pentestonline.es Scan Report Summary
TARGET URL
http://test.q2bstudio.com/
SCAN DATE
1/29/2020 12:43:19 PM (UTC)
REPORT DATE
1/29/2020 12:58:06 PM (UTC)
SCAN DURATION
00:14:46
pentestonline.es VERSION
5.3.0.24388-5.3-hf6-de321fd
9962
11.2 req/sec req/sec.
113
Identified
36
Confirmed
0
Critical
2
High
Scan Settings
ENABLED ENGINES
SQL Injection, SQL Injection (Boolean), SQL Injection (Blind), Cross-site Scripting, Command Injection, Command Injection (Blind), Local File Inclusion, Remote File Inclusion, Code Evaluation, HTTP Header Injection, Open Redirection, Web App Fingerprint, WebDAV, Reflected File Download, Insecure Reflected Content, XML External Entity, File Upload, Windows Short Filename, Cross-Origin Resource Sharing (CORS), HTTP Methods, Unicode Transformation (Best-Fit Mapping), Server-Side Request Forgery (Pattern Based), Server-Side Request Forgery (DNS), SQL Injection (Out of Band), XML External Entity (Out of Band), Cross-site Scripting (Blind), Code Evaluation (Out of Band)
URL REWRITE MODE
Heuristic
DETECTED URL REWRITE RULES
None
EXCLUDED URL PATTERNS
(log|sign)\-?(out|off)
Authentication
Scheduled
Vulnerabilities
Issues
Instances
Confirmed
0
0
0
1
2
2
4
6
3
9
34
6
9
34
24
6
37
1
TOTAL
29
113
36
1. Password Transmitted over HTTP
pentestonline.es detected that password data is being transmitted over HTTP.
Impact If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take See the remedy for solution. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP. Remedy All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
password_id
http://test.q2bstudio.com/
Request
GET / HTTP/1.1
Response
…span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
<input name="password_id" type="password" id="password_id" class="form-control input-lg format_input_login" placeholder="Contraseña" /> <span class="fa fa-lock signin-form-icon"></span>
</div>
<!-- / Password -->
</div>
<!-- / Form -->
</d
…
password_id
./
Request
POST / HTTP/1.1
Response
…span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
<input name="password_id" type="password" id="password_id" class="form-control input-lg format_input_login" placeholder="Contraseña" /> password_id " type="password" id="password_id" class="form-control input-lg format_input_login" placeholder="Contraseña" />
<span class="fa fa-lock signin-form-icon"></span>
</
…
2. Insecure Transportation Security Protocol Supported (SSLv3)
pentestonline.es detected that insecure transportation security protocol (SSLv3) is supported by your web server.
SSLv3 has several flaws. An attacker can cause connection failures and they can trigger the use of SSL 3.0 to exploit vulnerabilities like POODLE.
Impact Attackers can perform man-in-the-middle attacks and observe the encryption traffic between your website and its visitors.
Remedy
Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.
For Apache, adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration.
SSLProtocol +TLSv1.1 +TLSv1.2
For Nginx, locate any use of the directive ssl_protocols in the nginx.conf file and remove SSLv3.
ssl_protocols TLSv1.1 TLSv1.2;
For Microsoft IIS, you should make some changes on the system registry.
Click on Start and then Run, type regedt32 or regedit, and then click OK.
In Registry Editor, locate the following registry key or create if it does not exist:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\
Locate a key named Server or create if it doesn't exist.
Under the Server key, locate a DWORD value named Enabled or create if it doesn't exist and set its value to "0".
For lighttpd, put the following lines in your configuration file:
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
External References
Classification
Request
[pentestonline.es] SSL Connection
Response
[pentestonline.es] SSL Connection
3. Weak Ciphers Enabled
pentestonline.es detected that weak ciphers are enabled during secure communication (SSL).
You should allow only strong ciphers on your web server to protect secure communication with your visitors.
Impact Attackers might decrypt SSL traffic between your server and your visitors.
Actions to Take
For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Microsoft IIS, you should make some changes to the system registry. a. Click Start, click Run, type regedt32 or type regedit, and then click OK.b. In Registry Editor, locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders c. Set "Enabled" DWORD to "0x0" for the following registry keys: SCHANNEL\Ciphers\DES 56/56
Remedy Configure your web server to disallow using weak ciphers.
External References
Classification
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Request
[pentestonline.es] SSL Connection
Response
[pentestonline.es] SSL Connection
4. Out-of-date Version (Bootstrap)
pentestonline.es identified that the target web site is using Bootstrap and detected that it is out of date.
Impact Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Bootstrap to the latest stable version.
Remedy References
Known Vulnerabilities in this Version
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
External References
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
External References
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
External References
Classification
3.3.7
3.4.1 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
3.3.7
3.4.1 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
GET /assets/javascripts/bootstrap.min.js HTTP/1.1
Response
* Bootstrap v3.3.7 (http://getbootstrap.com)
3.3.7
3.4.1 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
5. Active Mixed Content over HTTPS
pentestonline.es detected that an active content loaded over HTTP within an HTTPS page.
Impact
Active Content is a resource which can run in the context of your page and moreover can alter the entire page. If the HTTPS page includes active content like scripts or stylesheets retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.
A man-in-the-middle attacker can intercept the request for the HTTP content and also rewrite the response to include malicious codes. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), and therefore the connection is not safeguarded anymore.
Remedy There are two technologies to defense against the mixed content issues:
HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (your developers place an insecure link into a secure page)
Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites
Last but not least, you can use "protocol relative URLs" to have the user's browser automatically choose HTTP or HTTPS as appropriate, depending on which protocol the user is connected with. For example:
A protocol relative URL to load an style would look like <link rel="stylesheet" href="//example.com/style.css"/>.
Same for scripts <script type="text/javascript" src="//example.com/code.js"></script>
The browser will automatically add either "http:" or "https:" to the start of the URL, whichever is appropriate.
External References Remedy References
Classification
Confirmed
Resources Loaded from Insecure Origin (HTTP) http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,400,600,700,300&subset=latin
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
6. Autocomplete Enabled
pentestonline.es detected that autocomplete is enabled in one or more of the form fields which might contain sensitive information like "username", "credit card" or "CVV".
Impact If user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.
Actions to Take Add the attribute autocomplete="off" to the form tag or to individual "input" fields. Find all instances of inputs that store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended. Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly. Required Skills for Successful Exploitation First and foremost, attacker needs either physical access or user-level code execution rights for successful exploitation. Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the autocomplete feature to see previously entered values.
External References
Classification
username_id
Request
GET / HTTP/1.1
Response
… </div>
<!-- / .signin-text -->
<div class="col-sm-12 align_middle_login">
<div class="form-group w-icon">
<input name="username_id" type="text" id="username_id" class="form-control input-lg format_input_login" placeholder="Email" /> <span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
…
username_id
Request
POST / HTTP/1.1
Response
… </div>
<!-- / .signin-text -->
<div class="col-sm-12 align_middle_login">
<div class="form-group w-icon">
<input name="username_id" type="text" id="username_id" class="form-control input-lg format_input_login" placeholder="Email" /> <span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
…
7. Cookie Not Marked as HttpOnly
pentestonline.es identified a cookie not marked as HTTPOnly.
HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.
Impact During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
Actions to Take
See the remedy for solution.
Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies. )
Remedy Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as
XSS Tunnel to bypass HTTPOnly protection.
External References
Classification
q2blng
HTTP Header
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OKSet-Cookie: q2blng=ca-ES; expires=Wed, 05-Feb-2020 12:43:22 GMT; path=/
8. Internal Server Error
pentestonline.es identified an internal server error.
The server responded with an HTTP status 500, indicating there is a server-side error. Reasons may vary, and the behavior should be analyzed carefully. If pentestonline.es is able to find a security issue in the same resource, it will report this as a separate vulnerability.
Impact The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However, there might be a bigger issue, such as SQL injection. If that's the case, pentestonline.es will check for other possible issues and report them separately.
Remedy Analyze this issue and review the application code in order to handle unexpected errors; this should be a generic practice, which does not disclose further information upon an error. All errors should be handled server-side only.
Classification
Confirmed
Parameters
Parameter
Type
Value
Query Based
Query String
'"--></style></scRipt><scRipt src="//en5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius.r87.me"></s...
Request
GET /?%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fen5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e HTTP/1.1
Response
HTTP/1.1 500 Internal Server Error
Confirmed
Parameters
Parameter
Type
Value
username_id
POST
<?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "file:///C:/Windows/System32...
__VIEWSTATE
POST
__VIEWSTATE_KEY
POST
VS_52.143.173.9_637159022021935337
ctl01
POST
Inicia sesión
password_id
POST
Request
POST / HTTP/1.1
Response
HTTP/1.1 500 Internal Server Error
9. Insecure Transportation Security Protocol Supported (TLS 1.0)
pentestonline.es detected that insecure transportation security protocol (TLS 1.0) is supported by your web server.
TLS 1.0 has several flaws. An attacker can cause connection failures and they can trigger the use of TLS 1.0 to exploit vulnerabilities like BEAST (Browser Exploit Against SSL/TLS).
Websites using TLS 1.0 are considered non-compliant by PCI since 30 June 2018.
Impact Attackers can perform man-in-the-middle attacks and observe the encryption traffic between your website and its visitors.
Remedy
Configure your web server to disallow using weak ciphers. You need to restart the web server to enable changes.
External References
Classification
Request
[pentestonline.es] SSL Connection
Response
[pentestonline.es] SSL Connection
10. HTTP Strict Transport Security (HSTS) Policy Not Enabled
pentestonline.es identified that HTTP Strict Transport Security (HSTS) policy is not enabled.
The target website is being served from not only HTTP but also HTTPS and it lacks of HSTS policy implementation.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTP (HTTPS) connections. The HSTS Policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:
Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), show an error message and do not allow the user to access the web application.
Remedy
Configure your webserver to redirect HTTP requests to HTTPS.
For Apache, you should have modification in the httpd.conf.
# load module
LoadModule headers_module modules/mod_headers.so
# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
# HTTPS-Host-Configuration
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Further Configuration goes here
[...]
</VirtualHost>
External References
Classification
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
11. Missing X-Frame-Options Header
pentestonline.es detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.
Impact
Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
Remedy
Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
X-Frame-Options: DENY It completely denies to be loaded in frame/iframe.X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
Employing defensive code in the UI to ensure that the current frame is the most top level window.
External References Remedy References
Classification
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/images/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /trace.axd HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
12. Version Disclosure (ASP.NET)
pentestonline.es identified a version disclosure (ASP.NET) in target web server's HTTP response.
This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of ASP.NET.
Impact An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Remedy Apply the following changes to your
web.config file to prevent information leakage by using custom error pages and removing
X-AspNet-Version from HTTP responses.
<System.Web>
<httpRuntime enableVersionHeader="false" />
<customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
<error statusCode="403" redirect="~/error/Forbidden.aspx" />
<error statusCode="404" redirect="~/error/PageNotFound.aspx" />
<error statusCode="500" redirect="~/error/InternalError.aspx" />
</customErrors>
</System.Web>
Remedy References
Classification
Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3429.0
Certainty
Request
GET /?%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fen5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e HTTP/1.1
Response
Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3429.0
13. Programming Error Message
pentestonline.es identified a programming error message.
Impact The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. Source code, stack trace, etc. data may be disclosed. Most of these issues will be identified and reported separately by pentestonline.es.
Remedy Do not provide error messages on production environments. Save error messages with a reference number to a backend storage such as a log, text file or database, then show this number and a static user-friendly error message to the user.
Classification
Exception of type 'System.Web.HttpException' was thrown.
Certainty
Request
GET /trace.axd HTTP/1.1
Response
Exception of type 'System.Web.HttpException' was thrown.
Parameters
Parameter
Type
Value
username_id
POST
__VIEWSTATE
POST
__VIEWSTATE_KEY
POST
<?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "file:///C:/Windows/System32...
ctl01
POST
Inicia sesión
password_id
POST
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Certainty
Request
POST / HTTP/1.1
Response
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Exception of type 'System.Web.HttpException' was thrown.
Certainty
Request
POST /trace.axd HTTP/1.1
Response
Exception of type 'System.Web.HttpException' was thrown.
Parameters
Parameter
Type
Value
URI-BASED
Full URL
/"ns="pentestonline.es(0x000A1B)
Exception of type 'System.Web.HttpException' was thrown.
Certainty
Request
GET /trace.axd/%22ns=%22pentestonline.es(0x000A1B) HTTP/1.1
Response
Exception of type 'System.Web.HttpException' was thrown.
14. Stack Trace Disclosure (ASP.NET)
pentestonline.es identified a stack trace disclosure (ASP.NET) in the target web server's HTTP response.
Impact An attacker can obtain information such as:
ASP.NET version. Physical file path of temporary ASP.NET files. Information about the generated exception and possibly source code, SQL queries, etc. This information might help an attacker gain more information and potentially focus on the development of further attacks for the target system.
Remedy Apply following changes on your
web.config file to prevent information leakage by applying custom error pages.
<System.Web>
<customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
<error statusCode="403" redirect="~/error/Forbidden.aspx" />
<error statusCode="404" redirect="~/error/PageNotFound.aspx" />
<error statusCode="500" redirect="~/error/InternalError.aspx" />
</customErrors>
</System.Web>
Remedy References
Classification
Parameters
Parameter
Type
Value
Query Based
Query String
'"--></style></scRipt><scRipt src="//en5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius.r87.me"></s...
Certainty
Request
GET /?%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fen5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
'"--></style></scRipt><scRipt>pentestonline.es(0x000037)</scRipt>
Certainty
Request
GET /assets/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000037)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
/'"--></style></scRipt><scRipt>pentestonline.es(0x000038)</scRipt>
Certainty
Request
GET /assets/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000038)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
'"--></style></scRipt><scRipt>pentestonline.es(0x000163)</scRipt>
Certainty
Request
GET /assets/javascripts/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000163)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
/'"--></style></scRipt><scRipt>pentestonline.es(0x000164)</scRipt>
Certainty
Request
GET /assets/javascripts/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000164)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Certainty
Request
GET /trace.axd HTTP/1.1
Response
at System.Web.Handlers.TraceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Parameters
Parameter
Type
Value
URI-BASED
Full URL
'"--></style></scRipt><scRipt>pentestonline.es(0x00028F)</scRipt>
Certainty
Request
GET /assets/demo/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x00028F)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
/'"--></style></scRipt><scRipt>pentestonline.es(0x000290)</scRipt>
Certainty
Request
GET /assets/demo/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000290)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
'"--></style></scRipt><scRipt>pentestonline.es(0x00033D)</scRipt>
Certainty
Request
GET /Resources/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x00033D)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
/'"--></style></scRipt><scRipt>pentestonline.es(0x000358)</scRipt>
Certainty
Request
GET /Resources/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x000358)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
Parameters
Parameter
Type
Value
URI-BASED
Full URL
'"--></style></scRipt><scRipt>pentestonline.es(0x00041F)</scRipt>
Certainty
Request
GET /Resources/images/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Epentestonline.es(0x00041F)%3C/scRipt%3E HTTP/1.1
Response
<b>Stack Trace:</b> <br><br>
15. Autocomplete Enabled (Password Field)
pentestonline.es detected that autocomplete is enabled in one or more of the password fields.
Impact If user chooses to save, data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.
Actions to Take Add the attribute autocomplete="off" to the form tag or to individual "input" fields. However, since early 2014, major browsers don't respect this instruction, due to their integrated password management mechanism, and offer to users to store password internally. Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly. Required Skills for Successful Exploitation First and foremost, attacker needs either physical access or user-level code execution rights for successful exploitation. Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the autocomplete feature to see previously entered values.
External References
Classification
password_id
Request
GET / HTTP/1.1
Response
…span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
<input name="password_id" type="password" id="password_id" class="form-control input-lg format_input_login" placeholder="Contraseña" /> <span class="fa fa-lock signin-form-icon"></span>
</div>
<!-- / Password -->
</div>
<!-- / Form -->
</d
…
password_id
Request
POST / HTTP/1.1
Response
…span class="fa fa-user signin-form-icon"></span>
</div>
<!-- / Username -->
<div class="form-group w-icon">
<input name="password_id" type="password" id="password_id" class="form-control input-lg format_input_login" placeholder="Contraseña" /> <span class="fa fa-lock signin-form-icon"></span>
</div>
<!-- / Password -->
</div>
<!-- / Form -->
</d
…
16. OPTIONS Method Enabled
pentestonline.es detected that OPTIONS method is allowed. This issue is reported as extra information.
Impact Information disclosed from this page can be used to gain additional information about the target system.
Remedy Disable OPTIONS method in all production systems.
External References
Classification
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS / HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/demo/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /Resources/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /Resources/images/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/images/ HTTP/1.1
Response
HTTP/1.1 200 OK
OPTIONS, TRACE, GET, HEAD, POST
Request
OPTIONS /assets/images/plugins/ HTTP/1.1
Response
HTTP/1.1 200 OK
17. Forbidden Resource
pentestonline.es identified a forbidden resource.
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for informational purposes.
Impact This issue is reported as additional information only. There is no direct impact arising from this issue.
Classification
Request
GET /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /assets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /assets/demo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /Resources/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /Resources/images/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /trace.axd HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Request
GET /assets/images/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:39 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Request
GET /assets/images/plugins/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:39 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
18. Out-of-date Version (jQuery)
pentestonline.es identified the target web site is using jQuery and detected that it is out of date.
Impact Since this is an old version of the software, it may be vulnerable to attacks.
Remedy Please upgrade your installation of jQuery to the latest stable version.
Remedy References
Classification
2.0.3
2.2.4 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
GET / HTTP/1.1
Response
/2.0.3/jquery.min.js ">' + "<" + "/script>"); </script>/1.8.3/jquery.min.js ">'+"<"+"/script>"); </script>
2.0.3
2.2.4 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
POST / HTTP/1.1
Response
/2.0.3/jquery.min.js ">' + "<" + "/script>"); </script>/1.8.3/jquery.min.js ">'+"<"+"/script>"); </script>
19. Out-of-date Version (Moment.js)
pentestonline.es identified that the target web site is using Moment.js and detected that it is out of date.
Impact Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Moment.js to the latest stable version.
Remedy References
Classification
2.5.1
2.24.0 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
2.5.1
2.24.0 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
20. ASP.NET Identified
pentestonline.es identified that the target website is using ASP.NET as its web application framework.
This issue is reported as extra information only.
Impact This issue is reported as additional information only. There is no direct impact arising from this issue.
Classification
OWASP-PC-C7 CVSS 3.0
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
Base: 5.3 (Medium)
Temporal: 5.1 (Medium)
Environmental: 5.1 (Medium)
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OKX-Powered-By: ASP.NET
21. Out-of-date Version (jQuery UI Autocomplete)
pentestonline.es identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.
Impact Since this is an old version of the software, it may be vulnerable to attacks.
Remedy Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.
Remedy References
Classification
1.10.4
1.12.0 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
1.10.4
1.12.0 (in this branch)
Result is based on 04/05/2019 16:30:00 vulnerability database content.
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
22. Version Disclosure (IIS)
pentestonline.es identified a version disclosure (IIS) in target web server's HTTP response.
This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of IIS.
Impact An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Remedy Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
Remedy References
Classification
Microsoft-IIS/8.5
Certainty
Request
GET /assets/javascripts/ie.min.js HTTP/1.1
Response
HTTP/1.1 200 OKServer: Microsoft-IIS/8.5
23. [Possible] Internal Path Disclosure (Windows)
pentestonline.es identified a possible Internal Path Disclosure (Windows) in the document.
Impact There is no direct impact, however this information can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
Remedy Ensure this is not a false positive. Due to the nature of the issue, pentestonline.es could not confirm that this file path was actually the real file path of the target web server.
Error messages should be disabled. Remove this kind of sensitive data from the output. External References
Classification
Parameters
Parameter
Type
Value
Query Based
Query String
'"--></style></scRipt><scRipt src="//en5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius.r87.me"></s...
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs
Certainty
Request
GET /?%27%22--%3e%3c%2fstyle%3e%3c%2fscRipt%3e%3cscRipt%20src%3d%22%2f%2fen5k_y54-pfmmjdpxw0jylmw7ejnljou7quqmkj2ius%26%2346%3br87%26%2346%3bme%22%3e%3c%2fscRipt%3e HTTP/1.1
Response
… <code><pre>
[No relevant source lines]</pre></code>
</td>
</tr>
</table>
<br>
<b> Source File: </b>
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs <b> Line: </b> 0
<br><br>
<b>Stack Trace:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr>
<td>
…cludeStagesAfterAsyncPoint) +345
System.Web.UI.Page.ProcessRequest() +75
System.Web.UI.Page.ProcessRequest(HttpContext context) +70
ASP.default_aspx.ProcessRequest(HttpContext context) in
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs :0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +790
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
System.Web.HttpApplicat
…n includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.default_aspx.ProcessRequest(HttpContext context) in
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs :line 0
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at Sys
…
Parameters
Parameter
Type
Value
username_id
POST
<?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "file:///C:/Windows/System32...
__VIEWSTATE
POST
__VIEWSTATE_KEY
POST
VS_52.143.173.9_637159022021935337
ctl01
POST
Inicia sesión
password_id
POST
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs
Certainty
Request
POST / HTTP/1.1
Response
… <code><pre>
[No relevant source lines]</pre></code>
</td>
</tr>
</table>
<br>
<b> Source File: </b>
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs <b> Line: </b> 0
<br><br>
<b>Stack Trace:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr>
<td>
…cludeStagesAfterAsyncPoint) +345
System.Web.UI.Page.ProcessRequest() +75
System.Web.UI.Page.ProcessRequest(HttpContext context) +70
ASP.default_aspx.ProcessRequest(HttpContext context) in
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs :0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +790
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +195
System.Web.HttpApplicat
…n includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.default_aspx.ProcessRequest(HttpContext context) in
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\72737181\3efab75d\App_Web_ttvm1rai.4.cs :line 0
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at Sys
…
24. SameSite Cookie Not Implemented
Cookies are typically sent to third parties in cross origin requests. This can be abused to do CSRF attacks. Recently a new cookie attribute named SameSite was proposed to disable third-party usage for some cookies, to prevent CSRF attacks.
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Remedy The server can set a same-site cookie by adding the SameSite=... attribute to the Set-Cookie header:
Set-Cookie: key=value; SameSite=strict
There are two possible values for the same-site attribute:
In the strict mode, the cookie is not sent with any cross-site usage even if the user follows a link to another website. Lax cookies are only sent with a top-level get request.
External References
Classification
HTTP Header
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OKSet-Cookie: ASP.NET_SessionId=54c5dwctoptf0vzaryw3rymi; path=/; HttpOnly Set-Cookie: q2blng=ca-ES; expires=Wed, 05-Feb-2020 12:43:22 GMT; path=/
25. Subresource Integrity (SRI) Not Implemented
Subresource Integrity (SRI) provides a mechanism to check integrity of the resource hosted by third parties like Content Delivery Networks (CDNs) and verifies that the fetched resource has been delivered without unexpected manipulation.
SRI does this using hash comparison mechanism. In this way, hash value declared in HTML elements (for now only script and link elements are supported) will be compared with the hash value of the resource hosted by third party.
Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source.
Remedy Using Subresource Integrity is simply to add integrity attribute to the script tag along with a base64 encoded cryptographic hash value.
<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script> The hash algorithm must be one of sha256 , sha384 or sha512 , followed by a '-' character.
External References
Classification
http://fonts.googleapis.com/css?family=Open Sans:300italic,400italic,600italic,700italic,400,600,700,300&subset=latin
https://unpkg.com/sweetalert/dist/sweetalert.min.js
Certainty
Request
GET / HTTP/1.1
Response
<link href="http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,400,600,700,300&subset=latin" rel="stylesheet" type="text/css"> <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
http://fonts.googleapis.com/css?family=Open Sans:300italic,400italic,600italic,700italic,400,600,700,300&subset=latin
https://unpkg.com/sweetalert/dist/sweetalert.min.js
Certainty
Request
POST / HTTP/1.1
Response
<link href="http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,400,600,700,300&subset=latin" rel="stylesheet" type="text/css"> <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
26. Content Security Policy (CSP) Not Implemented
CSP is an added layer of security that helps to mitigate mainly Cross-site Scripting attacks.
CSP can be enabled instructing the browser with a Content-Security-Policy directive in a response header;
Content-Security-Policy: script-src 'self'; or in a meta tag;
<meta http-equiv="Content-Security-Policy" content="script-src 'self';"> In the above example, you can restrict script loading only to the same domain. It will also restrict inline script executions both in the element attributes and the event handlers. There are various directives which you can use by declaring CSP:
script-src: Restricts the script loading resources to the ones you declared. By default, it disables inline script executions unless you permit to the evaluation functions and inline scripts by the unsafe-eval and unsafe-inline keywords. base-uri: Base element is used to resolve relative URL to absolute one. By using this CSP directive, you can define all possible URLs which could be assigned to base-href attribute of the document. frame-ancestors : It is very similar to X-Frame-Options HTTP header. It defines the URLs by which the page can be loaded in an iframe. frame-src / child-src : frame-src is the deprecated version of child-src. Both define the sources that can be loaded by iframe in the page. (Please note that frame-src was brought back in CSP 3) object-src : Defines the resources that can be loaded by embedding such as Flash files, Java Applets. img-src : As its name implies, it defines the resources where the images can be loaded from. connect-src : Defines the whitelisted targets for XMLHttpRequest and WebSocket objects. default-src : It is a fallback for the directives that mostly ends with -src suffix. When the directives below are not defined, the value set to default-src will be used instead:
child-src connect-src font-src img-src manifest-src media-src object-src script-src style-src
When setting the CSP directives, you can also use some CSP keywords:
none : Denies loading resources from anywhere. self : Points to the document's URL (domain + port). unsafe-inline : Permits running inline scripts. unsafe-eval : Permits execution of evaluation functions such as eval().
In addition to CSP keywords, you can also use wildcard or only a scheme when defining whitelist URLs for the points. Wildcard can be used for subdomain and port portions of the URLs:
Content-Security-Policy: script-src https://*.example.com ; Content-Security-Policy: script-src https://example.com :*; Content-Security-Policy: script-src https:; It is also possible to set a CSP in Report-Only mode instead of forcing it immediately in the migration period. Thus you can see the violations of the CSP policy in the current state of your web site while migrating to CSP:
Content-Security-Policy-Report-Only: script-src 'self'; report-uri: https://example.com ; Impact There is no direct impact of not implementing CSP on your website. However, if your website is vulnerable to a Cross-site Scripting attack CSP can prevent successful exploitation of that vulnerability. By not implementing CSP you’ll be missing out this extra layer of security.
Actions to Take
Enable CSP on your website by sending the Content-Security-Policy in HTTP response headers that instruct the browser to apply the policies you specified. Apply the whitelist and policies as strict as possible. Rescan your application to see if pentestonline.es identifies any weaknesses in your policies. Remedy Enable CSP on your website by sending the Content-Security-Policy in HTTP response headers that instruct the browser to apply the policies you specified.
External References
Classification
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/images/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /trace.axd HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
27. Missing X-XSS-Protection Header
pentestonline.es detected a missing X-XSS-Protection header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.
Impact This issue is reported as additional information only. There is no direct impact arising from this issue.
Remedy Add the X-XSS-Protection header with a value of "1; mode= block".
External References
Classification
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/javascripts/bootstrap.min.js HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/demo/demo.js HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/stylesheets/pages.min.css HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/stylesheets/rtl.min.css HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
28. Referrer-Policy Not Implemented
pentestonline.es detected that no Referrer-Policy header implemented.
Referrer-Policy is a security header designed to prevent cross-domain Referer leakage.
Impact Referer header is a request header that indicates the site which the traffic originated from. If there is no adequate prevention in place, the URL itself, and even sensitive information contained in the URL will be leaked to the cross-site.
The lack of Referrer-Policy header might affect privacy of the users and site's itself
Actions to Take In a response header:
Referrer-Policy: no-referrer | same-origin | origin | strict-origin | no-origin-when-downgrading In a META tag
<meta name="Referrer-Policy" value="no-referrer | same-origin"/> In an element attribute
<a href=" http://crosssite.example.com " rel="noreferrer"></a> or
<a href=" http://crosssite.example.com " referrerpolicy="no-referrer | same-origin | origin | strict-origin | no-origin-when-downgrading"></a> Remedy Please implement a Referrer-Policy by using the Referrer-Policy response header or by declaring it in the meta tags. It’s also possible to control referrer information over an HTML-element by using the rel attribute.
External References
Classification
Certainty
Request
GET / HTTP/1.1
Response
HTTP/1.1 200 OK
Certainty
Request
GET /assets/javascripts/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/logo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/stylesheets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/themes/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /assets/demo/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /Resources/images/ HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1233
Content-Type: text/html
Date: Wed, 29 Jan 2020 12:43:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Certainty
Request
GET /trace.axd HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Certainty
Request
POST / HTTP/1.1
Response
HTTP/1.1 200 OK
29. Expect-CT Not Enabled
pentestonline.es identified that Expect-CT is not enabled.
Certificate Transparency is a technology that makes impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
Google announced that, starting with April 2018, if it runs into a certificate that is not seen in Certificate Transparency (CT) Log, it will consider that certificate invalid and reject the connection. Thus sites should serve certificate that takes place in CT Logs. While handshaking, sites should serve a valid Signed Certificate Timestamp (SCT) along with the certificate itself.
Expect-CT can also be used for detecting the compatibility of the certificates that are issued before the April 2018 deadline. For instance, a certificate that was signed before April 2018, for 10 years it will be still posing a risk and can be ignored by the certificate transparency policy of the browser. By setting Expect-CT header, you can prevent misissused certificates to be used.
Remedy Configure your web server to respond with Expect-CT header.
Expect-CT: enforce, max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL "
Note: We strongly suggest you to use Expect-CT header in report-only mode first. If everything goes well and your certificate is ready, go with the Expect-CT enforce mode. To use report-only mode first, omit enforce flag and see the browser's behavior with your deployed certificate.
Expect-CT: max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL " External References
Classification
Certainty
Request
GET /assets/javascripts/bootstrap.min.js HTTP/1.1
Response
HTTP/1.1 200 OK