International Standard - ISO 27001:2013: Compliance Report
14 June 2019
Generated by Acunetix
Description
ISO/IEC 27001 is an information security management system (ISMS) standard published in September 2013 by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC
27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.
The objective of this standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining,
and improving an Information Security Management System.
Disclaimer
This document or any of its content cannot account for, or be included in any form of legal advice. The outcome of a vulnerability
scan (or security evaluation) should be utilized to ensure that diligent measures are taken to lower the risk of potential exploits
carried out to compromise data.
Legal advice must be supplied according to its legal context. All laws and the environments in which they are applied, are
constantly changed and revised. Therefore no information provided in this document may ever be used as an alternative to a
qualified legal body or representative.
Scan
URL http://192.168.1.207:8069/web/
Scan date 14/06/2019, 09:04:31
Duration 2 minutes, 59 seconds
Profile Full Scan
Compliance at a Glance
This section of the report is a summary and lists the number of alerts found according to individual compliance categories.
- Inventory of assets (8.1.1)
No alerts in this category
- Handling of assets (8.2.3)
Total number of alerts in this category: 1
- Electronic messaging (13.2.3)
No alerts in this category
- Protection of records (18.1.3)
Total number of alerts in this category: 1
This section is a detailed report that explains each vulnerability found according to individual compliance categories.
(8.1.1) Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall
be drawn up and maintained.
(8.2.3) Handling of assets
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme
adopted by the organization.
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
No alerts in this category.
The allocation and use of privileged access rights shall be restricted and controlled.
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim
did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.
Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more
information about the affected HTML form.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
CWE: CWE-307
Affected item: Web Server
Affected parameter:
Variants: Not available in the free trial
The allocation of secret authentication information shall be controlled through a formal management process.
Users shall be required to follow the organization's practices in the use of secret authentication information.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.
Access to information and application system functions shall be restricted in accordance with the access control policy.
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on
procedure.
Password management systems shall be interactive and shall ensure quality passwords.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly
controlled.
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to
the operational environment.
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user
awareness.
Logging facilities and log information shall be protected against tampering and unauthorized access.
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the
cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session
cookies.
This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie
can only be accessed over secure SSL channels. This is an important security protection for session cookies.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.
Security mechanisms, service levels and management requirements of all network services shall be identified and included in
network services agreements, whether these services are provided in-house or outsourced.
(13.2.3) Electronic messaging
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract
dispute and unauthorized disclosure and modification.
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Rules for the development of software and systems shall be established and applied to developments within the organization.
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
(18.1.3) Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with
legislatory, regulatory, contractual and business requirements.
Total number of alerts in this category: 1
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation
where applicable.
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
This section provides full details of the types of vulnerabilities found according to individual affected items.
Web Server
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim
did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.
Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more
information about the affected HTML form.
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.
You are using a vulnerable JavaScript library. One or more vulnerabilities were reported for this version of the JavaScript library.
Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were
reported.
This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the
cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session
cookies.
This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie
can only be accessed over secure SSL channels. This is an important security protection for session cookies.
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an
attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you
discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to
implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more
information about fixing this problem.
This alert belongs to the following categories: 9.2.3, 9.3.1, 9.4.3, 12.5.1
This application contains a session token in the query parameters. A session token is sensitive information and should not be
stored in the URL. URLs could be logged or leaked via the Referer header.
This alert belongs to the following categories: 8.2.3, 9.4.1, 12.4.2, 12.4.3, 18.1.3, 18.1.4