Scribd
Upload
33 views8 pages

PentestTools WebsiteScanner

The report scans a website for vulnerabilities and finds several issues. It detects vulnerabilities like insecure cookie settings, directory listing enabled, and missing security headers. It also finds potential vulnerabilities in the server-side jQuery version being used. The report provides details on each finding and recommends fixes.

Uploaded by

Nasir Ahmad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
33 views8 pages

PentestTools WebsiteScanner

The report scans a website for vulnerabilities and finds several issues. It detects vulnerabilities like insecure cookie settings, directory listing enabled, and missing security headers. It also finds potential vulnerabilities in the server-side jQuery version being used. The report provides details on each finding and recommends fixes.

Uploaded by

Nasir Ahmad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Website Vulnerability Scanner Report (Light)

Unlock the full capabilities of this scanner

See what the FULL scanner can do

Perform in-depth website scanning and discover high risk vulnerabilities.

Testing areas Light scan Full scan

Website fingerprinting  

Version-based vulnerability detection  

Common configuration issues  

SQL injection  

Cross-Site Scripting  
Local/Remote File Inclusion  

Remote command execution  

Discovery of sensitive files  

 https://www.cgc.ac.in

Summary

Overall risk level: Risk ratings: Scan information:


Medium High: 0 Start time: 2022-09-28 18:12:54 UTC+03
Medium: 4 Finish time: 2022-09-28 18:13:54 UTC+03

Low: 8 Scan duration: 1 min, 0 sec

Info: 7 Tests performed: 19/19

Scan status: Finished

Findings

 Insecure cookie setting: missing Secure flag CONFIRMED

URL Cookie Name Evidence

Set-Cookie:
https://www.cgc.ac.in PHPSESSID
PHPSESSID=f636d70dea3e3806d348f8d2ad6be76d; path=/

 Details

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is
made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will
steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation:

1/8
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel.
Ensure that the secure flag is set for cookies containing such sensitive information.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-
Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Classification:
CWE : CWE-614
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Insecure cookie setting: missing HttpOnly flag CONFIRMED

URL Cookie Name Evidence

Set-Cookie:
https://www.cgc.ac.in PHPSESSID
PHPSESSID=f636d70dea3e3806d348f8d2ad6be76d; path=/

 Details

Risk description:
A cookie has been set without the HttpOnly flag, which means that it can be accessed by the JavaScript code running inside the web
page. If an attacker manages to inject malicious JavaScript code on the page (e.g. by using an XSS attack) then the cookie will be
accessible and it can be transmitted to another site. In case of a session cookie, this could lead to session hijacking.

Recommendation:
Ensure that the HttpOnly flag is set for all cookies.

References:
https://owasp.org/www-community/HttpOnly

Classification:
CWE : CWE-1004
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Directory listing is enabled CONFIRMED

URL

https://www.cgc.ac.in/fonts

 Details

Risk description:
An attacker can see the entire structure of files and subdirectories from the affected URL. It is often the case that sensitive files are
"hidden" among public files in that location and attackers can use this vulnerability to access them.

Recommendation:
We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive
files at the mentioned URLs.

References:
http://projects.webappsec.org/w/page/13246922/Directory%20Indexing

Classification:
CWE : CWE-548
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

Screenshot:

2/8
Figure 1. Directory Listing

 Vulnerabilities found for server-side software UNCONFIRMED 

Risk Affected
CVSS CVE Summary Exploit
Level software

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a


jQuery
 4.3 CVE-2015-9251 cross-domain Ajax request is performed without the dataType option, causing N/A
2.1.4
text/javascript responses to be executed.

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products,
mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If jQuery
 4.3 CVE-2019-11358 N/A
an unsanitized source object contained an enumerable __proto__ property, it 2.1.4
could extend the native Object.prototype.

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML
from untrusted sources - even after sanitizing it - to one of jQuery's DOM jQuery
 4.3 CVE-2020-11022 N/A
manipulation methods (i.e. .html(), .append(), and others) may execute 2.1.4
untrusted code. This problem is patched in jQuery 3.5.0.

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML
containing <option> elements from untrusted sources - even after sanitizing it - jQuery
 4.3 CVE-2020-11023 N/A
to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and 2.1.4
others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

 Details

Risk description:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of
service attacks. An attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to
attack the system.

Recommendation:
We recommend you to upgrade the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Classification:
CWE : CWE-1026
OWASP Top 10 - 2013 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities

3/8
 Missing security header: Content-Security-Policy CONFIRMED

URL Evidence

https://www.cgc.ac.in Response headers do not include the HTTP Content-Security-Policy security header

 Details

Risk description:
The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation
of Cross-Site Scripting vulnerabilities (XSS). If the target application is vulnerable to XSS, lack of this header makes it easily exploitable
by attackers.

Recommendation:
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the
application.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Missing security header: Strict-Transport-Security CONFIRMED

URL Evidence

https://www.cgc.ac.in Response headers do not include the HTTP Strict-Transport-Security header

 Details

Risk description:
The HTTP Strict-Transport-Security header instructs the browser to initiate only secure (HTTPS) connections to the web server and
deny any unencrypted HTTP connection attempts. Lack of this header permits an attacker to force a victim user to initiate a clear-text
HTTP connection to the server, thus opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g.
session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several
months. A value below 7776000 is considered as too low by this scanner check.
The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Missing security header: Referrer-Policy CONFIRMED

URL Evidence

Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name
https://www.cgc.ac.in
'referrer' is not present in the response.

 Details

4/8
Risk description:
The Referrer-Policy HTTP header controls how much referrer information the browser will send with each request originated from the
current web application.
For instance, if a user visits the web page "http://example.com/pricing/" and it clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The
value no-referrer of this header instructs the browser to omit the Referer header entirely.

References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Missing security header: X-Content-Type-Options CONFIRMED

URL Evidence

https://www.cgc.ac.in Response headers do not include the X-Content-Type-Options HTTP security header

 Details

Risk description:
The HTTP header X-Content-Type-Options is addressed to the Internet Explorer browser and prevents it from reinterpreting the
content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to
attacks such as Cross-Site Scripting or phishing.

Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Missing security header: X-Frame-Options CONFIRMED

URL Evidence

https://www.cgc.ac.in Response headers do not include the HTTP X-Frame-Options security header

 Details

Risk description:
Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party
website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the
application, thus performing activities without user consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking
attack and it is described in detail here:
https://owasp.org/www-community/attacks/Clickjacking

Recommendation:
We recommend you to add the X-Frame-Options HTTP header with the values DENY or SAMEORIGIN to every page that you want to be
protected against Clickjacking attacks.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

5/8
Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Missing security header: X-XSS-Protection CONFIRMED

URL Evidence

https://www.cgc.ac.in Response headers do not include the HTTP X-XSS-Protection security header

 Details

Risk description:
The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting
(XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

Recommendation:
We recommend setting the X-XSS-Protection header to X-XSS-Protection: 1; mode=block .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Robots.txt file found CONFIRMED

URL

https://www.cgc.ac.in/robots.txt

 Details

Risk description:
There is no particular security risk in having a robots.txt file. However, this file is often misused by website administrators to try to hide
some web pages from the users. This should not be considered a security measure because these URLs can be easily read directly from
the robots.txt file.

Recommendation:
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website
(ex. administration panels, configuration files, etc).

References:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 

Software / Version Category

Apache Web servers

PHP Programming languages

6/8
cdnjs CDN

jsDelivr CDN

Google Hosted Libraries CDN

Facebook Login Authentication

YouTube Video players

animate.css UI frameworks

Bootstrap 4.4.1 UI frameworks

Slick JavaScript libraries

OWL Carousel Widgets

Font Awesome Font scripts

Facebook Widgets

Select2 JavaScript libraries

Modernizr 2.8.3 JavaScript libraries

jQuery UI 1.12.1 JavaScript libraries

jQuery 2.1.4 JavaScript libraries

Isotope JavaScript libraries

Google Tag Manager Tag managers

Google Remarketing Tag Retargeting

Google Analytics Analytics

Google Ads Conversion Tracking Analytics

Facebook Pixel 2.9.84 Analytics

core-js 3.0.0 JavaScript libraries

Facebook Chat Plugin 10.0 Live chat

 Details

Risk description:
An attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Website is accessible.

7/8
 Nothing was found for client access policies.

 Nothing was found for absence of the security.txt file.

 Nothing was found for use of untrusted certificates.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for secure communication.

 Nothing was found for domain too loose set for cookies.

Scan coverage information

List of tests performed (19/19)


 Checking for website accessibility...
 Checking for missing HTTP header - Content Security Policy...
 Checking for Secure flag of cookie...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for HttpOnly flag of cookie...
 Checking for missing HTTP header - Referrer...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for missing HTTP header - X-Frame-Options...
 Checking for missing HTTP header - X-XSS-Protection...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for directory listing...
 Checking for secure communication...
 Checking for domain too loose set for cookies...

Scan parameters
Website URL: https://www.cgc.ac.in
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points
169
Detected:
URLs spidered: 6
Total number of HTTP requests: 17

8/8

You might also like