Website Vulnerability Scanner Report (Light)

The document is a vulnerability scanner report that found: 1) Several vulnerabilities in an outdated version of WordPress including PHP object injection, SSRF, and deserialization issues. 2) Insecure cookie settings without the Secure flag and a domain set too broadly. 3) Missing security headers like Strict-Transport-Security and Content-Security-Policy. The report recommends upgrading software and configuring cookies and security headers to mitigate risks.

Uploaded by Özcan Döngel
Copyright © All Rights Reserved

Website Vulnerability Scanner Report (Light)

Unlock the full capabilities of this scanner

See what the FULL scanner can do

Perform in-depth website scanning and discover high risk vulnerabilities.

Testing areas (Light scan / Full scan):
Website fingerprinting
Version-based vulnerability detection
Common configuration issues
SQL injection
Cross-Site Scripting
Local/Remote File Inclusion
Remote command execution
Discovery of sensitive files

https://atomwaffendivision.org/

Summary

Overall risk level: High
Risk ratings: High: 1, Medium: 2, Low: 8, Info: 6
Scan information: Start time: 2021-04-12 21:36:28 UTC+03; Finish time: 2021-04-12 21:36:48 UTC+03; Scan duration: 20 sec; Tests performed: 17/17; Scan status: Finished

Findings

Vulnerabilities found for server-side software

Columns: Risk level / CVSS / CVE / Summary / Affected software / Exploit

CVSS: 7.5 | CVE: CVE-2018-20148 | Affected software: WordPress 4.9.3 | Exploit: N/A
Summary: In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

CVSS: 7.5 | CVE: CVE-2019-17669 | Affected software: WordPress 4.9.3 | Exploit: N/A
Summary: WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

CVSS: 7.5 | CVE: CVE-2019-17670 | Affected software: WordPress 4.9.3 | Exploit: N/A
Summary: WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
1/6
CVSS: 7.5 | CVE: CVE-2019-20041 | Affected software: WordPress 4.9.3 | Exploit: N/A
Summary: wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

CVSS: 7.5 | CVE: CVE-2020-28032 | Affected software: WordPress 4.9.3 | Exploit: N/A
Summary: WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Details

Risk description:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service attacks. An attacker could search for an appropriate exploit (or create one) for any of these vulnerabilities and use it to attack the system.

Recommendation:
We recommend upgrading the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Insecure cookie setting: missing Secure flag

Cookie name: __cfduid
URL: https://atomwaffendivision.org/
Evidence: Set-Cookie: __cfduid=d26710b3e4ded0913285b330683d42f781618252588; expires=Wed, 12-May-21 18:36:28 GMT; path=/; domain=.atomwaffendivision.org; HttpOnly; SameSite=Lax

Details

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and steal the user's cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation:
Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted channel. Ensure that the Secure flag is set for cookies containing such sensitive information.
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Insecure cookie setting: domain too loose

Cookie name: __cfduid
URL: https://atomwaffendivision.org/
Evidence: Set-Cookie domain attribute: .atomwaffendivision.org

Details

Risk description:
A cookie may be used in multiple subdomains belonging to the same domain. For instance, a cookie set for example.com may be sent along with requests to dev.example.com, calendar.example.com or hostedsite.example.com. Potentially risky websites under your main domain may access those cookies and use the victim's session on the main site.

Recommendation:
The Domain attribute should be set to the origin host to limit the scope to that particular server. For example, if the application resides on the server app.mysite.com, then it should be set to Domain=app.mysite.com.

Missing security header: Strict-Transport-Security

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the HTTP Strict-Transport-Security header

Details

Risk description:
The HTTP Strict-Transport-Security header instructs the browser to initiate only secure (HTTPS) connections to the web server and deny any unencrypted HTTP connection attempts. Lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the time frame, in seconds, for which HTTPS is required and should be chosen quite high, e.g. several months. A value below 7776000 is considered too low by this scanner check.
The flag includeSubDomains specifies that the policy also applies to subdomains of the sender of the response.

Missing security header: Content-Security-Policy

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the HTTP Content-Security-Policy security header

Details

Risk description:
The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting (XSS) vulnerabilities. If the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

Recommendation:
Configure the Content-Security-Policy header to be sent with each HTTP response in order to apply the specific policies needed by the application.

Read more about CSP:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Missing security header: X-Frame-Options

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the HTTP X-Frame-Options security header

Details

Risk description:
Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third-party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without the user's consent (e.g. delete user, subscribe to newsletter, etc.). This is called a Clickjacking attack and it is described in detail here:
https://owasp.org/www-community/attacks/Clickjacking

Recommendation:
We recommend adding the X-Frame-Options HTTP header with the value DENY or SAMEORIGIN to every page that you want to be protected against Clickjacking attacks.

More information about this issue:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

Missing security header: X-XSS-Protection

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the HTTP X-XSS-Protection security header

Details

Risk description:
The X-XSS-Protection HTTP header instructs the browser to stop loading a web page when it detects a reflected Cross-Site Scripting (XSS) attack. Lack of this header exposes application users to XSS attacks in case the web application contains such a vulnerability.

Recommendation:
We recommend setting the header to X-XSS-Protection: 1; mode=block.

More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Missing security header: X-Content-Type-Options

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the X-Content-Type-Options HTTP security header

Details

Risk description:
The HTTP header X-Content-Type-Options is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.

Recommendation:
We recommend setting the header to X-Content-Type-Options: nosniff.

More information about this issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Missing security header: Referrer-Policy

URL: https://atomwaffendivision.org/
Evidence: Response headers do not include the Referrer-Policy HTTP security header

Details

Risk description:
The Referrer-Policy HTTP header controls how much referrer information the browser will send with each request originating from the current web application.
For instance, if a user visits the web page "http://example.com/pricing/" and clicks a link on that page going to e.g. "https://www.google.com", the browser will send the full originating URL to Google in the Referer header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value no-referrer of this header instructs the browser to omit the Referer header entirely.

Read more:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Server software and technology found

Software / Version: Twitter Bootstrap | Category: Web Frameworks
Software / Version: WordPress 4.9.3 | Category: CMS, Blogs
Software / Version: CloudFlare | Category: CDN
Software / Version: Font Awesome | Category: Font Scripts
Software / Version: Google Font API | Category: Font Scripts
Software / Version: jQuery | Category: JavaScript Frameworks

Details

Risk description:
An attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend eliminating the information which permits the identification of the software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

More information about this issue:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html

Screenshot:

Robots.txt file found

https://atomwaffendivision.org/robots.txt

Details

Risk description:
There is no particular security risk in having a robots.txt file. However, this file is often misused by website administrators to try to hide some web pages from users. This should not be considered a security measure because these URLs can be easily read directly from the robots.txt file.

Recommendation:
We recommend manually reviewing the entries in robots.txt and removing the ones which lead to sensitive locations in the website (e.g. administration panels, configuration files, etc.).

More information about this issue:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Website is accessible.

Nothing was found for client access policies.

Nothing was found for use of untrusted certificates.

Nothing was found for directory listing.

Nothing was found for secure communication.

Nothing was found for HttpOnly flag of cookie.

Scan coverage information

List of tests performed (17/17)
Checking for website accessibility...
Checking for Secure flag of cookie...
Checking for domain too loose set for cookies...
Checking for missing HTTP header - Strict-Transport-Security...
Checking for missing HTTP header - Content Security Policy...
Checking for missing HTTP header - X-Frame-Options...
Checking for missing HTTP header - X-XSS-Protection...
Checking for missing HTTP header - X-Content-Type-Options...
Checking for missing HTTP header - Referrer...
Checking for website technologies...
Checking for vulnerabilities of server-side software...
Checking for robots.txt file...
Checking for client access policies...
Checking for use of untrusted certificates...
Checking for directory listing...
Checking for secure communication...
Checking for HttpOnly flag of cookie...

Scan parameters
Website URL: https://atomwaffendivision.org/
Scan type: Light
Authentication: False
