Scribd Logo
Upload

Welcome to Scribd!

  • 43 views

    Website Vulnerability Scanner Report (Light)

    Uploaded by

    alex681219
    The document is a vulnerability scanner report for a website that identifies several security issues. The light scan found 5 issues of medium risk: directory listing enabled, untrusted SSL certificate, insecure cookie setting missing secure flag, and missing security headers for HSTS, CSP, and X-Frame-Options. Enabling the full scan could detect additional high risk issues like SQL injection, XSS, file inclusion, and command execution vulnerabilities.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Website Vulnerability Scanner Report (Light)

    Uploaded by

    alex681219
    43 views6 pages
    The document is a vulnerability scanner report for a website that identifies several security issues. The light scan found 5 issues of medium risk: directory listing enabled, untrusted SSL certificate, insecure cookie setting missing secure flag, and missing security headers for HSTS, CSP, and X-Frame-Options. Enabling the full scan could detect additional high risk issues like SQL injection, XSS, file inclusion, and command execution vulnerabilities.

    Original Description:

    Original Title

    PentestTools-WebsiteScanner-report

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document is a vulnerability scanner report for a website that identifies several security issues. The light scan found 5 issues of medium risk: directory listing enabled, untrusted SSL certificate, insecure cookie setting missing secure flag, and missing security headers for HSTS, CSP, and X-Frame-Options. Enabling the full scan could detect additional high risk issues like SQL injection, XSS, file inclusion, and command execution vulnerabilities.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    43 views6 pages

    Website Vulnerability Scanner Report (Light)

    Uploaded by

    alex681219
    The document is a vulnerability scanner report for a website that identifies several security issues. The light scan found 5 issues of medium risk: directory listing enabled, untrusted SSL certificate, insecure cookie setting missing secure flag, and missing security headers for HSTS, CSP, and X-Frame-Options. Enabling the full scan could detect additional high risk issues like SQL injection, XSS, file inclusion, and command execution vulnerabilities.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 6

    Website Vulnerability Scanner Report (Light)

    Unlock the full capabilities of this scanner

    See what the FULL scanner can do

    Perform in-depth website scanning and discover high risk vulnerabilities.

    Testing areas Light scan Full scan

    Website fingerprinting  

    Version-based vulnerability detection  

    Common configuration issues  

    SQL injection  
    Cross-Site Scripting  

    Local/Remote File Inclusion  

    Remote command execution  

    Discovery of sensitive files  

     https://132.148.71.254

    Summary

    Overall risk level: Risk ratings: Scan information:


    Medium High: 0 Start time: 2022-01-19 15:46:33 UTC+02
    Medium: 3 Finish time: 2022-01-19 15:47:11 UTC+02

    Low: 7 Scan duration: 38 sec

    Info: 5 Tests performed: 15/15

    Scan status: Finished

    Findings

     Directory listing is enabled CONFIRMED

    URL

    https://132.148.71.254/

     Details

    Risk description:
    An attacker can see the entire structure of files and subdirectories from the affected URL. It is often the case that sensitive files are
    "hidden" among public files in that location and attackers can use this vulnerability to access them.

    Recommendation:

    1/6
    We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive
    files at the mentioned URLs.

    More information about this issue:


    http://projects.webappsec.org/w/page/13246922/Directory%20Indexing.

    Classification:
    CWE : CWE-548
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

    Screenshot:

    Figure 1. Directory Listing

     SSL/TLS: Server certificate is not trusted CONFIRMED

    URL: https://132.148.71.254

     Details

    Risk description:
    The SSL certificate presented by the web server is not trusted by web browsers. This makes it really difficult for humans to distinguish
    between the real certificate presented by the server and a fake SSL certificate. An attacker could easily mount a man-in-the-middle
    attack in order to sniff the SSL communication by presenting the user a fake SSL certificate.

    Recommendation:
    We recommend you to configure a trusted SSL certificate for the web server.

    Here are some examples of how to configure SSL for various servers:
    - Apache: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
    - Nginx: http://nginx.org/en/docs/http/configuring_https_servers.html

    Classification:
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Insecure cookie setting: missing Secure flag CONFIRMED

    Cookie
    URL Evidence
    Name

    2/6
    Set-Cookie:
    https://132.148.71.254/IN
    ci_session ci_session=2okdp9j1f8u8naf7kagjfah29o9uifoq; expires=Wed, 19-Jan-2022 15:47:00 GMT; Max-
    GREDION
    Age=7200; path=/; HttpOnly

     Details

    Risk description:
    Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made.
    Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the
    cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

    Recommendation:
    Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel.
    Ensure that the secure flag is set for cookies containing such sensitive information.
    https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-
    Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

    Classification:
    CWE : CWE-614
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: Strict-Transport-Security CONFIRMED

    URL Evidence

    https://132.148.71.254 Response headers do not include the HTTP Strict-Transport-Security header

     Details

    Risk description:
    The HTTP Strict-Transport-Security header instructs the browser to initiate only secure (HTTPS) connections to the web server and deny
    any unencrypted HTTP connection attempts. Lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP
    connection to the server, thus opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session
    cookies).

    Recommendation:
    The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

    Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

    The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months.
    A value below 7776000 is considered as too low by this scanner check.
    The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: Content-Security-Policy CONFIRMED

    URL Evidence

    https://132.148.71.254 Response headers do not include the HTTP Content-Security-Policy security header

     Details

    Risk description:
    The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation
    of Cross-Site Scripting vulnerabilities (XSS). If the target application is vulnerable to XSS, lack of this header makes it easily exploitable by
    attackers.

    Recommendation:
    Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the

    3/6
    application.

    Read more about CSP:


    https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: X-Frame-Options CONFIRMED

    URL Evidence

    https://132.148.71.254 Response headers do not include the HTTP X-Frame-Options security header

     Details

    Risk description:
    Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party
    website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the
    application, thus performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking
    attack and it is described in detail here:
    https://owasp.org/www-community/attacks/Clickjacking

    Recommendation:
    We recommend you to add the X-Frame-Options HTTP header with the values DENY or SAMEORIGIN to every page that you want to be
    protected against Clickjacking attacks.

    More information about this issue:


    https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: X-XSS-Protection CONFIRMED

    URL Evidence

    https://132.148.71.254 Response headers do not include the HTTP X-XSS-Protection security header

     Details

    Risk description:
    The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS)
    attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

    Recommendation:
    We recommend setting the X-XSS-Protection header to X-XSS-Protection: 1; mode=block .

    More information about this issue:


    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: X-Content-Type-Options CONFIRMED

    URL Evidence

    4/6
    https://132.148.71.254 Response headers do not include the X-Content-Type-Options HTTP security header

     Details

    Risk description:
    The HTTP header X-Content-Type-Options is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a
    web page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as
    Cross-Site Scripting or phishing.

    Recommendation:
    We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .

    More information about this issue:


    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options.

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Missing security header: Referrer-Policy CONFIRMED

    URL Evidence

    https://132.148.71.254 Response headers do not include the Referrer-Policy HTTP security header

     Details

    Risk description:
    The Referrer-Policy HTTP header controls how much referrer information the browser will send with each request originated from the
    current web application.
    For instance, if a user visits the web page "http://example.com/pricing/" and it clicks on a link from that page going to e.g.
    "https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
    header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

    Recommendation:
    The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
    no-referrer of this header instructs the browser to omit the Referer header entirely.

    Read more:
    https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

    Classification:
    CWE : CWE-693
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Server software and technology found


    Software / Version Category

    Apache Web servers

     Details

    Risk description:
    An attacker could use this information to mount specific attacks against the identified software type and version.

    Recommendation:
    We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
    system: HTTP server headers, HTML meta information, etc.

    More information about this issue:


    https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
    Fingerprint_Web_Server.html.

    5/6
    Classification:
    OWASP Top 10 - 2013 : A5 - Security Misconfiguration
    OWASP Top 10 - 2017 : A6 - Security Misconfiguration

     Website is accessible.

     Nothing was found for vulnerabilities of server-side software.

     Nothing was found for client access policies.

     Nothing was found for robots.txt file.

     Nothing was found for enabled HTTP debug methods.

    Scan coverage information

    List of tests performed (15/15)


     Checking for website accessibility...
     Checking for directory listing...
     Checking for missing HTTP header - Strict-Transport-Security...
     Checking for missing HTTP header - Content Security Policy...
     Checking for missing HTTP header - X-Frame-Options...
     Checking for missing HTTP header - X-XSS-Protection...
     Checking for missing HTTP header - X-Content-Type-Options...
     Checking for missing HTTP header - Referrer...
     Checking for website technologies...
     Checking for vulnerabilities of server-side software...
     Checking for client access policies...
     Checking for robots.txt file...
     Checking for use of untrusted certificates...
     Checking for enabled HTTP debug methods...
     Checking for Secure flag of cookie...

    Scan parameters
    Website URL: https://132.148.71.254
    Scan type: Light
    Authentication: False

    Scan stats
    Unique Injection Points Detected: 4
    URLs spidered: 7
    Total number of HTTP requests: 16

    6/6

    You might also like