Total Scans
Most Used Server
Most Used Platform
Today Scan's
Total CWE Found:
Do you want to perform a deep scan to uncover more?
Perform Deep ScanContent Security Policy (CSP) Not Implemented
CWE-1021
More InfoINFORMATIONAL
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.
It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page.
HTTP Strict Transport Security (HSTS) Policy Not Implemented
CWE-16
More InfoLOW
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
It's recommended to implement HTTP Strict Transport Security (HSTS) into your web application. Consult web references for more information
Referrer-Policy Header Not Implemented
CWE-16
More InfoINFORMATIONAL
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Mozilla The Referer (sic) header contains the address of the previous web page from which a link to the currently requested page was followed, which has lots of fairly innocent uses including analytics, logging, or optimized caching. However, there are more problematic uses such as tracking or stealing information, or even just side effects such as inadvertently leaking sensitive information.
Configure your server to send the Referrer-Policy header for all pages with the value set to strict-origin-when-cross-origin. You can see references for other possible values.
X-Frame-Options Header Not Implemented
CWE-1021
More InfoLOW
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
Configure your server to send this header for all pages. You can see references for possible values.
X-Content-Type-Options Header Not Implemented
CWE-16
More InfoINFORMATIONAL
The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type ( MIME type). This is known as MIME sniffing in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.
Configure your server to send this header with the value set to nosniff.
X-XSS-Protection Header Not Implemented
CWE-693
More InfoINFORMATIONAL
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Chrome has removed their XSS Auditor Firefox has not, and will not implement X-XSS-Protection Edge has retired their XSS filter This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.
Do not send this header or set 0 as value.
Permissions-Policy header Not Implemented
CWE-1021
More InfoINFORMATIONAL
The Permissions-Policy header allows developers to selectively enable and disable use of various browser features and APIs.
Configure Permission Policy Header properly
X-Permitted-Cross-Domain-Policies is Not Implemented
CWE-200
More InfoINFORMATIONAL
This header is used to limit which data external resources, such as Adobe Flash and PDF documents, can access on the domain. Failure to set the X-Permitted- Cross-Domain-Policies header to “none” value allows other domains to embed the application’s data in their content.
If there is no requirement to load application data within web clients such as Adobe Flash Player or Adobe Acrobat (not limited to these), then the header should be configured as follows. X-Permitted-Cross-Domain-Policies: none
OPTIONS Method Enabled
CWE-16
More InfoINFORMATIONAL
AWASAF detected that OPTIONS method is allowed. This issue is reported as extra information. Information disclosed from this page can be used to gain additional information about the target system.
Disable OPTIONS method in all production systems.
Misconfigured Access-Control-Allow-Origin Header
CWE-942
More InfoMEDIUM
CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way. The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites
Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
Email Address Disclosure
CWE-200
More InfoINFORMATIONAL
AWASAF identified Email Address Disclosure. Email Address discovered within the application can be used by the spam mails engines and also brute-force tools.Valid email address may lead to social engineering attacks
Use generic email addresses such as contact@ or info@ for general communications. Remove user/people specific email addresses from the website , should this be required use submissions forms for this purpose.
.htacces File Detected
CWE-443
More InfoINFORMATIONAL
This directory contains .htaccess file that is readable.This may indicate a server misconfiguration. htaccess files are designed to be parsed by web server and should not be directly accessible . These files could contain sensitive information that could help an attacker to conduct further more attacks.It is recommended to restrict access to these files
Restrict access .htaccess files by adjusting the web server configuration
Do you need the full picture?
Our free, light scans return limited results.
To experience the full power of our security testing toolkit, subscribe now to use 40+ scan tools and features with no scan limits.
| Testing areas & features | Free / Light | Premium |
|---|---|---|
| Fingerprint web server software | Yes | Yes |
| Analyze HTTP headers for security misconfiguration | Yes | Yes |
| Check the security of HTTP cookies | Yes | Yes |
| Check the SSL certificate of the server(Valid or Expired) | Yes | Yes |
| Check if the server software is affected by known vulnerabilities | Yes | Yes |
| Analyze robots.txt for interesting URLs | Yes | Yes |
| Check client access files policy | Yes | Yes |
| Discover server configuration problems (ex. directory listing at home page) | Yes | Yes |
| Check if HTTP TRACK/TRACE methods are enabled | Yes | Yes |
| Check if security.txt is missing on the server | Yes | Yes |
| Check if HTTP OPTIONS methods are enabled | Yes | Yes |
| Check if HTTP PUT methods are enabled | Yes | Yes |
| Check if CORS is misconfigured | Yes | Yes |
| CMS Detection | Yes | Yes |
| Communication is not Secure (HTTP or HTTPS) | Yes | Yes |
| Crawl website | - | Yes |
| Check for SQL Injection | - | Yes |
| Check for Cross-Site Scripting | - | Yes |
| Check for Local File Inclusion and Remote File Inclusion | - | Yes |
| Check for OS Command Injection | - | Yes |
| Check for ASP Cookieless Cross-Site Scripting | - | Yes |
| Check for Server Side Request Forgery | - | Yes |
| Check for Open Redirect | - | Yes |
| Check for Broken Authentication | - | Yes |
| Check for PHP Code Injection | - | Yes |
| Check for JavaScript Code Injection | - | Yes |
| Check for Ruby Code Injection | - | Yes |
| Check for Python Code Injection | - | Yes |
| Check for Perl Code Injection | - | Yes |
| Check for Log4j Remote Code Execution | - | Yes |
| Check for Server-Side Template Injection | - | Yes |
| Check for ViewState Remote Code Execution | - | Yes |
| Check for Client-Side Prototype Pollution | - | Yes |
| Check for Exposed Backup Files | - | Yes |
| Check for Request URL Override | - | Yes |
| Check for Client-Side Template Injection | - | Yes |
| Check for HTTP/1.1 Request Smuggling | - | Yes |
| Check for XML External Entity attacks | - | Yes |
| Check for outdated JavaScript libraries | - | Yes |
| Find administrative pages | - | Yes |
| Check for sensitive files (archives, backups, certificates, etc) | - | Yes |
| Attempt to find interesting files / functionality | - | Yes |
| Check for information disclosure issues | - | Yes |
| Clear text submission of credentials | - | Yes |
| Verify domain sources | - | Yes |
| Check for commented code/debug messages | - | Yes |
| Find login interfaces | - | Yes |
| Sensitive data detection | - | Yes |