Website Security Test
Website Vulnerability Scanner
Security Report: https://josaa.nic.in/
Scan Date: March 9, 2026, 11:04 p.m. | Duration: 35.44s
This is a Light Scan result.
Risk Rating

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 5 |
| Low | 0 |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 5 |
| Medium | 6 |
| Low | 2 |
How is the score calculated?
Scores start at 100. Deductions are: Critical (-10), High (-5), Medium (-2), Low (-1). To ensure fairness, deductions are capped per category: Critical (40), High (25), Medium (15), Low (10).
Scan Summary

| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | josaa.nic.in |
| 2 | Scan Start Time | March 9, 2026, 11:04 p.m. |
| 3 | Scan Duration | 35.44s |
| 4 | Total Test Cases | 50 |

Target Information

| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://josaa.nic.in/ |
| 2 | IP Address | 164.100.50.244 |
| 3 | Hosting Provider | Not Disclosed |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP |
| 6 | Web Server | Not Disclosed |
| 7 | Operating System | Unknown |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | Not Detected |
Original Header Response
Network & Infrastructure Reconnaissance

| Check | Result |
|---|---|
| Inline Connection | Yes |
| IP Address | 164.100.50.244 |
| Hosting Provider | None |
| Server | Not Disclosed |
| Server Disclosure CVE | None |
| Operating System | Unknown |
| Open Ports | 443, 80 |
| Database Technology | Not Detected |
| WAF Detection | Not Detected |
| SSL Certificate | Certificate is valid |
Application Stack & Technology Fingerprinting

| Check | Result |
|---|---|
| CMS | {'WordPress': '.'} |
| CMS CVE | No CVEs found |
| Programming Language | PHP |
| Technology Disclosure CVE | No CVEs found |
| Javascript Libraries | |
| Javascript Libraries CVE | |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Disabled |
Transport Layer Security (TLS) & Encryption

| Check | Result |
|---|---|
| Mixed Content Analysis | Mixed content (HTTP on HTTPS) |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |

HTTP Security Headers Analysis

| Check | Result |
|---|---|
| Missing Security Headers | X-XSS-PROTECTION, X-PERMITTED-CROSS-DOMAIN |
| Content Security Policy | Present |
| Strict Transport Security | Present |
| Referrer Policy | Present |
| X Content Type Options | Present |
| CSP Analysis | Wildcard (*) detected, which may allow untrusted sources; missing 'default-src 'self'' directive |
| X Frame Options | Properly Configured |
| X XSS Protection | Missing x-xss-protection header |
Session & Cookie Security

| Check | Result |
|---|---|
| Missing HttpOnly Flag In Cookies | Missing HttpOnly flag in cookies |
| Missing Secure Flag In Cookies | Missing Secure flag in cookies |
| Loose Cookie Domain | Secure |

Sensitive Resource & File Exposure

| Check | Result |
|---|---|
| Directory Listing | Disabled |
| Secret Files Detection | https://josaa.nic.in/robots.txt |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None |
Authentication & Credential Exposure

| Check | Result |
|---|---|
| Passwords Submitted Unencrypted | Passwords submitted unencrypted |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | Properly Configured |

Information Disclosure & Error Handling

| Check | Result |
|---|---|
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | www.googletagmanager.com, gmpg.org, cdnbbsr.s3waas.gov.in |

Application Surface & Method Exposure

| Check | Result |
|---|---|
| HTTP Methods Allowed | None |
| Enabled Debug Method | No |
| Enabled Options Method | No |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration

| Check | Result |
|---|---|
| Email Extraction | None Found |
| SPF | Not Configured |
| DMARC | Not Configured |
| DKIM | Not Configured |

Abuse & Rate-Limiting Controls

| Check | Result |
|---|---|
| Rate Limit Headers | Missing Rate Limit header |

Injection & Header Manipulation

| Check | Result |
|---|---|
| Host Header Injection | Not Vulnerable |

Bot & Automation Protection

| Check | Result |
|---|---|
| Captcha Detection | Not Detected |

Other Findings

| Check | Result |
|---|---|
| Registrar | None |
Findings – CVE (Common Vulnerabilities and Exposures)

| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 2 | jquery-3.6.4 - CVE-2016-10707 | CVE-2016-10707 | High | 7.5 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. | Apply latest security patches. |
| 6 | jquery-3.6.4 - CVE-2007-2379 | CVE-2007-2379 | Medium | 5.0 | The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | Apply latest security patches. |
| 7 | jquery-3.6.4 - CVE-2011-4969 | CVE-2011-4969 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. | Apply latest security patches. |
| 8 | jquery-3.6.4 - CVE-2014-6071 | CVE-2014-6071 | Medium | 6.1 | jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. | Apply latest security patches. |
| 9 | jquery-3.6.4 - CVE-2018-18405 | CVE-2018-18405 | Medium | 6.1 | jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry | Apply latest security patches. |
| 10 | jquery-ui-3.6.4 - CVE-2012-6662 | CVE-2012-6662 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo. | Apply latest security patches. |
Findings – CWE (Common Weakness Enumeration)

| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Mixed content (HTTP on HTTPS) | CWE-319 | High | Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. | Ensure all assets (JS, CSS, images) load using HTTPS only. |
| 3 | Passwords submitted unencrypted | CWE-319 | High | Credentials transmitted without encryption can be intercepted. | Use HTTPS-only forms and ensure encrypted transport of all authentication data. |
| 4 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 5 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 11 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 12 | Missing Header: X-XSS-PROTECTION | CWE-693 | Low | The security header X-XSS-PROTECTION is missing. | Add X-XSS-PROTECTION header to server configuration. |
| 13 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Add X-PERMITTED-CROSS-DOMAIN header to server configuration. |