Developer Report: Acunetix Website Audit 23 December, 2021

The scan found 2 low severity issues: 1) The site is vulnerable to clickjacking attacks because it is missing an X-Frame-Options header. 2) The TRACE HTTP method is enabled, which could allow sensitive header information to be accessed from other domains. The scan checked 1 URL and found it had 1 input but no vulnerabilities. It completed in 5 minutes and 35 seconds.

Acunetix Website Audit

23 December, 2021

Developer Report

Generated by Acunetix WVS Reporter (v10.5 Build 20160217)


Scan of https://riau.go.id:443/
Scan details

Scan information
Start time 23/12/2021 02:48:09
Finish time 23/12/2021 02:53:44
Scan time 5 minutes, 35 seconds
Profile Default
Server information
Responsive True
Server banner Apache
Server OS Unknown
Server technologies PHP

Threat level
Acunetix Threat Level 1
One or more low-severity type vulnerabilities have been discovered by the scanner.

Alerts distribution

Total alerts found 2


High 0
Medium 0
Low 2
Informational 0

Knowledge base
List of files with inputs
These files have at least one input (GET or POST).

- / - 1 input
List of external hosts
These hosts were linked from this website but they were not scanned because they are not listed in the list of hosts allowed.
(Configuration-> Scan Settings ->Scanning Options-> List of hosts allowed).

- www.riau.go.id

Alerts summary
Acunetix Website Audit 2

Clickjacking: X-Frame-Options header missing


Classification
CVSS Base Score: 6.8

- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial

CWE: CWE-693
Affected items: Web Server (1 variation)

TRACE method is enabled


Classification
CVSS Base Score: 0.0

- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None

CWE: CWE-16
Affected items: Web Server (1 variation)

Alert details

Clickjacking: X-Frame-Options header missing

Severity Low
Type Configuration
Reported by module Scripting (Clickjacking_X_Frame_Options.script)
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about the possible
values for this header.
References
Clickjacking Protection for Java EE
Frame Buster Buster
Defending with Content Security Policy frame-ancestors directive
OWASP Clickjacking
Clickjacking
The X-Frame-Options response header
Affected items

Web Server
Details
No details are available.
Request headers
GET / HTTP/1.1
Host: riau.go.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

TRACE method is enabled

Severity Low
Type Validation
Reported by module Scripting (Track_Trace_Server_Methods.script)
Description
HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.
Impact
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.
Recommendation
Disable TRACE Method on the web server.
References
Cross-site tracing (XST)
US-CERT VU#867593
W3C - RFC 2616
Affected items

Web Server
Details
No details are available.
Request headers
TRACE /THki7hpnWr HTTP/1.1
Host: riau.go.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Scanned items (coverage report)

Scanned 1 URL. Found 0 vulnerable.


URL: https://riau.go.id/
No vulnerabilities have been identified for this URL
1 input(s) found for this URL
Inputs
Input scheme 1
Input name: Host
Input type: HTTP Header