Website Vulnerability Scanner Report (Light)

Unlock the full capabilities of this scanner

See what the DEEP scanner can do

Perform in-depth website scanning and discover high risk vulnerabilities.

Testing areas Light scan Deep scan

Website fingerprinting  
Version-based vulnerability detection  

Common configuration issues  

SQL injection  
Cross-Site Scripting  

Local/Remote File Inclusion  

Remote command execution  

Discovery of sensitive files  

 https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-lightweight-
jersey_dd4a2bb7?data_from=index_index&variant_sku_code=15197221-12140090-54908895-
12140091-54908896-0-0

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.

Summary

Overall risk level: Risk ratings: Scan information:

Medium High: 0 Start time: Aug 05, 2024 / 09:31:15
Medium: 3 Finish time: Aug 05, 2024 / 09:31:58
Low: 5 Scan duration: 43 sec

Info: 11 Tests performed: 19/19

Scan status: Finished

Findings

 Insecure cookie setting: missing HttpOnly flag CONFIRMED

URL Cookie Name Evidence

1/7
 The server responded with Set-Cookie header(s) that does not specify the HttpOnly flag:
Set-Cookie: PHPSESSID=88f5eae526a913626ac9e989656ba951
Set-Cookie: _fbs_fbp=fb.1.1722839478212.9578816062
Set-Cookie: oemsaas_keep_alive=3A44CB48-D191-F82A-473B-EEEB798D7BBF
https://www.cyclingsgear- PHPSESSID, Set-Cookie:
eur.shop/collections/best- _fbs_fbp, order_utm_history=%5B%7B%22utm_source%22%3A%22direct%22%2C%22utm_medium
sellers/products/men-s- oemsaas_keep_alive, %22%3A%22default%22%2C%22utm_term%22%3A%22%22%2C%22utm_campaign%22%3
core-lightweight- order_utm_history, A%22%22%2C%22utm_content%22%3A%22%22%2C%22source_device%22%3A%22comp
jersey_dd4a2bb7 utm_medium uter%22%2C%22create_time%22%3A1722839478%2C%22expire_time%22%3A17254314
78%7D%5D
Set-Cookie: utm_medium=default

Request / Response

 Details

Risk description:
The risk is that an attacker who injects malicious JavaScript code on the page (e.g. by using an XSS attack) can access the cookie and can
send it to another site. In case of a session cookie, this could lead to session hijacking.

Recommendation:
Ensure that the HttpOnly flag is set for all cookies.

References:
https://owasp.org/www-community/HttpOnly

Classification:
CWE : CWE-1004
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Insecure cookie setting: missing Secure flag CONFIRMED

Cookie
URL Evidence
Name

Set-Cookie: _fbs_fbp=fb.1.1722839478212.9578816062; expires=Sun, 03-Nov-2024 06:31:18

GMT; Max-Age=7776000; path=/, utm_source=direct; expires=Wed, 04-Sep-2024 06:31:18 GMT;
Max-Age=2592000; path=/, utm_medium=default; expires=Wed, 04-Sep-2024 06:31:18 GMT;
Max-Age=2592000; path=/, utm_term=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-
Age=0; path=/, utm_campaign=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0;
https://www.cyclingsgear- path=/, utm_content=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/,
eur.shop/collections/best- order_utm_history=%5B%7B%22utm_source%22%3A%22direct%22%2C%22utm_medium%22%3A%
sellers/products/men-s- PHPSESSID 22default%22%2C%22utm_term%22%3A%22%22%2C%22utm_campaign%22%3A%22%22%2C%22u
core-lightweight- tm_content%22%3A%22%22%2C%22source_device%22%3A%22computer%22%2C%22create_time
jersey_dd4a2bb7 %22%3A1722839478%2C%22expire_time%22%3A1725431478%7D%5D; path=/,
oemsaas_keep_alive=3A44CB48-D191-F82A-473B-EEEB798D7BBF; expires=Mon, 05-Aug-2024
07:01:18 GMT; Max-Age=1800; path=/, PHPSESSID=88f5eae526a913626ac9e989656ba951;
path=/

Request / Response

 Details

Risk description:
The risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie
of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation:
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel.
Ensure that the secure flag is set for cookies containing such sensitive information.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-
Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Classification:
CWE : CWE-614
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

2/7
 Vulnerabilities found for server-side software UNCONFIRMED 

Risk Affected
CVSS CVE Summary
Level software

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting
dates. A path traversal vulnerability impacts npm (server) users of Moment.js between
versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment
 5 CVE-2022-24785
moment locale. This problem is patched in 2.29.2, and the patch can be applied to all 2.24.0
affected versions. As a workaround, sanitize the user-provided locale name before passing
it to Moment.js.

moment is a JavaScript date library for parsing, validating, manipulating, and formatting
dates. Affected versions of moment were found to use an inefficient parsing algorithm.
Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing,
which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may
moment
 5 CVE-2022-31129 notice a noticeable slowdown is observed with inputs above 10k characters. Users who
2.24.0
pass user-provided strings without sanity length checks to moment constructor are
vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied
to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable
to upgrade should consider limiting date lengths accepted from user input.

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput)
function does not differentiate selectors from HTML in a reliable fashion. In vulnerable
versions, jQuery determined whether the input was HTML by looking for the '<' character
jquery
 4.3 CVE-2012-6708 anywhere in the string, giving attackers more flexibility when attempting to construct a
1.8.3
malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly
starts with the '<' character, limiting exploitability only to attackers who can control the
beginning of a string, which is far less common.

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain
jquery
 4.3 CVE-2015-9251 Ajax request is performed without the dataType option, causing text/javascript responses
1.8.3
to be executed.

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source jquery
 4.3 CVE-2019-11358
object contained an enumerable __proto__ property, it could extend the native 1.8.3
Object.prototype.

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing
<option> elements from untrusted sources - even after sanitizing it - to one of jQuery's jquery
 4.3 CVE-2020-11023
DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted 1.8.3
code. This problem is patched in jQuery 3.5.0.

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from
untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods jquery
 4.3 CVE-2020-11022
(i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in 1.8.3
jQuery 3.5.0.

 Details

Risk description:
The risk is that an attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to
attack the system.

Recommendation:
We recommend you to upgrade the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Classification:
CWE : CWE-1026
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2021 : A6 - Vulnerable and Outdated Components

 Missing security header: Strict-Transport-Security CONFIRMED

URL Evidence

Response headers do not include the HTTP Strict-Transport-

https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-
Security header
lightweight-jersey_dd4a2bb7
Request / Response

 Details

3/7
 Risk description:
The risk is that lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus
opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months.
A value below 7776000 is considered as too low by this scanner check.
The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: Content-Security-Policy CONFIRMED

URL Evidence

Response does not include the HTTP Content-Security-Policy

https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-
security header or meta tag
lightweight-jersey_dd4a2bb7
Request / Response

 Details

Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

Recommendation:
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the
application.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: X-Content-Type-Options CONFIRMED

URL Evidence

Response headers do not include the X-Content-Type-Options

https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-
HTTP security header
lightweight-jersey_dd4a2bb7
Request / Response

 Details

Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.

Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

4/7
 Robots.txt file found CONFIRMED

URL

https://www.cyclingsgear-eur.shop/robots.txt

 Details

Risk description:
There is no particular security risk in having a robots.txt file. However, it's important to note that adding endpoints in it should not be
considered a security measure, as this file can be directly accessed and read by anyone.

Recommendation:
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website
(ex. administration panels, configuration files, etc).

References:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 

Software / Version Category

Facebook Pixel 2.9.164 Analytics

PHP Programming languages

Cloudflare CDN

anime.js 3.2.1 JavaScript graphics

core-js 3.0.0 JavaScript libraries

HTTP/3 Miscellaneous

jQuery 1.8.3 JavaScript libraries

Moment.js 2.24.0 JavaScript libraries

Swiper JavaScript libraries

Cloudflare Bot Management Security

 Details

Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Security.txt file is missing CONFIRMED

URL

5/7
 Missing: https://www.cyclingsgear-eur.shop/.well-known/security.txt

 Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 HTTP OPTIONS enabled CONFIRMED

URL Method Summary

We did a HTTP OPTIONS request.

https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-lightweight-
The server responded with a 204
jersey_dd4a2bb7?data_from=index_index&variant_sku_code=15197221-12140090-54908895-12140091- OPTIONS
status code and the header:
54908896-0-0
Allow: GET
Request / Response

 Details

Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if
any of those methods can lead to sensitive information, like authentication information, secret keys.

Recommendation:
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your
webserver configuration.

References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/

Classification:
CWE : CWE-16
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Website is accessible.

 Nothing was found for client access policies.

 Nothing was found for use of untrusted certificates.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for secure communication.

 Nothing was found for directory listing.

6/7
 Nothing was found for missing HTTP header - Referrer.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for unsafe HTTP header Content Security Policy.

Scan coverage information

List of tests performed (19/19)

 Starting the scan...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for missing HTTP header - Content Security Policy...
 Checking for HttpOnly flag of cookie...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for Secure flag of cookie...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for enabled HTTP OPTIONS method...
 Checking for secure communication...
 Checking for directory listing...
 Checking for missing HTTP header - Referrer...
 Checking for domain too loose set for cookies...
 Checking for unsafe HTTP header Content Security Policy...

Scan parameters
https://www.cyclingsgear-eur.shop/collections/best-sellers/products/men-s-core-lightweight-jersey_dd4a2bb7?
Target:
data_from=index_index&variant_sku_code=15197221-12140090-54908895-12140091-54908896-0-0
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points Detected: 2
URLs spidered: 1
Total number of HTTP requests: 10
Average time until a response was
238ms
received:

7/7