POLICY_QA_STD on ZAP

Absence of Anti-CSRF Tokens

Mon, 01 Jan 0001 00:00:00 +0000

No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Application Error Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Authentication Credentials Captured

Mon, 01 Jan 0001 00:00:00 +0000

An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted. The attacker eavesdrops on the network until an authentication has completed.

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Poisoning

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Cookie with Invalid SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie with SameSite Attribute None

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with its SameSite attribute set to “none”, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie without SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

CORS Header

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (DOM Based)

Mon, 01 Jan 0001 00:00:00 +0000

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user’s browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology. When an attacker gets a user’s browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

Cross Site Scripting (Persistent)

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Persistent)

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Persistent) - Prime

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Persistent) - Spider

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting (Reflected)

Mon, 01 Jan 0001 00:00:00 +0000

Cross Site Scripting Weakness (Persistent in JSON Response)

Mon, 01 Jan 0001 00:00:00 +0000

A XSS attack was found in a JSON response, this might leave content consumers vulnerable to attack if they don’t appropriately handle the data (response).

Cross-Domain JavaScript Source File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files from a third-party domain.

Cross-Domain Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Cross-Origin-Embedder-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Opener-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

Cross-Origin-Resource-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Deprecated Feature Policy Header Set

Mon, 01 Jan 0001 00:00:00 +0000

The header has now been renamed to Permissions-Policy.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

Exponential Entity Expansion (Billion Laughs Attack)

Mon, 01 Jan 0001 00:00:00 +0000

An exponential entity expansion, or “billion laughs” attack is a type of denial-of-service (DoS) attack. It is aimed at parsers of markup languages like XML or YAML that allow macro expansions.

Expression Language Injection

Mon, 01 Jan 0001 00:00:00 +0000

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

URL redirectors represent common functionality employed by web sites to forward an incoming request to an alternate resource. This can be done for a variety of reasons and is often done to allow resources to be moved within the directory structure and to avoid breaking functionality for users that request the resource at its previous location. URL redirectors may also be used to implement load balancing, leveraging abbreviated URLs or recording outgoing links. It is this last implementation which is often used in phishing attacks as described in the example below. URL redirectors do not necessarily represent a direct security vulnerability but can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination.

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

External Redirect

Mon, 01 Jan 0001 00:00:00 +0000

Full Path Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The full path of files which might be sensitive has been exposed to the client.

GET for POST

Mon, 01 Jan 0001 00:00:00 +0000

A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

HTTP Parameter Override

Mon, 01 Jan 0001 00:00:00 +0000

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable.

HTTP to HTTPS Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.

HTTPS Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Performs HTTPS configuration analysis including certificate details and supported cipher suites.

HTTPS Security Configuration Issues

Mon, 01 Jan 0001 00:00:00 +0000

The HTTPS configuration has one or more security issues identified by the TLS risk assessment.

HTTPS to HTTP Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they’re submitting data to a secure page when in fact they are not.

Image Exposes Location or Privacy Data

Mon, 01 Jan 0001 00:00:00 +0000

The image was found to contain embedded location information, such as GPS coordinates, or another privacy exposure, such as camera serial number. Depending on the context of the image in the website, this information may expose private details of the users of a site. For example, a site that allows users to upload profile pictures taken in the home may expose the home’s address.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Information Disclosure - Sensitive Information in HTTP Referrer Header

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Sensitive Information in URL

Mon, 01 Jan 0001 00:00:00 +0000

The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Insecure JSF ViewState

Mon, 01 Jan 0001 00:00:00 +0000

The response at the following URL contains a ViewState value that has no cryptographic protections.

Loosely Scoped Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Off-site Redirect

Mon, 01 Jan 0001 00:00:00 +0000

Open redirects are one of the OWASP 2010 Top Ten vulnerabilities. This check looks at user-supplied input in query string parameters and POST data to identify where open redirects might be possible. Open redirects occur when an application allows user-supplied input (e.g. https://nottrusted.com) to control an off-site destination. This is generally a pretty accurate way to find where 301 or 302 redirects could be exploited by spammers or phishing attacks.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

PII Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data.

Private IP Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Referer Exposes Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Remote Code Execution (React2Shell)

Mon, 01 Jan 0001 00:00:00 +0000

The server is running Next.js and vulnerable versions of React Server Components with Next.js which allow remote attackers to execute arbitrary code.

Remote File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

Remote File Include (RFI) is an attack technique used to exploit “dynamic file include” mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.

Remote OS Command Injection

Mon, 01 Jan 0001 00:00:00 +0000

Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.

Remote OS Command Injection (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

Reverse Tabnabbing

Mon, 01 Jan 0001 00:00:00 +0000

At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the “noopener” and “noreferrer” keywords in the “rel” attribute, which allows the target page to take control of this page.

Script Served From Malicious Domain (polyfill)

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files loaded from one of the ‘polyfill’ domains. These are not associated with the polyfill.js library and are known to serve malicious content.

Script Served From Malicious Domain (polyfill)

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script which appear to include a reference to one of the ‘polyfill’ domains. These are not associated with the polyfill.js library and are known to serve malicious content. You should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain.

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking information via one or more “X-Powered-By” HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Server Side Code Injection - ASP Code Injection

Mon, 01 Jan 0001 00:00:00 +0000

A code injection may be possible including custom code that will be evaluated by the scripting engine.

Server Side Code Injection - PHP Code Injection

Mon, 01 Jan 0001 00:00:00 +0000

A code injection may be possible including custom code that will be evaluated by the scripting engine.

Server Side Include

Mon, 01 Jan 0001 00:00:00 +0000

Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed.

Server Side Template Injection

Mon, 01 Jan 0001 00:00:00 +0000

When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

SOAP Action Spoofing

Mon, 01 Jan 0001 00:00:00 +0000

An unintended SOAP operation was executed by the server.

SOAP XML Injection

Mon, 01 Jan 0001 00:00:00 +0000

Some XML injected code has been interpreted by the server.

Source Code Disclosure - PHP

Mon, 01 Jan 0001 00:00:00 +0000

Application Source Code was disclosed by the web server. - PHP

SQL Injection

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - Hypersonic SQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - MsSQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - MySQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - Oracle (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

SQL Injection - PostgreSQL (Time Based)

Mon, 01 Jan 0001 00:00:00 +0000

SQL injection may be possible.

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Vulnerable JS Library

Mon, 01 Jan 0001 00:00:00 +0000

The identified library appears to be vulnerable.

Weak Authentication Method

Mon, 01 Jan 0001 00:00:00 +0000

HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.

WSDL File Detection

Mon, 01 Jan 0001 00:00:00 +0000

A WSDL File has been detected.

X-ChromeLogger-Data (XCOLD) Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Debug-Token Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.

XML External Entity Attack

Mon, 01 Jan 0001 00:00:00 +0000

This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to. Attackers may also use External Entities to have the web services server download malicious code or content to the server for use in secondary or follow on attacks.

XPath Injection

Mon, 01 Jan 0001 00:00:00 +0000

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document. The syntax of XPath bears some resemblance to an SQL query, and indeed, it is possible to form SQL-like queries on an XML document using XPath.

XSLT Injection

Mon, 01 Jan 0001 00:00:00 +0000

Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.