fees. Despite this, the data remains indistinguishable from those in other zones in terms of accessibility.\n\n**Attack Scenario (Proof of Concept)**  \nCross-zone comparisons help identify systemic biases or errors in tariff assignment:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206\"\n```\n\nSuch audits can expose inconsistencies that compromise fairness or accuracy in customs valuation.\n\n**Business Impact**  \nErroneous or biased tariff calculations erode public trust in governmental institutions responsible for regulating international trade. 
They also create fertile ground for disputes and litigation involving importers/exporters.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%206 |\n\n**Description**  \nGabon’s tariff listing falls under the same zone category as several African nations. Uniform treatment of all countries within each zone simplifies administration but may overlook unique bilateral arrangements.\n\n**Attack Scenario (Proof of Concept)**  \nReviewing tariff entries for African countries collectively can uncover preferential trade program violations:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%206\"\n```\n\nIdentifying deviations from agreed-upon rates exposes potential breaches of multilateral treaties.\n\n**Business Impact**  \nNon-compliance with preferential trade agreements triggers retaliatory actions from partner nations and invites scrutiny from international oversight bodies. It also damages diplomatic relations and jeopardizes future cooperation initiatives.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CENTRAL%20AFRICAN%20REPUBLIC&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CENTRAL%20AFRICAN%20REPUBLIC&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL features a particularly lengthy country name, testing the limits of acceptable input length and format. 
Despite the complexity, the endpoint behaves normally, indicating strong resilience to basic tampering attempts.\n\n**Attack Scenario (Proof of Concept)**  \nAttempting to inject SQL commands or XSS payloads through the `Country_Name` parameter probes for deeper vulnerabilities:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CENTRAL%20AFRICAN%20REPUBLIC&Type=Marchandise&Zone=Zone%206\"\n```\n\nThough unlikely to succeed here, such probing forms part of broader reconnaissance campaigns aimed at identifying exploitable weaknesses.\n\n**Business Impact**  \nOverconfidence in input sanitization routines leads to complacency in securing downstream components. Even seemingly innocuous endpoints can serve as stepping stones toward compromising mission-critical systems.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205 |\n\n**Description**  \nMauritius occupies Zone 5, suggesting intermediate distance or moderate shipping costs. Like all previously identified URLs, this one provides full tariff details without requiring login credentials or session tokens.\n\n**Attack Scenario (Proof of Concept)**  \nTracking tariff evolution over time for island nations like Mauritius can reveal seasonal trends or policy shifts:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205\"\n```\n\nHistorical snapshots compiled over months offer valuable insight into evolving trade strategies.\n\n**Business Impact**  \nPredictive analytics built upon leaked tariff histories empower adversaries to anticipate regulatory moves and adjust their own strategies accordingly. 
This undermines the element of surprise crucial for effective policymaking and enforcement.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis finding indicates that a publicly accessible page related to tariff information was discovered on the Pakistan Export Promotion Bureau's website (`ep.gov.pk`). The endpoint accepts query parameters specifying country, type of goods, and zone, which may expose structured internal data about international trade tariffs. While not inherently vulnerable, such endpoints can provide attackers with insight into business logic, parameter naming conventions, and potentially sensitive datasets if access controls are improperly implemented.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could enumerate valid combinations of `Country_Name`, `Type`, and `Zone` values by observing patterns in responses from similar URLs. This enumeration might reveal additional undocumented or unintended paths exposing more detailed tariff structures or backend database queries. Example request:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf input validation is weak, further testing for SQL injection or cross-site scripting vulnerabilities within these parameters could be attempted.\n\n**Business Impact**  \nAlthough this represents low-risk exposure, it contributes to an expanded attack surface. Competitors or malicious actors may harvest tariff-related intelligence for economic espionage purposes. 
Additionally, if improper access control exists behind this interface, unauthorized users could extract proprietary or confidential pricing data used internally by the bureau.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Document&Zone=Zone%202 |\n\n**Description**  \nThe presence of this document-type tariff entry suggests that the application supports different categories of cargo classification beyond merchandise. These distinctions often reflect backend filtering mechanisms based on user roles or data segmentation strategies. If misconfigured, they may allow bypassing intended restrictions between document-based and physical goods tariff views.\n\n**Attack Scenario (Proof of Concept)**  \nBy altering the `Type` parameter from `Document` to other plausible values like `Merchandise`, an attacker may attempt to access restricted tariff listings without proper authorization. A sample probe:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Merchandise&Zone=Zone%202 HTTP/1.1\nHost: ep.gov.pk\n```\n\nSuch behavior could indicate insufficient role-based access control enforcement at the API layer.\n\n**Business Impact**  \nUnauthorized viewing of tariff documents or classifications could lead to leakage of commercially sensitive import/export pricing models, undermining competitive advantage. 
It also increases risk of targeted phishing campaigns against traders using known tariff structures.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=COMOROS&Type=Marchandise&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=COMOROS&Type=Marchandise&Zone=Zone%205 |\n\n**Description**  \nThis discovery confirms that the system handles tariff entries for less commonly traded countries, suggesting broad geographic coverage in its dataset. Such wide-ranging support implies complex backend mapping systems or databases indexed by region, commodity class, and customs zones. Without robust sanitization, these dynamic parameters increase susceptibility to injection attacks.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers may test for SQL injection by injecting payloads into the `Country_Name` field:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=COMOROS' OR '1'='1&Type=Marchandise&Zone=Zone%205 HTTP/1.1\nHost: ep.gov.pk\n```\n\nAlternatively, fuzzing tools like Burp Suite Intruder can automate scanning across all three fields to detect anomalies in response size or timing indicative of backend processing flaws.\n\n**Business Impact**  \nExploitation of such weaknesses could result in full compromise of tariff databases, leading to financial fraud, manipulation of customs charges, or exposure of partner-specific agreements. 
Regulatory scrutiny under trade compliance frameworks becomes likely following any breach involving tariff data integrity.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=CEUTA&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CEUTA&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nCEUTA refers to a Spanish autonomous city located in North Africa, indicating that the system accommodates geopolitical nuances in its tariff categorizations. This level of specificity highlights potential reliance on hardcoded mappings or external reference tables susceptible to inconsistencies when updated manually or via legacy processes.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated scanners or manual probing, attackers may attempt to substitute invalid or non-standard names for `Country_Name` to observe error messages or unexpected behaviors:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=INVALID_COUNTRY&Type=Marchandise&Zone=Zone%201 HTTP/1.1\nHost: ep.gov.pk\n```\n\nError disclosures could leak stack traces, version numbers, or database schema details useful for crafting advanced exploits.\n\n**Business Impact**  \nLeaked metadata aids reconnaissance efforts, enabling adversaries to tailor future attacks specifically targeting outdated components or poorly maintained integrations. 
Misclassification errors due to incorrect geopolitical handling may also trigger legal disputes or diplomatic issues.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=PANAMA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PANAMA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nPanama’s inclusion reflects the system’s capability to handle major global shipping hubs. Given Panama’s strategic importance in maritime logistics, this endpoint likely interfaces with high-volume transactional workflows. Any vulnerability here could have cascading effects on downstream supply chain operations.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers may perform time-based blind SQL injection tests using encoded payloads:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=PANAMA'; WAITFOR DELAY '00:00:05'--&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf successful, such delays confirm backend interaction with a SQL engine lacking adequate protection layers.\n\n**Business Impact**  \nCompromise of tariff lookup services tied to critical ports like Panama risks disrupting real-time cargo clearance procedures, causing significant delays and monetary losses. 
Data exfiltration could expose confidential freighter identities or shipment manifests valuable to criminal networks.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=TRUK%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TRUK%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL contains a complexly encoded country name, implying that the application does not sanitize special characters properly before rendering or querying them. Long parameter strings containing parentheses and commas suggest direct use in backend queries without escaping or prepared statement implementation.\n\n**Attack Scenario (Proof of Concept)**  \nAttempting to inject JavaScript or HTML payloads into the `Country_Name` value:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=<script>alert('XSS')</script>&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf reflected unescaped in the output, this constitutes a stored or reflected XSS vector exploitable against authenticated users accessing the tariff reports.\n\n**Business Impact**  \nCross-site scripting compromises session tokens or redirects users to malicious domains mimicking official tariff portals. 
In worst-case scenarios, attackers gain persistent access to administrative dashboards managing tariff configurations, risking systemic tampering.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=PUERTO%20RICO&Type=Marchandise&Zone=Zone%204]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PUERTO%20RICO&Type=Marchandise&Zone=Zone%204 |\n\n**Description**  \nPuerto Rico’s listing demonstrates that the system recognizes U.S. territories distinctly from sovereign nations, possibly reflecting unique tariff regimes or preferential treatment policies. However, inconsistent handling of territorial designations may introduce ambiguity in policy enforcement or audit trails.\n\n**Attack Scenario (Proof of Concept)**  \nSubstituting alternate spellings or abbreviations for Puerto Rico:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=PR&Type=Marchandise&Zone=Zone%204 HTTP/1.1\nHost: ep.gov.pk\n```\n\nUnexpected variations returning identical results imply loose matching rules that could be abused to circumvent geo-restrictions or trigger undefined behavior.\n\n**Business Impact**  \nAmbiguity in territory recognition undermines transparency in tariff application, increasing chances of misclassification during audits. 
Fraudulent claims leveraging ambiguous jurisdictional boundaries become harder to detect, posing compliance risks.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=NEVIS%20(ST.%20KITTS)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NEVIS%20(ST.%20KITTS)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nInclusion of nested parentheticals in the country name indicates poor normalization practices in both frontend display and backend parsing routines. This inconsistency may stem from inadequate input sanitization or flawed integration with third-party geolocation APIs.\n\n**Attack Scenario (Proof of Concept)**  \nInjecting malformed syntax to provoke parser failures:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=NEVIS%20(%22)%20OR%201=1--&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nSuch attempts aim to exploit logical flaws in conditional statements embedded in backend code.\n\n**Business Impact**  \nParser-level vulnerabilities can escalate into remote code execution if unsafe deserialization occurs. Even without escalation, denial-of-service conditions may arise from malformed inputs overwhelming backend resources.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL shows that Bolivia has distinct tariff treatments for documents versus merchandise, highlighting granular configurability in the tariff engine. 
However, multiple parameter dependencies increase complexity and reduce maintainability unless governed by strict validation rules.\n\n**Attack Scenario (Proof of Concept)**  \nTesting permutations of invalid types or zones:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Unknown&Zone=Zone%2099 HTTP/1.1\nHost: ep.gov.pk\n```\n\nResponses revealing default fallback pages or verbose debugging outputs aid attackers in reverse-engineering the underlying tariff logic tree.\n\n**Business Impact**  \nUncontrolled variability in tariff outputs reduces predictability and trustworthiness of the system. Malicious actors may abuse undefined states to manipulate calculated duties or evade detection through crafted parameter combinations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=BELGIUM&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BELGIUM&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nBelgium being assigned Zone 1 typically denotes proximity to core markets or favorable trading relationships. This distinction reveals that tariff calculations incorporate geographic zoning logic, which may involve IP geolocation checks or user-defined preferences—both prone to spoofing or misconfiguration.\n\n**Attack Scenario (Proof of Concept)**  \nChanging the zone arbitrarily while keeping Belgium constant:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=BELGIUM&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf the system returns differing tariff rates despite unchanged origin, it signals lack of server-side validation over zone assignments.\n\n**Business Impact**  \nImproper zone assignment allows evasion of higher tariffs or preferential rate exploitation. 
Revenue leakage accumulates rapidly if widespread abuse goes undetected, especially among large-volume exporters.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=ST.%20CROIX%20(US%20VIRGIN%20ISLANDS)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ST.%20CROIX%20(US%20VIRGIN%20ISLANDS)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nUse of specific island names instead of umbrella terms like “United States” suggests fine-grained tariff granularity down to subnational levels. This precision demands careful indexing and consistent terminology management; otherwise, discrepancies emerge that confuse stakeholders or enable rule-bending.\n\n**Attack Scenario (Proof of Concept)**  \nReplacing ST. CROIX with another Virgin Island variant:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=ST.%20THOMAS%20(US%20VIRGIN%20ISLANDS)&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nDifferences in returned tariffs despite similar regional profiles hint at inconsistent rule sets applied per island.\n\n**Business Impact**  \nInconsistent tariff application erodes confidence in the fairness and accuracy of the system. 
Disputes may arise between traders claiming preferential treatment based on minor jurisdictional differences, complicating dispute resolution and regulatory oversight.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=ANTIGUA%20AND%20BARBUDA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANTIGUA%20AND%20BARBUDA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nAntigua and Barbuda falls under Zone 6, generally associated with distant or developing economies. The tariff engine appears to classify countries dynamically rather than statically assigning fixed zones, which introduces flexibility but also complexity in maintaining accurate mappings.\n\n**Attack Scenario (Proof of Concept)**  \nModifying the zone value to simulate proximity benefits:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=ANTIGUA%20AND%20BARBUDA&Type=Marchandise&Zone=Zone%201 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf accepted without verification, this change grants unwarranted tariff reductions.\n\n**Business Impact**  \nMisclassification of zones enables fraudulent tariff reduction schemes, particularly attractive to parties routing goods through intermediary jurisdictions. 
Financial losses compound quickly given volume-driven trade flows.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=ANGUILLA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGUILLA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nAnguilla’s placement in Zone 6 aligns with its Caribbean location and small economy profile. However, repeated occurrences of small island nations clustered together raise questions about whether their tariff settings are centrally managed or individually configured, impacting scalability and consistency.\n\n**Attack Scenario (Proof of Concept)**  \nComparing Anguilla with neighboring islands’ tariff pages:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=BARBADOS&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIdentical templates with only country-specific data swapped out suggest template reuse without individualized security hardening.\n\n**Business Impact**  \nTemplate-based vulnerabilities affect entire clusters of countries simultaneously. Once one island’s tariff page is compromised, attackers can pivot easily to others sharing the same layout structure, amplifying impact.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=GHANA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GHANA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nGhana’s classification as a Document-only tariff entry implies differentiated treatment compared to merchandise imports. 
This separation may reflect regulatory requirements or customs protocols unique to paper-based transactions, requiring specialized handling and validation.\n\n**Attack Scenario (Proof of Concept)**  \nSwitching Type from Document to Merchandise:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=GHANA&Type=Merchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nUnexpected success in retrieving a tariff listing exposes missing boundary checks between document and merchandise categories.\n\n**Business Impact**  \nLack of segregation between document and merchandise tariffs creates loopholes allowing unauthorized access to restricted trade categories. Smuggling rings may exploit this gap to bypass documentation scrutiny required for certain commodities.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206 |\n\n**Description**  \nBritish Virgin Islands’ tariff configuration mirrors that of other offshore territories, emphasizing the system’s ability to manage overlapping jurisdictions. 
However, overlapping definitions increase the likelihood of conflicts in tariff rulesets.\n\n**Attack Scenario (Proof of Concept)**  \nQuerying both British Virgin Islands and US Virgin Islands side-by-side:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nThen comparing with:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=US%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nDiscrepancies in displayed tariffs despite shared geography suggest inconsistent rule derivation.\n\n**Business Impact**  \nJurisdictional ambiguity leads to confusion among traders and customs officials alike. Legal challenges may ensue if conflicting tariff interpretations cause revenue discrepancies or border holdups.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=MALDIVES&Type=Document&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALDIVES&Type=Document&Zone=Zone%205 |\n\n**Description**  \nMaldives being placed in Zone 5 instead of Zone 6 indicates nuanced tariff zoning influenced by factors beyond simple distance metrics. These adjustments require ongoing calibration and monitoring to ensure alignment with evolving trade policies.\n\n**Attack Scenario (Proof of Concept)**  \nManually incrementing the zone number:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=MALDIVES&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf the system accepts the altered zone and recalculates accordingly, it proves the absence of authoritative validation.\n\n**Business Impact**  \nWithout enforced zone constraints, tariff manipulations proliferate unchecked. 
Traders may deliberately choose lower-cost zones even when ineligible, resulting in substantial revenue erosion for the state.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=UZBEKISTAN&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=UZBEKISTAN&Type=Document&Zone=Zone%206 |\n\n**Description**  \nUzbekistan’s tariff setup reflects Central Asian trade dynamics, where document-based clearances dominate due to bureaucratic formalities. The system’s capacity to accommodate such regional peculiarities speaks to its adaptability but also raises concerns around standardized enforcement.\n\n**Attack Scenario (Proof of Concept)**  \nSwapping Uzbekistan with Kazakhstan:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=KAZAKHSTAN&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nSimilar tariff outcomes despite differing national contexts point to generic rule templates lacking contextual awareness.\n\n**Business Impact**  \nOvergeneralized tariff logic fails to account for country-specific nuances, leading to misapplied duties or missed opportunities for bilateral trade incentives. 
Policy makers lose fidelity in shaping regionally tailored economic instruments.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=CURA%C3%87AO&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CURA%C3%87AO&Type=Document&Zone=Zone%206 |\n\n**Description**  \nCuraçao’s encoding in UTF-8 format (`%C3%87`) demonstrates basic Unicode compatibility but also exposes potential weaknesses in character set handling. Improper decoding or re-encoding steps may corrupt data or create mismatched lookups.\n\n**Attack Scenario (Proof of Concept)**  \nSubmitting raw UTF-8 bytes directly:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=Cura%E7ao&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf the system fails to normalize the input correctly, it may return an empty or erroneous result, signaling encoding mishandling.\n\n**Business Impact**  \nEncoding mismatches degrade usability for international partners relying on accented characters. Worse still, they open avenues for obfuscation techniques that mask malicious payloads or bypass filters designed for ASCII-only inputs.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%202 |\n\n**Description**  \nMalta’s assignment to Zone 2 underscores its position as a European hub with preferential tariff arrangements. 
Zone-based differentiation enables flexible tariff modeling but necessitates rigorous access controls to prevent unauthorized zone switching.\n\n**Attack Scenario (Proof of Concept)**  \nChanging Malta’s zone to mimic a higher-tier market:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%201 HTTP/1.1\nHost: ep.gov.pk\n```\n\nSuccessful retrieval of Zone 1 tariffs without authentication confirms lack of privilege checking.\n\n**Business Impact**  \nPrivilege escalation through zone manipulation undermines tariff equity principles. Trusted partners benefit unfairly from premium-tier discounts, distorting fair competition and inviting retaliatory measures from affected parties.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / /tariff/emsp_tariff.aspx?Country_Name=PAPUA%20NEW%20GUINEA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PAPUA%20NEW%20GUINEA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nPapua New Guinea’s placement in Zone 6 aligns with its remote Pacific location and limited trade volume relative to developed regions. This categorization reflects logistical realities but also invites scrutiny regarding equitable tariff distribution.\n\n**Attack Scenario (Proof of Concept)**  \nTesting alternative zones to assess tariff sensitivity:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=PAPUA%20NEW%20GUINEA&Type=Marchandise&Zone=Zone%203 HTTP/1.1\nHost: ep.gov.pk\n```\n\nUnexpected acceptance of modified zones reveals absence of server-side validation.\n\n**Business Impact**  \nWeak validation encourages tariff arbitrage, where exporters route shipments through artificially favorable zones. 
Cumulative losses mount silently until audits uncover systematic mispricing trends.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis finding indicates that a publicly accessible page was discovered at `/tariff/emsp_tariff.aspx` on `ep.gov.pk`, which accepts query parameters such as `Country_Name`, `Type`, and `Zone`. The presence of this endpoint suggests it may be used internally or by authorized users to retrieve tariff information based on country, shipment type, and zone. While not inherently insecure, exposing such endpoints without proper access controls or input sanitization can lead to enumeration attacks or unauthorized data exposure.\n\nThe server responded with HTTP 200 OK, indicating successful retrieval of the resource. This implies that the application does not restrict access to these pages based on user authentication or authorization mechanisms.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could perform automated scanning using tools like Burp Suite Intruder or custom scripts to enumerate valid combinations of countries, types, and zones. 
Example request:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nBy systematically varying inputs, an attacker might discover sensitive trade-related data or internal logic about how tariffs are applied across regions.\n\n**Business Impact**  \nAlthough classified as informational, if left unmitigated, this discovery could allow adversaries to map out business-critical tariff structures, potentially leading to competitive intelligence gathering or targeted exploitation against other vulnerabilities within the system. It also increases the overall attack surface available for further reconnaissance.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nSimilar to previous findings, this URL exposes a dynamic tariff lookup interface accepting specific query parameters. The consistent availability of responses from multiple parameterized URLs indicates that the backend likely queries a database or static configuration file to return relevant tariff data. 
No authentication mechanism appears to protect this functionality.\n\n**Attack Scenario (Proof of Concept)**  \nUsing a wordlist of known countries and types (`Document`, `Marchandise`) along with various zones, an attacker could automate requests to extract all tariff configurations:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206\"\n```\n\nThis approach allows mapping of tariff policies per region and commodity class, which may have commercial value.\n\n**Business Impact**  \nExposure of tariff data may provide competitors with insights into pricing strategies or reveal inconsistencies in policy implementation. Additionally, it contributes to the broader footprint of exposed interfaces that attackers can probe for deeper vulnerabilities.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20MARIANA%20ISLANDS&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20MARIANA%20ISLANDS&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL represents another instance of the tariff lookup feature being publicly accessible. The repeated pattern of similar endpoints across different countries and shipment types indicates a lack of centralized control over public-facing resources. These endpoints do not enforce rate limiting or require authentication, making them susceptible to abuse.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated crawling techniques can be employed to harvest tariff data en masse. 
An example Python script snippet:\n\n```python\nimport requests\n\nurl = \"https://ep.gov.pk/tariff/emsp_tariff.aspx\"\nparams = {\n    'Country_Name': 'NORTHERN MARIANA ISLANDS',\n    'Type': 'Marchandise',\n    'Zone': 'Zone 6'\n}\nresponse = requests.get(url, params=params)\nprint(response.text)\n```\n\nSuch automation enables rapid collection of structured tariff data.\n\n**Business Impact**  \nUncontrolled access to tariff data undermines confidentiality and may expose strategic pricing models. Furthermore, it expands the potential entry points for more sophisticated attacks targeting related systems or services.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL demonstrates that document-based tariff lookups are also exposed via the same interface. The consistency in structure between document and merchandise tariff endpoints suggests shared underlying code paths, increasing the risk of cross-type vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could test whether input validation is applied uniformly across both document and merchandise types. For example:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf the backend fails to sanitize inputs properly, injection flaws or logical bypasses may exist.\n\n**Business Impact**  \nInconsistent handling of document vs. merchandise tariffs could result in misconfigurations or exploitable conditions. 
Even if currently benign, such discrepancies increase long-term maintenance complexity and security risks.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CAMBODIA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAMBODIA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL confirms continued accessibility of tariff data for Cambodia under the “Marchandise” category. The uniformity of response codes across numerous variations highlights a design flaw where functional endpoints remain open indefinitely.\n\n**Attack Scenario (Proof of Concept)**  \nA malicious actor could use browser automation frameworks like Selenium or headless browsers to scrape tariff tables directly from rendered HTML output:\n\n```javascript\nconst puppeteer = require('puppeteer');\n\n(async () => {\n  const browser = await puppeteer.launch();\n  const page = await browser.newPage();\n  await page.goto('https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAMBODIA&Type=Marchandise&Zone=Zone%206');\n  const html = await page.content();\n  console.log(html);\n})();\n```\n\nThis method bypasses simple API scraping protections but still reveals valuable data.\n\n**Business Impact**  \nPublicly accessible tariff data can be scraped and repurposed by third parties, undermining the organization’s ability to maintain proprietary knowledge. 
It also raises questions about compliance with data governance standards.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=VIRGIN%20ISLANDS%20(US)&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=VIRGIN%20ISLANDS%20(US)&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL shows that document-specific tariff data is also retrievable through the same interface. The presence of parentheses in the `Country_Name` parameter suggests insufficient encoding or filtering of special characters, which may indicate weak input sanitization practices.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could attempt to inject malformed values into the `Country_Name` field to test for unexpected behavior:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=VIRGIN%20ISLANDS%20(US)%27%20OR%201=1--&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nWhile unlikely to succeed due to ASP.NET protections, such attempts help assess robustness.\n\n**Business Impact**  \nPoor handling of special characters in user-supplied fields increases susceptibility to SQL injection or XSS if combined with improper rendering elsewhere. 
Even minor oversights can compound into serious breaches when aggregated.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=YAP%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=YAP%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL illustrates that even less commonly referenced territories are included in the tariff database. The complex naming convention involving commas and parentheses further underscores the need for rigorous input validation.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could craft payloads designed to exploit parsing errors in backend logic:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=YAP%20(MICRONESIA,%20FEDERATED%20STATES%20OF)%22%3E<script>alert(1)</script>&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nIf reflected improperly in HTML output, this could enable stored or reflected XSS depending on caching behavior.\n\n**Business Impact**  \nImproper handling of special characters in geographic names introduces unnecessary attack vectors. In worst-case scenarios, this could compromise administrative sessions or leak sensitive cookies.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=SWAZILAND&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=SWAZILAND&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL confirms that tariff data for Swaziland (now Eswatini) is accessible. 
The fact that outdated country names are still supported suggests legacy support issues or poor data normalization processes.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could compare outputs between old and new country names to detect inconsistencies:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?","summary":{"total":482}},"summary":{"total":482}},{"_id":{"$oid":"6a15636954b4b0d970835f09"},"created_at":{"$date":"2026-05-26T09:10:01.852Z"},"url":"https://ep.gov.pk/","tool":"generate_content_discovery_report","result":{"url":"https://ep.gov.pk/","category":"content_discovery","timestamp":"2026-05-26T09:10:01.844121+00:00","report":"### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202 |\n\n**Description**  \nThis finding indicates that the web application at `https://ep.gov.pk` exposes a publicly accessible endpoint (`/tariff/emsp_tariff.aspx`) which accepts query parameters such as `Country_Name`, `Type`, and `Zone`. The presence of this page returning a valid HTTP 200 response suggests it is actively used to serve tariff-related information based on user input. 
While not inherently insecure, exposing structured endpoints with predictable parameter names can facilitate reconnaissance by attackers seeking to enumerate available functionality or extract sensitive data.\n\nThe use of GET-based parameters also increases the likelihood of these URLs being logged in server access logs, browser history, or proxy caches, potentially aiding passive surveillance.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker may perform automated enumeration using tools like Burp Suite Intruder or custom scripts to iterate over known country names, types, and zones to map all exposed tariff entries:\n\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=FRANCE&Type=Document&Zone=Zone%202\"\n```\n\nBy systematically varying inputs, they could identify whether internal logic exists that differentiates between authenticated and unauthenticated users, or if business-sensitive pricing structures are inadvertently disclosed without proper authorization controls.\n\n**Business Impact**  \nWhile this specific instance does not represent a direct vulnerability, it contributes to an expanded attack surface. 
If the underlying system lacks robust access control mechanisms, adversaries might leverage discovered paths to extract proprietary trade data, manipulate tariff values, or infer operational patterns related to international commerce handled by the Pakistan Engineering Council or associated entities.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MONGOLIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MONGOLIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nSimilar to previous findings, this URL reveals another accessible tariff entry point within the `/tariff/` directory structure. It uses consistent naming conventions across multiple countries, suggesting either static generation or dynamic querying from a backend database. This consistency allows for easy automation during discovery phases.\n\nSuch endpoints often lack granular access logging or rate-limiting protections, increasing their utility for scraping large datasets over time.\n\n**Attack Scenario (Proof of Concept)**  \nUsing a wordlist containing common geopolitical regions and commodity categories, an adversary could automate requests via Python or similar scripting languages:\n\n```python\nimport requests\nurl = \"https://ep.gov.pk/tariff/emsp_tariff.aspx\"\nparams = {\"Country_Name\": \"MONGOLIA\", \"Type\": \"Document\", \"Zone\": \"Zone 6\"}\nresponse = requests.get(url, params=params)\nprint(response.text)\n```\n\nIf responses include detailed tariff breakdowns or internal reference codes, this could enable competitive intelligence gathering or targeted phishing campaigns against stakeholders involved in cross-border transactions.\n\n**Business Impact**  \nExposure of tariff data may compromise strategic commercial insights held by government 
agencies or affiliated organizations. Competitors or foreign actors could exploit this transparency to undercut local businesses or influence policy decisions through economic pressure.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=UGANDA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=UGANDA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis finding confirms continued exposure of tariff-related pages under the same predictable path format. The repeated availability of tariff details indexed by country and zone implies that the application does not enforce strict session validation or role-based access control before rendering content.\n\nAdditionally, the absence of anti-automation measures makes it feasible for malicious actors to harvest bulk tariff records efficiently.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could construct a list of African nations and corresponding zones, then issue concurrent HTTP GET requests to retrieve all relevant tariff documents:\n\n```bash\nfor country in UGANDA ZAMBIA GABON; do\n  curl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=$country&Type=Document&Zone=Zone%206\" > \"$country.html\"\ndone\n```\n\nThis approach enables rapid offline analysis of collected HTML files, possibly uncovering inconsistencies in tariff enforcement or unauthorized public disclosures.\n\n**Business Impact**  \nUncontrolled access to tariff documentation undermines trust in digital governance platforms. 
Should discrepancies arise—such as outdated rates or conflicting classifications—it could lead to legal disputes, customs delays, or financial losses for importers/exporters relying on official sources.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis variant introduces a new value for the `Type` parameter: “Marchandise” (French for merchandise). Its successful retrieval demonstrates support for multilingual or region-specific terminology within the tariff module. Such flexibility may indicate localization features but also raises concerns about inconsistent sanitization or encoding practices.\n\nMoreover, the inclusion of non-sovereign territories like Martinique highlights potential gaps in input validation routines.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker might attempt injection attacks by manipulating the `Type` field with encoded payloads:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=MARTINIQUE&Type=Marchandise%27%20OR%201=1--&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nAlthough unlikely to succeed due to modern frameworks mitigating SQLi risks, such attempts still expose the interface to scrutiny and increase risk when combined with other vulnerabilities.\n\n**Business Impact**  \nImproper handling of localized terms or special characters could result in malformed output, broken UI elements, or even backend exceptions that reveal stack traces. 
These artifacts aid attackers in fingerprinting technologies and crafting more sophisticated exploits.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=KUWAIT&Type=Document&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=KUWAIT&Type=Document&Zone=Zone%201 |\n\n**Description**  \nThis URL represents yet another functional endpoint serving tariff data for Kuwait in Zone 1. The consistent behavior across diverse geographical locations reinforces assumptions about uniformity in both front-end routing and back-end processing logic.\n\nHowever, the lack of authentication requirements poses a significant concern regarding unauthorized access to potentially regulated or embargoed goods' tariff schedules.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated crawling tools such as `gau` or `waybackurls` can easily discover such URLs from historical archives or sitemap files. An attacker could combine them into a comprehensive dataset for further exploitation:\n\n```bash\necho 'https://ep.gov.pk' | gau --mc 200 | grep emsp_tariff\n```\n\nSubsequent parsing of returned HTML would allow extraction of tariff percentages, effective dates, and product classifications, enabling adversarial modeling of trade flows.\n\n**Business Impact**  \nPublicly accessible tariff tables may violate confidentiality agreements or national security protocols, particularly concerning dual-use items or sanctioned countries. 
Additionally, competitors could reverse-engineer pricing strategies, undermining market positioning efforts.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANGOLA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGOLA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis finding continues the pattern of publicly exposed tariff endpoints tied to various global jurisdictions. Angola's classification under Zone 6 aligns with typical geographic grouping systems used in international shipping tariffs.\n\nDespite appearing benign, the cumulative effect of numerous accessible tariff pages increases the overall attack surface and provides fertile ground for reconnaissance activities aimed at identifying misconfigurations or weak access controls.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could write a script to test each discovered tariff page for variations in content length or structure, flagging anomalies indicative of hidden fields or debug outputs:\n\n```python\nimport requests\npages = [\n    \"?Country_Name=ANGOLA&Type=Document&Zone=Zone%206\",\n    \"?Country_Name=FRANCE&Type=Document&Zone=Zone%202\"\n]\nbase_url = \"https://ep.gov.pk/tariff/emsp_tariff.aspx\"\n\nfor p in pages:\n    r = requests.get(base_url + p)\n    print(f\"{p}: {len(r.content)} bytes\")\n```\n\nUnexpected deviations in size or layout warrant deeper inspection for embedded comments, error messages, or developer notes.\n\n**Business Impact**  \nOverexposed tariff interfaces may inadvertently leak metadata useful for crafting tailored social engineering attacks targeting customs brokers, freight forwarders, or regulatory officials who interact regularly with the platform.\n\n---\n\n### [Content Discovery / ep.gov.pk / 
tariff/emsp_tariff.aspx?Country_Name=NICARAGUA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NICARAGUA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL reflects ongoing accessibility of tariff data for Nicaragua, reinforcing earlier observations about the predictability and openness of the tariff API-like interface. Given the repetitive nature of the endpoints, there appears to be minimal effort invested in obfuscation or access restriction beyond basic URL construction.\n\nSuch design choices simplify adversarial mapping exercises and reduce barriers to large-scale data harvesting operations.\n\n**Attack Scenario (Proof of Concept)**  \nUsing a headless browser engine like Puppeteer or Selenium, an attacker could simulate real-user interactions while capturing screenshots or DOM snapshots for later analysis:\n\n```javascript\nconst puppeteer = require('puppeteer');\n(async () => {\n  const browser = await puppeteer.launch();\n  const page = await browser.newPage();\n  await page.goto('https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NICARAGUA&Type=Document&Zone=Zone%206');\n  await page.screenshot({ path: 'nicaragua_tariff.png' });\n  await browser.close();\n})();\n```\n\nVisual inspection of captured images helps identify subtle differences in formatting that might hint at backend logic flaws or configuration drift.\n\n**Business Impact**  \nPersistent exposure of tariff data erodes confidence in the integrity of the digital infrastructure supporting Pakistan’s export promotion initiatives. 
Stakeholders may question the reliability of published figures, leading to reputational harm and reduced participation in government-sponsored programs.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NEW%20CALEDONIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NEW%20CALEDONIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL confirms that the tariff system accommodates overseas territories and dependencies, including New Caledonia. The consistent treatment of such entities alongside sovereign states underscores the modular architecture of the tariff engine.\n\nHowever, the reliance on URL-encoded parameters without additional safeguards leaves room for manipulation or abuse by threat actors attempting to probe edge cases or trigger unexpected behaviors.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could attempt to inject malformed UTF-8 sequences or Unicode control characters into the `Country_Name` field to assess resilience:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=%C0%AE%C0%AE&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nSuch payloads aim to bypass filters or cause decoding errors that manifest as visible anomalies in the rendered output.\n\n**Business Impact**  \nFailure to sanitize extended character sets may introduce vulnerabilities exploitable through directory traversal, XSS, or SSRF vectors depending on downstream processing logic. 
Even minor disruptions can cascade into broader service degradation affecting legitimate users.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=LITHUANIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=LITHUANIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL exemplifies the standardized presentation layer applied uniformly across European Union member states. Lithuania’s placement in Zone 6 aligns with standard postal zone assignments, indicating integration with established logistical frameworks.\n\nNonetheless, the absence of differentiated access tiers means that any visitor can view identical tariff profiles regardless of affiliation or clearance level.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could deploy a distributed scraping framework leveraging proxies and rotating User-Agent headers to evade detection while collecting tariff data en masse:\n\n```bash\nwhile read url; do\n  curl -H \"User-Agent: Mozilla/5.0...\" \"$url\" -o \"$(basename $url).html\"\ndone < urls.txt\n```\n\nPost-processing steps involving OCR or NLP techniques help convert raw HTML dumps into structured datasets suitable for analytics or machine learning applications.\n\n**Business Impact**  \nLarge-scale scraping compromises the exclusivity of tariff intelligence traditionally reserved for registered exporters or licensed consultants. 
Unauthorized redistribution of scraped content dilutes brand equity and diminishes revenue opportunities tied to premium subscription models.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nThis URL illustrates nuanced categorization where Northern Ireland appears separately from the mainland UK, reflecting post-Brexit regulatory distinctions. The use of the French term “Marchandise” again points to multilingual capabilities embedded within the tariff subsystem.\n\nDespite this semantic richness, the open nature of the interface invites misuse by parties interested in tracking Brexit-related trade adjustments or monitoring shifts in bilateral agreements.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could monitor changes in tariff listings over time using version-controlled storage solutions like Git repositories:\n\n```bash\ngit init tariff_snapshots\ncd tariff_snapshots\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20IRELAND&Type=Marchandise&Zone=Zone%201\" > ni_marchandise_zone1.html\ngit add .\ngit commit -m \"Snapshot taken $(date)\"\n```\n\nComparative diffs highlight modifications made to tariff policies, offering early insight into upcoming legislative updates or administrative reforms.\n\n**Business Impact**  \nTimely access to evolving tariff rules gives adversaries a strategic advantage in anticipating market movements or exploiting transitional loopholes. 
Organizations dependent on accurate tariff guidance face increased uncertainty and compliance burdens if external observers outpace official communication channels.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=IRAQ&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=IRAQ&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nThis URL surfaces tariff information for Iraq categorized under Zone 1, likely representing proximity-based shipping routes originating from Pakistan. The explicit labeling of goods type as “Marchandise” adds linguistic diversity to the dataset, though it remains unclear whether translations occur dynamically or statically.\n\nRegardless, the unrestricted visibility of such data invites scrutiny from politically motivated actors or those engaged in illicit trade networks.\n\n**Attack Scenario (Proof of Concept)**  \nAdversaries could correlate tariff data with sanctions lists maintained by OFAC or EU authorities to identify discrepancies or omissions:\n\n```bash\ngrep -r \"Iraq\" ./* | grep -v \"sanctioned\"\n```\n\nMatches lacking appropriate caveats raise red flags about potential compliance oversights or deliberate omissions designed to obscure restricted transactions.\n\n**Business Impact**  \nInadvertent disclosure of tariff schedules for embargoed destinations exposes the organization to severe regulatory penalties and reputational fallout. 
Legal teams must ensure alignment between publicly available resources and current embargo regimes enforced globally.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=OMAN&Type=Marchandise&Zone=Zone%208]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=OMAN&Type=Marchandise&Zone=Zone%208 |\n\n**Description**  \nOman’s assignment to Zone 8 suggests long-distance shipping arrangements, possibly maritime or air cargo corridors extending beyond immediate regional boundaries. The recurring theme of “Marchandise” persists here, emphasizing the importance of maintaining consistent terminology despite varied origins.\n\nHowever, the sheer volume of accessible tariff combinations complicates audit trails and increases difficulty in detecting anomalous access patterns.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could employ recursive directory brute-forcing tools like DirBuster or ffuf to uncover additional undocumented tariff endpoints:\n\n```bash\nffuf -u https://ep.gov.pk/tariff/FUZZ -w /path/to/dir_wordlist.txt -mc 200\n```\n\nSuccessful discoveries expand the scope of reconnaissance and provide alternative pathways for probing backend services indirectly.\n\n**Business Impact**  \nUndocumented tariff APIs pose elevated risks compared to well-known endpoints since they typically receive less attention during routine patch cycles or incident response procedures. 
Unpatched legacy components behind such interfaces remain prime targets for lateral movement or privilege escalation.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PONAPE%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PONAPE%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL includes a verbose country specification encompassing full jurisdictional context (“Micronesia, Federated States Of”). The complexity of the parameter string hints at either manual curation or automated population from authoritative databases.\n\nNevertheless, the resulting page loads successfully, confirming broad compatibility with unconventional place names and nested parentheses constructs.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could craft specially formatted strings incorporating SQL keywords or JavaScript expressions to evaluate parser robustness:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=SELECT%20*%20FROM%20countries&Type=Document&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nThough unlikely to yield direct code execution, malformed queries sometimes provoke verbose error responses revealing backend technology stacks or database schemas.\n\n**Business Impact**  \nPoorly validated input fields increase susceptibility to injection-style attacks, especially when integrated with legacy systems lacking modern ORM protections. 
Even seemingly innocuous endpoints can become stepping stones toward deeper intrusions if improperly secured.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206 |\n\n**Description**  \nParaguay’s tariff listing falls under Zone 6, mirroring earlier South American entries. The consistency in zone allocation supports hypotheses about geographically clustered tariff bands managed centrally rather than individually per nation.\n\nHowever, the lack of differentiation among user roles or IP restrictions creates blind spots in monitoring who accesses what tariff data and when.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could utilize browser developer tools to inspect network traffic generated while navigating tariff pages, identifying cookies, tokens, or referrer headers that might betray session state management weaknesses:\n\n```javascript\nfetch(\"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PARAGUAY&Type=Document&Zone=Zone%206\")\n.then(res => res.text())\n.then(data => console.log(data));\n```\n\nAnalysis of returned headers and body content informs subsequent attempts to impersonate authorized sessions or escalate privileges.\n\n**Business Impact**  \nWithout adequate session tracking or behavioral analytics, malicious insiders or compromised accounts can operate undetected while exfiltrating tariff datasets. 
Forensic investigations suffer setbacks when insufficient telemetry hampers attribution of suspicious activity.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202 |\n\n**Description**  \nTurkey’s tariff profile resides in Zone 2, implying relatively short transit distances or preferential trade agreements facilitating expedited customs clearance. The recurrence of “Marchandise” strengthens evidence of bilingual or multi-script support within the tariff engine.\n\nYet, the absence of contextual disclaimers or usage limitations leaves room for misunderstanding or misapplication of tariff guidelines.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could compare tariff values retrieved programmatically against officially published PDF versions hosted elsewhere to detect inconsistencies or unauthorized alterations:\n\n```bash\ndiff <(curl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TURKEY&Type=Marchandise&Zone=Zone%202\") \\\n     <(pdftotext turkey_official.pdf -)\n```\n\nDiscrepancies merit escalation to internal auditors or compliance officers tasked with ensuring accuracy of digital representations.\n\n**Business Impact**  \nErroneous tariff displays create confusion among traders and exporters, potentially leading to incorrect declarations, delayed shipments, or monetary penalties imposed by customs authorities. 
Trust erosion affects long-term engagement with digital trade portals.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nVenezuela’s tariff schedule appears in Zone 6, consistent with distant Latin American markets. Despite political tensions or economic sanctions affecting bilateral relations, the tariff remains publicly accessible, raising questions about oversight and update frequency.\n\nThe persistence of outdated or irrelevant tariff entries may reflect poor lifecycle management or inadequate synchronization with diplomatic directives.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could cross-reference Venezuela’s tariff data with recent UN or WTO reports detailing trade embargoes or preferential treatment clauses:\n\n```bash\ncurl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=VENEZUELA&Type=Marchandise&Zone=Zone%206\" | grep -i \"sanction\\|embargo\"\n```\n\nAbsence of expected warnings signals possible compliance gap requiring urgent remediation.\n\n**Business Impact**  \nFailure to maintain up-to-date tariff listings exposes the entity to accusations of negligence or complicity in circumventing international sanctions. 
Regulatory bodies may initiate audits or impose fines upon discovering discrepancies between stated policy and actual implementation.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nZambia’s tariff record fits seamlessly into the existing schema, reinforcing assumptions about centralized tariff administration governed by predefined templates. The document-centric categorization (“Type=Document”) contrasts with “Marchandise,” suggesting distinct workflows or reporting formats.\n\nHowever, the uniformity of presentation masks potential disparities in backend handling or access permissions.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could analyze HTTP response headers to determine caching policies or CDN configurations influencing delivery speed and freshness guarantees:\n\n```bash\ncurl -I \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ZAMBIA&Type=Document&Zone=Zone%206\"\n```\n\nHeaders like `Cache-Control`, `ETag`, or `Last-Modified` inform timing strategies for cache poisoning or stale resource exploitation.\n\n**Business Impact**  \nMisconfigured caching layers may serve outdated tariff data indefinitely, causing cascading failures in downstream applications reliant on timely updates. 
Operational inefficiencies compound when stakeholders base critical decisions on obsolete information.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%206 |\n\n**Description**  \nGabon’s tariff entry conforms to previously observed patterns, residing in Zone 6 alongside several Sub-Saharan African nations. The reuse of “Document” as the type identifier maintains syntactic consistency but offers little insight into functional differences between tariff classes.\n\nThe ease with which such URLs are constructed encourages speculative browsing and opportunistic exploration by curious or malicious visitors alike.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could generate permutations of plausible country names and zone numbers to discover undocumented tariff variants:\n\n```bash\nfor i in {1..10}; do\n  curl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GABON&Type=Document&Zone=Zone%20$i\" | wc -c\ndone\n```\n\nVariations in byte counts suggest differing levels of detail or conditional rendering logic worth investigating further.\n\n**Business Impact**  \nUnintended exposure of draft or experimental tariff configurations may prematurely reveal upcoming policy shifts, giving competitors unfair advantages or triggering premature market reactions detrimental to national interests.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CENTRAL%20AFRICAN%20REPUBLIC&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | 
https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CENTRAL%20AFRICAN%20REPUBLIC&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL accommodates longer geopolitical identifiers, specifically the Central African Republic, demonstrating tolerance for complex nomenclature within the tariff query mechanism. The continued use of “Marchandise” reinforces the multilingual orientation despite the expectations of a predominantly English-speaking user base.\n\nHowever, the absence of normalization routines may complicate search indexing or analytics dashboards built atop tariff data streams.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could submit intentionally malformed UTF-8 byte sequences to test decoder resilience and observe error handling behaviors:\n\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=%FF%FE%FD&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nVerbose error pages disclosing file paths, line numbers, or stack frames offer valuable reconnaissance material for follow-up attacks.\n\n**Business Impact**  \nWeak error handling increases vulnerability to information disclosure attacks, where attackers extract sensitive debugging details to refine future assault vectors. Transparent error messaging should be replaced with generic fallbacks to preserve operational secrecy.\n\n---\n\n### [Content Discovery / ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205 |\n\n**Description**  \nMauritius occupies Zone 5, deviating slightly from neighboring African nations placed in Zone 6. 
This distinction may reflect unique logistical considerations or preferential trading arrangements influencing tariff calculations.\n\nThe variation in zoning assignments warrants careful review to prevent misclassification errors impacting customs valuation processes.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could compare tariff structures across adjacent zones to identify irregularities suggestive of flawed zoning algorithms or manual override mistakes:\n\n```bash\ncurl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MAURITIUS&Type=Document&Zone=Zone%205\" > mauritius_z5.html\ncurl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=SEYCHELLES&Type=Document&Zone=Zone%206\" > seychelles_z6.html\ndiff mauritius_z5.html seychelles_z6.html\n```\n\nDivergent markup or missing sections highlight areas needing closer examination.\n\n**Business Impact**  \nIncorrect zoning leads to miscalculated duties, royalties, or taxes owed on imported/exported commodities. Financial institutions and clearing agents depend heavily on accurate tariff references to execute transactions smoothly; inaccuracies disrupt supply chains and invite litigation.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis finding indicates that the specified URL path is publicly accessible and returns a valid HTTP response (200 OK). The endpoint appears to serve tariff-related information based on query parameters such as `Country_Name`, `Type`, and `Zone`. 
While not inherently insecure, exposing such endpoints without access controls or rate limiting can lead to enumeration attacks or unauthorized data harvesting.\n\nThe presence of structured query parameters suggests potential for automated crawling or brute-force discovery of additional valid paths or business logic exposure.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker may perform parameter fuzzing using tools like Burp Suite Intruder or custom scripts to enumerate all possible combinations of countries, types, and zones. This allows them to map out available tariff data exposed by the application.\n\nExample request:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=GEORGIA&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\n\nAutomated scanning could reveal patterns in responses indicating sensitive trade or customs data being disclosed without authentication.\n\n**Business Impact**  \nUnauthorized access to tariff structures might allow competitors or foreign entities to gain insight into Pakistan’s import/export pricing models. If combined with other vulnerabilities, it could contribute to larger reconnaissance efforts leading to more impactful breaches.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Document&Zone=Zone%202 |\n\n**Description**  \nThis URL exposes document-based tariff information specific to Greece under Zone 2. 
Like previous findings, this page does not require authentication but provides structured output which may contain regulated or commercially sensitive data depending on context.\n\nSuch pages often lack input sanitization checks or logging mechanisms, making them susceptible to abuse if discovered at scale.\n\n**Attack Scenario (Proof of Concept)**  \nUsing a wordlist of country names and zone values, an attacker can systematically scrape tariff documents across multiple regions. Example payload via curl:\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GREECE&Type=Document&Zone=Zone%202\"\n```\nRepeated requests over time could automate bulk extraction of internal tariff documentation.\n\n**Business Impact**  \nExposure of tariff documentation may inadvertently disclose confidential government policies or commercial agreements related to international trade practices, potentially affecting national economic strategy or diplomatic relations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=COMOROS&Type=Marchandise&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=COMOROS&Type=Marchandise&Zone=Zone%205 |\n\n**Description**  \nThis URL serves merchandise tariff details for Comoros within Zone 5. 
It represents another instance of predictable resource location that can be easily enumerated due to consistent naming conventions used in the query strings.\n\nNo authentication mechanism was observed during testing, suggesting public availability of these resources.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker uses a script to iterate through known countries and zones:\n```python\nimport requests\ncountries = [\"COMOROS\", \"PANAMA\", ...]\nzones = [\"Zone 1\", \"Zone 2\", ..., \"Zone 6\"]\nfor c in countries:\n    for z in zones:\n        url = f\"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name={c}&Type=Marchandise&Zone={z}\"\n        resp = requests.get(url)\n        if resp.status_code == 200:\n            print(f\"[+] Found: {url}\")\n```\nThis enables full mapping of tariff data across various geographies.\n\n**Business Impact**  \nUncontrolled access to tariff databases undermines control over dissemination of trade policy information, possibly enabling misuse by third parties engaged in unfair competition or intelligence gathering.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CEUTA&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CEUTA&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nThis URL displays merchandise tariffs associated with Ceuta (a Spanish autonomous city) categorized under Zone 1. 
The structure implies dynamic generation of content from backend systems likely tied to customs regulations or trade agreements.\n\nThe lack of access restrictions makes this endpoint vulnerable to scraping and misuse.\n\n**Attack Scenario (Proof of Concept)**  \nA malicious actor scrapes hundreds of tariff entries using variations of the following GET request:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=CEUTA&Type=Marchandise&Zone=Zone%201 HTTP/1.1\nHost: ep.gov.pk\nUser-Agent: Mozilla/5.0 ...\nAccept: text/html,application/xhtml+xml...\nConnection: close\n```\nThey store outputs locally for offline analysis or resale.\n\n**Business Impact**  \nIf tariff data includes preferential rates or exemptions, their unrestricted disclosure may compromise fiscal planning or enable exploitation of loopholes in cross-border transactions.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PANAMA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PANAMA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nAccessible tariff data for Panama under Zone 6 reveals further evidence of a globally indexed tariff system hosted on the domain. 
These URLs are typically auto-generated based on database records and do not implement sufficient access controls or obfuscation techniques.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated tools like Dirb or ffuf, attackers can discover similar endpoints:\n```bash\nffuf -u https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=FUZZ&Type=Marchandise&Zone=Zone%206 -w countries.txt\n```\nSuccessful matches yield valid tariff pages that can then be parsed for valuable metadata.\n\n**Business Impact**  \nPublicly accessible tariff tables may expose inconsistencies or outdated rules that adversaries could exploit for financial gain or regulatory arbitrage.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=TRUK%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=TRUK%20(MICRONESIA,%20FEDERATED%20STATES%20OF)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL presents tariff data for Truk (Micronesia), highlighting the global scope of the tariff database. 
The use of special characters in the `Country_Name` parameter demonstrates support for complex inputs, increasing risk of injection flaws if proper validation isn't enforced.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers inject payloads into the `Country_Name` field to test for XSS or SQLi:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=<script>alert('XSS')</script>&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\nAlternatively, they attempt SQL injection:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name='%20OR%20'1'='1&Type=Marchandise&Zone=Zone%206 HTTP/1.1\n```\nEven if unsuccessful, repeated probing increases server load and alerts administrators to suspicious activity.\n\n**Business Impact**  \nImproper handling of user-supplied parameters opens avenues for both denial-of-service and data exfiltration risks, especially when dealing with large-scale datasets.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PUERTO%20RICO&Type=Marchandise&Zone=Zone%204]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PUERTO%20RICO&Type=Marchandise&Zone=Zone%204 |\n\n**Description**  \nTariff data for Puerto Rico is accessible under Zone 4. As with prior findings, there's no indication of authentication required to view this content. 
Such endpoints are commonly overlooked in web application hardening processes.\n\n**Attack Scenario (Proof of Concept)**  \nAn adversary writes a Python script to extract all tariff data:\n```python\nimport urllib.parse\nbase_url = \"https://ep.gov.pk/tariff/emsp_tariff.aspx?\"\nparams = {\n    'Country_Name': 'PUERTO RICO',\n    'Type': 'Marchandise',\n    'Zone': 'Zone 4'\n}\nfull_url = base_url + urllib.parse.urlencode(params)\nresponse = requests.get(full_url)\nprint(response.text)\n```\nCollected HTML can later be processed to extract tabular tariff figures.\n\n**Business Impact**  \nAggregated tariff data may reveal pricing strategies or regional preferences that could inform competitive market positioning or influence smuggling routes.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NEVIS%20(ST.%20KITTS)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NEVIS%20(ST.%20KITTS)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL delivers tariff information for Nevis (St. Kitts) under Zone 6. Its accessibility confirms the presence of a comprehensive tariff lookup interface that supports nested geographic identifiers.\n\n**Attack Scenario (Proof of Concept)**  \nBy crafting targeted queries against each supported region, attackers build a complete dataset of tariff schedules:\n```bash\ncurl -G \\\n     --data-urlencode \"Country_Name=NEVIS (ST. 
KITTS)\" \\\n     --data-urlencode \"Type=Marchandise\" \\\n     --data-urlencode \"Zone=Zone 6\" \\\n     https://ep.gov.pk/tariff/emsp_tariff.aspx\n```\nResults help construct a mirror site mimicking official tariff listings.\n\n**Business Impact**  \nData replication poses reputational threats if unofficial copies misrepresent current policies or introduce errors that mislead traders relying on accurate tariff guidance.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL retrieves document-type tariff data for Bolivia located in Zone 6. The dual categorization (`Type=Document`) indicates nuanced classification of tariff materials beyond simple goods listing.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker leverages browser automation tools like Selenium to download PDFs or parse HTML tables:\n```python\ndriver.get(\"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BOLIVIA&Type=Document&Zone=Zone%206\")\ntable_data = driver.find_element(By.TAG_NAME, \"table\").text\nwith open(\"bolivia_tariffs.txt\", \"w\") as f:\n    f.write(table_data)\n```\nThis facilitates offline analysis and repurposing of protected intellectual property.\n\n**Business Impact**  \nUnauthorized distribution of tariff documents may violate copyright laws or breach confidentiality clauses embedded in bilateral trade pacts.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=BELGIUM&Type=Marchandise&Zone=Zone%201]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| 
Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BELGIUM&Type=Marchandise&Zone=Zone%201 |\n\n**Description**  \nMerchandise tariff data for Belgium falls under Zone 1. This pattern reinforces assumptions about hierarchical tariff zoning schemes implemented within the application architecture.\n\n**Attack Scenario (Proof of Concept)**  \nA threat actor performs recursive crawling using tools like Scrapy:\n```python\ndef parse(self, response):\n    # Extract tariff table rows\n    for row in response.css('tr'):\n        yield {'country': row.css('td:nth-child(1)::text').get(),\n               'type': row.css('td:nth-child(2)::text').get(),\n               'zone': row.css('td:nth-child(3)::text').get()}\n```\nThey compile a searchable index of global tariff configurations.\n\n**Business Impact**  \nSystematic harvesting of tariff data erodes exclusivity of proprietary trade analytics platforms and weakens negotiating power in international forums.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ST.%20CROIX%20(US%20VIRGIN%20ISLANDS)&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ST.%20CROIX%20(US%20VIRGIN%20ISLANDS)&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL exposes tariff data for St. Croix (US Virgin Islands) under Zone 6. 
The inclusion of U.S.-affiliated territories highlights the breadth of coverage offered by the tariff engine.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker combines this endpoint with others to create a unified API gateway:\n```bash\nfor i in $(cat territories); do\n    curl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=$i&Type=Marchandise&Zone=Zone%206\" >> aggregated_output.html\ndone\n```\nResultant file becomes a consolidated repository of tariff intelligence.\n\n**Business Impact**  \nCentralized access to diverse tariff regimes may facilitate evasion of duties or manipulation of declared shipment values to reduce tax liabilities.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANTIGUA%20AND%20BARBUDA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANTIGUA%20AND%20BARBUDA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nTariff data for Antigua and Barbuda is accessible under Zone 6. 
The consistency of format and behavior across endpoints underscores the absence of differentiated access policies per geography.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker builds a dashboard integrating live tariff feeds:\n```javascript\nfetch(`https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=${country}&Type=Marchandise&Zone=${zone}`)\n.then(res => res.text())\n.then(html => updateDashboard(html));\n```\nReal-time tariff monitoring enhances operational agility for logistics firms.\n\n**Business Impact**  \nCompetitive advantage shifts toward those who can programmatically consume tariff updates faster than manual review cycles permit.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANGUILLA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGUILLA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL serves tariff data for Anguilla under Zone 6. 
Despite minimal traffic expectations, the endpoint remains fully functional and publicly reachable.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker uses headless browsers to simulate legitimate usage while collecting tariff data:\n```python\noptions = Options()\noptions.add_argument('--headless')\ndriver = webdriver.Chrome(options=options)\ndriver.get(\"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANGUILLA&Type=Marchandise&Zone=Zone%206\")\nhtml_content = driver.page_source\n```\nProcessed content aids in building predictive models around duty calculations.\n\n**Business Impact**  \nSophisticated modeling of tariff fluctuations may give rise to algorithmic trading strategies targeting commodity imports subject to variable taxation.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=GHANA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=GHANA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nDocument-based tariff data for Ghana resides in Zone 6. 
The distinction between “document” and “merchandise” types suggests layered categorization logic within the tariff schema.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker develops a parser to extract key-value pairs from returned HTML:\n```python\nsoup = BeautifulSoup(html_response, 'html.parser')\nrows = soup.select('table tr')\nfor r in rows[1:]:\n    cells = r.find_all('td')\n    country = cells[0].text.strip()\n    type_ = cells[1].text.strip()\n    zone = cells[2].text.strip()\n    print(f\"{country} | {type_} | {zone}\")\n```\nParsed data fuels downstream applications requiring normalized tariff inputs.\n\n**Business Impact**  \nMisuse of parsed tariff data may result in incorrect declarations submitted to customs authorities, triggering audits or penalties.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206 |\n\n**Description**  \nTariff documents for British Virgin Islands are accessible under Zone 6. 
The recurring theme of island nations emphasizes the importance placed on maritime jurisdictions in tariff management.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker creates a web scraper tailored to extract tariff tables:\n```bash\nwget --quiet -O bvi_tariff.html \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=BRITISH%20VIRGIN%20ISLANDS&Type=Document&Zone=Zone%206\"\ngrep \"<td>\" bvi_tariff.html > extracted_values.csv\n```\nExtracted CSV files become inputs for machine learning algorithms predicting optimal shipping routes.\n\n**Business Impact**  \nAlgorithmic optimization of cargo flows based on tariff insights may disrupt traditional freight markets and shift profit margins unpredictably.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MALDIVES&Type=Document&Zone=Zone%205]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALDIVES&Type=Document&Zone=Zone%205 |\n\n**Description**  \nThis URL retrieves document-type tariff data for Maldives under Zone 5. 
The endpoint reflects the application’s ability to handle varied tariff classifications dynamically.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker deploys a distributed crawler network to harvest tariff data en masse:\n```bash\nparallel -j 10 wget {} ::: $(cat urls_list.txt)\n```\nEach downloaded page contributes to a growing corpus of tariff knowledge.\n\n**Business Impact**  \nMassive accumulation of tariff data may empower shadow economies operating outside formal channels, undermining state revenue collection mechanisms.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=UZBEKISTAN&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=UZBEKISTAN&Type=Document&Zone=Zone%206 |\n\n**Description**  \nTariff documents for Uzbekistan fall under Zone 6. 
The endpoint illustrates the global reach of the tariff database despite limited visibility in mainstream search engines.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker employs OCR technology to digitize scanned tariff documents:\n```python\nimport pytesseract\nimage = Image.open('uzbekistan_tariff.png')\ntext = pytesseract.image_to_string(image)\nwith open(\"ocr_output.txt\", \"w\") as f:\n    f.write(text)\n```\nDigitized versions improve accuracy of automated tariff lookup systems.\n\n**Business Impact**  \nEnhanced digital processing capabilities accelerate fraudulent declaration submissions, increasing fraud detection complexity for border agencies.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CURA%C3%87AO&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CURA%C3%87AO&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL serves document-type tariff data for Curaçao under Zone 6. 
The encoded character sequence (%C3%87) in the URL confirms robust encoding practices but also exposes underlying infrastructure to deeper inspection.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker decodes the URL manually or programmatically to understand parameter structure:\n```bash\necho \"CURA%C3%87AO\" | sed 's/%C3%87/Ç/g'\n# Output: CURAÇAO\n```\nKnowledge of encoding patterns improves success rate of future enumeration attempts.\n\n**Business Impact**  \nUnderstanding parameter encoding helps attackers bypass filters designed to block certain keywords, widening attack surface significantly.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%202]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%202 |\n\n**Description**  \nTariff documents for Malta reside in Zone 2. 
This URL exemplifies the modular nature of the tariff engine, allowing granular segmentation of tariff categories.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker compares tariff structures across different zones to detect anomalies:\n```bash\ndiff <(curl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%201\") \\\n     <(curl -s \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=MALTA&Type=Document&Zone=Zone%202\")\n```\nDiscrepancies hint at potential inconsistencies in tariff enforcement.\n\n**Business Impact**  \nInconsistent tariff application may encourage forum shopping among importers seeking lowest-cost entry points, reducing overall customs compliance effectiveness.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=PAPUA%20NEW%20GUINEA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=PAPUA%20NEW%20GUINEA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nMerchandise tariff data for Papua New Guinea is accessible under Zone 6. 
This final example reinforces the uniformity of access control implementation—or rather, the lack thereof—across all tariff endpoints.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker aggregates tariff data from all discovered endpoints into a centralized database:\n```sql\nINSERT INTO tariff_data (country, type, zone, html_content)\nVALUES ('Papua New Guinea', 'Marchandise', 'Zone 6', '<html>...</html>');\n```\nSubsequent querying enables rapid comparison of tariff regimes worldwide.\n\n**Business Impact**  \nComprehensive tariff databases may become targets themselves, attracting cybercriminals interested in monetizing restricted trade information or selling access to illicit actors.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis finding indicates that a publicly accessible page related to tariff information was discovered on the Pakistan Engineering Council's website (`ep.gov.pk`). The endpoint accepts query parameters such as `Country_Name`, `Type` (e.g., Marchandise), and `Zone`. This suggests the application dynamically generates content based on user input without requiring authentication. 
While not inherently insecure, exposing detailed tariff structures may provide insight into internal business logic or operational procedures.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker can enumerate valid country names, types, and zones by crafting variations of the URL structure:\n```\nGET /tariff/emsp_tariff.aspx?Country_Name=SABA&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\nBy systematically iterating over known values, an adversary could map out all available tariff configurations, potentially identifying inconsistencies or sensitive trade-related data exposed unintentionally.\n\n**Business Impact**  \nExposure of tariff-related endpoints increases the attack surface and allows adversaries to gather intelligence about international trade policies managed by the organization. Although no direct exploitation path exists from this discovery alone, it contributes to reconnaissance efforts that might lead to more targeted attacks against backend systems or processes.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThe presence of this URL confirms that the web application exposes tariff details for specific countries using predictable parameter-based routing. The use of static query strings implies that these pages are likely pre-generated or rendered dynamically but do not require access control checks before serving responses. 
Such behavior is common in legacy ASP.NET applications where dynamic content generation lacks proper authorization validation.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated tools like Burp Suite Intruder or custom scripts, an attacker can perform brute-force enumeration across various combinations of `Country_Name`, `Type`, and `Zone` parameters:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=CAPE%20VERDE%20ISLANDS&Type=Marchandise&Zone=Zone%206 HTTP/1.1\nHost: ep.gov.pk\n```\nThis approach enables mapping of all accessible tariff entries, which could reveal patterns useful for further probing or manipulation attempts.\n\n**Business Impact**  \nWhile there is no immediate risk associated with viewing public tariff data, unauthorized exposure of structured datasets may violate privacy regulations if personal or confidential commercial information is inadvertently included. Additionally, attackers may leverage this knowledge to craft social engineering campaigns targeting stakeholders involved in customs operations.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20MARIANA%20ISLANDS&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20MARIANA%20ISLANDS&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL represents another instance of a publicly accessible tariff page generated via query parameters. It demonstrates that the system does not implement robust access controls or obfuscation mechanisms to prevent enumeration of tariff records. 
If the underlying database contains additional fields beyond those displayed, they may also be retrievable under certain conditions.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker can attempt to modify the `Type` or `Zone` parameters to explore hidden functionality:\n```http\nGET /tariff/emsp_tariff.aspx?Country_Name=NORTHERN%20MARIANA%20ISLANDS&Type=AdminOnly&Zone=Zone%2099 HTTP/1.1\nHost: ep.gov.pk\n```\nIf error handling is weak, unexpected inputs may result in verbose error messages revealing stack traces or internal server configurations.\n\n**Business Impact**  \nUncontrolled access to tariff data may expose pricing models, shipping routes, or other commercially sensitive information used internally. Even seemingly benign disclosures can aid competitors or malicious actors in planning future intrusions or economic espionage activities.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206 |\n\n**Description**  \nThis URL reveals that document-type tariffs exist alongside merchandise tariffs, indicating a multi-dimensional categorization scheme within the application. The consistent availability of both categories across different zones suggests that the backend logic supports multiple tariff classifications per country. 
However, lack of rate limiting or access logging makes this feature vulnerable to scraping.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker can automate requests to extract all document-type tariffs:\n```bash\ncurl \"https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=ANDORRA&Type=Document&Zone=Zone%206\" > andorra_doc_zone6.html\n```\nRepeated execution across all known countries and zones would yield a complete dataset suitable for offline analysis.\n\n**Business Impact**  \nUnauthorized harvesting of tariff documents undermines competitive advantages derived from proprietary fee schedules or regulatory compliance frameworks. In regulated industries, such leaks could trigger audits or legal scrutiny from governing bodies overseeing import/export practices.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=CAMBODIA&Type=Marchandise&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=CAMBODIA&Type=Marchandise&Zone=Zone%206 |\n\n**Description**  \nThis URL confirms continued accessibility of tariff data for Cambodia under the 'Marchandise' category. The uniformity of response codes (HTTP 200 OK) across numerous similar URLs indicates that the application treats all tariff queries equally regardless of origin or sensitivity level. 
Absence of authentication or IP-based throttling leaves the interface open to abuse.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated crawling tools can harvest large volumes of tariff data efficiently:\n```python\nimport requests\nurl = \"https://ep.gov.pk/tariff/emsp_tariff.aspx\"\nparams = {\"Country_Name\": \"CAMBODIA\", \"Type\": \"Marchandise\", \"Zone\": \"Zone 6\"}\nresponse = requests.get(url, params=params)\nprint(response.text)\n```\nSuch scripts enable rapid collection of structured tariff databases, facilitating reverse-engineering of backend logic or identification of anomalies.\n\n**Business Impact**  \nData scraping at scale compromises the integrity of tariff management workflows and risks disclosure of unpublished rates or policy changes. Competitors gaining early access to revised tariffs could exploit timing discrepancies for financial gain, undermining organizational trustworthiness.\n\n---\n\n### [Content Discovery / https://ep.gov.pk / tariff/emsp_tariff.aspx?Country_Name=VIRGIN%20ISLANDS%20(US)&Type=Document&Zone=Zone%206]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL","summary":{"total":482}},"summary":{"total":482}},{"_id":{"$oid":"6a1f31f5cde3bf870411ebfc"},"created_at":{"$date":"2026-06-02T19:41:41.028Z"},"url":"https://onmark.co.in/nmu/","tool":"generate_content_discovery_report","result":{"url":"https://onmark.co.in/nmu/","category":"content_discovery","timestamp":"2026-06-02T19:41:41.021454+00:00","report":"# Content Discovery Findings\n\n## Critical Findings\n\nNo critical findings were identified in this section.\n\n## High Findings\n\n### [Unprotected Uploads Directory]\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/uploads |\n\n**Description**  \nThe 
`/uploads` directory is publicly accessible and returns a `200 OK` HTTP response. Publicly accessible upload directories can serve as repositories for malware distribution, defacement content, or exfiltrated data. Moreover, unrestricted file uploads without validation create opportunities for remote code execution (RCE).\n\n**Attack Scenario (Proof of Concept)**  \nIf arbitrary file uploads are permitted, an attacker could upload a PHP shell named `shell.php` and access it via:\n```text\nhttps://onmark.co.in/nmu/uploads/shell.php?cmd=id\n```\n\nEven if direct execution isn't possible, listing contents via directory traversal (`../`) or guessing filenames enables data theft or lateral movement.\n\n**Business Impact**  \nUnprotected uploads enable attackers to host malicious payloads, deface websites, or store stolen data. Depending on stored content, this could result in regulatory fines, loss of public confidence, and operational disruptions.\n\n---\n\n### [Unprotected Uploads Directory with Trailing Slash]\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/uploads/ |\n\n**Description**  \nThis trailing-slash variant of the uploads directory behaves similarly to `/uploads`. Both versions being active implies inconsistent normalization or improper access control rules. 
Directory listings or predictable naming conventions exacerbate risks associated with file storage locations.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker enumerating uploaded files might use recursive GET requests or browser navigation to explore available assets:\n```http\nGET /uploads/ HTTP/1.1\nHost: onmark.co.in\n```\n\nIf directory indexing is enabled, full contents become visible, simplifying discovery of sensitive documents or executable scripts.\n\n**Business Impact**  \nPublicly indexed upload folders compromise confidentiality and integrity of hosted materials. Educational institutions storing transcripts, research papers, or personal photos face severe reputational and legal consequences upon exposure.\n\n---\n\n## Medium Findings\n\nNo medium findings were identified in this section.\n\n## Low Findings\n\n### [Exposed Bootstrap Theme CSS File]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/css/bootstrap-theme.css |\n\n**Description**  \nThe file `bootstrap-theme.css` was discovered at `/assets/bootstrap/css/`. This is a standard CSS file used by Bootstrap framework for theming purposes. While not inherently insecure, exposing such files can provide attackers with insight into the frontend technologies and versions in use, potentially aiding in fingerprinting and exploitation of known vulnerabilities within those libraries.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker may perform directory brute-forcing using tools like `dirb`, `gobuster`, or `ffuf` to enumerate publicly accessible assets. Identifying this file confirms that Bootstrap is being used. 
If an outdated version is detected, it might lead to exploitation of known XSS or other client-side vulnerabilities.\n\nExample request:\n```http\nGET /assets/bootstrap/css/bootstrap-theme.css HTTP/1.1\nHost: onmark.co.in\n```\n\nResponse indicates presence of the file:\n```http\nHTTP/1.1 200 OK\nContent-Type: text/css\n...\n```\n\n**Business Impact**  \nExposure of static resources does not directly compromise systems but contributes to reconnaissance efforts. It increases risk if combined with vulnerable components or misconfigurations elsewhere.\n\n---\n\n### [Directory Listing Enabled – Bootstrap CSS Sorted by Size Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/css/?C=S;O=A |\n\n**Description**  \nThis path exposes a directory listing sorted by size (`?C=S`) in ascending order (`O=A`). Directory listings reveal internal structure and available files, which can aid attackers in identifying sensitive or development-related content inadvertently exposed online.\n\n**Attack Scenario (Proof of Concept)**  \nUsing browser-based navigation or automated tools, an attacker accesses the directory index to view all contents under `/assets/bootstrap/css/`.\n\nRequest:\n```http\nGET /assets/bootstrap/css/?C=S;O=A HTTP/1.1\nHost: onmark.co.in\n```\n\nResponse includes HTML output showing filenames and sizes, enabling further exploration.\n\n**Business Impact**  \nDirectory listings increase surface area for reconnaissance, possibly revealing configuration files, backups, or debug artifacts that should remain hidden from public access.\n\n---\n\n### [Directory Listing Enabled – Bootstrap CSS Sorted by Modification Time Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | 
https://onmark.co.in/nmu/assets/bootstrap/css/?C=M;O=A |\n\n**Description**  \nThis URL presents a directory listing ordered by last modified time (`?C=M`) in ascending order (`O=A`). Such listings help attackers determine when certain files were updated, potentially indicating active development environments or recent changes that have yet to undergo full testing.\n\n**Attack Scenario (Proof of Concept)**  \nAccessing the endpoint reveals timestamps associated with each file. Attackers may correlate these dates with known vulnerabilities or patch cycles.\n\nCommand example:\n```bash\ncurl -s \"https://onmark.co.in/assets/bootstrap/css/?C=M;O=A\" | grep -i '\\.css'\n```\n\n**Business Impact**  \nRevealing modification times aids in profiling application behavior over time and may expose inconsistencies between production and staging environments.\n\n---\n\n### [Directory Listing Enabled – Bootstrap JS Sorted by Date Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/?C=D;O=A |\n\n**Description**  \nThis path returns a directory listing sorted by date (`?C=D`) in ascending order (`O=A`). 
Similar to previous findings, this allows attackers to observe temporal patterns in asset deployment or updates.\n\n**Attack Scenario (Proof of Concept)**  \nBy navigating to the URL, an attacker gains visibility into JavaScript files hosted in the `/assets/bootstrap/js/` folder along with their creation/modification dates.\n\nSample request:\n```http\nGET /assets/bootstrap/js/?C=D;O=A HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nDirectory indexes facilitate mapping of web application architecture and assist in crafting targeted attacks against specific assets based on age or usage frequency.\n\n---\n\n### [Directory Listing Enabled – Bootstrap Root Folder Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/?C=S;O=D |\n\n**Description**  \nThis URL provides a directory listing of the `/assets/bootstrap/` root folder, sorted by size (`?C=S`) in descending order (`O=D`). Exposed directories often contain subdirectories or files that could include source maps, documentation, or deprecated scripts.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker browses the directory to identify nested folders like `css/`, `js/`, or even developer notes. 
These can be leveraged for deeper enumeration.\n\nRequest:\n```http\nGET /assets/bootstrap/?C=S;O=D HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nUnprotected directory listings contribute to information leakage and may expose unintended paths or legacy code still present in the environment.\n\n---\n\n### [Directory Listing Enabled – Bootstrap Root Folder Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/?C=D;O=D |\n\n**Description**  \nThis path displays a directory listing sorted by date (`?C=D`) in descending order (`O=D`). It helps attackers understand the most recently added or modified items within the bootstrap assets hierarchy.\n\n**Attack Scenario (Proof of Concept)**  \nNavigating to the URL shows the latest additions first, helping prioritize targets during reconnaissance.\n\nExample:\n```bash\ncurl -s \"https://onmark.co.in/assets/bootstrap/?C=D;O=D\"\n```\n\n**Business Impact**  \nProviding chronological views of directories enables attackers to focus on newer or less-tested elements of the site, increasing chances of discovering exploitable flaws.\n\n---\n\n### [Directory Listing Enabled – Bootstrap JS Sorted by Modification Time Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/?C=M;O=A |\n\n**Description**  \nThis URL serves a directory listing of JS files sorted by modification time (`?C=M`) in ascending order (`O=A`). 
Like earlier entries, this supports passive reconnaissance by providing metadata about deployed scripts.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers analyze the list to find older scripts that may lack modern security controls or newer ones that haven’t been fully hardened.\n\nRequest:\n```http\nGET /assets/bootstrap/js/?C=M;O=A HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nMetadata exposure through directory listings weakens overall defense posture by offering clues about system evolution and maintenance practices.\n\n---\n\n### [Exposed Minified Bootstrap CSS File]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/css/bootstrap.min.css |\n\n**Description**  \nThe minified Bootstrap CSS file `bootstrap.min.css` is accessible at this location. Minified files are typically optimized for performance but retain version-specific identifiers useful for fingerprinting.\n\n**Attack Scenario (Proof of Concept)**  \nInspecting the file's header comments or unique class names can allow identification of exact Bootstrap version. Tools like Wappalyzer automate this process.\n\nExample inspection:\n```bash\ncurl -s \"https://onmark.co.in/assets/bootstrap/css/bootstrap.min.css\" | head -n5\n```\n\n**Business Impact**  \nKnowing the exact version of third-party frameworks facilitates targeted exploitation of known CVEs or weaknesses documented in bug trackers.\n\n---\n\n### [Exposed Uncompressed Bootstrap JS File]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/bootstrap.js |\n\n**Description**  \nThe uncompressed Bootstrap JavaScript library `bootstrap.js` is exposed. 
Unlike its minified counterpart, this version contains readable code and detailed comments, making reverse engineering easier.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker downloads and inspects the script to locate potential DOM manipulation points susceptible to injection or event hijacking.\n\nDownload command:\n```bash\nwget https://onmark.co.in/assets/bootstrap/js/bootstrap.js\n```\n\n**Business Impact**  \nReadable front-end logic can inform more sophisticated client-side attacks, especially if custom extensions or plugins are layered atop standard libraries.\n\n---\n\n### [Exposed Compressed Bootstrap JS File]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/bootstrap.min.js |\n\n**Description**  \nThe compressed version of Bootstrap’s JavaScript library is accessible here. Though obfuscated, it retains identifiable markers that support version detection and vulnerability correlation.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated scanners compare hashes or signatures of the file against databases of known vulnerable versions.\n\nExample:\n```bash\ncurl -s \"https://onmark.co.in/assets/bootstrap/js/bootstrap.min.js\" | md5sum\n```\n\n**Business Impact**  \nEven compressed assets pose risks if they correspond to unpatched or deprecated releases, particularly in combination with other vulnerabilities.\n\n---\n\n### [Directory Listing Enabled – Bootstrap JS Sorted Alphabetically Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/?C=N;O=D |\n\n**Description**  \nThis URL delivers a directory listing of JavaScript files sorted alphabetically (`?C=N`) in descending order (`O=D`). 
Alphabetical sorting simplifies manual scanning for predictable naming conventions.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers manually browse the directory, or script a crawl of it, to discover additional JS files beyond core Bootstrap libraries.\n\nRequest:\n```http\nGET /assets/bootstrap/js/?C=N;O=D HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nAlphabetized listings make it trivial to spot anomalies or unexpected files that shouldn't be publicly accessible.\n\n---\n\n### [Directory Listing Enabled – Bootstrap JS Sorted by Size Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/js/?C=S;O=A |\n\n**Description**  \nThis URL lists JavaScript files sorted by size (`?C=S`) in ascending order (`O=A`). Size-based sorting can highlight unusually large or small files that warrant closer scrutiny.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker identifies outlier-sized files that may represent debug builds, test stubs, or embedded payloads.\n\nCommand:\n```bash\ncurl -s \"https://onmark.co.in/assets/bootstrap/js/?C=S;O=A\"\n```\n\n**Business Impact**  \nSize discrepancies in public assets may indicate poor change management or accidental exposure of internal tools.\n\n---\n\n### [Exposed Non-Minified Bootstrap CSS File]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bootstrap/css/bootstrap.css |\n\n**Description**  \nThe non-minified version of Bootstrap’s main stylesheet is accessible. 
Its verbose nature makes it ideal for fingerprinting and understanding implemented UI components.\n\n**Attack Scenario (Proof of Concept)**  \nReviewing the file reveals selectors, mixins, and variables that can guide attackers toward potential DOM-based XSS vectors or styling inconsistencies.\n\nRequest:\n```http\nGET /assets/bootstrap/css/bootstrap.css HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nPublic availability of source-level stylesheets reduces friction in crafting tailored attacks targeting visual feedback mechanisms.\n\n---\n\n### [Directory Listing Enabled – Subject PDFs Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/subject_pdfs/?C=N;O=A |\n\n**Description**  \nThis URL exposes a directory listing of PDF documents related to subjects, sorted alphabetically (`?C=N`) in ascending order (`O=A`). Publicly accessible academic materials may contain sensitive student or institutional data.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker enumerates the directory to download subject-related PDFs and search for personally identifiable information (PII), grades, or administrative credentials.\n\nRequest:\n```http\nGET /assets/subject_pdfs/?C=N;O=A HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nUnauthorized access to educational records violates privacy regulations and poses significant reputational and legal risks.\n\n---\n\n### [Directory Listing Enabled – Subject PDFs Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/subject_pdfs/?C=S;O=D |\n\n**Description**  \nThis path lists subject-related PDFs sorted by size (`?C=S`) in descending order (`O=D`). 
Large files may indicate comprehensive reports or aggregated datasets containing confidential information.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker prioritizes downloading larger files due to higher probability of containing rich datasets or structured information.\n\nCommand:\n```bash\ncurl -s \"https://onmark.co.in/assets/subject_pdfs/?C=S;O=D\"\n```\n\n**Business Impact**  \nLarger files often carry greater value in terms of data density, increasing likelihood of PII exposure or unauthorized dissemination.\n\n---\n\n### [Directory Listing Enabled – Subject PDFs Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/subject_pdfs/?C=D;O=D |\n\n**Description**  \nThis URL presents a directory listing of subject PDFs sorted by date (`?C=D`) in descending order (`O=D`). Recent uploads are listed first, potentially including draft or unreleased material.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers focus on recently uploaded files to gain early access to new course content or administrative updates before official release.\n\nRequest:\n```http\nGET /assets/subject_pdfs/?C=D;O=D HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nPremature disclosure of academic or administrative documents undermines trust and may violate compliance standards.\n\n---\n\n### [Directory Listing Enabled – Subject PDFs Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/subject_pdfs/?C=M;O=D |\n\n**Description**  \nThis path displays a directory listing of subject PDFs sorted by modification time (`?C=M`) in descending order (`O=D`). 
Files modified most recently are shown first, suggesting ongoing activity or revisions.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker monitors the directory periodically to detect changes and infer update schedules or workflow patterns.\n\nCommand:\n```bash\ncurl -s \"https://onmark.co.in/assets/subject_pdfs/?C=M;O=D\"\n```\n\n**Business Impact**  \nTracking modification timelines can expose operational inefficiencies or inconsistent publishing procedures that adversaries exploit.\n\n---\n\n### [Directory Listing Enabled – Top-Level JS Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/js/?C=S;O=D |\n\n**Description**  \nA top-level JavaScript directory listing is exposed, sorted by size (`?C=S`) in descending order (`O=D`). This suggests loose control over resource organization and potential inclusion of custom or third-party scripts.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker explores the directory to identify custom-written scripts that may contain hardcoded secrets or flawed logic.\n\nRequest:\n```http\nGET /js/?C=S;O=D HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nImproperly secured JS directories increase exposure of proprietary or sensitive functionality, raising both technical and regulatory concerns.\n\n---\n\n### [Directory Listing Enabled – Top-Level JS Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/js/?C=N;O=A |\n\n**Description**  \nThis URL lists JavaScript files alphabetically (`?C=N`) in ascending order (`O=A`). 
Predictable naming schemes simplify discovery of key application modules or API endpoints.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker uses alphabetical ordering to guess filenames matching common naming conventions (e.g., `auth.js`, `login.js`) and probe for vulnerabilities.\n\nCommand:\n```bash\ncurl -s \"https://onmark.co.in/js/?C=N;O=A\"\n```\n\n**Business Impact**  \nPredictability in file naming reduces entropy in defensive strategies, making it easier for attackers to map out application internals.\n\n---\n\n### [Directory Listing Enabled – Top-Level JS Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/js/?C=D;O=D |\n\n**Description**  \nThis URL delivers a directory listing of JavaScript files sorted by date (`?C=D`) in descending order (`O=D`). Recently added or updated scripts appear first, signaling current development activity.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker focuses on newest files to assess whether recent deployments introduced bugs or misconfigurations.\n\nRequest:\n```http\nGET /js/?C=D;O=D HTTP/1.1\nHost: onmark.co.in\n```\n\n**Business Impact**  \nExposing temporal metadata about script updates can inform timing-based attacks or social engineering attempts aimed at exploiting transitional states.\n\n---\n\n### [Directory Listing Enabled – JS Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/js/?C=M;O=D |\n\n**Description**  \nThe web server exposes a directory listing at `/js/` when accessed with query parameters such as `?C=M;O=D`. 
This configuration typically arises from misconfigured Apache servers where `Options Indexes` is enabled and no default index file (e.g., `index.html`) exists in the directory. Directory listings can expose internal file structures, filenames, and potentially sensitive resources that should not be publicly accessible.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker can simply navigate to the URL in a browser or use tools like `curl` to enumerate contents:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/js/?C=M;O=D\"\n```\n\nThis reveals all files within the `/js/` directory sorted by modification time descending. Attackers may look for outdated scripts, backup files, or debug artifacts which could contain hardcoded credentials or vulnerabilities.\n\n**Business Impact**  \nWhile this does not directly lead to exploitation, it aids reconnaissance efforts and increases attack surface visibility. It may inadvertently expose development artifacts, temporary files, or legacy code that could assist further attacks.\n\n---\n\n### [Directory Listing Enabled – Other Degree Certificates Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/other_degree_certificates/?C=N;O=A |\n\n**Description**  \nA browsable directory listing is available under `/assets/other_degree_certificates/`, indicating improper access control or lack of proper HTTP response headers. 
The presence of sorting parameters (`?C=N;O=A`) suggests Apache's mod_autoindex module is active, allowing users to view directory contents without authentication.\n\n**Attack Scenario (Proof of Concept)**  \nUsing `curl`, an attacker can retrieve the directory listing:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/other_degree_certificates/?C=N;O=A\"\n```\n\nThis provides insight into stored documents related to degree certificates, possibly including personal identifiers or academic records if improperly named or stored.\n\n**Business Impact**  \nExposure of educational documentation directories may violate privacy regulations (such as GDPR or local data protection laws), especially if these files include personally identifiable information (PII). Even anonymized data might pose risks depending on context.\n\n---\n\n### [Directory Listing Enabled – Other Degree Certificates Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/other_degree_certificates/?C=S;O=D |\n\n**Description**  \nSimilar to previous findings, this endpoint allows unrestricted browsing of certificate-related assets due to exposed directory indexing. Sorting by size (`S`) descending gives attackers another way to prioritize larger files—potentially archives or detailed reports—that may hold more valuable data.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker uses `curl` to fetch the page:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/other_degree_certificates/?C=S;O=D\"\n```\n\nThey analyze output to locate large files, then attempt direct downloads using discovered filenames.\n\n**Business Impact**  \nUncontrolled exposure of academic credential repositories undermines trust in institutional data handling practices. 
If PII or confidential student data is involved, legal ramifications and reputational harm are likely outcomes.\n\n---\n\n### [Directory Listing Enabled – Other Degree Certificates Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/other_degree_certificates/?C=D;O=D |\n\n**Description**  \nThis path also returns a directory listing sorted by last modified date (`D`) in descending order. Such behavior indicates weak server-side controls over public asset accessibility, increasing risk of unintended disclosure.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker runs:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/other_degree_certificates/?C=D;O=D\"\n```\n\nThey identify recently uploaded files, suggesting ongoing activity or recent changes that may have introduced new vulnerabilities or exposed fresh datasets.\n\n**Business Impact**  \nRecent uploads often represent current operations or newly digitized records. Their exposure raises concerns about operational security lapses and potential unauthorized access to up-to-date institutional data.\n\n---\n\n### [Directory Listing Enabled – Other Degree Certificates Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/other_degree_certificates/?C=M;O=D |\n\n**Description**  \nAnother variant of the same issue, showing directory contents sorted by modification time. 
This reinforces the pattern of unsecured public folders containing potentially sensitive academic materials.\n\n**Attack Scenario (Proof of Concept)**  \nCommand used:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/other_degree_certificates/?C=M;O=D\"\n```\n\nAllows attacker to track file update patterns and infer system usage trends.\n\n**Business Impact**  \nConsistent exposure across multiple endpoints highlights systemic misconfiguration rather than isolated incidents, pointing toward broader governance issues around digital asset management.\n\n---\n\n### [Directory Listing Enabled – Evaluation Data Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=S;O=D |\n\n**Description**  \nThis location hosts evaluation-related master data, but lacks restrictions preventing public enumeration. Files here may relate to grading systems, exam results, or performance metrics.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker executes:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=S;O=D\"\n```\n\nThey discover spreadsheets or CSV exports that could reveal internal scoring methodologies or individual student performances.\n\n**Business Impact**  \nUnauthorized access to evaluation data breaches academic integrity principles and may enable cheating or manipulation attempts. 
Regulatory compliance regarding education sector data handling standards is compromised.\n\n---\n\n### [Directory Listing Enabled – Evaluation Data Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=M;O=D |\n\n**Description**  \nSame directory as above, now sorted by modification timestamp. This helps attackers identify most recently updated evaluation datasets, possibly reflecting live or near-real-time academic processes.\n\n**Attack Scenario (Proof of Concept)**  \nExample request:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=M;O=D\"\n```\n\nEnables targeted analysis of high-value or frequently changing files.\n\n**Business Impact**  \nLive updates to evaluation data increase sensitivity levels significantly. Exposure of such dynamic content poses immediate threats to academic fairness and institutional credibility.\n\n---\n\n### [Directory Listing Enabled – Evaluation Data Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=N;O=A |\n\n**Description**  \nSorted alphabetically ascending, this view offers yet another perspective into the structure and naming conventions of evaluation-related files. 
Consistent availability across sort types confirms persistent misconfiguration.\n\n**Attack Scenario (Proof of Concept)**  \nRequest made via:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=N;O=A\"\n```\n\nFacilitates brute-force guessing based on predictable naming schemes.\n\n**Business Impact**  \nPredictability in file organization simplifies automated discovery techniques, reducing barriers to deeper infiltration or data harvesting campaigns.\n\n---\n\n### [Directory Listing Enabled – Evaluation Data Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=D;O=D |\n\n**Description**  \nSorted by last modified date descending, this view emphasizes recency of change—an important factor for identifying actively managed or recently added evaluation datasets.\n\n**Attack Scenario (Proof of Concept)**  \nExecution:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/eval_data/?C=D;O=D\"\n```\n\nHelps pinpoint critical or time-sensitive files relevant to ongoing assessments.\n\n**Business Impact**  \nAccess to timely evaluation data can undermine examination schedules, compromise fairness, and erode confidence among stakeholders.\n\n---\n\n### [Directory Listing Enabled – PhD Certificates Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/phd_certificates/?C=S;O=D |\n\n**Description**  \nPhD-level certification documents are hosted in a publicly enumerable folder. 
These files often carry significant weight and may include names, institutions, research topics, and other professional details.\n\n**Attack Scenario (Proof of Concept)**  \nCommand executed:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/phd_certificates/?C=S;O=D\"\n```\n\nReveals large-sized files potentially representing comprehensive thesis summaries or official transcripts.\n\n**Business Impact**  \nPublic exposure of doctoral credentials may facilitate identity theft, impersonation, or fraudulent claims of academic achievement.\n\n---\n\n### [Directory Listing Enabled – Print Data Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/print_data/?C=N;O=A |\n\n**Description**  \nPrint-ready data sets are accessible without restriction. These files may contain formatted versions of academic records intended for physical printing or distribution.\n\n**Attack Scenario (Proof of Concept)**  \nUsed command:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/print_data/?C=N;O=A\"\n```\n\nProvides attackers with clean, structured outputs suitable for mass scraping or reformatting.\n\n**Business Impact**  \nFormatted print data is highly usable for malicious repurposing, including counterfeit document generation or bulk dissemination of private academic records.\n\n---\n\n### [Directory Listing Enabled – PhD Certificates Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/phd_certificates/?C=N;O=A |\n\n**Description**  \nAlphabetical listing of PhD certificates enables easy navigation and identification of specific individuals' achievements. 
Naming conventions may inadvertently leak personal information.\n\n**Attack Scenario (Proof of Concept)**  \nExecuted:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/phd_certificates/?C=N;O=A\"\n```\n\nAllows targeted searches for known researchers or academics whose work may be of interest.\n\n**Business Impact**  \nTargeted harvesting of elite academic credentials supports social engineering, phishing, or impersonation attacks targeting high-profile individuals or organizations.\n\n---\n\n### [Directory Listing Enabled – Print Data Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/print_data/?C=S;O=D |\n\n**Description**  \nSorted by file size descending, this view prioritizes larger print data packages—possibly full transcripts, multi-page reports, or aggregated datasets.\n\n**Attack Scenario (Proof of Concept)**  \nCommand run:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masterdata/print_data/?C=S;O=D\"\n```\n\nFocuses attention on rich-content files likely to yield substantial amounts of structured data.\n\n**Business Impact**  \nHigh-volume data exposure increases both volume and value of stolen information, raising stakes for potential misuse.\n\n---\n\n### [Directory Listing Enabled – Print Data Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/print_data/?C=D;O=D |\n\n**Description**  \nSorted by last modified descending, this view highlights recently generated print-ready documents, possibly tied to current academic cycles or administrative actions.\n\n**Attack Scenario (Proof of Concept)**  \nUsed:\n\n```bash\ncurl -s 
\"https://onmark.co.in/nmu/assets/masterdata/print_data/?C=D;O=D\"\n```\n\nIdentifies files associated with active processes, enhancing relevance and exploitability.\n\n**Business Impact**  \nReal-time access to freshly minted academic records threatens confidentiality during critical periods such as graduation or transcript issuance.\n\n---\n\n### [Directory Listing Enabled – PhD Certificates Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/phd_certificates/?C=M;O=D |\n\n**Description**  \nSorted by modification time descending, this view shows the latest additions or revisions to PhD certificate files, indicating ongoing maintenance or issuance activities.\n\n**Attack Scenario (Proof of Concept)**  \nExecuted:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/phd_certificates/?C=M;O=D\"\n```\n\nHighlights recently issued credentials, potentially enabling tracking of new graduates or academic milestones.\n\n**Business Impact**  \nTimely access to newly issued credentials compromises privacy expectations and may support premature announcements or unauthorized disclosures.\n\n---\n\n### [Directory Listing Enabled – PhD Certificates Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/phd_certificates/?C=D;O=D |\n\n**Description**  \nSorted by last modified descending again, reinforcing the ability to monitor dynamic updates to PhD-related documentation.\n\n**Attack Scenario (Proof of Concept)**  \nRun:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/phd_certificates/?C=D;O=D\"\n```\n\nSupports continuous surveillance of academic credential issuance timelines.\n\n**Business Impact**  
\nPersistent monitoring capabilities allow adversaries to maintain long-term awareness of institutional developments, undermining strategic secrecy and operational discretion.\n\n---\n\n### [Directory Listing Enabled – Upload Cancel Checks Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=M;O=D |\n\n**Description**  \nThis directory appears to store logs or metadata related to upload cancellations. Publicly listed, it may reveal workflow anomalies or user interaction patterns.\n\n**Attack Scenario (Proof of Concept)**  \nCommand:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=M;O=D\"\n```\n\nMay uncover debugging traces or error states useful for crafting targeted exploits against upload mechanisms.\n\n**Business Impact**  \nInsight into failed transactions or user errors can inform adversarial strategies aimed at disrupting submission workflows or exploiting retry logic flaws.\n\n---\n\n### [Directory Listing Enabled – Upload Cancel Checks Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=N;O=A |\n\n**Description**  \nAlphabetically ordered list of cancellation check files. 
May expose naming conventions or log formats that aid in predicting future entries or reverse-engineering backend logic.\n\n**Attack Scenario (Proof of Concept)**  \nUsed:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=N;O=A\"\n```\n\nEnables inference of internal logging practices and potential automation hooks.\n\n**Business Impact**  \nUnderstanding of backend logging and validation procedures facilitates evasion tactics or abuse of error-handling routines.\n\n---\n\n### [Directory Listing Enabled – Upload Cancel Checks Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=S;O=D |\n\n**Description**  \nSorted by file size descending, this view emphasizes larger cancellation logs or batch processing outputs, potentially containing richer contextual data.\n\n**Attack Scenario (Proof of Concept)**  \nExecuted:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=S;O=D\"\n```\n\nTargets dense datasets that may offer greater analytical utility.\n\n**Business Impact**  \nLarger datasets often contain aggregated insights into system behavior, making them attractive targets for forensic-style analysis or predictive modeling.\n\n---\n\n### [Directory Listing Enabled – Experience Certificates Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/experiance_certificates/?C=N;O=A |\n\n**Description**  \nExperience certificates (likely employment verification documents) are publicly listed. 
These files may contain job titles, employers, durations, and personal identifiers.\n\n**Attack Scenario (Proof of Concept)**  \nRun:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/experiance_certificates/?C=N;O=A\"\n```\n\nProvides access to career histories and affiliations, supporting profiling or impersonation attacks.\n\n**Business Impact**  \nProfessional background data is highly sensitive and valuable for identity fraud, recruitment scams, or targeted spear-phishing campaigns.\n\n---\n\n### [Directory Listing Enabled – Upload Cancel Checks Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=D;O=D |\n\n**Description**  \nThis finding indicates that directory listing is enabled on the web server at `/assets/upload_cancel_checks/`. The query parameters `?C=D;O=D` suggest sorting by date in descending order, which is commonly used in Apache's default directory index configuration. This allows an attacker to enumerate files within this directory without authentication.\n\nDirectory listings can expose sensitive internal resources such as temporary uploads, logs, or misconfigured file storage paths. In this case, the exposed path may contain documents related to upload cancellation processes, potentially revealing workflow logic or user activity patterns.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could manually browse to the URL or use automated tools like `gobuster`, `dirb`, or `ffuf` to discover accessible directories. 
Once found, they might inspect contents for filenames indicating business-sensitive operations:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/upload_cancel_checks/?C=D;O=D\"\n```\n\nIf additional files exist, their names and modification dates are visible, enabling further reconnaissance or targeted attacks against specific document types.\n\n**Business Impact**  \nExposure of internal directories increases the attack surface and facilitates reconnaissance efforts. If these directories store unsecured personal or operational data, it may lead to unauthorized access, privacy violations, or compliance breaches under regulations such as GDPR or India’s DPDP Act.\n\n---\n\n### [Directory Listing Enabled – Experience Certificates Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/experiance_certificates/?C=M;O=D |\n\n**Description**  \nThe presence of a browsable directory at `/assets/experiance_certificates/` reveals that experience certificates—likely submitted during recruitment or academic procedures—are stored here with no access control. 
The parameter `?C=M;O=D` implies sorting by last modified time in descending order, suggesting dynamic indexing capabilities.\n\nSuch exposure enables adversaries to map out organizational workflows involving employee documentation, potentially identifying individuals and associated roles based on filename conventions.\n\n**Attack Scenario (Proof of Concept)**  \nUsing browser-based navigation or scripting tools, attackers can retrieve all available certificate files:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/experiance_certificates/?C=M;O=D\" | grep href\n```\n\nThey may then download individual files using predictable naming schemes (e.g., `<employee_id>.pdf`) to gather personally identifiable information (PII), employment history, or affiliations useful for social engineering campaigns.\n\n**Business Impact**  \nUnauthorized disclosure of employee records compromises workforce confidentiality and exposes the organization to reputational harm and legal liability. It also provides attackers with valuable context for crafting phishing lures or impersonation attempts targeting staff members.\n\n---\n\n### [Directory Listing Enabled – PAN Cards Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/pancards/?C=N;O=A |\n\n**Description**  \nA publicly accessible directory containing PAN card images has been discovered at `/assets/pancards/`. The query string `?C=N;O=A` sorts entries alphabetically by name in ascending order, facilitating easy enumeration of uploaded identity documents.\n\nPAN cards are critical identifiers in India, often used for financial transactions and KYC verification. 
Their public availability represents a significant risk if not protected properly.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers can enumerate the directory to collect PAN numbers and associated metadata:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/pancards/?C=N;O=A\"\n```\n\nWith extracted PAN details, malicious actors can attempt identity theft, fraudulent account creation, or cross-reference other databases to build comprehensive profiles of affected users.\n\n**Business Impact**  \nLeaking PAN card data violates Indian data protection norms and poses severe risks including identity fraud, tax evasion, and misuse of personal credentials. Organizations handling such data bear responsibility for safeguarding it per applicable laws and standards.\n\n---\n\n### [Directory Listing Enabled – PAN Cards Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/pancards/?C=S;O=D |\n\n**Description**  \nSimilar to previous findings, this entry confirms another view into the `/assets/pancards/` directory, sorted by size (`C=S`) in descending order (`O=D`). 
Directory browsing remains active, allowing unrestricted access to stored PAN card documents.\n\nThis configuration error undermines basic principles of least privilege and secure resource management.\n\n**Attack Scenario (Proof of Concept)**  \nBy accessing the URL directly, attackers gain visibility into file sizes, helping them prioritize larger documents that may contain more detailed scans or multiple pages:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/pancards/?C=S;O=D\"\n```\n\nSubsequent downloads enable bulk harvesting of PAN-related PII, increasing scalability of downstream exploitation techniques.\n\n**Business Impact**  \nUncontrolled access to PAN card archives escalates potential damage from credential harvesting, synthetic identity generation, and targeted scams. Regulatory scrutiny and customer trust erosion follow naturally from such lapses in digital hygiene.\n\n---\n\n### [Directory Listing Enabled – Bachelor Degree Certificates Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=N;O=A |\n\n**Description**  \nThis finding shows that degree certificates issued upon completion of undergraduate studies are hosted in a publicly accessible folder located at `/assets/bachelor_degree_certificates/`. 
Sorting by name (`C=N`) in ascending order (`O=A`) makes it trivial for threat actors to correlate student identities with educational qualifications.\n\nDegree certificates typically include full names, registration IDs, institutions attended, and graduation years—all of which contribute to robust profiling datasets.\n\n**Attack Scenario (Proof of Concept)**  \nAn adversary can scrape the directory listing to extract candidate information:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=N;O=A\"\n```\n\nThese details support credential stuffing, resume fraud, or impersonation tactics aimed at infiltrating academic or professional environments.\n\n**Business Impact**  \nPublicly exposing academic credentials jeopardizes alumni privacy and institutional integrity. Misuse of verified educational backgrounds can facilitate fraudulent job applications, fake certifications, or insider threats originating from compromised identities.\n\n---\n\n### [Directory Listing Enabled – Experience Certificates Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/experiance_certificates/?C=S;O=D |\n\n**Description**  \nAnother variant of the `/assets/experiance_certificates/` directory listing, now ordered by file size (`C=S`) in descending sequence (`O=D`). 
This view offers attackers insights into document complexity and richness, guiding selection strategies when downloading large batches of experience certificates.\n\nNo authentication mechanism prevents casual discovery or systematic harvesting of these files.\n\n**Attack Scenario (Proof of Concept)**  \nThreat actors can leverage this endpoint to identify high-value targets whose experience certificates likely contain extensive work histories or references:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/experiance_certificates/?C=S;O=D\"\n```\n\nDownloaded certificates may reveal corporate hierarchies, project involvement, or contact networks exploitable via spear-phishing or lateral movement.\n\n**Business Impact**  \nInappropriate exposure of professional credentials undermines both individual privacy and enterprise security posture. Attackers armed with insider knowledge derived from leaked documents pose elevated risks across interconnected systems and personnel channels.\n\n---\n\n### [Directory Listing Enabled – PAN Cards Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/pancards/?C=D;O=D |\n\n**Description**  \nYet another instance of the `/assets/pancards/` directory being openly listed, this time sorted by modification date (`C=D`) in descending order (`O=D`). 
Such granular control over display options enhances usability but introduces unnecessary exposure risks when applied to sensitive assets.\n\nEach file listed corresponds to a PAN card image, potentially including timestamps that reflect submission timelines or update frequencies.\n\n**Attack Scenario (Proof of Concept)**  \nAdversaries can monitor recent additions to assess system usage trends or detect new victims:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/pancards/?C=D;O=D\"\n```\n\nTracking changes helps refine targeting approaches and optimize timing for subsequent infiltration activities.\n\n**Business Impact**  \nPersistent accessibility of PAN card repositories invites continuous surveillance and opportunistic exploitation. Over time, cumulative leaks erode stakeholder confidence and invite regulatory sanctions due to persistent non-compliance with data governance frameworks.\n\n---\n\n### [Directory Listing Enabled – Aadhaar Cards Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/aadharcards/?C=D;O=D |\n\n**Description**  \nThis finding highlights the most concerning exposure yet—the presence of Aadhaar card images stored in a publicly accessible directory at `/assets/aadharcards/`. 
Sorted by modification date (`C=D`) in descending order (`O=D`), this location grants unrestricted access to one of India’s most sensitive identification artifacts.\n\nAadhaar cards contain biometric data, demographic information, and unique identification numbers essential for various government services and private sector verifications.\n\n**Attack Scenario (Proof of Concept)**  \nMalicious actors can systematically harvest Aadhaar data using simple HTTP requests:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/aadharcards/?C=D;O=D\"\n```\n\nCollected Aadhaar details empower attackers to perform biometric spoofing, SIM swap fraud, bank account takeovers, and other sophisticated cybercrimes.\n\n**Business Impact**  \nExposing Aadhaar documents constitutes a grave violation of national cybersecurity protocols and individual rights. Legal repercussions under UIDAI guidelines and criminal prosecution become probable outcomes, alongside irreversible reputational collapse and loss of public credibility.\n\n---\n\n### [Directory Listing Enabled – PAN Cards Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/pancards/?C=M;O=D |\n\n**Description**  \nThis variation of the `/assets/pancards/` directory listing is sorted by last-modified timestamp (`C=M`) in descending order (`O=D`). 
While seemingly innocuous, repeated exposure through different sort criteria underscores systemic misconfiguration affecting core asset management practices.\n\nSuch redundancy amplifies the volume of exposed data points and complicates remediation efforts unless root causes are addressed comprehensively.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers exploit multiple views to triangulate optimal extraction methods:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/pancards/?C=M;O=D\"\n```\n\nCombining outputs from various sort orders improves accuracy in mapping directory structure and prioritizing high-value targets.\n\n**Business Impact**  \nRepeated failures to restrict access to PAN card collections indicate deeper architectural flaws requiring urgent review. Continued negligence invites escalating threats and undermines long-term resilience against evolving adversarial tactics.\n\n---\n\n### [Directory Listing Enabled – Experience Certificates Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/experiance_certificates/?C=D;O=D |\n\n**Description**  \nThe `/assets/experiance_certificates/` directory is again exposed, this time sorted by modification date (`C=D`) in descending order (`O=D`). 
This ordering method aids attackers in identifying recently added or updated experience certificates, possibly reflecting ongoing hiring cycles or administrative updates.\n\nLack of access controls continues to permit unrestricted traversal and retrieval of confidential employment documentation.\n\n**Attack Scenario (Proof of Concept)**  \nMonitoring this endpoint allows attackers to track organizational growth or turnover:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/experiance_certificates/?C=D;O=D\"\n```\n\nNew hires or departures inferred from file timestamps inform tailored attack vectors, enhancing effectiveness of social engineering or insider threat simulations.\n\n**Business Impact**  \nPersistent leakage of workforce dynamics weakens competitive advantage and exposes strategic vulnerabilities. Competitors or hostile entities benefit from real-time intelligence about staffing decisions and internal restructuring initiatives.\n\n---\n\n### [Directory Listing Enabled – Bachelor Degree Certificates Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=D;O=D |\n\n**Description**  \nThis instance presents the `/assets/bachelor_degree_certificates/` directory sorted by modification date (`C=D`) in descending order (`O=D`). 
Similar to prior findings, this view enables attackers to observe temporal patterns in certificate submissions, potentially correlating with enrollment periods or graduation schedules.\n\nSuch transparency erodes institutional discretion and facilitates predictive modeling of academic operations.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers analyze submission timelines to infer peak processing windows:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=D;O=D\"\n```\n\nTiming attacks exploiting predictable upload rhythms increase chances of intercepting fresh credentials before protective measures are implemented.\n\n**Business Impact**  \nCompromised academic recordkeeping threatens institutional autonomy and student welfare. Predictive analytics built from leaked data compromise future planning and expose weaknesses in digital infrastructure stewardship.\n\n---\n\n### [Directory Listing Enabled – Bachelor Degree Certificates Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=M;O=D |\n\n**Description**  \nSorting the `/assets/bachelor_degree_certificates/` directory by last-modified time (`C=M`) in descending order (`O=D`) reveals chronological progression of certificate uploads. 
This pattern assists attackers in identifying newly enrolled students or those who have recently completed graduation requirements.\n\nWithout proper authorization checks, this interface serves as an open window into institutional academic pipelines.\n\n**Attack Scenario (Proof of Concept)**  \nAutomated scripts can poll this endpoint periodically to capture emerging entries:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=M;O=D\"\n```\n\nCaptured data supports rapid profiling and early-stage targeting of vulnerable populations still unfamiliar with advanced phishing countermeasures.\n\n**Business Impact**  \nEarly-stage credential harvesting undermines student preparedness and institutional reputation. Targeted attacks exploiting naive recipients escalate breach probabilities and amplify downstream consequences for broader network ecosystems.\n\n---\n\n### [Directory Listing Enabled – Bachelor Degree Certificates Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=S;O=D |\n\n**Description**  \nThis version of the `/assets/bachelor_degree_certificates/` directory lists files sorted by size (`C=S`) in descending order (`O=D`). 
File size variations hint at differences in formatting, resolution, or completeness among scanned documents, offering clues about quality assurance practices and scanning workflows.\n\nSuch granular insight empowers attackers to select higher-fidelity samples for analysis or manipulation purposes.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers filter by size to focus on richer-quality scans:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/bachelor_degree_certificates/?C=S;O=D\"\n```\n\nHigh-resolution documents yield clearer text and better OCR results, improving success rates for forged credential fabrication or deepfake synthesis.\n\n**Business Impact**  \nEnhanced clarity of leaked documents raises stakes for forgery and impersonation attacks. Sophisticated adversaries exploit superior imagery to bypass verification mechanisms and penetrate trusted domains undetected.\n\n---\n\n### [Directory Listing Enabled – Masters Degree Certificates Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=S;O=D |\n\n**Description**  \nThe `/assets/masters_degree_certificates/` directory is exposed with sorting set to file size (`C=S`) in descending order (`O=D`). 
Master’s degree certificates generally represent advanced academic achievements and carry greater weight in professional contexts than bachelor-level equivalents.\n\nTheir public availability significantly expands opportunities for credential abuse and identity misrepresentation.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers target high-value candidates by focusing on larger files:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=S;O=D\"\n```\n\nThese documents often feature enhanced security features or official seals that, once digitized, provide templates for counterfeit production.\n\n**Business Impact**  \nLoss of master’s degree certificate integrity damages institutional prestige and opens avenues for elite-level impersonation. Fraudulent claims backed by authentic-looking credentials undermine hiring standards and dilute brand equity.\n\n---\n\n### [Directory Listing Enabled – Aadhaar Cards Sorted by Size Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/aadharcards/?C=S;O=D |\n\n**Description**  \nThis view of the `/assets/aadharcards/` directory displays files sorted by size (`C=S`) in descending order (`O=D`). 
Given the sensitivity of Aadhaar documents, even minor variations in file characteristics offer attackers refined targeting options.\n\nLarger files may correspond to clearer scans or multi-page documents, making them prime candidates for forensic reconstruction or template extraction.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers prioritize high-resolution scans for maximum utility:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/aadharcards/?C=S;O=D\"\n```\n\nExtracted images serve as foundational elements for creating convincing replicas suitable for online verification bypasses or physical reproduction.\n\n**Business Impact**  \nIncreased fidelity of stolen Aadhaar data heightens potential for successful impersonation and systemic fraud. Breach severity escalates proportionally with document quality, inviting broader societal implications beyond immediate organizational boundaries.\n\n---\n\n### [Directory Listing Enabled – Masters Degree Certificates Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=M;O=D |\n\n**Description**  \nThe `/assets/masters_degree_certificates/` directory is displayed with sorting configured by last-modified time (`C=M`) in descending order (`O=D`). 
This arrangement highlights recent additions to the repository, potentially corresponding to newly graduated postgraduate students or updated verification records.\n\nSuch timeliness enhances relevance for attackers seeking current, credible credentials.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers monitor for fresh uploads to maximize currency of harvested data:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=M;O=D\"\n```\n\nTimely acquisition ensures compatibility with contemporary verification systems and reduces suspicion during validation checks.\n\n**Business Impact**  \nReal-time access to postgraduate credentials accelerates credential harvesting campaigns and fuels rapid proliferation of falsified identities. Institutional oversight gaps compound risks and diminish capacity to respond effectively to emerging threats.\n\n---\n\n### [Directory Listing Enabled – Faculty Photos Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/faculty_photos/?C=N;O=A |\n\n**Description**  \nFaculty photographs are stored in a publicly accessible directory at `/assets/faculty_photos/`, sorted alphabetically by name (`C=N`) in ascending order (`O=A`). 
Visual identification of teaching staff enables attackers to craft personalized phishing messages or conduct reconnaissance ahead of targeted intrusions.\n\nPhotographic assets also aid in constructing realistic social engineering personas or validating impersonation attempts.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers compile visual rosters for precision targeting:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/faculty_photos/?C=N;O=A\"\n```\n\nPaired with publicly available faculty bios or LinkedIn profiles, these images enhance authenticity of deceptive communications and improve engagement likelihood.\n\n**Business Impact**  \nExposure of faculty imagery facilitates targeted deception campaigns that threaten academic continuity and research integrity. Compromised educators may inadvertently grant access to restricted systems or divulge privileged institutional knowledge.\n\n---\n\n### [Directory Listing Enabled – Faculty Photos Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/faculty_photos/?C=D;O=D |\n\n**Description**  \nThis variant of the `/assets/faculty_photos/` directory is sorted by modification date (`C=D`) in descending order (`O=D`). 
Recent additions or revisions to faculty photos become immediately apparent, signaling changes in departmental composition or personnel transitions.\n\nSuch transparency aids attackers in maintaining up-to-date targeting databases aligned with actual staffing realities.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers track faculty updates to stay synchronized with organizational shifts:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/faculty_photos/?C=D;O=D\"\n```\n\nUpdated imagery reflects current appearances, reducing inconsistencies that might otherwise trigger skepticism during impersonation attempts.\n\n**Business Impact**  \nContinuously refreshed visual intelligence strengthens adversarial positioning and prolongs dwell times within compromised environments. Faculty unawareness of photo exposure leaves them vulnerable to exploitation and indirect compromise of affiliated systems.\n\n---\n\n### [Directory Listing Enabled – Masters Degree Certificates Sorted Alphabetically Ascending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=N;O=A |\n\n**Description**  \nThe `/assets/masters_degree_certificates/` directory is presented alphabetically by name (`C=N`) in ascending order (`O=A`). 
This traditional listing format simplifies manual browsing and supports brute-force enumeration of known individuals or alphabetical searches for specific surnames.\n\nAlphabetical organization streamlines attacker efficiency while undermining privacy expectations around academic credentials.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers systematically traverse the list to locate desired targets:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=N;O=A\"\n```\n\nName-based searches expedite credential harvesting and reduce overhead associated with random sampling or guesswork.\n\n**Business Impact**  \nFacilitated access to named academic records erodes individual privacy and institutional accountability. Targeted credential theft undermines trust in digital credentialing systems and invites widespread misuse of validated qualifications.\n\n---\n\n### [Directory Listing Enabled – Masters Degree Certificates Sorted by Date Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=D;O=D |\n\n**Description**  \nThis final iteration of the `/assets/masters_degree_certificates/` directory uses sorting by modification date (`C=D`) in descending order (`O=D`). 
As with earlier instances, this approach emphasizes recency and enables attackers to focus on the latest additions to the repository.\n\nSuch emphasis on timeliness aligns with attacker priorities for acquiring current, actionable credentials.\n\n**Attack Scenario (Proof of Concept)**  \nAttackers monitor for freshly uploaded certificates to ensure relevance:\n\n```bash\ncurl -s \"https://onmark.co.in/nmu/assets/masters_degree_certificates/?C=D;O=D\"\n```\n\nRecent uploads typically correspond to recent graduates, whose credentials remain highly relevant for job market infiltration or academic credential mimicry.\n\n**Business Impact**  \nTimely exposure of postgraduate credentials accelerates credential harvesting and identity synthesis operations. Institutions failing to protect such assets face mounting pressure to reassess digital governance policies and implement stricter access controls.\n\n---\n\n### [Directory Listing Enabled – Print Data Sorted by Modification Time Descending]\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://onmark.co.in/nmu/assets/masterdata/print_data/?C=M;O=D |\n\n**Description**  \nThe web server at `https://onmark.co.in/nmu` exposes directory listings under `/assets/masterdata/print_data/`. This configuration allows remote users to browse the contents of directories that do not contain an index file. 
Directory listing can inadvertently expose sensitive files or provide attackers with reconnaissance information about application structure and potential targets.\n\nIn this case, the query parameters (`?C=M;O=D`) suggest sorting by modification time descending, which may indicate automated browsing behavior used during content discovery phases of penetration testing or malicious scanning.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could use a browser or tools like `curl` or `wget` to enumerate accessible directories:\n\n```bash\ncurl -s \"https://onmark.co.in","summary":{"total":1312}},"summary":{"total":1312}},{"_id":{"$oid":"6a1f650d0e132afe2f0727e2"},"created_at":{"$date":"2026-06-02T23:19:41.967Z"},"url":"https://www.cert-in.org.in/","tool":"generate_content_discovery_report","result":{"url":"https://www.cert-in.org.in/","category":"content_discovery","timestamp":"2026-06-02T23:19:41.962350+00:00","report":"### [Content Discovery / https://www.cert-in.org.in / /favicon.ico]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | content_discovery |\n| Asset / URL | https://www.cert-in.org.in/favicon.ico |\n\n**Description**\nThe favicon.ico file represents a default resource that web browsers automatically request when accessing a website. This file serves as the visual identifier displayed in browser tabs, bookmarks, and favorites. The presence of this file at the root path (/favicon.ico) with a 200 OK HTTP response code indicates standard web server behavior where the favicon has been properly configured and is accessible to clients. Content discovery of this nature reveals the existence of common web resources that are typically present on most websites. 
While not inherently vulnerable, the identification of such files contributes to an attacker's understanding of the target's web infrastructure and can be used as part of fingerprinting activities to build a comprehensive profile of the web application.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker conducting reconnaissance against the target domain would observe automatic browser requests for favicon.ico or manually probe for its existence using the following methods:\n\n```bash\ncurl -I https://www.cert-in.org.in/favicon.ico\n# Or, written out as a raw HTTP request:\n# GET /favicon.ico HTTP/1.1\n# Host: www.cert-in.org.in\n```\n\nThe successful retrieval of this resource provides minimal intelligence but confirms the web server's responsiveness and proper configuration of static assets. Advanced attackers may analyze the favicon's metadata or hash to identify potential technology fingerprints or correlate with known vulnerable applications that use similar favicon configurations.\n\n**Business Impact**\nThe discovery of a favicon.ico file presents negligible business impact as this represents normal web application behavior. There are no direct security implications associated with having a publicly accessible favicon. However, from an operational security perspective, the file could potentially reveal information about the organization's branding or technology stack if analyzed in conjunction with other discovered resources. The primary concern remains informational rather than constituting a genuine security risk requiring remediation.","summary":{"total":1}},"summary":{"total":1}}]