Website Vulnerability Scanner Report (Light)
Unlock the full capabilities of this scanner
See what the DEEP scanner can do
Perform in-depth website scanning and discover high risk vulnerabilities.
Testing areas Light scan Deep scan
Website fingerprinting
Version-based vulnerability detection
Common configuration issues
SQL injection
Cross-Site Scripting
Local/Remote File Inclusion
Remote command execution
Discovery of sensitive files
http://online.t42.co.uk/pa_ga.htm
The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.
Summary
Overall risk level: Risk ratings: Scan information:
Medium High: 0 Start time: Aug 12, 2024 / 06:53:57 UTC+03
Medium: 1 Finish time: Aug 12, 2024 / 06:54:15 UTC+03
Low: 4 Scan duration: 18 sec
Info: 14 Tests performed: 19/19
Scan status: Finished
Findings
Communication is not secure CONFIRMED
URL Response URL Evidence
http://online.t42.co.uk/pa_ga.htm http://online.t42.co.uk/pa_ga.htm Communication is made over unsecure, unencrypted HTTP.
Details
Risk description:
The risk is that an attacker who manages to intercept the communication at the network level can read and modify the data transmitted
(including passwords, secret tokens, credit card information and other sensitive data).
Recommendation:
1/5
� We recommend you to reconfigure the web server to use HTTPS - which encrypts the communication between the web browser and the
server.
Classification:
CWE : CWE-311
OWASP Top 10 - 2017 : A3 - Sensitive Data Exposure
OWASP Top 10 - 2021 : A4 - Insecure Design
Missing security header: Content-Security-Policy CONFIRMED
URL Evidence
Response does not include the HTTP Content-Security-Policy security header or meta tag
http://online.t42.co.uk/pa_ga.htm
Request / Response
Details
Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.
Recommendation:
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the
application.
References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: Referrer-Policy CONFIRMED
URL Evidence
Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with
http://online.t42.co.uk/pa_ga.htm name 'referrer' is not present in the response.
Request / Response
Details
Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.
Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.
References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: X-Content-Type-Options CONFIRMED
URL Evidence
Response headers do not include the X-Content-Type-Options HTTP security header
http://online.t42.co.uk/pa_ga.htm
Request / Response
Details
2/5
� Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.
Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Server software and technology found UNCONFIRMED
Software / Version Category
Cloudflare CDN
HTTP/3 Miscellaneous
Details
Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Security.txt file is missing CONFIRMED
URL
Missing: http://online.t42.co.uk/.well-known/security.txt
Details
Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.
Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.
References:
https://securitytxt.org/
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Website is accessible.
Nothing was found for vulnerabilities of server-side software.
3/5
� Nothing was found for client access policies.
Nothing was found for robots.txt file.
Nothing was found for use of untrusted certificates.
Nothing was found for enabled HTTP debug methods.
Nothing was found for enabled HTTP OPTIONS method.
Nothing was found for directory listing.
Nothing was found for missing HTTP header - Strict-Transport-Security.
Nothing was found for domain too loose set for cookies.
Nothing was found for HttpOnly flag of cookie.
Nothing was found for Secure flag of cookie.
Nothing was found for unsafe HTTP header Content Security Policy.
Scan coverage information
List of tests performed (19/19)
Starting the scan...
Checking for missing HTTP header - Content Security Policy...
Checking for secure communication...
Checking for missing HTTP header - Referrer...
Checking for missing HTTP header - X-Content-Type-Options...
Checking for website technologies...
Checking for vulnerabilities of server-side software...
Checking for client access policies...
Checking for robots.txt file...
Checking for absence of the security.txt file...
Checking for use of untrusted certificates...
Checking for enabled HTTP debug methods...
Checking for enabled HTTP OPTIONS method...
Checking for directory listing...
Checking for missing HTTP header - Strict-Transport-Security...
Checking for domain too loose set for cookies...
Checking for HttpOnly flag of cookie...
Checking for Secure flag of cookie...
Checking for unsafe HTTP header Content Security Policy...
Scan parameters
Target: http://online.t42.co.uk/pa_ga.htm
Scan type: Light
4/5
�Authentication: False
Scan stats
Unique Injection Points Detected: 1
URLs spidered: 1
Total number of HTTP requests: 10
Average time until a response was
21ms
received:
5/5
