Website Security Test
Website Vulnerability Scanner
Security Report: https://awasaf.com/
Scan Date: Feb. 9, 2026, 10:36 p.m. | Duration: 6.81 seconds
Overall Risk Rating: F (35/100)
CVE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 6 |
| Low | 0 |
CWE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 3 |
| Medium | 1 |
| Low | 0 |
Scan Summary
| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | awasaf.com |
| 2 | Target URL | https://awasaf.com/ |
| 3 | Scan Start Time | Feb. 9, 2026, 10:36 p.m. |
| 4 | Scan Duration | 6.81 seconds |
| 5 | Total Test Cases | 50 |
| 6 | Passed Cases | 22 |
| 7 | Failed Cases | 21 |
Target Information
| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://awasaf.com/ |
| 2 | IP Address | 195.35.20.171 |
| 3 | Hosting Provider | Hostinger |
| 4 | Registrar | Not Available |
| 5 | Programming Language | Not Detected |
| 6 | Web Server | nginx/1.18.0 (ubuntu) |
| 7 | CMS | Not Detected |
| 8 | Operating System | Linux |
| 9 | HTTPS Enabled | Yes |
| 10 | WAF Detected | Not Detected |
Original Header Response
```http
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 09 Feb 2026 17:06:53 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: DENY
Vary: Cookie
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: guest_id=0c3263da-501f-4a16-902d-b242ee05234d; expires=Tue, 09 Feb 2027 17:06:53 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=Lax, sessionid=zr78r9gl5uodmis9kgw19od9ltzpwx0l; expires=Mon, 23 Feb 2026 17:06:53 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Encoding: gzip
```
Detailed Technical Analysis
| # | Check | Result |
|---|---|---|
| 1 | Open Ports | 3306, 443 |
| 2 | Debug Method Enabled | No |
| 3 | OPTIONS Method | Yes |
| 4 | DKIM | Not Detected |
| 5 | SPF | Not Detected |
| 6 | DMARC | v=DMARC1; p=none |
| 7 | Captcha Detection | Not Detected |
| 8 | Password field with autocomplete | https://awasaf.com/user/login/ (autocomplete: Not Set); evidence: `<input class="form-control" name="login[password]" placeholder="Enter your password" required="" type="password"/>` |
| 9 | Unencrypted Viewstate | Not Detected |
Additional Findings
Javascript Libraries
- bootstrap 5.1.3 (/static/front/assets/js/bootstrap.min.js)
Secret Files Detection
- https://awasaf.com/sitemap.xml
Http Methods Allowed
- GET
- OPTIONS
- HEAD
Cross Domain Inclusion
- cdn.tailwindcss.com
- www.googletagmanager.com
- cdn.jsdelivr.net
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 4 | nginx-1.18.0 - CVE-2009-3896 | CVE-2009-3896 | Medium | 5.0 | src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI. | No solution provided. |
| 5 | nginx-1.18.0 - CVE-2009-3898 | CVE-2009-3898 | Medium | 4.9 | Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method. | No solution provided. |
| 6 | bootstrap-5.1.3 - CVE-2018-14040 | CVE-2018-14040 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. | No solution provided. |
| 7 | bootstrap-5.1.3 - CVE-2018-14041 | CVE-2018-14041 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. | No solution provided. |
| 8 | bootstrap-5.1.3 - CVE-2018-14042 | CVE-2018-14042 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | No solution provided. |
| 9 | bootstrap-5.1.3 - CVE-2016-10735 | CVE-2016-10735 | Medium | 6.1 | In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. | No solution provided. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 2 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 3 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 10 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | Security File Detection |
| 24 | WAF-Detection |
| 25 | SSL Certificate Validation |
| 26 | Loose Cookie Domain |
| 27 | CSP Header Analysis |
| 28 | OpenAPI Disclosure |
| 29 | Password Leak Detection |
| 30 | Path Disclosure |
| 31 | Error Messages Analysis |
| 32 | Rate Limit Headers |
| 33 | Email Extraction |
| 34 | Xml-RPC Endpoint Detection |
| 35 | HTTP Methods Allowed |
| 36 | Enabled Debug Method |
| 37 | Enabled OPTIONS Method |
| 38 | Cross-Domain Inclusion |
| 39 | File Upload Detection |
| 40 | Client Access Policies |
| 41 | X-FRAME OPTIONS |
| 42 | X-XSS PROTECTION |
| 43 | .htaccess Exposure |
| 44 | Captcha Detection |
| 45 | Password field with autocomplete |
| 46 | DKIM |
| 47 | SPF |
| 48 | DMARC |
| 49 | Host Header Injection |
| 50 | Unencrypted Viewstate |
Passed & Failed Cases
Passed Cases (22)
- CMS
- Secure Connection
- Directory Listing Exposed
- Missing Strict-Transport-Security header
- Missing Referrer-Policy header
- Missing X-Content-Type-Options header
- robots.txt file found
- SSL Certificate
- Loose cookie domain
- OpenAPI Disclosure
- Password Leakage
- Error Messages Analysis
- Path Disclosure
- XML-RPC Endpoint Detection
- Not Enabled Debug Method
- File Upload Detection
- Client Access Policies
- .htaccess Exposure
- Password field with autocomplete
- SPF
- DMARC
- DKIM
Failed Cases (21)
- Server Disclosure
- Mixed Content (HTTP on HTTPS)
- Open Ports Scan
- Javascript Libraries
- Passwords submitted unencrypted
- Missing Security Headers
- Missing Content-Security-Policy header
- Missing HttpOnly flag in cookies
- Missing Secure flag in cookies
- Secret Files Detection
- security.txt file not found
- WAF Detection
- Rate Limit Headers
- Emails exposed
- Enabled OPTIONS Method
- Cross-Domain Inclusion
- X-FRAME OPTIONS
- X-XSS PROTECTION
- Host Header Injection
- Captcha checking
- Unencrypted Viewstate
Raw Scan Data (JSON)
```json
{
  "host": "awasaf.com",
  "host_url": "https://awasaf.com/",
  "task_id": "ea870857-e425-4ac6-b8c2-4d9068847b95",
  "status": "COMPLETED",
  "inline_connection": "Yes",
  "original_header": {
    "Server": "nginx/1.18.0 (Ubuntu)",
    "Date": "Mon, 09 Feb 2026 17:06:53 GMT",
    "Content-Type": "text/html; charset=utf-8",
    "Transfer-Encoding": "chunked",
    "Connection": "keep-alive",
    "X-Frame-Options": "DENY",
    "Vary": "Cookie",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Set-Cookie": "guest_id=0c3263da-501f-4a16-902d-b242ee05234d; expires=Tue, 09 Feb 2027 17:06:53 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=Lax, sessionid=zr78r9gl5uodmis9kgw19od9ltzpwx0l; expires=Mon, 23 Feb 2026 17:06:53 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "X-XSS-Protection": "1; mode=block",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Encoding": "gzip"
  },
  "ip_address": "195.35.20.171",
  "hosting_provider": "Hostinger",
  "registrar": null,
  "cms": null,
  "cms_cve": null,
  "server": "nginx/1.18.0 (ubuntu)",
  "server_disclosure_cve": {
    "nginx-1.18.0": [
      {
        "Id": "CVE-2009-3896",
        "CWE": "CWE-119",
        "Published": "2009-11-24T17:30:00",
        "Description": "src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI.",
        "Score": 5.0,
        "Severity": "MEDIUM"
      },
      {
        "Id": "CVE-2009-3898",
        "CWE": "CWE-22",
        "Published": "2009-11-24T17:30:00",
        "Description": "Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.",
        "Score": 4.9,
        "Severity": "MEDIUM"
      }
    ]
  },
  "programming_language": null,
  "technology_disclosure_cve": null,
  "mixed_content_analysis": {
    "Source": [
      "http://awasaf.com"
    ],
    "Mixed content (HTTP on HTTPS)": {
      "issue": "Mixed content (HTTP on HTTPS)",
      "severity": "High",
      "cwe_id": "CWE-319",
      "cwe_description": "Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page.",
      "fix": "Ensure all assets (JS, CSS, images) load using HTTPS only."
    }
  },
  "operating_system": "Linux",
  "open_ports": [
    "3306",
    "443"
  ],
  "database_technology": null,
  "javascript_libraries": [
    {
      "bootstrap": {
        "version": "5.1.3",
        "source": "/static/front/assets/js/bootstrap.min.js"
      }
    }
  ],
  "javascript_libraries_cve": {
    "bootstrap-5.1.3": [
      {
        "Id": "CVE-2018-14040",
        "CWE": "CWE-79",
        "Published": "2018-07-13T14:29:00",
        "Description": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
        "Score": 6.1,
        "Severity": "MEDIUM"
      },
      {
        "Id": "CVE-2018-14041",
        "CWE": "CWE-79",
        "Published": "2018-07-13T14:29:00",
        "Description": "In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.",
        "Score": 6.1,
        "Severity": "MEDIUM"
      },
      {
        "Id": "CVE-2018-14042",
        "CWE": "CWE-79",
        "Published": "2018-07-13T14:29:00",
        "Description": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
        "Score": 6.1,
        "Severity": "MEDIUM"
      },
      {
        "Id": "CVE-2016-10735",
        "CWE": "CWE-79",
        "Published": "2019-01-09T05:29:00",
        "Description": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
        "Score": 6.1,
        "Severity": "MEDIUM"
      }
    ]
  },
  "secure_connection": "Yes",
  "directory_listing": null,
  "passwords_submitted_unencrypted": null,
  "missing_security_headers": [
    "CONTENT-SECURITY-POLICY",
    "X-PERMITTED-CROSS-DOMAIN"
  ],
  "missing_content_security_policy_header": {
    "issue": "Missing Content-Security-Policy header",
    "severity": "High",
    "cwe_id": "CWE-693",
    "cwe_description": "Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection.",
    "fix": "Implement a strong Content-Security-Policy header such as: \"Content-Security-Policy: default-src 'self'; script-src 'self'\"."
  },
  "missing_strict_transport_security_header": null,
  "missing_referrer_policy_header": null,
  "missing_x_content_type_options_header": null,
  "missing_httponly_flag_in_cookies": {
    "issue": "Missing HttpOnly flag in cookies",
    "severity": "High",
    "cwe_id": "CWE-1004",
    "cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
    "fix": "Set the HttpOnly flag to prevent client-side script access."
  },
  "missing_secure_flag_in_cookies": {
    "issue": "Missing Secure flag in cookies",
    "severity": "High",
    "cwe_id": "CWE-614",
    "cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
    "fix": "Enable the Secure flag for all session or sensitive cookies."
  },
  "secret_files_detection": [
    "https://awasaf.com/sitemap.xml"
  ],
  "robots_txt_file_found": null,
  "waf_detection": null,
  "ssl_certificate": "Certificate is valid",
  "loose_cookie_domain": null,
  "csp_header_analysis": null,
  "openapi_disclosure": null,
  "password_leakage": null,
  "error_messages_analysis": null,
  "path_disclosure": null,
  "rate_limit_headers": {
    "issue": "Missing Rate Limit header",
    "severity": "Medium",
    "cwe_id": "CWE-770",
    "cwe_description": "Improper control of resource consumption may enable brute-force or DoS attacks.",
    "fix": "Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'."
  },
  "email_extraction": {
    "Source": [
      "contact@awasaf.com"
    ],
    "Emails exposed": {
      "issue": "Emails exposed",
      "severity": "Low",
      "cwe_id": "CWE-200",
      "cwe_description": "Publicly exposed email addresses may lead to phishing or spam attacks.",
      "fix": "Obfuscate email addresses or remove unnecessary public exposure."
    }
  },
  "xml_rpc_endpoint_detection": null,
  "http_methods_allowed": [
    "GET",
    "OPTIONS",
    "HEAD"
  ],
  "enabled_debug_method": "No",
  "enabled_options_method": "Yes",
  "cross_domain_inclusion": [
    "cdn.tailwindcss.com",
    "www.googletagmanager.com",
    "cdn.jsdelivr.net"
  ],
  "file_upload": null,
  "client_access_policies": null,
  "x_frame_options": "Properly Configured",
  "x_xss_protection": "Properly Configured",
  "htaccess_exposure": null,
  "host_header_injection": "Possible",
  "captcha_detection": null,
  "password_field_with_autocomplete": [
    {
      "url": "https://awasaf.com/user/login/",
      "autocomplete": "Not Set",
      "evidence": "<input class=\"form-control\" name=\"login[password]\" placeholder=\"Enter your password\" required=\"\" type=\"password\"/>"
    }
  ],
  "spf": null,
  "dmarc": "v=DMARC1; p=none",
  "dkim": null,
  "unencrypted_viewstate": null,
  "total_scans": [
    "Inline Connection",
    "Ip-Address",
    "Cloud_Provider",
    "Server Disclosure",
    "Technology Disclosure",
    "Cms Detection",
    "Mixed Content Analysis",
    "Operating-System",
    "Open Ports Scan",
    "Database",
    "Javascript Libraries",
    "Secure Connection Check",
    "Directories Listing Exposed",
    "Password Exposing Pages",
    "Missing Security Headers",
    "Missing Content-Security-Policy",
    "Missing Strict-Transport-Security",
    "Missing Referrer-Policy",
    "Missing X-Content-Type-Options",
    "Missing Cookie http flag",
    "Missing Cookie secure flag",
    "Secret Files Detection",
    "Security File Detection",
    "WAF-Detection",
    "SSL Certificate Validation",
    "Loose Cookie Domain",
    "CSP Header Analysis",
    "OpenAPI Disclosure",
    "Password Leak Detection",
    "Path Disclosure",
    "Error Messages Analysis",
    "Rate Limit Headers",
    "Email Extraction",
    "Xml-RPC Endpoint Detection",
    "HTTP Methods Allowed",
    "Enabled Debug Method",
    "Enabled OPTIONS Method",
    "Cross-Domain Inclusion",
    "File Upload Detection",
    "Client Access Policies",
    "X-FRAME OPTIONS",
    "X-XSS PROTECTION",
    ".htaccess Exposure",
    "Captcha Detection",
    "Password field with autocomplete",
    "DKIM",
    "SPF",
    "DMARC",
    "Host Header Injection",
    "Unencrypted Viewstate"
  ],
  "executive_summary": {
    "Total Checks Passed": 22,
    "Passed Cases": [
      "CMS",
      "Secure Connection",
      "Directory Listing Exposed",
      "Missing Strict-Transport-Security header",
      "Missing Referrer-Policy header",
      "Missing X-Content-Type-Options header",
      "robots.txt file found",
      "SSL Certificate",
      "Loose cookie domain",
      "OpenAPI Disclosure",
      "Password Leakage",
      "Error Messages Analysis",
      "Path Disclosure",
      "XML-RPC Endpoint Detection (XML-RPC Endpoint Detection) ",
      " Not Enabled Debug Method",
      "File Upload Detection",
      "Client Access Policies",
      ".htaccess Exposure",
      "Password field with autocomplete",
      "SPF",
      "DMARC",
      "DKIM"
    ],
    "Total Checks Failed": 21,
    "Failed Cases": [
      "Server Disclosure",
      "Mixed Content (HTTP on HTTPS)",
      "Open Ports Scan",
      "Javascript Libraries",
      "Passwords submitted unencrypted",
      "Missing Security Headers",
      "Missing Content-Security-Policy header",
      "Missing HttpOnly flag in cookies",
      "Missing Secure flag in cookies",
      "Secret Files Detection",
      "security.txt file not found",
      "WAF Detection",
      "Rate Limit Headers",
      "Emails exposed",
      "Enabled OPTIONS Method",
      "Cross-Domain Inclusion",
      "X-FRAME OPTIONS",
      "X-XSS PROTECTION",
      "Host Header Injection",
      "Captcha checking",
      "Unencrypted Viewstate"
    ],
    "Total CWEs Found": 4
  },
  "total_scan_time": "6.81 seconds",
  "scan_start_timestamp": "2026-02-09 17:06:52"
}
```