SYSTEMIC on ZAP

Absence of Anti-CSRF Tokens

Mon, 01 Jan 0001 00:00:00 +0000

No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Poisoning

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Cookie Slack Detector

Mon, 01 Jan 0001 00:00:00 +0000

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Cookie with Invalid SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie with SameSite Attribute None

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with its SameSite attribute set to “none”, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie without SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

CORS Header

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

CRLF Injection

Mon, 01 Jan 0001 00:00:00 +0000

Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist.

Cross-Domain JavaScript Source File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files from a third-party domain.

Cross-Domain Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Cross-Origin-Embedder-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Opener-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

Cross-Origin-Resource-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Deprecated Feature Policy Header Set

Mon, 01 Jan 0001 00:00:00 +0000

The header has now been renamed to Permissions-Policy.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

Emails Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Email addresses were found being serialized in the viewstate field.

HTTPS Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Performs HTTPS configuration analysis including certificate details and supported cipher suites.

HTTPS Content Available via HTTP

Mon, 01 Jan 0001 00:00:00 +0000

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

HTTPS Security Configuration Issues

Mon, 01 Jan 0001 00:00:00 +0000

The HTTPS configuration has one or more security issues identified by the TLS risk assessment.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Information Disclosure - Sensitive Information in HTTP Referrer Header

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Sensitive Information in URL

Mon, 01 Jan 0001 00:00:00 +0000

The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Loosely Scoped Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Non-Storable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Old Asp.Net Version in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET version 1.0 or 1.1.

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

Potential IP Addresses Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Potential IP addresses were found being serialized in the viewstate field.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Re-examine Cache-control Directives

Mon, 01 Jan 0001 00:00:00 +0000

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

Referer Exposes Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Retrieved from Cache

Mon, 01 Jan 0001 00:00:00 +0000

The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as “proxy” caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

Retrieved from Cache

Mon, 01 Jan 0001 00:00:00 +0000

Sec-Fetch-Dest Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Dest Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Mode Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Mode Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Site Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-Site Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-User Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Sec-Fetch-User Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking information via one or more “X-Powered-By” HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Split Viewstate in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate and its value is split into several chunks.

Storable and Cacheable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where “shared” caching servers such as “proxy” caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

Storable but Non-Cacheable Content

Mon, 01 Jan 0001 00:00:00 +0000

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Timestamp Disclosure - Unix

Mon, 01 Jan 0001 00:00:00 +0000

A timestamp was disclosed by the application/web server. - Unix

User Agent Fuzzer

Mon, 01 Jan 0001 00:00:00 +0000

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

User Controllable Charset

Mon, 01 Jan 0001 00:00:00 +0000

This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page.

Viewstate without MAC Signature (Sure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but without any MAC.

Viewstate without MAC Signature (Unsure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but maybe without any MAC.

Web Cache Deception

Mon, 01 Jan 0001 00:00:00 +0000

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

X-AspNet-Version Response Header

Mon, 01 Jan 0001 00:00:00 +0000

Server leaks information via “X-AspNet-Version”/“X-AspNetMvc-Version” HTTP response header field(s).

X-Backend-Server Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.

X-ChromeLogger-Data (XCOLD) Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Debug-Token Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.