
Website_Scanner-http___darkend.sytes.net-20250504-1242

The website vulnerability scanner report for http://darkend.sytes.net/ indicates a high overall risk level with various vulnerabilities found, including critical issues related to Apache HTTP Server configurations and missing security headers. Recommendations include upgrading software versions, implementing HTTPS, and adding necessary security headers to mitigate risks. The scan was completed on May 02, 2025, and revealed multiple confirmed and unconfirmed vulnerabilities that could be exploited by attackers.

Uploaded by romanianfreck

Website Vulnerability Scanner Report

http://darkend.sytes.net/

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with 40+ tests and detect more vulnerabilities.

Summary

Overall risk level: High

Risk ratings:
Critical: 0
High: 1
Medium: 1
Low: 6
Info: 42

Scan information:
Start time: May 02, 2025 / 21:03:00 UTC+09
Finish time: May 02, 2025 / 21:07:55 UTC+09
Scan duration: 4 min, 55 sec
Tests performed: 50/50
Scan status: Finished

Findings

 Vulnerabilities found for server-side software UNCONFIRMED 


port 80/tcp

CVE-2023-25690 | CVSS 9.8 | Affected software: http_server 2.4.6
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

CVE-2024-38474 | CVSS 9.8 | Affected software: http_server 2.4.6
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38476 | CVSS 9.8 | Affected software: http_server 2.4.6
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVE-2022-37454 | CVSS 9.8 | Affected software: php 7.2.34
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

CVE-2022-36760 | CVSS 9 | Affected software: http_server 2.4.6
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.

CVE-2017-3167 | CVSS 7.5 | Affected software: http_server 2.4.6
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVE-2017-8923 | CVSS 7.5 | Affected software: php 7.2.34
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

CVE-2022-31629 | CVSS 6.5 | Affected software: php 7.2.34
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

CVE-2022-4900 | CVSS 6.2 | Affected software: php 7.2.34
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVE-2022-31628 | CVSS 5.5 | Affected software: php 7.2.34
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
 Details

Risk description:
The risk is that an attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to
attack the system.

Recommendation:
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest
version.

Classification:
CWE : CWE-1026
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2021 : A6 - Vulnerable and Outdated Components

 Communication is not secure CONFIRMED


port 80/tcp

| URL | Response URL | Evidence |
| --- | --- | --- |
| http://darkend.sytes.net/ | http://darkend.sytes.net/ | Communication is made over unsecure, unencrypted HTTP. |

 Details

Risk description:
The risk is that an attacker who manages to intercept the communication at the network level can read and modify the data transmitted
(including passwords, secret tokens, credit card information and other sensitive data).

Recommendation:
We recommend you to reconfigure the web server to use HTTPS - which encrypts the communication between the web browser and the
server.

Classification:
CWE : CWE-311
OWASP Top 10 - 2017 : A3 - Sensitive Data Exposure
OWASP Top 10 - 2021 : A4 - Insecure Design

 Missing security header: Content-Security-Policy CONFIRMED
port 80/tcp

| URL | Evidence |
| --- | --- |
| http://darkend.sytes.net/ | Response does not include the HTTP Content-Security-Policy security header or meta tag |

 Details

Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

Recommendation:
Configure the Content-Security-Policy header to be sent with each HTTP response in order to apply the specific policies needed by the application.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: Referrer-Policy CONFIRMED


port 80/tcp

| URL | Evidence |
| --- | --- |
| http://darkend.sytes.net/ | Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response. |

 Details

Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g. "https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.

References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: X-Content-Type-Options CONFIRMED


port 80/tcp

| URL | Evidence |
| --- | --- |
| http://darkend.sytes.net/ | Response headers do not include the X-Content-Type-Options HTTP security header |

 Details

Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.

Recommendation:
We recommend setting the X-Content-Type-Options header, for example X-Content-Type-Options: nosniff.

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 HTTP Debug methods enabled CONFIRMED


port 80/tcp

| URL | Method | Summary |
| --- | --- | --- |
| http://darkend.sytes.net/?canary=qrkisdxqkv | TRACE | We injected a random query parameter inside a HTTP TRACE request. The server responded with a 200 OK HTTP status code and we found the random value reflected in the body of the response. |

 Details

Risk description:
The only risk this might present nowadays is revealing HTTP headers that have been appended by intermediate proxy servers on the way
to the destination. This can present a danger if any of those headers contain sensitive information like authentication information, secret
keys.

Recommendation:
Generally, it is good practice to disable unused functionality to minimize your attack surface. We recommend that you disable unused
HTTP methods, or even better, allow only the ones that you know are used. This can be done using your webserver configuration.

References:
https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#reqmethod
https://docs.microsoft.com/en-us/iis/manage/configuring-security/use-request-filtering#filter-by-verbs
https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except

Classification:
CWE : CWE-16
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 


port 80/tcp

| Software / Version | Category |
| --- | --- |
| ApexCharts.js | JavaScript graphics |
| CentOS | Operating systems |
| jQuery CDN | CDN |
| toastr 2.1.4 | JavaScript frameworks |
| core-js 3.9.0 | JavaScript libraries |
| Google Font API | Font scripts |
| Apache HTTP Server 2.4.6 | Web servers |
| jQuery 3.5.1 | JavaScript libraries |
| Moment.js 2.29.4 | JavaScript libraries |
| PHP 7.2.34 | Programming languages |
| Popper | Miscellaneous |
| Quill | Rich text editors |
| SweetAlert2 | JavaScript libraries |
| Chart.js | JavaScript graphics |
| Dropzone 5.9.3 | JavaScript libraries |

 Details

Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

Screenshot:

Figure 1. Website Screenshot

 Server software identified UNCONFIRMED 


port 80/tcp

| URL | Page Title | Page Size | Summary |
| --- | --- | --- | --- |
| http://darkend.sytes.net/icons/README | | 4.99 KB | Apache default file found. |

 Details

Risk description:
The risk is that this information could be used by an attacker to mount specific attacks against the server and the application.

Recommendation:
We recommend you to remove these files if they are not needed for business purposes.

Classification:
CWE : CWE-200
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Security.txt file is missing CONFIRMED


port 80/tcp

URL

Missing: http://darkend.sytes.net/.well-known/security.txt

 Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend that you implement the security.txt file according to the standard, so that researchers or users can report any security issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 HTTP OPTIONS enabled CONFIRMED


port 80/tcp

| URL | Method | Summary |
| --- | --- | --- |
| http://darkend.sytes.net/ | OPTIONS | We did a HTTP OPTIONS request. The server responded with a 200 status code and the header: Allow: GET,HEAD,POST,OPTIONS,TRACE |

 Details

Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if
any of those methods can lead to sensitive information, like authentication information, secret keys.

Recommendation:
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your
webserver configuration.

References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/

Classification:
CWE : CWE-16
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Spider results

| URL | Method | Page Title | Page Size | Status Code |
| --- | --- | --- | --- | --- |
| http://darkend.sytes.net/ | GET | | 54 B | 200 |
| http://darkend.sytes.net/icons/README | GET | | 4.99 KB | 200 |

 Details

Risk description:
The table contains all the unique pages the scanner found. Duplicated URLs are not listed here, as scanning them is considered unnecessary.

Recommendation:
We recommend that advanced users make sure the scan properly detected most of the URLs in the application.

References:
All the URLs the scanner found, including duplicates (available for 90 days after the scan date)

 Email Address Exposure UNCONFIRMED 
port 80/tcp

| URL | Method | Parameters | Evidence |
| --- | --- | --- | --- |
| http://darkend.sytes.net/icons/README | GET | Headers: User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 | Email Address: [email protected], [email protected] |

 Details

Risk description:
The risk is that exposed email addresses within the application could be accessed by unauthorized parties. This could lead to privacy
violations, spam, phishing attacks, or other forms of misuse.

Recommendation:
Compartmentalize the application to have 'safe' areas where trust boundaries can be unambiguously drawn. Do not allow email addresses
to go outside of the trust boundary, and always be careful when interfacing with a compartment outside of the safe area.

References:
https://owasp.org/Top10/A04_2021-Insecure_Design/

Classification:
CWE : CWE-200
OWASP Top 10 - 2017 : A6: Security Misconfiguration
OWASP Top 10 - 2021 : A4: Insecure Design

 Website is accessible.

 Nothing was found for client access policies.

 Nothing was found for robots.txt file.

 Nothing was found for outdated JavaScript libraries.

 Nothing was found for use of untrusted certificates.

 Nothing was found for administration consoles.

 Nothing was found for information disclosure.

 Nothing was found for sensitive files.

 Nothing was found for interesting files.

 Nothing was found for directory listing.

 Nothing was found for passwords submitted unencrypted.

 Nothing was found for error messages.

 Nothing was found for debug messages.

 Nothing was found for code comments.

 Nothing was found for missing HTTP header - Strict-Transport-Security.

 Nothing was found for missing HTTP header - Feature.

 Nothing was found for Insecure Direct Object Reference.

 Nothing was found for passwords submitted in URLs.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for mixed content between HTTP and HTTPS.

 Nothing was found for cross domain file inclusion.

 Nothing was found for internal error code.

 Nothing was found for HttpOnly flag of cookie.

 Nothing was found for Secure flag of cookie.

 Nothing was found for login interfaces.

 Nothing was found for secure password submission.

 Nothing was found for sensitive data.

 Nothing was found for Server Side Request Forgery.

 Nothing was found for Open Redirect.

 Nothing was found for Exposed Backup Files.

 Nothing was found for unsafe HTTP header Content Security Policy.

 Nothing was found for OpenAPI files.

 Nothing was found for file upload.

 Nothing was found for SQL statement in request parameter.

 Nothing was found for password returned in later response.

 Nothing was found for Path Disclosure.

 Nothing was found for Session Token in URL.

 Nothing was found for API endpoints.

Scan coverage information

List of tests performed (50/50)


 Starting the scan...
 Checking for secure communication...
 Checking for missing HTTP header - Content Security Policy...
 Checking for missing HTTP header - Referrer...
 Checking for missing HTTP header - X-Content-Type-Options...
 Spidering target...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for outdated JavaScript libraries...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for administration consoles...
 Checking for information disclosure... (this might take a few hours)
 Checking for software identification...
 Checking for emails...
 Checking for sensitive files...
 Checking for interesting files... (this might take a few hours)
 Checking for enabled HTTP OPTIONS method...
 Checking for directory listing...
 Checking for passwords submitted unencrypted...
 Checking for error messages...
 Checking for debug messages...
 Checking for code comments...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for missing HTTP header - Feature...
 Checking for Insecure Direct Object Reference...
 Checking for passwords submitted in URLs...
 Checking for domain too loose set for cookies...
 Checking for mixed content between HTTP and HTTPS...
 Checking for cross domain file inclusion...
 Checking for internal error code...
 Checking for HttpOnly flag of cookie...
 Checking for Secure flag of cookie...
 Checking for login interfaces...
 Checking for secure password submission...

 Checking for sensitive data...
 Checking for Server Side Request Forgery...
 Checking for Open Redirect...
 Checking for Exposed Backup Files...
 Checking for unsafe HTTP header Content Security Policy...
 Checking for OpenAPI files...
 Checking for file upload...
 Checking for SQL statement in request parameter...
 Checking for password returned in later response...
 Checking for Path Disclosure...
 Checking for Session Token in URL...
 Checking for API endpoints...

Scan parameters
target: http://darkend.sytes.net/
scan_type: Light
authentication: False

Scan stats
Unique Injection Points Detected: 2
URLs spidered: 2
Total number of HTTP requests: 14970
Average time until a response was received: 0ms
Total number of HTTP request errors: 282
