WAS Scan Report
Scan Report
03 Jun 2024
Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.
Takashi Moriyama
Moriyama
mryam3tm
17203 NE 33rd St
Redmond, Washington 98052
United States of America
Target and Filters
Scans (1)
Web Application Vulnerability Scan - Redmunch - May 30, 2024
Web Applications (1)
Redmunch
Summary
Security Risk
Vulnerabilities
Sensitive Contents
Information Gathered
2
0
18
Findings by Severity
Vulnerabilities by Group
OWASP Top 10 2021 Vulnerabilities
Scan
Date
Level 5
Level 4
Level 3
Level 2
Level 1
Sensitive Contents
Information Gathered
Web Application Vulnerability Scan - Redmunch - May 30, 2024
30 May 2024 14:01 GMT-0800
0
0
1
0
1
0
18
Results (20)
Vulnerability (2)
Path Disclosure (1)
150246 Path-relative stylesheet import (PRSSI) vulnerability (1)
150246 Path-relative stylesheet import (PRSSI) vulnerability
URL: https://www.redmunch.com/
Finding #
26575898 (295486694)
Severity
Confirmed Vulnerability - Level 1
Unique #
cf494cfe-cb22-4858-9eac-f5726483b969
Group
Path Disclosure
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
-
CVSS V3 Base: 3.1
CVSS V3 Temporal: 2.9
CVSS V3 Attack Vector: Network
Details
Threat
Relative URLs can be dangerous because the browser may not determine the correct base directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

References:
Evil CSS Injection
Relative Path Overwrite Attack
Research paper: Large-Scale Analysis of Style Injection by Relative Path Overwrite

Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.
Solution
It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag to the document, which defines the base URL (target location) for all relative URLs.

The vulnerability can also be mitigated by using the following best practices to harden the web pages:

  • Set a DOCTYPE which does not allow Quirks mode, as explained at https://hsivonen.fi/doctype/
  • Set the response header X-Frame-Options: deny
  • Set the response header X-Content-Type-Options: nosniff
Detection Information
Parameter
No parameter was required to detect this finding.
Authentication
No authentication was required to detect this vulnerability.
Access Path
Here is the path followed by the scanner to reach the exploitable URL:
http://www.redmunch.com/
Payloads
#1 Request
GET https://www.redmunch.com/
Referer: http://www.redmunch.com/
Host: www.redmunch.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.177 Safari/537.36
Accept: */*
Click this link to try to reproduce the vulnerability using the above payload. Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response

Relative Path CSS Links found:
<link rel="stylesheet" href="styles.css">
Information Disclosure (1)
150124 Clickjacking - Framable Page (1)
150124 Clickjacking - Framable Page
URL: https://www.redmunch.com/
Finding #
26552922 (295486693)
Severity
Confirmed Vulnerability - Level 3
Unique #
873649f2-b263-4d5e-933c-81cffd2edcd4
Group
Information Disclosure
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
CVSS V3 Base: 5.8
CVSS V3 Temporal: 5.2
CVSS V3 Attack Vector: Network
Details
Threat
The web page can be framed. This means that clickjacking attacks against users are possible.
Note: For both 150245 and 150124, only 10 pages are reported, and only responses with status code 200 OK are tested and reported.
Impact
With clickjacking, an attacker can trick a victim user into clicking an invisible frame on the web page, thereby causing the victim to take an action they did not intend to take.
Solution
Clickjacking prevention mechanisms include:
- X-Frame-Options: This HTTP response header can be used to prevent framing of web pages.
- Content-Security-Policy: The 'frame-ancestors' directive can be used to prevent framing of web pages.
- Framekiller JavaScript code designed to prevent a malicious user from framing the page. This method is not recommended due to its unreliability.

See the OWASP Clickjacking Defense Cheat Sheet for more information.
To avoid a common X-Frame-Options implementation mistake, see https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger.

Detection Information
Parameter
No parameter was required to detect this finding.
Authentication
No authentication was required to detect this vulnerability.
Access Path
Here is the path followed by the scanner to reach the exploitable URL:
http://www.redmunch.com/
Payloads
#1 Request
GET https://www.redmunch.com/
Host: www.redmunch.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.177 Safari/537.36
Accept: */*
Click this link to try to reproduce the vulnerability using the above payload. Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response
The URI was framed.
Information Gathered (18)
Scan Diagnostics (11)
6 DNS Host Name (1)
6 DNS Host Name
Finding #
12223504 (295486691)
Severity
Information Gathered - Level 1
Unique #
f8e603f4-a946-429d-b777-60de8a52a3bf
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact
N/A
Solution
N/A
 
SSL Data
Flags
-
Protocol
-
Virtual Host
20.69.151.16
IP
20.69.151.16
Port
-
Result
IP address: 20.69.151.16
Host name: No registered hostname
Info List
Info #1
45038 Host Scan Time - Scanner (1)
45038 Host Scan Time - Scanner
Finding #
12223505 (295486692)
Severity
Information Gathered - Level 1
Unique #
1f386f83-5d26-47a6-874f-04218b32d0b7
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.

The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Impact
N/A
Solution
N/A
 
SSL Data
Flags
-
Protocol
-
Virtual Host
www.redmunch.com
IP
20.69.151.16
Port
-
Result
Scan duration: 1152 seconds
Start time: Thu May 30 21:00:58 UTC 2024
End time: Thu May 30 21:20:10 UTC 2024
Info List
Info #1
150009 Links Crawled (1)
150009 Links Crawled
Finding #
12223500 (295486688)
Severity
Information Gathered - Level 1
Unique #
1722cff8-9b9a-49dd-b4f0-e652a816525e
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
The list of unique links crawled and HTML forms submitted by the scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined.

NOTE: This list also includes:
- All the unique links that are reported in QID 150140 (Redundant links/URL paths crawled and not crawled)
- All the forms reported in QID 150152 (Forms Crawled)
- All the forms in QID 150115 (Authentication Form Found)
- Certain requests from QID 150172 (Requests Crawled)

Impact
N/A
Solution
N/A
Results
Duration of crawl phase (seconds): 176.00
Number of links: 4
(This number excludes form requests and links re-requested during authentication.)

https://www.redmunch.com/
https://www.redmunch.com/favicon.ico
http://www.redmunch.com/
http://www.redmunch.com/favicon.ico
 
150010 External Links Discovered (1)
150010 External Links Discovered
Finding #
12230050 (295486686)
Severity
Information Gathered - Level 1
Unique #
6834fca2-b351-4eb8-85e4-cec1bec130db
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
External links discovered during the scan are listed in the Results section. These links were out of scope for the scan and were not crawled.
Impact
N/A
Solution
N/A
Results
Number of links: 6
https://appservice.azureedge.net/css/static-apps/v3/main.css
https://appservice.azureedge.net/images/static-apps/v3/favicon.svg
https://appservice.azureedge.net/scripts/static-apps/v3/loc.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js
 
150020 Links Rejected By Crawl Scope or Exclusion List (1)
150020 Links Rejected By Crawl Scope or Exclusion List
Finding #
12223495 (295486678)
Severity
Information Gathered - Level 1
Unique #
948eaedf-9881-471b-a49a-78a70838b359
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
One or more links were not crawled because of an explicit rule to exclude them. This also occurs if a link is malformed.

Exclude list and include list entries can cause links to be rejected. If a scan is limited to a specific starting directory, then links outside that directory will be neither crawled nor tested.

Links that contain a host name or IP address different from the target application are considered external links and not crawled by default; those types of links are not listed here. This often happens when the scope of a scan is limited to the directory of the starting URL. The scope can be changed in the Web Application Record.

During the test phase, some path-based tests may be rejected if the scan is limited to the directory of the starting URL and the test would fall outside that directory. In these cases, the number of rejected links may be too high to list in the Results section.

Impact
Links listed here were neither crawled nor tested by the Web application scanning engine.
Solution
A link might have been intentionally matched by an exclude or include list entry. Verify that no links in this list were unintentionally rejected.
Results
Links not permitted:
(This list includes links from QIDs: 150010,150041,150143,150170)

External links discovered:
https://appservice.azureedge.net/css/static-apps/v3/main.css
https://appservice.azureedge.net/images/static-apps/v3/favicon.svg
https://appservice.azureedge.net/scripts/static-apps/v3/loc.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js

IP based excluded links:
 
150021 Scan Diagnostics (1)
150021 Scan Diagnostics
Finding #
12223496 (295486679)
Severity
Information Gathered - Level 1
Unique #
dee15ef4-ec81-4838-befa-e1587bb78a6b
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact
The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution
No action is required.
Results
Loaded 0 exclude list entries.
Loaded 0 allow list entries.
HTML form authentication unavailable, no WEBAPP entry found
Target web application page http://www.redmunch.com/ fetched. Status code:307, Content-Type:text/html, load time:1 milliseconds.
Batch #0 VirtualHostDiscovery: estimated time < 10 minutes (70 tests, 0 inputs)
VirtualHostDiscovery: 70 vulnsigs tests, completed 69 requests, 6 seconds. Completed 69 requests of 70 estimated requests (98.5714%). All tests completed.
Batch #0 CMSDetection: estimated time < 1 minute (1 tests, 1 inputs)
[CMSDetection phase] : No potential CMS found using Blind Elephant algorithm. Aborting the CMS Detection phase
CMSDetection: 1 vulnsigs tests, completed 56 requests, 2 seconds. Completed 56 requests of 56 estimated requests (100%). All tests completed.
Collected 5 links overall in 0 hours 2 minutes duration.
Batch #0 BannersVersionReporting: estimated time < 1 minute (1 tests, 1 inputs)
BannersVersionReporting: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 1 estimated requests (0%). All tests completed.
Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(9 x 2) + paths:(0 x 4) = total (18)
Batch #0 WS Directory Path manipulation: estimated time < 1 minute (9 tests, 4 inputs)
WS Directory Path manipulation: 9 vulnsigs tests, completed 18 requests, 0 seconds. Completed 18 requests of 18 estimated requests (100%). All tests completed.
Batch #0 WS enumeration: estimated time < 1 minute (11 tests, 4 inputs)
WS enumeration: 11 vulnsigs tests, completed 24 requests, 1 seconds. Completed 24 requests of 44 estimated requests (54.5455%). All tests completed.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (113 tests, 0 inputs)
Batch #1 URI parameter manipulation (no auth): 113 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (8 tests, 0 inputs)
Batch #1 URI blind SQL manipulation (no auth): 8 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (16 tests, 0 inputs)
Batch #1 URI parameter time-based tests (no auth): 16 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 URI parameter time-based tests for Apache Struts Vulnerabilities (no auth): estimated time < 1 minute (1 tests, 0 inputs)
Batch #1 URI parameter time-based tests for Apache Struts Vulnerabilities (no auth): 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #4 WebCgiOob: estimated time < 1 minute (135 tests, 1 inputs)
Batch #4 WebCgiOob: 135 vulnsigs tests, completed 360 requests, 8 seconds. Completed 360 requests of 632 estimated requests (56.962%). All tests completed.
Potential LDAP Login Bypass no tests enabled.
No XML requests found. Skipping XXE tests.
Batch #4 DOM XSS exploitation: estimated time < 1 minute (4 tests, 0 inputs)
Batch #4 DOM XSS exploitation: 4 vulnsigs tests, completed 0 requests, 1 seconds. No tests to execute.
Batch #4 HTTP call manipulation: estimated time < 1 minute (38 tests, 0 inputs)
Batch #4 HTTP call manipulation: 38 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #4 Open Redirect analysis: estimated time < 1 minute (2 tests, 0 inputs)
Batch #4 Open Redirect analysis: 2 vulnsigs tests, completed 0 requests, 2 seconds. No tests to execute.
CSRF tests will not be launched because the scan is not successfully authenticated.
Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 5 inputs)
Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. Completed 0 requests of 5 estimated requests (0%). All tests completed.
Batch #4 Cookie manipulation: estimated time < 1 minute (47 tests, 0 inputs)
Batch #4 Cookie manipulation: 47 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #4 Header manipulation: estimated time < 1 minute (47 tests, 4 inputs)
Batch #4 Header manipulation: 47 vulnsigs tests, completed 726 requests, 11 seconds. Completed 726 requests of 520 estimated requests (139.615%). XSS optimization removed 232 links. All tests completed.
Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 4 inputs)
Batch #4 shell shock detector: 1 vulnsigs tests, completed 6 requests, 0 seconds. Completed 6 requests of 4 estimated requests (150%). All tests completed.
Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 0 inputs)
Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Cookies Without Consent no tests enabled.
Batch #5 HTTP Time Bandit: estimated time < 1 minute (1 tests, 10 inputs)
Batch #5 HTTP Time Bandit: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(4 x 2) + paths:(11 x 4) = total (52)
Batch #5 Path XSS manipulation: estimated time < 1 minute (15 tests, 4 inputs)
Batch #5 Path XSS manipulation: 15 vulnsigs tests, completed 50 requests, 1 seconds. Completed 50 requests of 52 estimated requests (96.1538%). All tests completed.
Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(1 x 2) + paths:(0 x 4) = total (2)
Batch #5 Tomcat Vuln manipulation: estimated time < 1 minute (1 tests, 4 inputs)
Batch #5 Tomcat Vuln manipulation: 1 vulnsigs tests, completed 2 requests, 0 seconds. Completed 2 requests of 2 estimated requests (100%). All tests completed.
Path manipulation: Estimated requests (payloads x links): files with extension:(0 x 2) + files:(0 x 2) + directories:(16 x 2) + paths:(0 x 4) = total (32)
Batch #5 Time based path manipulation: estimated time < 1 minute (16 tests, 5 inputs)
Batch #5 Time based path manipulation: 16 vulnsigs tests, completed 64 requests, 660 seconds. Completed 64 requests of 32 estimated requests (200%). All tests completed.
Path manipulation: Estimated requests (payloads x links): files with extension:(1 x 2) + files:(12 x 2) + directories:(145 x 2) + paths:(14 x 4) = total (372)
Batch #5 Path manipulation: estimated time < 1 minute (172 tests, 4 inputs)
Batch #5 Path manipulation: 172 vulnsigs tests, completed 346 requests, 5 seconds. Completed 346 requests of 372 estimated requests (93.0108%). All tests completed.
WebCgiHrsTests: no test enabled
Batch #5 WebCgiGeneric: estimated time < 10 minutes (543 tests, 1 inputs)
Batch #5 WebCgiGeneric: 543 vulnsigs tests, completed 821 requests, 13 seconds. Completed 821 requests of 3008 estimated requests (27.2939%). All tests completed.
Batch #5 Open Redirect analysis: estimated time < 1 minute (2 tests, 0 inputs)
Batch #5 Open Redirect analysis: 2 vulnsigs tests, completed 0 requests, 5 seconds. No tests to execute.
Duration of Crawl Time: 176.00 (seconds)
Duration of Test Phase: 876.00 (seconds)
Total Scan Time: 1052.00 (seconds)

Total requests made: 2752
Average server response time: 0.06 seconds

Average browser load time: 0.06 seconds
 
150152 Forms Crawled (1)
150152 Forms Crawled
Finding #
12223498 (295486681)
Severity
Information Gathered - Level 1
Unique #
29944a3a-c359-4308-98b5-14ec82604e6b
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
The Results section lists the unique forms that were identified and submitted by the scanner. The forms listed in this QID do not include authentication forms (i.e. login forms), which are reported separately under QID 150115.

The scanner performs a redundancy check on forms by inspecting the form fields. Forms determined to be redundant based on identical form fields will not be tested. If desired, you can enable 'Include form action URI in form uniqueness calculation' in the WAS option profile to have the scanner also consider the form's action attribute in the redundancy check.

NOTE: Regular expressions specified under 'Redundant Links' are not applied to forms. Forms (unique or redundant) are not reported under QID 150140.

Impact
N/A
Solution
N/A
Results
Total internal forms seen (this count includes duplicate forms): 0

Crawled forms (Total: 0)
NOTE: This does not include authentication forms. Authentication forms are reported separately in QID 150115
 
150247 Web Server and Technologies Detected (1)
150247 Web Server and Technologies Detected
Finding #
12230048 (295486677)
Severity
Information Gathered - Level 1
Unique #
c90cd845-c851-4555-9b6c-badf4ed92005
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
-
WASC
-
Details
Threat
Information disclosure is an application weakness in revealing sensitive data, such as technical details of the system or environment.

This check reports the various technologies used by the web application based on the information available in different components of the Request-Response.

Impact
An attacker may use sensitive data to exploit the target web application, its hosting network, or its users.
Solution
Ensure that your web servers do not reveal any sensitive information about your technology stack or system details.

Please review the issues reported below:
Results

Number of technologies detected: 1
Technology name: Bootstrap
Technology version: Bootstrap 5.2.3
Matched Components:
html response match:
tible" content="IE=edge">
<title>Azure Static Web Apps - 404: Not found</title>
<link rel="shortcut icon" href="https://appservice.azureedge.net/images/static-apps/v3/favicon.svg" type="image/x-icon">
<link rel="stylesheet" href="https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/css/bootstrap.min.css" crossorigin="anonymous">
<link rel="stylesheet" type="text/css" href="https://appservice.azureedge.net/css/static-apps/v3/main.css">
<script src="https://appservice.azureedge.net/scripts/static-apps/
script tag match:
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js" crossorigin="anonymous"></script>
Matched links: reporting only first 3 links
https://www.redmunch.com/favicon.ico

 
150528 Server Returns HTTP 4XX Error Code During Scanning (1)
150528 Server Returns HTTP 4XX Error Code During Scanning
Finding #
12230047 (295486676)
Severity
Information Gathered - Level 1
Unique #
311bcbc3-d8d2-426d-8876-42d362ff354d
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
During the WAS scan, links with an HTTP 4xx response code were observed; these are listed in the Results section. An HTTP 4xx status indicates a client error. The supported 4xx response codes are listed below:

400 - Bad Request
401 - Unauthorized
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
407 - Proxy Authentication Required
408 - Request Timeout
413 - Payload Too Large
414 - URI Too Long

Impact
The presence of an HTTP 4xx error during the crawl phase indicates that some problem exists on the website that will be encountered during normal usage of the Web application. Note that WAS depends on responses to detect many vulnerabilities: if a link does not respond with the expected response, any vulnerabilities present on that link may not be detected.
Solution
Review each link to determine why the client encountered an error while requesting the link. Additionally review and investigate the results of QID 150042 which lists 5xx errors, QID 150019 which lists unexpected response codes and QID 150097 which lists a potential blocked request.
Results
Number of links with 4xx response code: 1
(Only first 50 such links are listed)

404 https://www.redmunch.com/favicon.ico
 
150545 JavaScript Library Loaded via External Server (1)
150545 JavaScript Library Loaded via External Server
Finding #
12230049 (295486685)
Severity
Information Gathered - Level 1
Unique #
5f2bf708-f3b9-4a42-a0be-18f5bb3341ff
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
-
WASC
-
Details
Threat
WAS reports out-of-scope JavaScript libraries discovered by the scanner during crawling; they are listed in the Results section. Out-of-scope means the link was not "in scope" per the Web Application configuration. Each discovered library is reported only once, based on the page on which it was first detected.

Each library is reported along with other information such as the URL of the page on which it was first found, the version, and the URL of the .js file. Check the results of QID 150176, if present, for the in-scope JavaScript libraries detected.

Impact
When including third-party functionality, such as a JavaScript library, the application trusts the libraries it adds. Without sufficient protection mechanisms, that functionality could be malicious in nature (i.e. by coming from an untrusted source, by being spoofed, or by being modified in transit from a trusted source).
Solution
Use digital signatures or similar mechanisms to verify that the software or data is from the expected source and has not been altered. Ensure that libraries and dependencies are consumed from trusted repositories. If you have a higher risk profile, consider hosting a vetted, internal known-good repository.
Results

Number of unique external facing JS libraries: 2
JavaScript library: Bootstrap
Version: 5.2.3
Script URI: https://ajax.aspnetcdn.com/ajax/bootstrap/5.2.3/bootstrap.min.js
Found on the following page (only the first page is reported):
https://www.redmunch.com/favicon.ico

===============================================================

JavaScript library: jQuery
Version: 3.7.1
Script URI: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.7.1.min.js
Found on the following page (only the first page is reported):
https://www.redmunch.com/favicon.ico

===============================================================
 
150546 First Link Crawled Response Code Information (1)
150546 First Link Crawled Response Code Information
Finding #
12223493 (295486684)
Severity
Information Gathered - Level 1
Unique #
57253852-1721-4aaa-b1dc-b3276f114f2c
Group
Scan Diagnostics
Detection Date
30 May 2024 14:01 GMT-0800
CWE
-
OWASP
-
WASC
-
Details
Threat
The Web server returned the following information for the URL from which the Web application scanning engine started. The information reported includes the first link crawled, the response code, the response headers, and the response body (first 500 characters). The first link crawled is the "Web Application URL (or Swagger file URL)" set in the Web Application profile.
Impact
An erroneous response might be indicative of a problem in the Web server, or the scan configuration.
Solution
Review the information to check if this is in line with the expected scan configuration. Refer to the output of QIDs 150009, 150019, 150021, 150042 and 150528 (if present) for additional details.
Results
Base URI: http://www.redmunch.com/
Response Code: 307
Response Header:
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://www.redmunch.com/
Non-Authoritative-Reason: HSTS

Response Body:
<html><head></head><body></body></html>

 
Security Weaknesses (7)
150202 Missing header: X-Content-Type-Options (1)
150202 Missing header: X-Content-Type-Options
Finding #
12230051 (295486687)
Severity
Information Gathered - Level 2
Unique #
e002eb87-f069-4807-9f5e-dea09f8dc97a
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
Details
Threat
The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link for both static and dynamic responses. The scanner performs the check not only on 200 responses but 4xx and 5xx responses as well. It's also possible the QID will be reported on directory-level links.
Impact
All web browsers employ a content-sniffing algorithm that inspects the contents of HTTP responses and occasionally overrides the MIME type provided by the server. If the X-Content-Type-Options header is not present, browsers can potentially be tricked into treating a non-HTML response as HTML. An attacker can then potentially leverage this behaviour to perform a cross-site scripting (XSS) attack. This specific case is known as a Content-Sniffing XSS (CS-XSS) attack.
Solution
It is recommended to disable browser content sniffing by adding the X-Content-Type-Options header to the HTTP response with a value of 'nosniff'. Also, ensure that the 'Content-Type' header is set correctly on responses.
Results

X-Content-Type-Options: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT

Header missing on the following link(s):
(Only first 50 such pages are listed)

GET https://www.redmunch.com/favicon.ico response code: 404
 
150206 Content-Security-Policy Not Implemented (1)
150206 Content-Security-Policy Not Implemented
Finding #
12223502 (295486689)
Severity
Information Gathered - Level 2
Unique #
67a2ebdb-b8ad-481a-85b5-9deaab8aca19
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
Details
Threat
No Content-Security-Policy (CSP) is specified for the page. WAS checks for the missing CSP on all static and dynamic pages. It checks for CSP in the response headers (Content-Security-Policy, X-Content-Security-Policy or X-Webkit-CSP) and in response body (http-equiv="Content-Security-Policy" meta tag).

HTTP 4xx and 5xx responses can also be susceptible to attacks such as XSS. For better security it's important to set appropriate CSP policies on 4xx and 5xx responses as well.

Impact
Content-Security Policy is a defense mechanism that can significantly reduce the risk and impact of XSS attacks in modern browsers. The CSP specification provides a set of content restrictions for web resources and a mechanism for transmitting the policy from a server to a client where the policy is enforced. When a Content Security Policy is specified, a number of default behaviors in user agents are changed; specifically inline content and JavaScript eval constructs are not interpreted without additional directives. In short, CSP allows you to create a whitelist of sources of the trusted content. The CSP policy instructs the browser to only render resources from those whitelisted sources. Even though an attacker can find a security vulnerability in the application through which to inject script, the script won't match the whitelisted sources defined in the CSP policy, and therefore will not be executed.

The absence of Content Security Policy in the response will allow the attacker to exploit vulnerabilities as the protection provided by the browser is not at all leveraged by the Web application. If secure CSP configuration is not implemented, browsers will not be able to block content-injection attacks such as Cross-Site Scripting and Clickjacking.

Solution
Appropriate CSP policies help prevent content-injection attacks such as cross-site scripting (XSS) and clickjacking. It's recommended to add secure CSP policies as a part of a defense-in-depth approach for securing web applications.

References:
- https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- https://developers.google.com/web/fundamentals/security/csp/

Results

Content-Security-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/ response code: 200
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block

Header missing on the following link(s):
(Only first 50 such pages are listed)

GET https://www.redmunch.com/ response code: 200
GET https://www.redmunch.com/favicon.ico response code: 404
GET https://www.redmunch.com/styles.css response code: 200
 
150208 Missing header: Referrer-Policy (1)
150208 Missing header: Referrer-Policy
Finding #
12230046 (295486675)
Severity
Information Gathered - Level 2
Unique #
cfc2bd79-2266-41ff-b008-abb2af443070
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
Details
Threat
No Referrer Policy is specified for the link. WAS checks for a missing Referrer Policy on all static and dynamic pages. It checks for one of the following Referrer Policy values in the response headers:

1) no-referrer
2) no-referrer-when-downgrade
3) same-origin
4) origin
5) origin-when-cross-origin
6) strict-origin
7) strict-origin-when-cross-origin

If the Referrer-Policy header is not found, WAS checks the response body for a meta tag whose name is "referrer" and whose content is one of the above Referrer Policy values.

Impact
The Referrer-Policy header controls how much referrer information is sent to a site when navigating to it. Absence of the Referrer-Policy header can lead to leakage of sensitive information via the Referer request header.
Solution
The Referrer-Policy header improves security by ensuring that websites do not leak sensitive information via the Referer header. It is recommended to add a secure Referrer Policy as part of a defense-in-depth approach.

References:
- https://www.w3.org/TR/referrer-policy/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Results

Referrer-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT

Header missing on the following link(s):
(Only first 50 such pages are listed)

GET https://www.redmunch.com/favicon.ico response code: 404
 
150248 Missing header: Permissions-Policy (1)
150248 Missing header: Permissions-Policy
Finding #
12223499 (295486682)
Severity
Information Gathered - Level 2
Unique #
5707d9e0-f9ee-40d4-804f-05057a57b0b9
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
-
Details
Threat
The Permissions-Policy response header is not present.
Impact
Permissions-Policy allows web developers to selectively enable, disable, or modify the behavior of certain browser features and APIs within their application.

A user agent has a set of supported features (policy-controlled features), which is the set of features it allows to be controlled through policies.

Not defining a policy for unused and risky policy-controlled features may leave the application vulnerable.

Solution
It is recommended to define a policy for policy-controlled features to make the application more secure.

References:
Permissions-Policy W3C Working Draft
Policy Controlled Features

Results

Permissions-Policy: Header missing
Response headers on link: GET https://www.redmunch.com/ response code: 200
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block

Header missing on the following link(s):
(Only first 50 such pages are listed)

GET https://www.redmunch.com/ response code: 200
GET https://www.redmunch.com/favicon.ico response code: 404
GET https://www.redmunch.com/styles.css response code: 200
 
150249 Misconfigured Header: Cache-Control (1)
150249 Misconfigured Header: Cache-Control
Finding #
12223501 (295486683)
Severity
Information Gathered - Level 2
Unique #
6f429b6d-6f9c-4694-9e11-eee768f233d3
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
-
Details
Threat
The Cache-Control header is present, but its directives may not be configured to adequately safeguard sensitive information.

For example:
The Cache-Control directive is set to public.

The max-age value is greater than 86400 seconds.

Impact
If the directive is set to public, the resource can be stored by any cache, including shared caches.

A max-age value greater than 86400 seconds on a response that contains sensitive information may lead to information leakage, because the response remains cached for a long period.

Solution
Please check that resources containing sensitive information are not configured with the Cache-Control public directive.

Also make sure that the max-age directive value is set so that sensitive information is not cached for longer than needed.

References:
Mozilla Documentation Cache-Control

Results

Cache-Control: Header misconfigured. Cache-Control public directive found.
Cache-Control:public, must-revalidate, max-age=30 on the link: GET https://www.redmunch.com/ response code: 200

Cache-Control: Header misconfigured. Cache-Control public directive found.
Cache-Control:public, must-revalidate, max-age=30 on the link: GET https://www.redmunch.com/styles.css response code: 200
 
150204 Missing header: X-XSS-Protection (1)
150204 Missing header: X-XSS-Protection
Finding #
12230052 (295486690)
Severity
Information Gathered - Level 1
Unique #
2b5e1c4a-c695-443b-a664-a6364e7abda4
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
Details
Threat
The X-XSS-Protection response header is not present.
Impact
The X-XSS-Protection response header provides a layer of protection against reflected cross-site scripting (XSS) attacks by instructing browsers to abort rendering a page in which a reflected XSS attack has been detected. This is a best-effort, second-line-of-defense measure that helps prevent an attacker from using evasion techniques to bypass the neutralization mechanisms that browser filters apply by default. When configured appropriately, browser-level XSS filters can provide an additional layer of defense against web application attacks.

Note that HTTP 4xx and 5xx responses can also be susceptible to attacks such as XSS. For better security the X-XSS-Protection header should be set on 4xx and 5xx responses as well.

Solution
It is recommended to set the X-XSS-Protection header with the value '1; mode=block' on all relevant responses to activate the browser's XSS filter.

NOTE: The X-XSS-Protection header is not supported by all browsers. Google Chrome and Safari are among the browsers that support it; Firefox, on the other hand, does not. The X-XSS-Protection header does not guarantee complete protection against XSS. For better protection against XSS attacks, the web application should follow secure coding principles. Also consider leveraging the Content-Security-Policy (CSP) header, which is supported by all browsers.

Using X-XSS-Protection can have unintended side effects; understand the implications carefully before using it.

References:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://blog.innerht.ml/the-misunderstood-x-xss-protection/
- https://www.mbsd.jp/blog/20160407.html
- https://www.chromium.org/developers/design-documents/xss-auditor

Results

X-Xss-Protection: Header missing
Response headers on link: GET https://www.redmunch.com/favicon.ico response code: 404
content-type: text/html
date: Thu, 30 May 2024 21:02:25 GMT

Header missing on the following link(s):
(Only first 50 such pages are listed)

GET https://www.redmunch.com/favicon.ico response code: 404
 
150245 Missing header: X-Frame-Options (1)
150245 Missing header: X-Frame-Options
Finding #
12223497 (295486680)
Severity
Information Gathered - Level 1
Unique #
17acaed9-91b6-4f9f-883c-b3a53a10f040
Group
Security Weaknesses
Detection Date
30 May 2024 14:01 GMT-0800
CWE
OWASP
WASC
Details
Threat
The X-Frame-Options header is not set in the HTTP response, meaning the page can potentially be loaded into an attacker-controlled frame. This could lead to clickjacking, where an attacker adds an invisible layer on top of the legitimate page to trick users into clicking on a malicious link or taking a harmful action.

Note: Only responses with status code 200 OK are tested and reported for 150245 and 150124.

Impact
Without an X-Frame-Options response header, clickjacking may be possible. However, if the application properly uses the Content-Security-Policy "frame-ancestors" directive, then modern web browsers would stop the page from being framed and prevent clickjacking.
Solution
The X-Frame-Options header allows three values: DENY, SAMEORIGIN and ALLOW-FROM. It is recommended to use DENY, which prevents all domains from framing the page, or SAMEORIGIN, which allows framing only by the same site. DENY and SAMEORIGIN are supported by all browsers. Using ALLOW-FROM is not recommended because not all browsers support it.

Note: To avoid a common X-Frame-Options implementation mistake, see https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger.

Results
X-Frame-Options header is missing or not set to DENY or SAMEORIGIN for the following pages:
(Only first 10 such pages are reported)

GET https://www.redmunch.com/
Response code: 200
Response headers:
cache-control: public, must-revalidate, max-age=30
content-encoding: br
content-type: text/html
date: Thu, 30 May 2024 21:02:10 GMT
etag: "96717626"
last-modified: Thu, 30 May 2024 17:41:35 GMT
referrer-policy: same-origin
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block

 
Appendix
Scan Details
Option Profile Details
Web Application Details: Redmunch
Severity Levels
CONFIDENTIAL AND PROPRIETARY INFORMATION.
Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2024, Qualys, Inc.