| Finding | Description |
|---|---|
| Clear login form | Reference: CWE-319: Cleartext Transmission of Sensitive Information. Applications that transmit data over unencrypted connections make themselves vulnerable to interception. Vulnerabilities that result in the disclosure of users' data can result in compromises that are extremely difficult to investigate due to obscured audit trails. Personally Identifiable Information (PII) can later be used for phishing attacks, amongst others. |
| Cookie consent issue | The application was found to issue cookies upon navigating to the application without requiring the user to accept the use of the cookies. As of May 2011, countries within the EU are required to give users the right to refuse the use of cookies that may be detrimental to their online privacy. In the UK, this is reflected in the Privacy and Electronic Communications Regulations. This is commonly known as the Cookie Law. |
| Compromised applications | Using an application that has been part of a data breach may pose severe risks, including unauthorised access to user accounts, data theft, and identity fraud. This can result in significant financial losses, compromised sensitive information, and long-term damage to personal and organisational reputation. |
| CSP header misconfiguration | Reference: CWE-79 (Improper Neutralisation of Input During Web Page Generation, aka Cross-site Scripting or XSS). The Content-Security-Policy header was designed to modify the way browsers render pages, and thus to protect against various cross-site injections, including Cross-Site Scripting. It is important to set the header value correctly, in a way that does not prevent the proper operation of the website. For example, if the header is set to prevent the execution of inline JavaScript, the website must not use inline JavaScript in its pages. |
| Dangling DNS | Reference: CWE-16: Weakness in Configuration of DNS Records. Assess whether subdomain takeover is possible with the provider. Dangling DNS refers to DNS records that may no longer be in use and may point to non-existent or expired domains, potentially directing users to malicious sites controlled by attackers. This can lead to phishing attacks, malware downloads, and unauthorised data collection, compromising user security and damaging organisational reputation. Regular monitoring and maintenance of DNS configurations are crucial to mitigate these risks. |
| Deprecated SSL Cipher Category | Deprecated SSL ciphers pose serious security risks, including vulnerability to advanced cryptographic attacks that can decrypt or alter sensitive data. This compromises the confidentiality and integrity of communications, potentially allowing attackers to access or manipulate information exchanged between clients and servers. |
| Deprecated SSL Protocol | Using deprecated SSL protocols exposes a domain to significant security vulnerabilities, including susceptibility to attacks such as man-in-the-middle attacks, where attackers can intercept and alter communications. It also weakens the encryption, making it easier for cybercriminals to decrypt sensitive information, compromising data confidentiality and integrity. |
| Exposed database | From port scanning, a database access port was discovered exposed to the internet (MySQL, PostgreSQL, MS SQL). |
| Exposed file-sharing server | From port scanning, a file-sharing server was discovered exposed to the internet (FTP, SMB). |
| Exposed remote access service | From port scanning, a remote access service was discovered exposed to the internet (SSH server, RDP). |
| HREF misconfiguration | An application with invalid HREF references can lead to broken links, resulting in poor user experience and reduced website credibility. Additionally, it can negatively impact SEO rankings and hinder navigation, potentially causing users to leave the site. |
| HSTS Header Misconfiguration | HTTP Strict Transport Security (HSTS) can be configured on application servers to indicate that future connections to the server should use HTTPS. This mitigates a number of attacks in which an attacker tries to manipulate a user's connection into using an unencrypted connection. For example, when performing SSL stripping, an attacker sitting between a client and server communicates with the client over regular unencrypted HTTP. The client can see that the session is not encrypted, but critically, the client does not know that the session is supposed to be encrypted. HSTS solves this problem by telling the client's web browser that all connections to the domain should be encrypted until at least a certain date. Alternatively, if the web application mixes HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server. If there is no HTTP server, an attacker on the same network could simulate one and motivate the user to click on a prepared URL through social engineering. |
| HTTP responsive IP | Web applications should not reply to client requests using an IP-based URL. |
| Invalid certificate | Reference: CWE-295 - Improper Certificate Validation. Invalid certificates pose security risks such as exposing user data to interception by third parties and enabling man-in-the-middle attacks. Users may be deterred from using the application due to security warnings, potentially leading to loss of trust, reduced adoption, and reputational damage for the organisation. |
| Malicious Clone | Maliciously cloned applications typically use spoofed, copycat or typosquatted domains and are intended to trick unsuspecting users into visiting a malicious clone of an otherwise legitimate application. Users unknowingly accessing a maliciously cloned application may become victims of malware downloaded via the cloned application (aka 'drive-by downloads'). |
| Missing CSP headers | Reference: CWE-79 (Improper Neutralisation of Input During Web Page Generation, aka Cross-site Scripting or XSS). The Content-Security-Policy header was designed to modify the way browsers render pages, and thus to protect against various cross-site injections, including Cross-Site Scripting. It is important to set the header value correctly, in a way that does not prevent the proper operation of the website. For example, if the header is set to prevent the execution of inline JavaScript, the website must not use inline JavaScript in its pages. |
| Missing HSTS Header | HTTP Strict Transport Security (HSTS) can be configured on application servers to indicate that future connections to the server should use HTTPS. This mitigates a number of attacks in which an attacker tries to manipulate a user's connection into using an unencrypted connection. For example, when performing SSL stripping, an attacker sitting between a client and server communicates with the client over regular unencrypted HTTP. The client can see that the session is not encrypted, but critically, the client does not know that the session is supposed to be encrypted. HSTS solves this problem by telling the client's web browser that all connections to the domain should be encrypted until at least a certain date. Alternatively, if the web application mixes HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is never performed, or is performed in a way that leaves the attacker between client and server. If there is no HTTP server, an attacker on the same network could simulate one and motivate the user to click on a prepared URL through social engineering. |
| Missing Referrer Policy Header | The 'Referrer-Policy' response header was designed to prevent cross-domain referrer leakage. It controls what the browser places in the 'Referer' request header, which indicates the site from which the traffic originated. If there is no adequate prevention in place, the URL itself, and even sensitive information contained in the URL, will be leaked to the cross-site destination. The lack of a Referrer-Policy header might affect the privacy of the users and the site itself. |
| Missing X-Content-Type-Options Header | MIME-type checking utilises standard functionality in browsers to find an appropriate way to render data where the HTTP headers sent by the server are either inconclusive or missing. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the intended one. |
| Missing X-Frame-Options Header | The 'X-Frame-Options' HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. Different user agents may respond differently when processing more than one X-Frame-Options header. |
| Old components | Reference: A06:2021 - Vulnerable and Outdated Components. It is important that all software components be maintained at the latest version, as older versions are likely affected by one or more publicly disclosed vulnerabilities. |
| Privacy policy issue | Not having a privacy policy on a company's web application or website can lead to legal and regulatory non-compliance, exposing the company to fines and legal actions. Additionally, it undermines user trust, as customers may be concerned about how their personal data is collected, used, and protected, potentially reducing user engagement and harming the company's reputation. |
| Referrer Policy Header Misconfiguration | The 'Referrer-Policy' response header was designed to prevent cross-domain referrer leakage. It controls what the browser places in the 'Referer' request header, which indicates the site from which the traffic originated. If there is no adequate prevention in place, the URL itself, and even sensitive information contained in the URL, will be leaked to the cross-site destination. A missing or misconfigured Referrer-Policy header might affect the privacy of the users and the site itself. |
| Suspicious subdomain | Reference: CWE-16: Configuration & CWE-200: Information Exposure. Check whether development or test environments should be publicly accessible without authentication. |
| Web server default page | Reference: CWE-200 - Information Exposure. This web server has a default welcome page. By default, many web and application server software packages are configured with a number of default or initial installation information pages. These 'welcome' pages often reveal software information. Should an attacker be able to determine the type and version of web application software in use, they may be able to focus on specific vulnerabilities associated with the software present. This can make the process of attempting exploitation more straightforward and accurate. Obtaining this information can also allow an estimation of the underlying platform and hardware present. |
| X-Content-Type-Options Header Misconfiguration | MIME-type checking utilises standard functionality in browsers to find an appropriate way to render data where the HTTP headers sent by the server are either inconclusive or missing. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the intended one. |
| X-Frame-Options Header Misconfiguration | The 'X-Frame-Options' HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. Different user agents may respond differently when processing more than one X-Frame-Options header. |