OWASP_2017_A06 on ZAP

.env Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.

.htaccess Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Application Error Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Backup File Detected

Mon, 01 Jan 0001 00:00:00 +0000

A backup or alternate version of a page or component was detected. An attacker may leverage information in such files to further attack or abuse the system.

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Cloud Metadata Potentially Exposed

Mon, 01 Jan 0001 00:00:00 +0000

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address ‘169.254.169.254’ - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Slack Detector

Mon, 01 Jan 0001 00:00:00 +0000

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Cross-Domain Misconfiguration - Adobe - Read

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Adobe - Send

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Silverlight

Mon, 01 Jan 0001 00:00:00 +0000

Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

ELMAH Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Emails Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Email addresses were found being serialized in the viewstate field.

Exposed Secrets in Swagger/OpenAPI Path

Mon, 01 Jan 0001 00:00:00 +0000

Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. These secrets may be accessible in the HTML source and should not be exposed publicly, as this can lead to compromise.

Full Path Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The full path of files which might be sensitive has been exposed to the client.

Generic Padding Oracle

Mon, 01 Jan 0001 00:00:00 +0000

By manipulating the padding on an encrypted string, an attacker is able to generate an error message that indicates a likely ‘padding oracle’ vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. This rule should detect the MS10-070 padding oracle vulnerability in ASP.net if CustomErrors are enabled for that.

GET for POST

Mon, 01 Jan 0001 00:00:00 +0000

A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

GraphQL Endpoint Supports Introspection

Mon, 01 Jan 0001 00:00:00 +0000

The GraphQL endpoint has Introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, etc. supported by the GraphQL endpoint. This may be valuable to an attacker, as it could enable them to craft more targeted queries.

Hidden File Found

Mon, 01 Jan 0001 00:00:00 +0000

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

HTTP Only Site

Mon, 01 Jan 0001 00:00:00 +0000

The site is only served under HTTP and not HTTPS.

HTTP Parameter Override

Mon, 01 Jan 0001 00:00:00 +0000

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable.

HTTP to HTTPS Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.

HTTPS Content Available via HTTP

Mon, 01 Jan 0001 00:00:00 +0000

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

HTTPS to HTTP Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they’re submitting data to a secure page when in fact they are not.

Image Exposes Location or Privacy Data

Mon, 01 Jan 0001 00:00:00 +0000

The image was found to contain embedded location information, such as GPS coordinates, or another privacy exposure, such as camera serial number. Depending on the context of the image in the website, this information may expose private details of the users of a site. For example, a site that allows users to upload profile pictures taken in the home may expose the home’s address.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Insecure HTTP Method - CONNECT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [CONNECT] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.

Insecure HTTP Method - DELETE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [DELETE] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PROPFIND

Mon, 01 Jan 0001 00:00:00 +0000

This HTTP method is a WEBDAV method: PROPFIND. If this server is not offering any WEBDAV services, these methods should not be available.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [PUT] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for update capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.

Insecure HTTP Method - TRACE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [TRACE] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.

Insecure JSF ViewState

Mon, 01 Jan 0001 00:00:00 +0000

The response at the following URL contains a ViewState value that has no cryptographic protections.

Loosely Scoped Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Old Asp.Net Version in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET version 1.0 or 1.1.

Possible Username Enumeration

Mon, 01 Jan 0001 00:00:00 +0000

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.

Potential IP Addresses Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Potential IP addresses were found being serialized in the viewstate field.

Properties File Disclosure - /WEB-INF folder

Mon, 01 Jan 0001 00:00:00 +0000

A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Relative Path Confusion

Mon, 01 Jan 0001 00:00:00 +0000

The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct “relative path” for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the “cross-content” response in a permissive manner, or can be tricked into permissively parsing the “cross-content” response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.

Reverse Tabnabbing

Mon, 01 Jan 0001 00:00:00 +0000

At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the “noopener” and “noreferrer” keywords in the “rel” attribute, which allows the target page to take control of this page.

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Source Code Disclosure - /WEB-INF Folder

Mon, 01 Jan 0001 00:00:00 +0000

Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Source Code Disclosure - File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Source Code Disclosure - Git

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Source Code Disclosure - PHP

Mon, 01 Jan 0001 00:00:00 +0000

Application Source Code was disclosed by the web server. - PHP

Source Code Disclosure - SVN

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Split Viewstate in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate and its value is split into several chunks.

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Trace.axd Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.

Viewstate without MAC Signature (Sure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but without any MAC.

Viewstate without MAC Signature (Unsure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but maybe without any MAC.

Vulnerable Swagger UI Version Detected

Mon, 01 Jan 0001 00:00:00 +0000

This Swagger UI version is known to contain vulnerabilities. Exploitation may allow unauthorized access, XSS, or token theft.

Affected versions:

Swagger UI v2 < 2.2.10
Swagger UI v3 < 3.24.3

Web Cache Deception

Mon, 01 Jan 0001 00:00:00 +0000

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

WSDL File Detection

Mon, 01 Jan 0001 00:00:00 +0000

A WSDL File has been detected.

X-AspNet-Version Response Header

Mon, 01 Jan 0001 00:00:00 +0000

Server leaks information via “X-AspNet-Version”/“X-AspNetMvc-Version” HTTP response header field(s).

X-Backend-Server Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.