BestPractices Report

 Scan Name: Webscantest
 Date: 9/12/2017 9:33:08 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 409 / 409
 Target URL: http://webscantest.com/ , https://webscantest.com/
 Reports:

Summary

Finding Type                                          Root Causes   Variances
Autocomplete Attribute                                     2             3
Browser Cache directive (web application performance)     10            10
Cross Origin Resources Sharing (CORS)                      1             3
Form re-submission                                        20            31
HTTP Strict Transport Security                             1             1
IP Address                                                 1             1
Sensitive data sent over Un Encrypted Channel             15            15
X-Content-Type-Options                                     1             1
X-Frame-Options                                           20            20
X-Powered-By                                               1             1
X-XSS-Protection                                           1             1
Total:                                                    73            87

By Risk

Variances: 87

Details


Autocomplete Attribute

  Site: http://webscantest.com:80
URL: http://webscantest.com/login.php Root Cause #269: (1 Attack Variance)
URL: http://webscantest.com/userprofile.php Root Cause #270: (2 Attack Variances)

Description:  

HTML forms are a key component of exchanging information between a user and the server.
Autocomplete is a browser feature that remembers what you entered in previous text form fields with the same name.
So, for example, if the field is named 'name' and you had entered several variants of your name in other fields named 'name', then autocompletion offers those values in a dropdown.


Recommendations:  

Password autocomplete should always be disabled, especially in sensitive applications, since an attacker who is able to access the browser cache could easily obtain the password in cleartext (public computers are a very notable example of this attack).
You can turn it off by setting the AUTOCOMPLETE attribute to OFF on the password field:
<input autocomplete="off" name="oPassword" type="password">


Browser Cache directive (web application performance)

  Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/ajax.js Root Cause #271: (1 Attack Variance)
URL: http://webscantest.com/css/style.css Root Cause #272: (1 Attack Variance)
URL: http://webscantest.com/css/style-buttons.css Root Cause #273: (1 Attack Variance)
URL: http://webscantest.com/css/style-forms.css Root Cause #274: (1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_osrun_inc.js Root Cause #275: (1 Attack Variance)
URL: http://webscantest.com/react/app.js Root Cause #276: (1 Attack Variance)
URL: http://webscantest.com/react/js7.js Root Cause #277: (1 Attack Variance)
URL: http://webscantest.com/react/react.js Root Cause #278: (1 Attack Variance)
URL: http://webscantest.com/soap/demo/jquery.soap.js Root Cause #279: (1 Attack Variance)
URL: http://webscantest.com/soap/demo/jquery.xml2json.js Root Cause #280: (1 Attack Variance)

Description:  

The response does not include cache directives, so a user receives this page from the server every time. That can mean a significant increase in server load, since every hit on the page generates a request to the server. The page does not contain any sensitive information, and it is also accessible to unauthorized users.

By default, a response is cacheable if the requirements of the request method, request header fields, and the response status indicate that it is cacheable. Therefore, the browser has a capability to temporarily store some of the pages browsed. These cached files are stored in a folder. When we ask for these pages again, the browser displays them from its cache.

Recommendations:  

Put a Cache-Control directive (a freshness indicator) on the page, so it is sent with each of the original responses. As a result, the browser can serve the files directly from its cache on subsequent requests, without any need for server validation, until the expiry time assigned to the object is reached.
A correct cache MUST respond to a request with the most up-to-date response held by the cache that is appropriate to the request.
Do not force the browser to store the page if it contains any sensitive information.


Cross Origin Resources Sharing (CORS)

  Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/cors_volatile.php Root Cause #281: (3 Attack Variances)

Description:  

Cross-origin resource sharing (CORS) is a mechanism that allows JavaScript on a web page to make XMLHttpRequests to another domain, not the domain the JavaScript originated from. Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request. It is more useful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests.


Recommendations:  

Web sites have various CORS countermeasures available:

  • Validate URLs passed to XMLHttpRequest.open. Current browsers allow these URLs to be cross-domain; this behavior can lead to code injection by a remote attacker. Pay extra attention to absolute URLs.
  • Ensure that URLs responding with Access-Control-Allow-Origin: * do not include any sensitive content or information that might aid an attacker in further attacks. Use the Access-Control-Allow-Origin header only on chosen URLs that need to be accessed cross-domain. Don't use the header for the whole domain.
  • Allow only selected, trusted domains in the Access-Control-Allow-Origin header. Prefer whitelisting domains over blacklisting or allowing any domain (do not use the * wildcard, nor blindly echo the Origin header content back without any checks).
  • Keep in mind that CORS does not prevent the requested data from going to an unauthenticated location. It is still important for the server to perform the usual CSRF prevention.
  • While the RFC recommends a pre-flight request with the OPTIONS verb, current implementations might not perform this request, so it is important that "ordinary" (GET and POST) requests perform any access control necessary.
  • Discard requests received over plain HTTP with HTTPS origins to prevent mixed content bugs.
  • Don't rely only on the Origin header for access control checks. The browser always sends this header in CORS requests, but it may be spoofed outside the browser. Application-level protocols should be used to protect sensitive data.

Form re-submission

  Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #282: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #283: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/request.php Root Cause #284: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/review.php Root Cause #285: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/search.php Root Cause #286: (2 Attack Variances)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #287: (1 Attack Variance)
URL: http://webscantest.com/csrf/csrfpost.php Root Cause #288: (1 Attack Variance)
URL: http://webscantest.com/csrf/token.php Root Cause #289: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_by_id.php Root Cause #290: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #291: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #292: (2 Attack Variances)
URL: http://webscantest.com/datastore/search_single_by_name.php Root Cause #293: (2 Attack Variances)
URL: http://webscantest.com/infodb/comment.php Root Cause #294: (1 Attack Variance)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #295: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois.php Root Cause #296: (1 Attack Variance)
URL: http://webscantest.com/osrun/whois_nv.php Root Cause #297: (1 Attack Variance)
URL: http://webscantest.com/payment_analysis/checkdata.php Root Cause #298: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/filter_by_name.php Root Cause #299: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_id.php Root Cause #300: (2 Attack Variances)
URL: http://webscantest.com/shutterdb/search_by_name.php Root Cause #301: (2 Attack Variances)

Description:  

When a web form is submitted to a server through an HTTP POST request, a web user that attempts to refresh the server response in certain user agents can cause the contents of the original HTTP POST request to be resubmitted, possibly causing undesired results, such as a duplicate web purchase.


Recommendations:  

To avoid this problem, many web developers use the PRG pattern: instead of returning a web page directly, the POST operation returns a redirection command.
Post/Redirect/Get (PRG) is a web development design pattern that prevents some duplicate form submissions, creating a more intuitive interface for user agents (users). PRG makes bookmarks and the refresh button behave in a predictable way that does not create duplicate form submissions.


HTTP Strict Transport Security

  Site: https://webscantest.com:443
URL: https://webscantest.com/ Root Cause #302: (1 Attack Variance)

Description:  

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com. The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.


Recommendations:  

The HSTS header is a mechanism that web sites use to tell web browsers that all traffic exchanged with a given domain must always be sent over HTTPS; this helps protect the information from being passed over unencrypted requests. Given the importance of this security measure, it is important to verify that the web site uses this HTTP header, in order to ensure that all data travels encrypted from the web browser to the server.

The HTTP Strict Transport Security header should specify the includeSubDomains directive.

IP Address

  Site: http://webscantest.com:80
URL: http://webscantest.com/bjax/servertime.php Root Cause #303: (1 Attack Variance)

Description:  

An IP address was leaked.


Recommendations:  

Leaking internal IP addresses may compromise system security.


Sensitive data sent over Un Encrypted Channel

  Site: http://webscantest.com:80
URL: http://webscantest.com/crosstraining/aboutyou.php Root Cause #304: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/aboutyou2.php Root Cause #305: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/dom.php Root Cause #306: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/reservation.php Root Cause #307: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/review.php Root Cause #308: (1 Attack Variance)
URL: http://webscantest.com/crosstraining/sitereviews.php Root Cause #309: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_by_name.php Root Cause #310: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_double_by_name.php Root Cause #311: (1 Attack Variance)
URL: http://webscantest.com/datastore/search_single_by_name.php Root Cause #312: (1 Attack Variance)
URL: http://webscantest.com/infodb/comment.php Root Cause #313: (1 Attack Variance)
URL: http://webscantest.com/infodb/index.php Root Cause #314: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/ Root Cause #315: (1 Attack Variance)
URL: http://webscantest.com/shutterdb/search_by_name.php Root Cause #316: (1 Attack Variance)
URL: http://webscantest.com/shutterform/ Root Cause #317: (1 Attack Variance)
URL: http://webscantest.com/soap/demo/ Root Cause #318: (1 Attack Variance)

Description:  

Sensitive data is sent over HTTP.


Recommendations:  

Credentials or other sensitive data are transmitted without encryption, so a malicious user could read the user's sensitive data simply by sniffing the network with a tool like Wireshark. The HTTPS protocol ensures that data is sent through an encrypted channel and is not readable by other people.


X-Content-Type-Options

  Site: http://webscantest.com:80
URL: http://webscantest.com/jsmenu/auto_datastore.php Root Cause #319: (1 Attack Variance)

Description:  

The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.

Recommendations:  

The X-Content-Type-Options HTTP response header can be used to indicate whether or not a browser should be allowed to sniff a response away from the declared content-type. Sites can use this to avoid MIME-sniffing a response away from the declared content-type.


X-Frame-Options

  Site: http://webscantest.com:80
URL: http://webscantest.com/ Root Cause #320: (1 Attack Variance)
URL: http://webscantest.com/business/account.php Root Cause #321: (1 Attack Variance)
URL: http://webscantest.com/business/privilege.php Root Cause #322: (1 Attack Variance)
URL: http://webscantest.com/cors.php Root Cause #323: (1 Attack Variance)
URL: http://webscantest.com/cors_public.php Root Cause #324: (1 Attack Variance)
URL: http://webscantest.com/csrf Root Cause #325: (1 Attack Variance)
URL: http://webscantest.com/gonowhere Root Cause #326: (1 Attack Variance)
URL: http://webscantest.com/infodb/readme.php Root Cause #327: (1 Attack Variance)
URL: http://webscantest.com/infodb/search_by_name.php Root Cause #328: (1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_crosstraining.php Root Cause #329: (1 Attack Variance)
URL: http://webscantest.com/jsmenu/auto_datastore.php Root Cause #330: (1 Attack Variance)
URL: http://webscantest.com/jsmenu/dynalink_myfiles.php Root Cause #331: (1 Attack Variance)
URL: http://webscantest.com/react/ Root Cause #332: (1 Attack Variance)
URL: http://webscantest.com/rest/demo/ Root Cause #333: (1 Attack Variance)
URL: http://webscantest.com/rfp Root Cause #334: (1 Attack Variance)
URL: http://webscantest.com/soap/demo/ Root Cause #335: (1 Attack Variance)
URL: http://webscantest.com/static/product18.html Root Cause #336: (1 Attack Variance)
URL: http://webscantest.com/static/product44.html Root Cause #337: (1 Attack Variance)
URL: http://webscantest.com/userprofile.php Root Cause #338: (1 Attack Variance)
  Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/cors_public.php Root Cause #339: (1 Attack Variance)

Description:  

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page.

Recommendations:  

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.


X-Powered-By

  Site: http://webscantest.com:80
URL: http://webscantest.com/jsmenu/auto_datastore.php Root Cause #340: (1 Attack Variance)

Description:  

The X-Powered-By HTTP header reveals the server configuration.


Recommendations:  

Remove the header.


X-XSS-Protection

  Site: http://webscantest.com:80
URL: http://webscantest.com/jsmenu/auto_datastore.php Root Cause #341: (1 Attack Variance)

Description:  

Cross-Site Scripting (XSS) attacks occur when data enters a web application through an untrusted source, most frequently a web request, and that data is included in dynamic content sent to a web user without being validated for malicious code. The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.


Recommendations:  

The X-XSS-Protection header is a mechanism that web sites use to tell web browsers that the XSS filter is enabled and should check for a cross-site scripting attack in the URL. The filter neuters such an attack when the identified script is replayed back into the response page. In this way the filter is effective without modifying the initial request to the server or blocking the entire response.