The document lists various vulnerabilities found on the website mahakisan.com, categorized by severity from high to low. Key issues include weak ciphers, clear text credentials, and session hijacking, all marked as high severity. Recommendations for mitigation are provided, such as enforcing strong password policies and configuring security headers.
Wa0024.
Columns in the original sheet: S. no, Vulnerability, URL/Location, Severity, CWE Number, Description, Impact, Mitigation. Cell text that the export cut off mid-sentence is marked with [...].

1. Weak Ciphers
   URL/Location: https://mahakisan.com/
   Severity: High
   CWE: 327
   Description: We detected that weak ciphers are enabled during secure communication (TLS 1.2). You should allow only strong ciphers on your web server to protect secure communication with your v[...]
   Impact: Attackers might decrypt SSL traffic between your server [...]
   Mitigation: Configure your web server to disallow using weak c[...]

2. Clear Text Credentials
   URL/Location: https://mahakisan.com/
   Severity: High
   CWE: 319
   Description: Sensitive data credentials must be protected when it is tran[...]
   Impact: If the application transmits sensitive information via une[...]
   Mitigation: Use HTTPS for the whole web site and redirect an[...]

3. Account Bruteforce
   URL/Location: https://mahakisan.com/
   Severity: High
   CWE: 307
   Description: A hacking method that uses trial and error to crack passwor[...]
   Impact: It leads to account takeover
   Mitigation: 1. Implement captcha. 2. Brute-force attacks is to [...] Ensure passwords are stored with an algorithm specifically designed for password protection, [...]

4. Session Hijacking
   URL/Location: https://mahakisan.com/my-account/
   Severity: High
   CWE: 384
   Description: Session hijacking is as the term suggests. A user in a sess[...]
   Impact: A session attack takes advantage of data leaks in the co[...]
   Mitigation: Here are a few ways you can reduce the risk of session hijacking: [...]

5. Sensitive information disclosure
   URL/Location: https://mahakisan.com/wp-json/wp/
   Severity: Medium
   CWE: 200
   Description: Sensitive Data Exposure occurs when an organization unknow[...]
   Impact: Attacks that gain access into a system and are left to [...]
   Mitigation: Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.

6. Robots.txt file Disclosed
   URL/Location: https://mahakisan.com/robots.txt
   Severity: Medium
   CWE: 200
   Description: We detected a Robots.txt file with potentially sensitive cont[...]
   Impact: Depending on the content of the file, an attacker might di[...]
   Mitigation: Ensure you have nothing sensitive exposed within this file, such as the path of an administration panel. If disallowed [...]

7. CSRF
   URL/Location: https://mahakisan.com/Checkout
   Severity: Medium
   CWE: 352
   Description: Cross site request forgery (CSRF) is an attack vector that [...]
   Impact: Attacker can delete the user in bulk request via brutefor[...]
   Mitigation: Unpredictable with high entropy, as for session tokens in general. Tied to the user's session.

8. Risky HTTP Methods Allowed
   URL/Location: https://mahakisan.com/
   Severity: Medium
   CWE: 650
   Description: Detected that some risky HTTP methods are allowed on th[...]
   Impact: Information disclosed from these pages can be used to ga[...]
   Mitigation: Enable only HTTP methods on your web server which are necessary for your application to run. Use only GET and P[...]

9. PHP Version Disclosed
   URL/Location: https://mahakisan.com/
   Severity: Medium
   CWE: 200
   Description: We identified a version disclosure (PHP) in the target web server's HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentia[...]
   Impact: An attacker might use the disclosed information to harvest [...]
   Mitigation: Configure your web server to prevent information [...]

10. Outdated PHP Version
   URL/Location: https://mahakisan.com/
   Severity: Medium
   CWE: 1035, 937
   Description: We identified you are using an out-of-date version of PHP.
   Impact: Since this is an old version of the software, it may be vul[...]
   Mitigation: Please upgrade your installation of PHP to the latest [...]

11. Old Password Acceptance
   URL/Location: https://mahakisan.com/my-account/
   Severity: Medium
   CWE: 521
   Description: Website is accepting the previously set password as a ne[...]
   Impact: If an attacker knows your old password he can easily logi[...]
   Mitigation: Enforce a strong password policy for not accepting [...]

12. User Enumeration
   URL/Location: https://mahakisan.com/my-account/
   Severity: Medium
   CWE: 203
   Description: Revealing valid usernames can lead to privacy breaches, espe[...]
   Impact: The system responds differently when provided with a v[...]
   Mitigation: Ensure that the system presents the same error mes[...]

13. Strict-Transport-Security is missing
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 523
   Description: Identified that HTTP Strict Transport Security (HSTS) policy is not enabled.
   Impact: Login pages do not use adequate measures to protect the [...]
   Mitigation: Configure your webserver to redirect HTTP request[...]

14. Content-Security-Policy is missing
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 1021
   Description: Content-Security-Policy response header allows web site adm[...]
   Impact: If your website is vulnerable to a Cross-site Scripting at[...]
   Mitigation: Configure your web server to include a 'Content-Se[...]

15. X-XSS-Protection header is missing
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 693
   Description: Identified that X-XSS-Protection header is missing in the [...]
   Impact: The server is not configured to return an 'X-XSS-Protecti[...]
   Mitigation: Configure your web server to include an 'X-XSS-Prot[...]

16. X-Frame-Options header is missing
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 1021
   Description: The X-Frame-Options HTTP header field indicates a policy t[...]
   Impact: X-Frame-Options header which means that this website cou[...]
   Mitigation: Configure your web server to include an 'X-Frame-Options' header. Sending the proper X-Frame-Options in HTTP re[...] X-Frame-Options: DENY completely denies the page to be loaded in a frame/iframe.

17. X-Content-Type-Options is missing
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 693
   Description: The HTTP 'X-Content-Type-Options' response header preven[...]
   Impact: The server did not return a correct 'X-Content-Type-Optio[...]
   Mitigation: Configure your web server to include an 'X-Content-T[...]

18. Cookie Without Secure Flag
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 614
   Description: Identified a cookie not marked as secure, and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and d[...]
   Impact: This cookie will be transmitted over an HTTP connection, t[...]
   Mitigation: Mark all cookies used within the application as secur[...]

19. Cookie without Same Site Attribute
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 1275
   Description: Cookies are typically sent to third parties in cross origin requests. Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asse[...]
   Impact: If the website does not impose additional defense against [...]
   Mitigation: The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header. There are thre[...]

20. Cookies without HTTP only flag
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 1004
   Description: We identified a cookie not marked as HTTPOnly. HTTPOnly coo[...]
   Impact: During a cross-site scripting attack, an attacker might ea[...]
   Mitigation: Mark the cookie as HTTPOnly. This will be an extra [...]

21. Clickjacking
   URL/Location: https://mahakisan.com/
   Severity: Low
   CWE: 1021
   Description: Clickjacking attacks attempt to trick the user into uninten[...]
   Impact: Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button o[...] Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, ifram[...]
   Mitigation: Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from [...] X-Frame-Options: DENY completely denies the page to be loaded in a frame/iframe.

22. Improper Input Validation
   URL/Location: https://mahakisan.com/cart
   Severity: Low
   CWE: 20
   Description: Input validation is a frequently-used technique for checking potentially dangerous inputs in order to en[...] Website is accepting special characters like: (!@#$%^&*()_+-=[];',./<>?:"{})
   Impact: When software does not validate input properly, an attacker [...]
   Mitigation: Validating form fields and other inputs was impleme[...]
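As an added example that is not part of the assessment above, the following Python checks one HTTP response for the header and cookie findings in items 13 to 20 (HSTS, CSP, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, and the Secure / HttpOnly / SameSite cookie attributes), so the findings can be re-verified after the server is reconfigured. The response headers are constructed for the example, not captured from the site.

```python
from typing import List, Tuple

# Constructed sample response headers (not captured from the site). A list is
# used rather than a dict because Set-Cookie may repeat within one response.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "wordpress_logged_in=abc123; Path=/"),
    ("Set-Cookie", "sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Header name -> (finding title as in the table, a value that closes the
# finding). Only X-Frame-Options: DENY is named by the table; the other
# values are my suggestions, not the assessment's.
REQUIRED_HEADERS = {
    "strict-transport-security": ("Strict-Transport-Security is missing", "max-age=31536000; includeSubDomains"),
    "content-security-policy": ("Content-Security-Policy is missing", "default-src 'self'; frame-ancestors 'none'"),
    "x-xss-protection": ("X-XSS-Protection header is missing", "1; mode=block"),
    "x-frame-options": ("X-Frame-Options header is missing", "DENY"),
    "x-content-type-options": ("X-Content-Type-Options is missing", "nosniff"),
}


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the finding title for every required security header that is absent."""
    present = {name.lower() for name, _ in headers}
    return [title for name, (title, _) in REQUIRED_HEADERS.items() if name not in present]


def audit_cookie(set_cookie: str) -> List[str]:
    """Check one Set-Cookie value for the Secure, HttpOnly and SameSite attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flag attributes have no value
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookie Without Secure Flag: {cookie_name}")
    if "httponly" not in attrs:
        findings.append(f"Cookies without HTTP only flag: {cookie_name}")
    # SameSite=None opts out of same-site protection, so it is reported like a missing attribute.
    if attrs.get("samesite", "none") == "none":
        findings.append(f"Cookie without Same Site Attribute: {cookie_name}")
    return findings


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Combine the header check with a cookie check for every Set-Cookie in the response."""
    findings = audit_headers(headers)
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings
```

Running audit_response(SAMPLE_HEADERS) reports all five missing headers plus three findings for the first cookie and none for the second.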