Risk | Count |
---|---|
High | 2 |
Medium | 6 |
Low | 0 |
Warning | 0 |
Information | 1 |
Total | 9 |
No | Vulnerability Name | Risk | Severity | CVSS Score | Occurrences |
---|---|---|---|---|---|
1 | Insecure communication | High | High | 8.1 | 1 |
2 | Sql injection - MySQL | High | High | 7.4 | 1 |
3 | Verb tampering | Medium | Medium | 6.4 | 1 |
4 | Missing security headers - X-Content-Type-Options | Medium | Medium | 5.0 | 1 |
5 | Missing security headers - X-Frame-Options | Medium | Medium | 5.0 | 1 |
6 | Sensitive information disclosure in response headers - server | Medium | Medium | 5.0 | 1 |
7 | Sensitive information disclosure in response headers - x-powered-by | Medium | Medium | 5.0 | 1 |
8 | Missing Content Security Policy in response header | Medium | Medium | 5.0 | 1 |
9 | Missing security headers - X-XSS-Protection | Information | Information | | 1 |
Vulnerability | Insecure communication |
Risk | High |
Severity | High |
CVSS Score | 8.1 |
Occurrences | 1 |
Details | Vooki detected an insecure communication vulnerability. Insecure communication occurs when a client and server exchange data over a non-secure (unencrypted) channel. Without encrypting the channel, the developer cannot guarantee the integrity of the data. |
Remediation | Make sure all client-to-server connections are encrypted with SSL. |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | status code: 200 |
Vulnerability | Sql injection - MySQL |
Risk | High |
Severity | High |
CVSS Score | 7.4 |
Occurrences | 1 |
Details | Vooki identified a SQL injection vulnerability. A SQL injection attack consists of the insertion or injection of a SQL query via the client's input data to the application. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.
A successful SQL injection can |
Remediation | SQL Injection flaws are introduced when software developers create dynamic database queries that include user-supplied input.
Techniques for preventing SQL Injection vulnerabilities are: |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache content-length: 162 keep-alive: timeout=5, max=97 connection: Keep-Alive content-type: text/html; charset=UTF-8 status code: 200 |
Vulnerability | Verb tampering |
Risk | Medium |
Severity | Medium |
CVSS Score | 6.4 |
Occurrences | 1 |
Details | Vooki detected a verb tampering vulnerability. HTTP includes many request methods other than the standard GET, POST, PUT and PATCH. A web server may respond to these alternative methods and return data, which can sometimes reveal useful information to an attacker. |
Remediation |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: TRACE Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 keep-alive: timeout=5, max=96 connection: Keep-Alive transfer-encoding: chunked content-type: message/http status code: 200 |
Vulnerability | Missing security headers - X-Content-Type-Options |
Risk | Medium |
Severity | Medium |
CVSS Score | 5.0 |
Occurrences | 1 |
Details | Vooki detected that the 'X-Content-Type-Options' security header is missing. There are several HTTP response headers that an application can set to increase its security. Once set, these headers stop modern browsers from running into easily preventable vulnerabilities. The 'X-Content-Type-Options' response header tells the browser that the MIME type declared in the Content-Type header must be followed and must not be changed by content sniffing. Example: X-Content-Type-Options: nosniff. If 'X-Content-Type-Options: nosniff' is present in the response, the browser checks the declared content type and blocks the request if it does not match. |
Remediation | It's recommended to implement the 'X-Content-Type-Options' security header.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=94 connection: Keep-Alive content-type: text/html;charset=utf-8 status code: 200 |
Vulnerability | Missing security headers - X-Frame-Options |
Risk | Medium |
Severity | Medium |
CVSS Score | 5.0 |
Occurrences | 1 |
Details | Vooki detected that the 'X-Frame-Options' security header is missing. There are several HTTP response headers that an application can set to increase its security. Once set, these headers stop modern browsers from running into easily preventable vulnerabilities.
X-Frame-Options: The 'X-Frame-Options' HTTP response header can be used to indicate whether browsers should be allowed to render a page in a |
Remediation | It's recommended to implement the 'X-Frame-Options' security header with 'deny' or 'sameorigin' value.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=94 connection: Keep-Alive content-type: text/html;charset=utf-8 status code: 200 |
Vulnerability | Sensitive information disclosure in response headers - server |
Risk | Medium |
Severity | Medium |
CVSS Score | 5.0 |
Occurrences | 1 |
Details | Vooki detected a sensitive information disclosure in the server response header. Information gathering is a type of attack in which an attacker sends requests to the server to learn more about it. If the server is not configured correctly, it may leak information about itself, such as the server version, PHP/ASP.NET version or OpenSSH version. These issues are not exploitable in most cases but are considered web application security issues because they allow attackers to gather information that can be used later in the attack lifecycle. |
Remediation |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=93 connection: Keep-Alive content-type: text/html;charset=utf-8 status code: 200 |
Vulnerability | Sensitive information disclosure in response headers - x-powered-by |
Risk | Medium |
Severity | Medium |
CVSS Score | 5.0 |
Occurrences | 1 |
Details | Vooki detected a sensitive information disclosure in the x-powered-by response header. Information gathering is a type of attack in which an attacker sends requests to the server to learn more about it. If the server is not configured correctly, it may leak information about itself, such as the server version, PHP/ASP.NET version or OpenSSH version. These issues are not exploitable in most cases but are considered web application security issues because they allow attackers to gather information that can be used later in the attack lifecycle. |
Remediation |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=93 connection: Keep-Alive content-type: text/html;charset=utf-8 status code: 200 |
Vulnerability | Missing Content Security Policy in response header |
Risk | Medium |
Severity | Medium |
CVSS Score | 5.0 |
Occurrences | 1 |
Details | Vooki detected that the Content Security Policy (CSP) header is missing from the response. CSP is an added layer of security that helps to detect and mitigate data injection and cross-site scripting (XSS) vulnerabilities. |
Remediation | It's recommended to include the Content Security Policy (CSP) header in the response.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:19 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=100 connection: Keep-Alive content-type: text/html;charset=utf-8 |
Vulnerability | Missing security headers - X-XSS-Protection |
Risk | Information |
Severity | Information |
Occurrences | 1 |
Details | Vooki detected that the 'X-XSS-Protection' security header is missing. There are several HTTP response headers that an application can set to increase its security. Once set, these headers stop modern browsers from running into easily preventable vulnerabilities.
X-XSS-Protection: The HTTP 'X-XSS-Protection' response header is a mechanism that stops pages from loading when Internet Explorer, Chrome, and Safari detect reflected cross-site scripting (XSS) attacks.
For example:
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1;report= |
Remediation | It's recommended to implement the 'X-XSS-Protection' security header.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto |
URL: | |
Occurrences in this URL: | 1 |
Request | Response |
---|---|
Method: GET Cookie: security=low; _ga=GA1.1.606855242.1626373710; _gid=GA1.1.1871091112.1626373710; acceptCookies=true; PHPSESSID=tlu0k06487lr584t29v0gub172 | date: Fri, 16 Jul 2021 06:00:24 GMT server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.8 x-powered-by: PHP/8.0.8 expires: Tue, 23 Jun 2009 12:00:00 GMT cache-control: no-cache, must-revalidate pragma: no-cache content-length: 4266 keep-alive: timeout=5, max=94 connection: Keep-Alive content-type: text/html;charset=utf-8 status code: 200 |