Website Security Test
Website Vulnerability Scanner
Security Report: https://awasaf.com/
Scan Date: March 11, 2026, 7:04 p.m. | Duration: 100.35s
Deep Scan Result
Overall Risk Rating
| Metric | Value |
|---|---|
| Overall Risk Rating | F (18/100) |
| Total CVEs | 6 |
| Total CWEs | 51 |
Risk Distribution
CVE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 6 |
| Low | 0 |
CWE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 41 |
| Medium | 7 |
| Low | 3 |
Unique CVE IDs Identified: CVE-2009-3896, CVE-2009-3898, CVE-2016-10735, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042
Unique CWE IDs Identified: CWE-1004, CWE-119, CWE-200, CWE-22, CWE-319, CWE-352, CWE-614, CWE-693, CWE-770, CWE-79
How is the score calculated?
Scores start at 100. Each finding deducts by severity: Critical -10, High -5, Medium -2, Low -1, with the total deduction capped per category at Critical 40, High 25, Medium 15 and Low 10. Applied to the counts above (0 Critical, 41 High, 13 Medium, 3 Low) these rules deduct 25 + 15 + 3 = 43, a score of 57 rather than the 18 shown, so the published grade involves weighting beyond the stated rules. Note also that all six CVE matches describe version ranges (nginx 0.x, Bootstrap 3.x and 4.x) that the detected nginx 1.18.0 and Bootstrap 5.1.3 fall outside of, so the CVE part of the deduction rests on banner and library-name matching rather than on affected versions.
Scan Summary
| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | awasaf.com |
| 2 | Scan Start Time | March 11, 2026, 7:04 p.m. |
| 3 | Scan Duration | 100.35s |
| 4 | Total Test Cases | 50 |
Target Information
| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://awasaf.com/ |
| 2 | IP Address | 195.35.20.171 |
| 3 | Hosting Provider | Hostinger |
| 4 | Registrar | Not Available |
| 5 | Programming Language | Not Detected |
| 6 | Web Server | nginx/1.18.0 (Ubuntu) |
| 7 | Operating System | Linux |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | Not Detected |
OWASP Top 10 Vulnerabilities
| OWASP Category | Findings |
|---|---|
| A01:2021 - Broken Access Control | 36 |
| A03:2021 - Injection | 15 |
Original Header Response
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Mar 2026 13:34:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: DENY
Vary: Cookie
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: guest_id=12be01a8-2531-4596-bbb6-2eea72adfb25; expires=Thu, 11 Mar 2027 13:34:20 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=Lax, sessionid=pfarbxdf5nfv2vtvthuwxfkg7fb2fki3; expires=Wed, 25 Mar 2026 13:34:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Encoding: gzip
Network & Infrastructure Reconnaissance
| Inline Connection | Yes |
| IP Address | 195.35.20.171 |
| Hosting Provider | Hostinger |
| Server | nginx/1.18.0 (Ubuntu) |
| Server Disclosure CVE | CVE-2009-3896, CVE-2009-3898 (see CVE findings; both describe nginx 0.x releases and do not apply to 1.18.0) |
| Operating System | Linux |
| Open Ports | 3306, 443 (3306 is the default MySQL port; a database listener reachable from the internet is the most significant exposure in this scan and should be firewalled to the application host or bound to localhost) |
| Database Technology | Not Detected in web responses (the open port 3306 nevertheless suggests a MySQL-compatible server is running) |
| WAF Detection | Not Detected |
| SSL Certificate | Certificate is valid |
Application Stack & Technology Fingerprinting
| CMS | Not Detected |
| CMS CVE | Not Applicable |
| Programming Language | Not Detected by the scanner. The response headers (a sessionid cookie with Max-Age=1209600, Vary: Cookie, X-Frame-Options: DENY, Referrer-Policy and Cross-Origin-Opener-Policy of same-origin) match Django's session and SecurityMiddleware defaults; this is an inference from the headers, not a scanner result. |
| Technology Disclosure CVE | None |
| Javascript Libraries | bootstrap 5.1.3 (per the CVE findings below) |
| Javascript Libraries CVE | CVE-2016-10735, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042 reported against bootstrap 5.1.3; all four affect only Bootstrap 3.x and 4.x releases (see CVE findings) |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Not Applicable |
Transport Layer Security (TLS) & Encryption
| Mixed Content Analysis | Mixed content (HTTP on HTTPS) |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |
HTTP Security Headers Analysis
| Missing Security Headers | Content-Security-Policy; X-Permitted-Cross-Domain-Policies (the latter is reported missing, but the captured response contains "X-Permitted-Cross-Domain-Policies: none", so the scanner appears to match on a truncated header name) |
| Content Security Policy | Missing Content-Security-Policy header |
| Strict Transport Security | Present (max-age=31536000; includeSubDomains; preload) |
| Referrer Policy | Present (same-origin) |
| X Content Type Options | Present (nosniff) |
| CSP Analysis | Not applicable: there is no Content-Security-Policy header to analyse (the scanner marked this "Properly Configured", which contradicts the row above) |
| X Frame Options | Properly Configured (DENY) |
| X XSS Protection | Present as "1; mode=block". This header is deprecated: current browsers have removed the filter it controlled, and the filter itself introduced side channels, so set it to "0" or drop it and rely on a Content-Security-Policy instead. |
Session & Cookie Security
| Missing HttpOnly Flag In Cookies | Reported missing; however both cookies in the captured response (guest_id, sessionid) carry HttpOnly. Re-verify against cookies set on other pages or after login before acting on this finding. |
| Missing Secure Flag In Cookies | Confirmed: neither guest_id nor sessionid carries the Secure attribute. HSTS with preload stops browsers sending them over plaintext today, but Secure should still be set so the session cookie is never exposed if HSTS is ever relaxed or a non-browser client is used. |
| Loose Cookie Domain | Not loose (no Domain attribute, so both cookies are host-only) |
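The header and cookie findings above can be checked directly against the captured response. The following Python script is an added example, not the scanner's code: it parses the headers from the Original Header Response section, unfolds the two Set-Cookie headers that the report joined onto one line, and reports missing headers, the deprecated X-XSS-Protection header and the cookie attributes. Non-security headers (Date, Connection, Transfer-Encoding, Content-Encoding) are trimmed from the embedded copy.

```python
"""Re-run this report's header and cookie checks against the captured response.

Added example, not scanner code.  RAW_HEADERS is copied from the "Original
Header Response" section (Date, Connection, Transfer-Encoding and
Content-Encoding trimmed); the report folded the two Set-Cookie headers onto
one line, which parse_cookies() unfolds.
"""
import re

RAW_HEADERS = """\
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Vary: Cookie
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Set-Cookie: guest_id=12be01a8-2531-4596-bbb6-2eea72adfb25; expires=Thu, 11 Mar 2027 13:34:20 GMT; HttpOnly; Max-Age=31536000; Path=/; SameSite=Lax, sessionid=pfarbxdf5nfv2vtvthuwxfkg7fb2fki3; expires=Wed, 25 Mar 2026 13:34:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""

# Headers the report treats as required.
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "X-Permitted-Cross-Domain-Policies",
)

# A new cookie begins after ", " only when a token immediately followed by "="
# comes next; the comma inside "expires=Thu, 11 Mar ..." is followed by "11 "
# and therefore does not split.
_COOKIE_BOUNDARY = re.compile(r",\s*(?=[\w!#$%&'*+.^`|~-]+=)")


def parse_headers(raw):
    """Return {lowercased name: [values]}, keeping repeated headers."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cookies(set_cookie_values):
    """Return {cookie name: set of lowercased attribute names}."""
    cookies = {}
    for value in set_cookie_values:
        for cookie in _COOKIE_BOUNDARY.split(value):
            parts = [p.strip() for p in cookie.split(";")]
            name = parts[0].split("=", 1)[0]
            cookies[name] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return cookies


def audit(raw):
    """Reproduce the report's header and cookie checks as a findings dict."""
    headers = parse_headers(raw)
    findings = {
        "missing_headers": [h for h in EXPECTED_HEADERS if h.lower() not in headers],
        "deprecated_headers": [],
        "cookies_without_httponly": [],
        "cookies_without_secure": [],
        "cookies_without_samesite": [],
    }
    # X-XSS-Protection is legacy: browsers have removed the filter and the
    # only safe value is "0"; anything else is flagged rather than praised.
    xss = headers.get("x-xss-protection")
    if xss and xss[0].strip() != "0":
        findings["deprecated_headers"].append("X-XSS-Protection")
    for name, attrs in parse_cookies(headers.get("set-cookie", [])).items():
        if "httponly" not in attrs:
            findings["cookies_without_httponly"].append(name)
        if "secure" not in attrs:
            findings["cookies_without_secure"].append(name)
        if "samesite" not in attrs:
            findings["cookies_without_samesite"].append(name)
    return findings


if __name__ == "__main__":
    for check, result in audit(RAW_HEADERS).items():
        print(f"{check}: {result or 'none'}")
```

Run against the captured headers it reports Content-Security-Policy as the only missing header, X-XSS-Protection as deprecated, both cookies as lacking Secure and neither cookie as lacking HttpOnly, which is why the HttpOnly finding above needs re-verification before it is acted on.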
Sensitive Resource & File Exposure
| Directory Listing | Disabled |
| Secret Files Detection | https://awasaf.com/sitemap.xml (a sitemap is a public file by design, not a secret; its main value to a tester is as a list of URLs to cover) |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None (not applicable to nginx, which does not read .htaccess files) |
Authentication & Credential Exposure
| Passwords Submitted Unencrypted | Passwords submitted unencrypted (reported). Only ports 443 and 3306 are open and HSTS is preloaded, so a browser cannot post to a plaintext listener on this host; the usual trigger for this finding is a login form whose action is an explicit http:// URL. Change the action to an https:// or relative URL so non-browser clients are protected as well. |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | (no result recorded) |
Information Disclosure & Error Handling
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | ['cdn.tailwindcss.com', 'www.googletagmanager.com', 'cdn.jsdelivr.net'] |
Application Surface & Method Exposure
| HTTP Methods Allowed | GET, OPTIONS, HEAD |
| Enabled Debug Method | No |
| Enabled Options Method | Yes (OPTIONS only enumerates the allowed methods, here GET, HEAD and OPTIONS; on its own it is informational, not exploitable) |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration
| Email Extraction | Emails exposed |
| SPF | v=spf1 include:_spf.mail.hostinger.com ~all (softfail: most receivers mark rather than reject mail from unlisted senders) |
| DMARC | v=DMARC1; p=none (monitor-only: mail failing SPF and DKIM is still delivered, and with no rua= address no aggregate reports are received) |
| DKIM | Not Configured (without DKIM, DMARC alignment rests on SPF alone, which fails for forwarded mail) |
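The three records above can be evaluated together to see what a spoofed message from this domain would get past. The following Python script is an added example, not scanner output: it parses the SPF and DMARC records quoted in the table (DKIM is modelled as absent, as reported) and lists the enforcement gaps. It performs no DNS lookups.

```python
"""Assess the SPF, DMARC and DKIM state this report lists for awasaf.com.

Added example, not scanner code.  The two records are copied from the report;
DKIM is "Not Configured", modelled here as None.  No DNS queries are made.
"""

SPF_RECORD = "v=spf1 include:_spf.mail.hostinger.com ~all"
DMARC_RECORD = "v=DMARC1; p=none"
DKIM_RECORD = None


def parse_spf(record):
    """Return (mechanisms, terminating 'all' qualifier) for an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is not None and all_term[0] not in "+-~?":
        all_term = "+" + all_term          # a bare "all" means "+all"
    return mechanisms, (all_term.lower() if all_term else None)


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf, dmarc, dkim):
    """List the gaps a spoofed mail claiming this domain would slip through."""
    issues = []
    if spf is None:
        issues.append("SPF: no record, so any host may send as the domain")
    else:
        _, all_term = parse_spf(spf)
        if all_term in (None, "+all", "?all"):
            issues.append(f"SPF: '{all_term or 'no all term'}' does not reject unauthorised senders")
        elif all_term == "~all":
            issues.append("SPF: ~all is softfail; receivers mark rather than reject")
    if dmarc is None:
        issues.append("DMARC: no record, so SPF/DKIM results are never enforced")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            issues.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in tags:
            issues.append("DMARC: no rua= address, so no aggregate reports arrive")
    if dkim is None:
        issues.append("DKIM: not configured; alignment rests on SPF alone, which breaks on forwarding")
    return issues


if __name__ == "__main__":
    for issue in assess(SPF_RECORD, DMARC_RECORD, DKIM_RECORD):
        print("-", issue)
```

With the records as published it reports four gaps (softfail SPF, monitor-only DMARC, no aggregate reporting, no DKIM). The hardened combination, -all, p=reject with an rua= address and a published DKIM key, returns none. Move to p=reject only after DKIM signing is live and the aggregate reports show legitimate mail aligning; otherwise forwarded mail that fails SPF will be rejected. Stage the change through p=quarantine or a pct= value.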
Abuse & Rate-Limiting Controls
| Rate Limit Headers | Missing Rate Limit header (absence of X-RateLimit-* or Retry-After headers is not evidence that throttling is absent; verify by sending a burst of requests to the login and form endpoints) |
Injection & Header Manipulation
| Host Header Injection | Possible (the scanner's supplied Host value was accepted or reflected). Confirm by sending a request with a forged Host header and checking redirects, absolute links and password-reset URLs for the forged value. Remediate by having nginx reject unknown hosts with a catch-all server block (return 444) and by building absolute URLs from configuration rather than from the Host header. |
Bot & Automation Protection
| Captcha Detection | Not Detected |
Other Findings
| Registrar | None |
Deep Scan Findings
Tests run: CSRF, SQLi Boolean Based, SQLi Time Based. Per-finding details are not included above.
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 6 | nginx-1.18.0 - CVE-2009-3896 | CVE-2009-3896 | Medium | 5.0 | src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI. | Not applicable: the detected 1.18.0 is outside the affected range, so this is a banner-based false positive. Check the distribution package changelog for the real patch level rather than the banner, and suppress the version with "server_tokens off;" to stop banner-based matching. |
| 7 | nginx-1.18.0 - CVE-2009-3898 | CVE-2009-3898 | Medium | 4.9 | Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method. | Not applicable: 1.18.0 is outside the affected range and the allowed methods (GET, HEAD, OPTIONS) show WebDAV is not exposed. Banner-based false positive. |
| 8 | bootstrap-5.1.3 - CVE-2018-14040 | CVE-2018-14040 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. | Not applicable: fixed in Bootstrap 4.1.2 and the detected release is 5.1.3. Name-only false positive; keep Bootstrap current within the 5.x line regardless. |
| 9 | bootstrap-5.1.3 - CVE-2018-14041 | CVE-2018-14041 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. | Not applicable: fixed in Bootstrap 4.1.2; 5.1.3 is unaffected. |
| 10 | bootstrap-5.1.3 - CVE-2018-14042 | CVE-2018-14042 | Medium | 6.1 | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | Not applicable: fixed in Bootstrap 4.1.2; 5.1.3 is unaffected. |
| 11 | bootstrap-5.1.3 - CVE-2016-10735 | CVE-2016-10735 | Medium | 6.1 | In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. | Not applicable: affects only 3.x and 4.0.0-beta releases; 5.1.3 is unaffected. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Mixed content (HTTP on HTTPS) | CWE-319 | High | Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. | Ensure all assets (JS, CSS, images) load over HTTPS only, and add "upgrade-insecure-requests" to the Content-Security-Policy so browsers rewrite any remaining http:// subresource URL. |
| 2 | Passwords submitted unencrypted | CWE-319 | High | Credentials transmitted without encryption can be intercepted. | Point the login form's action at an https:// or relative URL. The site already serves HTTPS with HSTS preload and only ports 443 and 3306 are open, so the finding most likely stems from an explicit http:// form action rather than from a plaintext listener. |
| 3 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a Content-Security-Policy. A bare "default-src 'self'; script-src 'self'" would block the scripts this site loads from cdn.tailwindcss.com, www.googletagmanager.com and cdn.jsdelivr.net (see Cross Domain Inclusion), so allow-list those origins or move the assets on-host, and roll the policy out with Content-Security-Policy-Report-Only first. |
| 4 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag on all session cookies. Both cookies in the captured response (guest_id, sessionid) already carry HttpOnly, so verify this finding against cookies set on other pages before acting on it. |
| 5 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Confirmed for guest_id and sessionid: add the Secure attribute to all session or sensitive cookies. |
| 12 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting on login, password-reset and form endpoints. Headers such as X-RateLimit-Limit and Retry-After are informational; their absence does not prove throttling is missing, so verify by testing. |
| 13 | Missing Header: CONTENT-SECURITY-POLICY | CWE-693 | Low | Duplicate of finding 3: the same missing header counted a second time. | Covered by finding 3. |
| 14 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | Reported missing, but the captured response contains "X-Permitted-Cross-Domain-Policies: none"; the scanner matched a truncated header name. | No action required; false positive. |
| 15 | Emails exposed | CWE-200 | Low | Publicly exposed email addresses may lead to phishing or spam attacks. | Obfuscate email addresses or remove unnecessary public exposure. |
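Findings 1 and 3 interact: a Content-Security-Policy built from the origins the page really loads supplies the missing header and, with upgrade-insecure-requests, neutralises the mixed content at the same time, whereas a 'self'-only policy would break the scripts loaded from cdn.tailwindcss.com, www.googletagmanager.com and cdn.jsdelivr.net. The following Python script is an added example, not scanner code: it parses a page for subresources, flags http:// ones and emits a starter policy. The HTML is constructed from the hosts in the Cross Domain Inclusion row, with placeholder asset paths and a placeholder tag id; it is not the live site's markup.

```python
"""Detect mixed-content subresources and derive a CSP allow-list from the
third-party origins a page actually loads.

Added example, not scanner code.  SAMPLE_HTML is constructed from the three
cross-domain hosts this report lists plus one http:// image to exercise the
mixed-content check; asset paths and the G-XXXXXXX tag id are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://awasaf.com/"

SAMPLE_HTML = """
<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css">
</head><body>
<img src="http://awasaf.com/static/logo.png">
<script src="/static/app.js"></script>
</body></html>
"""

# CSP directive that governs each (tag, attribute) subresource reference.
DIRECTIVE_FOR = {
    ("script", "src"): "script-src",
    ("link", "href"): "style-src",
    ("img", "src"): "img-src",
    ("iframe", "src"): "frame-src",
}


class SubresourceCollector(HTMLParser):
    """Collect (directive, absolute URL) for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s fetch a style resource; skip icons, preloads, etc.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for (t, attr), directive in DIRECTIVE_FOR.items():
            if tag == t and attrs.get(attr):
                self.refs.append((directive, urljoin(self.page_url, attrs[attr])))


def analyse(html, page_url=PAGE_URL):
    """Return (mixed-content URLs, {directive: set of CSP source expressions})."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    site_host = urlparse(page_url).hostname
    mixed = [url for _, url in collector.refs if urlparse(url).scheme == "http"]
    sources = {}
    for directive, url in collector.refs:
        host = urlparse(url).hostname
        # Same-host assets collapse to 'self'; third parties are listed by origin.
        source = "'self'" if host == site_host else f"https://{host}"
        sources.setdefault(directive, set()).add(source)
    return mixed, sources


def build_csp(sources):
    """Serialise the allow-list.  upgrade-insecure-requests makes the browser
    rewrite any http:// fetch the scan missed to https://."""
    parts = ["default-src 'self'"]
    for directive in sorted(sources):
        ordered = sorted(sources[directive], key=lambda s: (s != "'self'", s))
        parts.append(f"{directive} {' '.join(ordered)}")
    parts.append("upgrade-insecure-requests")
    return "; ".join(parts)


if __name__ == "__main__":
    mixed, sources = analyse(SAMPLE_HTML)
    print("mixed content:", mixed)
    print("Content-Security-Policy:", build_csp(sources))
```

Deploy the generated policy as Content-Security-Policy-Report-Only first: gtag.js injects inline scripts and the Tailwind CDN script injects a style element at runtime, so both will need nonces or hashes (or 'unsafe-inline' for style-src as an interim step). The Tailwind CDN script is intended for development rather than production, so the longer-term fix is a built stylesheet served from 'self'.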
Deep Scan Vulnerabilities
Total Findings: 51